2

I'm trying to understand exactly how Tor builds a circuit with encryption. I've read the Tor design literature and have a pretty good grasp of it; however, I'm left with the following misunderstanding.

When Alice, the client, goes to build her circuit, she will choose a node, say Bob, from the list of nodes distributed by Tor. She will find Bob's corresponding "onion key", which is, I believe, a public 1,024-bit RSA key (please correct me if I'm wrong). Alice generates the first half of a Diffie-Hellman key exchange, encrypts it with Bob's onion key, then sends it to Bob, who decrypts it, generates his half of the DHKE, and sends this to Alice along with a hash of the new symmetric key which they will use to encrypt future messages, which is known as a "session key".

Question 1: Does Bob send this message back to Alice in plaintext? I know that, by nature of a DHKE, even if an eavesdropper obtains Bob's half of the exchange he still cannot determine the secret key, so I'm not sure if there is a need for encryption from Bob back to Alice at this point. But if so, what type of encryption is it?

Also, if my understanding of the Tor encryption model is way off or there are any errors in my explanations, please let me know, if you can. Thank you.

Jon Behnken
  • 123
  • 4

2 Answers

1

Here is the design document for Tor's next-generation onion service. The paper that you linked to is outdated. The next-generation onion service is expected to launch with 0.3.2 around December 15, 2017.

https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt

Also, here is the Tor Protocol Specification:

https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt

The onion-routerdotnet site is 12 years outdated; use Tor's updated sites above.

anon
  • 11
  • 2

1

Tor uses RSA keys as identity keys (except for .onion services, for the time being).

For exchanging secret key material Tor uses an ephemeral key exchange method, either TAP (old, DHE) or nTor (new, ECDHE). In {EC,}DH{,E} both parties exchange only public keys over the wire. Without knowledge of either of the secret keys, the shared secret cannot be recreated.

The RSA keys are for identity verification (i.e. Alice knows Bob is really Bob) and Alice knows that the RSA key she has for Bob is correct because the Directory Authorities attested to it. Alice knows the keys she has for the Directory Authorities are correct because they are hardcoded into Tor.

A passive attacker can see both public keys and still cannot discover the shared secret. An active attacker could try to replace part of the handshake but they would not be able to forge a signature for it using Bob's identity key. Bob doesn't have to verify Alice, only that he performed a key exchange with someone. Alice on the other hand needs to make sure she is definitely talking to the Bob she expects to, so she has a strong requirement to verify his identity.

cacahuatl
  • 11,047
  • 2
  • 17
  • 39
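The exchange asked about in Question 1, as an added Python sketch that is not part of either answer or of Tor's own code: Bob's reply is just his public value plus a key hash, and Alice accepts it only if the hash matches the key she derives herself. The function names are hypothetical, the group and KDF follow the TAP description in tor-spec.txt, and the RSA step that encrypts Alice's half to Bob's onion key is omitted.

```python
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 section 6.2, generator 2 (the group TAP uses).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2  # uniform in 2..P-2
    return x, pow(G, x, P)

def kdf_tor(shared, nbytes):
    """KDF-TOR: K = SHA1(K0 | [00]) | SHA1(K0 | [01]) | ... truncated to nbytes."""
    k0 = shared.to_bytes(128, "big")
    out = b"".join(hashlib.sha1(k0 + bytes([i])).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def bob_created(gx):
    """Bob's side: returns ((g^y, KH), key material). The reply is not encrypted."""
    y, gy = dh_keypair()
    k = kdf_tor(pow(gx, y, P), 20 + 72)  # KH (20 bytes) + digests and cipher keys (72)
    return (gy, k[:20]), k[20:]

def alice_finish(x, reply):
    """Alice's side: derive the keys, check KH; key material or None on mismatch."""
    gy, kh = reply
    if not 1 < gy < P - 1:  # reject degenerate public values
        return None
    k = kdf_tor(pow(gy, x, P), 20 + 72)
    return k[20:] if secrets.compare_digest(k[:20], kh) else None

def demo():
    x, gx = dh_keypair()  # Alice; g^x would travel RSA-encrypted to Bob's onion key
    reply, bob_keys = bob_created(gx)
    honest = alice_finish(x, reply) == bob_keys
    # Constructed tampering case: a party that never saw g^x substitutes its own
    # g^z and a KH derived from a value it can compute. Alice's check rejects it.
    z, gz = dh_keypair()
    forged = (gz, kdf_tor(pow(gz, z, P), 20))
    return honest, alice_finish(x, forged)
```

`demo()` returns `(True, None)`: the honest reply yields matching key material on both sides, and the substituted reply is rejected at the KH check.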