[tor-dev] Sanitizing bridge descriptors containing ed25519 fields
Nick Mathewson
nickm at torproject.org
Sun May 31 14:21:43 UTC 2015
On Sat, May 30, 2015 at 5:16 PM, Karsten Loesing <karsten at torproject.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 30/05/15 16:44, Nick Mathewson wrote:
>> On Fri, May 29, 2015 at 4:23 PM, Karsten Loesing
>> <karsten at torproject.org> wrote:
>>>> router euler [scrubbed] 8000 0 0 identity-ed25519 -----BEGIN
>>>> ED25519 CERT----- [scrubbed] -----END ED25519 CERT-----
>>>
>>> Base64-decode that block, throw it into SHA256(), base64-encode
>>> the result, format as block. But wouldn't the result be much
>>> shorter? There's no new "fingerprint" equivalent, like
>>> "fingerprint-ed25519", is there?
>>
>> Oh dear. That blob is a certificate, not a key. It changes over
>> time, because the key that it certifies varies over time.
>>
>> The format is documented in section 2.1 of proposal 220; the
>> actual identity key is in an extension labeled with type 04 (see
>> section 2.2.1).
>>
>> Maybe we should add a fingerprint-ed25519 line? It would be
>> redundant, but maybe valuable. What do you think?
>
> I took a quick look at proposal 220, but not to the point that makes
> me entirely certain about this ed25519 stuff. If anything below
> remains unclear, that might be because I'm not clear about it myself.
> Please question everything I'm saying, even more than usual.
>
> Let's also include Damian on this thread. He usually has good ideas
> about descriptors, and he knows about sanitizing bridge descriptors.
> And let's add Isis who is working a lot with bridge descriptors, too.
> (There may be more people we should ask, but hey, it's tor-dev at .)
>
>
> So, I think a "fingerprint-ed25519" line would be useful. It would
> make the bridge descriptor sanitizing process much easier. It would
> also facilitate debugging network problems, because people can just
> grep descriptors rather than using specialized tools that know how to
> decode the cert. And with microdescriptors in place it should be okay
> to add this line even if it's redundant information, because clients
> would never download it.
Hm. Okay, that sounds solid enough. I'll try to hack it in tonight
or Monday, and add it to prop220.
> If the server descriptor in #16227 were a bridge descriptor, I'd do
> the following steps for sanitizing it:
>
> - Remove identity-ed25519 line and subsequent crypto block.
+1
> - Keep yet-to-be-added fingerprint-ed25519 line, but SHA256 its value.
> - Keep extra-info digest line, but SHA1 and SHA256 its values.
Suggestion: Don't use raw SHA256(x) but instead use SHA256("sanitize
ID for bridge descriptor" | x) or SHA256("sanitize extra-info digest
for bridge descriptor" | x). That way we don't need to worry about
colliding with something else that decides to SHA256 these.
> - Remove onion-key line and subsequent crypto block.
> - Remove signing-key line and subsequent crypto block.
> - Remove onion-key-crosscert line and subsequent crypto block.
> - Remove ntor-onion-key-crosscert line and subsequent crypto block.
> - Keep ntor-onion-key line, mostly because we didn't remove it so
> far; unless it should be removed?
> - Remove router-sig-ed25519 line.
> - Remove router-signature line and subsequent crypto block.
> - Add router-digest line with SHA1 of SHA1 of descriptor content and
> SHA256 of SHA256 of descriptor content; the rationale is that we don't
> have to write entirely new digests into the network status in order to
> match "r" lines with descriptors.
That all sounds fine.
>
> I also added the extra-info descriptor that corresponds to the server
> descriptor to #16227:
>
> https://trac.torproject.org/projects/tor/ticket/16227#comment:5
>
> I wonder, what's the best way for including the ed25519 identity in
> the extra-info descriptor? How about extending the first line to:
>
> "extra-info Truie SHA1-of-RSA SHA256-of-ed25519"
>
> Possible downsides are that this additional value might break existing
> code and that it might be problematic to get rid of the SHA1-of-RSA
> part later. But the same issues would come up with the
> "extra-info-digest" line in server descriptors, and maybe there are
> good solutions.
>
> Otherwise, a separate "fingerprint-ed25519" line might work here, too.
Plausible.
> In order to sanitize such an extra-info descriptor, I'd do these steps:
>
> - Keep extra-info line, but SHA1 (and possibly SHA256) its value(s).
See above.
> - Or, keep yet-to-be-added fingerprint-ed25519 line, but SHA256 its
> value.
See above.
> - Remove router-sig-ed25519 line.
> - Remove router-signature line and subsequent crypto block.
> - Add router-digest line with SHA1 of SHA1 of descriptor content and
> SHA256 of SHA256 of descriptor content; same rationale as above, but
> with the "extra-info-digest" line in server descriptors.
>
> What do you think?
>
Sounds fine.
More information about the tor-dev
mailing list