Tcpcrypt and tor

Gregory Maxwell gmaxwell at
Mon Aug 30 04:21:29 UTC 2010

Tcpcrypt ( proposes a new extension to TCP to
enable opportunistic encryption with optional authentication. From a
features and performance perspective, it's probably exactly what we
need to get away from the almost-everything-in-the-clear Internet that
we have today.

Unfortunately, it won't interact well with tor as tor is today: It's a
TCP level technique and with tor the TCP sessions don't cross the
network. This means it would provide security between an exit and the
destination but not end to end security.

I spent a little time thinking about this and trying to figure out if
there were some socket options that could be added to tcpcrypt in
order to make it run in a purely proxy mode where the data is end to
end encrypted but the TCP still runs on the exit. However, I don't
think this is possible:  It integrates deeply with the TCP state
machine. For example, it uses TCP's sequence numbers as the counter
and replay prevention. It also uses TCP retransmission (with it's own
MAC) to deal with forged data.

I don't like the idea that a future layer-3 transport in tor is the
solution to this: Today tor gains a lot of fingerprinting immunity by
isolating the layer 3/4 and it's also nice that the tor software
doesn't need access to weird raw sockets so that it can inject

So perhaps someone smarter than I can see a way that tor could gain
end to end crypto in a world using tcpcrypt, perhaps with some changes
to tcpcrypt?
To unsubscribe, send an e-mail to majordomo at with
unsubscribe or-talk    in the body.

More information about the tor-talk mailing list