Question about the CREATE cell and circuit setup

Roger Dingledine arma at
Fri Aug 19 07:26:34 UTC 2005

On Fri, Aug 19, 2005 at 12:49:08AM -0500, Eugene Y. Vasserman wrote:
> I have a very quick question. While reading the DH handshake flaw post,
>  I noticed that the DH handshake is done by first decrypting g^x to
> Bob's PK before sending (E_{Bob}(g^x)). The tor spec document says:
> The payload for a CREATE cell is an 'onion skin', which consists of the
> first step of the DH handshake data (also known as g^x).
> The data is encrypted to Bob's PK...
> Why is this? Why not send g^x in the clear? Isn't the point of DH that
> you don't need encryption during the key agreement stage? Shouldn't we
> be able to send g^x in the clear? The extra encryption step does not
> seem to get us anything (other than heat from the CPU cycles).
> Please let me know if I'm missing something - I would be happy to be
> shown wrong! :)

We need some way to verify that Bob is in fact Bob. Otherwise somebody
could MITM us and we'd be no better off than the designs where you just
ask the entry node to handle the path-building for you.

See the bottom of

Another traditional way to make sure we know Bob is Bob is to have him
sign his response. But we chose our approach for, well, historical
reasons. :) Both operations are designed to prove that the guy we
handshaked with knows Bob's private key.


More information about the tor-dev mailing list