
In Tor, when a client communicates with an entry node, they exchange the parameters such as the prime number and the generator with each other through DH.

What about when an entry node is communicating with a middle node, or a middle node is communicating with an exit node? Do they (1) still use DH to exchange parameters for calculating the session keys, or (2) use symmetric encryption like AES to exchange the session keys directly?

Gaai Chia

1 Answer


Tor v4 supports TLS 1.3 for connections to relays. In TLS 1.3, session keys are generated using ECDHE, for perfect forward secrecy.

Indeed, if you randomly choose a Tor relay from the list of Tor relays at https://www.dan.me.uk/tornodes, and use openssl s_client to connect to the relay, you'll likely see that it connects using TLS 1.3.

For example:

openssl s_client -connect 103.119.112.167:9001

produces:

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 31FE335808BE2C0B4385E38C2C93A182EA80ED6269091825881EA2A0DD2C80DE
    Session-ID-ctx: 
    Resumption PSK: 581060B5B0657B0658D11676062F4C55C43583765002DA5A04B053D1A4656492CE9D4E808A30F99F9B7781E647598949
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 58 e6 35 a4 16 b0 72 ae-7c 34 91 68 72 c4 cf e1   X.5...r.|4.hr...
    0010 - c0 c6 7d c5 d3 77 d7 55-ec 6b 73 3e 6a 9b fb e1   ..}..w.U.ks>j...

    Start Time: 1647771099
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0

As you can see, the connection was over TLS 1.3, using the ciphersuite TLS_AES_256_GCM_SHA384.

See "How are key exchange and signature algorithms negotiated in TLS 1.3" for more information on how ephemeral key exchange takes place in TLS 1.3. https://tls13.ulfheim.net/ is also helpful.

mti2935
  • Sorry I am new to cryptography. Does TLS_AES_256_GCM_SHA384 mean that the communication is encrypted with AES? – Gaai Chia Mar 20 '22 at 13:46
  • Yes, AES is used as the underlying encryption method in almost all variations of TLS. The plaintext sent/received between the client and the server is encrypted with AES, using a key known to both the client and the server, derived using a key-exchange method, such as ECDHE. – mti2935 Mar 20 '22 at 13:49
  • Thank you for explaining! – Gaai Chia Mar 20 '22 at 13:52
  • No problem. AES_256_GCM is the symmetric encryption algorithm that is used to encrypt the plaintext. It's AES with a 256-bit key, in GCM mode, which is an authenticated encryption mode that provides integrity verification in addition to secrecy. SHA384 is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF), which is used to authenticate the key exchange for the keys used in AES. See https://datatracker.ietf.org/doc/html/rfc8446 for more info. https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ is also informative, as well as the links I included in my answer. – mti2935 Mar 20 '22 at 14:02
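
As an added illustration (not part of the answer above and not Tor's code): how both ends of a TLS_AES_256_GCM_SHA384 connection arrive at the same AES-256 key and GCM IV without ever sending them, using HKDF-Expand-Label from RFC 8446 with SHA-384. The toy Diffie-Hellman group, the single-step derivation from the shared secret, and the function names are assumptions of this sketch; real TLS 1.3 uses a named group and a multi-stage key schedule bound to the handshake transcript.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha384            # the "SHA384" in TLS_AES_256_GCM_SHA384
KEY_LEN, IV_LEN = 32, 12         # AES-256 key and GCM nonce sizes

# Constructed toy group: far too small for real use. TLS 1.3 uses named
# groups (for example X25519), never parameters chosen per connection.
P = 2**127 - 1
G = 3

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label."""
    full = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def traffic_keys(shared: int) -> tuple[bytes, bytes]:
    """Simplified: real TLS 1.3 also mixes the handshake transcript in."""
    ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    secret = hkdf_extract(b"\x00" * HASH().digest_size, ikm)
    return (hkdf_expand_label(secret, "key", b"", KEY_LEN),
            hkdf_expand_label(secret, "iv", b"", IV_LEN))

def handshake() -> tuple[tuple[bytes, bytes], tuple[bytes, bytes]]:
    """Each side picks a fresh exponent and sends only its public value."""
    a = secrets.randbelow(P - 3) + 2
    b = secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)     # the only values on the wire
    return traffic_keys(pow(pub_b, a, P)), traffic_keys(pow(pub_a, b, P))

if __name__ == "__main__":
    client, relay = handshake()
    print("keys match:", client == relay, "| key bits:", len(client[0]) * 8)
```

The derived key and IV are what AES-256-GCM would then use to protect records; AES itself is omitted because it is not in the Python standard library.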