
Re: [tor-bugs] #31369 [Core Tor/Stem]: HSv3 descriptor support in stem



#31369: HSv3 descriptor support in stem
-----------------------------------------+-------------------------------
 Reporter:  asn                          |          Owner:  atagar
     Type:  defect                       |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Core Tor/Stem                |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  tor-hs onionbalance scaling  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:  Sponsor27-can
-----------------------------------------+-------------------------------

Comment (by asn):

 Replying to [comment:5 atagar]:
 > > I will be working on the crypto parts of all the other tasks
 >
 > Wonderful, thanks asn!
 >
 > Unsure if it helps but here's where we validate v2 hidden service
 > digests...
 >
 > https://gitweb.torproject.org/stem.git/tree/stem/descriptor/hidden_service.py#n311
 > https://gitweb.torproject.org/stem.git/tree/stem/descriptor/__init__.py#n1036
 >
 > If it would be easier for you I'm happy to integrate working demos. I
 > can easily make code pretty and add tests - I just need a working example
 > of doing the crypto. :P
 >

 ACK. Thanks!

 > > Damian, would you be interested in moving forward with (a) if I give
 > > you a full unencrypted descriptor to play with, while I'm doing the crypto
 > > parts above?
 >
 > Certainly, delighted to!
 >

 OK here is an unencrypted version of the descriptor. The stuff below
 "encrypted" belongs to the inner layer of the descriptor, while the stuff
 below "superencrypted" belongs to the middle layer of the descriptor.

 The descriptor decryption/encryption logic is fairly complicated so it
 will take me some time to implement properly, so feel free to work on this
 unencrypted thing if it's helpful to you :)


 {{{
 hs-descriptor 3
 descriptor-lifetime 180
 descriptor-signing-key-cert
 -----BEGIN ED25519 CERT-----
 AQgABqRnARJOPIQQUBTcdHepFHerAPuv0UucpTBBFRpDysiHNwmZAQAgBADI3nM8
 stVGnGGuzA4/81qRBS5asA8oUrLwH/MDpJ6QSRePrioaMbGwrgu999FasMbYpEWM
 VJ2VKC3FfU1OtQZlm8kgeEvptCbgVzqD0KQ5A8YKpkiZB40ONEL/6eIyBAE=
 -----END ED25519 CERT-----
 revision-counter 1012307846
 superencrypted
 -----BEGIN MESSAGE-----
 desc-auth-type x25519
 desc-auth-ephemeral-key 68GrIdhTe01n7WfZroM+Uwqzd4N6GpFWgVfperanvDM=
 auth-client viYu6HEs7bo ljriJfI9acOhbwhjksBvAg omzl9Hz/XK6fMdifuIAXiw
 auth-client SNzxBNMmHiU Mh0Zv0GrGxjFaKr9OG1QNg 9xayJnQoEXsuakxolL54nQ
 auth-client Ho28DFsBhTE tBB4ebOhBu95a+3dHEv+Fg XUkBvpJXerGUX/eS3uwXdQ
 auth-client 7BHnYML5O20 eMm3Csm92XdR9Mt/Xzy/ug HrEx44IVpQlQBu7tcP4F2g
 auth-client xsrAsjgWj/0 5QdhG282mmK35U5BCkqaMg Ops8Lgl+ASOXKnfii7egdA
 auth-client 6FO1oPHXwmI mEl0Z5Pn8GLlCNH5xbUeWg 9610jM1OWyASws80exma6Q
 auth-client MvOMOF2ynd0 t2TFwq3mj5ZKm8yH6wDEIg hM1wsvG4CTY8X1MLOInIIg
 auth-client WJs5l92CN4Y vfmHF82nJ8qmGqJ/DLRTGg g9d51VyUEi9LOsmdQvaQJQ
 auth-client 1TiTYG9rpDU xPJPjzHtQYmJTFm8zR1j9Q /Uv+1B5co/86sOKEGJzCqQ
 auth-client ZBkeY2qXdTc ir85lASBZRF/pD4PQIK+EQ 2LxDABMvmv86KaNQqzNenQ
 auth-client 1AOfLh0KtmI 2+yYUfy1BAKB+PKwMukTrA S1d6QTczWqADotn+yl+2aQ
 auth-client xd2xsZiNr3A FWk/SsFrech49gODym+7gA 5ydb7Ji0e7yCNZFlVD4Q5Q
 auth-client DQYYX5iSlGA VIV3wSGKIfK1GxF0xxm4dg wdH1bc2zm5dSvCVJX8ZzLg
 auth-client 1rqVzmtYgGU aSQbgq+/sF93k5stnA+8KA aAWoQMV0VM262Znc7RCMxw
 auth-client sx7Br+mYTp8 b/0rd+9e5Q1zGa79I1O41A jc1sm3lOfujPljWA09Q3ng
 auth-client S4C/qS7s5N8 XtRzoNhqQGcrVaeTQqMk2A O4bBlq8d3gopBRMWkpuyeg
 encrypted
 -----BEGIN MESSAGE-----
 create2-formats 2
 introduction-point
 AwAGkExrfCMpAhTjo4XfW84SY3IR1NHfRwPEsetFYAMgunpaAeKrlxOok7NcwG7XQJO12DqiRACG4shEyIL3MYU=
 onion-key ntor +GHueuAQu2CJhx87ADCpDP6LeSWVBaX+hVuuSf4y2X8=
 auth-key
 -----BEGIN ED25519 CERT-----
 AQkABqRmARQiSGQe7cREmoid9fsRTmS+40K4S+uCxZ/MqDTui62NAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmW8ANRYfvbwh8I3SYUKrrxFamAnI
 Th4QXMrext1v3VCCu5GkzSwbmoXcw6Jmb0L6iNj5mq7DygO+8xkCuPGxTAY=
 -----END ED25519 CERT-----
 enc-key ntor 0XZIya+M/b3AOMM+65dvsdo4t7wYINPZAEqHqpIC4mI=
 enc-key-cert
 -----BEGIN ED25519 CERT-----
 AQsABqRmATzQHfq5TLhxvSIXZu3hD3wl37DkLfgWeOr9FGyfLOtHAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmTCs3FYjx4KoGH8h33Dlv72/2NLI
 3VSdrZc7IblPfkBybuUjarbAnGH9FmeCcEBLnqykvbKRWklk5luHDzJiIgQ=
 -----END ED25519 CERT-----
 introduction-point
 AwAGsB8tAwG7AhTqQ2a83KYWe4z/cOQdjNHumWjkRQMgDXL7pq1xXCCsFVp/fLe17caZhva4tDZ6/K5RPVNrGV8=
 onion-key ntor 67rrzP7USiiFuLf6f2DdzLjMGPTYI/THf0JA0NgdCEw=
 auth-key
 -----BEGIN ED25519 CERT-----
 AQkABqRmAVLwfGwQd1+CdVIxJD57ot8qyC4qLkn/BEvlOd+K1GwJAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmVdkwdxk9NbZ+ERq/OMn4ecdtpof
 SmWR7Og/BO9JZ3RpQeDEYvXm1XQhuBvdjs1+NGSmb7MMC5BCLTgXwXoo8Ac=
 -----END ED25519 CERT-----
 enc-key ntor jZ0oazC6FVzBCf4EoDtup8XCKL01b/lXlcDv07tnC1Y=
 enc-key-cert
 -----BEGIN ED25519 CERT-----
 AQsABqRmAYgVv926BQ01WwTrtNXT+VrYcZHLwomROSuaq/aqNXRuAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmdLuGMZGffBATymvNZ+Rdwy0T0gc
 DhPYhi+moBsf41NligZ7GjzD64G/xDXpJW4jXTnGIliisZyoci7jTUXDGgg=
 -----END ED25519 CERT-----
 introduction-point
 BAAG1e/X3SMpAhQCHdzWh/1QW36n512mzvDXeKoH+wMgQM1EqfCypvdC6oFfjE2DjfCb0FupPqBH5iJm/FyFI8ABEioBBPgAoJCweJ0GpJXzp4wjKQ==
 onion-key ntor 8BfSoB+OJ0XM06b8yE4dUgpyla17Hhha551sMeCspAU=
 auth-key
 -----BEGIN ED25519 CERT-----
 AQkABqRmAaEgakKORB8XHiYdroxoEznAIC7fzqJ49dNMcZoEDQwjAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmYmBRh6lM8or1WcsJwbgZrbTlxZA
 1oHQA6yDh+mQBcK6uDgkpbbWUNf+bZPpXh3/2Y50kHcfQIkLluzYFqciQgo=
 -----END ED25519 CERT-----
 enc-key ntor Yv6Yrmt7QPI4NAP5fY6weEjEGJOv8giFXxN6Wlqo82Q=
 enc-key-cert
 -----BEGIN ED25519 CERT-----
 AQsABqRmAUSQ0SBPP9T8mxbCKCZfPYY74y/9V5DyPrROYKTvQcYVAQAgBAASTjyE
 EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmRDI4CVOU+oEeKUXiydsznIfOE4C
 IpskucdyhEUD0tgzi2gvasuTQK0rjwp6Vn9W03S6+hLESNJjY+F0prhKxgk=
 -----END ED25519 CERT-----
 -----END MESSAGE----------END MESSAGE-----
 signature
 +87sbLtU3Bnjfhw1NacnmzktKnRsbC+IVayQq7UEcvEudRoSGDbq+wpWZFtQqfY1POOU+s4yEl7OStfH7Te+Bw
 }}}

 > > Also would it be possible to split the hidden_service.py file into two
 > > files (v2 and v3) so that the two codebases are isolated from each other?
 >
 > Sure, we can but honestly I don't think it makes much difference either
 > way and imports are nicer as this is...
 >

 Hmm, IMO it would be great to have them separated. The whole v3 logic will
 be a fair amount of code (especially when the crypto parts get in), and it
 would be helpful to me to know that all the things in the file are
 relevant to v3.

 For personal notekeeping here is the crypto stuff that needs to be
 implemented in python:

 - Compute descriptor signing certificate and descriptor signature.
 - Compute the blinded key from the permanent key using a consensus and the
 SRV.
 - Validate descriptor signing certificate using the blinded key.
 - Validate descriptor signature using the descriptor signing key.
 - Implement encryption and decryption of descriptor layers.

 Thanks for all the pointers to the crypto stuff Teor. I will use them when
 I start working on this.
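As an added example (not code from this ticket or from Stem), here is a parser for the ED25519 CERT blocks in the descriptor above: it unpacks the fields per Tor's cert-spec, pulls the signing key out of the signed-with-ed25519-key extension, and checks that an intro point's auth-key cert is cross-certified by the key that descriptor-signing-key-cert certifies, which is the structural half of the "validate descriptor signing certificate" items on the list. Signature verification itself is left out because it needs an ed25519 library; the two sample certs are copied from the descriptor quoted above.

```python
import base64
import struct

# Ext type 4 = signed-with-ed25519-key; ext flag 0x01 = AFFECTS_VALIDATION (reject unknown types).
EXT_SIGNING_KEY = 0x04

def parse_ed25519_cert(pem):
    """Unpack a '-----BEGIN ED25519 CERT-----' block (Tor cert-spec, version 1)."""
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    raw = base64.b64decode(body)
    if len(raw) < 40 + 64 or raw[0] != 1:
        raise ValueError("not a version-1 ed25519 cert")
    cert = {
        "type": raw[1],                                     # 0x08 / 0x09 / 0x0B in HSv3
        "expires_hours": struct.unpack(">I", raw[2:6])[0],  # hours since the epoch
        "key_type": raw[6], "key": raw[7:39], "extensions": {},
        "signed_body": raw[:-64], "signature": raw[-64:],
    }
    pos = 40
    for _ in range(raw[39]):  # N_EXTENSIONS
        ext_len, ext_type, ext_flags = struct.unpack(">HBB", raw[pos:pos + 4])
        data = raw[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_flags & 0x01 and ext_type != EXT_SIGNING_KEY:
            raise ValueError("unknown extension marked AFFECTS_VALIDATION")
        cert["extensions"][ext_type] = data
        pos += 4 + ext_len
    if pos != len(raw) - 64:
        raise ValueError("unexpected bytes between extensions and signature")
    return cert

def check_chain(desc_signing_cert_pem, ip_auth_cert_pem):
    """Intro-point auth-key cert (type 9) must be signed by the key certified in descriptor-signing-key-cert (type 8)."""
    desc = parse_ed25519_cert(desc_signing_cert_pem)
    ip = parse_ed25519_cert(ip_auth_cert_pem)
    return (desc["type"] == 0x08 and ip["type"] == 0x09
            and ip["extensions"].get(EXT_SIGNING_KEY) == desc["key"])

# Sample input: descriptor-signing-key-cert and the first auth-key cert from the ticket's descriptor.
DESC_SIGNING_CERT = """-----BEGIN ED25519 CERT-----
AQgABqRnARJOPIQQUBTcdHepFHerAPuv0UucpTBBFRpDysiHNwmZAQAgBADI3nM8
stVGnGGuzA4/81qRBS5asA8oUrLwH/MDpJ6QSRePrioaMbGwrgu999FasMbYpEWM
VJ2VKC3FfU1OtQZlm8kgeEvptCbgVzqD0KQ5A8YKpkiZB40ONEL/6eIyBAE=
-----END ED25519 CERT-----"""
IP_AUTH_CERT = """-----BEGIN ED25519 CERT-----
AQkABqRmARQiSGQe7cREmoid9fsRTmS+40K4S+uCxZ/MqDTui62NAQAgBAASTjyE
EFAU3HR3qRR3qwD7r9FLnKUwQRUaQ8rIhzcJmW8ANRYfvbwh8I3SYUKrrxFamAnI
Th4QXMrext1v3VCCu5GkzSwbmoXcw6Jmb0L6iNj5mq7DygO+8xkCuPGxTAY=
-----END ED25519 CERT-----"""
```

The signing key the check pulls out of the descriptor-signing-key-cert's extension is the blinded key, which is what a later signature check against that cert would verify with.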

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31369#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online