[tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells

Robert Ransom rransom.8774 at gmail.com
Fri Nov 4 21:10:16 UTC 2011


On 2011-11-04, George Kadianakis <desnacked at gmail.com> wrote:
>
> Filename: 189-authorize-cell.txt
> Title: AUTHORIZE and AUTHORIZED cells
> Author: George Kadianakis
> Created: 04 Nov 2011
> Status: Open
>
> 1. Overview
>
>    Proposal 187 introduced the concept of the AUTHORIZE cell, a cell
>    whose purpose is to make Tor bridges resistant to scanning attacks.
>
>    This is achieved by having the bridge and the client share a secret
>    out-of-band and then use AUTHORIZE cells to validate that the
>    client indeed knows that secret before proceeding with the Tor
>    protocol.
>
>    This proposal specifies the format of the AUTHORIZE cell and also
>    introduces the AUTHORIZED cell, a way for bridges to announce to
>    clients that the authorization process is complete and successful.
>
> 2. Motivation
>
>    AUTHORIZE cells should be able to perform a variety of
>    authorization protocols based on a variety of shared secrets. This
>    forces the AUTHORIZE cell to have a dynamic format based on the
>    authorization method used.
>
>    AUTHORIZED cells are used by bridges to signal the end of a
>    successful bridge client authorization and the beginning of the
>    actual link handshake. AUTHORIZED cells have no other use and for
>    this reason their format is very simple.
>
>    Both AUTHORIZE and AUTHORIZED cells are to be used under censorship
>    conditions and they should look innocuous to any adversary capable
>    of monitoring network traffic.

I wrote the following in my reply to proposal 190, but it probably
belongs here instead:

| An adversary who MITMs the TLS connection and receives a Tor AUTHORIZE
| cell will know that the client is trying to connect to a Tor bridge.
|
| Should the client send a string of the form "GET
| /?q=correct+horse+battery+staple\r\n\r\n" instead of an AUTHORIZE
| cell, where "correct+horse+battery+staple" is a semi-plausible search
| phrase derived from the HMAC in some way?


>    As an attack example, an adversary could passively monitor the
>    traffic of a bridge host, looking at the packets directly after the
>    TLS handshake and trying to deduce from their packet size if they
>    are AUTHORIZE and AUTHORIZED cells. For this reason, AUTHORIZE and
>    AUTHORIZED cells are padded with a random amount of padding before
>    sending.

What distribution should this 'random amount' be chosen from?


> 3. Design
>
> 3.1. AUTHORIZE cell
>
>    The AUTHORIZE cell is a variable-sized cell.
>
>    The generic AUTHORIZE cell format is:
>
>          AuthMethod                       [1 octet]
>          MethodFields                     [...]
>          PadLen                           [2 octets]
>          Padding                          ['PadLen' octets]
>
>    where:
>
>    'AuthMethod', is the authorization method to be used.
>
>    'MethodFields', is dependent on the authorization Method used. It's
>                    a meta-field hosting an arbitrary amount of fields.
>
>    'PadLen', specifies the amount of padding in octets.
>
>    'Padding', is 'PadLen' octets of random content.
>
> 3.2. AUTHORIZED cell format
>
>    The AUTHORIZED cell is a variable-sized cell.
>
>    The AUTHORIZED cell format is:
>
>          'AuthMethod'                       [1 octet]
>          'PadLen'                           [2 octets]
>          'Padding'                          ['PadLen' octets]
>
>    where all fields have the same meaning as in section 3.1.
>
> 3.3. Cell parsing
>
>    Implementations MUST ignore the contents of 'Padding'.
>
>    Implementations MUST reject an AUTHORIZE or AUTHORIZED cell where
>    the 'Padding' field is not 'PadLen' octets long.
>
>    Implementations MUST reject an AUTHORIZE cell with an 'AuthMethod'
>    they don't recognize.

What does "reject" mean here?


> 4. Discussion
>
> 4.1. Why not let the pluggable transports do the padding, like they
>      are supposed to do for the rest of the Tor protocol?
>
>    The arguments of section "Alternative design: Just use pluggable
>    transports" of proposal 187, apply here as well:
>
>    All bridges who use client authorization will also need camouflaged
>    AUTHORIZE/AUTHORIZED cell.

What does "camouflaged" mean here?


> 4.2. How should multiple round-trip authorization protocols be handled?

s/multiple round/multiple-round/ # it's part of a phrase acting as an
ad-something

>    Protocols that require multiple round-trips between the client and
>    the bridge should use AUTHORIZE cells for communication.

.-1s/round-trips/round trips/ # it's part of a top-level noun phrase

>    The format of the AUTHORIZE cell is flexible enough to support
>    messages from the client to the bridge and the inverse.

s/inverse/reverse/

When can an AUTHORIZE cell be sent, and by whom?

Can a bridge which requires client authorization perform reachability
and bandwidth self-tests?  If so, how?


>    In the end of a successful multiple round-trip protocol, an
>    AUTHORIZED cell must be issued from the bridge to the client.

.-1s/multiple round/multiple-round/ # it's part of a phrase acting as
an ad-something
s/In/At/

> 4.3. AUTHORIZED seems useless. Why not use VPADDING instead?
>
>    As noted in proposal 187, the Tor protocol uses VPADDING cells for
>    padding; any other use of VPADDING makes the Tor protocol kludgy.
>
>    In the future, and in the example case of a v3 handshake, a client
>    can optimistically send a VERSIONS cell along with the final
>    AUTHORIZE cell of an authorization protocol. That allows the
>    bridge, in the case of successful authorization, to also process
>    the VERSIONS cell and begin the v3 handshake promptly.


Robert Ransom


More information about the tor-dev mailing list