Question about the CREATE cell and circuit setup

Eugene Y. Vasserman eyv at
Fri Aug 19 07:56:05 UTC 2005

Thanks. This makes sense!

Thus spake Roger Dingledine:
> On Fri, Aug 19, 2005 at 12:49:08AM -0500, Eugene Y. Vasserman wrote:
>> I have a very quick question. While reading the DH handshake flaw post,
>> I noticed that the DH handshake is done by first decrypting g^x to
>> Bob's PK before sending (E_{Bob}(g^x)). The tor spec document says:
>> The payload for a CREATE cell is an 'onion skin', which consists of the
>> first step of the DH handshake data (also known as g^x).
>> The data is encrypted to Bob's PK...
>> Why is this? Why not send g^x in the clear? Isn't the point of DH that
>> you don't need encryption during the key agreement stage? Shouldn't we
>> be able to send g^x in the clear? The extra encryption step does not
>> seem to get us anything (other than heat from the CPU cycles).
>> Please let me know if I'm missing something - I would be happy to be
>> shown wrong! :)
> We need some way to verify that Bob is in fact Bob. Otherwise somebody
> could MITM us and we'd be no better off than the designs where you just
> ask the entry node to handle the path-building for you.
> See the bottom of
> Another traditional way to make sure we know Bob is Bob is to have him
> sign his response. But we chose our approach for, well, historical
> reasons. :) Both operations are designed to prove that the guy we
> handshaked with knows Bob's private key.
> --Roger

--
Eugene Y. Vasserman
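
The point made in the quoted reply, as an added sketch that is not part of the original thread and not Tor's code: when g^x travels encrypted to Bob's public key, only a responder holding Bob's private key can recover g^x and derive the same shared key. The textbook RSA, the toy primes and DH group, and the H(K) confirmation value are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (Mersenne primes); far too small for real use.
DH_P, DH_G = 2**127 - 1, 3
BOB_PRIMES = (2**61 - 1, 2**89 - 1)
MITM_PRIMES = (2**107 - 1, 2**89 - 1)   # a key pair that is not Bob's

def make_rsa_key(p, q, e=65537):
    """Return (public, private) textbook-RSA keys as (n, exponent) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def key_hash(shared):
    """Confirmation value both sides derive from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def alice_create(bob_public):
    """Alice picks x and sends E_Bob(g^x) as the onion skin."""
    n, e = bob_public
    x = secrets.randbelow(DH_P - 3) + 2
    return x, pow(pow(DH_G, x, DH_P), e, n)

def relay_created(onion_skin, private_key):
    """Responder decrypts the onion skin, then replies with g^y and H(K)."""
    n, d = private_key
    gx = pow(onion_skin, d, n) % DH_P   # wrong private key gives an unrelated value
    y = secrets.randbelow(DH_P - 3) + 2
    return pow(DH_G, y, DH_P), key_hash(pow(gx, y, DH_P))

def alice_verify(x, gy, confirmation):
    """Alice accepts only if the responder derived the same K = g^(xy)."""
    return secrets.compare_digest(key_hash(pow(gy, x, DH_P)), confirmation)

def run_handshake(bob_public, responder_private):
    """Run one CREATE/CREATED exchange; True means Alice accepted the responder."""
    x, skin = alice_create(bob_public)
    gy, confirmation = relay_created(skin, responder_private)
    return alice_verify(x, gy, confirmation)

if __name__ == "__main__":
    bob_pub, bob_priv = make_rsa_key(*BOB_PRIMES)
    _, mitm_priv = make_rsa_key(*MITM_PRIMES)
    print("real Bob accepted:", run_handshake(bob_pub, bob_priv))
    print("MITM accepted:    ", run_handshake(bob_pub, mitm_priv))
```

Sending g^x in the clear would let any responder compute a valid K, so the confirmation check alone would no longer tie the circuit to Bob's key.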