-rw-r--r--  doc/tor-design.tex  53
1 files changed, 23 insertions, 30 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex
index b71f013fa..c39e01061 100644
--- a/doc/tor-design.tex
+++ b/doc/tor-design.tex
@@ -1314,11 +1314,11 @@ entry in the DHT.
The message that Alice gives
the introduction point includes a hash of Bob's public key to identify
-the service, along with an optional initial authentication token (the
+the service, along with an optional initial authorization token (the
introduction point can do prescreening, for example to block replays). Her
-message to Bob may include an end-to-end authentication token so Bob
+message to Bob may include an end-to-end authorization token so Bob
can choose whether to respond.
-The authentication tokens can be used to provide selective access:
+The authorization tokens can be used to provide selective access:
important users get tokens to ensure uninterrupted access to the
service. During normal situations, Bob's service might simply be offered
directly from mirrors, while Bob gives out tokens to high-priority users. If
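Review bot: the rename to "authorization token" is applied consistently at all three occurrences in this hunk, but the retained clause "the introduction point can do prescreening, for example to block replays" now leaves open how the introduction point checks an authorization token it is not said to know, and what makes a token single-use so that a replay is detectable. Consider one sentence stating what the introduction point compares the token against (or that Bob supplies it with the set of valid tokens), and that replay blocking requires tokens to be one-time or the introduction point to keep state.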
@@ -1354,7 +1354,7 @@ remains a SOCKS proxy. We encode all of the necessary information
into the fully qualified domain name Alice uses when establishing her
connection. Location-hidden services use a virtual top level domain
called {\tt .onion}: thus hostnames take the form {\tt x.y.onion} where
-{\tt x} is the authentication cookie, and {\tt y} encodes the hash of
+{\tt x} is the authorization cookie, and {\tt y} encodes the hash of
the public key. Alice's onion proxy
examines addresses; if they're destined for a hidden server, it decodes
the key and starts the rendezvous as described above.
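Review bot: this hunk calls the {\tt x} component an "authorization cookie" while the preceding hunk calls the same value an "authorization token"; since the rename is what this commit is about, use one term, or say explicitly here that {\tt x} encodes the initial authorization token from the introduction protocol.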
@@ -1565,8 +1565,8 @@ us) that comes without source.\\
\noindent{\large\bf Directory attacks}\\
\emph{Destroy directory servers.} If a few directory
-servers disappear, the others still arrive at a final
-directory. So long as any any directory servers remain in operation,
+servers disappear, the others still decide on a valid
+directory. So long as any directory servers remain in operation,
they will still broadcast their views of the network and generate a
consensus directory. (If more than half are destroyed, this
directory will not, however, have enough signatures for clients to
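Review bot: "still decide on a valid directory" is contradicted two sentences later by the parenthetical stating that if more than half the directory servers are destroyed the resulting directory lacks enough signatures for clients to accept it. Either drop "valid" ("the others still agree on a directory") or qualify it, e.g. "so long as a majority remain, the others still decide on a valid directory".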
@@ -1580,19 +1580,17 @@ at worst cast a tie-breaking vote to decide whether to include
marginal ORs. It remains to be seen how often such marginal cases
occur in practice.
-\emph{Subvert a majority of directory servers.} If the
-adversary controls more than half of the directory servers, he can
-decide on a final directory, and thus can include as many
-compromised ORs in the final directory as he wishes.
-Tor does not address this possibility, except to try to ensure that
-directory server operators are independent and attack resistant.
+\emph{Subvert a majority of directory servers.} An adversary who controls
+more than half the directory servers can include as many compromised
+ORs in the final directory as he wishes. We must ensure that directory
+server operators are independent and attack resistant.
\emph{Encourage directory server dissent.} The directory
-agreement protocol requires that directory server operators agree on
-the list of directory servers. An adversary who can persuade some
+agreement protocol assumes that directory server operators agree on
+the set of directory servers. An adversary who can persuade some
of the directory server operators to distrust one another could
split the quorum into mutually hostile camps, thus partitioning
-users based on which directory they used. Tor does not address
+users based on which directory they use. Tor does not address
this attack.
\emph{Trick the directory servers into listing a hostile OR.}
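Review bot: the rewrite of "Subvert a majority of directory servers" drops the explicit statement that Tor does not address this attack, replacing it with the aspiration "We must ensure that directory server operators are independent and attack resistant"; the old text recorded a design limitation, and the new one reads as if operator selection were a defense. Since the very next paragraph still says "Tor does not address this attack" for dissent, keep the parallel admission here, e.g. "Tor does not defend against this beyond choosing directory server operators who are independent and attack resistant." The change from "requires" to "assumes" in the dissent paragraph also weakens the claim about the agreement protocol; if the protocol does not actually enforce agreement on the server set, say what happens when the assumption fails.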
@@ -1614,7 +1612,7 @@ appropriate. The tradeoffs of a similar approach are discussed in
\emph{Make many introduction requests.} An attacker could
try to deny Bob service by flooding his introduction points with
requests. Because the introduction points can block requests that
-lack authentication tokens, however, Bob can restrict the volume of
+lack authorization tokens, however, Bob can restrict the volume of
requests he receives, or require a certain amount of computation for
every request he receives.
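Review bot: "Because the introduction points can block requests that lack authorization tokens" is stated unconditionally, but the introduction section describes the initial token as optional. Add the condition, e.g. "Because Bob can configure his introduction points to block requests that lack authorization tokens", so the rate-limiting defense is tied to the service having enabled tokens.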
@@ -1622,22 +1620,17 @@ every request he receives.
disrupt a location-hidden service by disabling its introduction
points. But because a service's identity is attached to its public
key, not its introduction point, the service can simply re-advertise
-itself at a different introduction point.
-An attacker who disables all the introduction points for a given
-service can block access to the service. However, re-advertisement of
-introduction points can still be done secretly so that only
-high-priority clients know the address of Bob's introduction
-points. (These selective secret authorizations can also be issued
-during normal operation.) Thus an attacker must disable
-all possible introduction points.
-
-\emph{Compromise an introduction point.} If an attacker controls
-Bob's an introduction point, he can flood Bob with
+itself at a different introduction point. Advertisements can also be
+done secretly so that only high-priority clients know the address of
+Bob's introduction points, forcing the attacker to disable all possible
+introduction points.
+
+\emph{Compromise an introduction point.} An attacker who controls
+Bob's introduction point can flood Bob with
introduction requests, or prevent valid introduction requests from
-reaching him. Bob will notice a flooding
-attempt if it receives many introduction requests. To notice
+reaching him. Bob can notice a flood, and close the circuit. To notice
blocking of valid requests, however, he should periodically test the
-introduction point by sending it introduction requests, and making
+introduction point by sending rendezvous requests and making
sure he receives them.
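Review bot: the last change swaps "introduction requests" for "rendezvous requests" in the periodic self-test, but the attack being detected is the introduction point dropping introduction requests, so the test should send exactly what a client would send through the introduction point; as written it is unclear whether Bob now tests a different code path. Also, "Bob can notice a flood, and close the circuit" should name which circuit (the one to the compromised introduction point) and what Bob does afterwards, given that the preceding paragraph has him re-advertise at a different introduction point. Finally, the removed sentence noting that selective secret authorizations "can also be issued during normal operation" was the only statement that secret advertisement is not just an emergency measure; consider keeping it.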
\emph{Compromise a rendezvous point.} A rendezvous