Etusivu Tutki Apua
Kirjaudu sisään
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: 43385b9bc9
Branchit Tagit
tor-parallel...
/
doc
/
spec
/
proposals
/
103-multilevel-keys.txt

103-multilevel-keys.txt 6.8 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 
  1. Filename: 103-multilevel-keys.txt
    2. 

  2. Title: Splitting identity key from regularly used signing key.
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Nick Mathewson
    6. 

  6. Created:
    7. 

  7. Status: Open
    8. 

  8. 

  9. Overview:
    10. 

  10. 

  11.   This document proposes a change in the way identity keys are used, so that
    12. 

  12.   highly sensitive keys can be password-protected and seldom loaded into RAM.
    13. 

  13. 

  14.   It presents options; it is not yet a complete proposal.
    15. 

  15. 

  16. Proposal:
    17. 

  17. 

  18.   Replacing a directory authority's identity key in the event of a compromise
    19. 

  19.   would be tremendously annoying.  We'd need to tell every client to switch
    20. 

  20.   their configuration, or update to a new version with an uploaded list.  So
    21. 

  21.   long as some weren't upgraded, they'd be at risk from whoever had
    22. 

  22.   compromised the key.
    23. 

  23. 

  24.   With this in mind, it's a shame that our current protocol forces us to
    25. 

  25.   store identity keys unencrypted in RAM.  We need some kind of signing key
    26. 

  26.   stored unencrypted, since we need to generate new descriptors/directories
    27. 

  27.   and rotate link and onion keys regularly.  (And since, of course, we can't
    28. 

  28.   ask server operators to be on-hand to enter a passphrase every time we
    29. 

  29.   want to rotate keys or sign a descriptor.)
    30. 

  30. 

  31.   The obvious solution seems to be to have a signing-only key that lives
    32. 

  32.   indefinitely (months or longer) and signs descriptors and link keys, and a
    33. 

  33.   separate identity key that's used to sign the signing key.  Tor servers
    34. 

  34.   could run in one of several modes:
    35. 

  35.     1. Identity key stored encrypted.  You need to pick a passphrase when
    36. 

  36.        you enable this mode, and re-enter this passphrase every time you
    37. 

  37.        rotate the signing key.
    38. 

  38.     1'. Identity key stored separate.  You save your identity key to a
    39. 

  39.        floppy, and use the floppy when you need to rotate the signing key.
    40. 

  40.     2. All keys stored unencrypted.  In this case, we might not want to even
    41. 

  41.        *have* a separate signing key.  (We'll need to support no-separate-
    42. 

  42.        signing-key mode anyway to keep old servers working.)
    43. 

  43.     3. All keys stored encrypted. You need to enter a passphrase to start
    44. 

  44.        Tor.
    45. 

  45.   (Of course, we might not want to implement all of these.)
    46. 

  46. 

  47.   Case 1 is probably most usable and secure, if we assume that people don't
    48. 

  48.   forget their passphrases or lose their floppies.  We could mitigate this a
    49. 

  49.   bit by encouraging people to PGP-encrypt their passphrases to themselves,
    50. 

  50.   or keep a cleartext copy of their secret key secret-split into a few
    51. 

  51.   pieces, or something like that.
    52. 

  52. 

  53.   Migration presents another difficulty, especially with the authorities.  If
    54. 

  54.   we use the current set of identity keys as the new identity keys, we're in
    55. 

  55.   the position of having sensitive keys that have been stored on
    56. 

  56.   media-of-dubious-encryption up to now.  Also, we need to keep old clients
    57. 

  57.   (who will expect descriptors to be signed by the identity keys they know
    58. 

  58.   and love, and who will not understand signing keys) happy.
    59. 

  59. 

  60. A possible solution:
    61. 

  61. 

  62.   One thing to consider is that router identity keys are not very sensitive:
    63. 

  63.   if an OR disappears and reappears with a new key, the network treats it as
    64. 

  64.   though an old router had disappeared and a new one had joined the network.
    65. 

  65.   The Tor network continues unharmed; this isn't a disaster.
    66. 

  66. 

  67.   Thus, the ideas above are mostly relevant for authorities.
    68. 

  68. 

  69.   The most straightforward solution for the authorities is probably to take
    70. 

  70.   advantage of the protocol transition that will come with proposal 101, and
    71. 

  71.   introduce a new set of signing _and_ identity keys used only to sign votes
    72. 

  72.   and consensus network-status documents.  Signing and identity keys could be
    73. 

  73.   delivered to users in a separate, rarely changing "keys" document, so that
    74. 

  74.   the consensus network-status documents wouldn't need to include N signing
    75. 

  75.   keys, N identity keys, and N certifications.
    76. 

  76. 

  77.   Note also that there is no reason that the identity/signing keys used by
    78. 

  78.   directory authorities would necessarily have to be the same as the identity
    79. 

  79.   keys those authorities use in their capacity as routers.  Decoupling these
    80. 

  80.   keys would give directory authorities the following set of keys:
    81. 

  81. 

  82.        Directory authority identity:
    83. 

  83.            Highly confidential; stored encrypted and/or offline.  Used to
    84. 

  84.            identity directory authorities.  Shipped with clients.  Used to
    85. 

  85.            sign Directory authority signing keys.
    86. 

  86. 

  87.        Directory authority signing key:
    88. 

  88.            Stored online, accessible to regular Tor process.  Used to sign
    89. 

  89.            votes and consensus directories.  Downloaded as part of a "keys"
    90. 

  90.            document.
    91. 

  91. 

  92.            [Administrators SHOULD rotate their signing keys every month or
    93. 

  93.            two, just to keep in practice and keep from forgetting the
    94. 

  94.            password to the authority identity.]
    95. 

  95. 

  96.        V1-V2 directory authority identity:
    97. 

  97.            Stored online, never changed.  Used to sign legacy network-status
    98. 

  98.            and directory documents.
    99. 

  99. 

  100.        Router identity:
    101. 

  101.            Stored online, seldom changed.  Used to sign server descriptors
    102. 

  102.            for this authority in its role as a router.  Implicitly certified
    103. 

  103.            by being listed in network-status documents.
    104. 

  104. 

  105.        Onion key, link key:
    106. 

  106.            As in tor-spec.txt
    107. 

  107. 

  108. 

  109. Extensions to Proposal 101.
    110. 

  110. 

  111.   Add the following elements to vote documents:
    112. 

  112. 

  113.      "dir-identity-key": The long-term identity key for this authority.
    114. 

  114.      "dir-key-published": The time when this directory's signing key was last
    115. 

  115.          changed.
    116. 

  116.      "dir-key-certification": A signature of the fields "fingerprint",
    117. 

  117.          "dir-key-published", "dir-signing-key", and "dir-identity-key",
    118. 

  118.          concatenated, in that order.  The signed material extends from the
    119. 

  119.          beginning of "fingerprint" through the newline after
    120. 

  120.          "dir-key-certification".  The identity key is used to generate this
    121. 

  121.          signature.
    122. 

  122. 

  123.       The elements "fingerprint", "dir-key-published", "dir-signing-key",
    124. 

  124.       "dir-identity-key", and "dir-key-certification" together constitute a
    125. 

  125.       "key certificate".  These are generated offline when starting a v3
    126. 

  126.       authority.
    127. 

  127. 

  128.       The elements "dir-signing-key", "dir-key-published", and
    129. 

  129.       "dir-identity-key", "dir-key-certification" and MUST NOT appear in
    130. 

  130.       consensus documents.
    131. 

  131. 

  132.       The "fingerprint" field is generated based on the identity key, not
    133. 

  133.       the signing key.
    134. 

  134. 

  135.   Consensus network statuses change as follows:
    136. 

  136. 

  137.       Remove dir-signing-key.
    138. 

  138. 

  139.       Change "directory-signature" to take a fingerprint of the authority's
    140. 

  140.       identity key rather than the authority's nickname.
    141. 

  141. 

  142.   Add a new document type:
    143. 

  143. 

  144.       A "keys" document contains all currently known key certification
    145. 

  145.       certificates.  All authorities serve it at
    146. 

  146. 

  147.           http://<hostname>/tor/status/keys.z
    148. 

  148. 

  149.       Caches and clients download the keys document whenever they receive a
    150. 

  150.       consensus vote that uses a key they do not recognize.  Caches download
    151. 

  151.       from authorities; clients download from caches.
    152. 

  152. 

  153.   Verification:
    154. 

  154. 

  155.       [XXXX write me]
    156.