This won't tell them who initiated the data packet, but it will give them a view of the data itself, and that alone can be quite useful to an attacker. This problem can be mitigated by using SSL to negotiate a separate encrypted channel between the sender and the final destination for the data, so that the exit node relays ciphertext it cannot read.
10.7.1 Establishing a Circuit
The Onion Routing protocol builds its circuits step by step, negotiating a key with each server along the circuit in turn. Here are the steps involved in building the chain illustrated in Figures 10.2 and 10.3:
1. Alice decides she wants to send some packets of data to Bob using the Onion Routing network.
2. She chooses a server S_alpha at random from a list of servers that accept incoming circuits. This server is often called the entry node.
3. Alice and S_alpha negotiate a key. The latest version of the Onion Routing software uses ElGamal key exchange with established Diffie-Hellman keys, because it has proven to be faster than the RSA algorithms used in the original version. Call this key key_{alice,alpha}. [ØS07a]
4. Alice now has a secure path between her computer and S_alpha. She can extend this path by choosing another server at random from the network, S_beta.
5. Alice does not communicate with S_beta directly; she uses S_alpha as her proxy. S_beta doesn't even know that Alice exists, because all of S_beta's communications are with S_alpha. Alice negotiates a key by sending her half of the key-establishment exchange through her encrypted tunnel with S_alpha, which sends it on to S_beta on her behalf. Call the resulting key key_{alice,beta}.
6. After Alice completes the key negotiation with S_beta, she checks the signature on key_{alice,beta} provided by S_beta. This prevents S_alpha from cheating by pretending to open the new circuit to S_beta itself, or simply setting itself up as a man-in-the-middle on the extension. The check is only meaningful because Alice already holds S_beta's public key from a trusted source, the network's directory; if S_alpha could also supply that key, it could substitute its own.
7. If the circuit were longer, Alice would repeat this negotiation phase with each further server in the circuit.
8. Alice now has a circuit constructed with S_beta, her proxy for the general Internet, also called the exit node. If she sends out a