[tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor

Nick Mathewson nickm at alum.mit.edu
Fri Mar 7 16:33:07 UTC 2014


On Wed, Mar 5, 2014 at 1:36 PM, Sebastian G. <bastik.tor>
<bastik.tor at googlemail.com> wrote:
> 04.03.2014 03:45, Nick Mathewson:
>> 5. We should revisit proposals to have Tor server <-> server
>> communication use the v1 link protocol again.  (That's the one where
>> both sides present a certificate chain in their TLS handshake.  We
>> moved away from it because of protocol fingerprinting issues, before
>> we'd hit upon pluggable transports as a better means for protocol
>> obfuscation.) Due to our messed-up use of ciphersuites for
>> signalling, we will have some tricky times designing this compatibly
>> with existing Tors. But it might be our best long-term option if we
>> can make it work. (IIRC Robert Ransom was advocating this.)
>
> Hello Nick,
>
> thank you for the education. :)
>
> Since this is somewhat "important" for the list it is sent to it.
>
> You say both presented a "certificate chain". For me this is what
> SSL/TLS provides with
>
> CA certificate -> Sub CA certificate -> website certificate.
>
> Did Tor had a similar implementation where there was an actual chain of
> certificates?>

Yes; have a look at the "v1 link handshake" as described in
tor-spec.txt.  The certificate chain doesn't involve a CA, but rather
it was:

Identity certificate -> Short-term link certificate

The advantage to having multiple layers of keys is:
  * It provides another layer of forward secrecy by periodic
discarding of private keys used for actual communication.
  * It makes it easier to keep identity keys offline to mitigate the
effects of key compromise.  (That's not fully possible in current Tor
designs, because a Tor node needs its identity key to sign descriptors
periodically.  But see proposal 220 for a way to get into a position
where we can support this.)

yrs,
-- 
Nick


More information about the tor-dev mailing list