rend-spec.txt 45 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961
  1. Tor Rendezvous Specification
  2. 0. Overview and preliminaries
  3. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
  4. NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
  5. "OPTIONAL" in this document are to be interpreted as described in
  6. RFC 2119.
  7. Read
  8. https://svn.torproject.org/svn/projects/design-paper/tor-design.html#sec:rendezvous
  9. before you read this specification. It will make more sense.
  10. Rendezvous points provide location-hidden services (server
  11. anonymity) for the onion routing network. With rendezvous points,
  12. Bob can offer a TCP service (say, a webserver) via the onion
  13. routing network, without revealing the IP of that service.
  14. Bob does this by anonymously advertising a public key for his
  15. service, along with a list of onion routers to act as "Introduction
  16. Points" for his service. He creates forward circuits to those
  17. introduction points, and tells them about his service. To
  18. connect to Bob, Alice first builds a circuit to an OR to act as
  19. her "Rendezvous Point." She then connects to one of Bob's chosen
  20. introduction points, and asks it to tell him about her Rendezvous
  21. Point (RP). If Bob chooses to answer, he builds a circuit to her
  22. RP, and tells it to connect him to Alice. The RP joins their
  23. circuits together, and begins relaying cells. Alice's 'BEGIN'
  24. cells are received directly by Bob's OP, which passes data to
  25. and from the local server implementing Bob's service.
  26. Below we describe a network-level specification of this service,
  27. along with interfaces to make this process transparent to Alice
  28. (so long as she is using an OP).
  29. 0.1. Notation, conventions and prerequisites
  30. In the specifications below, we use the same notation and terminology
  31. as in "tor-spec.txt". The service specified here also requires the
  32. existence of an onion routing network as specified in that file.
  33. H(x) is a SHA1 digest of x.
  34. PKSign(SK,x) is a PKCS.1-padded RSA signature of x with SK.
  35. PKEncrypt(SK,x) is a PKCS.1-padded RSA encryption of x with SK.
  36. Public keys are all RSA, and encoded in ASN.1.
  37. All integers are stored in network (big-endian) order.
  38. All symmetric encryption uses AES in counter mode, except where
  39. otherwise noted.
  40. In all discussions, "Alice" will refer to a user connecting to a
  41. location-hidden service, and "Bob" will refer to a user running a
  42. location-hidden service.
  43. An OP is (as defined elsewhere) an "Onion Proxy" or Tor client.
  44. An OR is (as defined elsewhere) an "Onion Router" or Tor server.
  45. An "Introduction point" is a Tor server chosen to be Bob's medium-term
  46. 'meeting place'. A "Rendezvous point" is a Tor server chosen by Alice to
  47. be a short-term communication relay between her and Bob. All Tor servers
  48. potentially act as introduction and rendezvous points.
  49. 0.2. Protocol outline
  50. 1. Bob->Bob's OP: "Offer IP:Port as public-key-name:Port". [configuration]
  51. (We do not specify this step; it is left to the implementor of
  52. Bob's OP.)
  53. 2. Bob's OP generates a long-term keypair.
  54. 3. Bob's OP->Introduction point via Tor: [introduction setup]
  55. "This public key is (currently) associated to me."
  56. 4. Bob's OP->directory service via Tor: publishes Bob's service descriptor
  57. [advertisement]
  58. "Meet public-key X at introduction point A, B, or C." (signed)
  59. 5. Out of band, Alice receives a z.onion:port address.
  60. She opens a SOCKS connection to her OP, and requests z.onion:port.
  61. 6. Alice's OP retrieves Bob's descriptor via Tor. [descriptor lookup.]
  62. 7. Alice's OP chooses a rendezvous point, opens a circuit to that
  63. rendezvous point, and establishes a rendezvous circuit. [rendezvous
  64. setup.]
  65. 8. Alice connects to the Introduction point via Tor, and tells it about
  66. her rendezvous point. (Encrypted to Bob.) [Introduction 1]
  67. 9. The Introduction point passes this on to Bob's OP via Tor, along the
  68. introduction circuit. [Introduction 2]
  69. 10. Bob's OP decides whether to connect to Alice, and if so, creates a
  70. circuit to Alice's RP via Tor. Establishes a shared circuit.
  71. [Rendezvous 1]
  72. 11. The Rendezvous point forwards Bob's confirmation to Alice's OP.
  73. [Rendezvous 2]
  74. 12. Alice's OP sends begin cells to Bob's OP. [Connection]
  75. 0.3. Constants and new cell types
  76. Relay cell types
  77. 32 -- RELAY_COMMAND_ESTABLISH_INTRO
  78. 33 -- RELAY_COMMAND_ESTABLISH_RENDEZVOUS
  79. 34 -- RELAY_COMMAND_INTRODUCE1
  80. 35 -- RELAY_COMMAND_INTRODUCE2
  81. 36 -- RELAY_COMMAND_RENDEZVOUS1
  82. 37 -- RELAY_COMMAND_RENDEZVOUS2
  83. 38 -- RELAY_COMMAND_INTRO_ESTABLISHED
  84. 39 -- RELAY_COMMAND_RENDEZVOUS_ESTABLISHED
  85. 40 -- RELAY_COMMAND_INTRODUCE_ACK
  86. 0.4. Version overview
  87. There are several parts in the hidden service protocol that have
  88. changed over time, each of them having its own version number, whereas
  89. other parts remained the same. The following list of potentially
  90. versioned protocol parts should help reduce some confusion:
  91. - Hidden service descriptor: the binary-based v0 was the default for a
  92. long time, and an ASCII-based v2 has been added by proposal 114. The
  93. v0 descriptor format has been deprecated in 0.2.2.1-alpha. See 1.3.
  94. - Hidden service descriptor propagation mechanism: currently related to
  95. the hidden service descriptor version -- v0 publishes to the original
  96. hs directory authorities, whereas v2 publishes to a rotating subset
  97. of relays with the "HSDir" flag; see 1.4 and 1.6.
  98. - Introduction protocol for how to generate an introduction cell:
  99. v0 specified a nickname for the rendezvous point and assumed the
  100. relay would know about it, whereas v2 now specifies IP address,
  101. port, and onion key so the relay doesn't need to already recognize
  102. it. See 1.8.
  103. 1. The Protocol
  104. 1.1. Bob configures his local OP.
  105. We do not specify a format for the OP configuration file. However,
  106. OPs SHOULD allow Bob to provide more than one advertised service
  107. per OP, and MUST allow Bob to specify one or more virtual ports per
  108. service. Bob provides a mapping from each of these virtual ports
  109. to a local IP:Port pair.
  110. 1.2. Bob's OP establishes his introduction points.
  111. The first time the OP provides an advertised service, it generates
  112. a public/private keypair (stored locally).
  113. The OP choses a small number of Tor servers as introduction points.
  114. The OP establishes a new introduction circuit to each introduction
  115. point. These circuits MUST NOT be used for anything but hidden service
  116. introduction. To establish the introduction, Bob sends a
  117. RELAY_COMMAND_ESTABLISH_INTRO cell, containing:
  118. KL Key length [2 octets]
  119. PK Bob's public key or service key [KL octets]
  120. HS Hash of session info [20 octets]
  121. SIG Signature of above information [variable]
  122. KL is the length of PK, in octets.
  123. To prevent replay attacks, the HS field contains a SHA-1 hash based on the
  124. shared secret KH between Bob's OP and the introduction point, as
  125. follows:
  126. HS = H(KH | "INTRODUCE")
  127. That is:
  128. HS = H(KH | [49 4E 54 52 4F 44 55 43 45])
  129. (KH, as specified in tor-spec.txt, is H(g^xy | [00]) .)
  130. Upon receiving such a cell, the OR first checks that the signature is
  131. correct with the included public key. If so, it checks whether HS is
  132. correct given the shared state between Bob's OP and the OR. If either
  133. check fails, the OP discards the cell; otherwise, it associates the
  134. circuit with Bob's public key, and dissociates any other circuits
  135. currently associated with PK. On success, the OR sends Bob a
  136. RELAY_COMMAND_INTRO_ESTABLISHED cell with an empty payload.
  137. Bob's OP uses either Bob's public key or a freshly generated, single-use
  138. service key in the RELAY_COMMAND_ESTABLISH_INTRO cell, depending on the
  139. configured hidden service descriptor version. The public key is used for
  140. v0 descriptors, the service key for v2 descriptors. In the latter case, the
  141. service keys of all introduction points are included in the v2 hidden
  142. service descriptor together with the other introduction point information.
  143. The reason is that the introduction point does not need to and therefore
  144. should not know for which hidden service it works, so as to prevent it from
  145. tracking the hidden service's activity. If the hidden service is configured
  146. to publish both v0 and v2 descriptors, two separate sets of introduction
  147. points are established.
  148. 1.3. Bob's OP generates service descriptors.
  149. For versions before 0.2.2.1-alpha, Bob's OP periodically generates and
  150. publishes a descriptor of type "V0".
  151. The "V0" descriptor contains:
  152. KL Key length [2 octets]
  153. PK Bob's public key [KL octets]
  154. TS A timestamp [4 octets]
  155. NI Number of introduction points [2 octets]
  156. Ipt A list of NUL-terminated ORs [variable]
  157. SIG Signature of above fields [variable]
  158. TS is the number of seconds elapsed since Jan 1, 1970.
  159. The members of Ipt may be either (a) nicknames, or (b) identity key
  160. digests, encoded in hex, and prefixed with a '$'. Clients must
  161. accept both forms. Services must only generate the second form.
  162. Once 0.0.9.x is obsoleted, we can drop the first form.
  163. [It's ok for Bob to advertise 0 introduction points. He might want
  164. to do that if he previously advertised some introduction points,
  165. and now he doesn't have any. -RD]
  166. Beginning with 0.2.0.10-alpha, Bob's OP encodes "V2" descriptors in
  167. addition to (or instead of) "V0" descriptors. The format of a "V2"
  168. descriptor is as follows:
  169. "rendezvous-service-descriptor" descriptor-id NL
  170. [At start, exactly once]
  171. Indicates the beginning of the descriptor. "descriptor-id" is a
  172. periodically changing identifier of 160 bits formatted as 32 base32
  173. chars that is calculated by the hidden service and its clients. The
  174. "descriptor-id" is calculated by performing the following operation:
  175. descriptor-id =
  176. H(permanent-id | H(time-period | descriptor-cookie | replica))
  177. "permanent-id" is the permanent identifier of the hidden service,
  178. consisting of 80 bits. It can be calculated by computing the hash value
  179. of the public hidden service key and truncating after the first 80 bits:
  180. permanent-id = H(public-key)[:10]
  181. "H(time-period | descriptor-cookie | replica)" is the (possibly
  182. secret) id part that is necessary to verify that the hidden service is
  183. the true originator of this descriptor and that is therefore contained
  184. in the descriptor, too. The descriptor ID can only be created by the
  185. hidden service and its clients, but the "signature" below can only be
  186. created by the service.
  187. "time-period" changes periodically as a function of time and
  188. "permanent-id". The current value for "time-period" can be calculated
  189. using the following formula:
  190. time-period = (current-time + permanent-id-byte * 86400 / 256)
  191. / 86400
  192. "current-time" contains the current system time in seconds since
  193. 1970-01-01 00:00, e.g. 1188241957. "permanent-id-byte" is the first
  194. (unsigned) byte of the permanent identifier (which is in network
  195. order), e.g. 143. Adding the product of "permanent-id-byte" and
  196. 86400 (seconds per day), divided by 256, prevents "time-period" from
  197. changing for all descriptors at the same time of the day. The result
  198. of the overall operation is a (network-ordered) 32-bit integer, e.g.
  199. 13753 or 0x000035B9 with the example values given above.
  200. "descriptor-cookie" is an optional secret password of 128 bits that
  201. is shared between the hidden service provider and its clients. If the
  202. descriptor-cookie is left out, the input to the hash function is 128
  203. bits shorter.
  204. "replica" denotes the number of the replica. A service publishes
  205. multiple descriptors with different descriptor IDs in order to
  206. distribute them to different places on the ring.
  207. "version" version-number NL
  208. [Exactly once]
  209. The version number of this descriptor's format. In this case: 2.
  210. "permanent-key" NL a public key in PEM format
  211. [Exactly once]
  212. The public key of the hidden service which is required to verify the
  213. "descriptor-id" and the "signature".
  214. "secret-id-part" secret-id-part NL
  215. [Exactly once]
  216. The result of the following operation as explained above, formatted as
  217. 32 base32 chars. Using this secret id part, everyone can verify that
  218. the signed descriptor belongs to "descriptor-id".
  219. secret-id-part = H(time-period | descriptor-cookie | replica)
  220. "publication-time" YYYY-MM-DD HH:MM:SS NL
  221. [Exactly once]
  222. A timestamp when this descriptor has been created.
  223. "protocol-versions" version-string NL
  224. [Exactly once]
  225. A comma-separated list of recognized and permitted version numbers
  226. for use in INTRODUCE cells; these versions are described in section
  227. 1.8 below.
  228. "introduction-points" NL encrypted-string
  229. [At most once]
  230. A list of introduction points. If the optional "descriptor-cookie" is
  231. used, this list is encrypted with AES in CTR mode with a random
  232. initialization vector of 128 bits that is written to
  233. the beginning of the encrypted string, and the "descriptor-cookie" as
  234. secret key of 128 bits length.
  235. The string containing the introduction point data (either encrypted
  236. or not) is encoded in base64, and surrounded with
  237. "-----BEGIN MESSAGE-----" and "-----END MESSAGE-----".
  238. The unencrypted string may begin with:
  239. "service-authentication" auth-type auth-data NL
  240. [Any number]
  241. The service-specific authentication data can be used to perform
  242. client authentication. This data is independent of the selected
  243. introduction point as opposed to "intro-authentication" below. The
  244. format of auth-data (base64-encoded or PEM format) depends on
  245. auth-type. See section 2 of this document for details on auth
  246. mechanisms.
  247. Subsequently, an arbitrary number of introduction point entries may
  248. follow, each containing the following data:
  249. "introduction-point" identifier NL
  250. [At start, exactly once]
  251. The identifier of this introduction point: the base-32 encoded
  252. hash of this introduction point's identity key.
  253. "ip-address" ip-address NL
  254. [Exactly once]
  255. The IP address of this introduction point.
  256. "onion-port" port NL
  257. [Exactly once]
  258. The TCP port on which the introduction point is listening for
  259. incoming onion requests.
  260. "onion-key" NL a public key in PEM format
  261. [Exactly once]
  262. The public key that can be used to encrypt messages to this
  263. introduction point.
  264. "service-key" NL a public key in PEM format
  265. [Exactly once]
  266. The public key that can be used to encrypt messages to the hidden
  267. service.
  268. "intro-authentication" auth-type auth-data NL
  269. [Any number]
  270. The introduction-point-specific authentication data can be used
  271. to perform client authentication. This data depends on the
  272. selected introduction point as opposed to "service-authentication"
  273. above. The format of auth-data (base64-encoded or PEM format)
  274. depends on auth-type. See section 2 of this document for details
  275. on auth mechanisms.
  276. (This ends the fields in the encrypted portion of the descriptor.)
  277. [It's ok for Bob to advertise 0 introduction points. He might want
  278. to do that if he previously advertised some introduction points,
  279. and now he doesn't have any. -RD]
  280. "signature" NL signature-string
  281. [At end, exactly once]
  282. A signature of all fields above with the private key of the hidden
  283. service.
  284. 1.3.1. Other descriptor formats we don't use.
  285. Support for the V0 descriptor format was dropped in 0.2.2.0-alpha-dev:
  286. KL Key length [2 octets]
  287. PK Bob's public key [KL octets]
  288. TS A timestamp [4 octets]
  289. NI Number of introduction points [2 octets]
  290. Ipt A list of NUL-terminated ORs [variable]
  291. SIG Signature of above fields [variable]
  292. KL is the length of PK, in octets.
  293. TS is the number of seconds elapsed since Jan 1, 1970.
  294. The members of Ipt may be either (a) nicknames, or (b) identity key
  295. digests, encoded in hex, and prefixed with a '$'.
  296. The V1 descriptor format was understood and accepted from
  297. 0.1.1.5-alpha-cvs to 0.2.0.6-alpha-dev, but no Tors generated it and
  298. it was removed:
  299. V Format byte: set to 255 [1 octet]
  300. V Version byte: set to 1 [1 octet]
  301. KL Key length [2 octets]
  302. PK Bob's public key [KL octets]
  303. TS A timestamp [4 octets]
  304. PROTO Protocol versions: bitmask [2 octets]
  305. NI Number of introduction points [2 octets]
  306. For each introduction point: (as in INTRODUCE2 cells)
  307. IP Introduction point's address [4 octets]
  308. PORT Introduction point's OR port [2 octets]
  309. ID Introduction point identity ID [20 octets]
  310. KLEN Length of onion key [2 octets]
  311. KEY Introduction point onion key [KLEN octets]
  312. SIG Signature of above fields [variable]
  313. A hypothetical "V1" descriptor, that has never been used but might
  314. be useful for historical reasons, contains:
  315. V Format byte: set to 255 [1 octet]
  316. V Version byte: set to 1 [1 octet]
  317. KL Key length [2 octets]
  318. PK Bob's public key [KL octets]
  319. TS A timestamp [4 octets]
  320. PROTO Rendezvous protocol versions: bitmask [2 octets]
  321. NA Number of auth mechanisms accepted [1 octet]
  322. For each auth mechanism:
  323. AUTHT The auth type that is supported [2 octets]
  324. AUTHL Length of auth data [1 octet]
  325. AUTHD Auth data [variable]
  326. NI Number of introduction points [2 octets]
  327. For each introduction point: (as in INTRODUCE2 cells)
  328. ATYPE An address type (typically 4) [1 octet]
  329. ADDR Introduction point's IP address [4 or 16 octets]
  330. PORT Introduction point's OR port [2 octets]
  331. AUTHT The auth type that is supported [2 octets]
  332. AUTHL Length of auth data [1 octet]
  333. AUTHD Auth data [variable]
  334. ID Introduction point identity ID [20 octets]
  335. KLEN Length of onion key [2 octets]
  336. KEY Introduction point onion key [KLEN octets]
  337. SIG Signature of above fields [variable]
  338. AUTHT specifies which authentication/authorization mechanism is
  339. required by the hidden service or the introduction point. AUTHD
  340. is arbitrary data that can be associated with an auth approach.
  341. Currently only AUTHT of [00 00] is supported, with an AUTHL of 0.
  342. See section 2 of this document for details on auth mechanisms.
  343. 1.4. Bob's OP advertises his service descriptor(s).
  344. Bob's OP advertises his service descriptor to a fixed set of v0 hidden
  345. service directory servers and/or a changing subset of all v2 hidden service
  346. directories.
  347. For versions before 0.2.2.1-alpha, Bob's OP opens a stream to each v0
  348. directory server's directory port via Tor. (He may re-use old circuits for
  349. this.) Over this stream, Bob's OP makes an HTTP 'POST' request, to a URL
  350. "/tor/rendezvous/publish" relative to the directory server's root,
  351. containing as its body Bob's service descriptor.
  352. Upon receiving a descriptor, the directory server checks the signature,
  353. and discards the descriptor if the signature does not match the enclosed
  354. public key. Next, the directory server checks the timestamp. If the
  355. timestamp is more than 24 hours in the past or more than 1 hour in the
  356. future, or the directory server already has a newer descriptor with the
  357. same public key, the server discards the descriptor. Otherwise, the
  358. server discards any older descriptors with the same public key and
  359. version format, and associates the new descriptor with the public key.
  360. The directory server remembers this descriptor for at least 24 hours
  361. after its timestamp. At least every 18 hours, Bob's OP uploads a
  362. fresh descriptor.
  363. If Bob's OP is configured to publish v2 descriptors, it does so to a
  364. changing subset of all v2 hidden service directories instead of the
  365. authoritative directory servers. Therefore, Bob's OP opens a stream via
  366. Tor to each responsible hidden service directory. (He may re-use old
  367. circuits for this.) Over this stream, Bob's OP makes an HTTP 'POST'
  368. request to a URL "/tor/rendezvous2/publish" relative to the hidden service
  369. directory's root, containing as its body Bob's service descriptor.
  370. At any time, there are 6 hidden service directories responsible for
  371. keeping replicas of a descriptor; they consist of 2 sets of 3 hidden
  372. service directories with consecutive onion IDs. Bob's OP learns about
  373. the complete list of hidden service directories by filtering the
  374. consensus status document received from the directory authorities. A
  375. hidden service directory is deemed responsible for all descriptor IDs in
  376. the interval from its direct predecessor, exclusive, to its own ID,
  377. inclusive; it further holds replicas for its 2 predecessors. A
  378. participant only trusts its own routing list and never learns about
  379. routing information from other parties.
  380. Bob's OP publishes a new v2 descriptor once an hour or whenever its
  381. content changes. V2 descriptors can be found by clients within a given
  382. time period of 24 hours, after which they change their ID as described
  383. under 1.3. If a published descriptor would be valid for less than 60
  384. minutes (= 2 x 30 minutes to allow the server to be 30 minutes behind
  385. and the client 30 minutes ahead), Bob's OP publishes the descriptor
  386. under the ID of both, the current and the next publication period.
  387. 1.5. Alice receives a z.onion address.
  388. When Alice receives a pointer to a location-hidden service, it is as a
  389. hostname of the form "z.onion", where z is a base-32 encoding of a
  390. 10-octet hash of Bob's service's public key, computed as follows:
  391. 1. Let H = H(PK).
  392. 2. Let H' = the first 80 bits of H, considering each octet from
  393. most significant bit to least significant bit.
  394. 3. Generate a 16-character encoding of H', using base32 as defined
  395. in RFC 3548.
  396. (We only use 80 bits instead of the 160 bits from SHA1 because we
  397. don't need to worry about arbitrary collisions, and because it will
  398. make handling the url's more convenient.)
  399. [Yes, numbers are allowed at the beginning. See RFC 1123. -NM]
  400. 1.6. Alice's OP retrieves a service descriptor.
  401. Alice's OP fetches the service descriptor from the fixed set of v0 hidden
  402. service directory servers and/or a changing subset of all v2 hidden service
  403. directories.
  404. For versions before 0.2.2.1-alpha, Alice's OP opens a stream to a directory
  405. server via Tor, and makes an HTTP GET request for the document
  406. '/tor/rendezvous/<z>', where '<z>' is replaced with the encoding of Bob's
  407. public key as described above. (She may re-use old circuits for this.) The
  408. directory replies with a 404 HTTP response if it does not recognize <z>,
  409. and otherwise returns Bob's most recently uploaded service descriptor.
  410. If Alice's OP receives a 404 response, it tries the other directory
  411. servers, and only fails the lookup if none recognize the public key hash.
  412. Upon receiving a service descriptor, Alice verifies with the same process
  413. as the directory server uses, described above in section 1.4.
  414. The directory server gives a 400 response if it cannot understand Alice's
  415. request.
  416. Alice should cache the descriptor locally, but should not use
  417. descriptors that are more than 24 hours older than their timestamp.
  418. [Caching may make her partitionable, but she fetched it anonymously,
  419. and we can't very well *not* cache it. -RD]
  420. If Alice's OP is running 0.2.1.10-alpha or higher, it fetches v2 hidden
  421. service descriptors. Versions before 0.2.2.1-alpha are fetching both v0 and
  422. v2 descriptors in parallel. Similar to the description in section 1.4,
  423. Alice's OP fetches a v2 descriptor from a randomly chosen hidden service
  424. directory out of the changing subset of 6 nodes. If the request is
  425. unsuccessful, Alice retries the other remaining responsible hidden service
  426. directories in a random order. Alice relies on Bob to care about a potential
  427. clock skew between the two by possibly storing two sets of descriptors (see
  428. end of section 1.4).
  429. Alice's OP opens a stream via Tor to the chosen v2 hidden service
  430. directory. (She may re-use old circuits for this.) Over this stream,
  431. Alice's OP makes an HTTP 'GET' request for the document
  432. "/tor/rendezvous2/<z>", where z is replaced with the encoding of the
  433. descriptor ID. The directory replies with a 404 HTTP response if it does
  434. not recognize <z>, and otherwise returns Bob's most recently uploaded
  435. service descriptor.
  436. 1.7. Alice's OP establishes a rendezvous point.
  437. When Alice requests a connection to a given location-hidden service,
  438. and Alice's OP does not have an established circuit to that service,
  439. the OP builds a rendezvous circuit. It does this by establishing
  440. a circuit to a randomly chosen OR, and sending a
  441. RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell to that OR. The body of that cell
  442. contains:
  443. RC Rendezvous cookie [20 octets]
  444. The rendezvous cookie is an arbitrary 20-byte value, chosen randomly by
  445. Alice's OP. Alice SHOULD choose a new rendezvous cookie for each new
  446. connection attempt.
  447. Upon receiving a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell, the OR associates
  448. the RC with the circuit that sent it. It replies to Alice with an empty
  449. RELAY_COMMAND_RENDEZVOUS_ESTABLISHED cell to indicate success.
  450. Alice's OP MUST NOT use the circuit which sent the cell for any purpose
  451. other than rendezvous with the given location-hidden service.
  452. 1.8. Introduction: from Alice's OP to Introduction Point
  453. Alice builds a separate circuit to one of Bob's chosen introduction
  454. points, and sends it a RELAY_COMMAND_INTRODUCE1 cell containing:
  455. Cleartext
  456. PK_ID Identifier for Bob's PK [20 octets]
  457. Encrypted to Bob's PK: (in the v0 intro protocol)
  458. RP Rendezvous point's nickname [20 octets]
  459. RC Rendezvous cookie [20 octets]
  460. g^x Diffie-Hellman data, part 1 [128 octets]
  461. OR (in the v1 intro protocol)
  462. VER Version byte: set to 1. [1 octet]
  463. RP Rendezvous point nick or ID [42 octets]
  464. RC Rendezvous cookie [20 octets]
  465. g^x Diffie-Hellman data, part 1 [128 octets]
  466. OR (in the v2 intro protocol)
  467. VER Version byte: set to 2. [1 octet]
  468. IP Rendezvous point's address [4 octets]
  469. PORT Rendezvous point's OR port [2 octets]
  470. ID Rendezvous point identity ID [20 octets]
  471. KLEN Length of onion key [2 octets]
  472. KEY Rendezvous point onion key [KLEN octets]
  473. RC Rendezvous cookie [20 octets]
  474. g^x Diffie-Hellman data, part 1 [128 octets]
  475. OR (in the v3 intro protocol)
  476. VER Version byte: set to 3. [1 octet]
  477. AUTHT The auth type that is used [1 octet]
  478. AUTHL Length of auth data [2 octets]
  479. AUTHD Auth data [variable]
  480. TS A timestamp [4 octets]
  481. IP Rendezvous point's address [4 octets]
  482. PORT Rendezvous point's OR port [2 octets]
  483. ID Rendezvous point identity ID [20 octets]
  484. KLEN Length of onion key [2 octets]
  485. KEY Rendezvous point onion key [KLEN octets]
  486. RC Rendezvous cookie [20 octets]
  487. g^x Diffie-Hellman data, part 1 [128 octets]
  488. PK_ID is the hash of Bob's public key or the service key, depending on the
  489. hidden service descriptor version. In case of a v0 descriptor, Alice's OP
  490. uses Bob's public key. If Alice has downloaded a v2 descriptor, she uses
  491. the contained public key ("service-key").
  492. RP is NUL-padded and terminated. In version 0 of the intro protocol, RP
  493. must contain a nickname. In version 1, it must contain EITHER a nickname or
  494. an identity key digest that is encoded in hex and prefixed with a '$'.
  495. The hybrid encryption to Bob's PK works just like the hybrid
  496. encryption in CREATE cells (see tor-spec). Thus the payload of the
  497. version 0 RELAY_COMMAND_INTRODUCE1 cell on the wire will contain
  498. 20+42+16+20+20+128=246 bytes, and the version 1 and version 2
  499. introduction formats have other sizes.
  500. Through Tor 0.2.0.6-alpha, clients only generated the v0 introduction
  501. format, whereas hidden services have understood and accepted v0,
  502. v1, and v2 since 0.1.1.x. As of Tor 0.2.0.7-alpha and 0.1.2.18,
  503. clients switched to using the v2 intro format.
  504. 1.9. Introduction: From the Introduction Point to Bob's OP
  505. If the Introduction Point recognizes PK_ID as a public key which has
  506. established a circuit for introductions as in 1.2 above, it sends the body
  507. of the cell in a new RELAY_COMMAND_INTRODUCE2 cell down the corresponding
  508. circuit. (If the PK_ID is unrecognized, the RELAY_COMMAND_INTRODUCE1 cell is
  509. discarded.)
  510. After sending the RELAY_COMMAND_INTRODUCE2 cell, the OR replies to Alice
  511. with an empty RELAY_COMMAND_INTRODUCE_ACK cell. If no
  512. RELAY_COMMAND_INTRODUCE2 cell can be sent, the OR replies to Alice with a
  513. non-empty cell to indicate an error. (The semantics of the cell body may be
  514. determined later; the current implementation sends a single '1' byte on
  515. failure.)
  516. When Bob's OP receives the RELAY_COMMAND_INTRODUCE2 cell, it decrypts it
  517. with the private key for the corresponding hidden service, and extracts the
  518. rendezvous point's nickname, the rendezvous cookie, and the value of g^x
  519. chosen by Alice.
  520. 1.10. Rendezvous
  521. Bob's OP builds a new Tor circuit ending at Alice's chosen rendezvous
  522. point, and sends a RELAY_COMMAND_RENDEZVOUS1 cell along this circuit,
  523. containing:
  524. RC Rendezvous cookie [20 octets]
  525. g^y Diffie-Hellman [128 octets]
  526. KH Handshake digest [20 octets]
  527. (Bob's OP MUST NOT use this circuit for any other purpose.)
  528. If the RP recognizes RC, it relays the rest of the cell down the
  529. corresponding circuit in a RELAY_COMMAND_RENDEZVOUS2 cell, containing:
  530. g^y Diffie-Hellman [128 octets]
  531. KH Handshake digest [20 octets]
  532. (If the RP does not recognize the RC, it discards the cell and
  533. tears down the circuit.)
  534. When Alice's OP receives a RELAY_COMMAND_RENDEZVOUS2 cell on a circuit which
  535. has sent a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell but which has not yet
  536. received a reply, it uses g^y and H(g^xy) to complete the handshake as in
  537. the Tor circuit extend process: they establish a 60-octet string as
  538. K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02])
  539. and generate
  540. KH = K[0..15]
  541. Kf = K[16..31]
  542. Kb = K[32..47]
  543. Subsequently, the rendezvous point passes relay cells, unchanged, from
  544. each of the two circuits to the other. When Alice's OP sends
  545. RELAY cells along the circuit, it first encrypts them with the
  546. Kf, then with all of the keys for the ORs in Alice's side of the circuit;
  547. and when Alice's OP receives RELAY cells from the circuit, it decrypts
  548. them with the keys for the ORs in Alice's side of the circuit, then
  549. decrypts them with Kb. Bob's OP does the same, with Kf and Kb
  550. interchanged.
  551. 1.11. Creating streams
  552. To open TCP connections to Bob's location-hidden service, Alice's OP sends
  553. a RELAY_COMMAND_BEGIN cell along the established circuit, using the special
  554. address "", and a chosen port. Bob's OP chooses a destination IP and
  555. port, based on the configuration of the service connected to the circuit,
  556. and opens a TCP stream. From then on, Bob's OP treats the stream as an
  557. ordinary exit connection.
  558. [ Except he doesn't include addr in the connected cell or the end
  559. cell. -RD]
  560. Alice MAY send multiple RELAY_COMMAND_BEGIN cells along the circuit, to open
  561. multiple streams to Bob. Alice SHOULD NOT send RELAY_COMMAND_BEGIN cells
  562. for any other address along her circuit to Bob; if she does, Bob MUST reject
  563. them.
  564. 2. Authentication and authorization.
  565. The rendezvous protocol as described in Section 1 provides a few options
  566. for implementing client-side authorization. There are two steps in the
  567. rendezvous protocol that can be used for performing client authorization:
  568. when downloading and decrypting parts of the hidden service descriptor and
  569. at Bob's Tor client before contacting the rendezvous point. A service
  570. provider can restrict access to his service at these two points to
  571. authorized clients only.
  572. There are currently two authorization protocols specified that are
  573. described in more detail below:
  574. 1. The first protocol allows a service provider to restrict access
  575. to clients with a previously received secret key only, but does not
  576. attempt to hide service activity from others.
  577. 2. The second protocol, albeit being feasible for a limited set of about
  578. 16 clients, performs client authorization and hides service activity
  579. from everyone but the authorized clients.
  580. 2.1. Service with large-scale client authorization
  581. The first client authorization protocol aims at performing access control
  582. while consuming as few additional resources as possible. A service
  583. provider should be able to permit access to a large number of clients
  584. while denying access for everyone else. However, the price for
  585. scalability is that the service won't be able to hide its activity from
  586. unauthorized or formerly authorized clients.
  587. The main idea of this protocol is to encrypt the introduction-point part
  588. in hidden service descriptors to authorized clients using symmetric keys.
  589. This ensures that nobody else but authorized clients can learn which
  590. introduction points a service currently uses, nor can someone send a
  591. valid INTRODUCE1 message without knowing the introduction key. Therefore,
  592. a subsequent authorization at the introduction point is not required.
  593. A service provider generates symmetric "descriptor cookies" for his
  594. clients and distributes them outside of Tor. The suggested key size is
  595. 128 bits, so that descriptor cookies can be encoded in 22 base64 chars
  596. (which can hold up to 22 * 5 = 132 bits, leaving 4 bits to encode the
  597. authorization type (here: "0") and allow a client to distinguish this
  598. authorization protocol from others like the one proposed below).
  599. Typically, the contact information for a hidden service using this
  600. authorization protocol looks like this:
  601. v2cbb2l4lsnpio4q.onion Ll3X7Xgz9eHGKCCnlFH0uz
  602. When generating a hidden service descriptor, the service encrypts the
  603. introduction-point part with a single randomly generated symmetric
  604. 128-bit session key using AES-CTR as described for v2 hidden service
  605. descriptors in rend-spec. Afterwards, the service encrypts the session
  606. key to all descriptor cookies using AES. Authorized client should be able
  607. to efficiently find the session key that is encrypted for him/her, so
  608. that 4 octet long client ID are generated consisting of descriptor cookie
  609. and initialization vector. Descriptors always contain a number of
  610. encrypted session keys that is a multiple of 16 by adding fake entries.
  611. Encrypted session keys are ordered by client IDs in order to conceal
  612. addition or removal of authorized clients by the service provider.
  613. ATYPE Authorization type: set to 1. [1 octet]
  614. ALEN Number of clients := 1 + ((clients - 1) div 16) [1 octet]
  615. for each symmetric descriptor cookie:
  616. ID Client ID: H(descriptor cookie | IV)[:4] [4 octets]
  617. SKEY Session key encrypted with descriptor cookie [16 octets]
  618. (end of client-specific part)
  619. RND Random data [(15 - ((clients - 1) mod 16)) * 20 octets]
  620. IV AES initialization vector [16 octets]
  621. IPOS Intro points, encrypted with session key [remaining octets]
  622. An authorized client needs to configure Tor to use the descriptor cookie
  623. when accessing the hidden service. Therefore, a user adds the contact
  624. information that she received from the service provider to her torrc
  625. file. Upon downloading a hidden service descriptor, Tor finds the
  626. encrypted introduction-point part and attempts to decrypt it using the
  627. configured descriptor cookie. (In the rare event of two or more client
  628. IDs being equal a client tries to decrypt all of them.)
  629. Upon sending the introduction, the client includes her descriptor cookie
  630. as auth type "1" in the INTRODUCE2 cell that she sends to the service.
  631. The hidden service checks whether the included descriptor cookie is
  632. authorized to access the service and either responds to the introduction
  633. request, or not.
  634. 2.2. Authorization for limited number of clients
  635. A second, more sophisticated client authorization protocol goes the extra
  636. mile of hiding service activity from unauthorized clients. With all else
  637. being equal to the preceding authorization protocol, the second protocol
  638. publishes hidden service descriptors for each user separately and gets
  639. along with encrypting the introduction-point part of descriptors to a
  640. single client. This allows the service to stop publishing descriptors for
  641. removed clients. As long as a removed client cannot link descriptors
  642. issued for other clients to the service, it cannot derive service
  643. activity any more. The downside of this approach is limited scalability.
  644. Even though the distributed storage of descriptors (cf. proposal 114)
  645. tackles the problem of limited scalability to a certain extent, this
  646. protocol should not be used for services with more than 16 clients. (In
  647. fact, Tor should refuse to advertise services for more than this number
  648. of clients.)
  649. A hidden service generates an asymmetric "client key" and a symmetric
  650. "descriptor cookie" for each client. The client key is used as
  651. replacement for the service's permanent key, so that the service uses a
  652. different identity for each of his clients. The descriptor cookie is used
  653. to store descriptors at changing directory nodes that are unpredictable
  654. for anyone but service and client, to encrypt the introduction-point
  655. part, and to be included in INTRODUCE2 cells. Once the service has
  656. created client key and descriptor cookie, he tells them to the client
  657. outside of Tor. The contact information string looks similar to the one
  658. used by the preceding authorization protocol (with the only difference
  659. that it has "1" encoded as auth-type in the remaining 4 of 132 bits
  660. instead of "0" as before).
  661. When creating a hidden service descriptor for an authorized client, the
  662. hidden service uses the client key and descriptor cookie to compute
  663. secret ID part and descriptor ID:
  664. secret-id-part = H(time-period | descriptor-cookie | replica)
  665. descriptor-id = H(client-key[:10] | secret-id-part)
  666. The hidden service also replaces permanent-key in the descriptor with
  667. client-key and encrypts introduction-points with the descriptor cookie.
  668. ATYPE Authorization type: set to 2. [1 octet]
  669. IV AES initialization vector [16 octets]
  670. IPOS Intro points, encr. with descriptor cookie [remaining octets]
  671. When uploading descriptors, the hidden service needs to make sure that
  672. descriptors for different clients are not uploaded at the same time (cf.
  673. Section 1.1) which is also a limiting factor for the number of clients.
  674. When a client is requested to establish a connection to a hidden service
  675. it looks up whether it has any authorization data configured for that
  676. service. If the user has configured authorization data for authorization
  677. protocol "2", the descriptor ID is determined as described in the last
  678. paragraph. Upon receiving a descriptor, the client decrypts the
  679. introduction-point part using its descriptor cookie. Further, the client
  680. includes its descriptor cookie as auth-type "2" in INTRODUCE2 cells that
  681. it sends to the service.
  682. 2.3. Hidden service configuration
  683. A hidden service that is meant to perform client authorization adds a
  684. new option HiddenServiceAuthorizeClient to its hidden service
  685. configuration. This option contains the authorization type which is
  686. either "1" for the protocol described in 2.1 or "2" for the protocol in
  687. 2.2 and a comma-separated list of human-readable client names, so that
  688. Tor can create authorization data for these clients:
  689. HiddenServiceAuthorizeClient auth-type client-name,client-name,...
  690. If this option is configured, HiddenServiceVersion is automatically
  691. reconfigured to contain only version numbers of 2 or higher.
  692. Tor stores all generated authorization data for the authorization
  693. protocols described in Sections 2.1 and 2.2 in a new file using the
  694. following file format:
  695. "client-name" human-readable client identifier NL
  696. "descriptor-cookie" 128-bit key ^= 22 base64 chars NL
  697. If the authorization protocol of Section 2.2 is used, Tor also generates
  698. and stores the following data:
  699. "client-key" NL a public key in PEM format
  700. 2.4. Client configuration
  701. Clients need to make their authorization data known to Tor using another
  702. configuration option that contains a service name (mainly for the sake of
  703. convenience), the service address, and the descriptor cookie that is
  704. required to access a hidden service (the authorization protocol number is
  705. encoded in the descriptor cookie):
  706. HidServAuth service-name service-address descriptor-cookie
  707. 3. Hidden service directory operation
  708. This section has been introduced with the v2 hidden service descriptor
  709. format. It describes all operations of the v2 hidden service descriptor
  710. fetching and propagation mechanism that are required for the protocol
  711. described in section 1 to succeed with v2 hidden service descriptors.
  712. 3.1. Configuring as hidden service directory
  713. Every onion router that has its directory port open can decide whether it
  714. wants to store and serve hidden service descriptors. An onion router which
  715. is configured as such includes the "hidden-service-dir" flag in its router
  716. descriptors that it sends to directory authorities.
  717. The directory authorities include a new flag "HSDir" for routers that
  718. decided to provide storage for hidden service descriptors and that
  719. have been running for at least 24 hours.
  720. 3.2. Accepting publish requests
  721. Hidden service directory nodes accept publish requests for v2 hidden service
  722. descriptors and store them to their local memory. (It is not necessary to
  723. make descriptors persistent, because after restarting, the onion router
  724. would not be accepted as a storing node anyway, because it has not been
  725. running for at least 24 hours.) All requests and replies are formatted as
  726. HTTP messages. Requests are initiated via BEGIN_DIR cells directed to
  727. the router's directory port, and formatted as HTTP POST requests to the URL
  728. "/tor/rendezvous2/publish" relative to the hidden service directory's root,
  729. containing as its body a v2 service descriptor.
  730. A hidden service directory node parses every received descriptor and only
  731. stores it when it thinks that it is responsible for storing that descriptor
  732. based on its own routing table. See section 1.4 for more information on how
  733. to determine responsibility for a certain descriptor ID.
  734. 3.3. Processing fetch requests
  735. Hidden service directory nodes process fetch requests for hidden service
  736. descriptors by looking them up in their local memory. (They do not need to
  737. determine if they are responsible for the passed ID, because it does no harm
  738. if they deliver a descriptor for which they are not (any more) responsible.)
  739. All requests and replies are formatted as HTTP messages. Requests are
  740. initiated via BEGIN_DIR cells directed to the router's directory port,
  741. and formatted as HTTP GET requests for the document "/tor/rendezvous2/<z>",
  742. where z is replaced with the encoding of the descriptor ID.