Two create_fast questions

[Paul Syverson]

On Wed, Feb 28, 2007 at 09:27:59PM -0500, Nick Mathewson wrote:
> [Replying to or-dev with permission from Paul.]
> 
> In practice, though, it's very rare that a TLS connection will stay
> open that long without a live stream on some circuit using that
> connection.  Since clients don't attach streams to any circuit in use
> for longer than MaxCircuitDirtiness (10 min default), and close any
> TLS connection that has gone for KeepalivePeriod (5 min default)
> without an open circuit on it, it follows that absent a long-lived
> stream, you'll close your connection to any entry node soon after you
> pick a different entry for the next circuit.
> 

I think this is all consistent with what I said (or perhaps was trying
to say ;>) My thought is that Tor preemptively builds circuits. Since
we use entry guards, those circuits will be through the same three
first nodes, or two nodes e.g., when just one guard is down. So as
long as the Tor client is active, it will be building circuits through
the same few first nodes. They are thus likely to persistently have
open circuits from the same client (though not the same open circuits
persistently). Thus, it seems to me quite possible that the client
will be maintaining the TLS connection to a node for a long time, even
if it is expiring dirty circuits and even if TLS connections die
without an open circuit on them for more than 5 minutes.

> 
> > My second question is:
> > And of course there just is no PFS for CREATE_FAST exchanges because
> > the actual keying material was sent over the the TLS connection rather
> > than doing a DH exchange.  There is still PFS for the other hops in
> > the circuit, but none for the first hop. That's right yes?
> 
> That would be true for arbitrary TLS, but we only use TLS ciphersuites
> that include a DH exchange of their own. 

Yes, I was assuming that. But this is PFS for the TLS key. I was
talking about PFS for the Tor session key.

aloha,
Paul