tor-webwml.git

1) ## translation metadata

2) # Revision: $Revision$

3) # Translation-Priority: 3-low
4) 
5) #include "head.wmi" TITLE="Tor: Hidden Service Protocol"
6) 
7) <div class="main-column">
8) 
9) <h2>Tor: Hidden Service Protocol</h2>
10) <hr />
11) 
12) <p>
13) A hidden service needs to advertise its existence in the Tor network before
14) clients will be able to contact it. Therefore, the service randomly picks
15) some relays, builds circuits to them, and asks them to act as introduction
16) points telling them its public key. Note that in the following figures the
17) green links are circuits rather than direct connections. This makes it
18) impossible for anyone to associate the introduction points with the hidden

19) server's IP address. This is important, because although the introduction

20) points and others are told the hidden service's identity (public key), they

21) must not learn about the hidden server's location (IP address).

22) </p>
23) 
24) <img alt="Tor hidden service step one" src="$(IMGROOT)/THS-1.png" />
25) # maybe add a speech bubble containing "PK" to Bob, because that's what
26) # Bob tells to his introduction points
27) 
28) <p>
29) In a second step, the hidden service assembles a hidden service descriptor
30) containing the introduction points' addresses and its public key and signs
31) it with its private key. It stores that descriptor on a set of directory

32) servers, again using a circuit that hides the link between the directory
33) server storing the
34) descriptor with the hidden server's IP address. The descriptor will be

35) found by clients requesting XYZ.onion where XYZ is a 16 characters long
36) name that can be uniquely derived from the service's public key. Although
37) it might seem impractical to use an automatically-generated service name,

38) it serves an important goal: Everyone – including the introduction points,
39) the directory servers, and of course the clients – can verify that they

40) are talking to the hidden service. After this step, the hidden service is
41) set up.

42) </p>
43) 
44) <img alt="Tor hidden service step two" src="$(IMGROOT)/THS-2.png" />
45) # maybe replace "database" with "directory servers"; further: how incorrect
46) # is it to *not* add DB to the Tor cloud, now that begin dir cells are in
47) # use?
48) 
49) <p>
50) A client that wants to contact a hidden service needs to learn about its
51) onion address first. After that, the client can initiate connection
52) establishment by downloading the descriptor from the directory servers. If
53) there is a descriptor for XYZ.onion (the hidden service could also be
54) offline or have left long ago, or there could be a typo in the onion
55) address), the client creates a circuit to another randomly picked relay and
56) asks it to act as rendezvous point, telling it a one-time secret.
57) </p>
58) 
59) <img alt="Tor hidden service step three" src="$(IMGROOT)/THS-3.png" />
60) # maybe add "cookie" to speech bubble, separated from the surrounded
61) # "IP1-3" and "PK"
62) 
63) <p>
64) Upon setting up the rendezvous point, the client assembles an introduce
65) message (encrypted to the hidden service's public key) including the
66) address of the rendezvous point and the one-time secret. The client sends
67) this message to one of the introduction points, requesting it to deliver it
68) to the hidden service. Again, communication takes place via a circuit, so
69) that nobody can relate sending the introduce message to the client's IP
70) address, ensuring the client's anonymity.
71) </p>
72) 
73) <img alt="Tor hidden service step four" src="$(IMGROOT)/THS-4.png" />
74) 
75) <p>
76) The hidden service decrypts the client's introduce message and finds the
77) address of the rendezvous point and the one-time secret in it. The service
78) creates a circuit to the rendezvous point and sends the one-time secret to
79) it in a rendezvous message.
80) </p>
81) 

82) <p>
83) At this point it is of special importance that the hidden service sticks to
84) the same set of guard nodes for creating new circuits. Otherwise an attacker
85) could run an own relay and force a hidden service to create an arbitrary
86) number of circuits in the hope of the corrupt relay to be picked as entry

87) node and learn the hidden server's IP address via timing analysis. This

88) attack was described by Øverlier and Syverson in their paper titled

89) Locating Hidden Servers.

90) </p>
91) 

92) <img alt="Tor hidden service step five" src="$(IMGROOT)/THS-5.png" />
93) # it should say "Bob connects to Alice's ..."
94) 
95) <p>
96) In the last step, the rendezvous point notifies the client about successful
97) connection establishment. After that, both, client and hidden service can
98) use their circuits to the rendezvous point for communicating with each
99) other. The rendezvous point simply relays (end-to-end encrypted) messages
100) from client to service and vice versa.
101) </p>
102) 

103) <p>
104) One of the reasons for not using the earlier created connection via the
105) introduction point for actual communication is that no single relay should
106) appear to be responsible for a given hidden service. This is why the
107) rendezvous point never learns about the hidden service's identity.
108) </p>
109) 
110) <p>
111) In general, the complete connection between client and hidden service
112) consists of 6 relays: 3 of them were picked by the client with the third
113) being the rendezvous point and the other 3 were picked by the hidden
114) service.
115) </p>
116) 

117) <img alt="Tor hidden service step six" src="$(IMGROOT)/THS-6.png" />
118) 

119) <p>
120) There are more detailed descriptions about the hidden service protocol than
121) this one. See the
122) <a href="<svnsandbox>doc/design-paper/tor-design.pdf">Tor design paper</a>
123) for an in-depth design description and the
124) <a href="<svnsandbox>doc/spec/rend-spec.txt">rendezvous specification</a>
125) for the message formats.
126) </p>
127)