Question about the CREATE cell and circuit setup
Eugene Y. Vasserman
eyv at cs.umn.edu
Fri Aug 19 07:56:05 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Thanks. This makes sense!
Thus spake Roger Dingledine:
> On Fri, Aug 19, 2005 at 12:49:08AM -0500, Eugene Y. Vasserman wrote:
>
>>I have a very quick question. While reading the DH handshake flaw post,
>> I noticed that the DH handshake is done by first decrypting g^x to
>>Bob's PK before sending (E_{Bob}(g^x)). The tor spec document says:
>>The payload for a CREATE cell is an 'onion skin', which consists of the
>>first step of the DH handshake data (also known as g^x).
>>The data is encrypted to Bob's PK...
>>
>>Why is this? Why not send g^x in the clear? Isn't the point of DH that
>>you don't need encryption during the key agreement stage? Shouldn't we
>>be able to send g^x in the clear? The extra encryption step does not
>>seem to get us anything (other than heat from the CPU cycles).
>>Please let me know if I'm missing something - I would be happy to be
>>shown wrong! :)
>
>
> We need some way to verify that Bob is in fact Bob. Otherwise somebody
> could MITM us and we'd be no better off than the designs where you just
> ask the entry node to handle the path-building for you.
>
> See the bottom of
> http://tor.eff.org/doc/design-paper/tor-design.html#subsubsec:constructing-a-circuit
>
> Another traditional way to make sure we know Bob is Bob is to have him
> sign his response. But we chose our approach for, well, historical
> reasons. :) Both operations are designed to prove that the guy we
> handshaked with knows Bob's private key.
>
> --Roger
- --
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDBZCV4S3hfPlRZlkRA9clAJ99403NcmTzaVuQEUBl4hBv3zKuqgCeJqFn
rs4DBypweaCQVsrULMxHzd4=
=xcsg
-----END PGP SIGNATURE-----
More information about the tor-dev
mailing list