diff options
author | Nick Mathewson <nickm@torproject.org> | 2007-01-03 20:15:47 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2007-01-03 20:15:47 +0000 |
commit | 8518f535ff717d989b19b07ace80cbc3c218fef0 (patch) | |
tree | 209524839fb82b29af327ea0bdace06901a2ddaa /doc | |
parent | 2963d4acc267102e1b2927ed6bbcd0717fbae67e (diff) | |
download | tor-8518f535ff717d989b19b07ace80cbc3c218fef0.tar.gz tor-8518f535ff717d989b19b07ace80cbc3c218fef0.zip |
r11822@Kushana: nickm | 2007-01-03 15:15:45 -0500
Clarify spec wrt keys, certificates, and SSL.
svn:r9256
Diffstat (limited to 'doc')
-rw-r--r-- | doc/tor-spec.txt | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/doc/tor-spec.txt b/doc/tor-spec.txt index 2be87659dd..f27901ec82 100644 --- a/doc/tor-spec.txt +++ b/doc/tor-spec.txt @@ -122,9 +122,27 @@ see tor-design.pdf. ``cells'', which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream. +1.1. Keys and names + + Every Tor server has multiple public/private keypairs: + + - A long-term signing-only "Identity key" used to sign documents and + certificates, and used to establish server identity. + - A medium-term "Onion key" used to decrypt onion skins when accepting + circuit extend attempts. (See 5.1.) Old keys MUST be accepted for at + least one week after they are no longer advertised. Because of this, + servers MUST retain old keys for a while after they're rotated. + - A short-term "Connection key" used to negotiate TLS connections. + Tor implementations MAY rotate this key as often as they like, and + SHOULD rotate this key at least once a day. + + Tor servers are also identified by "nicknames"; these are specified in + dir-spec.txt. + 2. Connections - Tor uses TLS for link encryption. All implementations MUST support + Tor uses TLS for link authentication and encryption. All implementations + MUST support the TLS ciphersuite "TLS_EDH_RSA_WITH_DES_192_CBC3_SHA", and SHOULD support "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available. Implementations MAY support other ciphersuites, but MUST NOT @@ -137,13 +155,13 @@ see tor-design.pdf. local requests. Onion proxies SHOULD NOT provide long-term-trackable identifiers in their handshakes. - The connection initiator always sends a two-certificate chain, - consisting of a - certificate using a short-term connection key and a second, self- - signed certificate containing the OR's identity key. The commonName of the - first certificate is the OR's nickname, and the commonName of the second + During the TLS handshake, the connection initiator always sends a + two-certificate chain, consisting of an X.509 certificate using a + short-term connection public key and a second, self- signed X.509 + certificate containing its identity key. The commonName of the first + certificate is the OR's nickname, and the commonName of the second certificate is the OR's nickname, followed by a space and the string - "<identity>". + "<identity>". The other party sends a similar certificate chain. Implementations running Protocol 1 and earlier use an organizationName of "Tor" or "TOR". Future implementations (which @@ -238,7 +256,7 @@ see tor-design.pdf. The payload for a CREATE cell is an 'onion skin', which consists of the first step of the DH handshake data (also known as g^x). - This value is hybrid-encrypted (see 0.3) to Bob's public key, giving + This value is hybrid-encrypted (see 0.3) to Bob's onion key, giving an onion-skin of: PK-encrypted: Padding padding [PK_PAD_LEN bytes] @@ -383,7 +401,7 @@ see tor-design.pdf. To extend the circuit by a single onion router R_M, the OP performs these steps: - 1. Create an onion skin, encrypted to R_M's public key. + 1. Create an onion skin, encrypted to R_M's public onion key. 2. Send the onion skin in a relay EXTEND cell along the circuit (see section 5). |