Главная Обзор Помощь
Вход
sengler
/
tor-parallel-relay-conn
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 96e8fb8e8a
Ветки Метки
tor-parallel...
/
doc
/
spec
/
proposals
/
136-legacy-keys.txt

136-legacy-keys.txt 4.1 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. Filename: 136-legacy-keys.txt
    2. 

  2. Title: Mass authority migration with legacy keys
    3. 

  3. Author: Nick Mathewson
    4. 

  4. Created: 13-May-2008
    5. 

  5. Status: Finished
    6. 

  6. 

  7. Overview:
    8. 

  8. 

  9.   This document describes a mechanism to change the keys of more than
    10. 

  10.   half of the directory servers at once without breaking old clients
    11. 

  11.   and caches immediately.
    12. 

  12. 

  13. Motivation:
    14. 

  14. 

  15.   If a single authority's identity key is believed to be compromised,
    16. 

  16.   the solution is obvious: remove that authority from the list,
    17. 

  17.   generate a new certificate, and treat the new cert as belonging to a
    18. 

  18.   new authority.  This approach works fine so long as less than 1/2 of
    19. 

  19.   the authority identity keys are bad.
    20. 

  20. 

  21.   Unfortunately, the mass-compromise case is possible if there is a
    22. 

  22.   sufficiently bad bug in Tor or in any OS used by a majority of v3
    23. 

  23.   authorities.  Let's be prepared for it!
    24. 

  24. 

  25.   We could simply stop using the old keys and start using new ones,
    26. 

  26.   and tell all clients running insecure versions to upgrade.
    27. 

  27.   Unfortunately, this breaks our cacheing system pretty badly, since
    28. 

  28.   caches won't cache a consensus that they don't believe in.  It would
    29. 

  29.   be nice to have everybody become secure the moment they upgrade to a
    30. 

  30.   version listing the new authority keys, _without_ breaking upgraded
    31. 

  31.   clients until the caches upgrade.
    32. 

  32. 

  33.   So, let's come up with a way to provide a time window where the
    34. 

  34.   consensuses are signed with the new keys and with the old.
    35. 

  35. 

  36. Design:
    37. 

  37. 

  38.   We allow directory authorities to list a single "legacy key"
    39. 

  39.   fingerprint in their votes.  Each authority may add a single legacy
    40. 

  40.   key.  The format for this line is:
    41. 

  41. 

  42.      legacy-dir-key FINGERPRINT
    43. 

  43. 

  44.   We describe a new consensus method for generating directory
    45. 

  45.   consensuses.  This method is consensus method "3".
    46. 

  46. 

  47.   When the authorities decide to use method "3" (as described in 3.4.1
    48. 

  48.   of dir-spec.txt), for every included vote with a legacy-dir-key line,
    49. 

  49.   the consensus includes an extra dir-source line.  The fingerprint in
    50. 

  50.   this extra line is as in the legacy-dir-key line.  The ports and
    51. 

  51.   addresses are in the dir-source line.  The nickname is as in the
    52. 

  52.   dir-source line, with the string "-legacy" appended.
    53. 

  53. 

  54.       [We need to include this new dir-source line because the code
    55. 

  55.       won't accept or preserve signatures from authorities not listed
    56. 

  56.       as contributing to the consensus.]
    57. 

  57. 

  58.   Authorities using legacy dir keys include two signatures on their
    59. 

  59.   consensuses: one generated with a signing key signed with their real
    60. 

  60.   signing key, and another generated with a signing key signed with
    61. 

  61.   another signing key attested to by their identity key.  These
    62. 

  62.   signing keys MUST be different.  Authorities MUST serve both
    63. 

  63.   certificates if asked.
    64. 

  64. 

  65. Process:
    66. 

  66. 

  67.   In the event of a mass key failure, we'll follow the following
    68. 

  68.   (ugly) procedure:
    69. 

  69.      - All affected authorities generate new certificates and identity
    70. 

  70.        keys, and circulate their new dirserver lines.  They copy their old
    71. 

  71.        certificates and old broken keys, but put them in new "legacy
    72. 

  72.        key files".
    73. 

  73.      - At the earliest time that can be arranged, the authorities
    74. 

  74.        replace their signing keys, identity keys, and certificates
    75. 

  75.        with the new uncompromised versions, and update to the new list
    76. 

  76.        of dirserer lines.
    77. 

  77.      - They add an "V3DirAdvertiseLegacyKey 1" option to their torrc.
    78. 

  78.      - Now, new consensuses will be generated using the new keys, but
    79. 

  79.        the results will also be signed with the old keys.
    80. 

  80.      - Clients and caches are told they need to upgrade, and given a
    81. 

  81.        time window to do so.
    82. 

  82.      - At the end of the time window, authorities remove the
    83. 

  83.        V3DirAdvertiseLegacyKey option.
    84. 

  84. 

  85. Notes:
    86. 

  86. 

  87.   It might be good to get caches to cache consensuses that they do not
    88. 

  88.   believe in.  I'm not sure the best way of how to do this.
    89. 

  89. 

  90.   It's a superficially neat idea to have new signing keys and have
    91. 

  91.   them signed by the new and by the old authority identity keys.  This
    92. 

  92.   breaks some code, though, and doesn't actually gain us anything,
    93. 

  93.   since we'd still need to include each signature twice.
    94. 

  94. 

  95.   It's also a superficially neat idea, if identity keys and signing
    96. 

  96.   keys are compromised, to at least replace all the signing keys.
    97. 

  97.   I don't think this achieves us anything either, though.
    98. 

  98. 

  99.