Destroy cell & OP decryption question

Nick Mathewson nickm at
Tue Jan 23 21:40:25 UTC 2007

On Fri, Jan 19, 2007 at 09:33:48PM -0800, Christian Seberino wrote:
> *** ''Tearing down circuits'' section of spec had a sentence I like to
> humbly ask clarification on...
> "The origin of a circuit always sets this error code to 0, to avoid
> leaking its version."
> The origin must be an OP right?

It is whatever process decided to create the circuit in the first
place, and sent the first create cell.  ORs can initiate circuits too,
for various purposes including testing their OR ports.

>  If OP sets reason byte value (error code) to zero then how can ORs
> propagate the right one?

The ORs propagate the value they get in their destroy cells: 0.

> And what does it mean 'leaking its version' ?

Older versions of Tor didn't ever send versions in destroy cells.  If
newer clients included version information, that would be a giveaway
that they were newer.

In practice, there are sometimes other ways to distinguish a client's
possible range of versions, but we try not to add them gratuitously.

(Also, even if it weren't for the version issue, we probably wouldn't
want circuit initiators to set a full range of destroy reasons: First,
ORs shouldn't really care why they're tearing down a circuit; they
should just do it when asked.  Second, some of the error codes could
conceivably tell an attacker something useful about the client.)

> *** As cells travel along circuits, ORs decrypt them and send them along
> (reencrypted) after analyzing the payloads right?  Hence old encryption is
> //replaced// with new encryption as cells move down circuit!  So I don't
> understand why OP needs to do multiple decryptions for every hop along
> circuit.

I think you're confused.  There are two kinds of encryption that
happen to cells.  One (link encryption) happens at every step with
TLS.  This one is added to everything as it goes over the wire, and
decrypted before anything happens to any cell.  The purpose of link
encryption is to prevent an adversary from seeing or altering cells as
they pass from router to router.

The other (circuit-based) encryption happens for relay cells at every
step, using keys negotiated during circuit setup.  ORs decrypt relay
cells as they move away from the origin, and encrypt them as they move
toward the origin -- never both.  The OP (or whoever initiated the
circuit) needs to have these keys so it can generate relay cells that
will reach their destination properly, and so it can read the
multiply-encrypted responses when they arrive.  Circuit encryption
needs to be done in multiple layers so that nobody but the circuit
originator and the exit can see plaintext cell contents, and so that
the cells look different at every step.

I think this is documented on the website, and in tor-design.pdf.
With any luck, it will make sense this time.

Nick Mathewson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 652 bytes
Desc: not available
URL: <>

More information about the tor-dev mailing list