[tor-dev] Proposal 332: Ntor protocol with extra data, version 3.

Ian Goldberg iang at uwaterloo.ca
Fri Jul 16 12:31:41 UTC 2021


On Tue, Jul 13, 2021 at 11:34:47AM -0700, Trevor Perrin wrote:
> You also wanted to add an (optional) pre-shared key, which Noise supports:
> 
> NKpsk0:
>   <- s
>   ...
>   -> psk, e, es
>   <- e, ee

Out of curiosity, Trevor, what properties does this Noise protocol
provide for low-entropy psk?

Nick, what are the settings in Tor (if any) in which low-entropy psk
will come up?


But this post from Trevor also made me realize a bigger issue with the
protocol Nick proposed:

If you want the protocol to work with Walking Onions, it needs to be
*post-specified peer*.  That is, contrary to:

> The client knows:
>   * B: a public "onion key" for S

The client will in fact _not_ know B in advance in a Walking Onions
setting, but rather will learn it at the end of the handshake.  The
protocol Nick specified does in fact use B in the first message, unlike
the current ntor handshake, which just sends KEYID(B) in the first flow,
but it's not part of the math, or indeed as far as I can see, used for
anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily
removed (and replaced with B being sent by the server) for Walking
Onions.


More information about the tor-dev mailing list