Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e9f6456b2c
Branches Tags
tor
/
doc
/
spec
/
proposals
/
103-multilevel-keys.txt

103-multilevel-keys.txt 2.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 
  1. 

  2.            Splitting identity key from regularly-used signing key.
    3. 

  3. 

  4. 

  5. 

  6.   Replacing a directory authority's identity key in the event of a compromise
    7. 

  7.   would be tremendously annoying.  We'd need to tell every client to switch
    8. 

  8.   their configuration, or update to a new version with an uploaded list.  So
    9. 

  9.   long as some weren't upgraded, they'd be at risk from whoever had
    10. 

  10.   compromised the key.
    11. 

  11. 

  12.   With this in mind, it's a shame that our current protocol forces us to
    13. 

  13.   store identity keys unencrypted in RAM.  We need some kind of signing key
    14. 

  14.   stored unencrypted, since we need to generate new descriptors/directories
    15. 

  15.   and rotate link and onion keys regularly.  (And since, of course, we can't
    16. 

  16.   ask server operators to be on-hand to enter a passphrase every time we
    17. 

  17.   want to rotate keys or sign a descriptor.)
    18. 

  18. 

  19.   The obvious solution seems to be to have a signing-only key that lives
    20. 

  20.   indefinitely (months or longer) and signs descriptors and link keys, and a
    21. 

  21.   separate identity key that's used to sign the signing key.  Tor servers
    22. 

  22.   could run in one of several modes:
    23. 

  23.     1. Identity key stored encrypted.  You need to pick a passphrase when
    24. 

  24.        you enable this mode, and re-enter this passphrase every time you
    25. 

  25.        rotate the signing key.
    26. 

  26.     1'. Identity key stored separate.  You save your identity key to a
    27. 

  27.        floppy, and use the floppy when you need to rotate the signing key.
    28. 

  28.     2. All keys stored unencrypted.  In this case, we might not want to even
    29. 

  29.        *have* a separate signing key.  (We'll need to support no-separate-
    30. 

  30.        signing-key mode anyway to keep old servers working.)
    31. 

  31.     3. All keys stored encrypted. You need to enter a passphrase to start
    32. 

  32.        Tor.
    33. 

  33.   (Of course, we might not want to implement all of these.)
    34. 

  34. 

  35.   Case 1 is probably most usable and secure, if we assume that people don't
    36. 

  36.   forget their passphrases or lose their floppies.  We could mitigate this a
    37. 

  37.   bit by encouraging people to PGP-encrypt their passphrases to themselves,
    38. 

  38.   or keep a cleartext copy of their secret key secret-split into a few
    39. 

  39.   pieces, or something like that.
    40. 

  40. 

  41.   Migration presents another difficulty, especially with the authorities.  If
    42. 

  42.   we use the current set of identity keys as the new identity keys, we're in
    43. 

  43.   the position of having sensitive keys that have been stored on
    44. 

  44.   media-of-dubious-encryption up to now.  Also, we need to keep old clients
    45. 

  45.   (who will expect descriptors to be signed by the identity keys they know
    46. 

  46.   and love, and who will not understand signing keys) happy.
    47. 

  47. 

  48.   I'd enumerate designs here, but I'm hoping that somebody will come up with
    49. 

  49.   a better one, so I'll try not to prejudice them with more ideas yet.
    50. 

  50. 

  51.   Oh, and of course, we'll want to make sure that the keys are
    52. 

  52.   cross-certified. :)
    53. 

  53. 

  54.   Ideas? -NM
    55.