aboutsummaryrefslogtreecommitdiff
path: root/doc/rendezvous.txt
blob: b1ef97b56c6b726e5a66a27879efd27acfd2206e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
                  How to make rendezvous points work
                               1-11Jun2003

1. Overview

   This document provides a design overview for rendezvous points, as
   discussed by Nick and Roger after Discex.  

   Rendezvous points are an implementation of server anonymity /
   location-hidden servers in the onion routing network.  There are
   three components needed for rendezvous points:

   A) A means for the client ("Alice") to tell a server ("Bob") where
      to contact her in order to establish a connection.  (Notification)
   B) A means for Bob to contact Alice to actually establish the
      connection, and for them to communicate later. (Meeting)
   C) Necessary glue code so that Alice can view webpages on a
      location-hidden webserver, and Bob can run a location-hidden
      server with minimal invasive changes. (Application)

   We'll tackle these in order.  In all cases, I'll assume that both
   Alice and Bob have local OPs.

2. Notification service

   Bob wants to learn about client requests for communication, but
   wants to avoid responding unnecessarily to unauthorized clients.
   Bob's proxy opens a circuit, and tells some onion router on that
   circuit to expect incoming connections, and notify Bob of them.

   When establishing such a notification point, Bob provides the onion
   router with a public "notification" key.  The hash of this public
   key uniquely identifies Bob, and prevents anybody else from
   usurping Bob's notification point in the future.  Additionally, Bob
   can use the same public key to establish a notification point on
   another OR, and Alice can still be confident that Bob is the same
   server.
  
   (The set-up-a-notification-point command should come via a
   RELAY_BIND_NOTIFICATION cell. This cell creates a new stream on the
   circuit from Bob to the notification point.)

   ORs that support notification run a notification service on a
   separate port.  When Alice wants to notify Bob of a meeting point,
   she connects (directly or via Tor) to the notification port, and
   sends the following:
   
     MEETING REQUEST
        Encrypted with server's public key:
           Hash of Bob's public key (identifies which Bob to notify)
           Initial authentication [optional]
        Encrypted with Bob's public key:
           Meeting point
           Meeting cookie
           End-to-end forward key
	   End-to-end backward key
           End-to-end authentication [optional]
           
   [Add a Nonce or some kind of replay prevention mechanism? -NM]
   [Should this use DH instead? -NM]

   The meeting point and meeting cookie allow Bob to contact Alice and
   prove his identity; the end-to-end authentication enables Bob to 
   decide whether to talk to Alice; the initial authentication enables
   the meeting point to pre-screen notification requests before
   sending them to Bob.  (See 3 for a discussion of meeting points;
   see 2.1 for a proposed authentication mechanism.)

   When the notification point receives a valid meeting request, it
   sends the portion encrypted with Bob's public key along the stream
   created by Bob's RELAY_BIND_NOTIFICATION.  Bob then, at his
   discretion, connects to Alice's meeting point.

2.1. Proposed authentication for notification services

   Bob makes two short-term secrets SB and SN, and tells the
   notification point about SN.  Bob gives Alice a cookie consisting
   of A,B,C such that H(A|SB)=B and H(A|SN)=C.  Alice's initial
   authentication is <A,C>; Alice's end-to-end authentication is <A,B>.

   [Maybe] Bob keeps a replay cache of A values, and doesn't allow any
   value to be used twice.  Over time, Bob rotates SB and SN.

   [Maybe] Each 'A' has an expiration time built in to it.

3. Meeting points

   For Bob to actually reply to Alice, Alice first establishes a
   circuit to an onion router R, and sends a RELAY_BIND_MEETING cell
   to that onion router.  The RELAY_BIND_MEETING cell contains a 
   'Meeting cookie' (MC) that Bob can use to authenticate to R.  R
   remembers the cookie and associates it with Alice.

   Later, Bob also routes to R and sends R a RELAY_JOIN_MEETING cell
   with the meeting cookie MC.  After this point, R routes all traffic
   from Bob's circuit or Alice's circuit as if the two circuits were
   joined: any RELAY cells that are not for a recognized topic are
   passed down Alice or Bob's circuit.
   
   To prevent R from reading their traffic, Alice and Bob use the two
   end-to-end keys in Alice's original notification to Bob: Bob uses
   the 'forward' key and Alice the 'backward' key.  (These keys are
   used in addition to the series of encryption keys already in use on
   Alice and Bob's circuits.)

   Bob's OP accepts RELAY_BEGIN, RELAY_DATA, RELAY_END, and
   RELAY_SENDME cells from Alice.  Alice's OP accepts RELAY_DATA,
   RELAY_END, and RELAY_SENDME cells from Bob.  All RELAY_BEGIN cells
   to Bob must have target IP and port of zero; Bob's OP will redirect
   them to the actual target IP and port of Bob's server.

   Alice and Bob's OPs disallow CREATE or RELAY_EXTEND cells as usual.

4. Application interface

4.1. Application interface: client side

   Because we require that the client interface remain a SOCKS proxy,
   we can't have clients explicitly connect to Bob.  Instead, we have
   the OP map DNS addresses used by the client to the
       <Notification point, Bob's PK, Authentication> 
   tuples needed to establish a connection to Bob.

   [We had earlier hoped encode this information into the DNS address,
    but that won't work.  The data needed will be at least ~1024 bits
    long (for Bob's public key).  You'd need over 197 characters to
    encode a blob that long, and you'd wind up triggering pathological
    cases in a lot of client code. -NM]

   I propose that the client OP receive this mapping information
   outside of the Tor protocol: either from true out-of-band entry, or
   from protocol-specific transmission.

   (For example of protocol-specific, an HTTP server could include
   notification information in reply headers, or cookies, or
   something.)