Using TLS for circuit-level handshake (Was Re: tor-spec comments)

Roger Dingledine arma at
Wed Sep 10 17:16:26 UTC 2003

On Sun, Sep 07, 2003 at 01:48:57PM -0400, Joel N. Weber II wrote:
> OK, so I'm convinced that using TLS for the actual cells is probably
> the wrong approach.
> Would it be reasonable to use the TLS key negotiation (d-h, rsa, etc)
> stuff for the cells, though?

The trick here is that we've got some constraints (eg message size,
number of passes) that we'd like to obey if we can, and we also have a
clear subset of what TLS provides.

That is, we want to get unilateral entity authentication (Alice knows
she's handshaking with Bob, Bob doesn't care who it is) and unilateral
key authentication (Alice and Bob agree on a key, and Alice knows Bob
is the only other person who could know it). Possibly we also want
unilateral key confirmation (Alice knows that Bob actually knows the
shared key). We also want PFS, key freshness, etc.

I'd like to emphasize that as I phrased the goals above, we don't require
mutual key authentication. That is, Bob does not need to verify that
the entity who started the handshake is the one who learned the session
key. That's because only Alice cares if the handshake went correctly. (Are
these requirements that I've specified sufficient for what we want?)

More on this topic in the thread Paul started yesterday
( and the response
I'll send later on).

So why not use TLS even if it's overkill?
Another requirement is that we'd like the handshaking process to have
a small externally visible footprint (externally visible to other nodes
on the circuit, as well as to passive observers). One round-trip seems
pretty good for that. A several-pass protocol, where each message uses a
predictable number of cells (more than one), would seem to leave a louder
footprint. One of the features to putting 'extend' requests inside relay
cells is that only the last node in the circuit can know that they're
extend requests. Having a pair of TLS handshakers at each end chatting
with each other in implementation-specific ways is contradictory to
this goal.

Speaking of implementation-specifics, we must require all clients to
use exactly the same security/handshake parameters, else clients using
different tor implementations would be distinguishable.

Is that convincing? Nick/Paul, what other arguments did we have for this?

More information about the tor-dev mailing list