[tor-dev] Proposal 202: Two improved relay encryption protocols for Tor cells

[Nick Mathewson]

On Tue, Jun 19, 2012 at 2:06 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 6/19/12, Nick Mathewson <nickm at freehaven.net> wrote:
>> Filename: 202-improved-relay-crypto.txt
>
>>    Any new approach should be able to coexist on a circuit
>>    with the old approach.  That is, if Alice wants to build a
>>    circuit through Bob1, Bob2, and Bob3, and only Bob2 supports a
>>    revised relay protocol, then Alice should be able to build a
>>    circuit such that she can have Bob1 and Bob3 process each cell
>>    with the current protocol, and Bob2 process it with a revised
>>    protocol.  (Why?  Because if all nodes in a circuit needed to use
>>    the same relay protocol, then each node could learn information
>>    about the other nodes in the circuit from which relay protocol
>>    was chosen.  For example, if Bob1 supports the new protocol, and
>>    sees that the old relay protocol is in use, and knows that Bob2
>>    supports the new one, then Bob1 has learned that Bob3 is some
>>    node that does not support the new relay protocol.)
>
> This feature is unsafe to use.  Each client must use the same
> circuit-extension protocol for every relay on every circuit it builds.

Do you mean that every client must use at most one circuit-extension
protocol on all circuits, or do you mean that every circuit must by
built by at most one circuit-extension protocol?

And why?

And how would you have either*of those without having the choice of
circuit extension protocol used at any hop in the circuit leak to the
attacker which other nodes might be later in the circuit?  (In other
words, if I'm a guard, and I support an improved protocol, and I know
the client supports it, and the middle node supports it, but the
client does not use it, I can deduce that the exit node does not
support the improved protocol.)

yrs,
-- 
Nick