[tor-dev] A Proposal for a hidden service revocation system
Adrien Johnson
adrienj at adrienj.com
Sat Mar 7 21:33:16 UTC 2015
Filename: xxx-rend-revoke.txt
Title: Hidden Service Revocation
Author: Adrien Johnson
Created: 2015-03-04
Status: Draft
Hidden service operators need to be able to revoke trust in their hidden
service
if they know or suspect their hidden service secret key has been
compromised.
1. Motivation
A Hidden service operator can determine that the hidden service
secret key
is compromised in several ways today. Forensic traces of intrusion
may be
detected on the hidden service server, or valid signed descriptors
for the
service may be published by someone other than the legitimate
operator in a
traffic hijacking attack. It is impossible for a compromised hidden
service
secret key to be used to hijack traffic in a way that is not
detectable by
the latter method.
Even though it is easy for the operator to detect a hidden service
key is
compromised, there is no satisfactory way for a hidden service
operator to
notify its users of this fact. The hidden service may display
a message to its users warning of the compromise and directing them
to a new
supposedly uncompromised .onion domain, but a user has no way to know
whether such a message was posted by the legitimate hidden service
operator
or a hijacker.
A revocation system where anyone possessing the hidden service
secret key
can revoke trust in the key solves this problem.
2. Overview
This revocation system is built on the hidden service directory
system. A
revocation takes the form of a hidden service descriptor which
provides no
way to contact the hidden service (i.e. zero introductory points).
A hidden service directory which receives a revocation descriptor and
verifies its signature should discard any non-revocation descriptors it
possesses for that hidden service, and should propagate the revocation
through the hidden service directory system as normal.
Crucially, a hidden service directory which possesses a revocation
descriptor for a hidden service and receives a newer, valid
descriptor for
that hidden service which is not a revocation descriptor MUST
retain the
revocation descriptor and MUST discard the newer non-revocation
descriptor.
This is the only change needed to support this revocation system at a
basic level today.
3. Design considerations
3.1 Revocation lifetime
Ideally, a revocation should be permanent. The Tor network would
ideally remember forever that a hidden service has been
revoked, and
this would provide the maximum possible protection to the users
of the
hidden service against imposter services.
Indeed, any tor node which becomes aware a hidden service has been
revoked should remember this information forever, and should
refuse to
connect to any hidden service which it knows was revoked in the
past
(unless the user disables this protection).
However, a permanent (or even just long-lived) revocation in
the hidden
service directories present problems:
1) Increased memory and bandwidth requirements on the Tor network
compared to a normal hidden service descriptor. For
non-malicious use,
this may not really be a problem, since once a service is
revoked, there
would be only a trickle of requests for updated information
about it
(from visitors who have not already found out it was revoked).
However
for a malicious user who attacks the Tor network by flooding it
with
hidden service descriptors for fake hidden services, any increased
lifetime of a revocation descriptor over a normal descriptor
represents
a multiplication of their attack power.
2) For next generation hidden services as described in
224-rend-spec-ng.txt, a revocation which lasts longer than one
blinded
signing key validity period weakens the privacy protection against
correlation which is provided by rotating blinded signing keys.
If a
revocation were - for any amount of time - not expected to be
signed by the current normal blinded signing key for that
service, but
instead a separate 'blinded revocation signing key', then users
seeking
to check the revocation status of that service before visiting
would
have to make two requests for a hidden service descriptor: one
to see if
there is a revocation descriptor published by that service, and
one to
see if there is a normal descriptor published by that service.
A malicious hidden service directory (or group of directories)
could use
this correlation to determine which hidden service descriptors
belong to
the same hidden service between blinded signing key rotations.
[NOTE: Not sure how easy correlation based on request volume
already
makes this attack if the attacker controls enough hidden server
directories to reliably monitor request volume between blinded
signing
key rotations. I suspect the real danger of long-lived revocations
compared to attacks based purely on request volume is that it lets
attackers easily "pick up a lost trail" if they managed to link a
revocation signing key and a normal blinded signing key at any time
in the past, whereas attacks based purely on request volume are
likely
to lose track of a service permanently when its descriptors
shift to
a directory the attacker does not control]
For these reasons, revocations which last no longer than
a normal hidden service descriptor, and which the operator must
therefore constantly broadcast, are the safest option for
implementing
hidden service revocations using hidden service descriptors.
Short lived revocations have the advantage that the Tor network
does not
need to make any hard-and-fast judgement about how long it is
worthwhile
to remember a hidden service has been revoked, the hidden service
operator can make that judgement for themselves and broadcast the
revocation for as long the operator feels hijacking and
impersonation
is a concern.
If the operator is unable to maintain (or fears they will be
unable to
maintain) a revocation broadcast for an appropriate amount of time,
they can disclose their private key to a 3rd party service who will
broadcast the revocation on the operator's behalf. An operator
would
want to employ several of these services, since if only one
service had
the private key, and if they were malicious, they could cease
broadcasting the revocation and instead use the key to set up an
impostor service.
Despite these minor difficulties that short-lived revocations
impose,
they are still a major improvement to the security of the Tor
network.
3.2 Digression on the shape of a 3rd party Revocation Broadcast Service
Though it is outside the scope of this proposal,
I envision these 3rd party key revocation services being simple
websites
where anyone can upload a hidden service private key and the
website
will broadcast the revocation indefinitely. They could employ
simple
abuse-mitigation like CAPCHAs or IP ratelimiting over the
clearnet to
prevent mass-upload of keys. This should keeps costs low enough
that
these revocations services could operate for free.
Alternatively (or additionally), a distributed 3rd party revocation
service could be built into the Tor network by enclosing the
private
key in the revocation descriptor. This would allow anyone who
retrieves
the revocation descriptor (and knows which .onion it's for) to
broadcast updated 'echo' revocation descriptors of their own.
This could
be built to avoid the problems with static long-lived revocations.
[TODO: Expand in another document later]
4. Implementation
4.1 Basic Support
For the Tor network to support hidden service revocations at a
basic
level, a large proportion of hidden service directories must
recognize
that a hidden service descriptor with zero introductory points
has the
special meaning of being a revocation. These hidden service
directories
must not allow a current unexpired revocation descriptor to be
replaced
by a non-revocation descriptor (so called 'un-revocation'). In
all other
ways, treatment of a revocation descriptor is identical to
treatment of
a non-revocation descriptor for a hidden service.
[NOTE: Maybe we want a more explicitly requested revocation?
Using a
zero introductory point descriptor as a revocation has the
advantage of being backward-compatible with older directory
software,
which will be able to accept and propagate the revocation to
other more
up-to-date directories, even though the older directories will not
provide protection against un-revoking a hidden service if the
attacker
delivers an un-revocation descriptor to them directly.
Is there a need for zero introductory point descriptors in any
other
case? If a hidden service previously published introductory points
and it now no longer can be contacted at those points, and it does
not have any new introductory points, it is unreachable.
Publishing a
descriptor announcing all zero of its introductory points will not
change its reachability, though it may slightly reduce wasted
effort by
tor nodes attempting to reach it.]
4.1.1 Steps required to add support
1) If current code results in hidden services publishing zero-
introductory point descriptors, this is blocked to prevent
accidental revocation. I would love to get this in 0.2.6.
2) If a modification is needed in step 1, then a grace period
is given for hidden service operators to update their
software. This grace period does not have to be long, we
can move
onto step 3 relatively fast, since the only penalty for
accidental
revocation step 3 would create is forcing the hidden service to
upgrade their software, and the hidden service being
unreachable for
a maximum of 25 hours (lifetime of a descriptor) after the
hidden service upgrades.
3) Hidden service directories are modified to not allow a
current unexpired revocation descriptor to be replaced by an
un-revocation descriptor. Basic support for revocation is
achieved!
4) A long upgrade grace period is now given. The vast majority
of hidden services should be using software which includes the
modifications made in step 1
5) Expanded revocation capabilities may be added, as described
below.
4.2 Expanded Capabilities
4.2.1 Cache of revoked services
A Tor node which tried to connect to a hidden service in
the past
and discovered that the service was revoked should remember
that
revocation and refuse to connect indefinitely, even if the
revocation ceases to be broadcast in the future.
4.2.2 Presentation to the user
If an onion proxy that detects the user tried to visit a
revoked
service, this information should be presented to the user
out-of-band. I.E not in a way that could be mistaken for a
hidden
service which is only temporarily unreachable, or as
information
sent by the service. This could be done via a system level
popup, or
a taskbar notification. The presentation should be strongly
distinguished from a hidden service which is simple
unreachable.
4.2.3 Automatic hijacking detection/revocation
Tor hidden service software could have a mode to detect if
another
party is using the hidden service private key to publish
descriptors
for that service. If the hidden service operator configures it,
the Tor hidden service software could immediately begin to
broadcast
the revocation for that service.
5. Future Compatibility with Next Generation Hidden Services
Next generation Tor hidden services require a modified
revocation system because the hidden service master secret key is
better
protected, and does not need to live online on the hidden service
tor node.
The day-to-day operation of the service is carried out by a
pre-loaded set
of changing subordinate descriptor signing keys, which expire after
a set
time (25 hours by default). If descriptor signing keys are compromised,
they can be used to hijack traffic and impersonate the hidden service,
but only until the descriptor signing keys expire. So there is a need
for a way to revoke descriptor signing keys and provide new ones,
but not to
permanently revoke trust in the hidden service.
Also, theft of descriptor signing keys should not allow an attacker to
revoke the master secret key.
The revocation permissions would looks something like the following.
(Blinded signing keys are equivalent to the master secret key for
revocation purposes because an attacker which obtains any blinded
signing
secret key can easily derive the master secret key.)
1) Current descriptor signing key can revoke current descriptor
signing key.
2) Master secret key can revoke any descriptor signing key and
provide a new
descriptor signing key for that time-period.
3) Master secret key is the only one that can revoke master secret key.
5.1 Descriptor Signing Keys Revoking Themselves
[TODO: Finish later]
5.1 Master Secret Key Revoking and Replacing Descriptor Signing Keys
[TODO: Finish later]
5.2 Master Secret Key Revoking Itself
[TODO: Finish later]
More information about the tor-dev
mailing list