[tor-dev] A series of questions about Tor (m1 support, forward secrecy, v3 auth)

George Kadianakis desnacked at riseup.net
Mon Jul 26 10:11:07 UTC 2021

Holmes Wilson <h at zbay.llc> writes:

> Hi everyone,

Hello Holmes,

here are some attempts to answer your questions.

> Is there a good source for documentation on how forward secrecy works in Tor, and on what security guarantees it provides? Googling finds things like this reddit post (https://www.reddit.com/r/TOR/comments/cryrjx/does_tor_use_pfs/) but I can’t find any detailed information about it, what threat models it fits, etc. 
> One specific question is, if two users are communicating by sending messages over a connection to an onion service (like ricochet) and an attacker surveils their internet traffic and compromises their devices at a later date, will the attacker be able to recover the clear text of their conversation? When are keys for a given connection destroyed? Does it happen continuously throughout the course of a Tor connection? Or on the creation of a new circuit? Or what?

tl;dr Onion service sessions are protected with forward secrecy.

In particular, v3 onion services use a variant of the ntor key exchange
(see [NTOR-WITH-EXTRA-DATA] in rend-spec-v3.txt) when doing their
rendezvous. The ntor key exchange provides forward secrecy which means
that if the long-term public key is compromised (e.g. by pwning their
device), the session remains secure as long as the short-term ephemeral
session secrets don't get compromised.

The forward secrecy "happens" at the creation of the rendezvous circuit
and not continuously through the course of a Tor connection (i.e. no
ratcheting happens). This means that if an attacker has the transcript
of the entire circuit, and manages to compromise the session in its
midpoint, it should be possible for her to decrypt back to the start of
the session.

Here is the original ntor paper:  http://www.cypherpunks.ca/~iang/pubs/ntor.pdf

> Does v3 onion authentication protect against DOS attacks? That is, can someone who is not authorized to connect to an onion address with authentication enabled still cause problems for that onion address? Can they connect to it at all, in the sense of being able to send data to the tor client at that onion address? Or does the Tor network itself prevent this connection from even happening? 
> A related question is, if we’re looking to deny connections to an onion address to any unauthorized users, and we’re considering turning off onion authentication and implementing some standard authentication scheme that seems fairly well-supported at the web server layer, is there any security-related reason why we would be better off using Tor’s own authentication instead? Using our own authentication scheme will be a bit easier to control, rather than having to send commands to Tor (and possibly restart it for removing users?) but I’m wondering if there are security properties we lose by doing that. 

Like hackerncoder said, v3 onion authentication protects against DoS
attacks because the access control happens very early in the connection

An attacker with no access to the auth keys cannot decrypt the onion
descriptor, which means that they cannot do introduction or rendezvous
with the onion service. It so happens that all onion DoS attack vectors
are during intro or rendezvous, and hence v3 onion auth protects against

WRT your second question, if you swap the client authentication with
your own application-layer authentication scheme, you are losing the
above properties, since it means that an attacker will be able to reach
the web server before they get denied access. This means that the
attacker will be able to abuse DoS vectors during the intro and
rendezvous steps of the connection.

There is something to be said about the UX issues of having this custom
authentication mechanism and it not being in the application-layer, and
this is something we should be improving in the future.

More information about the tor-dev mailing list