Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 6e799a6e9c
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
121-hidden-service-authentication.txt

121-hidden-service-authentication.txt 18 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336 
  1. Filename: 121-hidden-service-authentication.txt
    2. 

  2. Title: Hidden Service Authentication
    3. 

  3. Version: $LastChangedRevision$
    4. 

  4. Last-Modified: $LastChangedDate$
    5. 

  5. Author: Tobias Kamm, Thomas Lauterbach, Karsten Loesing, Ferdinand Rieger,
    6. 

  6.         Christoph Weingarten
    7. 

  7. Created: 10-Sep-2007
    8. 

  8. Status: Open
    9. 

  9. 

  10. Change history:
    11. 

  11. 

  12.   26-Sep-2007  Initial proposal for or-dev
    13. 

  13.   08-Dec-2007  Incorporated comments by Nick posted to or-dev on 10-Oct-2007
    14. 

  14. 

  15. Overview:
    16. 

  16. 

  17.   This proposal deals with some possibilities to implement authentication
    18. 

  18.   for restricted access to hidden services. This way we try to increase the
    19. 

  19.   security level for the service provider (Bob) by giving him the ability
    20. 

  20.   to exclude non-authorized users from using his service. It is based on
    21. 

  21.   proposal 114-distributed-storage but is better suited for a fine grained
    22. 

  22.   way of authentication, because it is less resource-consuming. Whenever we
    23. 

  23.   refer to service descriptors and cell formats, we are talking about the
    24. 

  24.   definitions found in 114-distributed-storage unless otherwise stated.
    25. 

  25. 

  26.   We discuss password and public-key authentication for the Onion Proxy
    27. 

  27.   (OP) of Bob's hidden service (HS). Furthermore a challenge-response
    28. 

  28.   authentication mechanism is introduced at the introduction point.
    29. 

  29. 

  30.   These modifications aim at:
    31. 

  31.    - increasing the security of hidden services by limiting access only to
    32. 

  32.      authorized users (specification see details) and
    33. 

  33.    - reducing the traffic in the network by rejecting unauthorized access
    34. 

  34.      requests earlier.
    35. 

  35. 

  36. Motivation:
    37. 

  37. 

  38.   The currently used implementation of hidden services does not provide any
    39. 

  39.   kind of authentication. The v2 implementation adds an authentication
    40. 

  40.   mechanism at the directory server. Security can be further improved by
    41. 

  41.   adding two more authentication authorities at the introduction point
    42. 

  42.   (IPo) and the OP.
    43. 

  43. 

  44.   Although the service descriptors are already designed to carry
    45. 

  45.   authentication information the existing fields are not used so far.
    46. 

  46.   Moreover one can find a couple of notes at the specification of cell
    47. 

  47.   formats (rend-spec) which point at adding authentication information but
    48. 

  48.   no fields are specified yet. It would be preferable to extend the Tor
    49. 

  49.   network with authentication features to offer a solution for all
    50. 

  50.   services. This would also provide means to authorize access to services
    51. 

  51.   that currently do not support authentication mechanisms. Moreover, Bob's
    52. 

  52.   authentication administration for all services could be performed
    53. 

  53.   centralized in the Tor application, and the implementation overhead for
    54. 

  54.   developers would be significantly reduced. Another benefit would be the
    55. 

  55.   reduced traffic by checking authentication data and dropping unauthorized
    56. 

  56.   requests as soon as possible. For example unauthorized requests could
    57. 

  57.   already be discarded at the introduction points.
    58. 

  58. 

  59.   In addition to that, our implementation is able to hide the service from
    60. 

  60.   users, who still have access to the secret cookie (see
    61. 

  61.   114-distributed-storage) but should no longer be authorized. Bob can now
    62. 

  62.   not only hide his location, but also to a certain degree his presence
    63. 

  63.   towards unauthorized clients given that none of his IPo's are corrupted.
    64. 

  64. 

  65. Details:
    66. 

  66. 

  67.   [XXX Restructure this section in separate patch:
    68. 

  68.    A) The general mechanisms to perform authentication at three
    69. 

  69.       authentication points (directory, service, introduction point)
    70. 

  70.    B) A specific authentication protocol based on secret cookies. -KL]
    71. 

  71. 

  72.   [XXX Describe use of descriptor cookie as "/0/ Client authentication at
    73. 

  73.    directory". Optional encryption/decryption using a descriptor cookie is
    74. 

  74.    understood since proposal 114, but not used by servers and clients. -KL]
    75. 

  75. 

  76.   /1/ Client authentication at the hidden service
    77. 

  77. 

  78.   In proposal 114 a client (Alice) who has a valid secret cookie, which may
    79. 

  79.   be considered as a form of authentication, and a service ID is able to
    80. 

  80.   connect to Bob if he is online. He can not distinguish between Alice
    81. 

  81.   being intentionally authorized by himself or being an attacker.
    82. 

  82.   Integrating authentication in Tor HS will ensure Bob that Alice is only
    83. 

  83.   able to use the service if she is authorized by him.    
    84. 

  84. 

  85.   Authentication data will be transmitted via the RELAY_INTRODUCE1 cell
    86. 

  86.   from Alice to Bob that is forwarded by the IPo. For this message several
    87. 

  87.   format versions are specified in the rend-spec in section 1.8. We will
    88. 

  88.   use the format version 3, which is specified, but not implemented by
    89. 

  89.   December 2007. This specification already contains the fields
    90. 

  90.   "AUTHT" (to specify the authentication method), "AUTHL" (length of the
    91. 

  91.   authentication data), and "AUTHD" (the authentication data) that will be
    92. 

  92.   used to store authentication data. Since these fields are encrypted with
    93. 

  93.   the service's public key, sniffing attacks will fail. Bob will only build
    94. 

  94.   the circuit to the rendezvous point if the provided authentication data
    95. 

  95.   is valid, otherwise he will drop the cell. This will improve security due
    96. 

  96.   to preventing communication between Bob and Alice if she is an attacker.
    97. 

  97.   Especially, it prevents the attack described by Øverlier and Syverson in
    98. 

  98.   their paper "Locating Hidden Servers", even without the need for guards.
    99. 

  99.   As a positive side effect it reduces network traffic because it avoids
    100. 

  100.   Bob from building unnecessary circuits to the rendezvous points.
    101. 

  101.   Authentication at the HS should be the last gatekeeper and the number of
    102. 

  102.   cases in which a client successfully passes the introduction point, but
    103. 

  103.   fails at the HS should be almost zero. Therefore it is very important to
    104. 

  104.   perform fine-grained access control already at the IPo (but without
    105. 

  105.   relying on it).
    106. 

  106. 

  107.   The first authentication mechanism that will be supported is password
    108. 

  108.   (symmetric secret) authentication. "AUTHT" is set to "1" for this
    109. 

  109.   authentication method while the "AUTHL" field is set to "20", the length
    110. 

  110.   of the SHA-1 digest of the password.
    111. 

  111. 

  112.   (1) Alice creates a password x and sends the password digest h(x) to Bob
    113. 

  113.       out of band.
    114. 

  114.       [XXX Don't distinguish between x and h(x), so that both Alice and Bob
    115. 

  115.        can be the initiator of the password exchange. -KL]
    116. 

  116.   (2) Alice sends h(x) to Bob, encrypted with Bob's fresh service key (not
    117. 

  117.       subject to this proposal, see proposal 114).
    118. 

  118.   (3) Bob decrypts Alice's message using his private service key (see
    119. 

  119.       proposal 114) and compares the contained h(x) with what he knows what
    120. 

  120.       Alice's password digest h(x) should be.
    121. 

  121. 

  122.   This kind of authentication is well-known. It has the known disadvantage
    123. 

  123.   of weak passwords that are vulnerable to dictionary or brute-force
    124. 

  124.   attacks. Nevertheless it seems to be an appropriate solution since safe
    125. 

  125.   passwords can be randomly generated by Tor. Cracking methods that rely on
    126. 

  126.   guessing passwords should not be effective in the constantly changing
    127. 

  127.   network infrastructure. A usability advantage is that this method is easy
    128. 

  128.   to perform even for unexperienced users. The authentication data will be
    129. 

  129.   the SHA-1 secure hash (see tor-spec) of the shared secret (password).
    130. 

  130. 

  131.   The premise to use password authentication is that Bob must send the
    132. 

  132.   password to Alice -- or the other way around -- outside Tor.
    133. 

  133.   If at the same time the secret cookie is
    134. 

  134.   transmitted and the message is intercepted the attacker can gain access
    135. 

  135.   to the service. Therefore, a secure way to exchange this information must
    136. 

  136.   be established.
    137. 

  137. 

  138.   [Removed public-key authentication protocol. -KL]
    139. 

  139. 

  140.   After validating the provided "AUTHD" Bob builds a circuit to the
    141. 

  141.   rendezvous point and starts interacting with Alice. If Bob cannot
    142. 

  142.   identify the client he must refuse the request by not connecting to the
    143. 

  143.   rendezvous point.
    144. 

  144.   [XXX Bob should discard an IPo after a certain number of cells containing
    145. 

  145.    bad auth data. But any denouncement by other IPos or clients, e.g. by
    146. 

  146.    replaying cells, must be inhibited. Maybe Bob should keep a history of
    147. 

  147.    connection attempts within a certain time and discard an IPo after a
    148. 

  148.    specific threshold. And maybe authentication to the service should be
    149. 

  149.    based on a nonce, so that the service can differentiate between a replay
    150. 

  150.    attack by an introduction point and regular reconnection attempts. More
    151. 

  151.    thoughts needed here. -KL]
    152. 

  152. 

  153.   It will also still be possible to establish v2 hidden services without
    154. 

  154.   authentication. Therefore the "AUTHT" field must be set to "0". "AUTHL"
    155. 

  155.   and "AUTHD" are not provided by the client in that case.
    156. 

  156. 

  157.   /2/ Client authentication at the introduction point 	
    158. 

  158. 

  159.   In addition to authentication at the HS OP, the IPo should be able to
    160. 

  160.   detect and abandon all unauthorized requests. This would help to raise
    161. 

  161.   the level of privacy and therefore also the level of security for Bob by
    162. 

  162.   better hiding his online activity from unauthorized users. Especially if
    163. 

  163.   Alice still has access to the secret cookie. This can be the case if she
    164. 

  164.   had access to the service earlier, but is no longer authorized or the
    165. 

  165.   directory is outdated. Another advantage of this additional "gate keeper"
    166. 

  166.   would be reduced traffic in the network, because unauthorized requests
    167. 

  167.   could already be detected and declined at the IPo.
    168. 

  168. 

  169.   It is important to notice that the IPo may not be trustworthy, and
    170. 

  170.   therefore can not replace authentication at the HS OP itself. Nor should
    171. 

  171.   the IPo get hold of critical authentication information (because it could
    172. 

  172.   try to access the service itself).
    173. 

  173. 

  174.   A challenge-response authentication protocol is used to address these
    175. 

  175.   issues. This means that a challenge is needed to be solved by Alice to
    176. 

  176.   get forwarded to Bob by the IPo.
    177. 

  177. 

  178.   Two types of authentication are supported and need to be preconfigured by
    179. 

  179.   Bob when creating the service: password and public-key authentication.
    180. 

  180.   Again it is up to Alice what kind of authentication mechanism she wants
    181. 

  181.   to use, given that Bob knows both her password and her public key.
    182. 

  182. 

  183.   If Alice uses a password to authenticate herself at the IPo, the
    184. 

  184.   authentication is based on a symmetric challenge-response authentication 
    185. 

  185.   protocol. In this case the challenge for Alice is to send h(x|y) where x
    186. 

  186.   is a user-specific password, which should be different from the password
    187. 

  187.   needed for authentication at the hidden service and y is a randomly
    188. 

  188.   generated value. Alice gets hold of her password out of band.
    189. 

  189. 

  190.   With the initial RELAY_ESTABLISH_INTRO cell, the IPo gets a list of
    191. 

  191.   h(x|y)'s which it stores locally. Upon a request of Alice it compares her
    192. 

  192.   provided authentication data with the list entries. If there is a
    193. 

  193.   matching entry in its list, Alice's request is valid and can be forwarded
    194. 

  194.   to Bob. To generate the hash, Alice needs to know the password (which she
    195. 

  195.   will get out of band) and the random value y. This value is contained in
    196. 

  196.   the cookie-encrypted part of the hidden service descriptor which Alice
    197. 

  197.   can retrieve from the directory using her secret cookie.
    198. 

  198. 

  199.   (1) Alice creates a password x and sends the password digest h(x) to Bob
    200. 

  200.       out of band.
    201. 

  201.   (2) Bob creates a random value y, computes h(h(x)|y), and sends the
    202. 

  202.       result to the introduction point.
    203. 

  203.       [XXX There should be a separate y for each introduction point, so
    204. 

  204.        that none of them may impersonate Alice to any of the other
    205. 

  205.        introduction points. -KL]
    206. 

  206.   (3) Bob encrypts y with a secret cookie (see proposal 114) and writes it
    207. 

  207.       to a rendezvous service descriptor.
    208. 

  208.   (4) Alice fetches Bob's rendezvous service descriptor, decrypts y using
    209. 

  209.       the secret cookie (see proposal 114), computes h(h(x)|y), encrypts
    210. 

  210.       it with the public key of the introduction point, and sends it to
    211. 

  211.       that introduction point.
    212. 

  212.   (5) The introduction point decrypts h(h(x)|y) from Alice's message and
    213. 

  213.       compares it to the value it knows from Bob (from step 2).
    214. 

  214. 

  215.   [Removed public-key authentication protocol. -KL]
    216. 

  216. 

  217.   To remove a user from a group, Bob needs to update the random value list
    218. 

  218.   at the IPo's.
    219. 

  219. 

  220.   The changes needed in Tor to realize these two challenge-response
    221. 

  221.   variations affect the RELAY_ESTABLISH_INTRO and RELAY_INTRODUCE1 relay
    222. 

  222.   cells, the service descriptor and the code parts in Tor where these cells
    223. 

  223.   and the descriptor are handled.
    224. 

  224. 

  225.   The RELAY_ESTABLISH_INTRO cell is now structured as follows:
    226. 

  226. 

  227.   V      Format byte: set to 255             [1 octet]
    228. 

  228.   V      Version byte: set to 2              [1 octet]
    229. 

  229.   KL     Key length                         [2 octets]
    230. 

  230.   PK     Bob's public key                  [KL octets]
    231. 

  231.   HS     Hash of session info              [20 octets]
    232. 

  232.   AUTHT  The auth type that is supported     [1 octet]
    233. 

  233.   AUTHL  Length of auth data                [2 octets]
    234. 

  234.   AUTHD  Auth data                          [variable]
    235. 

  235.   SIG    Signature of above information     [variable]
    236. 

  236. 

  237.   "AUTHT" is set to "1" for password/public-key authentication.
    238. 

  238.   "AUTHD" is a list of 20 octet long challenges for clients.
    239. 

  239. 

  240.   The service descriptor as specified in 114-distributed-storage is used in
    241. 

  241.   our implementation.
    242. 

  242. 

  243.   For password authentication "authentication" auth-type is set to "1" and
    244. 

  244.   auth-data contains the 20 octets long string used by clients to construct
    245. 

  245.   the response to the challenge for authentication at the IPo.
    246. 

  246. 

  247.   When using public-key authentication the auth-type is set to "2" and
    248. 

  248.   auth-data holds a list of 148 octets long blank separated values. The
    249. 

  249.   first 20 octets of each value is the hash of the public key of a certain
    250. 

  250.   client and used by Alice to determine her entry in the list. The
    251. 

  251.   remaining 128 octets contain the PK-encrypted token needed to
    252. 

  252.   authenticate to the IPo.
    253. 

  253.   [XXX Handle space limitation problem, either by using fewer space, by
    254. 

  254.    sending multiple cells, or by finding a protocol that is
    255. 

  255.    space-independent here. -KL]
    256. 

  256. 

  257.   The part of the RELAY_INTRODUCE1 cell that can be read by the IPo has the
    258. 

  258.   following fields added:
    259. 

  259. 

  260.   AUTHT  The auth type that is supported   [1 octet]
    261. 

  261.   AUTHL  Length of auth data               [1 octets]
    262. 

  262.   AUTHD  Auth data                         [variable]
    263. 

  263.   [XXX Insert a version field, so that we won't be facing the same problems
    264. 

  264.    again when specifying the next version of INTRODUCE1 cells. -KL]
    265. 

  265. 

  266.   The AUTHT and AUTHL fields are provided to allow extensions of the
    267. 

  267.   protocol. Currently, we set AUTHT to 1 for password/public-key
    268. 

  268.   authentication and AUTHL to 20 for the length of the authorization token.
    269. 

  269. 

  270.   [XXX Insert file format containing auth data here. -KL]
    271. 

  271. 

  272. Security implications:
    273. 

  273. 

  274.   In addition to the security features proposed in 114-distributed-storage
    275. 

  275.   a new way of authentication is added at the OP of Bob. Moreover, the
    276. 

  276.   authentication at the IPo's is improved to support a fine-grained access
    277. 

  277.   control. Corrupted IPo's may easily bypass this authentication, but given
    278. 

  278.   the case that the majority of IPo's is acting as expected we still
    279. 

  279.   consider this feature as being useful.
    280. 

  280. 

  281.   Bob can now decide whether he wants to allow Alice to use his services or
    282. 

  282.   not. This gives him the possibility to offer his services only to known
    283. 

  283.   and trusted users that need to identify by a password or by signing their
    284. 

  284.   messages. The anonymity of the client towards the service provider is
    285. 

  285.   thereby reduced to pseudonymity.
    286. 

  286. 

  287.   Changing of access rights now involves all three authorization authorities
    288. 

  288.   depending on what changes should be made:
    289. 

  289. 

  290.     - The user configures his changes at the local OP. Therefore he can
    291. 

  291.       edit the cookie files that were extended to support multiple users.
    292. 

  292.       Moreover he can edit the new user files that were added to specify
    293. 

  293.       authentication information for every user.
    294. 

  294. 

  295.     - Whenever local changes occur, this information needs to be either
    296. 

  296.       passed to the responsible IPo's, the directory servers, or both
    297. 

  297.       depending on the authorization method and operation used. It is
    298. 

  298.       important to have consistent authorization results at all authorities
    299. 

  299.       at the same time, to create a trustworthy system with good user
    300. 

  300.       acceptance. As these reconfigurations always follow local changes
    301. 

  301.       they can be done automatically by the new Tor implementation and
    302. 

  302.       therefore no user interaction is needed.
    303. 

  303. 

  304.     - The secret cookies proposed in 114-distributed-storage are used for
    305. 

  305.       group management in our implementation as their use would be far to
    306. 

  306.       costly for a user-based authorization. That is because right now one
    307. 

  307.       descriptor is generated and uploaded for every secret cookie. Changes
    308. 

  308.       in this configuration should therefore be rare (maybe never) and only
    309. 

  309.       a few groups should exist. Provided that this is the case the costs
    310. 

  310.       for changes seem acceptable. As there is currently no possibility to
    311. 

  311.       make a directory remove the descriptor for a group an updated
    312. 

  312.       descriptor without any IPo should be uploaded to the directory
    313. 

  313.       servers.
    314. 

  314. 

  315.   Local changes to access rights can now be done faster than by changing
    316. 

  316.   service descriptors which reduces the directory server load and network
    317. 

  317.   traffic. Still every configuration change remains costly and users should
    318. 

  318.   carefully choose how detailed the access right configuration should be.
    319. 

  319. 

  320.   Attacking clients now need to bypass two more authentication steps to
    321. 

  321.   reach the service implementation. Compared to the current state it is
    322. 

  322.   more likely that attackers can be stopped even before they are able to
    323. 

  323.   contact Bob's OP. We expect that the possibility of an attack is thereby
    324. 

  324.   significantly reduced. Another positive side effect is that network
    325. 

  325.   traffic and router load is reduced by discarding unauthorized cells which
    326. 

  326.   should lower the effectiveness of denial of service attacks.
    327. 

  327. 

  328. Compatibility:
    329. 

  329. 

  330.   When using our authentication for hidden services the implementation of
    331. 

  331.   IPo's needs to be extended. Therefore we use version information provided
    332. 

  332.   in router descriptors to be sure that we only send modified
    333. 

  333.   RELAY_ESTABLISH_INTRO cells to routers that can handle them. Clients and
    334. 

  334.   service providers will have to update their Tor installation if they
    335. 

  335.   want to be able to use the service.
    336. 

  336.