My understanding is that Tor user's are responsible (via their client) for creating their own circuit, and that this is typically done at random. However, are there any safeguards in place to ensure that it is random, and would this be desirable? I would imagine that attackers might try to choose specific circuits in order to learn more about particular nodes, and the network in general. Would preventing this behavior be helpful, and if so, would it be helpful enough to offset any disadvantage it causes for legit users?
My idea is pretty simple. Instead of creating the circuit through black-box means (relying on their local RNGs, for instance), the user would create some seed value S, and then a list of random adjustment values, R0, R1, R2,..., one for each relay in the circuit. The S value would be used to enforce randomness in the circuit, but the R values would be used to hide their circuit from relays as usual. Creating the onion, the user would put a different R value into each layer, encrypted for that relay, of course. To create the circuit, they would take a hash of S+R0 to get the address of the first relay: A1 = H(S+R0), and then hash this plus R1 to get the second relay: A2 = H(H(S+R0)+R1)), and so on. The user would now encrypt S for the first relay, and send that along side the onion. This relay would get R0 from the onion, and then hash S+R0 and confirm that the result points to their node, offering strong evidence that the user did not choose them deliberately (since that would require reversing the hash, which we'll assume is strong). Now they can unwrap the onion as usual, and forward it to the next relay. They would also encrypt H(S+R0) for this next relay, and send that along side the side, so that relay can also confirm that they were not chosen deliberately (by hashing H(S+R0) + R1), and so on until it reaches the exit node. Each each stage, the relay can't get to the R-value for the next node, so they only have part of the value that will be hashed there, and they can't figure out where it will go from there, ensuring forward privacy as usual. Ok, just a little idea I had. Someone can go ahead and tell me now that this is already being done, or why it's so obviously flawed that it wouldn't work, or why it's so obviously flawed that it would be devastating to legit users. Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
