[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [torspec/master] Add proposal 191 and 192
commit d329528c3942727c591ba8bb9100d5d65a50fd8a
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Dec 1 09:42:38 2011 -0500
Add proposal 191 and 192
---
proposals/000-index.txt | 4 +
proposals/191-mitm-bridge-detection-resistance.txt | 114 ++++++++++++++++
proposals/192-store-bridge-information.txt | 137 ++++++++++++++++++++
3 files changed, 255 insertions(+), 0 deletions(-)
diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index 68ce0b2..950bc38 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -111,6 +111,8 @@ Proposals by number:
188 Bridge Guards and other anti-enumeration defenses [OPEN]
189 AUTHORIZE and AUTHORIZED cells [OPEN]
190 Password-based Bridge Client Authorization [OPEN]
+191 Bridge Detection Resistance against MITM-capable Adversaries [OPEN]
+192 Automatically retrieve and store information about bridges [OPEN]
Proposals by status:
@@ -144,6 +146,8 @@ Proposals by status:
188 Bridge Guards and other anti-enumeration defenses
189 AUTHORIZE and AUTHORIZED cells
190 Password-based Bridge Client Authorization
+ 191 Bridge Detection Resistance against MITM-capable Adversaries
+ 192 Automatically retrieve and store information about bridges [for 0.2.[45].x]
ACCEPTED:
110 Avoiding infinite length circuits [for 0.2.3.x] [in 0.2.1.3-alpha]
117 IPv6 exits [for 0.2.3.x]
diff --git a/proposals/191-mitm-bridge-detection-resistance.txt b/proposals/191-mitm-bridge-detection-resistance.txt
new file mode 100644
index 0000000..7709ae8
--- /dev/null
+++ b/proposals/191-mitm-bridge-detection-resistance.txt
@@ -0,0 +1,114 @@
+Filename: 191-mitm-bridge-detection-resistance.txt
+Title: Bridge Detection Resistance against MITM-capable Adversaries
+Author: George Kadianakis
+Created: 07 Nov 2011
+Status: Open
+
+1. Overview
+
+ Proposals 187, 189 and 190 make the first steps toward scanning
+ resistant bridges. They attempt to block attacks from censoring
+ adversaries who provoke bridges into speaking the Tor protocol.
+
+ An attack vector that hasn't been explored in those previous
+ proposals is that of an adversary capable of performing Man In The
+ Middle attacks to Tor clients. At the moment, Tor clients using the
+ v3 link protocol have no way to detect such an MITM attack, and
+ will gladly send an VERSIONS or an AUTHORIZE cell to the MITMed
+ connection, thereby revealing the Tor protocol and thus the bridge.
+
+ This proposal introduces a way for clients to detect an MITMed SSL
+ connection, allowing them to protect against the above attack.
+
+2. Motivation
+
+ When the v3 link handshake protocol is performed, Tor's SSL
+ handshake is performed with the server sending a self-signed
+ certificate and the client blindly accepting it. This allows the
+ adversary to perform an MITM attack.
+
+ A Tor client must detect the MITM attack before he initializes the
+ Tor protocol by sending a VERSIONS or an AUTHORIZE cell. A good
+ moment to detect such an MITM attack is during the SSL handshake.
+
+ To achieve that, bridge operators provide their bridge users with a
+ hash digest of the public-key certificate their bridge is using for
+ SSL. Bridge clients store that hash digest locally and associate it
+ with that specific bridge. Bridge clients who have "pinned" a
+ bridge to a certificate "fingerprint" can thereafter validate that
+ their SSL connection peer is the intended bridge.
+
+ Of course, the hash digest must be provided to users out-of-band
+ and before the actual SSL handshake. Usually, the bridge operator
+ gives the hash digest to her bridge users along with the rest of
+ the bridge credentials, like the bridge's address and port.
+
+3. Security implications
+
+ Bridge clients who have pinned a bridge to a certificate
+ fingerprint will be able to detect an MITMing adversary in timely
+ fashion. If after detection they act as an innocuous Internet
+ client, they can successfully remove suspicion from the SSL
+ connection and subvert bridge detection.
+
+ Pinning a certificate fingerprint and detecting an MITMing attacker
+ does not automatically aleviate suspicions from the bridge or the
+ client. Clients must have a behavior to follow after detecting the
+ MITM attack so that they look like innocent Netizens. This proposal
+ does not try to specify such a behavior.
+
+ Implementation and use of this scheme does not render bridges and
+ clients immune to scanning or DPI attacks. This scheme should be
+ used along with bridge client authorization schemes like the ones
+ detailed in proposal 190.
+
+4. Tor Implementation
+
+4.1. Certificate fingerprint creation
+
+ The certificate fingerprints used on this scheme MUST be computed
+ by applying the SHA256 cryptographic hash function upon the ASN.1
+ DER encoding of a public-key certificate.
+
+4.2. Bridge side implementation
+
+ Tor bridge implementations SHOULD provide a command line option
+ that exports a fully equipped Bridge line containing the bridge
+ address and port, the link certificate fingerprint and any other
+ enabled Bridge options, so that bridge operators can easily send it
+ to their users.
+
+ In the case of expiring SSL certificates, Tor bridge
+ implementations SHOULD warn the bridge operator a sensible amount
+ of time before the expiration, so that she can warn her clients and
+ potentially rotate the certificate herself.
+
+4.3. Client side implementation
+
+ Tor client implementations MUST extend their Bridge line format to
+ support bridge SSL certificate fingerprints. The new format is:
+ Bridge <method> <address:port> [["keyid="]<id-fingerprint>] \
+ ["shared_secret="<shared_secret>] ["link_cert_fpr="<fingerprint>]
+
+ where <fingerprint> is the bridge's SSL certificate fingerprint in
+ hexademical encoding.
+
+ Tor clients who use bridges and want to pin their SSL certificates
+ must specify the bridge's SSL certificate fingerprint as in:
+ Bridge 12.34.56.78 shared_secret=934caff420aa7852b855 \
+ link_cert_fpr=38b0712e90bed729df81f2a22811d3dd89e91406d2522f4482ae4079e5245187
+
+4.4. Implementation prerequisites
+
+ Tor bridges currently rotate their SSL certificates every 2
+ hours. This not only acts as a fingerprint for the bridges, but it
+ also acts as a blocker for this proposal.
+
+ Tor trac ticket #4390 and proposal YYY were created to resolve this
+ issue.
+
+5. Acknowledgements
+
+ Thanks to Robert Ransom for his great help and suggestions on
+ devising this scheme and writing this proposal!
+
diff --git a/proposals/192-store-bridge-information.txt b/proposals/192-store-bridge-information.txt
new file mode 100644
index 0000000..09ecc5a
--- /dev/null
+++ b/proposals/192-store-bridge-information.txt
@@ -0,0 +1,137 @@
+Filename: 192-store-bridge-information.txt
+Title: Automatically retrieve and store information about bridges
+Author: Sebastian Hahn
+Created: 16-Nov-2011
+Status: Open
+Target: 0.2.[45].x
+
+Overview:
+Currently, tor already stores some information about the bridges it is
+configured to use locally, but doesn't make great use of the stored
+data. This data is the Tor configuration information about the bridge
+(IP address, port, and optionally fingerprint) and the bridge descriptor
+which gets stored along with the other descriptors a Tor client fetches,
+as well as an "EntryGuard" line in the state file. That line includes
+the Tor version we used to add the bridge, and a slightly randomized
+timestamp (up to a month in the past of the real date). The descriptor
+data also includes some more accurate timestamps about when the
+descriptor was fetched.
+
+The information we give out about bridges via bridgedb currently only
+includes the IP address and port, because giving out the fingerprint as
+well might mean that Tor clients make direct connections to the bridge
+authority, since we didn't design Tor's UpdateBridgesFromAuthority
+behaviour correctly.
+
+Motivation:
+
+The only way to let Tor know about a change affecting the bridge (IP
+address or port change) is to either ask the bridge authority directly,
+or reconfigure Tor. The former requires making a non-anonymized direct
+connection to the bridge authority Tonga and asking it for the current
+descriptor of the bridge with a given fingerprint - this is unsafe and
+also requires prior knowledge of the fingerprint. The latter requires
+user intervention, first to learn that there was an update and second to
+actually teach Tor about the change.
+
+This is way too complicated for most users, and should be unnecessary
+while the user has at least one bridge that remains working: Tonga can
+give out bridge descriptors when asked for the descriptor for a certain
+fingerprint, and Tor clients learn the fingerprint either from their
+torrc file or from the first connection they make to a bridge.
+
+For some users, however, this option is not what they want: They might
+use private bridges or have special security concerns, which would make
+them want to connect to the IP addresses specified in their
+configuration only, and not tell Tonga about the set of bridges they
+know about, even through a Tor circuit. Also see
+https://blog.torproject.org/blog/different-ways-use-bridge for more
+information about the different types of bridge users.
+
+Design:
+
+Tor should provide a new configuration option that allows bridge users
+to indicate that they wish to contact Tonga anonymously and learn about
+updates for the bridges that they know about, but can't currently reach.
+Once those updates have been received, the clients would then hold on to
+the new information in their state file, and use it across restarts for
+connection attempts.
+
+The option UpdateBridgesFromAuthority should be removed or recycled for
+this purpose, as it is currently dangerous to set (it makes direct
+connections to the bridge authority, thus leaking that a user is about
+to use bridges). Recycling the option is probably the better choice,
+because current users of the option get a surprising and never useful
+behaviour. On the other hand, users who downgrade their Tors might get
+the old behaviour by accident.
+
+If configured with this option, tor would make an anonymized connection
+to Tonga to ask for the descriptors of bridges that it cannot currently
+connect to, once every few hours. Making more frequent requests would
+likely not help, as bridge information doesn't typically change that
+frequently, and may overload Tonga.
+
+This information needs to be stored in the state file:
+
+- An exact copy of the Bridge stanza in the torrc file, so that tor can
+ detect when the bridge is unconfigured/the configuration is changed
+
+- The IP address, port, and fingerprint we last used when making a
+ successful connection to the bridge, if this differs from/supplements
+ the configured data.
+
+- The IP address, port, and fingerprint we learned from the bridge
+ authority, if this differs from both the configured data and the data
+ we used for the last successful connection.
+
+We don't store more data in the state file to avoid leaking too much if
+the state file falls into the hands of an adversary.
+
+Security implications:
+
+Storing sensitive data on disk is risky when the computer one uses gets
+into the wrong hands, and state file entries can be used to identify
+times the user was online. This is already a problem for the Bridge
+lines in a user's configuration file, but by storing more information
+about bridges some timings can be deduced.
+
+Another risk is that this allows long-term tracking of users when the
+set of bridges a user knows about is known to the attacker, and the set
+is unique. This is not very hard to achieve for bridgedb, as users
+typically make requests to it non-anomymized and bridgedb can
+selectively pick bridges to report. By combining the data about
+descriptor fetches on Tonga and this fingerprint, a usage pattern can be
+established. Also, bridgedb could give out a made-up fingerprint to a
+user that requested bridges, thus easily creating a unique set.
+
+Users of private bridges should not set this option, as it will leak the
+fingerprints of their bridges to Tonga. This is not a huge concern, as
+Tonga doesn't know about those descriptors, but private bridge users
+will likely want to avoid leaking the existence of their bridge. We
+might want to figure out a way to indicate that a bridge is private on
+the Bridge line in the configuration, so fetching the descriptor from
+Tonga is disabled for those automatically. This warrants more discussion
+to find a solution that doesn't require bridge users to understand the
+trade-offs of setting a configuration option.
+
+One idea is to indicate that a bridge is private by a special flag in
+its bridge descriptor, so clients can avoid leaking those to the bridge
+authority automatically. Also, Bridge lines for private bridges
+shouldn't include the fingerprint so that users don't accidentally leak
+the fingerprint to the bridge authority before they have talked to the
+bridge.
+
+Specification:
+
+No change/addition to the current specification is necessary, as the
+data that gets stored at clients is not covered by the specification.
+This document is supposed to serve as a basis for discussion and to
+provide hints for implementors.
+
+Compatibility:
+
+Tonga is already set up to send out descriptors requested by clients, so
+the bridge authority side doesn't need any changes. The new
+configuration options governing the behaviour of Tor would be
+incompatible with previous versions, so the torrc needs to be adapted.
+The state file changes should not affect older versions.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits