[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Improved HS key management

To: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-talk] Improved HS key management
From: Gregory Maxwell <gmaxwell@xxxxxxxxx>
Date: Sat, 28 Dec 2013 03:46:08 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 28 Dec 2013 06:56:07 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=alD1a9lDCOpmYZhP+b23iwN0/2PtqABbZBFaWErLRHg=; b=l+walP4dKz63oIN8aKcTwWBg73O4lT2TxkNBStcIadiCPoL2V92xuQBgKsnJ4H6AAG r8mMExnl1iD3Ex+XQ+J1+1h3Vq0dpa6eKVHj/g7iQjdQOEm9+7tDJJGM2kEc2fSwjad7 kTwGzWCN4A/nkSIgxvX8tTcvWwxjOxU4zb/OouyUtk9DLBQmpOuYd/yYNWeGQwlgRMhn 6nTW4UCjt8TfhFLC/CnYB0XTrn//ACVLs7QbSXyWGa9N20YSY6Fm3pRQHgTEhOry0OsS 3vqRDZOa98yC68nU8byIjy8JXaF7luaiy/uGOBpSjwWv5nluDPXZVHOv0Ln7jKtfU7fV ektg==
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

One of the current unfortunate properties of hidden services is that
the identity of the hidden service is its public key (or the
equivalent hash, in the current setup), and this key must always be
available for signing on an online host (usually the HS itself, though
potentially on a bastion host).

This is pretty bad for prudent key managementâ the key is very high
value because its difficult to change, and then stuck always online
constantly being signed withâ even on demand by a hostile attacker.

Then the matter is made even worse by there being no systematized
mechanism for revocation.

It would be preferable if it were possible to have a HS master key
which was kept _offline_ which could be use to authorize use for some
time period and/or revoke usage. The offline key could be used to
create an online key which is good for a year or until superseded by a
higher sequence number, and every 6 months the online key could be
replaced. Thus if an old copy of the HS media were discovered it
couldn't be used to impersonate the site.

Sadly the homomorphism proposed to prevent HSDIR enumeration attacks
cannot be used to accomplish this, as knoweldge of the ephemeral
private key and the public blinding factor yields the original private
key.

I can describe a scheme to address this but I'm surprised to not find
any discussion of it.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Improved HS key management
  - From: grarpamp
- Re: [tor-talk] Improved HS key management
  - From: Qingping Hou

Prev by Author: Re: [tor-talk] Improved HS key management
Next by Author: [tor-talk] Vanity onion attacks
Previous by thread: Re: [tor-talk] Interesting question on Quora "Tor: Why did the US government create and continue to fund Tor?"
Next by thread: Re: [tor-talk] Improved HS key management
Index(es):
- Author
- Thread