114-distributed-storage.txt 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964
  1. Filename: 114-distributed-storage.txt
  2. Title: Distributed Storage for Tor Hidden Service Descriptors
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Karsten Loesing
  6. Created: 13-May-2007
  7. Status: Open
  8. Change history:
  9. 13-May-2007 Initial proposal
  10. 14-May-2007 Added changes suggested by Lasse Øverlier
  11. 30-May-2007 Changed descriptor format, key length discussion, typos
  12. 09-Jul-2007 Incorporated suggestions by Roger, added status of specification
  13. and implementation for upcoming GSoC mid-term evaluation
  14. 11-Aug-2007 Updated implementation statuses, included non-consecutive
  15. replication to descriptor format
  16. 20-Aug-2007 Renamed config option HSDir as HidServDirectoryV2
  17. Overview:
  18. The basic idea of this proposal is to distribute the tasks of storing and
  19. serving hidden service descriptors from currently three authoritative
  20. directory nodes among a large subset of all onion routers. The three
  21. reasons to do this are better robustness (availability), better
  22. scalability, and improved security properties. Further,
  23. this proposal suggests changes to the hidden service descriptor format to
  24. prevent new security threats coming from decentralization and to gain even
  25. better security properties.
  26. Motivation:
  27. The current design of hidden services exhibits the following performance and
  28. security problems:
  29. First, the three hidden service authoritative directories constitute a
  30. performance bottleneck in the system. The directory nodes are responsible for
  31. storing and serving all hidden service descriptors. At the moment there are
  32. about 1000 descriptors at a time, but this number is assumed to increase in
  33. the future. Further, there is no replication protocol for descriptors between
  34. the three directory nodes, so that hidden services must ensure the
  35. availability of their descriptors by manually publishing them on all
  36. directory nodes. Whenever a fourth or fifth hidden service authoritative
  37. directory is added, hidden services will need to maintain an equally
  38. increasing number of replicas. These scalability issues have an impact on the
  39. current usage of hidden services and put an even higher burden on the
  40. development of new kinds of applications for hidden services that might
  41. require storing even more descriptors.
  42. Second, besides posing a limitation to scalability, storing all hidden
  43. service descriptors on three directory nodes also constitutes a security
  44. risk. The directory node operators could easily analyze the publish and fetch
  45. requests to derive information on service activity and usage and read the
  46. descriptor contents to determine which onion routers work as introduction
  47. points for a given hidden service and need to be attacked or threatened to
  48. shut it down. Furthermore, the contents of a hidden service descriptor offer
  49. only minimal security properties to the hidden service. Whoever gets aware of
  50. the service ID can easily find out whether the service is active at the
  51. moment and which introduction points it has. This applies to (former)
  52. clients, (former) introduction points, and of course to the directory nodes.
  53. It requires only to request the descriptor for the given service ID, which
  54. can be performed by anyone anonymously.
  55. This proposal suggests two major changes to approach the described
  56. performance and security problems:
  57. The first change affects the storage location for hidden service descriptors.
  58. Descriptors are distributed among a large subset of all onion routers instead
  59. of three fixed directory nodes. Each storing node is responsible for a subset
  60. of descriptors for a limited time only. It is not able to choose which
  61. descriptors it stores at a certain time, because this is determined by its
  62. onion ID which is hard to change frequently and in time (only routers which
  63. are stable for a given time are accepted as storing nodes). In order to
  64. resist single node failures and untrustworthy nodes, descriptors are
  65. replicated among a certain number of storing nodes. A first replication
  66. protocol makes sure that descriptors don't get lost when the node population
  67. changes; therefore, a storing node periodically requests the descriptors from
  68. its siblings. A second replication protocol distributes descriptors among
  69. non-consecutive nodes of the ID ring to prevent a group of adversaries from
  70. generating new onion keys until they have consecutive IDs to create a 'black
  71. hole' in the ring and make random services unavailable. Connections to
  72. storing nodes are established by extending existing circuits by one hop to
  73. the storing node. This also ensures that contents are encrypted. The effect
  74. of this first change is that the probability that a single node operator
  75. learns about a certain hidden service is very small and that it is very hard
  76. to track a service over time, even when it collaborates with other node
  77. operators.
  78. The second change concerns the content of hidden service descriptors.
  79. Obviously, security problems cannot be solved only by decentralizing storage;
  80. in fact, they could also get worse if done without caution. At first, a
  81. descriptor ID needs to change periodically in order to be stored on changing
  82. nodes over time. Next, the descriptor ID needs to be computable only for the
  83. service's clients, but should be unpredictable for all other nodes. Further,
  84. the storing node needs to be able to verify that the hidden service is the
  85. true originator of the descriptor with the given ID even though it is not a
  86. client. Finally, a storing node should learn as little information as
  87. necessary by storing a descriptor, because it might not be as trustworthy as
  88. a directory node; for example it does not need to know the list of
  89. introduction points. Therefore, a second key is applied that is only known to
  90. the hidden service provider and its clients and that is not included in the
  91. descriptor. It is used to calculate descriptor IDs and to encrypt the
  92. introduction points. This second key can either be given to all clients
  93. together with the hidden service ID, or to a group or a single client as
  94. an authentication token. In the future this second key could be the result of
  95. some key agreement protocol between the hidden service and one or more
  96. clients. A new text-based format is proposed for descriptors instead of an
  97. extension of the existing binary format for reasons of future extensibility.
  98. Design:
  99. The proposed design is described by the required changes to the current
  100. design. These requirements are grouped by content, rather than by affected
  101. specification documents or code files, and numbered for reference below.
  102. Hidden service clients, servers, and directories:
  103. /1/ Create routing list
  104. All participants can filter the consensus status document received from the
  105. directory authorities to one routing list containing only those servers
  106. that store and serve hidden service descriptors and which are running for
  107. at least 24 hours. A participant only trusts its own routing list and never
  108. learns about routing information from other parties.
  109. - rend-spec.txt, section 1.4: Added description of how to obtain a routing
  110. list of hidden service directories.
  111. - routerparse.c: Changed routerstatus_parse_entry_from_string to parse the
  112. "HSDir" flag in vote and consensus status documents.
  113. - routerlist.c: Changed router_get_routerlist() to initialize routing list.
  114. - or.h: Added hs_dirs member to routerlist_t.
  115. - Changed routerlist_free() to free storage held by routing list.
  116. - Added UPDATE_HS_DIRS_INTERVAL.
  117. - Added update_hs_dir_routing_table().
  118. - Changed run_scheduled_events().
  119. - Added is_hs_dir member to routerstatus_t.
  120. [Aug 11: Specified and running.]
  121. /2/ Determine responsible hidden service directory
  122. All participants can determine the hidden service directory that is
  123. responsible for storing and serving a given ID, as well as the hidden
  124. service directories that replicate its content. Every hidden service
  125. directory is responsible for the descriptor IDs in the interval from
  126. its predecessor, exclusive, to its own ID, inclusive. Further, a hidden
  127. service directory holds replicas for its n predecessors, where n denotes
  128. the number of consecutive replicas. (requires /1/)
  129. - rend-spec.txt, section 1.4: Added description of how to determine the
  130. responsible node(s) for a given descriptor ID.
  131. - routerlist.c: Added get_responsible_hs_dirs() to determine the routers
  132. that are responsible for a given descriptor ID.
  133. - Added is_hs_dir member to routerstatus_t.
  134. - Added have_enough_hs_dirs().
  135. - Added next_hs_dir().
  136. [July 9: Specified and running.]
  137. Hidden service clients and providers:
  138. /3/ Send tunneled HTTP request to hidden service directory in BEGIN_DIR cell
  139. - rend-spec.txt, section 1.4: Added the requirement that requests need to
  140. be sent via Tor.
  141. - rend-spec.txt, section 1.6: Added the requirement that requests need to
  142. be sent via Tor.
  143. [July 9: Pending]
  144. Hidden service directory nodes:
  145. /4/ Process tunneled HTTP request in BEGIN_DIR cell
  146. - rend-spec.txt, section 3.2: Added the requirement that requests need to
  147. be contained within BEGIN_DIR cells.
  148. - rend-spec.txt, section 3.3: Added the requirement that requests need to
  149. be contained within BEGIN_DIR cells.
  150. [July 9: Pending]
  151. /5/ Advertise hidden service directory functionality
  152. Every onion router that has its directory port open can decide whether it
  153. wants to store and serve hidden service descriptors by setting a new config
  154. option "HidServDirectoryV2" 0|1 to 1. An onion router with this config
  155. option being set includes the flag "hidden-service-dir" in its router
  156. descriptors that it sends to directory authorities.
  157. - tor.1.in: Added the config option HidServDirectoryV2.
  158. - dir-spec.txt, section 2.1: Added the flag hidden-service-dir to the
  159. router descriptor format.
  160. - rend-spec.txt, section 3.1: Added process of configuring a hidden service
  161. directory.
  162. - router.c: Changed router_dump_router_to_string() to include the
  163. hidden-service-dir flag in a router descriptor if configured.
  164. - or.h: Added HidServDirectoryV2 to or_options_t.
  165. - config.c: Added config option HidServDirectoryV2.
  166. [July 9: Specified and running.]
  167. /6/ Accept v2 publish requests, parse and store v2 descriptors
  168. Hidden service directory nodes accept publish requests for hidden service
  169. descriptors and store them to their local memory. (It is not necessary to
  170. make descriptors persistent, because after disconnecting, the onion router
  171. would not be accepted as storing node anyway, because it has not been
  172. running for at least 24 hours.) All requests and replies are formatted as
  173. HTTP messages. Requests are directed to the router's directory port and are
  174. contained within BEGIN_DIR cells. A hidden service directory node stores a
  175. descriptor only when it thinks that it is responsible for storing that
  176. descriptor based on its own routing table. Every hidden service directory
  177. node is responsible for the descriptor IDs in the interval of its n-th
  178. predecessor in the ID circle up to its own ID (n denotes the number of
  179. consecutive replicas). (requires /1/ and /4/)
  180. - rend-spec.txt, section 1.2: Added the new v2 hidden service descriptor
  181. format.
  182. - rend-spec.txt, section 3.2: Added the acceptance of v2 publish requests.
  183. - routerparse.c: Added rend_parse_v2_service_descriptor() to parse a v2
  184. hidden service descriptor.
  185. - routerparse.c: Added desc_token_table[] to parse v2 hidden service
  186. descriptors.
  187. - routerparse.c: Added 8 keywords to directory_keyword to parse v2 hidden
  188. service descriptors.
  189. - rendcommon.c: Added rend_cache_store_v2_dir() to allow a hidden service
  190. directory to parse a v2 descriptor and store it in the local cache under
  191. its descriptor ID instead of its service ID.
  192. - or.h: Added constant REND_DESC_ID_V2_LEN to reflect that v2 descriptor
  193. IDs are longer than v0/1 onion addresses.
  194. - Changed directory_handle_command_post().
  195. [Aug 11: Specified and running.]
  196. /7/ Accept v2 fetch requests
  197. Same as /6/, but with fetch requests for hidden service descriptors.
  198. (requires /2/ and /4/)
  199. - rend-spec.txt, section 3.3: Added the processing of v2 fetch requests.
  200. - rendcommon.c: Added rend_cache_lookup_v2_dir() to allow a hidden service
  201. directory to look up a v2 descriptor in the local cache under its
  202. descriptor ID instead of its service ID.
  203. - or.h: Added constant REND_DESC_ID_V2_LEN to reflect that v2 descriptor
  204. IDs are longer than v0/1 onion addresses.
  205. - Changed directory_handle_command_get().
  206. [Aug 11: Specified and running.]
  207. /8/ Replicate descriptors with neighbors
  208. A hidden service directory node replicates descriptors from its two
  209. predecessors by downloading them once an hour. Further, it checks its
  210. routing table periodically for changes. Whenever it realizes that a
  211. predecessor has left the network, it establishes a connection to the new
  212. n-th predecessor and requests its stored descriptors in the interval of its
  213. (n+1)-th predecessor and the requested n-th predecessor. Whenever it
  214. realizes that a new onion router has joined with an ID higher than its
  215. former n-th predecessor, it adds it to its predecessors and discards all
  216. descriptors in the interval of its (n+1)-th and its n-th predecessor.
  217. (requires /1/)
  218. - rend-spec.txt, section 3.3: Added the replication of v2 descriptors.
  219. - Added HS_DIR_REPLICATION_INTERVAL.
  220. - Added next_hs_dir and previous_hs_dir.
  221. - Changed directory_handle_command_get().
  222. - Changed run_scheduled_events.
  223. - Added hs_dir_perform_replication().
  224. - Added rend_cache_lookup_v2_replicas.
  225. - Added DIR_PURPOSE_REPLICATE_RENDDESC_V2.
  226. - Changed directory_initiate_command.
  227. - directory_send_command.
  228. - Changed connection_dir_client_reached_eof.
  229. [Aug 11: To some extend specified, running.]
  230. Authoritative directory nodes:
  231. /9/ Confirm a router's hidden service directory functionality
  232. Directory nodes include a new flag "HSDir" for routers that decided to
  233. provide storage for hidden service descriptors and that are running for at
  234. least 24 hours. The last requirement prevents a node from frequently
  235. changing its onion key to become responsible for an identifier it wants to
  236. target.
  237. - dir-spec.txt, section 3.2: Added the status flag "HSDir" to the vote and
  238. consensus status document format.
  239. - dir-spec.txt, section 3.3: Added a rule for how an authority decides
  240. whether a router is assigned the flag "HSDir".
  241. - rend-spec.txt, section 3.1: Added the decision on whether an onion router
  242. is confirmed to act as hidden service directory or not.
  243. - routerparse.c: Changed router_parse_entry_from_string() to parse the
  244. "hidden-service-dir" flag in router descriptors.
  245. - routerparse.c: Added an entry to routerdesc_token_table[] to parse the
  246. "hidden-service-directory" flag in router descriptors.
  247. - routerparse.c: Added 1 keyword to directory_keyword to parse the
  248. "hidden-service-dir" flag in router descriptors.
  249. - or.h: Added is_hs_dir and wants_to_be_hs_dir members to routerinfo_t.
  250. - dirserv.c: Changed routerstatus_format_entry() to include the "HSDir"
  251. flag in vote and consensus status documents.
  252. - dirserv.c: Changed set_routerstatus_from_routerinfo() to set the "HSDir"
  253. flag.
  254. - Added dirserv_thinks_router_is_hs_dir().
  255. - Added MIN_UPTIME_HS_DIR and HS_DIR_REACHABLE_TIMEOUT.
  256. [Aug 11: Specified and running.]
  257. Hidden service provider:
  258. /10/ Configure v2 hidden service
  259. Each hidden service provider that has set the config option
  260. "PublishV2HidServDescriptors" 0|1 to 1 is configured to publish v2
  261. descriptors and conform to the v2 connection establishment protocol. When
  262. configuring a hidden service, a hidden service provider checks if it has
  263. already created a random secret_cookie and a hostname2 file; if not, it
  264. creates both of them. (requires /2/)
  265. - tor.1.in: Added the config option PublishV2HidServDescriptors.
  266. - tor.1.in: Added the files hostname2 and secret_cookie.
  267. - rend-spec.txt, section 1.1: Added requirement to create secret_cookie and
  268. hostname2 file.
  269. - rendservice.c: Added rend_get_hostname2() to assemble a v2 onion address.
  270. - rendservice.c: Changed rend_service_load_keys() to write a secret_cookie
  271. and a hostname2 file.
  272. - rendservice.c: Extended rend_service_t by a member secret_cookie.
  273. - or.h: Added PublishV2HidServDescriptors to or_options_t.
  274. - config.c: Added config option PublishV2HidServDescriptors.
  275. [July 9: Specified and running.]
  276. /11/ Establish introduction points with fresh key
  277. If configured to publish only v2 descriptors and no v0/v1 descriptors any
  278. more, a hidden service provider that is setting up the hidden service at
  279. introduction points does not pass its own public key, but the public key
  280. of a freshly generated key pair. It also includes these fresh public keys
  281. in the hidden service descriptor together with the other introduction point
  282. information. The reason is that the introduction point does not need to and
  283. therefore should not know for which hidden service it works, so as to
  284. prevent it from tracking the hidden service's activity. (If a hidden
  285. service provider supports both, v0/v1 and v2 descriptors, v0/v1 clients
  286. rely on the fact that all introduction points accept the same public key,
  287. so that this new feature cannot be used.)
  288. - rend-spec.txt, section 1.3: Instead of Bob's public key, the hidden
  289. service provider uses a freshly generated public key for every
  290. introduction point.
  291. - TODO: Change in rend_encode_v2_descriptors.
  292. [July 9: Specified, but not yet implemented.]
  293. /12/ Encode v2 descriptors and send v2 publish requests
  294. If configured to publish v2 descriptors, a hidden service provider
  295. publishes a new descriptor whenever its content changes or a new
  296. publication period starts for this descriptor. If the current publication
  297. period would only last for less than 60 minutes (= 2 x 30 minutes to allow
  298. the server to be 30 minutes behind and the client 30 minutes ahead), the
  299. hidden service provider publishes both a current descriptor and one for
  300. the next period. Publication is performed by sending the descriptor to all
  301. hidden service directories that are responsible for keeping replicas for
  302. the descriptor ID. This includes two non-consecutive replicas that are
  303. stored at 3 consecutive nodes each. (requires /1/, /2/, and /3/)
  304. - rend-spec.txt, section 1.2: Added the new v2 hidden service descriptor
  305. format.
  306. - rend-spec.txt, section 1.4: Bob's OP does not only upload v0/v1 service
  307. descriptors to the authoritative directories, but also v2 service
  308. descriptors to the hidden service directories.
  309. - rendservice.c: Changed upload_service_descriptor() to upload v2 hidden
  310. service descriptors, if configured.
  311. - rendservice.c: Changed rend_consider_services_upload() to also initiate
  312. the upload of v2 descriptors, if configured.
  313. - rendservice.c: Extended rend_service_t by a member secret_cookie.
  314. - rendcommon.c: Added rend_encode_v2_descriptor() to encode a v2
  315. descriptor.
  316. - or.h: Added constant DIR_PURPOSE_UPLOAD_RENDDESC_V2.
  317. - directory.c: Added directory_post_to_hs_dir().
  318. - directory.c: Changed directory_initiate_command() to also recognize v2
  319. publish requests.
  320. - directory.c: Changed directory_send_command() to also prepare v2 publish
  321. requests.
  322. - crypto.c: Added implementation for crypto_cipher_encrypt_cbc().
  323. - Changed connection_dir_client_reached_eof().
  324. [Aug 11: Specified and running.]
  325. Hidden service client:
  326. /13/ Send v2 fetch requests
  327. A hidden service client that has set the config option
  328. "FetchV2HidServDescriptors" 0|1 to 1 handles SOCKS requests for v2 onion
  329. addresses by requesting a v2 descriptor from a randomly chosen hidden
  330. service directory that is responsible for keeping replica for the
  331. descriptor ID. In total there are six replicas of which the first and the
  332. last three are stored on consecutive nodes. The probability of picking one
  333. of the three consecutive replicas is 1/6, 2/6, and 3/6 to incorporate the
  334. fact that the availability will be the highest on the node with next higher
  335. ID. A hidden service client relies on the hidden service provider to store
  336. two sets of descriptors to compensate clock skew between service and
  337. client. (requires /1/, /2/, and /3/)
  338. - tor.1.in: Added the config option FetchV2HidServDescriptors.
  339. - rend-spec.txt, section 1.5: Added the new v2 onion address format.
  340. - rend-spec.txt, section 1.6: Alice's OP downloads the service descriptors
  341. similarly as Bob's OP uploaded them in 1.4.
  342. - rendcommon.c: Changed rend_cache_lookup_entry to enable it to also lookup
  343. v2 descriptors.
  344. - rendcommon.c: Added rend_compute_v2_desc_id() to generate v2 descriptor IDs
  345. from v2 onion addresses.
  346. - rendcommon.c: Changed rend_valid_service_id() to also consider v2 onion
  347. addresses as valid and return the version number of the request (0 or 2).
  348. - rendclient.c: Added rend_client_refetch_v2_renddesc() to fetch v2 service
  349. descriptors using the secret cookie.
  350. - rendclient.c: Changed rend_client_remove_intro_point() to copy the secret
  351. cookie if the local descriptor has expired or there are no introduction
  352. points left.
  353. - or.h: Added FetchV2HidServDescriptors to or_options_t.
  354. - or.h: Added constant REND_DESC_ID_V2_LEN to reflect that v2 descriptor
  355. IDs are longer than v0/1 onion addresses.
  356. - or.h: Added constant DIR_PURPOSE_FETCH_RENDDESC_V2.
  357. - directory.c: Added directory_get_from_hs_dir().
  358. - directory.c: Changed directory_initiate_command() to also recognize v2
  359. fetch requests.
  360. - directory.c: Changed directory_send_command() to also prepare v2 fetch
  361. requests.
  362. - connection_edge.c: Changed connection_ap_handshake_rewrite_and_attach()
  363. to fetch v2 service descriptors.
  364. - connection_edge.c: Changed parse_extended_hostname() to accept both,
  365. current and v2 onion addresses.
  366. - config.c: Added config options FetchV2HidServDescriptors.
  367. [Aug 11: Base version specified and running, but no memory of failed
  368. hidden service directories, yet.]
  369. /14/ Process v2 fetch reply and parse v2 descriptors
  370. A hidden service client that has sent a request for a v2 descriptor can
  371. parse it and store it to the local cache of rendezvous service descriptors.
  372. - rend-spec.txt, section 1.2: Added the new v2 hidden service descriptor
  373. format.
  374. - rend-spec.txt, section 1.6: Alice's OP parses the reply received from the
  375. hidden service directory.
  376. - routerparse.c: Added rend_parse_v2_service_descriptor() to parse a v2
  377. hidden service descriptor.
  378. - routerparse.c: Added rend_decrypt_introduction_points() to decrypt and
  379. parse the list of introduction points.
  380. - routerparse.c: Added ipo_token_table[] to parse the decrypted
  381. introduction points of v2 hidden service descriptors.
  382. - routerparse.c: Added desc_token_table[] to parse v2 hidden service
  383. descriptors.
  384. - routerparse.c: Added 8 keywords to directory_keyword to parse v2 hidden
  385. service descriptors, and 5 to parse the decrypted list of introduction
  386. points.
  387. - rendcommon.c: Added rend_cache_store_v2_client() to parse a v2 descriptor
  388. and parse the encrypted list of introduction points.
  389. - or.h: Added rend_version and secret_cookie to edge_connection_t, to
  390. dir_connection_t, and to origin_circuit_t to be able to decrypt
  391. introduction points when receiving a v2 descriptor.
  392. - directory.c: Changed connection_dir_client_reached_eof() to also parse v2
  393. fetch replies.
  394. - crypto.c: Added implementation for crypto_cipher_decrypt_cbc().
  395. [July 9: Specified and running.]
  396. /15/ Establish connection to v2 hidden service
  397. A hidden service client can establish a connection to a hidden service
  398. using a v2 descriptor. This includes using the secret cookie for decrypting
  399. the introduction points contained in the descriptor. When contacting an
  400. introduction point, the client does not use the public key of the hidden
  401. service provider, but the freshly-generated public key that is included in
  402. the hidden service descriptor. Whether or not a fresh key is used instead
  403. of the key of the hidden service depends on the available protocol versions
  404. that are included in the descriptor; by this, connection establishment is
  405. to a certain extend decoupled from fetching the descriptor.
  406. - rend-spec.txt, section 1.8: Alice uses the public key that is included in
  407. the descriptor instead of Bob's permanent service key.
  408. - rendclient.c: Changed rend_client_introduction_acked() to copy the secret
  409. cookie in case the introduction point denied the request.
  410. - rendclient.c: Changed rend_client_remove_intro_point() to copy the secret
  411. cookie if the local descriptor has expired or there are no introduction
  412. points left.
  413. - or.h: Added secret_cookie to edge_connection_t, to dir_connection_t, and
  414. to origin_circuit_t to be able to decrypt introduction points when
  415. receiving a v2 descriptor.
  416. - circuitlist.c: Changed _circuit_mark_for_close() to pass the secret
  417. cookie to rend_client_remove_intro_point() when an intro circ has failed.
  418. - circuituse.c: Changed circuit_get_open_circ_or_launch() to fetch a v2
  419. descriptor with the secret cookie, if no descriptor is available, or copy
  420. the secret cookie to the circuit, in case it dies later, so that it can
  421. be used to fetch a new descriptor.
  422. [July 9: Base version specified and running, but without fresh key.]
  423. Hidden service descriptor:
  424. (Requirements concerning the descriptor format are contained in /6/ and /7/.)
  425. The new v2 hidden service descriptor format looks like this:
  426. onion-address = h(public-key) + cookie
  427. descriptor-id = h(h(public-key) + h(time-period + cookie + relica))
  428. descriptor-content = {
  429. descriptor-id,
  430. version,
  431. public-key,
  432. h(time-period + cookie + replica),
  433. timestamp,
  434. protocol-versions,
  435. { introduction-points } encrypted with cookie
  436. } signed with private-key
  437. The "descriptor-id" needs to change periodically in order for the
  438. descriptor to be stored on changing nodes over time. It may only be
  439. computable by a hidden service provider and all of his clients to prevent
  440. unauthorized nodes from tracking the service activity by periodically
  441. checking whether there is a descriptor for this service. Finally, the
  442. hidden service directory needs to be able to verify that the hidden service
  443. provider is the true originator of the descriptor with the given ID.
  444. Therefore, "descriptor-id" is derived from the "public-key" of the hidden
  445. service provider, the current "time-period" which changes every 24 hours,
  446. a secret "cookie" shared between hidden service provider and clients, and
  447. a "replica" denoting the number of this non-consecutive replica. (The
  448. "time-period" is constructed in a way that time periods do not change at
  449. the same moment for all descriptors by deriving a value between 0:00 and
  450. 23:59 hours from h(public-key) and making the descriptors of this hidden
  451. service provider expire at that time of the day.) The "descriptor-id" is
  452. defined to be 160 bits long. [extending the "descriptor-id" length
  453. suggested by LØ]
  454. Only the hidden service provider and the clients are able to generate
  455. future "descriptor-ID"s. Hence, the "onion-address" is extended from now
  456. the hash value of "public-key" by the secret "cookie". The "public-key" is
  457. determined to be 80 bits long, whereas the "cookie" is dimensioned to be
  458. 120 bits long. This makes a total of 200 bits or 40 base32 chars, which is
  459. quite a lot to handle for a human, but necessary to provide sufficient
  460. protection against an adversary from generating a key pair with same
  461. "public-key" hash or guessing the "cookie".
  462. A hidden service directory can verify that a descriptor was created by the
  463. hidden service provider by checking if the "descriptor-id" corresponds to
  464. the "public-key" and if the signature can be verified with the
  465. "public-key".
  466. The "introduction-points" that are included in the descriptor are encrypted
  467. using the same "cookie" that is shared between hidden service provider and
  468. clients. [correction to use another key than h(time-period + cookie) as
  469. encryption key for introduction points made by LØ]
  470. A new text-based format is proposed for descriptors instead of an extension
  471. of the existing binary format for reasons of future extensibility.
  472. Security implications:
  473. The security implications of the proposed changes are grouped by the roles of
  474. nodes that could perform attacks or on which attacks could be performed.
  475. Attacks by authoritative directory nodes
  476. Authoritative directory nodes are no longer the single places in the
  477. network that know about a hidden service's activity and introduction
  478. points. Thus, they cannot perform attacks using this information, e.g.
  479. track a hidden service's activity or usage pattern or attack its
  480. introduction points. Formerly, it would only require a single corrupted
  481. authoritative directory operator to perform such an attack.
  482. Attacks by hidden service directory nodes
  483. A hidden service directory node could misuse a stored descriptor to track a
  484. hidden service's activity and usage pattern by clients. Though there is no
  485. countermeasure against this kind of attack, it is very expensive to track a
  486. certain hidden service over time. An attacker would need to run a large
  487. number of stable onion routers that work as hidden service directory nodes
  488. to have a good probability to become responsible for its changing
  489. descriptor IDs. For each period, the probability is:
  490. 1-(N-c choose r)/(N choose r) for N-c>=r and 1 otherwise, with N
  491. as total
  492. number of hidden service directories, c as compromised nodes, and r as
  493. number of replicas
  494. The hidden service directory nodes could try to make a certain hidden
  495. service unavailable to its clients. Therefore, they could discard all
  496. stored descriptors for that hidden service and reply to clients that there
  497. is no descriptor for the given ID or return an old or false descriptor
  498. content. The client would detect a false descriptor, because it could not
  499. contain a correct signature. But an old content or an empty reply could
  500. confuse the client. Therefore, the countermeasure is to replicate
  501. descriptors among a small number of hidden service directories, e.g. 5.
  502. The probability of a group of collaborating nodes to make a hidden service
  503. completely unavailable is in each period:
  504. (c choose r)/(N choose r) for c>=r and N>=r, and 0 otherwise,
  505. with N as total
  506. number of hidden service directories, c as compromised nodes, and r as
  507. number of replicas
  508. A hidden service directory could try to find out which introduction points
  509. are working on behalf of a hidden service. In contrast to the previous
  510. design, this is not possible anymore, because this information is encrypted
  511. to the clients of a hidden service.
  512. Attacks on hidden service directory nodes
  513. An anonymous attacker could try to swamp a hidden service directory with
  514. false descriptors for a given descriptor ID. This is prevented by requiring
  515. that descriptors are signed.
  516. Anonymous attackers could swamp a hidden service directory with correct
  517. descriptors for non-existing hidden services. There is no countermeasure
  518. against this attack. However, the creation of valid descriptors is more
  519. expensive than verification and storage in local memory. This should make
  520. this kind of attack unattractive.
  521. Attacks by introduction points
  522. Current or former introduction points could try to gain information on the
  523. hidden service they serve. But due to the fresh key pair that is used by
  524. the hidden service, this attack is not possible anymore.
  525. Attacks by clients
  526. Current or former clients could track a hidden service's activity, attack
  527. its introduction points, or determine the responsible hidden service
  528. directory nodes and attack them. There is nothing that could prevent them
  529. from doing so, because honest clients need the full descriptor content to
  530. establish a connection to the hidden service. At the moment, the only
  531. countermeasure against dishonest clients is to change the secret cookie and
  532. pass it only to the honest clients.
  533. Compatibility:
  534. The proposed design is meant to replace the current design for hidden service
  535. descriptors and their storage in the long run.
  536. There should be a first transition phase in which both, the current design
  537. and the proposed design are served in parallel. Onion routers should start
  538. serving as hidden service directories, and hidden service providers and
  539. clients should make use of the new design if both sides support it. Hidden
  540. service providers should be allowed to publish descriptors of the current
  541. format in parallel, and authoritative directories should continue storing and
  542. serving these descriptors.
  543. After the first transition phase, hidden service providers should stop
  544. publishing descriptors on authoritative directories, and hidden service
  545. clients should not try to fetch descriptors from the authoritative
  546. directories. However, the authoritative directories should continue serving
  547. hidden service descriptors for a second transition phase. As of this point,
  548. all v2 config options should be set to a default value of 1.
  549. After the second transition phase, the authoritative directories should stop
  550. serving hidden service descriptors.
  551. Specification:
  552. The proposed changes affect multiple sections in several specification
  553. documents that are only mentioned in the following. (As for now, all changes
  554. to specification documents are limited to the SVN branch 114-dist-storage.)
  555. tor.1.in
  556. Added the config options HidServDirectoryV2 (/5/),
  557. PublishV2HidServDescriptors (/10/), and FetchV2HidServDescriptors (/13/).
  558. Added the files hostname2 and secret_cookie (/10/).
  559. dir-spec.txt
  560. 2.1 Added the flag hidden-service-dir to the router descriptor format
  561. (/5/).
  562. 3.2 Added the status flag HSDir to the vote and consensus status
  563. document format (/9/).
  564. 3.3 Added a rule for how an authority decides whether a router is assigned
  565. the flag HSDir (/9/).
  566. rend-spec.txt
  567. 0.4 Added history
  568. 1.1 Added requirement to create secret_cookie and hostname2 file (/10/).
  569. 1.2 Added the new v2 hidden service descriptor format (/6/, /12/ and
  570. /14/).
  571. 1.3 Instead of Bob's public key, the hidden service provider uses a
  572. freshly generated public key for every introduction point (/11/).
  573. 1.4 Added description of how to obtain a routing list of hidden service
  574. directories (/1/).
  575. 1.4 Added description of how to determine the responsible node(s) for a
  576. given descriptor ID (/2/).
  577. 1.4 Bob's OP does not only upload v0/v1 service descriptors to the
  578. authoritative directories, but also v2 service descriptors to the hidden
  579. service directories (/12/).
  580. 1.4 Added the requirement that requests need to be sent via Tor (/3/).
  581. 1.5 Added the new v2 onion address format (/13/).
  582. 1.6 Added the requirement that requests need to be sent via Tor (/3/).
  583. 1.6 Alice's OP downloads the service descriptors similarly as Bob's OP
  584. uploaded them in 1.4 (/13/).
  585. 1.6 Alice's OP parses the reply received from the hidden service directory
  586. (/14/).
  587. 1.8 Alice uses the public key that is included in the descriptor instead
  588. of Bob's permanent service key (/15/).
  589. 3.1: Added process of configuring a hidden service directory (/5/).
  590. 3.1: Added the decision on whether an onion router is confirmed to act as
  591. hidden service directory or not (/9/).
  592. 3.2: Added the requirement that requests need to be contained within
  593. BEGIN_DIR cells (/4/).
  594. 3.2: Added the acceptance of v2 publish requests (/6/).
  595. 3.3: Added the requirement that requests need to be contained within
  596. BEGIN_DIR cells (/4/).
  597. 3.3: Added the processing of v2 fetch requests (/7/).
  598. 3.3: Added the replication of v2 descriptors (/8/).
  599. Implementation:
  600. The proposed changes affect the following changes in the source code. (As for
  601. now, all changes to code are limited to the SVN branch 114-dist-storage.)
  602. container.h
  603. Added prototype for smartlist_digest_next_circular() (/2/).
  604. container.c
  605. Added implementation for smartlist_digest_next_circular() (/2/).
  606. crypto.h
  607. Added 3 prototypes according to the changes in crypto.c (various
  608. requirements).
  609. crypto.c
  610. Added implementation for crypto_cipher_encrypt_cbc() (/12/).
  611. Added implementation for crypto_cipher_decrypt_cbc() (/14/).
  612. Added implementation for base32_decode() (various requirements).
  613. circuitlist.c
  614. Changed _circuit_mark_for_close() to pass the secret cookie to
  615. rend_client_remove_intro_point() when an intro circ has failed (/15/).
  616. circuituse.c
  617. Changed circuit_get_open_circ_or_launch() to fetch a v2 descriptor with the
  618. secret cookie, if no descriptor is available, or copy the secret cookie to
  619. the circuit, in case it dies later, so that it can be used to fetch a new
  620. descriptor (/15/).
  621. config.c
  622. Added config options FetchV2HidServDescriptors (/13/),
  623. HidServDirectoryV2 (/5/), and PublishV2HidServDescriptors (/10/).
  624. connection_edge.c
  625. Changed connection_ap_handshake_rewrite_and_attach() to fetch v2 service
  626. descriptors (/13/).
  627. Changed parse_extended_hostname() to accept both, current and v2 onion
  628. addresses (/13/).
  629. directory.c
  630. Added directory_post_to_hs_dir() (/12/).
  631. Added directory_get_from_hs_dir() (/13/).
  632. Changed directory_initiate_command() to also recognize v2 publish (/12/)
  633. and fetch (/13/) requests.
  634. Changed directory_send_command() to also prepare v2 publish (/12/) and
  635. fetch (/13/) requests.
  636. Changed connection_dir_client_reached_eof() to also parse v2 fetch replies
  637. (/14/).
  638. Changed directory_handle_command_get() to handle v2 fetch requests (/13/).
  639. Changed directory_handle_command_post() to handle v2 publish requests
  640. (/12/).
  641. dirserv.c
  642. Changed routerstatus_format_entry() to include the "HSDir" flag in vote and
  643. consensus status documents (/9/).
  644. Changed set_routerstatus_from_routerinfo() to set the "HSDir" flag (/9/).
  645. or.h
  646. Added constants DIR_PURPOSE_UPLOAD_RENDDESC_V2 (/12/) and
  647. DIR_PURPOSE_FETCH_RENDDESC_V2 (/13/).
  648. Added constant REND_DESC_ID_V2_LEN to reflect that v2 descriptor IDs are
  649. longer than v0/1 onion addresses (/6/, /7/, and /13/).
  650. Added rend_version and secret_cookie to edge_connection_t, to
  651. dir_connection_t, and to origin_circuit_t to be able to decrypt
  652. introduction points when receiving a v2 descriptor (/14/ and /15/).
  653. Added is_hs_dir member to routerinfo_t and to routerstatus_t (/9/).
  654. Added hs_dirs member to routerlist_t (/1/).
  655. Added FetchV2HidServDescriptors (/13/), HidServDirectoryV2 (/5/), and
  656. PublishV2HidServDescriptors (/10/) to or_options_t.
  657. Added 7 new members to rend_service_descriptor_t to store v2-specific
  658. information (/12/, /14/, and /15/).
  659. Added 11 prototypes and changed the signature of 1 according to the
  660. changes in .c files (various requirements).
  661. rendclient.c
  662. Changed rend_client_introduction_acked() to copy the secret cookie in case
  663. the introduction point denied the request (/15/).
  664. Added rend_client_refetch_v2_renddesc() to fetch v2 service descriptors
  665. using the secret cookie (/13/).
  666. Changed rend_client_remove_intro_point() to copy the secret cookie if the
  667. local descriptor has expired or there are no introduction points left (/13/
  668. and /15/).
  669. rendcommon.c
  670. Added rend_compute_v2_descriptor_fields() to prepare the encoding of a v2
  671. descriptor (/12/).
  672. Added rend_compute_desc_id() to generate v2 descriptor IDs from v2 onion
  673. addresses (/13/).
  674. Added rend_encode_v2_descriptor() to encode a v2 descriptor (/12/).
  675. Changed rend_valid_service_id() to also consider v2 onion addresses as
  676. valid and return the version number of the request (1 or 2) (/13/).
  677. Changed rend_cache_lookup_entry to enable it to also lookup v2 descriptors
  678. (/13/).
  679. Added rend_cache_lookup_v2_dir() to allow a hidden service directory to
  680. look up a v2 descriptor in the local cache under its descriptor ID instead
  681. of its service ID (/7/).
  682. Moved the parsing part from rend_cache_store() to the new function
  683. rend_cache_store_parse() to reuse it for v2 descriptors (/6/).
  684. Added rend_cache_store_v2_client() to parse a v2 descriptor and parse the
  685. encrypted list of introduction points (/14/).
  686. Added rend_cache_store_v2_dir() to allow a hidden service directory to
  687. store a v2 descriptor in the local cache under its descriptor ID instead of
  688. its service ID (/6/).
  689. rendservice.c
  690. Extended rend_service_t by a member secret_cookie (/10/ and /12/).
  691. Added rend_get_hostname2() to assemble a v2 onion address (/10/).
  692. Changed rend_service_load_keys() to write a secret_cookie and a hostname2
  693. file (/10/).
  694. Changed upload_service_descriptor() to upload v2 hidden service
  695. descriptors, if configured (/12/).
  696. Changed rend_consider_services_upload() to also initiate the upload of v2
  697. descriptors, if configured (/12/).
  698. router.c
  699. Changed router_dump_router_to_string() to include the "hidden-service-dir"
  700. flag in a router descriptor if configured (/5/).
  701. routerlist.c
  702. Changed router_get_routerlist() to initialize routing list (/1/).
  703. Added get_responsible_hs_dir() to determine the router that is responsible
  704. for a given descriptor ID (/2/).
  705. routerparse.c
  706. Added 14 keywords to directory_keyword; 1 to parse the "hidden-service-dir"
  707. flag in router descriptors (/9/), 8 to parse v2 hidden service descriptors
  708. (/6/ and /14/), and 5 to parse the decrypted list of introduction points
  709. (/14/).
  710. Added an entry to routerdesc_token_table[] to parse the
  711. "hidden-service-directory" flag in router descriptors (/9/).
  712. Added desc_token_table[] to parse v2 hidden service descriptors (/6/ and
  713. /14/).
  714. Added ipo_token_table[] to parse the decrypted introduction points of v2
  715. hidden service descriptors (/14/).
  716. Changed router_parse_entry_from_string() to parse the "hidden-service-dir"
  717. flag in router descriptors (/9/).
  718. Changed routerstatus_parse_entry_from_string to parse the "HSDir" flag in
  719. vote and consensus status documents (/1/).
  720. Added rend_parse_v2_service_descriptor() to parse a v2 hidden service
  721. descriptor (/6/ and /14/).
  722. Added rend_decrypt_introduction_points() to decrypt and parse the list of
  723. introduction points (/14/).
  724. Test:
  725. The changes were tested via test functions in test.c for separate,
  726. short-running functionality and using an automatic validation based on
  727. PuppeTor.