From: Matthew Finkel <matthew.finkel@gmail.com>
Date: Tue, 3 Jun 2014 23:44:15 +0000
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Can someone please help me understand section 1.10
 of the rendezvous spec

On Tue, Jun 03, 2014 at 07:47:29PM +0000, Yaron Goland wrote:
> I'm trying to understand section 1.10 of https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt
> 
> 
> It seems to say that Alice and Bob directly negotiate a shared symmetric key. Is that true? Does it mean that all communications between Alice and Bob, in the context of a Tor hidden service, are in fact encrypted end to end?
> 
> 
> I believe that https://www.torproject.org/docs/hidden-services.html.en confirms this point when it says "The rendezvous point simply relays (end-to-end encrypted) messages from client to service and vice versa."
> 
> 
> But this point is really critical for a threat model I'm building so I just want to make sure I've gotten things right. Could anyone confirm?


Hi Yaron,

The short answer is yes. This is how Alice and Bob establish a shared
secret key.

The longer answer is yes, section 1.10 describes how Alice (the client)
and Bob (the hidden service) establish shared secrets. After both Alice
and Bob possess the two respective halves of the Diffie-Hellman keys,
they use the shared secret and a key derivation function to expand the
key material into a byte sequence from which a 5-tuple is extracted (KH,
Df, Db, Kf, Kb). The first element (KH) is used to prove knowledge of
the shared secret, the second (Df) is used when computing the digest of
every cell from Alice to Bob, Db is the same but for cells from Bob to
Alice, Kf is the shared secret key used to {en,de}cipher cells from
Alice to Bob, and Kb is used to {en,de}cipher cells from Bob to Alice.
It sounds like these latter two keys, Kf and Kb, are what you are most
interested in.  Assuming the rendezvous point is unable to break the
security assumptions of the Diffie-Hellman handshake and the KDF is
secure, all messages sent between Alice and Bob are end-to-end
encrypted.

Does this make sense?

HTH,
Matt
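
The derivation described in the reply above, as an added Python example (not part of the original post and not Tor's own code). It assumes the KDF-TOR layout from tor-spec (SHA-1 over the shared secret plus a one-byte counter, 20-byte KH/Df/Db, 16-byte Kf/Kb) and uses a constructed toy DH group; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

HASH_LEN, KEY_LEN = 20, 16      # SHA-1 digest size, AES-128 key size (assumed from tor-spec)
P, G = 2**127 - 1, 3            # constructed toy group, NOT Tor's 1024-bit DH group

def kdf_tor(k0: bytes, n: int) -> bytes:
    """K = H(K0 | [00]) | H(K0 | [01]) | ... with H = SHA-1, cut to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha1(k0 + bytes([counter])).digest()
        counter += 1
    return out[:n]

def split_keys(k0: bytes) -> dict:
    """Slice the KDF output into the 5-tuple (KH, Df, Db, Kf, Kb)."""
    stream = kdf_tor(k0, 3 * HASH_LEN + 2 * KEY_LEN)
    keys, off = {}, 0
    for name, size in (("KH", HASH_LEN), ("Df", HASH_LEN), ("Db", HASH_LEN),
                       ("Kf", KEY_LEN), ("Kb", KEY_LEN)):
        keys[name] = stream[off:off + size]
        off += size
    return keys

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:                 # reject 0, 1, P-1 and out-of-range values
        raise ValueError("degenerate DH public value")
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def alice_finish(x: int, gy: int, kh: bytes):
    """Alice derives the keys from Bob's g^y and accepts only if KH matches."""
    keys = split_keys(dh_shared(x, gy))
    return keys if hmac.compare_digest(keys["KH"], kh) else None

def handshake():
    x, gx = dh_keypair()                         # Alice's half
    y, gy = dh_keypair()                         # Bob's half
    bob = split_keys(dh_shared(y, gx))
    alice = alice_finish(x, gy, bob["KH"])       # Bob's reply carries g^y and KH
    return alice, bob

if __name__ == "__main__":
    alice, bob = handshake()
    print("keys agree:", alice == bob, "| Kf:", bob["Kf"].hex())
```

A relay that forwards g^y and KH but knows neither private exponent cannot compute the input to the KDF, so it never learns Kf or Kb.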