mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 12:23:32 +01:00
Add first draft of rendezvous point document
svn:r310
This commit is contained in:
parent
cb2c43d735
commit
3d538f6d70
138
doc/rendezvous.txt
Normal file
138
doc/rendezvous.txt
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
How to make rendezvous points work
|
||||||
|
1-11Jun2003
|
||||||
|
|
||||||
|
1. Overview
|
||||||
|
|
||||||
|
This document provides a design overview for rendezvous points, as
|
||||||
|
discussed by Nick and Roger after Discex.
|
||||||
|
|
||||||
|
Rendezvous points are an implementation of server anonymity /
|
||||||
|
location-hidden servers in the onion routing network. There are
|
||||||
|
three components needed for rendezvous points:
|
||||||
|
|
||||||
|
A) A means for the client ("Alice") to tell a server ("Bob") where
|
||||||
|
to contact her in order to establish a connection. (Notification)
|
||||||
|
B) A means for Bob to contact Alice to actually establish the
|
||||||
|
connection, and for them to communicate later. (Meeting)
|
||||||
|
C) Necessary glue code so that Alice can view webpages on a
|
||||||
|
location-hidden webserver, and Bob can run a location-hidden
|
||||||
|
server with minimal invasive changes. (Application)
|
||||||
|
|
||||||
|
We'll tackle these in order. In all cases, I'll assume that both
|
||||||
|
Alice and Bob have local OPs.
|
||||||
|
|
||||||
|
2. Notification service
|
||||||
|
|
||||||
|
Bob wants to learn about client requests for communication, but
|
||||||
|
wants to avoid responding unnecessarily to unauthorized clients.
|
||||||
|
Bob's proxy opens a circuit, and tells some onion router on that
|
||||||
|
circuit to expect incoming connections, and notify Bob of them.
|
||||||
|
|
||||||
|
When establishing such a notification point, Bob provides the onion
|
||||||
|
router with a public "notification" key. The hash of this public
|
||||||
|
key uniquely identifies Bob, and prevents anybody else from
|
||||||
|
usurping Bob's notification point in the future. Additionally, Bob
|
||||||
|
can use the same public key to establish a notification point on
|
||||||
|
another OR, and Alice can still be confident that Bob is the same
|
||||||
|
server.
|
||||||
|
|
||||||
|
(The set-up-a-notification-point command should come via a
|
||||||
|
RELAY_BIND_NOTIFICATION cell. This cell creates a new stream on the
|
||||||
|
circuit from Bob to the notification point.)
|
||||||
|
|
||||||
|
ORs that support notification run a notification service on a
|
||||||
|
separate port. When Alice wants to notify Bob of a meeting point,
|
||||||
|
she connects (directly or via Tor) to the notification port, and
|
||||||
|
sends the following:
|
||||||
|
|
||||||
|
MEETING REQUEST
|
||||||
|
Encrypted with server's public key:
|
||||||
|
Hash of Bob's public key (identifies which Bob to notify)
|
||||||
|
Initial authentication [optional]
|
||||||
|
Encrypted with Bob's public key:
|
||||||
|
Meeting point
|
||||||
|
Meeting cookie
|
||||||
|
End-to-end forward key
|
||||||
|
End-to-end backward key
|
||||||
|
End-to-end authentication [optional]
|
||||||
|
|
||||||
|
[Add a Nonce or some kind of replay prevention mechanism? -NM]
|
||||||
|
[Should this use DH instead? -NM]
|
||||||
|
|
||||||
|
The meeting point and meeting cookie allow Bob to contact Alice and
|
||||||
|
prove his identity; the end-to-end authentication enables Bob to
|
||||||
|
decide whether to talk to Alice; the initial authentication enables
|
||||||
|
the meeting point to pre-screen notification requests before
|
||||||
|
sending them to Bob. (See 3 for a discussion of meeting points;
|
||||||
|
see 2.1 for a proposed authentication mechanism.)
|
||||||
|
|
||||||
|
When the notification point receives a valid meeting request, it
|
||||||
|
sends the portion encrypted with Bob's public key along the stream
|
||||||
|
created by Bob's RELAY_BIND_NOTIFICATION. Bob then, at his
|
||||||
|
discretion, connects to Alice's meeting point.
|
||||||
|
|
||||||
|
2.1. Proposed authentication for notification services
|
||||||
|
|
||||||
|
Bob makes two short-term secrets SB and SN, and tells the
|
||||||
|
notification point about SN. Bob gives Alice a cookie consisting
|
||||||
|
of A,B,C such that H(A|SB)=B and H(A|SN)=C. Alice's initial
|
||||||
|
authentication is <A,C>; Alice's end-to-end authentication is <A,B>.
|
||||||
|
|
||||||
|
[Maybe] Bob keeps a replay cache of A values, and doesn't allow any
|
||||||
|
value to be used twice. Over time, Bob rotates SB and SN.
|
||||||
|
|
||||||
|
[Maybe] Each 'A' has an expiration time built in to it.
|
||||||
|
|
||||||
|
3. Meeting points
|
||||||
|
|
||||||
|
For Bob to actually reply to Alice, Alice first establishes a
|
||||||
|
circuit to an onion router R, and sends a RELAY_BIND_MEETING cell
|
||||||
|
to that onion router. The RELAY_BIND_MEETING cell contains a
|
||||||
|
'Meeting cookie' (MC) that Bob can use to authenticate to R. R
|
||||||
|
remembers the cookie and associates it with Alice.
|
||||||
|
|
||||||
|
Later, Bob also routes to R and sends R a RELAY_JOIN_MEETING cell
|
||||||
|
with the meeting cookie MC. After this point, R routes all traffic
|
||||||
|
from Bob's circuit or Alice's circuit as if the two circuits were
|
||||||
|
joined: any RELAY cells that are not for a recognized topic are
|
||||||
|
passed down Alice or Bob's circuit.
|
||||||
|
|
||||||
|
To prevent R from reading their traffic, Alice and Bob use the two
|
||||||
|
end-to-end keys in Alice's original notification to Bob: Bob uses
|
||||||
|
the 'forward' key and Alice the 'backward' key. (These keys are
|
||||||
|
used in addition to the series of encryption keys already in use on
|
||||||
|
Alice and Bob's circuits.)
|
||||||
|
|
||||||
|
Bob's OP accepts RELAY_BEGIN, RELAY_DATA, RELAY_END, and
|
||||||
|
RELAY_SENDME cells from Alice. Alice's OP accepts RELAY_DATA,
|
||||||
|
RELAY_END, and RELAY_SENDME cells from Bob. All RELAY_BEGIN cells
|
||||||
|
to Bob must have target IP and port of zero; Bob's OP will redirect
|
||||||
|
them to the actual target IP and port of Bob's server.
|
||||||
|
|
||||||
|
Alice and Bob's OPs disallow CREATE or RELAY_EXTEND cells as usual.
|
||||||
|
|
||||||
|
4. Application interface
|
||||||
|
|
||||||
|
4.1. Application interface: client side
|
||||||
|
|
||||||
|
Because we require that the client interface remain a SOCKS proxy,
|
||||||
|
we can't have clients explicitly connect to Bob. Instead, we have
|
||||||
|
the OP map DNS addresses used by the client to the
|
||||||
|
<Notification point, Bob's PK, Authentication>
|
||||||
|
tuples needed to establish a connection to Bob.
|
||||||
|
|
||||||
|
[We had earlier hoped encode this information into the DNS address,
|
||||||
|
but that won't work. The data needed will be at least ~1024 bits
|
||||||
|
long (for Bob's public key). You'd need over 197 characters to
|
||||||
|
encode a blob that long, and you'd wind up triggering pathological
|
||||||
|
cases in a lot of client code. -NM]
|
||||||
|
|
||||||
|
I propose that the client OP receive this mapping information
|
||||||
|
outside of the Tor protocol: either from true out-of-band entry, or
|
||||||
|
from protocol-specific transmission.
|
||||||
|
|
||||||
|
(For example of protocol-specific, an HTTP server could include
|
||||||
|
notification information in reply headers, or cookies, or
|
||||||
|
something.)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user