169-eliminating-renegotiation.txt 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404
  1. Filename: 169-eliminating-renegotiation.txt
  2. Title: Eliminate TLS renegotiation for the Tor connection handshake
  3. Author: Nick Mathewson
  4. Created: 27-Jan-2010
  5. Status: Draft
  6. Target: 0.2.2
  7. 1. Overview
  8. I propose a backward-compatible change to the Tor connection
  9. establishment protocol to avoid the use of TLS renegotiation.
  10. Rather than doing a TLS renegotiation to exchange certificates
  11. and authenticate the original handshake, this proposal takes an
  12. approach similar to Steven Murdoch's proposal 124, and uses Tor
  13. cells to finish authenticating the parties' identities once the
  14. initial TLS handshake is finished.
  15. Terminological note: I use "client" below to mean the Tor
  16. instance (a client or a relay) that initiates a TLS connection,
  17. and "server" to mean the Tor instance (a relay) that accepts it.
  18. 2. Motivation and history
  19. In the original Tor TLS connection handshake protocol ("V1", or
  20. "two-cert"), parties that wanted to authenticate provided a
  21. two-cert chain of X.509 certificates during the handshake setup
  22. phase. Every party that wanted to authenticate sent these
  23. certificates.
  24. In the current Tor TLS connection handshake protocol ("V2", or
  25. "renegotiating"), the parties begin with a single certificate
  26. sent from the server (responder) to the client (initiator), and
  27. then renegotiate to a two-certs-from-each-authenticating party.
  28. We made this change to make Tor's handshake look like a browser
  29. speaking SSL to a webserver. (See proposal 130, and
  30. tor-spec.txt.) To tell whether to use the V1 or V2 handshake,
  31. servers look at the list of ciphers sent by the client. (This is
  32. ugly, but there's not much else in the ClientHello that they can
  33. look at.) If the list contains any cipher not used by the V1
  34. protocol, the server sends back a single cert and expects a
  35. renegotiation. If the client gets back a single cert, then it
  36. withholds its own certificates until the TLS renegotiation phase.
  37. In other words, initiator behavior now looks like this:
  38. - Begin TLS negotiation with V2 cipher list; wait for
  39. certificate(s).
  40. - If we get a certificate chain:
  41. - Then we are using the V1 handshake. Send our own
  42. certificate chain as part of this initial TLS handshake
  43. if we want to authenticate; otherwise, send no
  44. certificates. When the handshake completes, check
  45. certificates. We are now mutually authenticated.
  46. Otherwise, if we get just a single certificate:
  47. - Then we are using the V2 handshake. Do not send any
  48. certificates during this handshake.
  49. - When the handshake is done, immediately start a TLS
  50. renegotiation. During the renegotiation, expect
  51. a certificate chain from the server; send a certificate
  52. chain of our own if we want to authenticate ourselves.
  53. - After the renegotiation, check the certificates. Then
  54. send (and expect) a VERSIONS cell from the other side to
  55. establish the link protocol version.
  56. And V2 responder behavior now looks like this:
  57. - When we get a TLS ClientHello request, look at the cipher
  58. list.
  59. - If the cipher list contains only the V1 ciphersuites:
  60. - Then we're doing a V1 handshake. Send a certificate
  61. chain. Expect a possible client certificate chain in
  62. response.
  63. Otherwise, if we get other ciphersuites:
  64. - We're using the V2 handshake. Send back a single
  65. certificate and let the handshake complete.
  66. - Do not accept any data until the client has renegotiated.
  67. - When the client is renegotiating, send a certificate
  68. chain, and expect (possibly multiple) certificates in
  69. reply.
  70. - Check the certificates when the renegotiation is done.
  71. Then exchange VERSIONS cells.
  72. Late in 2009, researchers found a flaw in most applications' use
  73. of TLS renegotiation: Although TLS renegotiation does not
  74. reauthenticate any information exchanged before the renegotiation
  75. takes place, many applications were treating it as though it did,
  76. and assuming that data sent _before_ the renegotiation was
  77. authenticated with the credentials negotiated _during_ the
  78. renegotiation. This problem was exacerbated by the fact that
  79. most TLS libraries don't actually give you an obvious good way to
  80. tell where the renegotiation occurred relative to the datastream.
  81. Tor wasn't directly affected by this vulnerability, but its
  82. aftermath hurts us in a few ways:
  83. 1) OpenSSL has disabled renegotiation by default, and created
  84. a "yes we know what we're doing" option we need to set to
  85. turn it back on. (Two options, actually: one for openssl
  86. 0.9.8l and one for 0.9.8m and later.)
  87. 2) Some vendors have removed all renegotiation support from
  88. their versions of OpenSSL entirely, forcing us to tell
  89. users to either replace their versions of OpenSSL or to
  90. link Tor against a hand-built one.
  91. 3) Because of 1 and 2, I'd expect TLS renegotiation to become
  92. rarer and rarer in the wild, making our own use stand out
  93. more.
  94. 3. Design
  95. 3.1. The view in the large
  96. Taking a cue from Steven Murdoch's proposal 124, I propose that
  97. we move the work currently done by the TLS renegotiation step
  98. (that is, authenticating the parties to one another) and do it
  99. with Tor cells instead of with TLS.
  100. Using _yet another_ variant response from the responder (server),
  101. we allow the client to learn that it doesn't need to rehandshake
  102. and can instead use a cell-based authentication system. Once the
  103. TLS handshake is done, the client and server exchange VERSIONS
  104. cells to determine link protocol version (including
  105. handshake version). If they're using the handshake version
  106. specified here, the client and server arrive at link protocol
  107. version 3 (or higher), and use cells to exchange further
  108. authentication information.
  109. 3.2. New TLS handshake variant
  110. We already used the list of ciphers from the clienthello to
  111. indicate whether the client can speak the V2 ("renegotiating")
  112. handshake or later, so we can't encode more information there.
  113. We can, however, change the DN in the certificate passed by the
  114. server back to the client. Currently, all V2 certificates are
  115. generated with CN values ending with ".net". I propose that we
  116. have the ".net" commonName ending reserved to indicate the V2
  117. protocol, and use commonName values ending with ".com" to
  118. indicate the V3 ("minimal") handshake described herein.
  119. Now, once the initial TLS handshake is done, the client can look
  120. at the server's certificate(s). If there is a certificate chain,
  121. the handshake is V1. If there is a single certificate whose
  122. subject commonName ends in ".net", the handshake is V2 and the
  123. client should try to renegotiate as it would currently.
  124. Otherwise, the client should assume that the handshake is V3+.
  125. [Servers should _only_ send ".com" addesses, to allow room for
  126. more signaling in the future.]
  127. 3.3. Authenticating inside Tor
  128. Once the TLS handshake is finished, if the client renegotiates,
  129. then the server should go on as it does currently.
  130. If the client implements this proposal, however, and the server
  131. has shown it can understand the V3+ handshake protocol, the
  132. client immediately sends a VERSIONS cell to the server
  133. and waits to receive a VERSIONS cell in return. We negotiate
  134. the Tor link protocol version _before_ we proceed with the
  135. negotiation, in case we need to change the authentication
  136. protocol in the future.
  137. Once either party has seen the VERSIONS cell from the other, it
  138. knows which version they will pick (that is, the highest version
  139. shared by both parties' VERSIONS cells). All Tor instances using
  140. the handshake protocol described in 3.2 MUST support at least
  141. link protocol version 3 as described here.
  142. On learning the link protocol, the server then sends the client a
  143. CERT cell and a NETINFO cell. If the client wants to
  144. authenticate to the server, it sends a CERT cell, an AUTHENTICATE
  145. cell, and a NETINFO cell, or it may simply send a NETINFO cell if
  146. it does not want to authenticate.
  147. The CERT cell describes the keys that a Tor instance is claiming
  148. to have. It is a variable-length cell. Its payload format is:
  149. N: Number of certs in cell [1 octet]
  150. N times:
  151. CLEN [2 octets]
  152. Certificate [CLEN octets]
  153. Any extra octets at the end of a CERT cell MUST be ignored.
  154. Each certificate has the form:
  155. CertType [1 octet]
  156. CertPurpose [1 octet]
  157. PublicKeyLen [2 octets]
  158. PublicKey [PublicKeyLen octets]
  159. NotBefore [4 octets]
  160. NotAfter [4 octets]
  161. SignerID [HASH256_LEN octets]
  162. SignatureLen [2 octets]
  163. Signature [SignatureLen octets]
  164. where CertType is 1 (meaning "RSA/SHA256")
  165. CertPurpose is 1 (meaning "link certificate")
  166. PublicKey is the DER encoding of the ASN.1 representation
  167. of the RSA key of the subject of this certificate,
  168. NotBefore is a time in HOURS since January 1, 1970, 00:00
  169. UTC before which this certificate should not be
  170. considered valid.
  171. NotAfter is a time in HOURS since January 1, 1970, 00:00
  172. UTC after which this certificate should not be
  173. considered valid.
  174. SignerID is the SHA-256 digest of the public key signing
  175. this certificate
  176. and Signature is the signature of the all other fields in
  177. this certificate, using SHA256 as described in proposal
  178. 158.
  179. While authenticating, a server need send only a self-signed
  180. certificate for its identity key. (Its TLS certificate already
  181. contains its link key signed by its identity key.) A client that
  182. wants to authenticate MUST send two certificates: one containing
  183. a public link key signed by its identity key, and one self-signed
  184. cert for its identity.
  185. Tor instances MUST ignore any certificate with an unrecognized
  186. CertType or CertPurpose, and MUST ignore extra bytes in the cert.
  187. The AUTHENTICATE cell proves to the server that the client with
  188. whom it completed the initial TLS handshake is the one possessing
  189. the link public key in its certificate. It is a variable-length
  190. cell. Its contents are:
  191. SignatureType [2 octets]
  192. SignatureLen [2 octets]
  193. Signature [SignatureLen octets]
  194. where SignatureType is 1 (meaning "RSA-SHA256") and Signature is
  195. an RSA-SHA256 signature of the HMAC-SHA256, using the TLS master
  196. secret key as its key, of the following elements:
  197. - The SignatureType field (0x00 0x01)
  198. - The NUL terminated ASCII string: "Tor certificate verification"
  199. - client_random, as sent in the Client Hello
  200. - server_random, as sent in the Server Hello
  201. Once the above handshake is complete, the client knows (from the
  202. initial TLS handshake) that it has a secure connection to an
  203. entity that controls a given link public key, and knows (from the
  204. CERT cell) that the link public key is a valid public key for a
  205. given Tor identity.
  206. If the client authenticates, the server learns from the CERT cell
  207. that a given Tor identity has a given current public link key.
  208. From the AUTHENTICATE cell, it knows that an entity with that
  209. link key knows the master secret for the TLS connection, and
  210. hence must be the party with whom it's talking, if TLS works.
  211. 3.4. Security checks
  212. If the TLS handshake indicates a V2 or V3+ connection, the server
  213. MUST reject any connection from the client that does not begin
  214. with either a renegotiation attempt or a VERSIONS cell containing
  215. at least link protocol version "3". If the TLS handshake
  216. indicates a V3+ connection, the client MUST reject any connection
  217. where the server sends anything before the client has sent a
  218. VERSIONS cell, and any connection where the VERSIONS cell does
  219. not contain at least link protocol version "3".
  220. If link protocol version 3 is chosen:
  221. Clients and servers MUST check that all digests and signatures
  222. on the certificates in CERT cells they are given are as
  223. described above.
  224. After the VERSIONS cell, clients and servers MUST close the
  225. connection if anything besides a CERT or AUTH cell is sent
  226. before the
  227. CERT or AUTHENTICATE cells anywhere after the first NETINFO
  228. cell must be rejected.
  229. ... [write more here. What else?] ...
  230. 3.5. Summary
  231. We now revisit the protocol outlines from section 2 to incorporate
  232. our changes. New or modified steps are marked with a *.
  233. The new initiator behavior now looks like this:
  234. - Begin TLS negotiation with V2 cipher list; wait for
  235. certificate(s).
  236. - If we get a certificate chain:
  237. - Then we are using the V1 handshake. Send our own
  238. certificate chain as part of this initial TLS handshake
  239. if we want to authenticate; otherwise, send no
  240. certificates. When the handshake completes, check
  241. certificates. We are now mutually authenticated.
  242. Otherwise, if we get just a single certificate:
  243. - Then we are using the V2 or the V3+ handshake. Do not
  244. send any certificates during this handshake.
  245. * When the handshake is done, look at the server's
  246. certificate's subject commonName.
  247. * If it ends with ".net", we're doing a V2 handshake:
  248. - Immediately start a TLS renegotiation. During the
  249. renegotiation, expect a certificate chain from the
  250. server; send a certificate chain of our own if we
  251. want to authenticate ourselves.
  252. - After the renegotiation, check the certificates. Then
  253. send (and expect) a VERSIONS cell from the other side
  254. to establish the link protocol version.
  255. * If it ends with anything else, assume a V3 or later
  256. handshake:
  257. * Send a VERSIONS cell, and wait for a VERSIONS cell
  258. from the server.
  259. * If we are authenticating, send CERT and AUTHENTICATE
  260. cells.
  261. * Send a NETINFO cell. Wait for a CERT and a NETINFO
  262. cell from the server.
  263. * If the CERT cell contains a valid self-identity cert,
  264. and the identity key in the cert can be used to check
  265. the signature on the x.509 certificate we got during
  266. the TLS handshake, then we know we connected to the
  267. server with that identity. If any of these checks
  268. fail, or the identity key was not what we expected,
  269. then we close the connection.
  270. * Once the NETINFO cell arrives, continue as before.
  271. And V3+ responder behavior now looks like this:
  272. - When we get a TLS ClientHello request, look at the cipher
  273. list.
  274. - If the cipher list contains only the V1 ciphersuites:
  275. - Then we're doing a V1 handshake. Send a certificate
  276. chain. Expect a possible client certificate chain in
  277. response.
  278. Otherwise, if we get other ciphersuites:
  279. - We're using the V2 handshake. Send back a single
  280. certificate whose subject commonName ends with ".com",
  281. and let the handshake complete.
  282. * If the client does anything besides renegotiate or send a
  283. VERSIONS cell, drop the connection.
  284. - If the client renegotiates immediately, it's a V2
  285. connection:
  286. - When the client is renegotiating, send a certificate
  287. chain, and expect (possibly multiple certificates in
  288. reply).
  289. - Check the certificates when the renegotiation is done.
  290. Then exchange VERSIONS cells.
  291. * Otherwise we got a VERSIONS cell and it's a V3 handshake.
  292. * Send a VERSIONS cell, a CERT cell, an AUTHENTICATE
  293. cell, and a NETINFO cell.
  294. * Wait for the client to send cells in reply. If the
  295. client sends a CERT and an AUTHENTICATE and a NETINFO,
  296. use them to authenticate the client. If the client
  297. sends a NETINFO, it is unauthenticated. If it sends
  298. anything else before its NETINFO, it's rejected.
  299. 4. Numbers to assign
  300. We need a version number for this link protocol. I've been
  301. calling it "3".
  302. We need to reserve command numbers for CERT and AUTH cells. I
  303. suggest that in link protocol 3 and higher, we reserve command
  304. numbers 128..240 for variable-length cells. (241-256 we can hold
  305. for future extensions.
  306. 5. Efficiency
  307. This protocol add a round-trip step when the client sends a
  308. VERSIONS cell to the server, and waits for the {VERSIONS, CERT,
  309. NETINFO} response in turn. (The server then waits for the
  310. client's {NETINFO} or {CERT, AUTHENTICATE, NETINFO} reply,
  311. but it would have already been waiting for the client's NETINFO,
  312. so that's not an additional wait.)
  313. This is actually fewer round-trip steps than required before for
  314. TLS renegotiation, so that's a win.
  315. 6. Open questions:
  316. - Should we use X.509 certificates instead of the certificate-ish
  317. things we describe here? They are more standard, but more ugly.
  318. - May we cache which certificates we've already verified? It
  319. might leak in timing whether we've connected with a given server
  320. before, and how recently.
  321. - Is there a better secret than the master secret to use in the
  322. AUTHENTICATE cell? Say, a portable one? Can we get at it for
  323. other libraries besides OpenSSL?
  324. - Does using the client_random and server_random data in the
  325. AUTHENTICATE message actually help us? How hard is it to pull
  326. them out of the OpenSSL data structure?
  327. - Can we give some way for clients to signal "I want to use the
  328. V3 protocol if possible, but I can't renegotiate, so don't give
  329. me the V2"? Clients currently have a fair idea of server
  330. versions, so they could potentially do the V3+ handshake with
  331. servers that support it, and fall back to V1 otherwise.
  332. - What should servers that don't have TLS renegotiation do? For
  333. now, I think they should just get it. Eventually we can
  334. deprecate the V2 handshake as we did with the V1 handshake.