Jeremy Rand <jeremyr...@airmail.cc> writes: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > My understanding is that the communication between circuit hops has > forward secrecy, but I've been unable to find any documentation on > whether forward secrecy exists for traffic sent between a Tor client > and a Tor onion service (not just the forward secrecy existing between > adjacent hops). Or, put another way -- if the machine hosting a > hidden service is compromised after data is exchanged, *and* some/all > of the Tor relays on the circuit were compromised prior to the data > being exchanged, is it feasible for the adversary to decrypt the data > being exchanged? >
Hello, yes, hidden service circuits are end-to-end encrypted between the HS and the client. It works like this: The hidden service sends its ephemeral DH keys to the client using the INTRODUCE1 cell, and the client sends its own ephemeral DH keys in the RENDEZVOUS1 cell; both parties then use those keys to establish the end-to-end shared secret that secures the session. To answer your question: If the HS or the client get compromised _after_ the session has ended (and the ephemeral DH keys have been wiped), the adversary must not be able to decrypt the exchanged data, even if all the between hops get pwned as well. Cheers! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
