How to make rendezvous points work 1-11Jun2003 1. Overview This document provides a design overview for rendezvous points, as discussed by Nick and Roger after Discex. Rendezvous points are an implementation of server anonymity / location-hidden servers in the onion routing network. There are three components needed for rendezvous points: A) A means for the client ("Alice") to tell a server ("Bob") where to contact her in order to establish a connection. (Notification) B) A means for Bob to contact Alice to actually establish the connection, and for them to communicate later. (Meeting) C) Necessary glue code so that Alice can view webpages on a location-hidden webserver, and Bob can run a location-hidden server with minimal invasive changes. (Application) We'll tackle these in order. In all cases, I'll assume that both Alice and Bob have local OPs. 2. Notification service Bob wants to learn about client requests for communication, but wants to avoid responding unnecessarily to unauthorized clients. Bob's proxy opens a circuit, and tells some onion router on that circuit to expect incoming connections, and notify Bob of them. When establishing such a notification point, Bob provides the onion router with a public "notification" key. The hash of this public key uniquely identifies Bob, and prevents anybody else from usurping Bob's notification point in the future. Additionally, Bob can use the same public key to establish a notification point on another OR, and Alice can still be confident that Bob is the same server. (The set-up-a-notification-point command should come via a RELAY_BIND_NOTIFICATION cell. This cell creates a new stream on the circuit from Bob to the notification point.) ORs that support notification run a notification service on a separate port. When Alice wants to notify Bob of a meeting point, she connects (directly or via Tor) to the notification port, and sends the following: MEETING REQUEST Encrypted with server's public key: Hash of Bob's public key (identifies which Bob to notify) Initial authentication [optional] Encrypted with Bob's public key: Meeting point Meeting cookie End-to-end forward key End-to-end backward key End-to-end authentication [optional] [Add a Nonce or some kind of replay prevention mechanism? -NM] [Should this use DH instead? -NM] The meeting point and meeting cookie allow Bob to contact Alice and prove his identity; the end-to-end authentication enables Bob to decide whether to talk to Alice; the initial authentication enables the meeting point to pre-screen notification requests before sending them to Bob. (See 3 for a discussion of meeting points; see 2.1 for a proposed authentication mechanism.) When the notification point receives a valid meeting request, it sends the portion encrypted with Bob's public key along the stream created by Bob's RELAY_BIND_NOTIFICATION. Bob then, at his discretion, connects to Alice's meeting point. 2.1. Proposed authentication for notification services Bob makes two short-term secrets SB and SN, and tells the notification point about SN. Bob gives Alice a cookie consisting of A,B,C such that H(A|SB)=B and H(A|SN)=C. Alice's initial authentication is ; Alice's end-to-end authentication is . [Maybe] Bob keeps a replay cache of A values, and doesn't allow any value to be used twice. Over time, Bob rotates SB and SN. [Maybe] Each 'A' has an expiration time built in to it. 3. Meeting points For Bob to actually reply to Alice, Alice first establishes a circuit to an onion router R, and sends a RELAY_BIND_MEETING cell to that onion router. The RELAY_BIND_MEETING cell contains a 'Meeting cookie' (MC) that Bob can use to authenticate to R. R remembers the cookie and associates it with Alice. Later, Bob also routes to R and sends R a RELAY_JOIN_MEETING cell with the meeting cookie MC. After this point, R routes all traffic from Bob's circuit or Alice's circuit as if the two circuits were joined: any RELAY cells that are not for a recognized topic are passed down Alice or Bob's circuit. To prevent R from reading their traffic, Alice and Bob use the two end-to-end keys in Alice's original notification to Bob: Bob uses the 'forward' key and Alice the 'backward' key. (These keys are used in addition to the series of encryption keys already in use on Alice and Bob's circuits.) Bob's OP accepts RELAY_BEGIN, RELAY_DATA, RELAY_END, and RELAY_SENDME cells from Alice. Alice's OP accepts RELAY_DATA, RELAY_END, and RELAY_SENDME cells from Bob. All RELAY_BEGIN cells to Bob must have target IP and port of zero; Bob's OP will redirect them to the actual target IP and port of Bob's server. Alice and Bob's OPs disallow CREATE or RELAY_EXTEND cells as usual. 4. Application interface 4.1. Application interface: client side Because we require that the client interface remain a SOCKS proxy, we can't have clients explicitly connect to Bob. Instead, we have the OP map DNS addresses used by the client to the tuples needed to establish a connection to Bob. [We had earlier hoped encode this information into the DNS address, but that won't work. The data needed will be at least ~1024 bits long (for Bob's public key). You'd need over 197 characters to encode a blob that long, and you'd wind up triggering pathological cases in a lot of client code. -NM] I propose that the client OP receive this mapping information outside of the Tor protocol: either from true out-of-band entry, or from protocol-specific transmission. (For example of protocol-specific, an HTTP server could include notification information in reply headers, or cookies, or something.)