1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
|
<a id="tor-spec.txt-4"></a>
# Negotiating and initializing connections
After Tor instances negotiate handshake with either the "renegotiation" or
"in-protocol" handshakes, they must exchange a set of cells to set up
the Tor connection and make it "open" and usable for circuits.
When the renegotiation handshake is used, both parties immediately
send a VERSIONS cell (4.1 below), and after negotiating a link
protocol version (which will be 2), each send a NETINFO cell (4.5
below) to confirm their addresses and timestamps. No other intervening
cell types are allowed.
When the in-protocol handshake is used, the initiator sends a
VERSIONS cell to indicate that it will not be renegotiating. The
responder sends a VERSIONS cell, a CERTS cell (4.2 below) to give the
initiator the certificates it needs to learn the responder's
identity, an AUTH_CHALLENGE cell (4.3) that the initiator must include
as part of its answer if it chooses to authenticate, and a NETINFO
cell (4.5). As soon as it gets the CERTS cell, the initiator knows
whether the responder is correctly authenticated. At this point the
initiator behaves differently depending on whether it wants to
authenticate or not. If it does not want to authenticate, it MUST
send a NETINFO cell. If it does want to authenticate, it MUST send a
CERTS cell, an AUTHENTICATE cell (4.4), and a NETINFO. When this
handshake is in use, the first cell must be VERSIONS, VPADDING, or
AUTHORIZE, and no other cell type is allowed to intervene besides
those specified, except for VPADDING cells.
The AUTHORIZE cell type is reserved for future use by scanning-resistance
designs.
[Tor versions before 0.2.3.11-alpha did not recognize the AUTHORIZE cell,
and did not permit any command other than VERSIONS as the first cell of
the in-protocol handshake.]
<a id="tor-spec.txt-4.1"></a>
## Negotiating versions with VERSIONS cells
There are multiple instances of the Tor link connection protocol. Any
connection negotiated using the "certificates up front" handshake (see
section 2 above) is "version 1". In any connection where both parties
have behaved as in the "renegotiation" handshake, the link protocol
version must be 2. In any connection where both parties have behaved
as in the "in-protocol" handshake, the link protocol must be 3 or higher.
To determine the version, in any connection where the "renegotiation"
or "in-protocol" handshake was used (that is, where the responder
sent only one certificate at first and where the initiator did not
send any certificates in the first negotiation), both parties MUST
send a VERSIONS cell. In "renegotiation", they send a VERSIONS cell
right after the renegotiation is finished, before any other cells are
sent. In "in-protocol", the initiator sends a VERSIONS cell
immediately after the initial TLS handshake, and the responder
replies immediately with a VERSIONS cell. (As an exception to this rule,
if both sides support the "in-protocol" handshake, either side may send
VPADDING cells at any time.)
The payload in a VERSIONS cell is a series of big-endian two-byte
integers. Both parties MUST select as the link protocol version the
highest number contained both in the VERSIONS cell they sent and in the
versions cell they received. If they have no such version in common,
they cannot communicate and MUST close the connection. Either party MUST
close the connection if the versions cell is not well-formed (for example,
if the payload contains an odd number of bytes).
Any VERSIONS cells sent after the first VERSIONS cell MUST be ignored.
(To be interpreted correctly, later VERSIONS cells MUST have a CIRCID_LEN
matching the version negotiated with the first VERSIONS cell.)
Since the version 1 link protocol does not use the "renegotiation"
handshake, implementations MUST NOT list version 1 in their VERSIONS
cell. When the "renegotiation" handshake is used, implementations
MUST list only the version 2. When the "in-protocol" handshake is
used, implementations MUST NOT list any version before 3, and SHOULD
list at least version 3.
Link protocols differences are:
```text
1 -- The "certs up front" handshake.
2 -- Uses the renegotiation-based handshake. Introduces
variable-length cells.
3 -- Uses the in-protocol handshake.
4 -- Increases circuit ID width to 4 bytes.
5 -- Adds support for link padding and negotiation (padding-spec.txt).
```
<a id="tor-spec.txt-4.2"></a>
## CERTS cells
The CERTS cell describes the keys that a Tor instance is claiming
to have. It is a variable-length cell. Its payload format is:
```text
N: Number of certs in cell [1 octet]
N times:
CertType [1 octet]
CLEN [2 octets]
Certificate [CLEN octets]
Any extra octets at the end of a CERTS cell MUST be ignored.
Relevant certType values are:
1: Link key certificate certified by RSA1024 identity
2: RSA1024 Identity certificate, self-signed.
3: RSA1024 AUTHENTICATE cell link certificate, signed with RSA1024 key.
4: Ed25519 signing key, signed with identity key.
5: TLS link certificate, signed with ed25519 signing key.
6: Ed25519 AUTHENTICATE cell key, signed with ed25519 signing key.
7: Ed25519 identity, signed with RSA identity.
```
The certificate format for certificate types 1-3 is DER encoded
X509. For others, the format is as documented in cert-spec.txt.
Note that type 7 uses a different format from types 4-6.
A CERTS cell may have no more than one certificate of each CertType.
To authenticate the responder as having a given Ed25519,RSA identity key
combination, the initiator MUST check the following.
```text
* The CERTS cell contains exactly one CertType 2 "ID" certificate.
* The CERTS cell contains exactly one CertType 4 Ed25519
"Id->Signing" cert.
* The CERTS cell contains exactly one CertType 5 Ed25519
"Signing->link" certificate.
* The CERTS cell contains exactly one CertType 7 "RSA->Ed25519"
cross-certificate.
* All X.509 certificates above have validAfter and validUntil dates;
no X.509 or Ed25519 certificates are expired.
* All certificates are correctly signed.
* The certified key in the Signing->Link certificate matches the
SHA256 digest of the certificate that was used to
authenticate the TLS connection.
* The identity key listed in the ID->Signing cert was used to
sign the ID->Signing Cert.
* The Signing->Link cert was signed with the Signing key listed
in the ID->Signing cert.
* The RSA->Ed25519 cross-certificate certifies the Ed25519
identity, and is signed with the RSA identity listed in the
"ID" certificate.
* The certified key in the ID certificate is a 1024-bit RSA key.
* The RSA ID certificate is correctly self-signed.
```
To authenticate the responder as having a given RSA identity only,
the initiator MUST check the following:
```text
* The CERTS cell contains exactly one CertType 1 "Link" certificate.
* The CERTS cell contains exactly one CertType 2 "ID" certificate.
* Both certificates have validAfter and validUntil dates that
are not expired.
* The certified key in the Link certificate matches the
link key that was used to negotiate the TLS connection.
* The certified key in the ID certificate is a 1024-bit RSA key.
* The certified key in the ID certificate was used to sign both
certificates.
* The link certificate is correctly signed with the key in the
ID certificate
* The ID certificate is correctly self-signed.
```
In both cases above, checking these conditions is sufficient to
authenticate that the initiator is talking to the Tor node with the
expected identity, as certified in the ID certificate(s).
To authenticate the initiator as having a given Ed25519,RSA
identity key combination, the responder MUST check the following:
```text
* The CERTS cell contains exactly one CertType 2 "ID" certificate.
* The CERTS cell contains exactly one CertType 4 Ed25519
"Id->Signing" certificate.
* The CERTS cell contains exactly one CertType 6 Ed25519
"Signing->auth" certificate.
* The CERTS cell contains exactly one CertType 7 "RSA->Ed25519"
cross-certificate.
* All X.509 certificates above have validAfter and validUntil dates;
no X.509 or Ed25519 certificates are expired.
* All certificates are correctly signed.
* The identity key listed in the ID->Signing cert was used to
sign the ID->Signing Cert.
* The Signing->AUTH cert was signed with the Signing key listed
in the ID->Signing cert.
* The RSA->Ed25519 cross-certificate certifies the Ed25519
identity, and is signed with the RSA identity listed in the
"ID" certificate.
* The certified key in the ID certificate is a 1024-bit RSA key.
* The RSA ID certificate is correctly self-signed.
```
To authenticate the initiator as having an RSA identity key only,
the responder MUST check the following:
```text
* The CERTS cell contains exactly one CertType 3 "AUTH" certificate.
* The CERTS cell contains exactly one CertType 2 "ID" certificate.
* Both certificates have validAfter and validUntil dates that
are not expired.
* The certified key in the AUTH certificate is a 1024-bit RSA key.
* The certified key in the ID certificate is a 1024-bit RSA key.
* The certified key in the ID certificate was used to sign both
certificates.
* The auth certificate is correctly signed with the key in the
ID certificate.
* The ID certificate is correctly self-signed.
```
Checking these conditions is NOT sufficient to authenticate that the
initiator has the ID it claims; to do so, the cells in 4.3 and 4.4
below must be exchanged.
<a id="tor-spec.txt-4.3"></a>
## AUTH_CHALLENGE cells
An AUTH_CHALLENGE cell is a variable-length cell with the following
fields:
```text
Challenge [32 octets]
N_Methods [2 octets]
Methods [2 * N_Methods octets]
```
It is sent from the responder to the initiator. Initiators MUST
ignore unexpected bytes at the end of the cell. Responders MUST
generate every challenge independently using a strong RNG or PRNG.
The Challenge field is a randomly generated string that the
initiator must sign (a hash of) as part of authenticating. The
methods are the authentication methods that the responder will
accept. Only two authentication methods are defined right now:
see 4.4.1 and 4.4.2 below.
<a id="tor-spec.txt-4.4"></a>
## AUTHENTICATE cells
If an initiator wants to authenticate, it responds to the
AUTH_CHALLENGE cell with a CERTS cell and an AUTHENTICATE cell.
The CERTS cell is as a server would send, except that instead of
sending a CertType 1 (and possibly CertType 5) certs for arbitrary link
certificates, the initiator sends a CertType 3 (and possibly
CertType 6) cert for an RSA/Ed25519 AUTHENTICATE key.
This difference is because we allow any link key type on a TLS
link, but the protocol described here will only work for specific key
types as described in 4.4.1 and 4.4.2 below.
An AUTHENTICATE cell contains the following:
```text
AuthType [2 octets]
AuthLen [2 octets]
Authentication [AuthLen octets]
```
Responders MUST ignore extra bytes at the end of an AUTHENTICATE
cell. Recognized AuthTypes are 1 and 3, described in the next
two sections.
Initiators MUST NOT send an AUTHENTICATE cell before they have
verified the certificates presented in the responder's CERTS
cell, and authenticated the responder.
<a id="tor-spec.txt-4.4.1"></a>
### Link authentication type 1: RSA-SHA256-TLSSecret
If AuthType is 1 (meaning "RSA-SHA256-TLSSecret"), then the
Authentication field of the AUTHENTICATE cell contains the following:
```text
TYPE: The characters "AUTH0001" [8 octets]
CID: A SHA256 hash of the initiator's RSA1024 identity key [32 octets]
SID: A SHA256 hash of the responder's RSA1024 identity key [32 octets]
SLOG: A SHA256 hash of all bytes sent from the responder to the
initiator as part of the negotiation up to and including the
AUTH_CHALLENGE cell; that is, the VERSIONS cell, the CERTS cell,
the AUTH_CHALLENGE cell, and any padding cells. [32 octets]
CLOG: A SHA256 hash of all bytes sent from the initiator to the
responder as part of the negotiation so far; that is, the
VERSIONS cell and the CERTS cell and any padding cells. [32
octets]
SCERT: A SHA256 hash of the responder's TLS link certificate. [32
octets]
TLSSECRETS: A SHA256 HMAC, using the TLS master secret as the
secret key, of the following:
- client_random, as sent in the TLS Client Hello
- server_random, as sent in the TLS Server Hello
- the NUL terminated ASCII string:
"Tor V3 handshake TLS cross-certification"
[32 octets]
RAND: A 24 byte value, randomly chosen by the initiator. (In an
imitation of SSL3's gmt_unix_time field, older versions of Tor
sent an 8-byte timestamp as the first 8 bytes of this field;
new implementations should not do that.) [24 octets]
SIG: A signature of a SHA256 hash of all the previous fields
using the initiator's "Authenticate" key as presented. (As
always in Tor, we use OAEP-MGF1 padding; see tor-spec.txt
section 0.3.)
[variable length]
```
To check the AUTHENTICATE cell, a responder checks that all fields
from TYPE through TLSSECRETS contain their unique
correct values as described above, and then verifies the signature.
The server MUST ignore any extra bytes in the signed data after
the RAND field.
Responders MUST NOT accept this AuthType if the initiator has
claimed to have an Ed25519 identity.
(There is no AuthType 2: It was reserved but never implemented.)
<a id="tor-spec.txt-4.4.2"></a>
### Link authentication type 3: Ed25519-SHA256-RFC5705
If AuthType is 3, meaning "Ed25519-SHA256-RFC5705", the
Authentication field of the AuthType cell is as below:
Modified values and new fields below are marked with asterisks.
```text
TYPE: The characters "AUTH0003" [8 octets]
CID: A SHA256 hash of the initiator's RSA1024 identity key [32 octets]
SID: A SHA256 hash of the responder's RSA1024 identity key [32 octets]
CID_ED: The initiator's Ed25519 identity key [32 octets]
SID_ED: The responder's Ed25519 identity key, or all-zero. [32 octets]
SLOG: A SHA256 hash of all bytes sent from the responder to the
initiator as part of the negotiation up to and including the
AUTH_CHALLENGE cell; that is, the VERSIONS cell, the CERTS cell,
the AUTH_CHALLENGE cell, and any padding cells. [32 octets]
CLOG: A SHA256 hash of all bytes sent from the initiator to the
responder as part of the negotiation so far; that is, the
VERSIONS cell and the CERTS cell and any padding cells. [32
octets]
SCERT: A SHA256 hash of the responder's TLS link certificate. [32
octets]
TLSSECRETS: The output of an RFC5705 Exporter function on the
TLS session, using as its inputs:
- The label string "EXPORTER FOR TOR TLS CLIENT BINDING AUTH0003"
- The context value equal to the initiator's Ed25519 identity key.
- The length 32.
[32 octets]
RAND: A 24 byte value, randomly chosen by the initiator. [24 octets]
SIG: A signature of all previous fields using the initiator's
Ed25519 authentication key (as in the cert with CertType 6).
[variable length]
```
To check the AUTHENTICATE cell, a responder checks that all fields
from TYPE through TLSSECRETS contain their unique
correct values as described above, and then verifies the signature.
The server MUST ignore any extra bytes in the signed data after
the RAND field.
<a id="tor-spec.txt-4.5"></a>
## NETINFO cells
If version 2 or higher is negotiated, each party sends the other a
NETINFO cell. The cell's payload is:
```text
TIME (Timestamp) [4 bytes]
OTHERADDR (Other OR's address) [variable]
ATYPE (Address type) [1 byte]
ALEN (Address length) [1 byte]
AVAL (Address value in NBO) [ALEN bytes]
NMYADDR (Number of this OR's addresses) [1 byte]
NMYADDR times:
ATYPE (Address type) [1 byte]
ALEN (Address length) [1 byte]
AVAL (Address value in NBO)) [ALEN bytes]
Recognized address types (ATYPE) are:
[04] IPv4.
[06] IPv6.
```
ALEN MUST be 4 when ATYPE is 0x04 (IPv4) and 16 when ATYPE is 0x06
(IPv6). If the ALEN value is wrong for the given ATYPE value, then
the provided address should be ignored.
The timestamp is a big-endian unsigned integer number of seconds
since the Unix epoch. Implementations MUST ignore unexpected bytes
at the end of the cell. Clients SHOULD send "0" as their timestamp, to
avoid fingerprinting.
Implementations MAY use the timestamp value to help decide if their
clocks are skewed. Initiators MAY use "other OR's address" to help
learn which address their connections may be originating from, if they do
not know it; and to learn whether the peer will treat the current
connection as canonical. Implementations SHOULD NOT trust these
values unconditionally, especially when they come from non-authorities,
since the other party can lie about the time or IP addresses it sees.
Initiators SHOULD use "this OR's address" to make sure
that they have connected to another OR at its canonical address.
(See 5.3.1 below.)
|
