Proposal 169: Eliminate TLS renegotiation for the Tor connection handshake
Jacob Appelbaum
jacob at appelbaum.net
Thu Jan 28 15:21:30 UTC 2010
Nick Mathewson wrote:
> Filename: 169-eliminating-renegotiation.txt
> Title: Eliminate TLS renegotiation for the Tor connection handshake
> Author: Nick Mathewson
> Created: 27-Jan-2010
> Status: Draft
> Target: 0.2.2
>
[...]
> The new initiator behavior now looks like this:
>
[...]
> * If the CERT cell is a good cert signing the public
> key in the x.509 certificate we got during the TLS
> handshake, we connected to the server with that
> identity key. Otherwise close the connection.

I think this needs to be re-written to be clearer.

> * Once the NETINFO cell arrives, continue as before.
>
[...]
> 6. Open questions:
>
> - Should we use X.509 certificates instead of the certificate-ish
> things we describe here? They are more standard, but more ugly.

Do we get anything out of custom-ish things? It seems kludgy to make
stuff up on the fly but perhaps it's somehow simpler for our use?

>
> - May we cache which certificates we've already verified? It
> might leak in timing whether we've connected with a given server
> before, and how recently.

It seems like timing information would be leaked. We should avoid that
if possible.

>
> - Is there a better secret than the master secret to use in the
> AUTHENTICATE cell? Say, a portable one? Can we get at it for
> other libraries besides OpenSSL?
>

I'm not sure. It seems OK. What worries you about it?

> - Can we give some way for clients to signal "I want to use the
> V3 protocol if possible, but I can't renegotiate, so don't give
> me the V2"? Clients currently have a fair idea of server
> versions, so they could potentially do the V3+ handshake with
> servers that support it, and fall back to V1 otherwise.
>

Does this open us up to downgrade attacks? Downgrade attacks here seem
like they might range in seriousness from simply potentially detecting
Tor users or perhaps doing something actually nasty...

> - What should servers that don't have TLS renegotiation do? For
> now, I think they should just get it. Eventually we can
> deprecate the V2 handshake as we did with the V1 handshake.
>

Seems reasonable.

Best,
Jake