TLS for the link handshakes/encryption

Adam Shostack adam at
Tue Sep 2 13:37:32 UTC 2003

On Tue, Sep 02, 2003 at 05:40:11AM -0400, Roger Dingledine wrote:
| On Tue, Sep 02, 2003 at 01:51:20AM -0400, Roger Dingledine wrote:
| > I think we should definitely look into tls for the OR link-level
| Based on looking at the chainsaw [1] cvs and docs, it seems ZKS was
| very excited about Oakley key exchange [2], and also about Photuris,
| which has since been finalized into rfc 2522 and 2523.
| Part of the benefit here is they have cookies built into the protocol
| to keep adversaries from hammering the servers. ("Alice sends 128 zeros
| and the server does an RSA decrypt" is a bad DoS issue.)
| They seem to be designed for UDP (I'm not sure if that means they're
| less suitable/impressive for TCP).

We at ZKS were always fans of putting IP packets in an unreliable
transport so as to avoid double TCP retransmits on packet loss.  I
don't know if we ever tested this theory, but it sure was widespread.

Since TLS doesn't work with UDP out of the box, we looked at other
protocols, and Photuris was cool, reviewed, etc, we went with it.  The
tricky parts of this are more integrating crypto with the routers than
doing crypto perfectly.  Even slightly imperfect crypto is not that
big a loss, since at the end of the day, we don't have lots of bits of
security in a low latency system.

All as I recall.  I've bcc'd some folks who might be able to say more.


"It is seldom that liberty of any kind is lost all at once."

More information about the tor-dev mailing list