[tor-dev] Proposal 216: Improved circuit-creation key exchange
Watson Ladd
watsonbladd at gmail.com
Fri Nov 30 12:42:05 UTC 2012
On Thu, Nov 29, 2012 at 11:07 PM, Mike Perry <mikeperry at torproject.org> wrote:
>
> Thus spake Nick Mathewson (nickm at freehaven.net):
>
> > Title: Improved circuit-creation key exchange
> > Author: Nick Mathewson
> >
> > Summary:
> >
> > This is an attempt to translate the proposed circuit handshake from
> > "Anonymity and one-way authentication in key-exchange protocols" by
> > Goldberg, Stebila, and Ustaoglu, into a Tor proposal format.
> >
> > It assumes that proposal 200 is implemented, to provide an extended CREATE
> > cell format that can indicate what type of handshake is in use.
> >
> > Protocol:
> >
> > Take a router with identity key digest ID.
> >
> > As setup, the router generates a secret key b, and a public onion key
> > B with b, B = KEYGEN(). The router publishes B in its server descriptor.
> >
> > To send a create cell, the client generates a keypair x,X = KEYGEN(), and
> > sends a CREATE cell with contents:
> >
> > NODEID: ID -- H_LENGTH bytes
> > KEYID: KEYID(B) -- H_LENGTH bytes
> > CLIENT_PK: X -- G_LENGTH bytes
>
> I mentioned this on the ntor ticket (#7202), but it's probably worth
> repeating here in case anyone has any suggestions or ideas:
>
> I think we really should consider a proof-of-work field on the client's
> CREATE cell, so we have some form of response available in the event of
> circuit-based CPU DoSes against Tor relays.
Not an issue: in 10 minutes a Core 2 Quad Intel machine can calculate
10 million ECC calculations.
I think we'll be okay.
--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
More information about the tor-dev
mailing list