[tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
Robert Ransom
rransom.8774 at gmail.com
Sat Mar 10 01:03:05 UTC 2012
On 2012-03-09, Nick Mathewson <nickm at freehaven.net> wrote:
> Filename: 195-TLS-normalization-for-024.txt
> Title: TLS certificate normalization for Tor 0.2.4.x
> Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde
> Created: 6-Mar-2012
> Status: Draft
> Target: 0.2.4.x
>
>
> 0. Introduction
>
> The TLS (Transport Layer Security) protocol was designed for security
> and extensibility, not for uniformity. Because of this, it's not
> hard for an attacker to tell one application's use of TLS from
> another's.
>
> We proposes improvements to Tor's current TLS certificates to
> reduce the distinguishability of Tor traffic.
>
> 0.1. History
>
> This draft is based on parts of Proposal 179, by Jacob Appelbaum
> and Gladys Shufflebottom, but removes some already implemented parts
> and replaces others.
>
> 0.2. Non-Goals
>
> We do not address making TLS harder to distinguish after the
> handshake is done. We also do not discuss TLS improvements not
> related to distinguishability (such as increased key size, algorithm
> choice, and so on).
>
> 1. Certificate Issues
>
> Currently, Tor generates certificates according to a fixed pattern,
> where lifetime is fairly small, the certificate Subject DN is a
> single randomly generated CN, and the certificate Issuer DN is a
> different single randomly generated CN.
>
> We propose several ways to improve this below.
>
> 1.1. Separate initial certificate from link certificate
>
> When Tor is using the v2 or v3 link handshake (see tor-spec.txt), it
> currently presents an initial handshake authenticating the link key
> with the identity key.
>
> We propose instead that Tor should be able to present an arbitrary
> initial certificate (so long as its key matches the link key used in
> the actual TLS handshake), and then present the real certificate
> authenticating the link key during the Tor handshake. (That is,
> during the v2 handshake's renegotiation step, or in the v3
> handshake's CERTS cell.)
>
> The TLS protocol and the Tor handshake protocol both allow this, and
> doing so will give us more freedom for the alternative certificate
> presentation ideas below.
>
> 1.2. Allow externally generated certificates
>
> It should be possible for a Tor relay operator to generate and
> provide their own certificate and secret key. This will allow a relay or
> bridge operator to use a certificate signed by any member of the "SSL
> mafia,"[*] to generate their own self-signed certificate, and so on.
>
> For compatibility, we need to require that the key be an RSA secret
> key, of at least 1024 bits, generated with e=65537.
>
> As a proposed interface, let's require that the certificate be stored
> in ${DataDir}/tls_cert/tls_certificate.crt , that the secret key be
> stored in ${DataDir}/tls_cert/private_tls_key.key , and that they be
> used instead of generating our own certificate whenever the new
> boolean option "ProvidedTLSCert" is set to true.
>
> (Alternative interface: Allow the cert and key cert to be stored
> wherever, and have the user provide their respective locations with
> TLSCertificateFile and TLSCertificateKeyFile options.)
Users need to specify a full certificate chain, not just the
end-entity certificate.
Have you considered whether to allow the user to store the TLS
certificate's private key in a hardware device?
>
> 1.3. Longer certificate lifetimes
>
> Tor's current certificates aren't long-lived, which makes them
> different from most other certificates in the wild.
>
> Typically, certificates are valid for a year, so let's use that as
> our default lifetime. [TODO: investigate whether "a year" for most
> CAs and self-signed certs have their validity dates running for a
> calendar year ending at the second of issue, one calendar year
> ending at midnight, or 86400*(365.5 +/- .5) seconds, or what.]
>
> There are two ways to approach this. We could continue our current
> certificate management approach where we frequently generate new
> certificates (albeit with longer lifetimes), or we could make a cert,
> store it to disk, and use it for all or most of its declared
> lifetime.
>
> If we continue to use fairly short lifetimes for the _true_ link
> certificates (the ones presented during the Tor handshake), then
> presenting long-lived certificates doesn't hurt us much: in the event
> of a link-key-only compromise, the adversary still couldn't actually
> impersonate a server for long.[**]
>
> Using shorter-lived certificates with long nominal lifetimes doesn't
> seem to buy us much. It would let us rotate link keys more
> frequently, but we're already getting forward secrecy from our use of
> diffie-hellman key agreement. Further, it would make our behavior
> look less like regular TLS behavior, where certificates are typically
> used for most of their nominal lifetime. Therefore, let's store and
> use certs and link keys for the full year.
>
> 1.4. Self-signed certificates with better DNs
>
> When we generate our own certificates, we currently set no DN fields
> other than the commonName. This behavior isn't terribly common:
> users of self-signed certs usually/often set other fields too.
> [TODO: find out frequency.]
>
> Unfortunately, it appears that no particular other set of fields or
> way of filling them out _is_ universal for self-signed certificates,
> or even particularly common. The most common schema seem to be for
> things most censors wouldn't mind blocking, like embedded devices.
> Even the default openssl schema, though common, doesn't appear to
> represent a terribly large fraction of self-signed websites. [TODO:
> get numbers here.]
>
> So the best we can do here is probably to reproduce the process that
> results in self-signed certificates originally: let the bridge and relay
> operators to pick the DN fields themselves. This is an annoying
> interface issue, and wants a better solution.
>
> 1.5. Better commonName values
>
> Our current certificates set the commonName to a randomly generated
> field like www.rmf4h4h.net. This is also a weird behavior: nearly
> all TLS certs used for web purposes will have a hostname that
> resolves to their IP.
>
> The simplest way to get a plausible commonName here would be to do a
> reverse lookup on our IP and try to find a good hostname. It's not
> clear whether this would actually work out in practice, or whether
> we'd just get dynamic-IP-pool hostnames everywhere blocked when they
> appear in certificates.
What if a bridge's IP address and reverse-DNS hostname change?
How does this interact with the v3 link protocol signaling mechanism?
How will a bridge's client be told what hostname to specify in its
server name indication field?
Robert Ransom
More information about the tor-dev
mailing list