tor-spec.txt 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949
  1. $Id$
  2. Tor Protocol Specification
  3. Roger Dingledine
  4. Nick Mathewson
  5. Note: This document aims to specify Tor as implemented in 0.2.1.x. Future
  6. versions of Tor may implement improved protocols, and compatibility is not
  7. guaranteed. Compatibility notes are given for versions 0.1.1.15-rc and
  8. later; earlier versions are not compatible with the Tor network as of this
  9. writing.
  10. This specification is not a design document; most design criteria
  11. are not examined. For more information on why Tor acts as it does,
  12. see tor-design.pdf.
  13. 0. Preliminaries
  14. 0.1. Notation and encoding
  15. PK -- a public key.
  16. SK -- a private key.
  17. K -- a key for a symmetric cypher.
  18. a|b -- concatenation of 'a' and 'b'.
  19. [A0 B1 C2] -- a three-byte sequence, containing the bytes with
  20. hexadecimal values A0, B1, and C2, in that order.
  21. All numeric values are encoded in network (big-endian) order.
  22. H(m) -- a cryptographic hash of m.
  23. 0.2. Security parameters
  24. Tor uses a stream cipher, a public-key cipher, the Diffie-Hellman
  25. protocol, and a hash function.
  26. KEY_LEN -- the length of the stream cipher's key, in bytes.
  27. PK_ENC_LEN -- the length of a public-key encrypted message, in bytes.
  28. PK_PAD_LEN -- the number of bytes added in padding for public-key
  29. encryption, in bytes. (The largest number of bytes that can be encrypted
  30. in a single public-key operation is therefore PK_ENC_LEN-PK_PAD_LEN.)
  31. DH_LEN -- the number of bytes used to represent a member of the
  32. Diffie-Hellman group.
  33. DH_SEC_LEN -- the number of bytes used in a Diffie-Hellman private key (x).
  34. HASH_LEN -- the length of the hash function's output, in bytes.
  35. PAYLOAD_LEN -- The longest allowable cell payload, in bytes. (509)
  36. CELL_LEN -- The length of a Tor cell, in bytes.
  37. 0.3. Ciphers
  38. For a stream cipher, we use 128-bit AES in counter mode, with an IV of all
  39. 0 bytes.
  40. For a public-key cipher, we use RSA with 1024-bit keys and a fixed
  41. exponent of 65537. We use OAEP-MGF1 padding, with SHA-1 as its digest
  42. function. We leave optional the "Label" parameter unset. (For OAEP
  43. padding, see ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf)
  44. [Nick, what does "we leave optional the Label parameter unset" mean? -RD]
  45. For Diffie-Hellman, we use a generator (g) of 2. For the modulus (p), we
  46. use the 1024-bit safe prime from rfc2409 section 6.2 whose hex
  47. representation is:
  48. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  49. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  50. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  51. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  52. "49286651ECE65381FFFFFFFFFFFFFFFF"
  53. As an optimization, implementations SHOULD choose DH private keys (x) of
  54. 320 bits. Implementations that do this MUST never use any DH key more
  55. than once.
  56. [May other implementations reuse their DH keys?? -RD]
  57. [Probably not. Conceivably, you could get away with changing DH keys once
  58. per second, but there are too many oddball attacks for me to be
  59. comfortable that this is safe. -NM]
  60. For a hash function, we use SHA-1.
  61. KEY_LEN=16.
  62. DH_LEN=128; DH_SEC_LEN=40.
  63. PK_ENC_LEN=128; PK_PAD_LEN=42.
  64. HASH_LEN=20.
  65. When we refer to "the hash of a public key", we mean the SHA-1 hash of the
  66. DER encoding of an ASN.1 RSA public key (as specified in PKCS.1).
  67. All "random" values should be generated with a cryptographically strong
  68. random number generator, unless otherwise noted.
  69. The "hybrid encryption" of a byte sequence M with a public key PK is
  70. computed as follows:
  71. 1. If M is less than PK_ENC_LEN-PK_PAD_LEN, pad and encrypt M with PK.
  72. 2. Otherwise, generate a KEY_LEN byte random key K.
  73. Let M1 = the first PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes of M,
  74. and let M2 = the rest of M.
  75. Pad and encrypt K|M1 with PK. Encrypt M2 with our stream cipher,
  76. using the key K. Concatenate these encrypted values.
  77. [XXX Note that this "hybrid encryption" approach does not prevent
  78. an attacker from adding or removing bytes to the end of M. It also
  79. allows attackers to modify the bytes not covered by the OAEP --
  80. see Goldberg's PET2006 paper for details. We will add a MAC to this
  81. scheme one day. -RD]
  82. 0.4. Other parameter values
  83. CELL_LEN=512
  84. 1. System overview
  85. Tor is a distributed overlay network designed to anonymize
  86. low-latency TCP-based applications such as web browsing, secure shell,
  87. and instant messaging. Clients choose a path through the network and
  88. build a ``circuit'', in which each node (or ``onion router'' or ``OR'')
  89. in the path knows its predecessor and successor, but no other nodes in
  90. the circuit. Traffic flowing down the circuit is sent in fixed-size
  91. ``cells'', which are unwrapped by a symmetric key at each node (like
  92. the layers of an onion) and relayed downstream.
  93. 1.1. Keys and names
  94. Every Tor server has multiple public/private keypairs:
  95. - A long-term signing-only "Identity key" used to sign documents and
  96. certificates, and used to establish server identity.
  97. - A medium-term "Onion key" used to decrypt onion skins when accepting
  98. circuit extend attempts. (See 5.1.) Old keys MUST be accepted for at
  99. least one week after they are no longer advertised. Because of this,
  100. servers MUST retain old keys for a while after they're rotated.
  101. - A short-term "Connection key" used to negotiate TLS connections.
  102. Tor implementations MAY rotate this key as often as they like, and
  103. SHOULD rotate this key at least once a day.
  104. Tor servers are also identified by "nicknames"; these are specified in
  105. dir-spec.txt.
  106. 2. Connections
  107. Connections between two Tor servers, or between a client and a server,
  108. use TLS/SSLv3 for link authentication and encryption. All
  109. implementations MUST support the SSLv3 ciphersuite
  110. "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", and SHOULD support the TLS
  111. ciphersuite "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available.
  112. There are three acceptable ways to perform a TLS handshake when
  113. connecting to a Tor server: "certificates up-front", "renegotiation", and
  114. "backwards-compatible renegotiation". ("Backwards-compatible
  115. renegotiation" is, as the name implies, compatible with both other
  116. handshake types.)
  117. Before Tor 0.2.0.21, only "certificates up-front" was supported. In Tor
  118. 0.2.0.21 or later, "backwards-compatible renegotiation" is used.
  119. In "certificates up-front", the connection initiator always sends a
  120. two-certificate chain, consisting of an X.509 certificate using a
  121. short-term connection public key and a second, self- signed X.509
  122. certificate containing its identity key. The other party sends a similar
  123. certificate chain. The initiator's ClientHello MUST NOT include any
  124. ciphersuites other than:
  125. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  126. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  127. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  128. SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  129. In "renegotiation", the connection initiator sends no certificates, and
  130. the responder sends a single connection certificate. Once the TLS
  131. handshake is complete, the initiator renegotiates the handshake, with each
  132. parties sending a two-certificate chain as in "certificates up-front".
  133. The initiator's ClientHello MUST include at least once ciphersuite not in
  134. the list above. The responder SHOULD NOT select any ciphersuite besides
  135. those in the list above.
  136. [The above "should not" is because some of the ciphers that
  137. clients list may be fake.]
  138. In "backwards-compatible renegotiation", the connection initiator's
  139. ClientHello MUST include at least one ciphersuite other than those listed
  140. above. The connection responder examines the initiator's ciphersuite list
  141. to see whether it includes any ciphers other than those included in the
  142. list above. If extra ciphers are included, the responder proceeds as in
  143. "renegotiation": it sends a single certificate and does not request
  144. client certificates. Otherwise (in the case that no extra ciphersuites
  145. are included in the ClientHello) the responder proceeds as in
  146. "certificates up-front": it requests client certificates, and sends a
  147. two-certificate chain. In either case, once the responder has sent its
  148. certificate or certificates, the initiator counts them. If two
  149. certificates have been sent, it proceeds as in "certificates up-front";
  150. otherwise, it proceeds as in "renegotiation".
  151. All new implementations of the Tor server protocol MUST support
  152. "backwards-compatible renegotiation"; clients SHOULD do this too. If
  153. this is not possible, new client implementations MUST support both
  154. "renegotiation" and "certificates up-front" and use the router's
  155. published link protocols list (see dir-spec.txt on the "protocols" entry)
  156. to decide which to use.
  157. In all of the above handshake variants, certificates sent in the clear
  158. SHOULD NOT include any strings to identify the host as a Tor server. In
  159. the "renegotation" and "backwards-compatible renegotiation", the
  160. initiator SHOULD chose a list of ciphersuites and TLS extensions chosen
  161. to mimic one used by a popular web browser.
  162. Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
  163. or whose symmetric keys are less then KEY_LEN bits, or whose digests are
  164. less than HASH_LEN bits. Responders SHOULD NOT select any SSLv3
  165. ciphersuite other than those listed above.
  166. Even though the connection protocol is identical, we will think of the
  167. initiator as either an onion router (OR) if it is willing to relay
  168. traffic for other Tor users, or an onion proxy (OP) if it only handles
  169. local requests. Onion proxies SHOULD NOT provide long-term-trackable
  170. identifiers in their handshakes.
  171. In all handshake variants, once all certificates are exchanged, all
  172. parties receiving certificates must confirm that the identity key is as
  173. expected. (When initiating a connection, the expected identity key is
  174. the one given in the directory; when creating a connection because of an
  175. EXTEND cell, the expected identity key is the one given in the cell.) If
  176. the key is not as expected, the party must close the connection.
  177. When connecting to an OR, all parties SHOULD reject the connection if that
  178. OR has a malformed or missing certificate. When accepting an incoming
  179. connection, an OR SHOULD NOT reject incoming connections from parties with
  180. malformed or missing certificates. (However, an OR should not believe
  181. that an incoming connection is from another OR unless the certificates
  182. are present and well-formed.)
  183. [Before version 0.1.2.8-rc, ORs rejected incoming connections from ORs and
  184. OPs alike if their certificates were missing or malformed.]
  185. Once a TLS connection is established, the two sides send cells
  186. (specified below) to one another. Cells are sent serially. All
  187. cells are CELL_LEN bytes long. Cells may be sent embedded in TLS
  188. records of any size or divided across TLS records, but the framing
  189. of TLS records MUST NOT leak information about the type or contents
  190. of the cells.
  191. TLS connections are not permanent. Either side MAY close a connection
  192. if there are no circuits running over it and an amount of time
  193. (KeepalivePeriod, defaults to 5 minutes) has passed since the last time
  194. any traffic was transmitted over the TLS connection. Clients SHOULD
  195. also hold a TLS connection with no circuits open, if it is likely that a
  196. circuit will be built soon using that connection.
  197. (As an exception, directory servers may try to stay connected to all of
  198. the ORs -- though this will be phased out for the Tor 0.1.2.x release.)
  199. 3. Cell Packet format
  200. The basic unit of communication for onion routers and onion
  201. proxies is a fixed-width "cell".
  202. On a version 1 connection, each cell contains the following
  203. fields:
  204. CircID [2 bytes]
  205. Command [1 byte]
  206. Payload (padded with 0 bytes) [PAYLOAD_LEN bytes]
  207. On a version 2 connection, all cells are as in version 1 connections,
  208. except for the initial VERSIONS cell, whose format is:
  209. Circuit [2 octets; set to 0]
  210. Command [1 octet; set to 7 for VERSIONS]
  211. Length [2 octets; big-endian integer]
  212. Payload [Length bytes]
  213. The CircID field determines which circuit, if any, the cell is
  214. associated with.
  215. The 'Command' field holds one of the following values:
  216. 0 -- PADDING (Padding) (See Sec 7.2)
  217. 1 -- CREATE (Create a circuit) (See Sec 5.1)
  218. 2 -- CREATED (Acknowledge create) (See Sec 5.1)
  219. 3 -- RELAY (End-to-end data) (See Sec 5.5 and 6)
  220. 4 -- DESTROY (Stop using a circuit) (See Sec 5.4)
  221. 5 -- CREATE_FAST (Create a circuit, no PK) (See Sec 5.1)
  222. 6 -- CREATED_FAST (Circuit created, no PK) (See Sec 5.1)
  223. 7 -- VERSIONS (Negotiate proto version) (See Sec 4)
  224. 8 -- NETINFO (Time and address info) (See Sec 4)
  225. The interpretation of 'Payload' depends on the type of the cell.
  226. PADDING: Payload is unused.
  227. CREATE: Payload contains the handshake challenge.
  228. CREATED: Payload contains the handshake response.
  229. RELAY: Payload contains the relay header and relay body.
  230. DESTROY: Payload contains a reason for closing the circuit.
  231. (see 5.4)
  232. Upon receiving any other value for the command field, an OR must
  233. drop the cell. Since more cell types may be added in the future, ORs
  234. should generally not warn when encountering unrecognized commands.
  235. The payload is padded with 0 bytes.
  236. PADDING cells are currently used to implement connection keepalive.
  237. If there is no other traffic, ORs and OPs send one another a PADDING
  238. cell every few minutes.
  239. CREATE, CREATED, and DESTROY cells are used to manage circuits;
  240. see section 5 below.
  241. RELAY cells are used to send commands and data along a circuit; see
  242. section 6 below.
  243. VERSIONS and NETINFO cells are used to set up connections. See section 4
  244. below.
  245. 4. Negotiating and initializing connections
  246. 4.1. Negotiating versions with VERSIONS cells
  247. There are multiple instances of the Tor link connection protocol. Any
  248. connection negotiated using the "certificates up front" handshake (see
  249. section 2 above) is "version 1". In any connection where both parties
  250. have behaved as in the "renegotiation" handshake, the link protocol
  251. version is 2 or higher.
  252. To determine the version, in any connection where the "renegotiation"
  253. handshake was used (that is, where the server sent only one certificate
  254. at first and where the client did not send any certificates until
  255. renegotiation), both parties MUST send a VERSIONS cell immediately after
  256. the renegotiation is finished, before any other cells are sent. Parties
  257. MUST NOT send any other cells on a connection until they have received a
  258. VERSIONS cell.
  259. The payload in a VERSIONS cell is a series of big-endian two-byte
  260. integers. Both parties MUST select as the link protocol version the
  261. highest number contained both in the VERSIONS cell they sent and in the
  262. versions cell they received. If they have no such version in common,
  263. they cannot communicate and MUST close the connection.
  264. Since the version 1 link protocol does not use the "renegotiation"
  265. handshake, implementations MUST NOT list version 1 in their VERSIONS
  266. cell.
  267. 4.2. NETINFO cells
  268. If version 2 or higher is negotiated, each party sends the other a
  269. NETINFO cell. The cell's payload is:
  270. Timestamp [4 bytes]
  271. Other OR's address [variable]
  272. Number of addresses [1 byte]
  273. This OR's addresses [variable]
  274. The address format is a type/length/value sequence as given in section
  275. 6.4 below. The timestamp is a big-endian unsigned integer number of
  276. seconds since the unix epoch.
  277. Implementations MAY use the timestamp value to help decide if their
  278. clocks are skewed. Initiators MAY use "other OR's address" to help
  279. learn which address their connections are originating from, if they do
  280. not know it. Initiators SHOULD use "this OR's address" to make sure
  281. that they have connected to another OR at its canonical address.
  282. [As of 0.2.0.23-rc, implementations use none of the above values.]
  283. 5. Circuit management
  284. 5.1. CREATE and CREATED cells
  285. Users set up circuits incrementally, one hop at a time. To create a
  286. new circuit, OPs send a CREATE cell to the first node, with the
  287. first half of the DH handshake; that node responds with a CREATED
  288. cell with the second half of the DH handshake plus the first 20 bytes
  289. of derivative key data (see section 5.2). To extend a circuit past
  290. the first hop, the OP sends an EXTEND relay cell (see section 5)
  291. which instructs the last node in the circuit to send a CREATE cell
  292. to extend the circuit.
  293. The payload for a CREATE cell is an 'onion skin', which consists
  294. of the first step of the DH handshake data (also known as g^x).
  295. This value is hybrid-encrypted (see 0.3) to Bob's onion key, giving
  296. an onion-skin of:
  297. PK-encrypted:
  298. Padding padding [PK_PAD_LEN bytes]
  299. Symmetric key [KEY_LEN bytes]
  300. First part of g^x [PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes]
  301. Symmetrically encrypted:
  302. Second part of g^x [DH_LEN-(PK_ENC_LEN-PK_PAD_LEN-KEY_LEN)
  303. bytes]
  304. The relay payload for an EXTEND relay cell consists of:
  305. Address [4 bytes]
  306. Port [2 bytes]
  307. Onion skin [DH_LEN+KEY_LEN+PK_PAD_LEN bytes]
  308. Identity fingerprint [HASH_LEN bytes]
  309. The port and address field denote the IPV4 address and port of the next
  310. onion router in the circuit; the public key hash is the hash of the PKCS#1
  311. ASN1 encoding of the next onion router's identity (signing) key. (See 0.3
  312. above.) (Including this hash allows the extending OR verify that it is
  313. indeed connected to the correct target OR, and prevents certain
  314. man-in-the-middle attacks.)
  315. The payload for a CREATED cell, or the relay payload for an
  316. EXTENDED cell, contains:
  317. DH data (g^y) [DH_LEN bytes]
  318. Derivative key data (KH) [HASH_LEN bytes] <see 5.2 below>
  319. The CircID for a CREATE cell is an arbitrarily chosen 2-byte integer,
  320. selected by the node (OP or OR) that sends the CREATE cell. To prevent
  321. CircID collisions, when one node sends a CREATE cell to another, it chooses
  322. from only one half of the possible values based on the ORs' public
  323. identity keys: if the sending node has a lower key, it chooses a CircID with
  324. an MSB of 0; otherwise, it chooses a CircID with an MSB of 1.
  325. (An OP with no public key MAY choose any CircID it wishes, since an OP
  326. never needs to process a CREATE cell.)
  327. Public keys are compared numerically by modulus.
  328. As usual with DH, x and y MUST be generated randomly.
  329. 5.1.1. CREATE_FAST/CREATED_FAST cells
  330. When initializing the first hop of a circuit, the OP has already
  331. established the OR's identity and negotiated a secret key using TLS.
  332. Because of this, it is not always necessary for the OP to perform the
  333. public key operations to create a circuit. In this case, the
  334. OP MAY send a CREATE_FAST cell instead of a CREATE cell for the first
  335. hop only. The OR responds with a CREATED_FAST cell, and the circuit is
  336. created.
  337. A CREATE_FAST cell contains:
  338. Key material (X) [HASH_LEN bytes]
  339. A CREATED_FAST cell contains:
  340. Key material (Y) [HASH_LEN bytes]
  341. Derivative key data [HASH_LEN bytes] (See 5.2 below)
  342. The values of X and Y must be generated randomly.
  343. If an OR sees a circuit created with CREATE_FAST, the OR is sure to be the
  344. first hop of a circuit. ORs SHOULD reject attempts to create streams with
  345. RELAY_BEGIN exiting the circuit at the first hop: letting Tor be used as a
  346. single hop proxy makes exit nodes a more attractive target for compromise.
  347. 5.2. Setting circuit keys
  348. Once the handshake between the OP and an OR is completed, both can
  349. now calculate g^xy with ordinary DH. Before computing g^xy, both client
  350. and server MUST verify that the received g^x or g^y value is not degenerate;
  351. that is, it must be strictly greater than 1 and strictly less than p-1
  352. where p is the DH modulus. Implementations MUST NOT complete a handshake
  353. with degenerate keys. Implementations MUST NOT discard other "weak"
  354. g^x values.
  355. (Discarding degenerate keys is critical for security; if bad keys
  356. are not discarded, an attacker can substitute the server's CREATED
  357. cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
  358. the server. Discarding other keys may allow attacks to learn bits of
  359. the private key.)
  360. If CREATE or EXTEND is used to extend a circuit, the client and server
  361. base their key material on K0=g^xy, represented as a big-endian unsigned
  362. integer.
  363. If CREATE_FAST is used, the client and server base their key material on
  364. K0=X|Y.
  365. From the base key material K0, they compute KEY_LEN*2+HASH_LEN*3 bytes of
  366. derivative key data as
  367. K = H(K0 | [00]) | H(K0 | [01]) | H(K0 | [02]) | ...
  368. The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
  369. digest Df; the next HASH_LEN 41-60 form the backward digest Db; the next
  370. KEY_LEN 61-76 form Kf, and the final KEY_LEN form Kb. Excess bytes from K
  371. are discarded.
  372. KH is used in the handshake response to demonstrate knowledge of the
  373. computed shared key. Df is used to seed the integrity-checking hash
  374. for the stream of data going from the OP to the OR, and Db seeds the
  375. integrity-checking hash for the data stream from the OR to the OP. Kf
  376. is used to encrypt the stream of data going from the OP to the OR, and
  377. Kb is used to encrypt the stream of data going from the OR to the OP.
  378. 5.3. Creating circuits
  379. When creating a circuit through the network, the circuit creator
  380. (OP) performs the following steps:
  381. 1. Choose an onion router as an exit node (R_N), such that the onion
  382. router's exit policy includes at least one pending stream that
  383. needs a circuit (if there are any).
  384. 2. Choose a chain of (N-1) onion routers
  385. (R_1...R_N-1) to constitute the path, such that no router
  386. appears in the path twice.
  387. 3. If not already connected to the first router in the chain,
  388. open a new connection to that router.
  389. 4. Choose a circID not already in use on the connection with the
  390. first router in the chain; send a CREATE cell along the
  391. connection, to be received by the first onion router.
  392. 5. Wait until a CREATED cell is received; finish the handshake
  393. and extract the forward key Kf_1 and the backward key Kb_1.
  394. 6. For each subsequent onion router R (R_2 through R_N), extend
  395. the circuit to R.
  396. To extend the circuit by a single onion router R_M, the OP performs
  397. these steps:
  398. 1. Create an onion skin, encrypted to R_M's public onion key.
  399. 2. Send the onion skin in a relay EXTEND cell along
  400. the circuit (see section 5).
  401. 3. When a relay EXTENDED cell is received, verify KH, and
  402. calculate the shared keys. The circuit is now extended.
  403. When an onion router receives an EXTEND relay cell, it sends a CREATE
  404. cell to the next onion router, with the enclosed onion skin as its
  405. payload. The initiating onion router chooses some circID not yet
  406. used on the connection between the two onion routers. (But see
  407. section 5.1. above, concerning choosing circIDs based on
  408. lexicographic order of nicknames.)
  409. When an onion router receives a CREATE cell, if it already has a
  410. circuit on the given connection with the given circID, it drops the
  411. cell. Otherwise, after receiving the CREATE cell, it completes the
  412. DH handshake, and replies with a CREATED cell. Upon receiving a
  413. CREATED cell, an onion router packs it payload into an EXTENDED relay
  414. cell (see section 5), and sends that cell up the circuit. Upon
  415. receiving the EXTENDED relay cell, the OP can retrieve g^y.
  416. (As an optimization, OR implementations may delay processing onions
  417. until a break in traffic allows time to do so without harming
  418. network latency too greatly.)
  419. 5.3.1. Canonical connections
  420. It is possible for an attacker to launch a man-in-the-middle attack
  421. against a connection by telling OR Alice to extend to OR Bob at some
  422. address X controlled by the attacker. The attacker cannot read the
  423. encrypted traffic, but the attacker is now in a position to count all
  424. bytes sent between Alice and Bob (assuming Alice was not already
  425. connected to Bob.)
  426. To prevent this, when an OR we gets an extend request, it SHOULD use an
  427. existing OR connection if the ID matches, and ANY of the following
  428. conditions hold:
  429. - The IP matches the requested IP.
  430. - The OR knows that the IP of the connection it's using is canonical
  431. because it was listed in the NETINFO cell.
  432. - The OR knows that the IP of the connection it's using is canonical
  433. because it was listed in the server descriptor.
  434. [This is not implemented in Tor 0.2.0.23-rc.]
  435. 5.4. Tearing down circuits
  436. Circuits are torn down when an unrecoverable error occurs along
  437. the circuit, or when all streams on a circuit are closed and the
  438. circuit's intended lifetime is over. Circuits may be torn down
  439. either completely or hop-by-hop.
  440. To tear down a circuit completely, an OR or OP sends a DESTROY
  441. cell to the adjacent nodes on that circuit, using the appropriate
  442. direction's circID.
  443. Upon receiving an outgoing DESTROY cell, an OR frees resources
  444. associated with the corresponding circuit. If it's not the end of
  445. the circuit, it sends a DESTROY cell for that circuit to the next OR
  446. in the circuit. If the node is the end of the circuit, then it tears
  447. down any associated edge connections (see section 6.1).
  448. After a DESTROY cell has been processed, an OR ignores all data or
  449. destroy cells for the corresponding circuit.
  450. To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
  451. signaling a given OR (Stream ID zero). That OR sends a DESTROY
  452. cell to the next node in the circuit, and replies to the OP with a
  453. RELAY_TRUNCATED cell.
  454. When an unrecoverable error occurs along one connection in a
  455. circuit, the nodes on either side of the connection should, if they
  456. are able, act as follows: the node closer to the OP should send a
  457. RELAY_TRUNCATED cell towards the OP; the node farther from the OP
  458. should send a DESTROY cell down the circuit.
  459. The payload of a RELAY_TRUNCATED or DESTROY cell contains a single octet,
  460. describing why the circuit is being closed or truncated. When sending a
  461. TRUNCATED or DESTROY cell because of another TRUNCATED or DESTROY cell,
  462. the error code should be propagated. The origin of a circuit always sets
  463. this error code to 0, to avoid leaking its version.
  464. The error codes are:
  465. 0 -- NONE (No reason given.)
  466. 1 -- PROTOCOL (Tor protocol violation.)
  467. 2 -- INTERNAL (Internal error.)
  468. 3 -- REQUESTED (A client sent a TRUNCATE command.)
  469. 4 -- HIBERNATING (Not currently operating; trying to save bandwidth.)
  470. 5 -- RESOURCELIMIT (Out of memory, sockets, or circuit IDs.)
  471. 6 -- CONNECTFAILED (Unable to reach server.)
  472. 7 -- OR_IDENTITY (Connected to server, but its OR identity was not
  473. as expected.)
  474. 8 -- OR_CONN_CLOSED (The OR connection that was carrying this circuit
  475. died.)
  476. 9 -- FINISHED (The circuit has expired for being dirty or old.)
  477. 10 -- TIMEOUT (Circuit construction took too long)
  478. 11 -- DESTROYED (The circuit was destroyed w/o client TRUNCATE)
  479. 12 -- NOSUCHSERVICE (Request for unknown hidden service)
  480. 5.5. Routing relay cells
  481. When an OR receives a RELAY cell, it checks the cell's circID and
  482. determines whether it has a corresponding circuit along that
  483. connection. If not, the OR drops the RELAY cell.
  484. Otherwise, if the OR is not at the OP edge of the circuit (that is,
  485. either an 'exit node' or a non-edge node), it de/encrypts the payload
  486. with the stream cipher, as follows:
  487. 'Forward' relay cell (same direction as CREATE):
  488. Use Kf as key; decrypt.
  489. 'Back' relay cell (opposite direction from CREATE):
  490. Use Kb as key; encrypt.
  491. Note that in counter mode, decrypt and encrypt are the same operation.
  492. The OR then decides whether it recognizes the relay cell, by
  493. inspecting the payload as described in section 6.1 below. If the OR
  494. recognizes the cell, it processes the contents of the relay cell.
  495. Otherwise, it passes the decrypted relay cell along the circuit if
  496. the circuit continues. If the OR at the end of the circuit
  497. encounters an unrecognized relay cell, an error has occurred: the OR
  498. sends a DESTROY cell to tear down the circuit.
  499. When a relay cell arrives at an OP, the OP decrypts the payload
  500. with the stream cipher as follows:
  501. OP receives data cell:
  502. For I=N...1,
  503. Decrypt with Kb_I. If the payload is recognized (see
  504. section 6..1), then stop and process the payload.
  505. For more information, see section 6 below.
  506. 6. Application connections and stream management
  507. 6.1. Relay cells
  508. Within a circuit, the OP and the exit node use the contents of
  509. RELAY packets to tunnel end-to-end commands and TCP connections
  510. ("Streams") across circuits. End-to-end commands can be initiated
  511. by either edge; streams are initiated by the OP.
  512. The payload of each unencrypted RELAY cell consists of:
  513. Relay command [1 byte]
  514. 'Recognized' [2 bytes]
  515. StreamID [2 bytes]
  516. Digest [4 bytes]
  517. Length [2 bytes]
  518. Data [CELL_LEN-14 bytes]
  519. The relay commands are:
  520. 1 -- RELAY_BEGIN [forward]
  521. 2 -- RELAY_DATA [forward or backward]
  522. 3 -- RELAY_END [forward or backward]
  523. 4 -- RELAY_CONNECTED [backward]
  524. 5 -- RELAY_SENDME [forward or backward] [sometimes control]
  525. 6 -- RELAY_EXTEND [forward] [control]
  526. 7 -- RELAY_EXTENDED [backward] [control]
  527. 8 -- RELAY_TRUNCATE [forward] [control]
  528. 9 -- RELAY_TRUNCATED [backward] [control]
  529. 10 -- RELAY_DROP [forward or backward] [control]
  530. 11 -- RELAY_RESOLVE [forward]
  531. 12 -- RELAY_RESOLVED [backward]
  532. 13 -- RELAY_BEGIN_DIR [forward]
  533. 32..40 -- Used for hidden services; see rend-spec.txt.
  534. Commands labelled as "forward" must only be sent by the originator
  535. of the circuit. Commands labelled as "backward" must only be sent by
  536. other nodes in the circuit back to the originator. Commands marked
  537. as either can be sent either by the originator or other nodes.
  538. The 'recognized' field in any unencrypted relay payload is always set
  539. to zero; the 'digest' field is computed as the first four bytes of
  540. the running digest of all the bytes that have been destined for
  541. this hop of the circuit or originated from this hop of the circuit,
  542. seeded from Df or Db respectively (obtained in section 5.2 above),
  543. and including this RELAY cell's entire payload (taken with the digest
  544. field set to zero).
  545. When the 'recognized' field of a RELAY cell is zero, and the digest
  546. is correct, the cell is considered "recognized" for the purposes of
  547. decryption (see section 5.5 above).
  548. (The digest does not include any bytes from relay cells that do
  549. not start or end at this hop of the circuit. That is, it does not
  550. include forwarded data. Therefore if 'recognized' is zero but the
  551. digest does not match, the running digest at that node should
  552. not be updated, and the cell should be forwarded on.)
  553. All RELAY cells pertaining to the same tunneled stream have the
  554. same stream ID. StreamIDs are chosen arbitrarily by the OP. RELAY
  555. cells that affect the entire circuit rather than a particular
  556. stream use a StreamID of zero -- they are marked in the table above
  557. as "[control]" style cells. (Sendme cells are marked as "sometimes
  558. control" because they can take include a StreamID or not depending
  559. on their purpose -- see Section 7.)
  560. The 'Length' field of a relay cell contains the number of bytes in
  561. the relay payload which contain real payload data. The remainder of
  562. the payload is padded with NUL bytes.
  563. If the RELAY cell is recognized but the relay command is not
  564. understood, the cell must be dropped and ignored. Its contents
  565. still count with respect to the digests, though.
  566. 6.2. Opening streams and transferring data
  567. To open a new anonymized TCP connection, the OP chooses an open
  568. circuit to an exit that may be able to connect to the destination
  569. address, selects an arbitrary StreamID not yet used on that circuit,
  570. and constructs a RELAY_BEGIN cell with a payload encoding the address
  571. and port of the destination host. The payload format is:
  572. ADDRESS | ':' | PORT | [00]
  573. where ADDRESS can be a DNS hostname, or an IPv4 address in
  574. dotted-quad format, or an IPv6 address surrounded by square brackets;
  575. and where PORT is a decimal integer between 1 and 65535, inclusive.
  576. [What is the [00] for? -NM]
  577. [It's so the payload is easy to parse out with string funcs -RD]
  578. Upon receiving this cell, the exit node resolves the address as
  579. necessary, and opens a new TCP connection to the target port. If the
  580. address cannot be resolved, or a connection can't be established, the
  581. exit node replies with a RELAY_END cell. (See 6.4 below.)
  582. Otherwise, the exit node replies with a RELAY_CONNECTED cell, whose
  583. payload is in one of the following formats:
  584. The IPv4 address to which the connection was made [4 octets]
  585. A number of seconds (TTL) for which the address may be cached [4 octets]
  586. or
  587. Four zero-valued octets [4 octets]
  588. An address type (6) [1 octet]
  589. The IPv6 address to which the connection was made [16 octets]
  590. A number of seconds (TTL) for which the address may be cached [4 octets]
  591. [XXXX No version of Tor currently generates the IPv6 format.]
  592. [Tor servers before 0.1.2.0 set the TTL field to a fixed value. Later
  593. versions set the TTL to the last value seen from a DNS server, and expire
  594. their own cached entries after a fixed interval. This prevents certain
  595. attacks.]
  596. The OP waits for a RELAY_CONNECTED cell before sending any data.
  597. Once a connection has been established, the OP and exit node
  598. package stream data in RELAY_DATA cells, and upon receiving such
  599. cells, echo their contents to the corresponding TCP stream.
  600. RELAY_DATA cells sent to unrecognized streams are dropped.
  601. Relay RELAY_DROP cells are long-range dummies; upon receiving such
  602. a cell, the OR or OP must drop it.
  603. 6.2.1. Opening a directory stream
  604. If a Tor server is a directory server, it should respond to a
  605. RELAY_BEGIN_DIR cell as if it had received a BEGIN cell requesting a
  606. connection to its directory port. RELAY_BEGIN_DIR cells ignore exit
  607. policy, since the stream is local to the Tor process.
  608. If the Tor server is not running a directory service, it should respond
  609. with a REASON_NOTDIRECTORY RELAY_END cell.
  610. Clients MUST generate an all-zero payload for RELAY_BEGIN_DIR cells,
  611. and servers MUST ignore the payload.
  612. [RELAY_BEGIN_DIR was not supported before Tor 0.1.2.2-alpha; clients
  613. SHOULD NOT send it to routers running earlier versions of Tor.]
  614. 6.3. Closing streams
  615. When an anonymized TCP connection is closed, or an edge node
  616. encounters error on any stream, it sends a 'RELAY_END' cell along the
  617. circuit (if possible) and closes the TCP connection immediately. If
  618. an edge node receives a 'RELAY_END' cell for any stream, it closes
  619. the TCP connection completely, and sends nothing more along the
  620. circuit for that stream.
  621. The payload of a RELAY_END cell begins with a single 'reason' byte to
  622. describe why the stream is closing, plus optional data (depending on
  623. the reason.) The values are:
  624. 1 -- REASON_MISC (catch-all for unlisted reasons)
  625. 2 -- REASON_RESOLVEFAILED (couldn't look up hostname)
  626. 3 -- REASON_CONNECTREFUSED (remote host refused connection) [*]
  627. 4 -- REASON_EXITPOLICY (OR refuses to connect to host or port)
  628. 5 -- REASON_DESTROY (Circuit is being destroyed)
  629. 6 -- REASON_DONE (Anonymized TCP connection was closed)
  630. 7 -- REASON_TIMEOUT (Connection timed out, or OR timed out
  631. while connecting)
  632. 8 -- (unallocated) [**]
  633. 9 -- REASON_HIBERNATING (OR is temporarily hibernating)
  634. 10 -- REASON_INTERNAL (Internal error at the OR)
  635. 11 -- REASON_RESOURCELIMIT (OR has no resources to fulfill request)
  636. 12 -- REASON_CONNRESET (Connection was unexpectedly reset)
  637. 13 -- REASON_TORPROTOCOL (Sent when closing connection because of
  638. Tor protocol violations.)
  639. 14 -- REASON_NOTDIRECTORY (Client sent RELAY_BEGIN_DIR to a
  640. non-directory server.)
  641. (With REASON_EXITPOLICY, the 4-byte IPv4 address or 16-byte IPv6 address
  642. forms the optional data, along with a 4-byte TTL; no other reason
  643. currently has extra data.)
  644. OPs and ORs MUST accept reasons not on the above list, since future
  645. versions of Tor may provide more fine-grained reasons.
  646. [*] Older versions of Tor also send this reason when connections are
  647. reset.
  648. [**] Due to a bug in versions of Tor through 0095, error reason 8 must
  649. remain allocated until that version is obsolete.
  650. --- [The rest of this section describes unimplemented functionality.]
  651. Because TCP connections can be half-open, we follow an equivalent
  652. to TCP's FIN/FIN-ACK/ACK protocol to close streams.
  653. An exit connection can have a TCP stream in one of three states:
  654. 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
  655. of modeling transitions, we treat 'CLOSED' as a fourth state,
  656. although connections in this state are not, in fact, tracked by the
  657. onion router.
  658. A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
  659. the corresponding TCP connection, the edge node sends a 'RELAY_FIN'
  660. cell along the circuit and changes its state to 'DONE_PACKAGING'.
  661. Upon receiving a 'RELAY_FIN' cell, an edge node sends a 'FIN' to
  662. the corresponding TCP connection (e.g., by calling
  663. shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
  664. When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
  665. also sends a 'RELAY_FIN' along the circuit, and changes its state
  666. to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
  667. 'RELAY_FIN' cell, it sends a 'FIN' and changes its state to
  668. 'CLOSED'.
  669. If an edge node encounters an error on any stream, it sends a
  670. 'RELAY_END' cell (if possible) and closes the stream immediately.
  671. 6.4. Remote hostname lookup
  672. To find the address associated with a hostname, the OP sends a
  673. RELAY_RESOLVE cell containing the hostname to be resolved. (For a reverse
  674. lookup, the OP sends a RELAY_RESOLVE cell containing an in-addr.arpa
  675. address.) The OR replies with a RELAY_RESOLVED cell containing a status
  676. byte, and any number of answers. Each answer is of the form:
  677. Type (1 octet)
  678. Length (1 octet)
  679. Value (variable-width)
  680. TTL (4 octets)
  681. "Length" is the length of the Value field.
  682. "Type" is one of:
  683. 0x00 -- Hostname
  684. 0x04 -- IPv4 address
  685. 0x06 -- IPv6 address
  686. 0xF0 -- Error, transient
  687. 0xF1 -- Error, nontransient
  688. If any answer has a type of 'Error', then no other answer may be given.
  689. The RELAY_RESOLVE cell must use a nonzero, distinct streamID; the
  690. corresponding RELAY_RESOLVED cell must use the same streamID. No stream
  691. is actually created by the OR when resolving the name.
  692. 7. Flow control
  693. 7.1. Link throttling
  694. Each node should do appropriate bandwidth throttling to keep its
  695. user happy.
  696. Communicants rely on TCP's default flow control to push back when they
  697. stop reading.
  698. 7.2. Link padding
  699. Link padding can be created by sending PADDING cells along the
  700. connection; relay cells of type "DROP" can be used for long-range
  701. padding.
  702. Currently nodes are not required to do any sort of link padding or
  703. dummy traffic. Because strong attacks exist even with link padding,
  704. and because link padding greatly increases the bandwidth requirements
  705. for running a node, we plan to leave out link padding until this
  706. tradeoff is better understood.
  707. 7.3. Circuit-level flow control
  708. To control a circuit's bandwidth usage, each OR keeps track of two
  709. 'windows', consisting of how many RELAY_DATA cells it is allowed to
  710. originate (package for transmission), and how many RELAY_DATA cells
  711. it is willing to consume (receive for local streams). These limits
  712. do not apply to cells that the OR receives from one host and relays
  713. to another.
  714. Each 'window' value is initially set to 1000 data cells
  715. in each direction (cells that are not data cells do not affect
  716. the window). When an OR is willing to deliver more cells, it sends a
  717. RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
  718. receives a RELAY_SENDME cell with stream ID zero, it increments its
  719. packaging window.
  720. Each of these cells increments the corresponding window by 100.
  721. The OP behaves identically, except that it must track a packaging
  722. window and a delivery window for every OR in the circuit.
  723. An OR or OP sends cells to increment its delivery window when the
  724. corresponding window value falls under some threshold (900).
  725. If a packaging window reaches 0, the OR or OP stops reading from
  726. TCP connections for all streams on the corresponding circuit, and
  727. sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
  728. [this stuff is badly worded; copy in the tor-design section -RD]
  729. 7.4. Stream-level flow control
  730. Edge nodes use RELAY_SENDME cells to implement end-to-end flow
  731. control for individual connections across circuits. Similarly to
  732. circuit-level flow control, edge nodes begin with a window of cells
  733. (500) per stream, and increment the window by a fixed value (50)
  734. upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
  735. cells when both a) the window is <= 450, and b) there are less than
  736. ten cell payloads remaining to be flushed at that edge.
  737. A.1. Differences between spec and implementation
  738. - The current specification requires all ORs to have IPv4 addresses, but
  739. allows servers to exit and resolve to IPv6 addresses, and to declare IPv6
  740. addresses in their exit policies. The current codebase has no IPv6
  741. support at all.