[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Sat, 18 Sep 2021 16:14:30 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 18 Sep 2021 16:14:57 -0400
In-reply-to: <20210716123141.GA3810@yoink.cs.uwaterloo.ca>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwT_xVDK-W+RX=GkPvaK+0kY1oJA=S3a61+XajYzSY1sg@mail.gmail.com> <CAGZ8ZG3tDuROVsMw5ZmgDOM6h78oUUJbn6-Ejia+qo3Uv2m1cA@mail.gmail.com> <20210716123141.GA3810@yoink.cs.uwaterloo.ca>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Fri, Jul 16, 2021 at 8:31 AM Ian Goldberg <iang@xxxxxxxxxxxx> wrote:
 [...]
> But this post from Trevor also made me realize a bigger issue with the
> protocol Nick proposed:
>
> If you want the protocol to work with Walking Onions, it needs to be
> *post-specified peer*.  That is, contrary to:
>
> > The client knows:
> >   * B: a public "onion key" for S
>
> The client will in fact _not_ know B in advance in a Walking Onions
> setting, but rather will learn it at the end of the handshake.  The
> protocol Nick specified does in fact use B in the first message, unlike
> the current ntor handshake, which just sends KEYID(B) in the first flow,
> but it's not part of the math, or indeed as far as I can see, used for
> anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily
> removed (and replaced with B being sent by the server) for Walking
> Onions.

Well, in the current deployment, the client only knows one B for each
server at a time, and if the server responds with a B that the client
_doesn't_ recognize, the client won't have any idea whether or not B
is really authentic. (Priving that B is authentic is a big part of
what Walking Onions has to solve.)

Walking Onions is a big enough set of protocol changes that I'm
comfortable requiring a subsequent handshake bump when we get there.
Who knows, we may want another one between now and then if we decide
to go hybrid-PQ or use Noise or something :)

cheers,
-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Proposal 334: A flag to mark Relays as middle-only
Next by Author: [tor-dev] No arti report this week.
Previous by thread: [tor-dev] Arti report 5: August 18 through September 15
Index(es):
- Author
- Thread