
Diagram: Server -> Exit Node -> Middle Node -> Entry Node -> Client

In Entry Node -> Client, how does the entry node authenticate that the receiver is a real client but not a MITM?

Gaai Chia
  • Is the traffic not encrypted by all three nodes in accordance with the circuit setup, so only the client can decrypt it? – user253751 Mar 22 '22 at 13:06

1 Answer


The connection from the client to the entry node is over TLS (see https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt section 2).

As with any TLS connection between a client and a server, the security of the connection depends on one party being able to positively authenticate the certificate of the other party. Normally, it is the client that authenticates the server's certificate, but the reverse is also possible.

In the context of a connection from a Tor client to a Tor entry node, this authentication takes place as discussed here.

In any TLS connection, assuming one party is able to positively authenticate the certificate of the other party (in order to prevent a MITM attack), the secrecy and the integrity of the packets in both directions are protected. See Can a HTTPS MITM decypher server response packets? for more info.

mti2935
  • In the case that an entry node sends data back to the client, does the entry node authenticate the client using the session key, because the client itself does not have a certificate? – Gaai Chia Mar 22 '22 at 15:40
  • That's basically correct. I wouldn't say that the entry node *authenticates* the client when it sends the response back to the client. But, if a client negotiates a TLS connection with the server, then sends a request to the server, then an attacker tries to intercept the response from the server back to the client - the attacker would be unable to decrypt the response. This is because only the true client (that negotiated the TLS session and sent the initial request), and not the attacker, would know the session key that the response is encrypted with. – mti2935 Mar 22 '22 at 15:56
  • If the entry node _does not_ authenticate the client when it sends the response back to the client, then what kind of thing does the job of authentication? – Gaai Chia Mar 22 '22 at 16:25
  • Any client can connect to an entry node, without authenticating. The entry node doesn't care who the client is - it will accept requests from any client, and respond to those requests. What's important is: when a client negotiates a TLS connection with the entry node, then sends a request to the entry node, then the entry node sends a response back to the client - only that same client (and not an attacker) can decrypt the response. TLS ensures this. – mti2935 Mar 22 '22 at 16:48
  • `The entry node doesn't care who the client is` What if a MITM acts as the client? I know the MITM cannot decrypt the data. However, can the MITM know the identity (e.g. IP address) of the client when the entry node sends data back to the client? Wouldn't that decrease anonymity in Tor? – Gaai Chia Mar 23 '22 at 07:17
  • Any router between the client and the entry node (e.g. a router at the client's ISP) can see the IP address of the client, and the fact that the client is connecting to a Tor entry node. The router does not even have to MITM the connection to do that - just passive observation of the packets is enough. So, the router can see that the client is using Tor, but the router cannot see which servers that client is connecting to. – mti2935 Mar 23 '22 at 09:57
  • Can I use a bridge to prevent a MITM from knowing my IP address? – Gaai Chia Mar 25 '22 at 08:27
  • Yes. This is the reason we have [Tor bridges](https://bridges.torproject.org/). – mti2935 Mar 25 '22 at 10:38
  • Thank you for your patience in explaining this to me. :) – Gaai Chia Mar 26 '22 at 11:41
  • No problem. Thank you for posting such interesting questions on this site! – mti2935 Mar 26 '22 at 13:31
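The one-sided authentication the answer and its comments describe, as an added Go model (not Tor's code and not the real Tor link protocol): the relay signs its ephemeral X25519 key with a long-term Ed25519 identity key that stands in for its certificate, the client verifies that signature against the identity it already trusts, the relay accepts any client that completes the exchange, and the resulting session key is the only thing that lets the true client read the response. Key derivation is simplified to SHA-256 of the shared secret, and `Handshake`, `Record` and `trustedID` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey stands in for the TLS key schedule (simplified here to SHA-256 of
// the X25519 shared secret; real TLS runs HKDF over the handshake transcript).
func deriveKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	sum := sha256.Sum256(shared)
	return sum[:], err
}

// Handshake models the one-sided authentication described in the answer: the
// relay signs its ephemeral key with its identity key, the client checks that
// signature against the identity it trusts (trustedID), and the relay accepts
// any client that completes the exchange. Both session keys are returned.
func Handshake(trustedID ed25519.PublicKey, relayID ed25519.PrivateKey) (clientKey, relayKey []byte, err error) {
	relayEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	relayPub := relayEph.PublicKey() // sent to the client (wire encoding elided)
	sig := ed25519.Sign(relayID, relayPub.Bytes())
	// Client side: an impostor relay cannot produce a valid sig for trustedID.
	if !ed25519.Verify(trustedID, relayPub.Bytes(), sig) {
		return nil, nil, errors.New("relay not authenticated: possible MITM")
	}
	clientEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	if clientKey, err = deriveKey(clientEph, relayPub); err != nil {
		return nil, nil, err
	}
	// Relay side: no client certificate is checked; it just completes the DH.
	relayKey, err = deriveKey(relayEph, clientEph.PublicKey())
	return clientKey, relayKey, err
}

// Record models the TLS record layer with AES-256-GCM: without the session key
// an observer can neither read the response nor modify it undetected.
func Record(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

A passive observer on the path still sees both endpoints' IP addresses, exactly as the last comments note; this model only shows why the response contents and integrity are out of its reach.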