Karsten Loesing committed on 2008-03-29 00:42:46
              Showing 7 changed files with 81 additions and 0 deletions.
                      @@ -175,6 +175,87 @@ about censorship. Nobody would be able to determine who was offering  | 
                  
| 175 | 175 | 
                        the site, and nobody who offered the site would know who was posting to it.  | 
                    
| 176 | 176 | 
                        </p>  | 
                    
| 177 | 177 | 
                         | 
                    
| 178 | 
                        +<!-- TO TRANSLATORS: this section might still need some review and  | 
                    |
| 179 | 
                        +corrections! better wait at least one week from today (2008-03-29) before  | 
                    |
| 180 | 
                        +starting translation -->  | 
                    |
| 181 | 
                        +  | 
                    |
| 182 | 
                        +<p>  | 
                    |
| 183 | 
                        +A hidden service needs to advertise its existence in the Tor network before  | 
                    |
| 184 | 
                        +clients will be able to contact it. Therefore, the service randomly picks  | 
                    |
| 185 | 
                        +some relays, builds circuits to them, and asks them to act as introduction  | 
                    |
| 186 | 
                        +points telling them its public key. Note that in the following figures the  | 
                    |
| 187 | 
                        +green links are circuits rather than direct connections. This makes it  | 
                    |
| 188 | 
                        +impossible for anyone to associate the introduction points with the hidden  | 
                    |
| 189 | 
                        +service's IP address. This is important, because although the introduction  | 
                    |
| 190 | 
                        +points and others are told the hidden service's identity (public key), they  | 
                    |
| 191 | 
                        +must not learn about the hidden server's identity (IP address).  | 
                    |
| 192 | 
                        +</p>  | 
                    |
| 193 | 
                        +  | 
                    |
| 194 | 
                        +<img alt="Tor hidden service step one" src="$(IMGROOT)/THS-1.png" />  | 
                    |
| 195 | 
                        +<!-- maybe add a speech bubble containing "PK" to Bob, because that's what  | 
                    |
| 196 | 
                        +Bob tells to his introduction points -->  | 
                    |
| 197 | 
                        +  | 
                    |
| 198 | 
                        +<p>  | 
                    |
| 199 | 
                        +In a second step, the hidden service assembles a hidden service descriptor  | 
                    |
| 200 | 
                        +containing the introduction points' addresses and its public key and signs  | 
                    |
| 201 | 
                        +it with its private key. It stores that descriptor on a set of directory  | 
                    |
| 202 | 
                        +servers, again using a circuit that hides the link between storing the  | 
                    |
| 203 | 
                        +descriptor with the hidden service's IP address. The descriptor will be  | 
                    |
| 204 | 
                        +found by clients requesting XYZ.onion where XYZ is uniquely derived from  | 
                    |
| 205 | 
                        +the service's public key. After this step, the hidden service is set up.  | 
                    |
| 206 | 
                        +</p>  | 
                    |
| 207 | 
                        +  | 
                    |
| 208 | 
                        +<img alt="Tor hidden service step two" src="$(IMGROOT)/THS-2.png" />  | 
                    |
| 209 | 
                        +<!-- maybe replace "database" with "directory servers"; further: how  | 
                    |
| 210 | 
                        +incorrect is it to *not* add DB to the Tor cloud, now that begin dir cells  | 
                    |
| 211 | 
                        +are in use? -->  | 
                    |
| 212 | 
                        +  | 
                    |
| 213 | 
                        +<p>  | 
                    |
| 214 | 
                        +A client that wants to contact a hidden service needs to learn about its  | 
                    |
| 215 | 
                        +onion address first. After that, the client can initiate connection  | 
                    |
| 216 | 
                        +establishment by downloading the descriptor from the directory servers. If  | 
                    |
| 217 | 
                        +there is a descriptor for XYZ.onion (the hidden service could also be  | 
                    |
| 218 | 
                        +offline or have left long ago, or there could be a typo in the onion  | 
                    |
| 219 | 
                        +address), the client creates a circuit to another randomly picked relay and  | 
                    |
| 220 | 
                        +asks it to act as rendezvous point, telling it a one-time secret.  | 
                    |
| 221 | 
                        +</p>  | 
                    |
| 222 | 
                        +  | 
                    |
| 223 | 
                        +<img alt="Tor hidden service step three" src="$(IMGROOT)/THS-3.png" />  | 
                    |
| 224 | 
                        +<!-- maybe add "cookie" to speech bubble, separated from the surrounded  | 
                    |
| 225 | 
                        +"IP1-3" and "PK" -->  | 
                    |
| 226 | 
                        +  | 
                    |
| 227 | 
                        +<p>  | 
                    |
| 228 | 
                        +Upon setting up the rendezvous point, the client assembles an introduce  | 
                    |
| 229 | 
                        +message (encrypted to the hidden service's public key) including the  | 
                    |
| 230 | 
                        +address of the rendezvous point and the one-time secret. The client sends  | 
                    |
| 231 | 
                        +this message to one of the introduction points, requesting it to deliver it  | 
                    |
| 232 | 
                        +to the hidden service. Again, communication takes place via a circuit, so  | 
                    |
| 233 | 
                        +that nobody can relate sending the introduce message to the client's IP  | 
                    |
| 234 | 
                        +address, ensuring the client's anonymity.  | 
                    |
| 235 | 
                        +</p>  | 
                    |
| 236 | 
                        +  | 
                    |
| 237 | 
                        +<img alt="Tor hidden service step four" src="$(IMGROOT)/THS-4.png" />  | 
                    |
| 238 | 
                        +  | 
                    |
| 239 | 
                        +<p>  | 
                    |
| 240 | 
                        +The hidden service decrypts the client's introduce message and finds the  | 
                    |
| 241 | 
                        +address of the rendezvous point and the one-time secret in it. The service  | 
                    |
| 242 | 
                        +creates a circuit to the rendezvous point and sends the one-time secret to  | 
                    |
| 243 | 
                        +it in a rendezvous message.  | 
                    |
| 244 | 
                        +</p>  | 
                    |
| 245 | 
                        +  | 
                    |
| 246 | 
                        +<img alt="Tor hidden service step five" src="$(IMGROOT)/THS-5.png" />  | 
                    |
| 247 | 
                        +<!-- it should say "Bob connects to Alice's ..." -->  | 
                    |
| 248 | 
                        +  | 
                    |
| 249 | 
                        +<p>  | 
                    |
| 250 | 
                        +In the last step, the rendezvous point notifies the client about successful  | 
                    |
| 251 | 
                        +connection establishment. After that, both, client and hidden service can  | 
                    |
| 252 | 
                        +use their circuits to the rendezvous point for communicating with each  | 
                    |
| 253 | 
                        +other. The rendezvous point simply relays (end-to-end encrypted) messages  | 
                    |
| 254 | 
                        +from client to service and vice versa.  | 
                    |
| 255 | 
                        +</p>  | 
                    |
| 256 | 
                        +  | 
                    |
| 257 | 
                        +<img alt="Tor hidden service step six" src="$(IMGROOT)/THS-6.png" />  | 
                    |
| 258 | 
                        +  | 
                    |
| 178 | 259 | 
                        <h3>Staying anonymous</h3>  | 
                    
| 179 | 260 | 
                         | 
                    
| 180 | 261 | 
                        <p>  |
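Review bot: the step-two paragraph (new lines 199-205) says the descriptor is signed with the service's private key and that XYZ in XYZ.onion is derived from its public key, but never says what the client does with either fact; without a sentence such as "the client checks that the descriptor's signature verifies under the public key the onion address was derived from" the reader cannot see why a directory server could not hand back a forged descriptor, which is the whole point of signing it. Two wording slips in the same hunk: line 202-203 "hides the link between storing the descriptor with the hidden service's IP address" should read "between storing the descriptor and the hidden service's IP address", and line 251 "both, client and hidden service can use" has a stray comma ("both client and hidden service can use"). The HTML comments left in the hunk (lines 195-196, 209-211, 224-225 and 247) are invisible to readers, but line 247 records that the THS-5.png caption is wrong ("it should say 'Bob connects to Alice's ...'"); either fix the figure before this lands or turn that comment into a tracked TODO so it is not forgotten once the translator note at lines 178-180 expires.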