mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 23:53:32 +01:00
proposal 121: incorporated comments by Nick posted to or-dev on 10-Oct-2007
svn:r12725
This commit is contained in:
parent
ae1aa5a1bb
commit
6bf8e8aec3
@ -10,6 +10,7 @@ Status: Open
|
|||||||
Change history:
|
Change history:
|
||||||
|
|
||||||
26-Sep-2007 Initial proposal for or-dev
|
26-Sep-2007 Initial proposal for or-dev
|
||||||
|
08-Dec-2007 Incorporated comments by Nick posted to or-dev on 10-Oct-2007
|
||||||
|
|
||||||
Overview:
|
Overview:
|
||||||
|
|
||||||
@ -63,6 +64,15 @@ Motivation:
|
|||||||
|
|
||||||
Details:
|
Details:
|
||||||
|
|
||||||
|
[XXX Restructure this section in separate patch:
|
||||||
|
A) The general mechanisms to perform authentication at three
|
||||||
|
authentication points (directory, service, introduction point)
|
||||||
|
B) A specific authentication protocol based on secret cookies. -KL]
|
||||||
|
|
||||||
|
[XXX Describe use of descriptor cookie as "/0/ Client authentication at
|
||||||
|
directory". Optional encryption/decryption using a descriptor cookie is
|
||||||
|
understood since proposal 114, but not used by servers and clients. -KL]
|
||||||
|
|
||||||
/1/ Client authentication at the hidden service
|
/1/ Client authentication at the hidden service
|
||||||
|
|
||||||
In proposal 114 a client (Alice) who has a valid secret cookie, which may
|
In proposal 114 a client (Alice) who has a valid secret cookie, which may
|
||||||
@ -75,7 +85,8 @@ Details:
|
|||||||
Authentication data will be transmitted via the RELAY_INTRODUCE1 cell
|
Authentication data will be transmitted via the RELAY_INTRODUCE1 cell
|
||||||
from Alice to Bob that is forwarded by the IPo. For this message several
|
from Alice to Bob that is forwarded by the IPo. For this message several
|
||||||
format versions are specified in the rend-spec in section 1.8. We will
|
format versions are specified in the rend-spec in section 1.8. We will
|
||||||
use the format version 3. This specification already contains the fields
|
use the format version 3, which is specified, but not implemented by
|
||||||
|
December 2007. This specification already contains the fields
|
||||||
"AUTHT" (to specify the authentication method), "AUTHL" (length of the
|
"AUTHT" (to specify the authentication method), "AUTHL" (length of the
|
||||||
authentication data), and "AUTHD" (the authentication data) that will be
|
authentication data), and "AUTHD" (the authentication data) that will be
|
||||||
used to store authentication data. Since these fields are encrypted with
|
used to store authentication data. Since these fields are encrypted with
|
||||||
@ -83,6 +94,8 @@ Details:
|
|||||||
the circuit to the rendezvous point if the provided authentication data
|
the circuit to the rendezvous point if the provided authentication data
|
||||||
is valid, otherwise he will drop the cell. This will improve security due
|
is valid, otherwise he will drop the cell. This will improve security due
|
||||||
to preventing communication between Bob and Alice if she is an attacker.
|
to preventing communication between Bob and Alice if she is an attacker.
|
||||||
|
Especially, it prevents the attack described by Øverlier and Syverson in
|
||||||
|
their paper "Locating Hidden Servers", even without the need for guards.
|
||||||
As a positive side effect it reduces network traffic because it avoids
|
As a positive side effect it reduces network traffic because it avoids
|
||||||
Bob from building unnecessary circuits to the rendezvous points.
|
Bob from building unnecessary circuits to the rendezvous points.
|
||||||
Authentication at the HS should be the last gatekeeper and the number of
|
Authentication at the HS should be the last gatekeeper and the number of
|
||||||
@ -98,6 +111,8 @@ Details:
|
|||||||
|
|
||||||
(1) Alice creates a password x and sends the password digest h(x) to Bob
|
(1) Alice creates a password x and sends the password digest h(x) to Bob
|
||||||
out of band.
|
out of band.
|
||||||
|
[XXX Don't distinguish between x and h(x), so that both Alice and Bob
|
||||||
|
can be the initiator of the password exchange. -KL]
|
||||||
(2) Alice sends h(x) to Bob, encrypted with Bob's fresh service key (not
|
(2) Alice sends h(x) to Bob, encrypted with Bob's fresh service key (not
|
||||||
subject to this proposal, see proposal 114).
|
subject to this proposal, see proposal 114).
|
||||||
(3) Bob decrypts Alice's message using his private service key (see
|
(3) Bob decrypts Alice's message using his private service key (see
|
||||||
@ -114,43 +129,26 @@ Details:
|
|||||||
the SHA-1 secure hash (see tor-spec) of the shared secret (password).
|
the SHA-1 secure hash (see tor-spec) of the shared secret (password).
|
||||||
|
|
||||||
The premise to use password authentication is that Bob must send the
|
The premise to use password authentication is that Bob must send the
|
||||||
password to Alice outside Tor. If at the same time the secret cookie is
|
password to Alice -- or the other way around -- outside Tor.
|
||||||
|
If at the same time the secret cookie is
|
||||||
transmitted and the message is intercepted the attacker can gain access
|
transmitted and the message is intercepted the attacker can gain access
|
||||||
to the service. Therefore, a secure way to exchange this information must
|
to the service. Therefore, a secure way to exchange this information must
|
||||||
be established.
|
be established.
|
||||||
|
|
||||||
The second authentication mechanism is public-key authentication. The
|
[Removed public-key authentication protocol. -KL]
|
||||||
well-known RSA implementation will be used as cipher (see tor-spec).
|
|
||||||
Authentication data will be the hash of the rendezvous cookie, signed
|
|
||||||
with the private key (SK).
|
|
||||||
|
|
||||||
When Alice wants to use this authentication method she sets "AUTHT" to
|
|
||||||
"2" and "AUTHL" to "128" which is the size of the encrypted data. Since
|
|
||||||
the rendezvous cookie changes each time Alice connects, replay attacks
|
|
||||||
can be easily prevented.
|
|
||||||
|
|
||||||
(1) Alice creates a private key e and sends the corresponding public key
|
|
||||||
d to Bob out of band.
|
|
||||||
(2) Alice generates a random rendezvous cookie r, computes PKSign(e, r),
|
|
||||||
encrypts it with Bob's fresh service key (see proposal 114), and
|
|
||||||
sends the result to Bob.
|
|
||||||
(3) Bob decrypts Alice's message using his private service key (see
|
|
||||||
proposal 114) and verifies PKSign(e, r) with d.
|
|
||||||
|
|
||||||
The premise for public-key authentication is that Alice must send the
|
|
||||||
generated public key to Bob outside Tor. If an attacker is able to swap
|
|
||||||
that key, the attacker could perform a man-in-the-middle attack, if he
|
|
||||||
managed to serve as an IPo for Bob. Therefore a secure exchange channel
|
|
||||||
must be established.
|
|
||||||
|
|
||||||
Depending on what authentication data Bob knows from Alice (password
|
|
||||||
and/or public key, or other data that is added later) there are several
|
|
||||||
choices for Alice to authenticate to the service.
|
|
||||||
|
|
||||||
After validating the provided "AUTHD" Bob builds a circuit to the
|
After validating the provided "AUTHD" Bob builds a circuit to the
|
||||||
rendezvous point and starts interacting with Alice. If Bob cannot
|
rendezvous point and starts interacting with Alice. If Bob cannot
|
||||||
identify the client he must refuse the request by not connecting to the
|
identify the client he must refuse the request by not connecting to the
|
||||||
rendezvous point.
|
rendezvous point.
|
||||||
|
[XXX Bob should discard an IPo after a certain number of cells containing
|
||||||
|
bad auth data. But any denouncement by other IPos or clients, e.g. by
|
||||||
|
replaying cells, must be inhibited. Maybe Bob should keep a history of
|
||||||
|
connection attempts within a certain time and discard an IPo after a
|
||||||
|
specific threshold. And maybe authentication to the service should be
|
||||||
|
based on a nonce, so that the service can differentiate between a replay
|
||||||
|
attack by an introduction point and regular reconnection attempts. More
|
||||||
|
thoughts needed here. -KL]
|
||||||
|
|
||||||
It will also still be possible to establish v2 hidden services without
|
It will also still be possible to establish v2 hidden services without
|
||||||
authentication. Therefore the "AUTHT" field must be set to "0". "AUTHL"
|
authentication. Therefore the "AUTHT" field must be set to "0". "AUTHL"
|
||||||
@ -202,6 +200,9 @@ Details:
|
|||||||
out of band.
|
out of band.
|
||||||
(2) Bob creates a random value y, computes h(h(x)|y), and sends the
|
(2) Bob creates a random value y, computes h(h(x)|y), and sends the
|
||||||
result to the introduction point.
|
result to the introduction point.
|
||||||
|
[XXX There should be a separate y for each introduction point, so
|
||||||
|
that none of them may impersonate Alice to any of the other
|
||||||
|
introduction points. -KL]
|
||||||
(3) Bob encrypts y with a secret cookie (see proposal 114) and writes it
|
(3) Bob encrypts y with a secret cookie (see proposal 114) and writes it
|
||||||
to a rendezvous service descriptor.
|
to a rendezvous service descriptor.
|
||||||
(4) Alice fetches Bob's rendezvous service descriptor, decrypts y using
|
(4) Alice fetches Bob's rendezvous service descriptor, decrypts y using
|
||||||
@ -211,37 +212,7 @@ Details:
|
|||||||
(5) The introduction point decrypts h(h(x)|y) from Alice's message and
|
(5) The introduction point decrypts h(h(x)|y) from Alice's message and
|
||||||
compares it to the value it knows from Bob (from step 2).
|
compares it to the value it knows from Bob (from step 2).
|
||||||
|
|
||||||
If Alice wants to use public-key authentication to authenticate herself
|
[Removed public-key authentication protocol. -KL]
|
||||||
at Bob's HS, the challenge-response authentication protocol is slightly
|
|
||||||
different.
|
|
||||||
|
|
||||||
The IPo's are provided with a list of random value hashes h(r) with an
|
|
||||||
entry for each user via the RELAY_ESTABLISH_INTRO cell. For public-key
|
|
||||||
authentication Alice uses an RSA public/private-key pair (as specified in
|
|
||||||
tor-spec). The public key is made known to Bob out of band. The IPo's
|
|
||||||
will now be sent a new ESTABLISH_INTRO cell with an additional random
|
|
||||||
value hash for Alice and a new descriptor is uploaded to the responsible
|
|
||||||
directories. The public-key authentication part of the service descriptor
|
|
||||||
holds a blank separated list of key-value pairs with one pair for every
|
|
||||||
authorized user. The hash of the public key of a user serves as a key,
|
|
||||||
while the PK-encrypted r represents the value. Authorized users can now
|
|
||||||
find their respective key-value pair and decrypt the value of h(r). This
|
|
||||||
result serves as an authorization token at the IPo in the same way as
|
|
||||||
with password authentication. The IPo does not know which authentication
|
|
||||||
method was used since the tokens always have the same format.
|
|
||||||
|
|
||||||
(1) Alice creates a private key e and sends the corresponding public key
|
|
||||||
d to Bob out of band.
|
|
||||||
(2) Bob creates a random value y and sends it to the introduction point.
|
|
||||||
(3) Bob computes PKEncrypt(d, y), encrypts the result with a secret
|
|
||||||
cookie (see proposal 114), and writes it to a rendezvous service
|
|
||||||
descriptor.
|
|
||||||
(4) Alice fetches Bob's rendezvous service descriptor, decrypts
|
|
||||||
PKEncrypt(d, y) using the secret cookie (see proposal 114), decrypts
|
|
||||||
y from it using her private key e, and sends it to the introduction
|
|
||||||
point.
|
|
||||||
(5) The introduction point compares y with the value it knows from Bob
|
|
||||||
(from step 2).
|
|
||||||
|
|
||||||
To remove a user from a group, Bob needs to update the random value list
|
To remove a user from a group, Bob needs to update the random value list
|
||||||
at the IPo's.
|
at the IPo's.
|
||||||
@ -279,6 +250,9 @@ Details:
|
|||||||
client and used by Alice to determine her entry in the list. The
|
client and used by Alice to determine her entry in the list. The
|
||||||
remaining 128 octets contain the PK-encrypted token needed to
|
remaining 128 octets contain the PK-encrypted token needed to
|
||||||
authenticate to the IPo.
|
authenticate to the IPo.
|
||||||
|
[XXX Handle space limitation problem, either by using fewer space, by
|
||||||
|
sending multiple cells, or by finding a protocol that is
|
||||||
|
space-independent here. -KL]
|
||||||
|
|
||||||
The part of the RELAY_INTRODUCE1 cell that can be read by the IPo has the
|
The part of the RELAY_INTRODUCE1 cell that can be read by the IPo has the
|
||||||
following fields added:
|
following fields added:
|
||||||
@ -286,11 +260,15 @@ Details:
|
|||||||
AUTHT The auth type that is supported [1 octet]
|
AUTHT The auth type that is supported [1 octet]
|
||||||
AUTHL Length of auth data [1 octets]
|
AUTHL Length of auth data [1 octets]
|
||||||
AUTHD Auth data [variable]
|
AUTHD Auth data [variable]
|
||||||
|
[XXX Insert a version field, so that we won't be facing the same problems
|
||||||
|
again when specifying the next version of INTRODUCE1 cells. -KL]
|
||||||
|
|
||||||
The AUTHT and AUTHL fields are provided to allow extensions of the
|
The AUTHT and AUTHL fields are provided to allow extensions of the
|
||||||
protocol. Currently, we set AUTHT to 1 for password/public-key
|
protocol. Currently, we set AUTHT to 1 for password/public-key
|
||||||
authentication and AUTHL to 20 for the length of the authorization token.
|
authentication and AUTHL to 20 for the length of the authorization token.
|
||||||
|
|
||||||
|
[XXX Insert file format containing auth data here. -KL]
|
||||||
|
|
||||||
Security implications:
|
Security implications:
|
||||||
|
|
||||||
In addition to the security features proposed in 114-distributed-storage
|
In addition to the security features proposed in 114-distributed-storage
|
||||||
@ -352,7 +330,7 @@ Compatibility:
|
|||||||
When using our authentication for hidden services the implementation of
|
When using our authentication for hidden services the implementation of
|
||||||
IPo's needs to be extended. Therefore we use version information provided
|
IPo's needs to be extended. Therefore we use version information provided
|
||||||
in router descriptors to be sure that we only send modified
|
in router descriptors to be sure that we only send modified
|
||||||
RELAY_ESTABLISH_INTRO cells to routers that can handle them. Clients of
|
RELAY_ESTABLISH_INTRO cells to routers that can handle them. Clients and
|
||||||
v2 hidden services will have to update their Tor installation if they
|
service providers will have to update their Tor installation if they
|
||||||
want to be able to use the service.
|
want to be able to use the service.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user