[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Proposal 176: Proposed version-3 link handshake for Tor
- To: or-dev@xxxxxxxxxxxxx
- Subject: Re: Proposal 176: Proposed version-3 link handshake for Tor
- From: Adam Langley <agl@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 31 Jan 2011 22:46:27 -0500
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-dev-outgoing@xxxxxxxx
- Delivered-to: or-dev@xxxxxxxx
- Delivery-date: Mon, 31 Jan 2011 22:46:33 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=uE6XdUvzSnYza6H1HY1dk/jDX7YgTjqHzqdcy2r9vA8=; b=Bn4Zt3D1MMTGDTUMIKILNeuqEVwe9SX6CkwzedDk8h9JcJBD591iLWKsyCDYv7YxaC UcYi+9mKHtMj/hGrxEmnk8bC8mbP0xBhC/Jo7g/3yYordBjFUQ3+sju80ZaYH1Q2pwTy REb27S2DkMl3nXGHabDBfPXH3OsnvlsHGZ+m8=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; b=SlyTPWCpxbnVxhU9UvR4vZYcb9EPNLLRPZcArYKQ8F4Nw1y354I2z3qf/rlsQQXrjr wXSwrKKqvvvV4TWkcyRcPwwCkxkErdrMcKwP6RmVCt9Le7D/nZzwvHZLifKLTwpGoEG3 3+PobvW8Q1gNyfOwMOc3vhvBPIxMvupNtAKmU=
- In-reply-to: <AANLkTinQjEz2C9MSyZNWABNMqqJrv9eFdbUY7VnMoAA4@xxxxxxxxxxxxxx>
- References: <AANLkTinQjEz2C9MSyZNWABNMqqJrv9eFdbUY7VnMoAA4@xxxxxxxxxxxxxx>
- Reply-to: or-dev@xxxxxxxxxxxxx
- Sender: owner-or-dev@xxxxxxxxxxxxx
On Mon, Jan 31, 2011 at 9:50 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> Â certificates. ÂThe security properties of this protocol are just
> Â fine; the problem was that our behavior of sending
> Â two-certificate chains made Tor easy to identify.
Actually, two (or more) certificates are very common when talking to
HTTPS servers. (See mail.google.com:443 for example.)
> Â And the cell-based part of the V3 handshake, in summary, is:
>
> Â ÂC<->S: TLS handshake where S sends a "v3 certificate"
>
> Â ÂIn TLS:
>
> Â Â Â C->S: VERSIONS cell
> Â Â Â S->C: VERSIONS cell, CERT cell, AUTH_CHALLENGE cell, NETINFO cell
>
> Â Â Â C->S: Optionally: CERT cell, AUTHENTICATE cell
Forgive my ignorance here. I have only a passing knowledge of the Tor
protocol these days.
If you wish to prevent scanning for Tor nodes then you could have the
client put the SHA256 of the server's identity key in its initial
cell. This supposes that the client always knows the identity of the
server that it's connecting to; which may not be the case.
If the client doesn't care about authenticating to the server, then it
could optimistically send cells predicated on a correct version
prediction. SSH does this (see RFC 4253, section 7.1,
'first_kex_packet_follows'). The server will know if the prediction
was correct once it sees the client's version and can discard
optimistic cells.
AGL
--
Adam Langley agl@xxxxxxxxxxxxxxxxxx http://www.imperialviolet.org