|
|
@@ -0,0 +1,621 @@
|
|
|
+Filename: 176-revising-handshake.txt
|
|
|
+Title: Proposed version-3 link handshake for Tor
|
|
|
+Author: Nick Mathewson
|
|
|
+Created: 31-Jan-2011
|
|
|
+Status: Draft
|
|
|
+Target: 0.2.3
|
|
|
+Supersedes: 169
|
|
|
+
|
|
|
+1. Overview
|
|
|
+
|
|
|
+ I propose a (mostly) backward-compatible change to the Tor
|
|
|
+ connection establishment protocol to avoid the use of TLS
|
|
|
+ renegotiation, to avoid certain protocol fingerprinting attacks,
|
|
|
+ and to make it easier to write Tor clients and servers.
|
|
|
+
|
|
|
+ Rather than doing a TLS renegotiation to exchange certificates
|
|
|
+ and authenticate the original handshake, this proposal takes an
|
|
|
+ approach similar to Steven Murdoch's proposal 124 and my old
|
|
|
+ proposal 169, and uses Tor cells to finish authenticating the
|
|
|
+ parties' identities once the initial TLS handshake is finished.
|
|
|
+
|
|
|
+ I discuss some alternative design choices and why I didn't make
|
|
|
+ them in section 7; please have a quick look there before
|
|
|
+ telling me that something is pointless or makes no sense.
|
|
|
+
|
|
|
+ Terminological note: I use "client" below to mean the Tor
|
|
|
+ instance (a client or a bridge or a relay) that initiates a TLS
|
|
|
+ connection, and "server" to mean the Tor instance (a bridge or a
|
|
|
+ relay) that accepts it.
|
|
|
+
|
|
|
+2. History and Motivation
|
|
|
+
|
|
|
+ The _goals_ of the Tor link handshake have remained basically uniform
|
|
|
+ since our earliest versions. They are:
|
|
|
+
|
|
|
+ * Provide data confidentiality, data integrity
|
|
|
+ * Provide forward secrecy
|
|
|
+ * Allow responder authentication or bidirectional authentication.
|
|
|
+ * Try to look like some popular too-important-to-block-at-whim
|
|
|
+ encryption protocol, to avoid fingerprinting and censorship.
|
|
|
+ * Try to be implementatble -- on the client side at least! --
|
|
|
+ by as many TLS implementations as possible.
|
|
|
+
|
|
|
+ When we added the v2 handshake, we added another goal:
|
|
|
+
|
|
|
+ * Remain compatible with older versions of the handshake
|
|
|
+ protocol.
|
|
|
+
|
|
|
+ In the original Tor TLS connection handshake protocol ("V1", or
|
|
|
+ "two-cert"), parties that wanted to authenticate provided a
|
|
|
+ two-cert chain of X.509 certificates during the handshake setup
|
|
|
+ phase. Every party that wanted to authenticate sent these
|
|
|
+ certificates. The security properties of this protocol are just
|
|
|
+ fine; the problem was that our behavior of sending
|
|
|
+ two-certificate chains made Tor easy to identify.
|
|
|
+
|
|
|
+ In the current Tor TLS connection handshake protocol ("V2", or
|
|
|
+ "renegotiating"), the parties begin with a single certificate
|
|
|
+ sent from the server (responder) to the client (initiator), and
|
|
|
+ then renegotiate to a two-certs-from-each-authenticating party.
|
|
|
+ We made this change to make Tor's handshake look like a browser
|
|
|
+ speaking SSL to a webserver. (See proposal 130, and
|
|
|
+ tor-spec.txt.) So from an observer's point of view, two parties
|
|
|
+ performing the V2 handshake begin by making a regular TLS
|
|
|
+ handshake with a single certificate, then renegotiate
|
|
|
+ immediately.
|
|
|
+
|
|
|
+ To tell whether to use the V1 or V2 handshake, the servers look
|
|
|
+ at the list of ciphers sent by the client. (This is ugly, but
|
|
|
+ there's not much else in the ClientHello that they can look at.)
|
|
|
+ If the list contains any cipher not used by the V1 protocol, the
|
|
|
+ server sends back a single cert and expects a renegotiation. If
|
|
|
+ the client gets back a single cert, then it withholds its own
|
|
|
+ certificates until the TLS renegotiation phase.
|
|
|
+
|
|
|
+ In other words, V2-supporting initiator behavior currently looks
|
|
|
+ like this:
|
|
|
+
|
|
|
+ - Begin TLS negotiation with V2 cipher list; wait for
|
|
|
+ certificate(s).
|
|
|
+ - If we get a certificate chain:
|
|
|
+ - Then we are using the V1 handshake. Send our own
|
|
|
+ certificate chain as part of this initial TLS handshake
|
|
|
+ if we want to authenticate; otherwise, send no
|
|
|
+ certificates. When the handshake completes, check
|
|
|
+ certificates. We are now mutually authenticated.
|
|
|
+
|
|
|
+ Otherwise, if we get just a single certificate:
|
|
|
+ - Then we are using the V2 handshake. Do not send any
|
|
|
+ certificates during this handshake.
|
|
|
+ - When the handshake is done, immediately start a TLS
|
|
|
+ renegotiation. During the renegotiation, expect
|
|
|
+ a certificate chain from the server; send a certificate
|
|
|
+ chain of our own if we want to authenticate ourselves.
|
|
|
+ - After the renegotiation, check the certificates. Then
|
|
|
+ send (and expect) a VERSIONS cell from the other side to
|
|
|
+ establish the link protocol version.
|
|
|
+
|
|
|
+ And V2-supporting responder behavior now looks like this:
|
|
|
+
|
|
|
+ - When we get a TLS ClientHello request, look at the cipher
|
|
|
+ list.
|
|
|
+ - If the cipher list contains only the V1 ciphersuites:
|
|
|
+ - Then we're doing a V1 handshake. Send a certificate
|
|
|
+ chain. Expect a possible client certificate chain in
|
|
|
+ response.
|
|
|
+ Otherwise, if we get other ciphersuites:
|
|
|
+ - We're using the V2 handshake. Send back a single
|
|
|
+ certificate and let the handshake complete.
|
|
|
+ - Do not accept any data until the client has renegotiated.
|
|
|
+ - When the client is renegotiating, send a certificate
|
|
|
+ chain, and expect (possibly multiple) certificates in
|
|
|
+ reply.
|
|
|
+ - Check the certificates when the renegotiation is done.
|
|
|
+ Then exchange VERSIONS cells.
|
|
|
+
|
|
|
+ Late in 2009, researchers found a flaw in most applications' use
|
|
|
+ of TLS renegotiation: Although TLS renegotiation does not
|
|
|
+ reauthenticate any information exchanged before the renegotiation
|
|
|
+ takes place, many applications were treating it as though it did,
|
|
|
+ and assuming that data sent _before_ the renegotiation was
|
|
|
+ authenticated with the credentials negotiated _during_ the
|
|
|
+ renegotiation. This problem was exacerbated by the fact that
|
|
|
+ most TLS libraries don't actually give you an obvious good way to
|
|
|
+ tell where the renegotiation occurred relative to the datastream.
|
|
|
+ Tor wasn't directly affected by this vulnerability, but the
|
|
|
+ aftermath hurts us in a few ways:
|
|
|
+
|
|
|
+ 1) OpenSSL has disabled renegotiation by default, and created
|
|
|
+ a "yes we know what we're doing" option we need to set to
|
|
|
+ turn it back on. (Two options, actually: one for openssl
|
|
|
+ 0.9.8l and one for 0.9.8m and later.)
|
|
|
+
|
|
|
+ 2) Some vendors have removed all renegotiation support from
|
|
|
+ their versions of OpenSSL entirely, forcing us to tell
|
|
|
+ users to either replace their versions of OpenSSL or to
|
|
|
+ link Tor against a hand-built one.
|
|
|
+
|
|
|
+ 3) Because of 1 and 2, I'd expect TLS renegotiation to become
|
|
|
+ rarer and rarer in the wild, making our own use stand out
|
|
|
+ more.
|
|
|
+
|
|
|
+ Furthermore, there are other issues related to TLS and
|
|
|
+ fingerprinting that we want to fix in any revised handshake:
|
|
|
+
|
|
|
+ 1) We should make it easier to use self-signed certs, or maybe
|
|
|
+ even existing HTTPS certificates, for the server side
|
|
|
+ handshake, since most non-Tor SSL handshakes use either
|
|
|
+ self-signed certificates or
|
|
|
+
|
|
|
+ 2) We should make it harder to probe for a Tor server. Right
|
|
|
+ now, you can just do a handshake with a server,
|
|
|
+ renegotiate, then see if it gives you a VERSIONS cell.
|
|
|
+ That's no good.
|
|
|
+
|
|
|
+ 3) We should allow other changes in our use of TLS and in our
|
|
|
+ certificates so as to resist fingerprinting based on how
|
|
|
+ our certificates look.
|
|
|
+
|
|
|
+3. Design
|
|
|
+
|
|
|
+3.1. The view in the large
|
|
|
+
|
|
|
+ Taking a cue from Steven Murdoch's proposal 124 and my old
|
|
|
+ proposal 169, I propose that we move the work currently done by
|
|
|
+ the TLS renegotiation step (that is, authenticating the parties
|
|
|
+ to one another) and do it with Tor cells instead of with TLS
|
|
|
+ alone.
|
|
|
+
|
|
|
+ This section outlines the protocol; we go into more detail below.
|
|
|
+
|
|
|
+ To tell the client that it can use the new cell-based
|
|
|
+ authentication system, the server sends a "V3 certificate" during
|
|
|
+ the initial TLS handshake. (More on what makes a certificate
|
|
|
+ "v3" below.) If the client recognizes the format of the
|
|
|
+ certificate and decides to pursue the V3 handshake, then instead
|
|
|
+ of renegotiating immediately on completion of the initial TLS
|
|
|
+ handshake, the client instead sends a VERSIONS cell (and the
|
|
|
+ negotiation begins).
|
|
|
+
|
|
|
+ So the flowchart on the server side is:
|
|
|
+
|
|
|
+ Wait for a ClientHello.
|
|
|
+ IF the client sends a ClientHello that indicates V1:
|
|
|
+ - Send a certificate chain.
|
|
|
+ - When the TLS handshake is done, if the client sent us a
|
|
|
+ certificate chain, then check it.
|
|
|
+ If the client sends a ClientHello that indicates V2 or V3:
|
|
|
+ - Send a self-signed certificate or a CA-signed certificate
|
|
|
+ - When the TLS handshake is done, wait for renegotiation or data.
|
|
|
+ - If renegotiation occurs, the client is V2: send a
|
|
|
+ certificate chain and maybe receive one. Check the
|
|
|
+ certificate chain as in V1.
|
|
|
+ - If the client sends data without renegotiating, it is
|
|
|
+ starting the V3 handshake. Proceed with the V3
|
|
|
+ handshake as below.
|
|
|
+
|
|
|
+ And the client-side flowchart is:
|
|
|
+
|
|
|
+ - Send a ClientHello with a set of ciphers that indicates V2/V3.
|
|
|
+ - After the handshake is done:
|
|
|
+ - If the server sent us a certificate chain, check it: we
|
|
|
+ are using the V1 handshake.
|
|
|
+ - If the server sent us a single "V2 certificate", we are
|
|
|
+ using the v2 handshake: the client begins to renegotiate
|
|
|
+ and proceeds as before.
|
|
|
+ - Finally, if the server sent us a "v3 certificate", we are
|
|
|
+ doing the V3 handshake below.
|
|
|
+
|
|
|
+ And the cell-based part of the V3 handshake, in summary, is:
|
|
|
+
|
|
|
+ C<->S: TLS handshake where S sends a "v3 certificate"
|
|
|
+
|
|
|
+ In TLS:
|
|
|
+
|
|
|
+ C->S: VERSIONS cell
|
|
|
+ S->C: VERSIONS cell, CERT cell, AUTH_CHALLENGE cell, NETINFO cell
|
|
|
+
|
|
|
+ C->S: Optionally: CERT cell, AUTHENTICATE cell
|
|
|
+
|
|
|
+ A "CERTS" cell contains a set of certificates; an "AUTHENTICATE"
|
|
|
+ cell authenticates the client to the server. More on these
|
|
|
+ later.
|
|
|
+
|
|
|
+3.2. Distinguishing V2 and V3 certificates
|
|
|
+
|
|
|
+ In the protocol outline above, we require that the client can
|
|
|
+ distinguish between v2 certificates (that is, those sent by
|
|
|
+ current servers) and a v3 certificates. We further require that
|
|
|
+ existing clients will accept v3 certificates as they currently
|
|
|
+ accept v2 certificates.
|
|
|
+
|
|
|
+ Fortunately, current certificates have a few characteristics that
|
|
|
+ make them fairly mannered as it is. We say that a certificate
|
|
|
+ indicates a V2-only server if ALL of the following hold:
|
|
|
+ * The certificate is not self-signed.
|
|
|
+ * There is no DN field set in the certificate's issuer or
|
|
|
+ subject other than "commonName".
|
|
|
+ * The commonNames of the issuer and subject both end with
|
|
|
+ ".net"
|
|
|
+ * The public modulus is at most 1024 bits long.
|
|
|
+
|
|
|
+ Otherwise, the client should assume that the server supports the
|
|
|
+ V3 handshake.
|
|
|
+
|
|
|
+ To the best of my knowledge, current clients will behave properly
|
|
|
+ on receiving non-v2 certs during the initial TLS handshake so
|
|
|
+ long as they eventually get the correct V2 cert chain during the
|
|
|
+ renegotiation.
|
|
|
+
|
|
|
+ The v3 requirements are easy to meet: any certificate designed to
|
|
|
+ resist fingerprinting will likely be self-signed, or if it's
|
|
|
+ signed by a CA, then the issuer will surely have more DN fields
|
|
|
+ set. Certificates that aren't trying to resist fingerprinting
|
|
|
+ can trivially become v3 by using a CN that doesn't end with .net,
|
|
|
+ or using a 1024-bit key.
|
|
|
+
|
|
|
+
|
|
|
+3.3. Authenticating via Tor cells: server authentication
|
|
|
+
|
|
|
+ Once the TLS handshake is finished, if the client renegotiates,
|
|
|
+ then the server should go on as it does currently.
|
|
|
+
|
|
|
+ If the client implements this proposal, however, and the server
|
|
|
+ has shown it can understand the V3+ handshake protocol, the
|
|
|
+ client immediately sends a VERSIONS cell to the server
|
|
|
+ and waits to receive a VERSIONS cell in return. We negotiate
|
|
|
+ the Tor link protocol version _before_ we proceed with the
|
|
|
+ negotiation, in case we need to change the authentication
|
|
|
+ protocol in the future.
|
|
|
+
|
|
|
+ Once either party has seen the VERSIONS cell from the other, it
|
|
|
+ knows which version they will pick (that is, the highest version
|
|
|
+ shared by both parties' VERSIONS cells). All Tor instances using
|
|
|
+ the handshake protocol described in 3.2 MUST support at least
|
|
|
+ link protocol version 3 as described here. If a version lower
|
|
|
+ than 3 is negotiated with the V3 handshake in place, a Tor
|
|
|
+ instance MUST close the connection.
|
|
|
+
|
|
|
+ On learning the link protocol, the server then sends the client a
|
|
|
+ CERT cell and a NETINFO cell. If the client wants to
|
|
|
+ authenticate to the server, it sends a CERT cell, an AUTHENTICATE
|
|
|
+ cell, and a NETINFO cell, or it may simply send a NETINFO cell if
|
|
|
+ it does not want to authenticate.
|
|
|
+
|
|
|
+ The CERT cell describes the keys that a Tor instance is claiming
|
|
|
+ to have. It is a variable-length cell. Its payload format is:
|
|
|
+
|
|
|
+ N: Number of certs in cell [1 octet]
|
|
|
+ N times:
|
|
|
+ CertType [1 octet]
|
|
|
+ CLEN [2 octets]
|
|
|
+ Certificate [CLEN octets]
|
|
|
+
|
|
|
+ Any extra octets at the end of a CERT cell MUST be ignored.
|
|
|
+
|
|
|
+ CertType values are:
|
|
|
+ 1: Link key certificate from RSA1024 identity
|
|
|
+ 2: RSA1024 Identity certificate
|
|
|
+ 3: RSA1024 AUTHENTICATE cell link certificate
|
|
|
+
|
|
|
+ The certificate format is X509.
|
|
|
+
|
|
|
+ To authenticate the server, the client MUST check the following:
|
|
|
+ * The CERTS cell contains exactly one CertType 1 "Link" certificate.
|
|
|
+ * The CERTS cell contains exactly one CertType 2 "ID"
|
|
|
+ certificate.
|
|
|
+ * Both certificates have validAfter and validUntil dates that
|
|
|
+ are not expired.
|
|
|
+ * The certified key in the Link certificate matches the
|
|
|
+ link key that was used to negotiate the TLS connection.
|
|
|
+ * The certified key in the ID certificate is a 1024-bit RSA key.
|
|
|
+ * The certified key in the ID certificate was used to sign both
|
|
|
+ certificates.
|
|
|
+ * The link certificate is correctly signed with the key in the
|
|
|
+ ID certificate
|
|
|
+ * The ID certificate is correctly self-signed.
|
|
|
+
|
|
|
+ If all of these conditions hold, then the client knows that it is
|
|
|
+ connected to the server whose identity key is certified in the ID
|
|
|
+ certificate. If any condition does not hold, the client closes
|
|
|
+ the connection. If the client wanted to connect to a server with
|
|
|
+ a different identity key, the client closes the connection.
|
|
|
+
|
|
|
+
|
|
|
+ An AUTH_CHALLENGE cell is a variable-length cell with the following
|
|
|
+ fields:
|
|
|
+ Challenge [32 octets]
|
|
|
+ It is sent from the server to the client. Clients MUST ignore
|
|
|
+ unexpected bytes at the end of the cell. Servers MUST generate
|
|
|
+ every challenge using a strong RNG or PRNG.
|
|
|
+
|
|
|
+3.4. Authenticating via Tor cells: Client authentication
|
|
|
+
|
|
|
+ A client does not need to authenticate to the server. If it
|
|
|
+ does not wish to, it responds to the server's valid CERT cell by
|
|
|
+ sending NETINFO cell: once it has gotten a valid NETINFO cell
|
|
|
+ back, the client should consider the connection open, and the
|
|
|
+ server should consider the connection as opened by an
|
|
|
+ unauthenticated client.
|
|
|
+
|
|
|
+ If a client wants to authenticate, it responds to the
|
|
|
+ AUTH_CHALLENGE cell with a CERT cell and an AUTHENTICATE cell.
|
|
|
+ The CERT cell is as a server would send, except that instead of
|
|
|
+ sending a CertType 1 cert for an arbitrary link certificate, the
|
|
|
+ client sends a CertType 3 cert for an RSA AUTHENTICATE key.
|
|
|
+ (This difference is because we allow any link key type on a TLS
|
|
|
+ link, but the protocol described here will only work for 1024-bit
|
|
|
+ RSA keys. A later protocol version should extend the protocol
|
|
|
+ here to work with non-1024-bit, non-RSA keys.)
|
|
|
+
|
|
|
+ AuthType [2 octets]
|
|
|
+ AuthLen [2 octets]
|
|
|
+ Authentication [AuthLen octets]
|
|
|
+
|
|
|
+
|
|
|
+ Servers MUST ignore extra bytes at the end of an AUTHENTICATE
|
|
|
+ cell. If AuthType is 1 (meaning "RSA-SHA256-TLSSecret"), then the
|
|
|
+ Authentication contains the following:
|
|
|
+
|
|
|
+ CID: A SHA256 hash of the client's RSA1024 identity key [32 octets]
|
|
|
+ SID: A SHA256 hash of the server's RSA1024 identity key [32 octets]
|
|
|
+ SLOG: A SHA256 hash of all bytes sent from the server to the client
|
|
|
+ as part of the negotiation up to and including the
|
|
|
+ AUTH_CHALLENGE cell; that is, the VERSIONS cell,
|
|
|
+ the CERT cell, and the AUTH_CHALLENGE cell. [32 octets]
|
|
|
+ CLOG: A SHA256 hash of all byte sent from the client to the
|
|
|
+ server as part of the negotiation so far; that is, the
|
|
|
+ VERSIONS cell and the CERT cell. [32 octets]
|
|
|
+ SCERT: A SHA256 hash of the server's TLS link
|
|
|
+ certificate. [32 octets]
|
|
|
+ TLSSECRETS: Either 32 zero octets, or a SHA256 HMAC, using
|
|
|
+ the TLS master secret as the secret key, of the following:
|
|
|
+ - client_random, as sent in the TLS Client Hello
|
|
|
+ - server_random, as sent in the TLS Server Hello
|
|
|
+ - the NUL terminated ASCII string:
|
|
|
+ "Tor V3 handshake TLS cross-certification"
|
|
|
+ [32 octets]
|
|
|
+ TIME: The time of day in seconds since the POSIX epoch. [8 octets]
|
|
|
+ SIG: A signature of a SHA256 hash of all the previous fields
|
|
|
+ using the client's "Authenticate" key as presented. (As
|
|
|
+ always in Tor, we use OAEP-MGF1 padding; see tor-spec.txt
|
|
|
+ section 0.3.)
|
|
|
+ [variable length]
|
|
|
+
|
|
|
+ To check the AUTHENTICATE cell, a server checks that all fields
|
|
|
+ containing a hash contain the correct value, then verifies the
|
|
|
+ signature. The server MUST ignore any extra bytes after
|
|
|
+ the SHA256 hash.
|
|
|
+
|
|
|
+ When possible (that is, when implemented using C TLS API),
|
|
|
+ implementations SHOULD include and verify the TLSSECRETS field.
|
|
|
+
|
|
|
+3.5. Responding to extra cells, and other security checks.
|
|
|
+
|
|
|
+ If the handshake is a V3+ TLS handshake, both parties MUST reject
|
|
|
+ any negotiated link version less than 3. Both parties MUST check
|
|
|
+ this and close the connection if it is violated.
|
|
|
+
|
|
|
+ If the handshake is not a V3+ TLS handshake, both parties MUST
|
|
|
+ still advertise all link protocols they support in their versions
|
|
|
+ cell. Both parties MUST close the link if it turns out they both
|
|
|
+ would have supported version 3 or higher, but they somehow wound
|
|
|
+ up using a v2 or v1 handshake. (More on this in section 6.4.)
|
|
|
+
|
|
|
+ A server SHOULD NOT send any sequence of cells when starting a v3
|
|
|
+ negotiation other than "VERSIONS, CERT, AUTH_CHALLENGE,
|
|
|
+ NETINFO". A client SHOULD drop a CERT, AUTH_CHALLENGE, or
|
|
|
+ NETINFO cell that appears at any other time or out of sequence.
|
|
|
+
|
|
|
+ A client should not begin a v3 negotiation with any sequence
|
|
|
+ other than "VERSIONS, NETINFO" or "VERSIONS, CERT, AUTHENTICATE,
|
|
|
+ NETINFO". A server SHOULD drop a CERT, AUTH_CHALLENGE, or
|
|
|
+ NETINFO cell that appears at any other time or out of sequence.
|
|
|
+
|
|
|
+4. Numbers to assign
|
|
|
+
|
|
|
+ We need a version number for this link protocol. I've been
|
|
|
+ calling it "3".
|
|
|
+
|
|
|
+ We need to reserve command numbers for CERT, AUTH_CHALLENGE, and
|
|
|
+ AUTHENTICATE. I suggest that in link protocol 3 and higher, we
|
|
|
+ reserve a separate range of commands for variable-length cells.
|
|
|
+
|
|
|
+5. Efficiency
|
|
|
+
|
|
|
+ This protocol adds a round-trip step when the client sends a
|
|
|
+ VERSIONS cell to the server, and waits for the {VERSIONS, CERT,
|
|
|
+ NETINFO} response in turn. (The server then waits for the
|
|
|
+ client's {NETINFO} or {CERT, AUTHENTICATE, NETINFO} reply,
|
|
|
+ but it would have already been waiting for the client's NETINFO,
|
|
|
+ so that's not an additional wait.)
|
|
|
+
|
|
|
+ This is actually fewer round-trip steps than required before for
|
|
|
+ TLS renegotiation, so that's a win over v2.
|
|
|
+
|
|
|
+6. Security argument
|
|
|
+
|
|
|
+ These aren't crypto proofs, since I don't write those. They are
|
|
|
+ meant be reasonably convincing.
|
|
|
+
|
|
|
+6.1. The server is authenticated
|
|
|
+
|
|
|
+ TLS guarantees that if the TLS handshake completes successfully,
|
|
|
+ the client knows that it is speaking to somebody who knows the
|
|
|
+ private key corresponding to the public link key that was used in
|
|
|
+ the TLS handshake.
|
|
|
+
|
|
|
+ Because this public link key is signed by the server's identity
|
|
|
+ key in the CERT cell, the client knows that somebody who holds
|
|
|
+ the server's private identity key says that the server's public
|
|
|
+ link key corresponds to the server's public identity key.
|
|
|
+
|
|
|
+ Therefore, if the crypto works, and if TLS works, and if the keys
|
|
|
+ aren't compromised, then the client is talking to somebody who
|
|
|
+ holds the server's private identity key.
|
|
|
+
|
|
|
+6.2. The client is authenticated
|
|
|
+
|
|
|
+ Once the server has checked the client's certificates, the server
|
|
|
+ knows that somebody who knows the client's private identity key
|
|
|
+ says that he is the one holding the private key corresponding to
|
|
|
+ the client's presented link-authentication public key.
|
|
|
+
|
|
|
+ Once the server has checked the signature in the AUTHENTICATE
|
|
|
+ cell, the server knows that somebody holding the client's
|
|
|
+ link-authentication private key signed the data in question. By
|
|
|
+ the standard certification argument above, the server knows that
|
|
|
+ somebody holding the client's private identity key signed the
|
|
|
+ data in question.
|
|
|
+
|
|
|
+ So the server's remaining question is: am I really talking to
|
|
|
+ somebody holding the client's identity key, or am I getting a
|
|
|
+ replayed or MITM'd AUTHENTICATE cell that was previously sent by
|
|
|
+ the client?
|
|
|
+
|
|
|
+ If the client included a non-zero TLSSECRET component, and the
|
|
|
+ server is able to verify it, then the answer is easy: the server
|
|
|
+ knows for certain that it is talking to the party with whom it
|
|
|
+ did the TLS handshake, since if somebody else generated a correct
|
|
|
+ TLSSECRET, they would have to know the master secret of the TLS
|
|
|
+ connection, which would require them to have broken TLS.
|
|
|
+
|
|
|
+ If the client was not able to include a non-zero TLSSECRET
|
|
|
+ component, or the server can't check it, the answer is a little
|
|
|
+ trickier. The server knows that it is not getting a replayed
|
|
|
+ AUTHENTICATE cell, since the cell authenticates (among other
|
|
|
+ stuff) the server's AUTH_CHALLENGE cell, which it has never used
|
|
|
+ before. The server knows that it is not getting a MITM'd
|
|
|
+ AUTHENTICATE cell, since the cell includes a hash of the server's
|
|
|
+ link certificate, which nobody else should have been able to use
|
|
|
+ in a successful TLS negotiation.
|
|
|
+
|
|
|
+6.3. MITM attacks won't work any better than they do against TLS
|
|
|
+
|
|
|
+ TLS guarantees that a man-in-the-middle attacker can't read the
|
|
|
+ content of a successfully negotiated encrypted connection, nor
|
|
|
+ alter the content in any way other than truncating it, unless he
|
|
|
+ compromises the session keys or one of the key-exchange secret
|
|
|
+ keys used to establish that connection. Let's make sure we do at
|
|
|
+ least that well.
|
|
|
+
|
|
|
+ Suppose that a client Alice connects to an MITM attacker Mallory,
|
|
|
+ thinking that he is connecting to some server Bob. Let's assume
|
|
|
+ that the TLS handshake between Alice and Mallory finishes
|
|
|
+ successfully and the v3 protocol is chosen. [If the v1 or v2
|
|
|
+ protocol is chosen, those already resist MITM. If the TLS
|
|
|
+ handshake doesn't complete, then Alice isn't connected to anybody.]
|
|
|
+
|
|
|
+ During the v3 handshake, Mallory can't convince Alice that she is
|
|
|
+ talking to Bob, since she should not be able to produce a CERT
|
|
|
+ cell containing a certificate chain signed by Bob's identity key
|
|
|
+ and used to authenticate the link key that Mallory used during
|
|
|
+ TLS. (If Mallory used her own link key for the TLS handshake, it
|
|
|
+ won't match anything Bob signed unless Bob is compromised.
|
|
|
+ Mallory can't use any key that Bob _did_ produce a certificate
|
|
|
+ for, since she doesn't know the private key.)
|
|
|
+
|
|
|
+ Even if Alice fails to check the certificates from Bob, Mallory
|
|
|
+ still can't convince Bob that she is really Alice. Assuming that
|
|
|
+ Alice's keys aren't compromised, Mallory can't sent a CERT cell
|
|
|
+ with a cert chain from Alice's identity key to a key that Mallory
|
|
|
+ controls, so if Mallory wants to impersonate Alice's identity
|
|
|
+ key, she can only do so by sending an AUTHENTICATE cell really
|
|
|
+ generated by Alice. Because Bob will check that the random bytes
|
|
|
+ in the AUTH_CHALLENGE cell will influence the SLOG hash, Mallory
|
|
|
+ needs to send Bob's challenge to Alice, and can't use any other
|
|
|
+ AUTHENTICATE cell that Alice generated before. But because the
|
|
|
+ AUTHENTICATE cell Alice will generate will include in the SCERT
|
|
|
+ field a hash of the link certificate used by Mallory, Bob will
|
|
|
+ reject it as not being valid to connect to him.
|
|
|
+
|
|
|
+6.4. Protocol downgrade attacks won't work.
|
|
|
+
|
|
|
+ Assuming that Alice checks the certificates from Bob, she knows
|
|
|
+ that Bob really sent her the VERSION cell that she received.
|
|
|
+
|
|
|
+ Because the AUTHENTICATE cell from Alice includes signed hashes
|
|
|
+ of the VERSIONS cells from Alice and Bob, Bob knows that Alice
|
|
|
+ got the VERSIONS cell he sent and sent the VERSIONS cell that he
|
|
|
+ received.
|
|
|
+
|
|
|
+ But what about attempts to downgrade the protocol earlier in the
|
|
|
+ handshake? Here TLS comes to the rescue: because the TLS
|
|
|
+ Finished handshake message includes an authenticated digest of
|
|
|
+ everything previously said during the handshake, an attacker
|
|
|
+ can't replace the client's ciphersuite list (to trigger a
|
|
|
+ downgrade to the v1 protocol) or the server's certificate [chain]
|
|
|
+ (to trigger a downgrade to the v1 or v2 protocol).
|
|
|
+
|
|
|
+7. Design considerations
|
|
|
+
|
|
|
+ I previously considered adding our own certificate format in
|
|
|
+ order to avoid the pain associated with X509, but decided instead
|
|
|
+ to simply use X509 since a correct Tor implementation will
|
|
|
+ already need to have X509 code to handle the other handshake
|
|
|
+ versions and to use TLS.
|
|
|
+
|
|
|
+ The trickiest part of the design here is deciding what to stick
|
|
|
+ in the AUTHENTICATE cell. Some of it is strictly necessary, and
|
|
|
+ some of it is left there for security margin in case my other
|
|
|
+ security arguments fail. Because of the CID and SID elements
|
|
|
+ you can't use an AUTHENTICATE cell for anything other than
|
|
|
+ authenticating a client ID to a server with an appropriate
|
|
|
+ server ID. The SLOG and CLOG elements are there mostly to
|
|
|
+ authenticate the VERSIONS cells and resist downgrade attacks
|
|
|
+ once there are two versions of this. The presence of the
|
|
|
+ AUTH_CHALLENGE field in the stuff authenticated in SLOG
|
|
|
+ prevents replays and ensures that the AUTHENTICATE cell was
|
|
|
+ really generated by somebody who is reading what the server is
|
|
|
+ sending over the TLS connection. The SCERT element is meant to
|
|
|
+ prevent MITM attacks. When the TLSSECRET field is
|
|
|
+ used, it should prevent the use of the AUTHENTICATE cell for
|
|
|
+ anything other than the TLS connection the client had in mind.
|
|
|
+
|
|
|
+ A signature of the TLSSECRET element on its own should be
|
|
|
+ sufficient to prevent the attacks we care about, but because we
|
|
|
+ don't necessarily have access to the TLS master secret when using
|
|
|
+ a non-C TLS library, we can't depend on it. I added it anyway
|
|
|
+ so that, if there is some problem with the rest of the protocol,
|
|
|
+ clients and servers that _are_ written in C (that is, the official
|
|
|
+ Tor implementation) can still be secure.
|
|
|
+
|
|
|
+ If the client checks the server's certificates and matches them
|
|
|
+ to the TLS connection link key before proceding with the
|
|
|
+ handshake, then signing the contents of the AUTH_CHALLENGE cell
|
|
|
+ would be sufficient to authenticate the client. But implementers
|
|
|
+ of allegedly compatible Tor clients have in the past skipped
|
|
|
+ certificate verification steps, and I didn't want a client's
|
|
|
+ failure to verify certificates to mean that a server couldn't
|
|
|
+ trust that he was really talking to the client. To prevent this,
|
|
|
+ I added the TLS link certificate to the authenticated data: even
|
|
|
+ if the Tor client code doesn't check any certificates, the TLS
|
|
|
+ library code will still check that the certificate used in the
|
|
|
+ handshake contains a link key that matches the one used in the
|
|
|
+ handshake.
|
|
|
+
|
|
|
+8. Open questions:
|
|
|
+
|
|
|
+ - May we cache which certificates we've already verified? It
|
|
|
+ might leak in timing whether we've connected with a given server
|
|
|
+ before, and how recently.
|
|
|
+
|
|
|
+ - With which TLS libraries is it feasible to yoink client_random,
|
|
|
+ server_random, and the master secret? If the answer is "All
|
|
|
+ free C TLS libraries", great. If the answer is "OpenSSL only",
|
|
|
+ not so great.
|
|
|
+
|
|
|
+ - Should we do anything to check the timestamp in the AUTHENTICATE
|
|
|
+ cell?
|
|
|
+
|
|
|
+ - Can we give some way for clients to signal "I want to use the
|
|
|
+ V3 protocol if possible, but I can't renegotiate, so don't give
|
|
|
+ me the V2"? Clients currently have a fair idea of server
|
|
|
+ versions, so they could potentially do the V3+ handshake with
|
|
|
+ servers that support it, and fall back to V1 otherwise.
|
|
|
+
|
|
|
+ - What should servers that don't have TLS renegotiation do? For
|
|
|
+ now, I think they should just stick with V1. Eventually we can
|
|
|
+ deprecate the V2 handshake as we did with the V1 handshake.
|
|
|
+ When that happens, servers can be V3-only.
|
Nick Mathewson