[tor-talk] Improved HS key management
George Kadianakis
desnacked at riseup.net
Wed Jan 29 17:05:42 UTC 2014
Qingping Hou <dave2008713 at gmail.com> writes:
> On 12/28/2013 06:46 AM, Gregory Maxwell wrote:
>> One of the current unfortunate properties of hidden services is that
>> the identity of the hidden service is its public key (or the
>> equivalent hash, in the current setup), and this key must always be
>> available for signing on an online host (usually the HS itself, though
>> potentially on a bastion host).
>>
>> This is pretty bad for prudent key management— the key is very high
>> value because it's difficult to change, and then stuck always online
>> constantly being signed with— even on demand by a hostile attacker.
>>
>> Then the matter is made even worse by there being no systematized
>> mechanism for revocation.
>>
>> It would be preferable if it were possible to have a HS master key
>> which was kept _offline_ which could be used to authorize use for some
>> time period and/or revoke usage. The offline key could be used to
>> create an online key which is good for a year or until superseded by a
>> higher sequence number, and every 6 months the online key could be
>> replaced. Thus if an old copy of the HS media were discovered it
>> couldn't be used to impersonate the site.
>>
>> Sadly the homomorphism proposed to prevent HSDIR enumeration attacks
>> cannot be used to accomplish this, as knowledge of the ephemeral
>> private key and the public blinding factor yields the original private
>> key.
>>
>> I can describe a scheme to address this but I'm surprised to not find
>> any discussion of it.
>>
>
> As grarpamp already mentioned, second gen draft introduced the concept
> of master key, blinded signing key and descriptor signing key. It does
> not specify how to do key revocation though.
>
> Maybe you can add your idea to the draft and help improve it?
FWIW I started a thread in tor-dev about this:
https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html
Would like to hear your comments if you have any :)