142-combine-intro-and-rend-points.txt 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279
  1. Filename: 142-combine-intro-and-rend-points.txt
  2. Title: Combine Introduction and Rendezvous Points
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Karsten Loesing, Christian Wilms
  6. Created: 27-Jun-2008
  7. Status: Dead
  8. Change history:
  9. 27-Jun-2008 Initial proposal for or-dev
  10. 04-Jul-2008 Give first security property the new name "Responsibility"
  11. and change new cell formats according to rendezvous protocol
  12. version 3 draft.
  13. 19-Jul-2008 Added comment by Nick (but no solution, yet) that sharing of
  14. circuits between multiple clients is not supported by Tor.
  15. Overview:
  16. Establishing a connection to a hidden service currently involves two Tor
  17. relays, introduction and rendezvous point, and 10 more relays distributed
  18. over four circuits to connect to them. The introduction point is
  19. established in the mid-term by a hidden service to transfer introduction
  20. requests from client to the hidden service. The rendezvous point is set
  21. up by the client for a single hidden service request and actually
  22. transfers end-to-end encrypted application data between client and hidden
  23. service.
  24. There are some reasons for separating the two roles of introduction and
  25. rendezvous point: (1) Responsibility: A relay shall not be made
  26. responsible that it relays data for a certain hidden service; in the
  27. original design as described in [1] an introduction point relays no
  28. application data, and a rendezvous points neither knows the hidden
  29. service nor can it decrypt the data. (2) Scalability: The hidden service
  30. shall not have to maintain a number of open circuits proportional to the
  31. expected number of client requests. (3) Attack resistance: The effect of
  32. an attack on the only visible parts of a hidden service, its introduction
  33. points, shall be as small as possible.
  34. However, elimination of a separate rendezvous connection as proposed by
  35. Øverlier and Syverson [2] is the most promising approach to improve the
  36. delay in connection establishment. From all substeps of connection
  37. establishment extending a circuit by only a single hop is responsible for
  38. a major part of delay. Reducing on-demand circuit extensions from two to
  39. one results in a decrease of mean connection establishment times from 39
  40. to 29 seconds [3]. Particularly, eliminating the delay on hidden-service
  41. side allows the client to better observe progress of connection
  42. establishment, thus allowing it to use smaller timeouts. Proposal 114
  43. introduced new introduction keys for introduction points and provides for
  44. user authorization data in hidden service descriptors; it will be shown
  45. in this proposal that introduction keys in combination with new
  46. introduction cookies provide for the first security property
  47. responsibility. Further, eliminating the need for a separate introduction
  48. connection benefits the overall network load by decreasing the number of
  49. circuit extensions. After all, having only one connection between client
  50. and hidden service reduces the overall protocol complexity.
  51. Design:
  52. 1. Hidden Service Configuration
  53. Hidden services should be able to choose whether they would like to use
  54. this protocol. This might be opt-in for 0.2.1.x and opt-out for later
  55. major releases.
  56. 2. Contact Point Establishment
  57. When preparing a hidden service, a Tor client selects a set of relays to
  58. act as contact points instead of introduction points. The contact point
  59. combines both roles of introduction and rendezvous point as proposed in
  60. [2]. The only requirement for a relay to be picked as contact point is
  61. its capability of performing this role. This can be determined from the
  62. Tor version number that needs to be equal or higher than the first
  63. version that implements this proposal.
  64. The easiest way to implement establishment of contact points is to
  65. introduce v2 ESTABLISH_INTRO cells. By convention, the relay recognizes
  66. version 2 ESTABLISH_INTRO cells as requests to establish a contact point
  67. rather than an introduction point.
  68. V Format byte: set to 255 [1 octet]
  69. V Version byte: set to 2 [1 octet]
  70. KLEN Key length [2 octets]
  71. PK Public introduction key [KLEN octets]
  72. HS Hash of session info [20 octets]
  73. SIG Signature of above information [variable]
  74. The hidden service does not create a fixed number of contact points, like
  75. 3 in the current protocol. It uses a minimum of 3 contact points, but
  76. increases this number depending on the history of client requests within
  77. the last hour. The hidden service also increases this number depending on
  78. the frequency of failing contact points in order to defend against
  79. attacks on its contact points. When client authorization as described in
  80. proposal 121 is used, a hidden service can also use the number of
  81. authorized clients as first estimate for the required number of contact
  82. points.
  83. 3. Hidden Service Descriptor Creation
  84. A hidden service needs to issue a fresh introduction cookie for each
  85. established introduction point. By requiring clients to use this cookie
  86. in a later connection establishment, an introduction point cannot access
  87. the hidden service that it works for. Together with the fresh
  88. introduction key that was introduced in proposal 114, this reduces
  89. responsibility of a contact point for a specific hidden service.
  90. The v2 hidden service descriptor format contains an
  91. "intro-authentication" field that may contain introduction-point specific
  92. keys. The hidden service creates a random string, comparable to the
  93. rendezvous cookie, and includes it in the descriptor as introduction
  94. cookie for auth-type "1". By convention, clients recognize existence of
  95. auth-type 1 as possibility to connect to a hidden service via a contact
  96. point rather than an introduction point. Older clients that do not
  97. understand this new protocol simply ignore that cookie.
  98. 4. Connection Establishment
  99. When establishing a connection to a hidden service a client learns about
  100. the capability of using the new protocol from the hidden service
  101. descriptor. It may choose whether to use this new protocol or not,
  102. whereas older clients cannot understand the new capability and can only
  103. use the current protocol. Client using version 0.2.1.x should be able to
  104. opt-in for using the new protocol, which should change to opt-out for
  105. later major releases.
  106. When using the new capability the client creates a v2 INTRODUCE1 cell
  107. that extends an unversioned INTRODUCE1 cell by adding the content of an
  108. ESTABLISH_RENDEZVOUS cell. Further, the client sends this cell using the
  109. new cell type 41 RELAY_INTRODUCE1_VERSIONED to the introduction point,
  110. because unversioned and versioned INTRODUCE1 cells are indistinguishable:
  111. Cleartext
  112. V Version byte: set to 2 [1 octet]
  113. PK_ID Identifier for Bob's PK [20 octets]
  114. RC Rendezvous cookie [20 octets]
  115. Encrypted to introduction key:
  116. VER Version byte: set to 3. [1 octet]
  117. AUTHT The auth type that is supported [1 octet]
  118. AUTHL Length of auth data [2 octets]
  119. AUTHD Auth data [variable]
  120. RC Rendezvous cookie [20 octets]
  121. g^x Diffie-Hellman data, part 1 [128 octets]
  122. The cleartext part contains the rendezvous cookie that the contact point
  123. remembers just as a rendezvous point would do.
  124. The encrypted part contains the introduction cookie as auth data for the
  125. auth type 1. The rendezvous cookie is contained as before, but there is
  126. no further rendezvous point information, as there is no separate
  127. rendezvous point.
  128. 5. Rendezvous Establishment
  129. The contact point recognizes a v2 INTRODUCE1 cell with auth type 1 as a
  130. request to be used in the new protocol. It remembers the contained
  131. rendezvous cookie, replies to the client with an INTRODUCE_ACK cell
  132. (omitting the RENDEZVOUS_ESTABLISHED cell), and forwards the encrypted
  133. part of the INTRODUCE1 cell as INTRODUCE2 cell to the hidden service.
  134. 6. Introduction at Hidden Service
  135. The hidden services recognizes an INTRODUCE2 cell containing an
  136. introduction cookie as authorization data. In this case, it does not
  137. extend a circuit to a rendezvous point, but sends a RENDEZVOUS1 cell
  138. directly back to its contact point as usual.
  139. 7. Rendezvous at Contact Point
  140. The contact point processes a RENDEZVOUS1 cell just as a rendezvous point
  141. does. The only difference is that the hidden-service-side circuit is not
  142. exclusive for the client connection, but shared among multiple client
  143. connections.
  144. [Tor does not allow sharing of a single circuit among multiple client
  145. connections easily. We need to think about a smart and efficient way to
  146. implement this. Comment by Nick. -KL]
  147. Security Implications:
  148. (1) Responsibility
  149. One of the original reasons for the separation of introduction and
  150. rendezvous points is that a relay shall not be made responsible that it
  151. relays data for a certain hidden service. In the current design an
  152. introduction point relays no application data and a rendezvous points
  153. neither knows the hidden service nor can it decrypt the data.
  154. This property is also fulfilled in this new design. A contact point only
  155. learns a fresh introduction key instead of the hidden service key, so
  156. that it cannot recognize a hidden service. Further, the introduction
  157. cookie, which is unknown to the contact point, prevents it from accessing
  158. the hidden service itself. The only way for a contact point to access a
  159. hidden service is to look up whether it is contained in the descriptors
  160. of known hidden services. A contact point cannot directly be made
  161. responsible for which hidden service it is working. In addition to that,
  162. it cannot learn the data that it transfers, because all communication
  163. between client and hidden service are end-to-end encrypted.
  164. (2) Scalability
  165. Another goal of the existing hidden service protocol is that a hidden
  166. service does not have to maintain a number of open circuits proportional
  167. to the expected number of client requests. The rationale behind this is
  168. better scalability.
  169. The new protocol eliminates the need for a hidden service to extend
  170. circuits on demand, which has a positive effect on circuits establishment
  171. times and overall network load. The solution presented here to establish
  172. a number of contact points proportional to the history of connection
  173. requests reduces the number of circuits to a minimum number that fits the
  174. hidden service's needs.
  175. (3) Attack resistance
  176. The third goal of separating introduction and rendezvous points is to
  177. limit the effect of an attack on the only visible parts of a hidden
  178. service which are the contact points in this protocol.
  179. In theory, the new protocol is more vulnerable to this attack. An
  180. attacker who can take down a contact point does not only eliminate an
  181. access point to the hidden service, but also breaks current client
  182. connections to the hidden service using that contact point.
  183. Øverlier and Syverson proposed the concept of valet nodes as additional
  184. safeguard for introduction/contact points [4]. Unfortunately, this
  185. increases hidden service protocol complexity conceptually and from an
  186. implementation point of view. Therefore, it is not included in this
  187. proposal.
  188. However, in practice attacking a contact point (or introduction point) is
  189. not as rewarding as it might appear. The cost for a hidden service to set
  190. up a new contact point and publish a new hidden service descriptor is
  191. minimal compared to the efforts necessary for an attacker to take a Tor
  192. relay down. As a countermeasure to further frustrate this attack, the
  193. hidden service raises the number of contact points as a function of
  194. previous contact point failures.
  195. Further, the probability of breaking client connections due to attacking
  196. a contact point is minimal. It can be assumed that the probability of one
  197. of the other five involved relays in a hidden service connection failing
  198. or being shut down is higher than that of a successful attack on a
  199. contact point.
  200. (4) Resistance against Locating Attacks
  201. Clients are no longer able to force a hidden service to create or extend
  202. circuits. This further reduces an attacker's capabilities of locating a
  203. hidden server as described by Øverlier and Syverson [5].
  204. Compatibility:
  205. The presented protocol does not raise compatibility issues with current
  206. Tor versions. New relay versions support both, the existing and the
  207. proposed protocol as introduction/rendezvous/contact points. A contact
  208. point acts as introduction point simultaneously. Hidden services and
  209. clients can opt-in to use the new protocol which might change to opt-out
  210. some time in the future.
  211. References:
  212. [1] Roger Dingledine, Nick Mathewson, and Paul Syverson, Tor: The
  213. Second-Generation Onion Router. In the Proceedings of the 13th USENIX
  214. Security Symposium, August 2004.
  215. [2] Lasse Øverlier and Paul Syverson, Improving Efficiency and Simplicity
  216. of Tor Circuit Establishment and Hidden Services. In the Proceedings of
  217. the Seventh Workshop on Privacy Enhancing Technologies (PET 2007),
  218. Ottawa, Canada, June 2007.
  219. [3] Christian Wilms, Improving the Tor Hidden Service Protocol Aiming at
  220. Better Performance, diploma thesis, June 2008, University of Bamberg.
  221. [4] Lasse Øverlier and Paul Syverson, Valet Services: Improving Hidden
  222. Servers with a Personal Touch. In the Proceedings of the Sixth Workshop
  223. on Privacy Enhancing Technologies (PET 2006), Cambridge, UK, June 2006.
  224. [5] Lasse Øverlier and Paul Syverson, Locating Hidden Servers. In the
  225. Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.