121-hidden-service-authentication.txt 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778
  1. Filename: 121-hidden-service-authentication.txt
  2. Title: Hidden Service Authentication
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Tobias Kamm, Thomas Lauterbach, Karsten Loesing, Ferdinand Rieger,
  6. Christoph Weingarten
  7. Created: 10-Sep-2007
  8. Status: Finished
  9. Implemented-In: 0.2.1.x
  10. Change history:
  11. 26-Sep-2007 Initial proposal for or-dev
  12. 08-Dec-2007 Incorporated comments by Nick posted to or-dev on 10-Oct-2007
  13. 15-Dec-2007 Rewrote complete proposal for better readability, modified
  14. authentication protocol, merged in personal notes
  15. 24-Dec-2007 Replaced misleading term "authentication" by "authorization"
  16. and added some clarifications (comments by Sven Kaffille)
  17. 28-Apr-2008 Updated most parts of the concrete authorization protocol
  18. 04-Jul-2008 Add a simple algorithm to delay descriptor publication for
  19. different clients of a hidden service
  20. 19-Jul-2008 Added INTRODUCE1V cell type (1.2), improved replay
  21. protection for INTRODUCE2 cells (1.3), described limitations
  22. for auth protocols (1.6), improved hidden service protocol
  23. without client authorization (2.1), added second, more
  24. scalable authorization protocol (2.2), rewrote existing
  25. authorization protocol (2.3); changes based on discussion
  26. with Nick
  27. 31-Jul-2008 Limit maximum descriptor size to 20 kilobytes to prevent
  28. abuse.
  29. 01-Aug-2008 Use first part of Diffie-Hellman handshake for replay
  30. protection instead of rendezvous cookie.
  31. 01-Aug-2008 Remove improved hidden service protocol without client
  32. authorization (2.1). It might get implemented in proposal
  33. 142.
  34. Overview:
  35. This proposal deals with a general infrastructure for performing
  36. authorization (not necessarily implying authentication) of requests to
  37. hidden services at three points: (1) when downloading and decrypting
  38. parts of the hidden service descriptor, (2) at the introduction point,
  39. and (3) at Bob's Tor client before contacting the rendezvous point. A
  40. service provider will be able to restrict access to his service at these
  41. three points to authorized clients only. Further, the proposal contains
  42. specific authorization protocols as instances that implement the
  43. presented authorization infrastructure.
  44. This proposal is based on v2 hidden service descriptors as described in
  45. proposal 114 and introduced in version 0.2.0.10-alpha.
  46. The proposal is structured as follows: The next section motivates the
  47. integration of authorization mechanisms in the hidden service protocol.
  48. Then we describe a general infrastructure for authorization in hidden
  49. services, followed by specific authorization protocols for this
  50. infrastructure. At the end we discuss a number of attacks and non-attacks
  51. as well as compatibility issues.
  52. Motivation:
  53. The major part of hidden services does not require client authorization
  54. now and won't do so in the future. To the contrary, many clients would
  55. not want to be (pseudonymously) identifiable by the service (though this
  56. is unavoidable to some extent), but rather use the service
  57. anonymously. These services are not addressed by this proposal.
  58. However, there may be certain services which are intended to be accessed
  59. by a limited set of clients only. A possible application might be a
  60. wiki or forum that should only be accessible for a closed user group.
  61. Another, less intuitive example might be a real-time communication
  62. service, where someone provides a presence and messaging service only to
  63. his buddies. Finally, a possible application would be a personal home
  64. server that should be remotely accessed by its owner.
  65. Performing authorization for a hidden service within the Tor network, as
  66. proposed here, offers a range of advantages compared to allowing all
  67. client connections in the first instance and deferring authorization to
  68. the transported protocol:
  69. (1) Reduced traffic: Unauthorized requests would be rejected as early as
  70. possible, thereby reducing the overall traffic in the network generated
  71. by establishing circuits and sending cells.
  72. (2) Better protection of service location: Unauthorized clients could not
  73. force Bob to create circuits to their rendezvous points, thus preventing
  74. the attack described by Øverlier and Syverson in their paper "Locating
  75. Hidden Servers" even without the need for guards.
  76. (3) Hiding activity: Apart from performing the actual authorization, a
  77. service provider could also hide the mere presence of his service from
  78. unauthorized clients when not providing hidden service descriptors to
  79. them, rejecting unauthorized requests already at the introduction
  80. point (ideally without leaking presence information at any of these
  81. points), or not answering unauthorized introduction requests.
  82. (4) Better protection of introduction points: When providing hidden
  83. service descriptors to authorized clients only and encrypting the
  84. introduction points as described in proposal 114, the introduction points
  85. would be unknown to unauthorized clients and thereby protected from DoS
  86. attacks.
  87. (5) Protocol independence: Authorization could be performed for all
  88. transported protocols, regardless of their own capabilities to do so.
  89. (6) Ease of administration: A service provider running multiple hidden
  90. services would be able to configure access at a single place uniformly
  91. instead of doing so for all services separately.
  92. (7) Optional QoS support: Bob could adapt his node selection algorithm
  93. for building the circuit to Alice's rendezvous point depending on a
  94. previously guaranteed QoS level, thus providing better latency or
  95. bandwidth for selected clients.
  96. A disadvantage of performing authorization within the Tor network is
  97. that a hidden service cannot make use of authorization data in
  98. the transported protocol. Tor hidden services were designed to be
  99. independent of the transported protocol. Therefore it's only possible to
  100. either grant or deny access to the whole service, but not to specific
  101. resources of the service.
  102. Authorization often implies authentication, i.e. proving one's identity.
  103. However, when performing authorization within the Tor network, untrusted
  104. points should not gain any useful information about the identities of
  105. communicating parties, neither server nor client. A crucial challenge is
  106. to remain anonymous towards directory servers and introduction points.
  107. However, trying to hide identity from the hidden service is a futile
  108. task, because a client would never know if he is the only authorized
  109. client and therefore perfectly identifiable. Therefore, hiding client
  110. identity from the hidden service is not an aim of this proposal.
  111. The current implementation of hidden services does not provide any kind
  112. of authorization. The hidden service descriptor version 2, introduced by
  113. proposal 114, was designed to use a descriptor cookie for downloading and
  114. decrypting parts of the descriptor content, but this feature is not yet
  115. in use. Further, most relevant cell formats specified in rend-spec
  116. contain fields for authorization data, but those fields are neither
  117. implemented nor do they suffice entirely.
  118. Details:
  119. 1. General infrastructure for authorization to hidden services
  120. We spotted three possible authorization points in the hidden service
  121. protocol:
  122. (1) when downloading and decrypting parts of the hidden service
  123. descriptor,
  124. (2) at the introduction point, and
  125. (3) at Bob's Tor client before contacting the rendezvous point.
  126. The general idea of this proposal is to allow service providers to
  127. restrict access to some or all of these points to authorized clients
  128. only.
  129. 1.1. Client authorization at directory
  130. Since the implementation of proposal 114 it is possible to combine a
  131. hidden service descriptor with a so-called descriptor cookie. If done so,
  132. the descriptor cookie becomes part of the descriptor ID, thus having an
  133. effect on the storage location of the descriptor. Someone who has learned
  134. about a service, but is not aware of the descriptor cookie, won't be able
  135. to determine the descriptor ID and download the current hidden service
  136. descriptor; he won't even know whether the service has uploaded a
  137. descriptor recently. Descriptor IDs are calculated as follows (see
  138. section 1.2 of rend-spec for the complete specification of v2 hidden
  139. service descriptors):
  140. descriptor-id =
  141. H(service-id | H(time-period | descriptor-cookie | replica))
  142. Currently, service-id is equivalent to permanent-id which is calculated
  143. as in the following formula. But in principle it could be any public
  144. key.
  145. permanent-id = H(permanent-key)[:10]
  146. The second purpose of the descriptor cookie is to encrypt the list of
  147. introduction points, including optional authorization data. Hence, the
  148. hidden service directories won't learn any introduction information from
  149. storing a hidden service descriptor. This feature is implemented but
  150. unused at the moment. So this proposal will harness the advantages
  151. of proposal 114.
  152. The descriptor cookie can be used for authorization by keeping it secret
  153. from everyone but authorized clients. A service could then decide whether
  154. to publish hidden service descriptors using that descriptor cookie later
  155. on. An authorized client being aware of the descriptor cookie would be
  156. able to download and decrypt the hidden service descriptor.
  157. The number of concurrently used descriptor cookies for one hidden service
  158. is not restricted. A service could use a single descriptor cookie for all
  159. users, a distinct cookie per user, or something in between, like one
  160. cookie per group of users. It is up to the specific protocol and how it
  161. is applied by a service provider.
  162. Two or more hidden service descriptors for different groups or users
  163. should not be uploaded at the same time. A directory node could conclude
  164. easily that the descriptors were issued by the same hidden service, thus
  165. being able to link the two groups or users. Therefore, descriptors for
  166. different users or clients that ought to be stored on the same directory
  167. are delayed, so that only one descriptor is uploaded to a directory at a
  168. time. The remaining descriptors are uploaded with a delay of up to
  169. 30 seconds.
  170. Further, descriptors for different groups or users that are to be stored
  171. on different directories are delayed for a random time of up to 30
  172. seconds to hide relations from colluding directories. Certainly, this
  173. does not prevent linking entirely, but it makes it somewhat harder.
  174. There is a conflict between hiding links between clients and making a
  175. service available in a timely manner.
  176. Although this part of the proposal is meant to describe a general
  177. infrastructure for authorization, changing the way of using the
  178. descriptor cookie to look up hidden service descriptors, e.g. applying
  179. some sort of asymmetric crypto system, would require in-depth changes
  180. that would be incompatible to v2 hidden service descriptors. On the
  181. contrary, using another key for en-/decrypting the introduction point
  182. part of a hidden service descriptor, e.g. a different symmetric key or
  183. asymmetric encryption, would be easy to implement and compatible to v2
  184. hidden service descriptors as understood by hidden service directories
  185. (clients and services would have to be upgraded anyway for using the new
  186. features).
  187. An adversary could try to abuse the fact that introduction points can be
  188. encrypted by storing arbitrary, unrelated data in the hidden service
  189. directory. This abuse can be limited by setting a hard descriptor size
  190. limit, forcing the adversary to split data into multiple chunks. There
  191. are some limitations that make splitting data across multiple descriptors
  192. unattractive: 1) The adversary would not be able to choose descriptor IDs
  193. freely and would therefore have to implement his own indexing
  194. structure. 2) Validity of descriptors is limited to at most 24 hours
  195. after which descriptors need to be republished.
  196. The regular descriptor size in bytes is 745 + num_ipos * 837 + auth_data.
  197. A large descriptor with 7 introduction points and 5 kilobytes of
  198. authorization data would be 11724 bytes in size. The upper size limit of
  199. descriptors should be set to 20 kilobytes, which limits the effect of
  200. abuse while retaining enough flexibility in designing authorization
  201. protocols.
  202. 1.2. Client authorization at introduction point
  203. The next possible authorization point after downloading and decrypting
  204. a hidden service descriptor is the introduction point. It may be important
  205. for authorization, because it bears the last chance of hiding presence
  206. of a hidden service from unauthorized clients. Further, performing
  207. authorization at the introduction point might reduce traffic in the
  208. network, because unauthorized requests would not be passed to the
  209. hidden service. This applies to those clients who are aware of a
  210. descriptor cookie and thereby of the hidden service descriptor, but do
  211. not have authorization data to pass the introduction point or access the
  212. service (such a situation might occur when authorization data for
  213. authorization at the directory is not issued on a per-user basis, but
  214. authorization data for authorization at the introduction point is).
  215. It is important to note that the introduction point must be considered
  216. untrustworthy, and therefore cannot replace authorization at the hidden
  217. service itself. Nor should the introduction point learn any sensitive
  218. identifiable information from either the service or the client.
  219. In order to perform authorization at the introduction point, three
  220. message formats need to be modified: (1) v2 hidden service descriptors,
  221. (2) ESTABLISH_INTRO cells, and (3) INTRODUCE1 cells.
  222. A v2 hidden service descriptor needs to contain authorization data that
  223. is introduction-point-specific and sometimes also authorization data
  224. that is introduction-point-independent. Therefore, v2 hidden service
  225. descriptors as specified in section 1.2 of rend-spec already contain two
  226. reserved fields "intro-authorization" and "service-authorization"
  227. (originally, the names of these fields were "...-authentication")
  228. containing an authorization type number and arbitrary authorization
  229. data. We propose that authorization data consists of base64 encoded
  230. objects of arbitrary length, surrounded by "-----BEGIN MESSAGE-----" and
  231. "-----END MESSAGE-----". This will increase the size of hidden service
  232. descriptors, but this is allowed since there is no strict upper limit.
  233. The current ESTABLISH_INTRO cells as described in section 1.3 of
  234. rend-spec do not contain either authorization data or version
  235. information. Therefore, we propose a new version 1 of the ESTABLISH_INTRO
  236. cells adding these two issues as follows:
  237. V Format byte: set to 255 [1 octet]
  238. V Version byte: set to 1 [1 octet]
  239. KL Key length [2 octets]
  240. PK Bob's public key [KL octets]
  241. HS Hash of session info [20 octets]
  242. AUTHT The auth type that is supported [1 octet]
  243. AUTHL Length of auth data [2 octets]
  244. AUTHD Auth data [variable]
  245. SIG Signature of above information [variable]
  246. From the format it is possible to determine the maximum allowed size for
  247. authorization data: given the fact that cells are 512 octets long, of
  248. which 498 octets are usable (see section 6.1 of tor-spec), and assuming
  249. 1024 bit = 128 octet long keys, there are 215 octets left for
  250. authorization data. Hence, authorization protocols are bound to use no
  251. more than these 215 octets, regardless of the number of clients that
  252. shall be authenticated at the introduction point. Otherwise, one would
  253. need to send multiple ESTABLISH_INTRO cells or split them up, which we do
  254. not specify here.
  255. In order to understand a v1 ESTABLISH_INTRO cell, the implementation of
  256. a relay must have a certain Tor version. Hidden services need to be able
  257. to distinguish relays being capable of understanding the new v1 cell
  258. formats and perform authorization. We propose to use the version number
  259. that is contained in networkstatus documents to find capable
  260. introduction points.
  261. The current INTRODUCE1 cell as described in section 1.8 of rend-spec is
  262. not designed to carry authorization data and has no version number, too.
  263. Unfortunately, unversioned INTRODUCE1 cells consist only of a fixed-size,
  264. seemingly random PK_ID, followed by the encrypted INTRODUCE2 cell. This
  265. makes it impossible to distinguish unversioned INTRODUCE1 cells from any
  266. later format. In particular, it is not possible to introduce some kind of
  267. format and version byte for newer versions of this cell. That's probably
  268. where the comment "[XXX011 want to put intro-level auth info here, but no
  269. version. crap. -RD]" that was part of rend-spec some time ago comes from.
  270. We propose that new versioned INTRODUCE1 cells use the new cell type 41
  271. RELAY_INTRODUCE1V (where V stands for versioned):
  272. Cleartext
  273. V Version byte: set to 1 [1 octet]
  274. PK_ID Identifier for Bob's PK [20 octets]
  275. AUTHT The auth type that is included [1 octet]
  276. AUTHL Length of auth data [2 octets]
  277. AUTHD Auth data [variable]
  278. Encrypted to Bob's PK:
  279. (RELAY_INTRODUCE2 cell)
  280. The maximum length of contained authorization data depends on the length
  281. of the contained INTRODUCE2 cell. A calculation follows below when
  282. describing the INTRODUCE2 cell format we propose to use.
  283. 1.3. Client authorization at hidden service
  284. The time when a hidden service receives an INTRODUCE2 cell constitutes
  285. the last possible authorization point during the hidden service
  286. protocol. Performing authorization here is easier than at the other two
  287. authorization points, because there are no possibly untrusted entities
  288. involved.
  289. In general, a client that is successfully authorized at the introduction
  290. point should be granted access at the hidden service, too. Otherwise, the
  291. client would receive a positive INTRODUCE_ACK cell from the introduction
  292. point and conclude that it may connect to the service, but the request
  293. will be dropped without notice. This would appear as a failure to
  294. clients. Therefore, the number of cases in which a client successfully
  295. passes the introduction point but fails at the hidden service should be
  296. zero. However, this does not lead to the conclusion that the
  297. authorization data used at the introduction point and the hidden service
  298. must be the same, but only that both authorization data should lead to
  299. the same authorization result.
  300. Authorization data is transmitted from client to server via an
  301. INTRODUCE2 cell that is forwarded by the introduction point. There are
  302. versions 0 to 2 specified in section 1.8 of rend-spec, but none of these
  303. contain fields for carrying authorization data. We propose a slightly
  304. modified version of v3 INTRODUCE2 cells that is specified in section
  305. 1.8.1 and which is not implemented as of December 2007. In contrast to
  306. the specified v3 we avoid specifying (and implementing) IPv6 capabilities,
  307. because Tor relays will be required to support IPv4 addresses for a long
  308. time in the future, so that this seems unnecessary at the moment. The
  309. proposed format of v3 INTRODUCE2 cells is as follows:
  310. VER Version byte: set to 3. [1 octet]
  311. AUTHT The auth type that is used [1 octet]
  312. AUTHL Length of auth data [2 octets]
  313. AUTHD Auth data [variable]
  314. TS Timestamp (seconds since 1-1-1970) [4 octets]
  315. IP Rendezvous point's address [4 octets]
  316. PORT Rendezvous point's OR port [2 octets]
  317. ID Rendezvous point identity ID [20 octets]
  318. KLEN Length of onion key [2 octets]
  319. KEY Rendezvous point onion key [KLEN octets]
  320. RC Rendezvous cookie [20 octets]
  321. g^x Diffie-Hellman data, part 1 [128 octets]
  322. The maximum possible length of authorization data is related to the
  323. enclosing INTRODUCE1V cell. A v3 INTRODUCE2 cell with
  324. 1024 bit = 128 octets long public key without any authorization data
  325. occupies 306 octets (AUTHL is only used when AUTHT has a value != 0),
  326. plus 58 octets for hybrid public key encryption (see
  327. section 5.1 of tor-spec on hybrid encryption of CREATE cells). The
  328. surrounding INTRODUCE1V cell requires 24 octets. This leaves only 110
  329. of the 498 available octets free, which must be shared between
  330. authorization data to the introduction point _and_ to the hidden
  331. service.
  332. When receiving a v3 INTRODUCE2 cell, Bob checks whether a client has
  333. provided valid authorization data to him. He also requires that the
  334. timestamp is no more than 30 minutes in the past or future and that the
  335. first part of the Diffie-Hellman handshake has not been used in the past
  336. 60 minutes to prevent replay attacks by rogue introduction points. (The
  337. reason for not using the rendezvous cookie to detect replays---even
  338. though it is only sent once in the current design---is that it might be
  339. desirable to re-use rendezvous cookies for multiple introduction requests
  340. in the future.) If all checks pass, Bob builds a circuit to the provided
  341. rendezvous point. Otherwise he drops the cell.
  342. 1.4. Summary of authorization data fields
  343. In summary, the proposed descriptor format and cell formats provide the
  344. following fields for carrying authorization data:
  345. (1) The v2 hidden service descriptor contains:
  346. - a descriptor cookie that is used for the lookup process, and
  347. - an arbitrary encryption schema to ensure authorization to access
  348. introduction information (currently symmetric encryption with the
  349. descriptor cookie).
  350. (2) For performing authorization at the introduction point we can use:
  351. - the fields intro-authorization and service-authorization in
  352. hidden service descriptors,
  353. - a maximum of 215 octets in the ESTABLISH_INTRO cell, and
  354. - one part of 110 octets in the INTRODUCE1V cell.
  355. (3) For performing authorization at the hidden service we can use:
  356. - the fields intro-authorization and service-authorization in
  357. hidden service descriptors,
  358. - the other part of 110 octets in the INTRODUCE2 cell.
  359. It will also still be possible to access a hidden service without any
  360. authorization or only use a part of the authorization infrastructure.
  361. However, this requires to consider all parts of the infrastructure. For
  362. example, authorization at the introduction point relying on confidential
  363. intro-authorization data transported in the hidden service descriptor
  364. cannot be performed without using an encryption schema for introduction
  365. information.
  366. 1.5. Managing authorization data at servers and clients
  367. In order to provide authorization data at the hidden service and the
  368. authenticated clients, we propose to use files---either the Tor
  369. configuration file or separate files. The exact format of these special
  370. files depends on the authorization protocol used.
  371. Currently, rend-spec contains the proposition to encode client-side
  372. authorization data in the URL, like in x.y.z.onion. This was never used
  373. and is also a bad idea, because in case of HTTP the requested URL may be
  374. contained in the Host and Referer fields.
  375. 1.6. Limitations for authorization protocols
  376. There are two limitations of the current hidden service protocol for
  377. authorization protocols that shall be identified here.
  378. 1. The three cell types ESTABLISH_INTRO, INTRODUCE1V, and INTRODUCE2
  379. restricts the amount of data that can be used for authorization.
  380. This forces authorization protocols that require per-user
  381. authorization data at the introduction point to restrict the number
  382. of authorized clients artificially. A possible solution could be to
  383. split contents among multiple cells and reassemble them at the
  384. introduction points.
  385. 2. The current hidden service protocol does not specify cell types to
  386. perform interactive authorization between client and introduction
  387. point or hidden service. If there should be an authorization
  388. protocol that requires interaction, new cell types would have to be
  389. defined and integrated into the hidden service protocol.
  390. 2. Specific authorization protocol instances
  391. In the following we present two specific authorization protocols that
  392. make use of (parts of) the new authorization infrastructure:
  393. 1. The first protocol allows a service provider to restrict access
  394. to clients with a previously received secret key only, but does not
  395. attempt to hide service activity from others.
  396. 2. The second protocol, albeit being feasible for a limited set of about
  397. 16 clients, performs client authorization and hides service activity
  398. from everyone but the authorized clients.
  399. These two protocol instances extend the existing hidden service protocol
  400. version 2. Hidden services that perform client authorization may run in
  401. parallel to other services running versions 0, 2, or both.
  402. 2.1. Service with large-scale client authorization
  403. The first client authorization protocol aims at performing access control
  404. while consuming as few additional resources as possible. A service
  405. provider should be able to permit access to a large number of clients
  406. while denying access for everyone else. However, the price for
  407. scalability is that the service won't be able to hide its activity from
  408. unauthorized or formerly authorized clients.
  409. The main idea of this protocol is to encrypt the introduction-point part
  410. in hidden service descriptors to authorized clients using symmetric keys.
  411. This ensures that nobody else but authorized clients can learn which
  412. introduction points a service currently uses, nor can someone send a
  413. valid INTRODUCE1 message without knowing the introduction key. Therefore,
  414. a subsequent authorization at the introduction point is not required.
  415. A service provider generates symmetric "descriptor cookies" for his
  416. clients and distributes them outside of Tor. The suggested key size is
  417. 128 bits, so that descriptor cookies can be encoded in 22 base64 chars
  418. (which can hold up to 22 * 5 = 132 bits, leaving 4 bits to encode the
  419. authorization type (here: "0") and allow a client to distinguish this
  420. authorization protocol from others like the one proposed below).
  421. Typically, the contact information for a hidden service using this
  422. authorization protocol looks like this:
  423. v2cbb2l4lsnpio4q.onion Ll3X7Xgz9eHGKCCnlFH0uz
  424. When generating a hidden service descriptor, the service encrypts the
  425. introduction-point part with a single randomly generated symmetric
  426. 128-bit session key using AES-CTR as described for v2 hidden service
  427. descriptors in rend-spec. Afterwards, the service encrypts the session
  428. key to all descriptor cookies using AES. Authorized client should be able
  429. to efficiently find the session key that is encrypted for him/her, so
  430. that 4 octet long client ID are generated consisting of descriptor cookie
  431. and initialization vector. Descriptors always contain a number of
  432. encrypted session keys that is a multiple of 16 by adding fake entries.
  433. Encrypted session keys are ordered by client IDs in order to conceal
  434. addition or removal of authorized clients by the service provider.
  435. ATYPE Authorization type: set to 1. [1 octet]
  436. ALEN Number of clients := 1 + ((clients - 1) div 16) [1 octet]
  437. for each symmetric descriptor cookie:
  438. ID Client ID: H(descriptor cookie | IV)[:4] [4 octets]
  439. SKEY Session key encrypted with descriptor cookie [16 octets]
  440. (end of client-specific part)
  441. RND Random data [(15 - ((clients - 1) mod 16)) * 20 octets]
  442. IV AES initialization vector [16 octets]
  443. IPOS Intro points, encrypted with session key [remaining octets]
  444. An authorized client needs to configure Tor to use the descriptor cookie
  445. when accessing the hidden service. Therefore, a user adds the contact
  446. information that she received from the service provider to her torrc
  447. file. Upon downloading a hidden service descriptor, Tor finds the
  448. encrypted introduction-point part and attempts to decrypt it using the
  449. configured descriptor cookie. (In the rare event of two or more client
  450. IDs being equal a client tries to decrypt all of them.)
  451. Upon sending the introduction, the client includes her descriptor cookie
  452. as auth type "1" in the INTRODUCE2 cell that she sends to the service.
  453. The hidden service checks whether the included descriptor cookie is
  454. authorized to access the service and either responds to the introduction
  455. request, or not.
  456. 2.2. Authorization for limited number of clients
  457. A second, more sophisticated client authorization protocol goes the extra
  458. mile of hiding service activity from unauthorized clients. With all else
  459. being equal to the preceding authorization protocol, the second protocol
  460. publishes hidden service descriptors for each user separately and gets
  461. along with encrypting the introduction-point part of descriptors to a
  462. single client. This allows the service to stop publishing descriptors for
  463. removed clients. As long as a removed client cannot link descriptors
  464. issued for other clients to the service, it cannot derive service
  465. activity any more. The downside of this approach is limited scalability.
  466. Even though the distributed storage of descriptors (cf. proposal 114)
  467. tackles the problem of limited scalability to a certain extent, this
  468. protocol should not be used for services with more than 16 clients. (In
  469. fact, Tor should refuse to advertise services for more than this number
  470. of clients.)
  471. A hidden service generates an asymmetric "client key" and a symmetric
  472. "descriptor cookie" for each client. The client key is used as
  473. replacement for the service's permanent key, so that the service uses a
  474. different identity for each of his clients. The descriptor cookie is used
  475. to store descriptors at changing directory nodes that are unpredictable
  476. for anyone but service and client, to encrypt the introduction-point
  477. part, and to be included in INTRODUCE2 cells. Once the service has
  478. created client key and descriptor cookie, he tells them to the client
  479. outside of Tor. The contact information string looks similar to the one
  480. used by the preceding authorization protocol (with the only difference
  481. that it has "1" encoded as auth-type in the remaining 4 of 132 bits
  482. instead of "0" as before).
  483. When creating a hidden service descriptor for an authorized client, the
  484. hidden service uses the client key and descriptor cookie to compute
  485. secret ID part and descriptor ID:
  486. secret-id-part = H(time-period | descriptor-cookie | replica)
  487. descriptor-id = H(client-key[:10] | secret-id-part)
  488. The hidden service also replaces permanent-key in the descriptor with
  489. client-key and encrypts introduction-points with the descriptor cookie.
  490. ATYPE Authorization type: set to 2. [1 octet]
  491. IV AES initialization vector [16 octets]
  492. IPOS Intro points, encr. with descriptor cookie [remaining octets]
  493. When uploading descriptors, the hidden service needs to make sure that
  494. descriptors for different clients are not uploaded at the same time (cf.
  495. Section 1.1) which is also a limiting factor for the number of clients.
  496. When a client is requested to establish a connection to a hidden service
  497. it looks up whether it has any authorization data configured for that
  498. service. If the user has configured authorization data for authorization
  499. protocol "2", the descriptor ID is determined as described in the last
  500. paragraph. Upon receiving a descriptor, the client decrypts the
  501. introduction-point part using its descriptor cookie. Further, the client
  502. includes its descriptor cookie as auth-type "2" in INTRODUCE2 cells that
  503. it sends to the service.
  504. 2.3. Hidden service configuration
  505. A hidden service that is meant to perform client authorization adds a
  506. new option HiddenServiceAuthorizeClient to its hidden service
  507. configuration. This option contains the authorization type which is
  508. either "1" for the protocol described in 2.1 or "2" for the protocol in
  509. 2.2 and a comma-separated list of human-readable client names, so that
  510. Tor can create authorization data for these clients:
  511. HiddenServiceAuthorizeClient auth-type client-name,client-name,...
  512. If this option is configured, HiddenServiceVersion is automatically
  513. reconfigured to contain only version numbers of 2 or higher.
  514. Tor stores all generated authorization data for the authorization
  515. protocols described in Sections 2.1 and 2.2 in a new file using the
  516. following file format:
  517. "client-name" human-readable client identifier NL
  518. "descriptor-cookie" 128-bit key ^= 22 base64 chars NL
  519. If the authorization protocol of Section 2.2 is used, Tor also generates
  520. and stores the following data:
  521. "client-key" NL a public key in PEM format
  522. 2.4. Client configuration
  523. Clients need to make their authorization data known to Tor using another
  524. configuration option that contains a service name (mainly for the sake of
  525. convenience), the service address, and the descriptor cookie that is
  526. required to access a hidden service (the authorization protocol number is
  527. encoded in the descriptor cookie):
  528. HidServAuth service-name service-address descriptor-cookie
  529. Security implications:
  530. In the following we want to discuss possible attacks by dishonest
  531. entities in the presented infrastructure and specific protocol. These
  532. security implications would have to be verified once more when adding
  533. another protocol. The dishonest entities (theoretically) include the
  534. hidden service itself, the authenticated clients, hidden service directory
  535. nodes, introduction points, and rendezvous points. The relays that are
  536. part of circuits used during protocol execution, but never learn about
  537. the exchanged descriptors or cells by design, are not considered.
  538. Obviously, this list makes no claim to be complete. The discussed attacks
  539. are sorted by the difficulty to perform them, in ascending order,
  540. starting with roles that everyone could attempt to take and ending with
  541. partially trusted entities abusing the trust put in them.
  542. (1) A hidden service directory could attempt to conclude presence of a
  543. service from the existence of a locally stored hidden service descriptor:
  544. This passive attack is possible only for a single client-service
  545. relation, because descriptors need to contain a publicly visible
  546. signature of the service using the client key.
  547. A possible protection would be to increase the number of hidden service
  548. directories in the network.
  549. (2) A hidden service directory could try to break the descriptor cookies
  550. of locally stored descriptors: This attack can be performed offline. The
  551. only useful countermeasure against it might be using safe passwords that
  552. are generated by Tor.
  553. [passwords? where did those come in? -RD]
  554. (3) An introduction point could try to identify the pseudonym of the
  555. hidden service on behalf of which it operates: This is impossible by
  556. design, because the service uses a fresh public key for every
  557. establishment of an introduction point (see proposal 114) and the
  558. introduction point receives a fresh introduction cookie, so that there is
  559. no identifiable information about the service that the introduction point
  560. could learn. The introduction point cannot even tell if client accesses
  561. belong to the same client or not, nor can it know the total number of
  562. authorized clients. The only information might be the pattern of
  563. anonymous client accesses, but that is hardly enough to reliably identify
  564. a specific service.
  565. (4) An introduction point could want to learn the identities of accessing
  566. clients: This is also impossible by design, because all clients use the
  567. same introduction cookie for authorization at the introduction point.
  568. (5) An introduction point could try to replay a correct INTRODUCE1 cell
  569. to other introduction points of the same service, e.g. in order to force
  570. the service to create a huge number of useless circuits: This attack is
  571. not possible by design, because INTRODUCE1 cells are encrypted using a
  572. freshly created introduction key that is only known to authorized
  573. clients.
  574. (6) An introduction point could attempt to replay a correct INTRODUCE2
  575. cell to the hidden service, e.g. for the same reason as in the last
  576. attack: This attack is stopped by the fact that a service will drop
  577. INTRODUCE2 cells containing a DH handshake they have seen recently.
  578. (7) An introduction point could block client requests by sending either
  579. positive or negative INTRODUCE_ACK cells back to the client, but without
  580. forwarding INTRODUCE2 cells to the server: This attack is an annoyance
  581. for clients, because they might wait for a timeout to elapse until trying
  582. another introduction point. However, this attack is not introduced by
  583. performing authorization and it cannot be targeted towards a specific
  584. client. A countermeasure might be for the server to periodically perform
  585. introduction requests to his own service to see if introduction points
  586. are working correctly.
  587. (8) The rendezvous point could attempt to identify either server or
  588. client: This remains impossible as it was before, because the
  589. rendezvous cookie does not contain any identifiable information.
  590. (9) An authenticated client could swamp the server with valid INTRODUCE1
  591. and INTRODUCE2 cells, e.g. in order to force the service to create
  592. useless circuits to rendezvous points; as opposed to an introduction
  593. point replaying the same INTRODUCE2 cell, a client could include a new
  594. rendezvous cookie for every request: The countermeasure for this attack
  595. is the restriction to 10 connection establishments per client per hour.
  596. Compatibility:
  597. An implementation of this proposal would require changes to hidden
  598. services and clients to process authorization data and encode and
  599. understand the new formats. However, both services and clients would
  600. remain compatible to regular hidden services without authorization.
  601. Implementation:
  602. The implementation of this proposal can be divided into a number of
  603. changes to hidden service and client side. There are no
  604. changes necessary on directory, introduction, or rendezvous nodes. All
  605. changes are marked with either [service] or [client] do denote on which
  606. side they need to be made.
  607. /1/ Configure client authorization [service]
  608. - Parse configuration option HiddenServiceAuthorizeClient containing
  609. authorized client names.
  610. - Load previously created client keys and descriptor cookies.
  611. - Generate missing client keys and descriptor cookies, add them to
  612. client_keys file.
  613. - Rewrite the hostname file.
  614. - Keep client keys and descriptor cookies of authorized clients in
  615. memory.
  616. [- In case of reconfiguration, mark which client authorizations were
  617. added and whether any were removed. This can be used later when
  618. deciding whether to rebuild introduction points and publish new
  619. hidden service descriptors. Not implemented yet.]
  620. /2/ Publish hidden service descriptors [service]
  621. - Create and upload hidden service descriptors for all authorized
  622. clients.
  623. [- See /1/ for the case of reconfiguration.]
  624. /3/ Configure permission for hidden services [client]
  625. - Parse configuration option HidServAuth containing service
  626. authorization, store authorization data in memory.
  627. /5/ Fetch hidden service descriptors [client]
  628. - Look up client authorization upon receiving a hidden service request.
  629. - Request hidden service descriptor ID including client key and
  630. descriptor cookie. Only request v2 descriptors, no v0.
  631. /6/ Process hidden service descriptor [client]
  632. - Decrypt introduction points with descriptor cookie.
  633. /7/ Create introduction request [client]
  634. - Include descriptor cookie in INTRODUCE2 cell to introduction point.
  635. - Pass descriptor cookie around between involved connections and
  636. circuits.
  637. /8/ Process introduction request [service]
  638. - Read descriptor cookie from INTRODUCE2 cell.
  639. - Check whether descriptor cookie is authorized for access, including
  640. checking access counters.
  641. - Log access for accountability.