|
@@ -23,7 +23,7 @@ TODO: (very soon)
|
|
|
|
|
|
|
|
All numeric values are encoded in network (big-endian) order.
|
|
All numeric values are encoded in network (big-endian) order.
|
|
|
|
|
|
|
|
- Unless otherwise specified, all symmetric ciphers are 3DES in OFB
|
|
|
|
|
|
|
+ Unless otherwise specified, all symmetric ciphers are AES in counter
|
|
|
mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
|
|
mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
|
|
|
with 1024-bit keys and exponents of 65537, or DH with the safe prime
|
|
with 1024-bit keys and exponents of 65537, or DH with the safe prime
|
|
|
from rfc2409, section 6.2, whose hex representation is:
|
|
from rfc2409, section 6.2, whose hex representation is:
|
|
@@ -34,8 +34,6 @@ TODO: (very soon)
|
|
|
"A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
|
|
"A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
|
|
|
"49286651ECE65381FFFFFFFFFFFFFFFF"
|
|
"49286651ECE65381FFFFFFFFFFFFFFFF"
|
|
|
|
|
|
|
|
- [We will move to AES once we can assume everybody will have it. -RD]
|
|
|
|
|
-
|
|
|
|
|
|
|
|
|
|
1. System overview
|
|
1. System overview
|
|
|
|
|
|
|
@@ -64,7 +62,8 @@ which reveals the downstream node.
|
|
|
|
|
|
|
|
The client generates a pair of 16-byte symmetric keys (one
|
|
The client generates a pair of 16-byte symmetric keys (one
|
|
|
[K_f] for the 'forward' stream from client to server, and one
|
|
[K_f] for the 'forward' stream from client to server, and one
|
|
|
- [K_b] for the 'backward' stream from server to client.
|
|
|
|
|
|
|
+ [K_b] for the 'backward' stream from server to client) to be
|
|
|
|
|
+ used for link encryption.
|
|
|
|
|
|
|
|
The client then generates a 'Client authentication' message [M]
|
|
The client then generates a 'Client authentication' message [M]
|
|
|
containing:
|
|
containing:
|
|
@@ -72,8 +71,8 @@ which reveals the downstream node.
|
|
|
(If client is an OP)
|
|
(If client is an OP)
|
|
|
The number 1 to signify OP handshake [2 bytes]
|
|
The number 1 to signify OP handshake [2 bytes]
|
|
|
Maximum bandwidth (bytes/s) [4 bytes]
|
|
Maximum bandwidth (bytes/s) [4 bytes]
|
|
|
- Forward key [K_f] [16 bytes]
|
|
|
|
|
- Backward key [K_b] [16 bytes]
|
|
|
|
|
|
|
+ Forward link key [K_f] [16 bytes]
|
|
|
|
|
+ Backward link key [K_b] [16 bytes]
|
|
|
[Total: 38 bytes]
|
|
[Total: 38 bytes]
|
|
|
|
|
|
|
|
(If client is an OR)
|
|
(If client is an OR)
|
|
@@ -94,7 +93,7 @@ which reveals the downstream node.
|
|
|
the 128-byte RSA-encrypted data to the server, and waits for a
|
|
the 128-byte RSA-encrypted data to the server, and waits for a
|
|
|
reply.
|
|
reply.
|
|
|
|
|
|
|
|
- 2. The server receives the first handshake
|
|
|
|
|
|
|
+ 2. The server receives the first handshake:
|
|
|
|
|
|
|
|
The OR waits for 128 bytes of data, and decrypts the resulting
|
|
The OR waits for 128 bytes of data, and decrypts the resulting
|
|
|
data with its private key, checking the PKCS1 padding. If
|
|
data with its private key, checking the PKCS1 padding. If
|
|
@@ -178,7 +177,7 @@ which reveals the downstream node.
|
|
|
|
|
|
|
|
Once the handshake is complete, the two sides send cells
|
|
Once the handshake is complete, the two sides send cells
|
|
|
(specified below) to one another. Cells are sent serially,
|
|
(specified below) to one another. Cells are sent serially,
|
|
|
- encrypted with the 3DES-OFB keystream specified by the handshake
|
|
|
|
|
|
|
+ encrypted with the AES-CNT keystream specified by the handshake
|
|
|
protocol. Over a connection, communicants encrypt outgoing cells
|
|
protocol. Over a connection, communicants encrypt outgoing cells
|
|
|
with the connection's K_f, and decrypt incoming cells with the
|
|
with the connection's K_f, and decrypt incoming cells with the
|
|
|
connection's K_b.
|
|
connection's K_b.
|
|
@@ -201,6 +200,8 @@ which reveals the downstream node.
|
|
|
do evil stuff. For instance, if I can guess that a cell is a
|
|
do evil stuff. For instance, if I can guess that a cell is a
|
|
|
TOPIC_COMMAND_BEGIN cell to www.slashdot.org:80 , I can change the
|
|
TOPIC_COMMAND_BEGIN cell to www.slashdot.org:80 , I can change the
|
|
|
address and port to point to a machine I control. -NM]
|
|
address and port to point to a machine I control. -NM]
|
|
|
|
|
+ [We're going to address this tagging issue with e2e-only hashes.
|
|
|
|
|
+ See TODO file. -RD]
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Cell Packet format
|
|
3. Cell Packet format
|
|
@@ -386,7 +387,7 @@ which reveals the downstream node.
|
|
|
|
|
|
|
|
Otherwise, if the OR is not at the OP edge of the circuit (that is,
|
|
Otherwise, if the OR is not at the OP edge of the circuit (that is,
|
|
|
either an 'exit node' or a non-edge node), it de/encrypts the length
|
|
either an 'exit node' or a non-edge node), it de/encrypts the length
|
|
|
- field and the payload with 3DES/OFB, as follows:
|
|
|
|
|
|
|
+ field and the payload with AES/CNT, as follows:
|
|
|
'Forward' relay cell (same direction as CREATE):
|
|
'Forward' relay cell (same direction as CREATE):
|
|
|
Use Kf as key; encrypt.
|
|
Use Kf as key; encrypt.
|
|
|
'Back' relay cell (opposite direction from CREATE):
|
|
'Back' relay cell (opposite direction from CREATE):
|
|
@@ -401,13 +402,13 @@ which reveals the downstream node.
|
|
|
handshakes. -RD]
|
|
handshakes. -RD]
|
|
|
|
|
|
|
|
Otherwise, if the data cell is coming from the OP edge of the
|
|
Otherwise, if the data cell is coming from the OP edge of the
|
|
|
- circuit, the OP decrypts the length and payload fields with 3DES/OFB as
|
|
|
|
|
|
|
+ circuit, the OP decrypts the length and payload fields with AES/CNT as
|
|
|
follows:
|
|
follows:
|
|
|
OP sends data cell to node R_M:
|
|
OP sends data cell to node R_M:
|
|
|
For I=1...M, decrypt with Kf_I.
|
|
For I=1...M, decrypt with Kf_I.
|
|
|
|
|
|
|
|
Otherwise, if the data cell is arriving at the OP edge if the
|
|
Otherwise, if the data cell is arriving at the OP edge if the
|
|
|
- circuit, the OP encrypts the length and payload fields with 3DES/OFB as
|
|
|
|
|
|
|
+ circuit, the OP encrypts the length and payload fields with AES/CNT as
|
|
|
follows:
|
|
follows:
|
|
|
OP receives data cell:
|
|
OP receives data cell:
|
|
|
For I=N...1,
|
|
For I=N...1,
|
|
@@ -465,7 +466,6 @@ which reveals the downstream node.
|
|
|
Once a connection has been established, the OP and exit node
|
|
Once a connection has been established, the OP and exit node
|
|
|
package stream data in RELAY_DATA cells, and upon receiving such
|
|
package stream data in RELAY_DATA cells, and upon receiving such
|
|
|
cells, echo their contents to the corresponding TCP stream.
|
|
cells, echo their contents to the corresponding TCP stream.
|
|
|
- [XXX Mention zlib encoding. -NM]
|
|
|
|
|
|
|
|
|
|
5.2. Closing streams
|
|
5.2. Closing streams
|
|
|
|
|
|
|
@@ -511,6 +511,10 @@ which reveals the downstream node.
|
|
|
number of bytes per second on average, though they may use mechanisms
|
|
number of bytes per second on average, though they may use mechanisms
|
|
|
to handle spikes (eg token buckets).
|
|
to handle spikes (eg token buckets).
|
|
|
|
|
|
|
|
|
|
+ [This isn't true anymore. Each node has a total bandwidth it's willing
|
|
|
|
|
+ to accept from all nodes per second; it ignores negotiated
|
|
|
|
|
+ per-connection bandwidths. -RD]
|
|
|
|
|
+
|
|
|
Communicants rely on TCP's default flow control to push back when they
|
|
Communicants rely on TCP's default flow control to push back when they
|
|
|
stop reading, so nodes that don't obey this bandwidth limit can't do
|
|
stop reading, so nodes that don't obey this bandwidth limit can't do
|
|
|
too much damage.
|
|
too much damage.
|
Roger Dingledine