Filename: 260-cryptography-agility.txt Title: Link Cryptography Agility Created: 2015-11-15 Status: Draft Extends: 249-large-create-cells.txt 1. Overview This proposal aims to add per-circuit cryptographic agility, such that the link handshake and cell layer encryption can be specified on au per-circuit basis. Once support for the negotiation mechanism in this proposal has been deployed, it will be possible to introduce support for new circuit handshake and/or cell encryption methods without the need for further wire protocol changes. 2. Negotiation Process The initator and responder MUST negotiate version 5 or higher to indicate support for the CIPHERSUITES, CREATE2V and CREATED2V cells along with fragmented EXTEND2 cells. 3. CIPHERSUITES cells. Upon negotiating version 5 of the link protocol and sending a VERSIONS cell, the responder sends a CIPHERSUITES cell befor sending the CERTS cell to indicate which handshake methods, and which link encryption primitives it supports. (XXX: Should this be variable length? At the rate that we will change handshake/cell crypto, I doubt space will ever be a concern, but VERSIONS is variable length...) struct ciphersuites_cell_body { /* Number of supported handshake types */ u16 hlen; /* Supported handshake types */ u16 handshake_types[hlen]; /* Number of supported cell crypto types */ u16 clen; /* Supported cell crypto types */ u16 cell_crypto_types[clen]; /* Padding data to be ignored */ u8 ignored[]; }; The initiator then selects the "best" algorithms supported by the peer as appropriate. To prevent downgrade attacks, both parties MUST include the contents of the CIPHERSUITES cell as part of the link handshake calculations, for example by including the SLOG (AUTHENTICATE cell) SHA256 hash in the ntor "auth_input" field. XXX: It occurs to me that we should include a 2 byte cell crypto specifier in the CREATE2V/fragmented EXTEND2 cells. 4. Cell Crypto Types The following cell crypto types are defined and reserved: 0x0000 - CTR-AES128 + SHA1 -- the original Tor cell crypto 0x0001 - reserved (AEZ?)