103-multilevel-keys.txt 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206
  1. Filename: 103-multilevel-keys.txt
  2. Title: Splitting identity key from regularly used signing key.
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Nick Mathewson
  6. Created:
  7. Status: Closed
  8. Implemented-In: 0.2.0.x
  9. Overview:
  10. This document proposes a change in the way identity keys are used, so that
  11. highly sensitive keys can be password-protected and seldom loaded into RAM.
  12. It presents options; it is not yet a complete proposal.
  13. Proposal:
  14. Replacing a directory authority's identity key in the event of a compromise
  15. would be tremendously annoying. We'd need to tell every client to switch
  16. their configuration, or update to a new version with an uploaded list. So
  17. long as some weren't upgraded, they'd be at risk from whoever had
  18. compromised the key.
  19. With this in mind, it's a shame that our current protocol forces us to
  20. store identity keys unencrypted in RAM. We need some kind of signing key
  21. stored unencrypted, since we need to generate new descriptors/directories
  22. and rotate link and onion keys regularly. (And since, of course, we can't
  23. ask server operators to be on-hand to enter a passphrase every time we
  24. want to rotate keys or sign a descriptor.)
  25. The obvious solution seems to be to have a signing-only key that lives
  26. indefinitely (months or longer) and signs descriptors and link keys, and a
  27. separate identity key that's used to sign the signing key. Tor servers
  28. could run in one of several modes:
  29. 1. Identity key stored encrypted. You need to pick a passphrase when
  30. you enable this mode, and re-enter this passphrase every time you
  31. rotate the signing key.
  32. 1'. Identity key stored separate. You save your identity key to a
  33. floppy, and use the floppy when you need to rotate the signing key.
  34. 2. All keys stored unencrypted. In this case, we might not want to even
  35. *have* a separate signing key. (We'll need to support no-separate-
  36. signing-key mode anyway to keep old servers working.)
  37. 3. All keys stored encrypted. You need to enter a passphrase to start
  38. Tor.
  39. (Of course, we might not want to implement all of these.)
  40. Case 1 is probably most usable and secure, if we assume that people don't
  41. forget their passphrases or lose their floppies. We could mitigate this a
  42. bit by encouraging people to PGP-encrypt their passphrases to themselves,
  43. or keep a cleartext copy of their secret key secret-split into a few
  44. pieces, or something like that.
  45. Migration presents another difficulty, especially with the authorities. If
  46. we use the current set of identity keys as the new identity keys, we're in
  47. the position of having sensitive keys that have been stored on
  48. media-of-dubious-encryption up to now. Also, we need to keep old clients
  49. (who will expect descriptors to be signed by the identity keys they know
  50. and love, and who will not understand signing keys) happy.
  51. A possible solution:
  52. One thing to consider is that router identity keys are not very sensitive:
  53. if an OR disappears and reappears with a new key, the network treats it as
  54. though an old router had disappeared and a new one had joined the network.
  55. The Tor network continues unharmed; this isn't a disaster.
  56. Thus, the ideas above are mostly relevant for authorities.
  57. The most straightforward solution for the authorities is probably to take
  58. advantage of the protocol transition that will come with proposal 101, and
  59. introduce a new set of signing _and_ identity keys used only to sign votes
  60. and consensus network-status documents. Signing and identity keys could be
  61. delivered to users in a separate, rarely changing "keys" document, so that
  62. the consensus network-status documents wouldn't need to include N signing
  63. keys, N identity keys, and N certifications.
  64. Note also that there is no reason that the identity/signing keys used by
  65. directory authorities would necessarily have to be the same as the identity
  66. keys those authorities use in their capacity as routers. Decoupling these
  67. keys would give directory authorities the following set of keys:
  68. Directory authority identity:
  69. Highly confidential; stored encrypted and/or offline. Used to
  70. identity directory authorities. Shipped with clients. Used to
  71. sign Directory authority signing keys.
  72. Directory authority signing key:
  73. Stored online, accessible to regular Tor process. Used to sign
  74. votes and consensus directories. Downloaded as part of a "keys"
  75. document.
  76. [Administrators SHOULD rotate their signing keys every month or
  77. two, just to keep in practice and keep from forgetting the
  78. password to the authority identity.]
  79. V1-V2 directory authority identity:
  80. Stored online, never changed. Used to sign legacy network-status
  81. and directory documents.
  82. Router identity:
  83. Stored online, seldom changed. Used to sign server descriptors
  84. for this authority in its role as a router. Implicitly certified
  85. by being listed in network-status documents.
  86. Onion key, link key:
  87. As in tor-spec.txt
  88. Extensions to Proposal 101.
  89. Define a new document type, "Key certificate". It contains the
  90. following fields, in order:
  91. "dir-key-certificate-version": As network-status-version. Must be
  92. "3".
  93. "fingerprint": Hex fingerprint, with spaces, based on the directory
  94. authority's identity key.
  95. "dir-identity-key": The long-term identity key for this authority.
  96. "dir-key-published": The time when this directory's signing key was
  97. last changed.
  98. "dir-key-expires": A time after which this key is no longer valid.
  99. "dir-signing-key": As in proposal 101.
  100. "dir-key-certification": A signature of the above fields, in order.
  101. The signed material extends from the beginning of
  102. "dir-key-certicate-version" through the newline after
  103. "dir-key-certification". The identity key is used to generate
  104. this signature.
  105. These elements together constitute a "key certificate". These are
  106. generated offline when starting a v3 authority. Private identity
  107. keys SHOULD be stored offline, encrypted, or both. A running
  108. authority only needs access to the signing key.
  109. Unlike other keys currently used by Tor, the authority identity
  110. keys and directory signing keys MAY be longer than 1024 bits.
  111. (They SHOULD be 2048 bits or longer; they MUST NOT be shorter than
  112. 1024.)
  113. Vote documents change as follows:
  114. A key certificate MUST be included in-line in every vote document. With
  115. the exception of "fingerprint", its elements MUST NOT appear in consensus
  116. documents.
  117. Consensus network statuses change as follows:
  118. Remove dir-signing-key.
  119. Change "directory-signature" to take a fingerprint of the authority's
  120. identity key and a fingerprint of the authority's current signing key
  121. rather than the authority's nickname.
  122. Change "dir-source" to take the a fingerprint of the authority's
  123. identity key rather than the authority's nickname or hostname.
  124. Add a new document type:
  125. A "keys" document contains all currently known key certificates.
  126. All authorities serve it at
  127. http://<hostname>/tor/status/keys.z
  128. Caches and clients download the keys document whenever they receive a
  129. consensus vote that uses a key they do not recognize. Caches download
  130. from authorities; clients download from caches.
  131. Processing votes:
  132. When receiving a vote, authorities check to see if the key
  133. certificate for the voter is different from the one they have. If
  134. the key certificate _is_ different, and its dir-key-published is
  135. more recent than the most recently known one, and it is
  136. well-formed and correctly signed with the correct identity key,
  137. then authorities remember it as the new canonical key certificate
  138. for that voter.
  139. A key certificate is invalid if any of the following hold:
  140. * The version is unrecognized.
  141. * The fingerprint does not match the identity key.
  142. * The identity key or the signing key is ill-formed.
  143. * The published date is very far in the past or future.
  144. * The signature is not a valid signature of the key certificate
  145. generated with the identity key.
  146. When processing the signatures on consensus, clients and caches act as
  147. follows:
  148. 1. Only consider the directory-signature entries whose identity
  149. key hashes match trusted authorities.
  150. 2. If any such entries have signing key hashes that match unknown
  151. signing keys, download a new keys document.
  152. 3. For every entry with a known (identity key,signing key) pair,
  153. check the signature on the document.
  154. 4. If the document has been signed by more than half of the
  155. authorities the client recognizes, treat the consensus as
  156. correctly signed.
  157. If not, but the number entries with known identity keys but
  158. unknown signing keys might be enough to make the consensus
  159. correctly signed, do not use the consensus, but do not discard
  160. it until we have a new keys document.