[tor-talk] Do onion services have forward secrecy?
George Kadianakis
desnacked at riseup.net
Sat Jun 24 14:37:27 UTC 2017
Jeremy Rand <jeremyrand at airmail.cc> writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> My understanding is that the communication between circuit hops has
> forward secrecy, but I've been unable to find any documentation on
> whether forward secrecy exists for traffic sent between a Tor client
> and a Tor onion service (not just the forward secrecy existing between
> adjacent hops). Or, put another way -- if the machine hosting a
> hidden service is compromised after data is exchanged, *and* some/all
> of the Tor relays on the circuit were compromised prior to the data
> being exchanged, is it feasible for the adversary to decrypt the data
> being exchanged?
>
Hello,
yes, hidden service circuits are end-to-end encrypted between the HS and
the client. It works like this:
The hidden service sends its ephemeral DH keys to the client using the
INTRODUCE1 cell, and the client sends its own ephemeral DH keys in the
RENDEZVOUS1 cell; both parties then use those keys to establish the
end-to-end shared secret that secures the session.
To answer your question: If the HS or the client get compromised _after_
the session has ended (and the ephemeral DH keys have been wiped), the
adversary must not be able to decrypt the exchanged data, even if all
the between hops get pwned as well.
Cheers!
More information about the tor-talk
mailing list