[tor-dev] Proposal 216: Improved circuit-creation key exchange

Watson Ladd watsonbladd at gmail.com
Fri Nov 30 12:42:05 UTC 2012


On Thu, Nov 29, 2012 at 11:07 PM, Mike Perry <mikeperry at torproject.org> wrote:
>
> Thus spake Nick Mathewson (nickm at freehaven.net):
>
> > Title: Improved circuit-creation key exchange
> > Author:  Nick Mathewson
> >
> > Summary:
> >
> >   This is an attempt to translate the proposed circuit handshake from
> >   "Anonymity and one-way authentication in key-exchange protocols" by
> >   Goldberg, Stebila, and Ustaoglu, into a Tor proposal format.
> >
> >   It assumes that proposal 200 is implemented, to provide an extended CREATE
> >   cell format that can indicate what type of handshake is in use.
> >
> > Protocol:
> >
> >   Take a router with identity key digest ID.
> >
> >   As setup, the router generates a secret key b, and a public onion key
> >   B with b, B = KEYGEN().  The router publishes B in its server descriptor.
> >
> >   To send a create cell, the client generates a keypair x,X = KEYGEN(), and
> >   sends a CREATE cell with contents:
> >
> >     NODEID:     ID             -- H_LENGTH bytes
> >     KEYID:      KEYID(B)       -- H_LENGTH bytes
> >     CLIENT_PK:  X              -- G_LENGTH bytes
>
> I mentioned this on the ntor ticket (#7202), but it's probably worth
> repeating here in case anyone has any suggestions or ideas:
>
> I think we really should consider a proof-of-work field on the client's
> CREATE cell, so we have some form of response available in the event of
> circuit-based CPU DoSes against Tor relays.

Not an issue: in 10 minutes a Core 2 Quad Intel machine can calculate
10 million ECC calculations.
I think we'll be okay.

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin

