Proposal 121: Add a simple algorithm to delay descriptor publication for different clients of a hidden service;

Proposal 142: Give first security property the new name "Responsibility" and change new cell formats according to rendezvous protocol version 3 draft.

svn:r15655

doc/spec/proposals/121-hidden-service-authentication.txt

@@ -16,6 +16,8 @@ Change history:
   24-Dec-2007  Replaced misleading term "authentication" by "authorization"
                and added some clarifications (comments by Sven Kaffille)
   28-Apr-2008  Updated most parts of the concrete authorization protocol
+  04-Jul-2008  Add a simple algorithm to delay descriptor publication for
+               different clients of a hidden service
 
 Overview:
 
@@ -176,6 +178,20 @@ Details:
   cookie per group of users. It is up to the specific protocol and how it
   is applied by a service provider.
 
+  Two or more hidden service descriptors for different groups or users
+  should not be uploaded at the same time. A directory node could conclude
+  easily that the descriptors, were issued by the same hidden service, thus
+  being able to link the two groups or users. Therefore, descriptors for
+  different users or clients that ought to be stored on the same directory
+  are delayed, so that only one descriptor is uploaded to a directory at a
+  time. The remaining descriptors are uploaded with a delay of 30 seconds.
+  Further, descriptors for different groups or users that are to be stored
+  on different directories are delayed for a random time of up to 30
+  seconds to hide relations from colluding directories. Certainly, this
+  does not prevent linking entirely, but it makes it somewhat harder.
+  There is a conflict between hiding links between clients and making a
+  service available in a timely manner.
+
   Although this part of the proposal is meant to describe a general
   infrastructure for authorization, changing the way of using the
   descriptor cookie to look up hidden service descriptors, e.g. applying
@@ -360,8 +376,8 @@ Details:
   services maintain a history of received INTRODUCE2 cells within the last
   hour and only accept INTRODUCE2 cells matching the following rules:
 
-    (1) a maximum of 3 cells coming from the same client and containing the
+    (1) no duplicate requests coming from the same client and containing
-        same rendezvous cookie, and
+        the same rendezvous cookie, and
     (2) a maximum of 10 cells coming from the same client with different
         rendezvous cookies.
 
@@ -467,7 +483,7 @@ Details:
   in INTRODUCE2 cells that it sends to the server.
   The server compares authorization data of incoming INTRODUCE2 cells with
   the locally stored value that it would expect. The authorization type
-  number of this protocol for INTRODUCE2 cells is "1".
+  number of this protocol for INTRODUCE2 cells is "2".
 
   2.4. Providing authorization data
 
@@ -483,6 +499,7 @@ Details:
   or generated and appended to that file. The file format is:
 
      "client-name" human-readable client identifier NL
+     "service-address" onion-address NL
      "descriptor-cookie" 128-bit key ^= 22 base64 chars NL
      "client-key" NL a public key in PEM format
 

doc/spec/proposals/142-combine-intro-and-rend-points.txt

@@ -9,6 +9,9 @@ Status: Open
 Change history:
 
   27-Jun-2008  Initial proposal for or-dev
+  04-Jul-2008  Give first security property the new name "Responsibility"
+               and change new cell formats according to rendezvous protocol
+               version 3 draft.
 
 Overview:
 
@@ -22,7 +25,7 @@ Overview:
   service.
 
   There are some reasons for separating the two roles of introduction and
-  rendezvous point: (1) Plausible deniability: A relay shall not be made
+  rendezvous point: (1) Responsibility: A relay shall not be made
   responsible that it relays data for a certain hidden service; in the
   original design as described in [1] an introduction point relays no
   application data, and a rendezvous points neither knows the hidden
@@ -44,8 +47,8 @@ Overview:
   introduced new introduction keys for introduction points and provides for
   user authorization data in hidden service descriptors; it will be shown
   in this proposal that introduction keys in combination with new
-  introduction cookies provide for the first security property of plausible
+  introduction cookies provide for the first security property
-  deniability. Further, eliminating the need for a separate introduction
+  responsibility. Further, eliminating the need for a separate introduction
   connection benefits the overall network load by decreasing the number of
   circuit extensions. After all, having only one connection between client
   and hidden service reduces the overall protocol complexity.
@@ -69,17 +72,15 @@ Design:
   version that implements this proposal.
 
   The easiest way to implement establishment of contact points is to
-  introduce v2 ESTABLISH_INTRO cells and use the currently unused auth type
+  introduce v2 ESTABLISH_INTRO cells. By convention, the relay recognizes
-  number 1 for contact points.
+  version 2 ESTABLISH_INTRO cells as requests to establish a contact point
+  rather than an introduction point.
 
      V      Format byte: set to 255               [1 octet]
      V      Version byte: set to 2                [1 octet]
      KLEN   Key length                           [2 octets]
-     PK     Bob's public key                  [KLEN octets]
+     PK     Public introduction key           [KLEN octets]
      HS     Hash of session info                [20 octets]
-     AUTHT  The auth type that is supported       [1 octet]
-     AUTHL  Length of auth data                  [2 octets]
-     AUTHD  Auth data                            [variable]
      SIG    Signature of above information       [variable]
 
   The hidden service does not create a fixed number of contact points, like
@@ -98,16 +99,17 @@ Design:
   established introduction point. By requiring clients to use this cookie
   in a later connection establishment, an introduction point cannot access
   the hidden service that it works for. Together with the fresh
-  introduction key that was introduced in proposal 114, this results in
+  introduction key that was introduced in proposal 114, this reduces
-  plausible deniability for the contact point.
+  responsibility of a contact point for a specific hidden service.
 
   The v2 hidden service descriptor format contains an
   "intro-authentication" field that may contain introduction-point specific
   keys. The hidden service creates a random string, comparable to the
   rendezvous cookie, and includes it in the descriptor as introduction
-  cookie. Existing clients that do not understand this new protocol simply
+  cookie for auth-type "1". By convention, clients recognize existence of
-  ignore that cookie. Further, the hidden service lists in the
+  auth-type 1 as possibility to connect to a hidden service via a contact
-  "protocol-versions" field that it supports this protocol.
+  point rather than an introduction point. Older clients that do not
+  understand this new protocol simply ignore that cookie.
 
   4. Connection Establishment
 
@@ -128,30 +130,22 @@ Design:
   Cleartext
      V      Version byte: set to 2                [1 octet]
      PK_ID  Identifier for Bob's PK             [20 octets]
-     AUTHT  The auth type that is supported       [1 octet]
+     RC     Rendezvous cookie                   [20 octets]
-     AUTHL  Length of auth data                  [2 octets]
+  Encrypted to introduction key:
-     AUTHD  Auth data                            [variable]
-  Encrypted to Bob's PK:
      VER    Version byte: set to 3.               [1 octet]
      AUTHT  The auth type that is supported       [1 octet]
      AUTHL  Length of auth data                  [2 octets]
      AUTHD  Auth data                            [variable]
-     IP     Rendezvous point's address           [4 octets]
-     PORT   Rendezvous point's OR port           [2 octets]
-     ID     Rendezvous point identity ID        [20 octets]
-     KLEN   Length of onion key                  [2 octets]
-     KEY    Rendezvous point onion key        [KLEN octets]
      RC     Rendezvous cookie                   [20 octets]
      g^x    Diffie-Hellman data, part 1        [128 octets]
 
-  The cleartext part contains the rendezvous cookie as auth data for the
+  The cleartext part contains the rendezvous cookie that the contact point
-  currently unused auth type 1. The contact point remembers the rendezvous
+  remembers just as a rendezvous point would do.
-  cookie just as a rendezvous point would do.
 
   The encrypted part contains the introduction cookie as auth data for the
-  likewise unused auth type 1. The rendezvous cookie is contained as
+  auth type 1. The rendezvous cookie is contained as before, but there is
-  before, but the remaining rendezvous point information is left empty, as
+  no further rendezvous point information, as there is no separate
-  there is no separate rendezvous point.
+  rendezvous point.
 
   5. Rendezvous Establishment
 
@@ -177,7 +171,7 @@ Design:
 
 Security Implications:
 
-  (1) Plausible deniability
+  (1) Responsibility
 
   One of the original reasons for the separation of introduction and
   rendezvous points is that a relay shall not be made responsible that it
@@ -191,11 +185,10 @@ Security Implications:
   cookie, which is unknown to the contact point, prevents it from accessing
   the hidden service itself. The only way for a contact point to access a
   hidden service is to look up whether it is contained in the descriptors
-  of known hidden services. A contact point can plausibly deny knowledge of
+  of known hidden services. A contact point cannot directly be made
-  any hidden services, so that it cannot know for which hidden service it
+  responsible for which hidden service it is working. In addition to that,
-  is working. In addition to that, it cannot learn the data that it
+  it cannot learn the data that it transfers, because all communication
-  transfers, because all communication between client and hidden service
+  between client and hidden service are end-to-end encrypted.
-  are end-to-end encrypted.
 
   (2) Scalability
 
@@ -205,7 +198,7 @@ Security Implications:
   better scalability.
 
   The new protocol eliminates the need for a hidden service to extend
-  circuits on demand, which has a positive effect circuits establishment
+  circuits on demand, which has a positive effect on circuits establishment
   times and overall network load. The solution presented here to establish
   a number of contact points proportional to the history of connection
   requests reduces the number of circuits to a minimum number that fits the