3 Tor Rendezvous Specification
5 0. Overview and preliminaries
7 Read http://tor.eff.org/doc/design-paper/tor-design.html#sec:rendezvous
8 before you read this specification. It will make more sense.
10 Rendezvous points provide location-hidden services (server
11 anonymity) for the onion routing network. With rendezvous points,
12 Bob can offer a TCP service (say, a webserver) via the onion
13 routing network, without revealing the IP of that service.
15 Bob does this by anonymously advertising a public key for his
16 service, along with a list of onion routers to act as "Introduction
17 Points" for his service. He creates forward OR circuits to those
18 introduction points, and tells them about his public key. To
19 connect to Bob, Alice first builds an OR circuit to an OR to act as
20 her "Rendezvous Point", then connects to one of Bob's chosen
21 introduction points, and asks it to tell him about her Rendezvous
22 Point (RP). If Bob chooses to answer, he builds an OR circuit to her
23 RP, and tells it to connect him to Alice. The RP joints their
24 circuits together, and begins relaying cells. Alice's 'BEGIN'
25 cells are received directly by Bob's OP, which responds by
26 communication with the local server implementing Bob's service.
28 Below, we describe a network-level specification of this service,
29 along with interfaces to make this process transparent to Alice
30 (so long as she is using an OP).
32 0.1. Notation, conventions and prerequisites
34 In the specifications below, we use the same notation as in
35 "tor-spec.txt". The service specified here also requires the existence of
36 an onion routing network as specified in "tor-spec.txt".
38 H(x) is a SHA1 digest of x.
39 PKSign(SK,x) is a PKCS.1-padded RSA signature of x with SK.
40 PKEncrypt(SK,x) is a PKCS.1-padded RSA encryption of x with SK.
41 Public keys are all RSA, and encoded in ASN.1.
42 All integers are stored in network (big-endian) order.
43 All symmetric encryption uses AES in counter mode, except where
46 In all discussions, "Alice" will refer to a user connecting to a
47 location-hidden service, and "Bob" will refer to a user running a
48 location-hidden service.
52 1. Bob->Bob's OP: "Offer IP:Port as public-key-name:Port". [configuration]
53 (We do not specify this step; it is left to the implementor of
56 2. Bob's OP generates keypair and rendezvous service descriptor:
57 "Meet public-key X at introduction point A, B, or C." (signed)
59 3. Bob's OP->Introduction point via Tor: [introduction setup]
62 4. Bob's OP->directory service via Tor: publishes Bob's service descriptor
65 5. Out of band, Alice receives a y.onion:port address. She opens a
66 SOCKS connection to her OP, and requests y.onion:port.
68 6. Alice's OP retrieves Bob's descriptor via Tor: [descriptor lookup.]
70 7. Alice's OP chooses a rendezvous point, opens a circuit to that
71 rendezvous point, and establishes a rendezvous circuit. [rendezvous
74 8. Alice connects to the Introduction point via Tor, and tells it about
75 her rendezvous point. (Encrypted to Bob.) [Introduction 1]
77 9. The Introduction point passes this on to Bob's OP via Tor, along the
78 introduction circuit. [Introduction 2]
80 10. Bob's OP decides whether to connect to Alice, and if so, creates a
81 circuit to Alice's RP via Tor. Establishes a shared circuit.
84 11. Alice's OP sends begin cells to Bob's OP. [Connection]
86 0.3. Constants and new cell types
89 32 -- RELAY_ESTABLISH_INTRO
90 33 -- RELAY_ESTABLISH_RENDEZVOUS
91 34 -- RELAY_INTRODUCE1
92 35 -- RELAY_INTRODUCE2
93 36 -- RELAY_RENDEZVOUS1
94 37 -- RELAY_RENDEZVOUS2
95 38 -- RELAY_INTRO_ESTABLISHED
96 39 -- RELAY_RENDEZVOUS_ESTABLISHED
97 40 -- RELAY_COMMAND_INTRODUCE_ACK
101 1.1. Bob configures his local OP.
103 We do not specify a format for the OP configuration file. However,
104 OPs SHOULD allow Bob to provide more than one advertised service
105 per OP, and MUST allow Bob to specify one or more virtual ports per
106 service. Bob provides a mapping from each of these virtual ports
107 to a local IP:Port pair.
109 1.2. Bob's OP generates service descriptors.
111 The first time the OP provides an advertised service, it generates
112 a public/private keypair (stored locally). Periodically, the OP
113 generates a service descriptor, containing:
115 KL Key length [2 octets]
116 PK Bob's public key [KL octets]
117 TS A timestamp [4 octets]
118 NI Number of introduction points [2 octets]
119 Ipt A list of NUL-terminated ORs [variable]
120 SIG Signature of above fields [variable]
122 KL is the length of PK, in octets. (Currently, KL must be 128.)
123 TS is the number of seconds elapsed since Jan 1, 1970.
125 The members of Ipt may be either (a) nicknames, or (b) identity key
126 digests, encoded in hex, and prefixed with a '$'. Clients must
127 accept both forms. Services must only generate the second form.
128 Once 0.0.9.x is obsoleted, we can drop the first form.
130 [It's ok for Bob to advertise 0 introduction points. He might want
131 to do that if he previously advertised some introduction points,
132 and now he doesn't have any. -RD]
134 1.3. Bob's OP establishes his introduction points.
136 The OP establishes a new introduction circuit to each introduction
137 point. These circuits MUST NOT be used for anything but rendezvous
138 introduction. To establish the introduction, Bob sends a
139 RELAY_ESTABLISH_INTRO cell, containing:
141 KL Key length [2 octets]
142 PK Bob's public key [KL octets]
143 HS Hash of session info [20 octets]
144 SIG Signature of above information [variable]
146 To prevent replay attacks, the HS field contains a SHA-1 hash based on the
147 shared secret KH between Bob's OP and the introduction point, as
149 HS = H(KH | "INTRODUCE")
151 HS = H(KH | [49 4E 54 52 4F 44 55 43 45])
152 (KH, as specified in tor-spec.txt, is H(g^xy | [00]) .)
154 Upon receiving such a cell, the OR first checks that the signature is
155 correct with the included public key. If so, it checks whether HS is
156 correct given the shared state between Bob's OP and the OR. If either
157 check fails, the OP discards the cell; otherwise, it associates the
158 circuit with Bob's public key, and dissociates any other circuits
159 currently associated with PK. On success, the OR sends Bob a
160 RELAY_INTRO_ESTABLISHED cell with an empty payload.
162 1.4. Bob's OP advertises his service descriptor
164 Bob's OP opens a stream to each directory server's directory port via Tor.
165 (He may re-use old circuits for this.)
166 Over this stream, Bob's OP makes an HTTP 'POST' request, to the URL
167 '/tor/rendezvous/publish' (relative to the directory server's root),
168 containing as its body Bob's service descriptor. Upon receiving a
169 descriptor, the directory server checks the signature, and discards the
170 descriptor if the signature does not match the enclosed public key. Next,
171 the directory server checks the timestamp. If the timestamp is more than
172 24 hours in the past or more than 1 hour in the future, or the directory
173 server already has a newer descriptor with the same public key, the server
174 discards the descriptor. Otherwise, the server discards any older
175 descriptors with the same public key, and associates the new descriptor
176 with the public key. The directory server remembers this descriptor for
177 at least 24 hours after its timestamp. At least every 24 hours, Bob's OP
178 uploads a fresh descriptor.
180 1.5. Alice receives a y.onion address
182 When Alice receives a pointer to a location-hidden service, it is as a
183 hostname of the form "y.onion", where y is a base-32 encoding of a
184 10-octet hash of Bob's service's public key, computed as follows:
187 2. Let H' = the first 80 bits of H, considering each octet from
188 most significant bit to least significant bit.
189 2. Generate a 16-character encoding of H', using base32 as defined
192 (We only use 80 bits instead of the 160 bits from SHA1 because we don't
193 need to worry about man-in-the-middle attacks, and because it will make
194 handling the url's more convenient.)
196 [Yes, numbers are allowed at the beginning. See RFC1123. -NM]
198 1.6. Alice's OP retrieves a service descriptor
200 Alice opens a stream to a directory server via Tor, and makes an
201 HTTP GET request for the document '/tor/rendezvous/<y>', where
202 '<y> is replaced with the encoding of Bob's public key as described
203 above. (She may re-use old circuits for this.) The directory replies
204 with a 404 HTTP response if it does not recognize <y>, and otherwise
205 returns Bob's most recently uploaded service descriptor.
207 If Alice's OP receives a 404 response, it tries the other directory
208 servers, and only fails the lookup if none recognizes the public key hash.
210 Upon receiving a service descriptor, Alice verifies with the same process
211 as the directory server uses, described above in section 1.4.
213 The directory server gives a 400 response if it cannot understand Alice's
216 Alice should cache the descriptor locally, but should not use
217 descriptors that are more than 24 hours older than their timestamp.
218 [Caching may make her partitionable, but she fetched it anonymously,
219 and we can't very well *not* cache it. -RD]
221 1.7. Alice's OP establishes a rendezvous point.
223 When Alice requests a connection to a given location-hidden service,
224 and Alice's OP does not have an established circuit to that service,
225 the OP builds a rendezvous circuit. It does this by establishing
226 a circuit to a randomly chosen OR, and sending a
227 RELAY_ESTABLISH_RENDEZVOUS cell to that OR. The body of that cell
230 RC Rendezvous cookie [20 octets]
232 The rendezvous cookie is an arbitrary 20-byte value, chosen randomly by
235 Upon receiving a RELAY_ESTABLISH_RENDEZVOUS cell, the OR associates the
236 RC with the circuit that sent it. It replies to Alice with an empty
237 RELAY_RENDEZVOUS_ESTABLISHED cell to indicate success.
239 Alice's OP MUST NOT use the circuit which sent the cell for any purpose
240 other than rendezvous with the given location-hidden service.
242 1.8. Introduction: from Alice's OP to Introduction Point
244 Alice builds a separate circuit to one of Bob's chosen introduction
245 points, and sends it a RELAY_INTRODUCE1 cell containing:
248 PK_ID Identifier for Bob's PK [20 octets]
250 Encrypted to Bob's PK:
251 RP Rendezvous point's nickname [20 octets]
252 RC Rendezvous cookie [20 octets]
253 g^x Diffie-Hellman data, part 1 [128 octets]
255 VER Version byte: set to 1. [1 octet]
256 RP Rendezvous point nick or ID [42 octets]
257 RC Rendezvous cookie [20 octets]
258 g^x Diffie-Hellman data, part 1 [128 octets]
260 VER Version byte: set to 2. [1 octet]
261 IP Rendezvous point's address [4 octets]
262 PORT Rendezvous point's OR port [2 octets]
263 ID Rendezvous point identity ID [20 octets]
264 KEY Rendezvous point onion key [128 octets]
265 RC Rendezvous cookie [20 octets]
266 g^x Diffie-Hellman data, part 1 [128 octets]
268 PK_ID is the hash of Bob's public key. RP is NUL-padded and terminated,
269 and must contain EITHER a nickname, or an identity key digest, encoded in
270 hex, and prefixed with a '$'.
272 Implementations must accept all variants, but should only generate the
273 first so long as any version of Tor before 0.1.1 is still in use.
274 Implementations should never generate the second version.
276 The hybrid encryption to Bob's PK works just like the hybrid
277 encryption in CREATE cells (see main spec). Thus the payload of the
278 RELAY_INTRODUCE1 cell on the wire will contain 20+42+16+20+20+128=246
279 bytes. [XXXX not really]
281 1.9. Introduction: From the Introduction Point to Bob's OP
283 If the Introduction Point recognizes PK_ID as a public key which has
284 established a circuit for introductions as in 1.3 above, it sends the body
285 of the cell in a new RELAY_INTRODUCE2 cell down the corresponding circuit.
286 (If the PK_ID is unrecognized, the RELAY_INTRODUCE1 cell is discarded.)
288 After sending the RELAY_INTRODUCE2 cell, the OR replies to Alice with an
289 empty RELAY_COMMAND_INTRODUCE_ACK cell. If no RELAY_INTRODUCE2 cell can
290 be sent, the OR replies to Alice with a non-empty cell to indicate an
291 error. (The semantics of the cell body may be determined later; the
292 current implementation sends a single '1' byte on failure.)
294 When Bob's OP receives the RELAY_INTRODUCE2 cell, it decrypts it with
295 the private key for the corresponding hidden service, and extracts the
296 rendezvous point's nickname, the rendezvous cookie, and the value of g^x
301 Bob's OP build a new Tor circuit ending at Alice's chosen rendezvous
302 point, and sends a RELAY_RENDEZVOUS1 cell along this circuit, containing:
303 RC Rendezvous cookie [20 octets]
304 g^y Diffie-Hellman [128 octets]
305 KH Handshake digest [20 octets]
307 (Bob's OP MUST NOT use this circuit for any other purpose.)
309 If the RP recognizes RC, it relays the rest of the cell down the
310 corresponding circuit in a RELAY_RENDEZVOUS2 cell, containing:
312 g^y Diffie-Hellman [128 octets]
313 KH Handshake digest [20 octets]
315 (If the RP does not recognize the RC, it discards the cell and
316 tears down the circuit.)
318 When Alice's OP receives a RELAY_RENDEZVOUS2 cell on a circuit which
319 has sent a RELAY_ESTABLISH_RENDEZVOUS cell but which has not yet received
320 a reply, it uses g^y and H(g^xy) to complete the handshake as in the Tor
321 circuit extend process: they establish a 60-octet string as
322 K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02])
328 Subsequently, the rendezvous point passes relay cells, unchanged, from
329 each of the two circuits to the other. When Alice's OP sends
330 RELAY cells along the circuit, it first encrypts them with the
331 Kf, then with all of the keys for the ORs in Alice's side of the circuit;
332 and when Alice's OP receives RELAY cells from the circuit, it decrypts
333 them with the keys for the ORs in Alice's side of the circuit, then
334 decrypts them with Kb. Bob's OP does the same, with Kf and Kb
337 1.11. Creating streams
339 To open TCP connections to Bob's location-hidden service, Alice's OP sends
340 a RELAY_BEGIN cell along the established circuit, using the special
341 address "", and a chosen port. Bob's OP chooses a destination IP and
342 port, based on the configuration of the service connected to the circuit,
343 and opens a TCP stream. From then on, Bob's OP treats the stream as an
344 ordinary exit connection.
345 [ Except he doesn't include addr in the connected cell or the end
348 Alice MAY send multiple RELAY_BEGIN cells along the circuit, to open
349 multiple streams to Bob. Alice SHOULD NOT send RELAY_BEGIN cells for any
350 other address along her circuit to Bob; if she does, Bob MUST reject them.