121-hidden-service-authentication.txt 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358
  1. Filename: 121-hidden-service-authentication.txt
  2. Title: Hidden Service Authentication
  3. Version: $LastChangedRevision$
  4. Last-Modified: $LastChangedDate$
  5. Author: Tobias Kamm, Thomas Lauterbach, Karsten Loesing, Ferdinand Rieger,
  6. Christoph Weingarten
  7. Created: 10-Sep-2007
  8. Status: Open
  9. Change history:
  10. 26-Sep-2007 Initial proposal for or-dev
  11. Overview:
  12. This proposal deals with some possibilities to implement authentication
  13. for restricted access to hidden services. This way we try to increase the
  14. security level for the service provider (Bob) by giving him the ability
  15. to exclude non-authorized users from using his service. It is based on
  16. proposal 114-distributed-storage but is better suited for a fine grained
  17. way of authentication, because it is less resource-consuming. Whenever we
  18. refer to service descriptors and cell formats, we are talking about the
  19. definitions found in 114-distributed-storage unless otherwise stated.
  20. We discuss password and public-key authentication for the Onion Proxy
  21. (OP) of Bob's hidden service (HS). Furthermore a challenge-response
  22. authentication mechanism is introduced at the introduction point.
  23. These modifications aim at:
  24. - increasing the security of hidden services by limiting access only to
  25. authorized users (specification see details) and
  26. - reducing the traffic in the network by rejecting unauthorized access
  27. requests earlier.
  28. Motivation:
  29. The currently used implementation of hidden services does not provide any
  30. kind of authentication. The v2 implementation adds an authentication
  31. mechanism at the directory server. Security can be further improved by
  32. adding two more authentication authorities at the introduction point
  33. (IPo) and the OP.
  34. Although the service descriptors are already designed to carry
  35. authentication information the existing fields are not used so far.
  36. Moreover one can find a couple of notes at the specification of cell
  37. formats (rend-spec) which point at adding authentication information but
  38. no fields are specified yet. It would be preferable to extend the Tor
  39. network with authentication features to offer a solution for all
  40. services. This would also provide means to authorize access to services
  41. that currently do not support authentication mechanisms. Moreover, Bob's
  42. authentication administration for all services could be performed
  43. centralized in the Tor application, and the implementation overhead for
  44. developers would be significantly reduced. Another benefit would be the
  45. reduced traffic by checking authentication data and dropping unauthorized
  46. requests as soon as possible. For example unauthorized requests could
  47. already be discarded at the introduction points.
  48. In addition to that, our implementation is able to hide the service from
  49. users, who still have access to the secret cookie (see
  50. 114-distributed-storage) but should no longer be authorized. Bob can now
  51. not only hide his location, but also to a certain degree his presence
  52. towards unauthorized clients given that none of his IPo's are corrupted.
  53. Details:
  54. /1/ Client authentication at the hidden service
  55. In proposal 114 a client (Alice) who has a valid secret cookie, which may
  56. be considered as a form of authentication, and a service ID is able to
  57. connect to Bob if he is online. He can not distinguish between Alice
  58. being intentionally authorized by himself or being an attacker.
  59. Integrating authentication in Tor HS will ensure Bob that Alice is only
  60. able to use the service if she is authorized by him.
  61. Authentication data will be transmitted via the RELAY_INTRODUCE1 cell
  62. from Alice to Bob that is forwarded by the IPo. For this message several
  63. format versions are specified in the rend-spec in section 1.8. We will
  64. use the format version 3. This specification already contains the fields
  65. "AUTHT" (to specify the authentication method), "AUTHL" (length of the
  66. authentication data), and "AUTHD" (the authentication data) that will be
  67. used to store authentication data. Since these fields are encrypted with
  68. the service's public key, sniffing attacks will fail. Bob will only build
  69. the circuit to the rendezvous point if the provided authentication data
  70. is valid, otherwise he will drop the cell. This will improve security due
  71. to preventing communication between Bob and Alice if she is an attacker.
  72. As a positive side effect it reduces network traffic because it avoids
  73. Bob from building unnecessary circuits to the rendezvous points.
  74. Authentication at the HS should be the last gatekeeper and the number of
  75. cases in which a client successfully passes the introduction point, but
  76. fails at the HS should be almost zero. Therefore it is very important to
  77. perform fine-grained access control already at the IPo (but without
  78. relying on it).
  79. The first authentication mechanism that will be supported is password
  80. (symmetric secret) authentication. "AUTHT" is set to "1" for this
  81. authentication method while the "AUTHL" field is set to "20", the length
  82. of the SHA-1 digest of the password.
  83. (1) Alice creates a password x and sends the password digest h(x) to Bob
  84. out of band.
  85. (2) Alice sends h(x) to Bob, encrypted with Bob's fresh service key (not
  86. subject to this proposal, see proposal 114).
  87. (3) Bob decrypts Alice's message using his private service key (see
  88. proposal 114) and compares the contained h(x) with what he knows what
  89. Alice's password digest h(x) should be.
  90. This kind of authentication is well-known. It has the known disadvantage
  91. of weak passwords that are vulnerable to dictionary or brute-force
  92. attacks. Nevertheless it seems to be an appropriate solution since safe
  93. passwords can be randomly generated by Tor. Cracking methods that rely on
  94. guessing passwords should not be effective in the constantly changing
  95. network infrastructure. A usability advantage is that this method is easy
  96. to perform even for unexperienced users. The authenticationdata will be
  97. the SHA-1 secure hash (see tor-spec) of the shared secret (password).
  98. The premise to use password authentication is that Bob must send the
  99. password to Alice outside Tor. If at the same time the secret cookie is
  100. transmitted and the message is intercepted the attacker can gain access
  101. to the service. Therefore, a secure way to exchange this information must
  102. be established.
  103. The second authentication mechanism is public-key authentication. The
  104. well-known RSA implementation will be used as cipher (see tor-spec).
  105. Authentication data will be the hash of the rendezvous cookie, signed
  106. with the private key (SK).
  107. When Alice wants to use this authentication method she sets "AUTHT" to
  108. "2" and "AUTHL" to "128" which is the size of the encrypted data. Since
  109. the rendezvous cookie changes each time Alice connects, replay attacks
  110. can be easily prevented.
  111. (1) Alice creates a private key e and sends the corresponding public key
  112. d to Bob out of band.
  113. (2) Alice generates a random rendezvous cookie r, computes PKSign(e, r),
  114. encrypts it with Bob's fresh service key (see proposal 114), and
  115. sends the result to Bob.
  116. (3) Bob decrypts Alice's message using his private service key (see
  117. proposal 114) and verifies PKSign(e, r) with d.
  118. The premise for public-key authentication is that Alice must send the
  119. generated public key to Bob outside Tor. If an attacker is able to swap
  120. that key, the attacker could perform a man-in-the-middle attack, if he
  121. managed to serve as an IPo for Bob. Therefore a secure exchange channel
  122. must be established.
  123. Depending on what authentication data Bob knows from Alice (password
  124. and/or public key, or other data that is added later) there are several
  125. choices for Alice to authenticate to the service.
  126. After validating the provided "AUTHD" Bob builds a circuit to the
  127. rendezvous point and starts interacting with Alice. If Bob cannot
  128. identify the client he must refuse the request by not connecting to the
  129. rendezvous point.
  130. It will also still be possible to establish v2 hidden services without
  131. authentication. Therefore the "AUTHT" field must be set to "0". "AUTHL"
  132. and "AUTHD" are not provided by the client in that case.
  133. /2/ Client authentication at the introduction point
  134. In addition to authentication at the HS OP, the IPo should be able to
  135. detect and abandon all unauthorized requests. This would help to raise
  136. the level of privacy and therefore also the level of security for Bob by
  137. better hiding his online activity from unauthorized users. Especially if
  138. Alice still has access to the secret cookie. This can be the case if she
  139. had access to the service earlier, but is no longer authorized or the
  140. directory is outdated. Another advantage of this additional "gate keeper"
  141. would be reduced traffic in the network, because unauthorized requests
  142. could already be detected and declined at the IPo.
  143. It is important to notice that the IPo may not be trustworthy, and
  144. therefore can not replace authentication at the HS OP itself. Nor should
  145. the IPo get hold of critical authentication information (because it could
  146. try to access the service itself).
  147. A challenge-response authentication protocol is used to address these
  148. issues. This means that a challenge is needed to be solved by Alice to
  149. get forwarded to Bob by the IPo.
  150. Two types of authentication are supported and need to be preconfigured by
  151. Bob when creating the service: password and public-key authentication.
  152. Again it is up to Alice what kind of authentication mechanism she wants
  153. to use, given that Bob knows both her password and her public key.
  154. If Alice uses a password to authenticate herself at the IPo, the
  155. authentication is based on a symmetric challenge-response authentication
  156. protocol. In this case the challenge for Alice is to send h(x|y) where x
  157. is a user-specific password, which should be different from the password
  158. needed for authentication at the hidden service and y is a randomly
  159. generated value. Alice gets hold of her password out of band.
  160. With the initial RELAY_ESTABLISH_INTRO cell, the IPo gets a list of
  161. h(x|y)'s which it stores locally. Upon a request of Alice it compares her
  162. provided authentication data with the list entries. If there is a
  163. matching entry in its list, Alice's request is valid and can be forwarded
  164. to Bob. To generate the hash, Alice needs to know the password (which she
  165. will get out of band) and the random value y. This value is contained in
  166. the cookie-encrypted part of the hidden service descriptor which Alice
  167. can retrieve from the directory using her secret cookie.
  168. (1) Alice creates a password x and sends the password digest h(x) to Bob
  169. out of band.
  170. (2) Bob creates a random value y, computes h(h(x)|y), and sends the
  171. result to the introduction point.
  172. (3) Bob encrypts y with a secret cookie (see proposal 114) and writes it
  173. to a rendezvous service descriptor.
  174. (4) Alice fetches Bob's rendezvous service descriptor, decrypts y using
  175. the secret cookie (see proposal 114), computes h(h(x)|y), encrypts
  176. it with the public key of the introduction point, and sends it to
  177. that introduction point.
  178. (5) The introduction point decrypts h(h(x)|y) from Alice's message and
  179. compares it to the value it knows from Bob (from step 2).
  180. If Alice wants to use public-key authentication to authenticate herself
  181. at Bob's HS, the challenge-response authentication protocol is slightly
  182. different.
  183. The IPo's are provided with a list of random value hashes h(r) with an
  184. entry for each user via the RELAY_ESTABLISH_INTRO cell. For public-key
  185. authentication Alice uses an RSA public/private-key pair (as specified in
  186. tor-spec). The public key is made known to Bob out of band. The IPo's
  187. will now be sent a new ESTABLISH_INTRO cell with an additional random
  188. value hash for Alice and a new descriptor is uploaded to the responsible
  189. directories. The public-key authentication part of the service descriptor
  190. holds a blank separated list of key-value pairs with one pair for every
  191. authorized user. The hash of the public key of a user serves as a key,
  192. while the PK-encrypted r represents the value. Authorized users can now
  193. find their respective key-value pair and decrypt the value of h(r). This
  194. result serves as an authorization token at the IPo in the same way as
  195. with password authentication. The IPo does not know which authentication
  196. method was used since the tokens always have the same format.
  197. (1) Alice creates a private key e and sends the corresponding public key
  198. d to Bob out of band.
  199. (2) Bob creates a random value y and sends it to the introduction point.
  200. (3) Bob computes PKEncrypt(d, y), encrypts the result with a secret
  201. cookie (see proposal 114), and writes it to a rendezvous service
  202. descriptor.
  203. (4) Alice fetches Bob's rendezvous service descriptor, decrypts
  204. PKEncrypt(d, y) using the secret cookie (see proposal 114), decrypts
  205. y from it using her private key e, and sends it to the introduction
  206. point.
  207. (5) The introduction point compares y with the value it knows from Bob
  208. (from step 2).
  209. To remove a user from a group, Bob needs to update the random value list
  210. at the IPo's.
  211. The changes needed in Tor to realize these two challenge-response
  212. variations affect the RELAY_ESTABLISH_INTRO and RELAY_INTRODUCE1 relay
  213. cells, the service descriptor and the code parts in Tor where these cells
  214. and the descriptor are handled.
  215. The RELAY_ESTABLISH_INTRO cell is now structured as follows:
  216. V Format byte: set to 255 [1 octet]
  217. V Version byte: set to 2 [1 octet]
  218. KL Key length [2 octets]
  219. PK Bob's public key [KL octets]
  220. HS Hash of session info [20 octets]
  221. AUTHT The auth type that is supported [1 octet]
  222. AUTHL Length of auth data [2 octets]
  223. AUTHD Auth data [variable]
  224. SIG Signature of above information [variable]
  225. "AUTHT" is set to "1" for password/public-key authentication.
  226. "AUTHD" is a list of 20 octet long challenges for clients.
  227. The service descriptor as specified in 114-distributed-storage is used in
  228. our implementation.
  229. For password authentication "authentication" auth-type is set to "1" and
  230. auth-data contains the 20 octets long string used by clients to construct
  231. the response to the challenge for authentication at the IPo.
  232. When using public-key authentication the auth-type is set to "2" and
  233. auth-data holds a list of 148 octets long blank separated values. The
  234. first 20 octets of each value is the hash of the public key of a certain
  235. client and used by Alice to determine her entry in the list. The
  236. remaining 128 octets contain the PK-encrypted token needed to
  237. authenticate to the IPo.
  238. The part of the RELAY_INTRODUCE1 cell that can be read by the IPo has the
  239. following fields added:
  240. AUTHT The auth type that is supported [1 octet]
  241. AUTHL Length of auth data [1 octets]
  242. AUTHD Auth data [variable]
  243. The AUTHT and AUTHL fields are provided to allow extensions of the
  244. protocol. Currently, we set AUTHT to 1 for password/public-key
  245. authentication and AUTHL to 20 for the length of the authorization token.
  246. Security implications:
  247. In addition to the security features proposed in 114-distributed-storage
  248. a new way of authentication is added at the OP of Bob. Moreover, the
  249. authentication at the IPo's is improved to support a fine-grained access
  250. control. Corrupted IPo's may easily bypass this authentication, but given
  251. the case that the majority of IPo's is acting as expected we still
  252. consider this feature as being useful.
  253. Bob can now decide whether he wants to allow Alice to use his services or
  254. not. This gives him the possibility to offer his services only to known
  255. and trusted users that need to identify by a password or by signing their
  256. messages. The anonymity of the client towards the service provider is
  257. thereby reduced to pseudonymity.
  258. Changing of access rights now involves all three authorization authorities
  259. depending on what changes should be made:
  260. - The user configures his changes at the local OP. Therefore he can
  261. edit the cookie files that were extended to support multiple users.
  262. Moreover he can edit the new user files that were added to specify
  263. authentication information for every user.
  264. - Whenever local changes occur, this information needs to be either
  265. passed to the responsible IPo's, the directory servers, or both
  266. depending on the authorization method and operation used. It is
  267. important to have consistent authorization results at all authorities
  268. at the same time, to create a trustworthy system with good user
  269. acceptance. As these reconfigurations always follow local changes
  270. they can be done automatically by the new Tor implementation and
  271. therefore no user interaction is needed.
  272. - The secret cookies proposed in 114-distributed-storage are used for
  273. group management in our implementation as their use would be far to
  274. costly for a user-based authorization. That is because right now one
  275. descriptor is generated and uploaded for every secret cookie. Changes
  276. in this configuration should therefore be rare (maybe never) and only
  277. a few groups should exist. Provided that this is the case the costs
  278. for changes seem acceptable. As there is currently no possibility to
  279. make a directory remove the descriptor for a group an updated
  280. descriptor without any IPo should be uploaded to the directory
  281. servers.
  282. Local changes to access rights can now be done faster than by changing
  283. service descriptors which reduces the directory server load and network
  284. traffic. Still every configuration change remains costly and users should
  285. carefully choose how detailed the access right configuration should be.
  286. Attacking clients now need to bypass two more authentication steps to
  287. reach the service implementation. Compared to the current state it is
  288. more likely that attackers can be stopped even before they are able to
  289. contact Bob's OP. We expect that the possibility of an attack is thereby
  290. significantly reduced. Another positive side effect is that network
  291. traffic and router load is reduced by discarding unauthorized cells which
  292. should lower the effectiveness of denial of service attacks.
  293. Compatibility:
  294. When using our authentication for hidden services the implementation of
  295. IPo's needs to be extended. Therefore we use version information provided
  296. in router descriptors to be sure that we only send modified
  297. RELAY_ESTABLISH_INTRO cells to routers that can handle them. Clients of
  298. v2 hidden services will have to update their Tor installation if they
  299. want to be able to use the service.