Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 45742ce0b0
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
142-combine-intro-and-rend-points.txt

142-combine-intro-and-rend-points.txt 14 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280 
  1. Filename: 142-combine-intro-and-rend-points.txt
    2. 

  2. Title: Combine Introduction and Rendezvous Points
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Karsten Loesing, Christian Wilms
    6. 

  6. Created: 27-Jun-2008
    7. 

  7. Status: Open
    8. 

  8. 

  9. Change history:
    10. 

  10. 

  11.   27-Jun-2008  Initial proposal for or-dev
    12. 

  12. 

  13. Overview:
    14. 

  14. 

  15.   Establishing a connection to a hidden service currently involves two Tor
    16. 

  16.   relays, introduction and rendezvous point, and 10 more relays distributed
    17. 

  17.   over four circuits to connect to them. The introduction point is
    18. 

  18.   established in the mid-term by a hidden service to transfer introduction
    19. 

  19.   requests from client to the hidden service. The rendezvous point is set
    20. 

  20.   up by the client for a single hidden service request and actually
    21. 

  21.   transfers end-to-end encrypted application data between client and hidden
    22. 

  22.   service.
    23. 

  23. 

  24.   There are some reasons for separating the two roles of introduction and
    25. 

  25.   rendezvous point: (1) Plausible deniability: A relay shall not be made
    26. 

  26.   responsible that it relays data for a certain hidden service; in the
    27. 

  27.   original design as described in [1] an introduction point relays no
    28. 

  28.   application data, and a rendezvous points neither knows the hidden
    29. 

  29.   service nor can it decrypt the data. (2) Scalability: The hidden service
    30. 

  30.   shall not have to maintain a number of open circuits proportional to the
    31. 

  31.   expected number of client requests. (3) Attack resistance: The effect of
    32. 

  32.   an attack on the only visible parts of a hidden service, its introduction
    33. 

  33.   points, shall be as small as possible.
    34. 

  34. 

  35.   However, elimination of a separate rendezvous connection as proposed by
    36. 

  36.   Øverlier and Syverson [2] is the most promising approach to improve the
    37. 

  37.   delay in connection establishment. From all substeps of connection
    38. 

  38.   establishment extending a circuit by only a single hop is responsible for
    39. 

  39.   a major part of delay. Reducing on-demand circuit extensions from two to
    40. 

  40.   one results in a decrease of mean connection establishment times from 39
    41. 

  41.   to 29 seconds [3]. Particularly, eliminating the delay on hidden-service
    42. 

  42.   side allows the client to better observe progress of connection
    43. 

  43.   establishment, thus allowing it to use smaller timeouts. Proposal 114
    44. 

  44.   introduced new introduction keys for introduction points and provides for
    45. 

  45.   user authorization data in hidden service descriptors; it will be shown
    46. 

  46.   in this proposal that introduction keys in combination with new
    47. 

  47.   introduction cookies provide for the first security property of plausible
    48. 

  48.   deniability. Further, eliminating the need for a separate introduction
    49. 

  49.   connection benefits the overall network load by decreasing the number of
    50. 

  50.   circuit extensions. After all, having only one connection between client
    51. 

  51.   and hidden service reduces the overall protocol complexity.
    52. 

  52. 

  53. Design:
    54. 

  54. 

  55.   1. Hidden Service Configuration
    56. 

  56. 

  57.   Hidden services should be able to choose whether they would like to use
    58. 

  58.   this protocol. This might be opt-in for 0.2.1.x and opt-out for later
    59. 

  59.   major releases.
    60. 

  60. 

  61.   2. Contact Point Establishment
    62. 

  62. 

  63.   When preparing a hidden service, a Tor client selects a set of relays to
    64. 

  64.   act as contact points instead of introduction points. The contact point
    65. 

  65.   combines both roles of introduction and rendezvous point as proposed in
    66. 

  66.   [2]. The only requirement for a relay to be picked as contact point is
    67. 

  67.   its capability of performing this role. This can be determined from the
    68. 

  68.   Tor version number that needs to be equal or higher than the first
    69. 

  69.   version that implements this proposal.
    70. 

  70. 

  71.   The easiest way to implement establishment of contact points is to
    72. 

  72.   introduce v2 ESTABLISH_INTRO cells and use the currently unused auth type
    73. 

  73.   number 1 for contact points.
    74. 

  74. 

  75.      V      Format byte: set to 255               [1 octet]
    76. 

  76.      V      Version byte: set to 2                [1 octet]
    77. 

  77.      KLEN   Key length                           [2 octets]
    78. 

  78.      PK     Bob's public key                  [KLEN octets]
    79. 

  79.      HS     Hash of session info                [20 octets]
    80. 

  80.      AUTHT  The auth type that is supported       [1 octet]
    81. 

  81.      AUTHL  Length of auth data                  [2 octets]
    82. 

  82.      AUTHD  Auth data                            [variable]
    83. 

  83.      SIG    Signature of above information       [variable]
    84. 

  84. 

  85.   The hidden service does not create a fixed number of contact points, like
    86. 

  86.   3 in the current protocol. It uses a minimum of 3 contact points, but
    87. 

  87.   increases this number depending on the history of client requests within
    88. 

  88.   the last hour. The hidden service also increases this number depending on
    89. 

  89.   the frequency of failing contact points in order to defend against
    90. 

  90.   attacks on its contact points. When client authorization as described in
    91. 

  91.   proposal 121 is used, a hidden service can also use the number of
    92. 

  92.   authorized clients as first estimate for the required number of contact
    93. 

  93.   points.
    94. 

  94. 

  95.   3. Hidden Service Descriptor Creation
    96. 

  96. 

  97.   A hidden service needs to issue a fresh introduction cookie for each
    98. 

  98.   established introduction point. By requiring clients to use this cookie
    99. 

  99.   in a later connection establishment, an introduction point cannot access
    100. 

  100.   the hidden service that it works for. Together with the fresh
    101. 

  101.   introduction key that was introduced in proposal 114, this results in
    102. 

  102.   plausible deniability for the contact point.
    103. 

  103. 

  104.   The v2 hidden service descriptor format contains an
    105. 

  105.   "intro-authentication" field that may contain introduction-point specific
    106. 

  106.   keys. The hidden service creates a random string, comparable to the
    107. 

  107.   rendezvous cookie, and includes it in the descriptor as introduction
    108. 

  108.   cookie. Existing clients that do not understand this new protocol simply
    109. 

  109.   ignore that cookie. Further, the hidden service lists in the
    110. 

  110.   "protocol-versions" field that it supports this protocol.
    111. 

  111. 

  112.   4. Connection Establishment
    113. 

  113. 

  114.   When establishing a connection to a hidden service a client learns about
    115. 

  115.   the capability of using the new protocol from the hidden service
    116. 

  116.   descriptor. It may choose whether to use this new protocol or not,
    117. 

  117.   whereas older clients cannot understand the new capability and can only
    118. 

  118.   use the current protocol. Client using version 0.2.1.x should be able to
    119. 

  119.   opt-in for using the new protocol, which should change to opt-out for
    120. 

  120.   later major releases.
    121. 

  121. 

  122.   When using the new capability the client creates a v2 INTRODUCE1 cell
    123. 

  123.   that extends an unversioned INTRODUCE1 cell by adding the content of an
    124. 

  124.   ESTABLISH_RENDEZVOUS cell. Further, the client sends this cell using the
    125. 

  125.   new cell type 41 RELAY_INTRODUCE1_VERSIONED to the introduction point,
    126. 

  126.   because unversioned and versioned INTRODUCE1 cells are indistinguishable:
    127. 

  127. 

  128.   Cleartext
    129. 

  129.      V      Version byte: set to 2                [1 octet]
    130. 

  130.      PK_ID  Identifier for Bob's PK             [20 octets]
    131. 

  131.      AUTHT  The auth type that is supported       [1 octet]
    132. 

  132.      AUTHL  Length of auth data                  [2 octets]
    133. 

  133.      AUTHD  Auth data                            [variable]
    134. 

  134.   Encrypted to Bob's PK:
    135. 

  135.      VER    Version byte: set to 3.               [1 octet]
    136. 

  136.      AUTHT  The auth type that is supported       [1 octet]
    137. 

  137.      AUTHL  Length of auth data                  [2 octets]
    138. 

  138.      AUTHD  Auth data                            [variable]
    139. 

  139.      IP     Rendezvous point's address           [4 octets]
    140. 

  140.      PORT   Rendezvous point's OR port           [2 octets]
    141. 

  141.      ID     Rendezvous point identity ID        [20 octets]
    142. 

  142.      KLEN   Length of onion key                  [2 octets]
    143. 

  143.      KEY    Rendezvous point onion key        [KLEN octets]
    144. 

  144.      RC     Rendezvous cookie                   [20 octets]
    145. 

  145.      g^x    Diffie-Hellman data, part 1        [128 octets]
    146. 

  146. 

  147.   The cleartext part contains the rendezvous cookie as auth data for the
    148. 

  148.   currently unused auth type 1. The contact point remembers the rendezvous
    149. 

  149.   cookie just as a rendezvous point would do.
    150. 

  150. 

  151.   The encrypted part contains the introduction cookie as auth data for the
    152. 

  152.   likewise unused auth type 1. The rendezvous cookie is contained as
    153. 

  153.   before, but the remaining rendezvous point information is left empty, as
    154. 

  154.   there is no separate rendezvous point.
    155. 

  155. 

  156.   5. Rendezvous Establishment
    157. 

  157. 

  158.   The contact point recognizes a v2 INTRODUCE1 cell with auth type 1 as a
    159. 

  159.   request to be used in the new protocol. It remembers the contained
    160. 

  160.   rendezvous cookie, replies to the client with an INTRODUCE_ACK cell
    161. 

  161.   (omitting the RENDEZVOUS_ESTABLISHED cell), and forwards the encrypted
    162. 

  162.   part of the INTRODUCE1 cell as INTRODUCE2 cell to the hidden service.
    163. 

  163. 

  164.   6. Introduction at Hidden Service
    165. 

  165. 

  166.   The hidden services recognizes an INTRODUCE2 cell containing an
    167. 

  167.   introduction cookie as authorization data. In this case, it does not
    168. 

  168.   extend a circuit to a rendezvous point, but sends a RENDEZVOUS1 cell
    169. 

  169.   directly back to its contact point as usual.
    170. 

  170. 

  171.   7. Rendezvous at Contact Point
    172. 

  172. 

  173.   The contact point processes a RENDEZVOUS1 cell just as a rendezvous point
    174. 

  174.   does. The only difference is that the hidden-service-side circuit is not
    175. 

  175.   exclusive for the client connection, but shared among multiple client
    176. 

  176.   connections.
    177. 

  177. 

  178. Security Implications:
    179. 

  179. 

  180.   (1) Plausible deniability
    181. 

  181. 

  182.   One of the original reasons for the separation of introduction and
    183. 

  183.   rendezvous points is that a relay shall not be made responsible that it
    184. 

  184.   relays data for a certain hidden service. In the current design an
    185. 

  185.   introduction point relays no application data and a rendezvous points
    186. 

  186.   neither knows the hidden service nor can it decrypt the data.
    187. 

  187. 

  188.   This property is also fulfilled in this new design. A contact point only
    189. 

  189.   learns a fresh introduction key instead of the hidden service key, so
    190. 

  190.   that it cannot recognize a hidden service. Further, the introduction
    191. 

  191.   cookie, which is unknown to the contact point, prevents it from accessing
    192. 

  192.   the hidden service itself. The only way for a contact point to access a
    193. 

  193.   hidden service is to look up whether it is contained in the descriptors
    194. 

  194.   of known hidden services. A contact point can plausibly deny knowledge of
    195. 

  195.   any hidden services, so that it cannot know for which hidden service it
    196. 

  196.   is working. In addition to that, it cannot learn the data that it
    197. 

  197.   transfers, because all communication between client and hidden service
    198. 

  198.   are end-to-end encrypted.
    199. 

  199. 

  200.   (2) Scalability
    201. 

  201. 

  202.   Another goal of the existing hidden service protocol is that a hidden
    203. 

  203.   service does not have to maintain a number of open circuits proportional
    204. 

  204.   to the expected number of client requests. The rationale behind this is
    205. 

  205.   better scalability.
    206. 

  206. 

  207.   The new protocol eliminates the need for a hidden service to extend
    208. 

  208.   circuits on demand, which has a positive effect circuits establishment
    209. 

  209.   times and overall network load. The solution presented here to establish
    210. 

  210.   a number of contact points proportional to the history of connection
    211. 

  211.   requests reduces the number of circuits to a minimum number that fits the
    212. 

  212.   hidden service's needs.
    213. 

  213. 

  214.   (3) Attack resistance
    215. 

  215. 

  216.   The third goal of separating introduction and rendezvous points is to
    217. 

  217.   limit the effect of an attack on the only visible parts of a hidden
    218. 

  218.   service which are the contact points in this protocol.
    219. 

  219. 

  220.   In theory, the new protocol is more vulnerable to this attack. An
    221. 

  221.   attacker who can take down a contact point does not only eliminate an
    222. 

  222.   access point to the hidden service, but also breaks current client
    223. 

  223.   connections to the hidden service using that contact point.
    224. 

  224. 

  225.   Øverlier and Syverson proposed the concept of valet nodes as additional
    226. 

  226.   safeguard for introduction/contact points [4]. Unfortunately, this
    227. 

  227.   increases hidden service protocol complexity conceptually and from an
    228. 

  228.   implementation point of view. Therefore, it is not included in this
    229. 

  229.   proposal.
    230. 

  230. 

  231.   However, in practice attacking a contact point (or introduction point) is
    232. 

  232.   not as rewarding as it might appear. The cost for a hidden service to set
    233. 

  233.   up a new contact point and publish a new hidden service descriptor is
    234. 

  234.   minimal compared to the efforts necessary for an attacker to take a Tor
    235. 

  235.   relay down. As a countermeasure to further frustrate this attack, the
    236. 

  236.   hidden service raises the number of contact points as a function of
    237. 

  237.   previous contact point failures.
    238. 

  238. 

  239.   Further, the probability of breaking client connections due to attacking
    240. 

  240.   a contact point is minimal. It can be assumed that the probability of one
    241. 

  241.   of the other five involved relays in a hidden service connection failing
    242. 

  242.   or being shut down is higher than that of a successful attack on a
    243. 

  243.   contact point.
    244. 

  244. 

  245.   (4) Resistance against Locating Attacks
    246. 

  246. 

  247.   Clients are no longer able to force a hidden service to create or extend
    248. 

  248.   circuits. This further reduces an attacker's capabilities of locating a
    249. 

  249.   hidden server as described by Øverlier and Syverson [5].
    250. 

  250. 

  251. Compatibility:
    252. 

  252. 

  253.   The presented protocol does not raise compatibility issues with current
    254. 

  254.   Tor versions. New relay versions support both, the existing and the
    255. 

  255.   proposed protocol as introduction/rendezvous/contact points. A contact
    256. 

  256.   point acts as introduction point simultaneously. Hidden services and
    257. 

  257.   clients can opt-in to use the new protocol which might change to opt-out
    258. 

  258.   some time in the future.
    259. 

  259. 

  260. References:
    261. 

  261. 

  262.   [1] Roger Dingledine, Nick Mathewson, and Paul Syverson, Tor: The
    263. 

  263.   Second-Generation Onion Router. In the Proceedings of the 13th USENIX
    264. 

  264.   Security Symposium, August 2004.
    265. 

  265. 

  266.   [2] Lasse Øverlier and Paul Syverson, Improving Efficiency and Simplicity
    267. 

  267.   of Tor Circuit Establishment and Hidden Services. In the Proceedings of
    268. 

  268.   the Seventh Workshop on Privacy Enhancing Technologies (PET 2007),
    269. 

  269.   Ottawa, Canada, June 2007.
    270. 

  270. 

  271.   [3] Christian Wilms, Improving the Tor Hidden Service Protocol Aiming at
    272. 

  272.   Better Performance, diploma thesis, June 2008, University of Bamberg.
    273. 

  273. 

  274.   [4] Lasse Øverlier and Paul Syverson, Valet Services: Improving Hidden
    275. 

  275.   Servers with a Personal Touch. In the Proceedings of the Sixth Workshop
    276. 

  276.   on Privacy Enhancing Technologies (PET 2006), Cambridge, UK, June 2006.
    277. 

  277. 

  278.   [5] Lasse Øverlier and Paul Syverson, Locating Hidden Servers. In the
    279. 

  279.   Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.
    280. 

  280.