2003-03-07 03:39:40 +01:00
|
|
|
$Id$
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
TOR Spec
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
Note: This is an attempt to specify TOR as it exists as implemented in
|
2003-05-28 08:36:26 +02:00
|
|
|
early June, 2003. It is not recommended that others implement this
|
2003-03-07 03:39:40 +01:00
|
|
|
design as it stands; future versions of TOR will implement improved
|
|
|
|
protocols.
|
|
|
|
|
|
|
|
0. Notation:
|
|
|
|
|
|
|
|
PK -- a public key.
|
|
|
|
SK -- a private key
|
|
|
|
K -- a key for a symmetric cypher
|
|
|
|
|
2003-03-11 22:36:00 +01:00
|
|
|
a|b -- concatenation of 'a' with 'b'.
|
|
|
|
a[i:j] -- Bytes 'i' through 'j'-1 (inclusive) of the string a.
|
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
All numeric values are encoded in network (big-endian) order.
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
Unless otherwise specified, all symmetric ciphers are 3DES in OFB
|
|
|
|
mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
|
|
|
|
with 1024-bit keys and exponents of 65537, or DH with the safe prime
|
|
|
|
from rfc2409, section 6.2, whose hex representation is:
|
|
|
|
|
|
|
|
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
|
|
|
|
"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
|
|
|
|
"302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
|
|
|
|
"A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
|
|
|
|
"49286651ECE65381FFFFFFFFFFFFFFFF"
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-03-07 09:41:57 +01:00
|
|
|
[We will move to AES once we can assume everybody will have it. -RD]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
1. System overview
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
Tor is a connection-oriented anonymizing communication service. Users
|
|
|
|
build a path known as a "virtual circuit" through the network, in which
|
2003-03-07 09:41:57 +01:00
|
|
|
each node knows its predecessor and successor, but no others. Traffic
|
|
|
|
flowing down the circuit is unwrapped by a symmetric key at each node,
|
|
|
|
which reveals the downstream node.
|
|
|
|
|
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
2. Connections
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
2.1. Establishing OR connections
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
When one onion router opens a connection to another, the initiating
|
|
|
|
OR (called the 'client') and the listening OR (called the 'server')
|
|
|
|
perform the following handshake.
|
2003-05-28 08:36:26 +02:00
|
|
|
[or when an op wants to connect to or]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-03-07 09:41:57 +01:00
|
|
|
Before the handshake begins, the client and server know one
|
2003-03-07 03:39:40 +01:00
|
|
|
another's (1024-bit) public keys, IPV4 addresses, and ports.
|
|
|
|
|
|
|
|
1. Client connects to server:
|
|
|
|
|
|
|
|
The client generates a pair of 8-byte symmetric keys (one
|
|
|
|
[K_f] for the 'forward' stream from client to server, and one
|
|
|
|
[K_b] for the 'backward' stream from server to client.
|
|
|
|
|
|
|
|
The client then generates a 'Client authentication' message [M]
|
|
|
|
containing:
|
2003-05-28 08:36:26 +02:00
|
|
|
The number 2 to signify OR handshake [2 bytes]
|
2003-03-07 03:39:40 +01:00
|
|
|
The client's published IPV4 address [4 bytes]
|
|
|
|
The client's published port [2 bytes]
|
|
|
|
The server's published IPV4 address [4 bytes]
|
|
|
|
The server's published port [2 bytes]
|
2003-03-19 22:47:18 +01:00
|
|
|
The forward key (K_f) [16 bytes]
|
|
|
|
The backward key (K_f) [16 bytes]
|
2003-03-07 09:41:57 +01:00
|
|
|
The maximum bandwidth (bytes/s) [4 bytes]
|
2003-05-28 08:36:26 +02:00
|
|
|
[Total: 50 bytes]
|
|
|
|
|
|
|
|
The client then RSA-encrypts [M] with the server's public key
|
|
|
|
and PKCS1 padding to give an encrypted message.
|
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
The client then opens a TCP connection to the server, sends
|
|
|
|
the 128-byte RSA-encrypted data to the server, and waits for a
|
|
|
|
reply.
|
|
|
|
|
|
|
|
2. Server authenticates to client:
|
|
|
|
|
|
|
|
Upon receiving a TCP connection, the server waits to receive
|
|
|
|
128 bytes from the client. It decrypts the message with its
|
|
|
|
private key, and checks the PKCS1 padding. If the padding is
|
2003-05-28 08:36:26 +02:00
|
|
|
incorrect, or if the message's length is other than 50 bytes,
|
2003-03-07 03:39:40 +01:00
|
|
|
the server closes the TCP connection and stops handshaking.
|
|
|
|
|
|
|
|
The server then checks the list of known ORs for one with the
|
|
|
|
address and port given in the client's authentication. If no
|
|
|
|
such OR is known, or if the server is already connected to
|
|
|
|
that OR, the server closes the current TCP connection and
|
|
|
|
stops handshaking.
|
|
|
|
|
|
|
|
For later use, the server sets its keys for this connection,
|
2003-03-07 09:41:57 +01:00
|
|
|
setting K_f to the client's K_b, and K_b to the client's K_f.
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
The server then creates a server authentication message[M2] as
|
|
|
|
follows:
|
2003-03-19 22:47:18 +01:00
|
|
|
Modified client authentication [48 bytes]
|
2003-03-07 03:39:40 +01:00
|
|
|
A random nonce [N] [8 bytes]
|
2003-03-19 22:47:18 +01:00
|
|
|
[Total: 56 bytes]
|
2003-03-07 03:39:40 +01:00
|
|
|
The client authentication is generated from M by replacing
|
|
|
|
the client's preferred bandwidth [B_c] with the server's
|
|
|
|
preferred bandwidth [B_s], if B_s < B_c.
|
|
|
|
|
|
|
|
The server encrypts M2 with the client's public key (found
|
|
|
|
from the list of known routers), using PKCS1 padding.
|
|
|
|
|
|
|
|
The server sends the 128-byte encrypted message to the client,
|
2003-03-07 09:41:57 +01:00
|
|
|
and waits for a reply.
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
3. Client authenticates to server.
|
|
|
|
|
|
|
|
Once the client has received 128 bytes, it decrypts them with
|
|
|
|
its public key, and checks the PKCS1 padding. If the padding
|
2003-05-28 08:36:26 +02:00
|
|
|
is invalid, or the decrypted message's length is other than 56
|
2003-03-07 03:39:40 +01:00
|
|
|
bytes, the client closes the TCP connection.
|
|
|
|
|
|
|
|
The client checks that the addresses and keys in the reply
|
|
|
|
message are the same as the ones it originally sent. If not,
|
|
|
|
it closes the TCP connection.
|
|
|
|
|
|
|
|
The client updates the connection's bandwidth to that set by
|
|
|
|
the server, and generates the following authentication message [M3]:
|
|
|
|
The client's published IPV4 address [4 bytes]
|
|
|
|
The client's published port [2 bytes]
|
|
|
|
The server's published IPV4 address [4 bytes]
|
|
|
|
The server's published port [2 bytes]
|
|
|
|
The server-generated nonce [N] [8 bytes]
|
|
|
|
[Total: 20 bytes]
|
|
|
|
|
|
|
|
Once again, the client encrypts this message using the
|
|
|
|
server's public key and PKCS1 padding, and sends the resulting
|
|
|
|
128-byte message to the server.
|
|
|
|
|
|
|
|
4. Server checks client authentication
|
|
|
|
|
|
|
|
The server once again waits to receive 128 bytes from the
|
|
|
|
client, decrypts the message with its private key, and checks
|
|
|
|
the PKCS1 padding. If the padding is incorrect, or if the
|
|
|
|
message's length is other than 20 bytes, the server closes the
|
|
|
|
TCP connection and stops handshaking.
|
|
|
|
|
|
|
|
If the addresses in the decrypted message M3 match those in M
|
|
|
|
and M2, and if the nonce in M3 is the same as in M2, the
|
|
|
|
handshake is complete, and the client and server begin sending
|
|
|
|
cells to one another. Otherwise, the server closes the TCP
|
|
|
|
connection.
|
|
|
|
|
|
|
|
2.2. Establishing OP-to-OR connections
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
[wrap this with the above]
|
2003-03-07 09:41:57 +01:00
|
|
|
When an Onion Proxy (OP) needs to establish a connection to an OR,
|
|
|
|
the handshake is simpler because the OR does not need to verify the
|
|
|
|
OP's identity. The OP and OR establish the following steps:
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
1. OP connects to OR:
|
2003-03-07 09:41:57 +01:00
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
First, the OP generates a pair of 8-byte symmetric keys (one
|
2003-03-07 09:41:57 +01:00
|
|
|
[K_f] for the 'forward' stream from OP to OR, and one
|
2003-04-05 21:04:05 +02:00
|
|
|
[K_b] for the 'backward' stream from OR to OP).
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
The OP generates a message [M] in the following format:
|
2003-05-28 08:36:26 +02:00
|
|
|
The number 1 to signify OP handshake [2 bytes]
|
|
|
|
Maximum bandwidth (bytes/s) [4 bytes]
|
|
|
|
Forward key [K_f] [16 bytes]
|
|
|
|
Backward key [K_b] [16 bytes]
|
|
|
|
[Total: 38 bytes]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
The OP encrypts M with the OR's public key and PKCS1 padding,
|
|
|
|
opens a TCP connection to the OR's TCP port, and sends the
|
|
|
|
resulting 128-byte encrypted message to the OR.
|
|
|
|
|
|
|
|
2. OR receives keys:
|
|
|
|
|
|
|
|
When the OR receives a connection from an OP [This is on a
|
|
|
|
different port, right? How does it know the difference? -NM],
|
2003-03-07 09:41:57 +01:00
|
|
|
[Correct. The 'or_port' config variable specifies the OR port,
|
|
|
|
and the op_port variable specified the OP port. -RD]
|
2003-03-07 03:39:40 +01:00
|
|
|
it waits for 128 bytes of data, and decrypts the resulting
|
|
|
|
data with its private key, checking the PKCS1 padding. If the
|
2003-05-28 08:36:26 +02:00
|
|
|
padding is invalid, or the message is not 38 bytes long, the
|
2003-03-07 03:39:40 +01:00
|
|
|
OR closes the connection.
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
Otherwise, the connection is established, and the OR is ready
|
2003-03-07 03:39:40 +01:00
|
|
|
to receive cells.
|
|
|
|
|
|
|
|
The server sets its keys for this connection, setting K_f to
|
2003-03-07 09:41:57 +01:00
|
|
|
the client's K_b, and K_b to the client's K_f.
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
2.3. Sending cells and link encryption
|
|
|
|
|
|
|
|
Once the handshake is complete, the ORs or OR and OP send cells
|
|
|
|
(specified below) to one another. Cells are sent serially,
|
2003-03-19 22:47:18 +01:00
|
|
|
encrypted with the 3DES-OFB keystream specified by the handshake
|
2003-03-07 03:39:40 +01:00
|
|
|
protocol. Over a connection, communicants encrypt outgoing cells
|
|
|
|
with the connection's K_f, and decrypt incoming cells with the
|
|
|
|
connection's K_b.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
[Commentary: This means that OR/OP->OR connections are malleable; I
|
|
|
|
can flip bits in cells as they go across the wire, and see flipped
|
|
|
|
bits coming out the cells as they are decrypted at the next
|
|
|
|
server. I need to look more at the data format to see whether
|
|
|
|
this is exploitable, but if there's no integrity checking there
|
|
|
|
either, I suspect we may have an attack here. -NM]
|
2003-03-07 09:41:57 +01:00
|
|
|
[Yes, this protocol is open to tagging attacks. The payloads are
|
|
|
|
encrypted inside the network, so it's only at the edge node and beyond
|
|
|
|
that it's a worry. But adversaries can already count packets and
|
|
|
|
observe/modify timing. It's not worth putting in hashes; indeed, it
|
|
|
|
would be quite hard, because one of the sides of the circuit doesn't
|
|
|
|
know the keys that are used for de/encrypting at each hop, so couldn't
|
|
|
|
craft hashes anyway. See the Bandwidth Throttling (threat model)
|
|
|
|
thread on http://archives.seul.org/or/dev/Jul-2002/threads.html. -RD]
|
2003-03-11 22:36:00 +01:00
|
|
|
[Even if I don't control both sides of the connection, I can still
|
|
|
|
do evil stuff. For instance, if I can guess that a cell is a
|
|
|
|
TOPIC_COMMAND_BEGIN cell to www.slashdot.org:80 , I can change the
|
|
|
|
address and port to point to a machine I control. -NM]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
3. Cell Packet format
|
|
|
|
|
2003-03-12 13:02:06 +01:00
|
|
|
The basic unit of communication for onion routers and onion
|
2003-04-05 21:04:05 +02:00
|
|
|
proxies is a fixed-width "cell". Each cell contains the following
|
2003-03-07 03:39:40 +01:00
|
|
|
fields:
|
|
|
|
|
|
|
|
ACI (anonymous circuit identifier) [2 bytes]
|
|
|
|
Command [1 byte]
|
2003-04-17 19:10:41 +02:00
|
|
|
Length [1 byte]
|
2003-04-18 20:57:22 +02:00
|
|
|
Sequence number (unused, set to 0) [4 bytes]
|
2003-04-05 21:04:05 +02:00
|
|
|
Payload (padded with 0 bytes) [248 bytes]
|
|
|
|
[Total size: 256 bytes]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
|
|
|
The 'Command' field holds one of the following values:
|
2003-03-11 22:36:00 +01:00
|
|
|
0 -- PADDING (Padding) (See Sec 6.2)
|
|
|
|
1 -- CREATE (Create a circuit) (See Sec 4)
|
2003-05-28 08:36:26 +02:00
|
|
|
2 -- CREATED (Acknowledge create) (See Sec 4)
|
|
|
|
3 -- RELAY (End-to-end data) (See Sec 5)
|
|
|
|
4 -- DESTROY (Stop using a circuit) (See Sec 4)
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
The interpretation of 'Length' and 'Payload' depend on the type of
|
|
|
|
the cell.
|
2003-05-28 08:36:26 +02:00
|
|
|
PADDING: Neither field is used.
|
|
|
|
CREATE: Length is 144; the payload contains the first phase of the
|
|
|
|
DH handshake.
|
|
|
|
CREATED: Length is 128; the payload contains the second phase of
|
|
|
|
the DH handshake.
|
|
|
|
RELAY: Length is a value between 8 and 248; the first 'length'
|
2003-03-11 22:36:00 +01:00
|
|
|
bytes of payload contain useful data.
|
|
|
|
DESTROY: Neither field is used.
|
|
|
|
|
|
|
|
Unused fields are filled with 0 bytes. The payload is padded with
|
|
|
|
0 bytes.
|
|
|
|
|
|
|
|
PADDING cells are currently used to implement connection
|
|
|
|
keepalive. ORs and OPs send one another a PADDING cell every few
|
|
|
|
minutes.
|
|
|
|
|
|
|
|
CREATE and DESTROY cells are used to manage circuits; see section
|
|
|
|
4 below.
|
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
RELAY cells are used to send commands and data along a circuit; see
|
2003-03-11 22:36:00 +01:00
|
|
|
section 5 below.
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
4. Circuit management
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
4.1. CREATE and CREATED cells
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
Users set up circuits incrementally, one hop at a time. To create
|
|
|
|
a new circuit, users send a CREATE cell to the first node, with the
|
|
|
|
first half of the DH handshake; that node responds with a CREATED cell
|
|
|
|
with the second half of the DH handshake. To extend a circuit past
|
|
|
|
the first hop, the user sends an EXTEND relay cell (see section 5)
|
|
|
|
which instructs the last node in the circuit to send a CREATE cell
|
|
|
|
to extend the circuit.
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
The payload for a CREATE cell is an 'onion skin', consisting of:
|
|
|
|
RSA-encrypted data [128 bytes]
|
|
|
|
Symmetrically-encrypted data [16 bytes]
|
|
|
|
The RSA-encrypted portion contains:
|
|
|
|
Symmetric key [16 bytes]
|
|
|
|
First part of DH data (g^x) [112 bytes]
|
|
|
|
The symmetrically encrypted portion contains:
|
|
|
|
Second part of DH data (g^x) [16 bytes]
|
2003-05-28 08:36:26 +02:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
The two parts of the DH data, once decrypted and concatenated, form
|
|
|
|
g^x as calculated by the client.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
The relay payload for an EXTEND relay cell consists of:
|
|
|
|
Address [4 bytes]
|
|
|
|
Port [2 bytes]
|
|
|
|
Onion skin [144 bytes]
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
The port and address field denote the IPV4 address and port of the
|
|
|
|
next onion router in the circuit.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
4.2. Setting circuit keys
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
Once the handshake between the OP and an OR is completed, both
|
|
|
|
servers can now calculate g^xy with ordinary DH. They divide the
|
|
|
|
last 32 bytes of this shared secret into two 16-byte keys, the
|
|
|
|
first of which (called Kf) is used to encrypt the stream of data
|
|
|
|
going from the OP to the OR, and second of which (called Kb) is
|
|
|
|
used to encrypt the stream of data going from the OR to the OP.
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
4.3. Creating circuits
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
When creating a circuit through the network, the circuit creator
|
|
|
|
performs the following steps:
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
1. Choose a chain of N onion routers (R_1...R_N) to constitute
|
|
|
|
the path, such that no router appears in the path twice.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
2. If not already connected to the first router in the chain,
|
|
|
|
open a new connection to that router.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
3. Choose an ACI not already in use on the connection with the
|
|
|
|
first router in the chain. If our address/port pair is
|
|
|
|
numerically higher than the address/port pair of the other
|
|
|
|
side, then let the high bit of the ACI be 1, else 0.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
4. Send a CREATE cell along the connection, to be received by
|
|
|
|
the first onion router.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
5. Wait until a CREATED cell is received; finish the handshake
|
|
|
|
and extract the forward key Kf_1 and the back key Kb_1.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
6. For each subsequent onion router R (R_2 through R_N), extend
|
|
|
|
the circuit to R.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
To extend the circuit by a single onion router R_M, the circuit
|
|
|
|
creator performs these steps:
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
1. Create an onion skin, encrypting the RSA-encrypted part with
|
|
|
|
R's public key.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
2. Encrypt and send the onion skin in a RELAY_CREATE cell along
|
|
|
|
the circuit (see section 5).
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
3. When a RELAY_CREATED cell is received, calculate the shared
|
|
|
|
keys. The circuit is now extended.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
Upon receiving a CREATE cell along a connection, an OR performs
|
|
|
|
the following steps:
|
|
|
|
|
|
|
|
1. If we already have an 'open' circuit along this connection
|
|
|
|
with this ACI, drop the cell.
|
|
|
|
|
|
|
|
Otherwise, if we have no circuit along this connection with
|
2003-03-12 13:02:06 +01:00
|
|
|
this ACI, let L = the integer value of the first 4 bytes of
|
2003-03-11 22:36:00 +01:00
|
|
|
the payload. Create a half-open circuit with this ACI, and
|
2003-03-12 13:02:06 +01:00
|
|
|
begin queueing CREATE cells for this circuit.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-03-18 08:21:31 +01:00
|
|
|
Otherwise, we have a half-open circuit. If the total payload
|
2003-03-19 23:44:29 +01:00
|
|
|
length of the CREATE cells for this circuit is exactly equal
|
2003-03-18 08:21:31 +01:00
|
|
|
to the onion length specified in the first cell (minus 4), then
|
|
|
|
process the onion. If it is more, then tear down the circuit.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
2. Once we have a complete onion, decrypt the first 128 bytes
|
|
|
|
of the onion with this OR's RSA private key, and extract
|
|
|
|
the outmost onion layer. If the version, back cipher, or
|
2003-03-12 13:02:06 +01:00
|
|
|
forward cipher is unrecognized, or the expiration time is
|
|
|
|
in the past, then tear down the circuit (see section 4.2).
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
Compute K1 through K3 as above. Use K1 to decrypt the rest
|
2003-04-16 19:44:33 +02:00
|
|
|
of the onion using 3DES/OFB.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
If we are not the exit node, remove the first layer from the
|
2003-03-12 13:02:06 +01:00
|
|
|
decrypted onion, and send the remainder to the next OR
|
2003-03-11 22:36:00 +01:00
|
|
|
on the circuit, as specified above. (Note that we'll
|
|
|
|
choose a different ACI for this circuit on the connection
|
|
|
|
with the next OR.)
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
When an onion router receives an EXTEND relay cell, it sends a
|
|
|
|
CREATE cell to the next onion router, with the enclosed onion skin
|
|
|
|
as its payload. The initiating onion router chooses some random
|
|
|
|
ACI not yet used on the connection between the two onion routers.
|
|
|
|
|
|
|
|
Some time after receiving a create cell, an onion router completes
|
|
|
|
the DH handshake, and replies with a CREATED cell, containing g^y
|
|
|
|
as its [128 byte] payload. Upon receiving a CREATED cell, an onion
|
2003-06-03 11:51:23 +02:00
|
|
|
router packs it payload into an EXTENDED relay cell (see section 5),
|
|
|
|
and sends that cell up the circuit. Upon receiving the EXTENDED
|
2003-06-03 08:45:06 +02:00
|
|
|
relay cell, the OP can retrieve g^y.
|
|
|
|
|
|
|
|
(As an optimization, OR implementations may delay processing onions
|
2003-03-11 22:36:00 +01:00
|
|
|
until a break in traffic allows time to do so without harming
|
2003-06-03 08:45:06 +02:00
|
|
|
network latency too greatly.)
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
4.2. Tearing down circuits
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
[Note: this section is untouched; the code doesn't seem to match
|
|
|
|
what I remembered discussing. Let's sort it out. -NM]
|
|
|
|
|
2003-03-11 22:36:00 +01:00
|
|
|
Circuits are torn down when an unrecoverable error occurs along
|
2003-06-03 08:45:06 +02:00
|
|
|
the circuit, or when all streams on a circuit are closed and the
|
2003-03-12 13:02:06 +01:00
|
|
|
circuit's intended lifetime is over.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
To tear down a circuit, an OR or OP sends a DESTROY cell with that
|
2003-03-12 13:02:06 +01:00
|
|
|
direction's ACI to the adjacent nodes on that circuit.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
Upon receiving a DESTROY cell, an OR frees resources associated
|
2003-03-12 13:02:06 +01:00
|
|
|
with the corresponding circuit. If it's not the start or end of the
|
|
|
|
circuit, it sends a DESTROY cell for that circuit to the next OR in
|
|
|
|
the circuit. If the node is the start or end of the circuit, then
|
|
|
|
it tears down any associated edge connections (see section 5.1).
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
After a DESTROY cell has been processed, an OR ignores all data or
|
|
|
|
destroy cells for the corresponding circuit.
|
|
|
|
|
|
|
|
4.3. Routing data cells
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
When an OR receives a RELAY cell, it checks the cell's ACI and
|
2003-03-11 22:36:00 +01:00
|
|
|
determines whether it has a corresponding circuit along that
|
2003-06-03 08:45:06 +02:00
|
|
|
connection. If not, the OR drops the RELAY cell.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-03-12 13:02:06 +01:00
|
|
|
Otherwise, if the OR is not at the OP edge of the circuit (that is,
|
|
|
|
either an 'exit node' or a non-edge node), it de/encrypts the length
|
2003-04-16 19:44:33 +02:00
|
|
|
field and the payload with 3DES/OFB, as follows:
|
2003-06-03 08:45:06 +02:00
|
|
|
'Forward' relay cell (same direction as CREATE):
|
|
|
|
Use Kf as key; encrypt.
|
|
|
|
'Back' relay cell (opposite direction from CREATE):
|
|
|
|
Use Kb as key; decrypt.
|
|
|
|
If the OR recognizes the stream ID on the cell (it is either the ID
|
2003-06-03 11:51:23 +02:00
|
|
|
of an open stream or the signaling (zero) ID), the OR processes the
|
2003-06-03 08:45:06 +02:00
|
|
|
contents of the relay cell. Otherwise, it passes the decrypted
|
2003-06-03 11:51:23 +02:00
|
|
|
relay cell along the circuit if the circuit continues, or drops the
|
|
|
|
cell if it's the end of the circuit. [Getting an unrecognized
|
|
|
|
relay cell at the end of the circuit must be allowed for now;
|
|
|
|
we can reexamine this once we've designed full tcp-style close
|
|
|
|
handshakes. -RD]
|
2003-06-03 08:45:06 +02:00
|
|
|
|
|
|
|
Otherwise, if the data cell is coming from the OP edge of the
|
|
|
|
circuit, the OP decrypts the length and payload fields with 3DES/OFB as
|
|
|
|
follows:
|
|
|
|
OP sends data cell to node R_M:
|
|
|
|
For I=1...M, decrypt with Kf_I.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
Otherwise, if the data cell is arriving at the OP edge if the
|
|
|
|
circuit, the OP encrypts the length and payload fields with 3DES/OFB as
|
2003-03-11 22:36:00 +01:00
|
|
|
follows:
|
|
|
|
OP receives data cell:
|
2003-06-03 08:45:06 +02:00
|
|
|
For I=N...1,
|
|
|
|
Encrypt with Kb_I. If the stream ID is a recognized
|
|
|
|
stream for R_I, or if the stream ID is the signaling
|
2003-06-03 11:51:23 +02:00
|
|
|
ID (zero), then stop and process the payload.
|
2003-03-12 13:02:06 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
For more information, see section 5 below.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
5. Application connections and stream management
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-05-28 08:36:26 +02:00
|
|
|
5.1. Streams
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
Within a circuit, the OP and the exit node use the contents of
|
|
|
|
RELAY packets to tunnel end-to-end commands and TCP connections
|
|
|
|
("Streams") across circuits. End-to-end commands can be initiated
|
|
|
|
by either edge; streams are initiated by the OP.
|
|
|
|
|
|
|
|
The first 8 bytes of each relay cell are reserved as follows:
|
|
|
|
Relay command [1 byte]
|
|
|
|
Stream ID [7 bytes]
|
|
|
|
|
|
|
|
The recognized relay commands are:
|
|
|
|
1 -- RELAY_BEGIN
|
|
|
|
2 -- RELAY_DATA
|
|
|
|
3 -- RELAY_END
|
|
|
|
4 -- RELAY_CONNECTED
|
|
|
|
5 -- RELAY_SENDME
|
|
|
|
6 -- RELAY_EXTEND
|
|
|
|
7 -- RELAY_EXTENDED
|
|
|
|
|
|
|
|
All RELAY cells pertaining to the same tunneled stream have the
|
|
|
|
same stream ID. Stream ID's are chosen randomly by the OP. A
|
|
|
|
stream ID is considered "recognized" on a circuit C by an OP or an
|
|
|
|
OR if it already has an existing stream established on that
|
|
|
|
circuit, or if the stream ID is equal to the signaling stream ID,
|
|
|
|
which is all zero: [00 00 00 00 00 00 00]
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
To create a new anonymized TCP connection, the OP sends a
|
2003-06-03 08:45:06 +02:00
|
|
|
RELAY_BEGIN data cell with a payload encoding the address and port
|
|
|
|
of the destination host. The stream ID is zero. The payload format is:
|
2003-04-18 20:57:22 +02:00
|
|
|
ADDRESS | ':' | PORT | '\000'
|
2003-03-11 22:36:00 +01:00
|
|
|
where ADDRESS may be a DNS hostname, or an IPv4 address in
|
|
|
|
dotted-quad format; and where PORT is encoded in decimal.
|
|
|
|
|
|
|
|
Upon receiving this packet, the exit node resolves the address as
|
|
|
|
necessary, and opens a new TCP connection to the target port. If
|
|
|
|
the address cannot be resolved, or a connection can't be
|
2003-06-03 08:45:06 +02:00
|
|
|
established, the exit node replies with a RELAY_END cell.
|
|
|
|
Otherwise, the exit node replies with a RELAY_CONNECTED cell.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
The OP waits for a RELAY_CONNECTED cell before sending any data.
|
2003-03-11 22:36:00 +01:00
|
|
|
Once a connection has been established, the OP and exit node
|
2003-06-03 08:45:06 +02:00
|
|
|
package stream data in RELAY_DATA cells, and upon receiving such
|
2003-03-11 22:36:00 +01:00
|
|
|
cells, echo their contents to the corresponding TCP stream.
|
2003-03-19 22:47:18 +01:00
|
|
|
[XXX Mention zlib encoding. -NM]
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
When one side of the TCP stream is closed, the corresponding edge
|
2003-06-03 08:45:06 +02:00
|
|
|
node sends a RELAY_END cell along the circuit; upon receiving a
|
|
|
|
RELAY_END cell, the edge node closes the corresponding TCP stream.
|
2003-03-11 22:36:00 +01:00
|
|
|
[This should probably become:
|
|
|
|
|
|
|
|
When one side of the TCP stream is closed, the corresponding edge
|
2003-06-03 08:45:06 +02:00
|
|
|
node sends a RELAY_END cell along the circuit; upon receiving a
|
|
|
|
RELAY_END cell, the edge node closes its side of the corresponding
|
2003-03-11 22:36:00 +01:00
|
|
|
TCP stream (by sending a FIN packet), but continues to accept and
|
|
|
|
package incoming data until both sides of the TCP stream are
|
2003-06-03 08:45:06 +02:00
|
|
|
closed. At that point, the edge node sends a second RELAY_END
|
2003-03-11 22:36:00 +01:00
|
|
|
cell, and drops its record of the topic. -NM]
|
2003-03-07 03:39:40 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
For creation and handling of RELAY_EXTEND and RELAY_EXTENDED cells,
|
|
|
|
see section 4. For creating and handling of RELAY_SENDME cells,
|
|
|
|
see section 6.
|
|
|
|
|
|
|
|
|
2003-03-07 03:39:40 +01:00
|
|
|
6. Flow control
|
|
|
|
|
2003-03-11 22:36:00 +01:00
|
|
|
6.1. Link throttling
|
|
|
|
|
|
|
|
As discussed above in section 2.1, ORs and OPs negotiate a maximum
|
|
|
|
bandwidth upon startup. The communicants only read up to that
|
2003-03-18 08:21:31 +01:00
|
|
|
number of bytes per second on average, though they may use mechanisms
|
|
|
|
to handle spikes (eg token buckets).
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-03-18 08:21:31 +01:00
|
|
|
Communicants rely on TCP's default flow control to push back when they
|
|
|
|
stop reading, so nodes that don't obey this bandwidth limit can't do
|
|
|
|
too much damage.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
6.2. Link padding
|
|
|
|
|
2003-03-18 08:21:31 +01:00
|
|
|
Currently nodes are not required to do any sort of link padding or
|
|
|
|
dummy traffic. Because strong attacks exist even with link padding,
|
|
|
|
and because link padding greatly increases the bandwidth requirements
|
|
|
|
for running a node, we plan to leave out link padding until this
|
|
|
|
tradeoff is better understood.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
6.3. Circuit flow control
|
|
|
|
|
|
|
|
To control a circuit's bandwidth usage, each node keeps track of
|
2003-06-03 08:45:06 +02:00
|
|
|
two 'windows', consisting of how many RELAY_DATA cells it is
|
|
|
|
allowed to package for transmission, and how many RELAY_DATA cells
|
|
|
|
it is willing to deliver to a stream outside the network.
|
|
|
|
Each 'window' value is initially set to 500 data cells
|
2003-03-18 08:21:31 +01:00
|
|
|
in each direction (cells that are not data cells do not affect
|
2003-06-03 08:45:06 +02:00
|
|
|
the window).
|
|
|
|
|
|
|
|
[Note: I'm not touching the rest of this section... it looks in the
|
|
|
|
code as if RELAY_COMMAND_SENDME is now doing double duty for both
|
|
|
|
stream flow control and circuit flow control. I thought we wanted
|
|
|
|
two different notions of windows. -NM]
|
2003-06-03 11:51:23 +02:00
|
|
|
[We do have two different 'levels' of windows. The relay sendme command
|
|
|
|
is talking about a stream for non-zero stream id, and talking about
|
|
|
|
the circuit for zero stream id. -RD]
|
2003-06-03 08:45:06 +02:00
|
|
|
|
|
|
|
Each edge node on a circuit sends a SENDME cell
|
2003-03-18 08:21:31 +01:00
|
|
|
(with length=100) every time it has received 100 data cells on the
|
|
|
|
circuit. When a node receives a SENDME cell for a circuit, it increases
|
|
|
|
the circuit's window in the corresponding direction (that is, for
|
|
|
|
sending data cells back in the direction from which the sendme arrived)
|
|
|
|
by the value of the cell's length field. If it's not an edge node,
|
|
|
|
it passes an equivalent SENDME cell to the next node in the circuit.
|
|
|
|
|
|
|
|
If the window value reaches 0 at the edge of a circuit, the OR stops
|
|
|
|
reading from the edge connections. (It may finish processing what
|
|
|
|
it's already read, and queue those cells for when a SENDME cell
|
|
|
|
arrives.) Otherwise (when not at the edge of a circuit), if the
|
|
|
|
window value is 0 and a data cell arrives, the node must tear down
|
|
|
|
the circuit.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
|
|
|
6.4. Topic flow control
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
Edge nodes use RELAY_SENDME data cells to implement end-to-end flow
|
2003-03-24 04:31:11 +01:00
|
|
|
control for individual connections across circuits. As with circuit
|
2003-03-18 08:21:31 +01:00
|
|
|
flow control, edge nodes begin with a window of cells (500) per
|
|
|
|
topic, and increment the window by a fixed value (50) upon receiving
|
2003-06-03 08:45:06 +02:00
|
|
|
a RELAY_SENDME data cell. Edge nodes initiate TOPIC_SENDME data
|
2003-03-24 04:31:11 +01:00
|
|
|
cells when both a) the window is <= 450, and b) there are less than
|
|
|
|
ten cell payloads remaining to be flushed at that edge.
|
2003-03-11 22:36:00 +01:00
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
|
2003-03-11 22:36:00 +01:00
|
|
|
7. Directories and routers
|
|
|
|
|
2003-04-18 20:57:22 +02:00
|
|
|
7.1. Router descriptor format.
|
|
|
|
|
2003-06-03 08:45:06 +02:00
|
|
|
(Unless otherwise noted, tokens on the same line are space-separated.)
|
|
|
|
|
|
|
|
Router ::= Router-Line Public-Key Signing-Key? Exit-Policy NL
|
|
|
|
Router-Line ::= "router" address ORPort OPPort APPort DirPort bandwidth
|
|
|
|
NL
|
|
|
|
Public-key ::= a public key in PEM format NL
|
|
|
|
Signing-Key ::= "signing-key" NL signing key in PEM format NL
|
|
|
|
Exit-Policy ::= Exit-Line*
|
|
|
|
Exit-Line ::= ("accept"|"reject") string NL
|
|
|
|
|
|
|
|
ORport ::= port where the router listens for other routers (speaking cells)
|
|
|
|
OPPort ::= where the router listens for onion proxies (speaking cells)
|
|
|
|
APPort ::= where the router listens for applications (speaking socks)
|
|
|
|
DirPort ::= where the router listens for directory download requests
|
|
|
|
bandwidth ::= maximum bandwidth, in bytes/s
|
|
|
|
|
2003-04-18 20:57:22 +02:00
|
|
|
|
|
|
|
Example:
|
2003-06-03 08:45:06 +02:00
|
|
|
router moria.mit.edu 9001 9011 9021 9031 100000
|
2003-04-18 20:57:22 +02:00
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
|
|
MIGJAoGBAMBBuk1sYxEg5jLAJy86U3GGJ7EGMSV7yoA6mmcsEVU3pwTUrpbpCmwS
|
|
|
|
7BvovoY3z4zk63NZVBErgKQUDkn3pp8n83xZgEf4GI27gdWIIwaBjEimuJlEY+7K
|
|
|
|
nZ7kVMRoiXCbjL6VAtNa4Zy1Af/GOm0iCIDpholeujQ95xew7rQnAgMA//8=
|
|
|
|
-----END RSA PUBLIC KEY-----
|
2003-06-03 08:45:06 +02:00
|
|
|
signing-key
|
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
|
|
7BvovoY3z4zk63NZVBErgKQUDkn3pp8n83xZgEf4GI27gdWIIwaBjEimuJlEY+7K
|
|
|
|
MIGJAoGBAMBBuk1sYxEg5jLAJy86U3GGJ7EGMSV7yoA6mmcsEVU3pwTUrpbpCmwS
|
|
|
|
f/GOm0iCIDpholeujQ95xew7rnZ7kVMRoiXCbjL6VAtNa4Zy1AQnAgMA//8=
|
|
|
|
-----END RSA PUBLIC KEY-----
|
|
|
|
reject 18.0.0.0/24
|
|
|
|
|
|
|
|
Note: The extra newline at the end of the router block is intentional.
|
|
|
|
|
|
|
|
7.2. Directory format
|
|
|
|
|
|
|
|
Directory ::= Directory-Header Directory-Router Router* Signature
|
|
|
|
Directory-Header ::= "signed-directory" NL Software-Line NL
|
|
|
|
Software-Line: "recommended-software" comma-separated-version-list
|
|
|
|
Directory-Router ::= Router
|
|
|
|
Signature ::= "directory-signature" NL "-----BEGIN SIGNATURE-----" NL
|
|
|
|
Base-64-encoded-signature NL "-----END SIGNATURE-----" NL
|
|
|
|
|
|
|
|
Note: The router block for the directory server must appear first.
|
|
|
|
The signature is computed by computing the SHA-1 hash of the
|
|
|
|
directory, from the characters "signed-directory", through the newline
|
|
|
|
after "directory-signature". This digest is then padded with PKCS.1,
|
|
|
|
and signed with the directory server's signing key.
|
2003-03-07 03:39:40 +01:00
|
|
|
|