[tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
Ian Goldberg
iang at uwaterloo.ca
Fri Jul 16 12:31:41 UTC 2021
On Tue, Jul 13, 2021 at 11:34:47AM -0700, Trevor Perrin wrote:
> You also wanted to add an (optional) pre-shared key, which Noise supports:
>
> NKpsk0:
> <- s
> ...
> -> psk, e, es
> <- e, ee
Out of curiosity, Trevor, what properties does this Noise protocol
provide for low-entropy psk?
Nick, what are the settings in Tor (if any) in which low-entropy psk
will come up?
But this post from Trevor also made me realize a bigger issue with the
protocol Nick proposed:
If you want the protocol to work with Walking Onions, it needs to be
*post-specified peer*. That is, contrary to:
> The client knows:
> * B: a public "onion key" for S
The client will in fact _not_ know B in advance in a Walking Onions
setting, but rather will learn it at the end of the handshake. The
protocol Nick specified does in fact use B in the first message, unlike
the current ntor handshake, which just sends KEYID(B) in the first flow,
but it's not part of the math, or indeed as far as I can see, used for
anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily
removed (and replaced with B being sent by the server) for Walking
Onions.
More information about the tor-dev
mailing list