[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Revisiting prop224 client authorization

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Revisiting prop224 client authorization
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Fri, 4 Nov 2016 10:28:17 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 04 Nov 2016 10:29:05 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=DcsKwE5M097mTrFQ9D4zFvTNMu6oMI1P6YJ7ksEyM0A=; b=YmbvQHE24h08F3SNynAcWeJFUYPqBnFPPiQ4j7Mv53O3tXe81/vy2Sdee2ZRqQyGz9 Dk5ujrBshyQcE+ncKINLe38RPkwER8qeQ8TYIi4n3qrHizZRN3+n9BrWImmR0so1+8YC mRhbDnZVmVAKqjkzi8/keEHWvu+6muA/p5bqVd6quVOtLDVH6pW9ET3nThk0Lz8qJht5 5RPzu+LgC5C+XZUpbWkesBj3XCyHuDYJ0zQ5CP0pdjMFxQDBWlwksbADGCboCjX2cWI8 hdqBRHtlO95CtdQzb8UhMkTxYqQqGBDXRJ6dEVD2r6D9bS6wnCOLZ9VNxw1eXUALLyNh EChQ==
In-reply-to: <87ins7cdia.fsf@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <87shs21u2k.fsf@riseup.net> <87oa2i3mlf.fsf@riseup.net> <20161017183530.4r7pi6xhefq366sb@raoul> <87ins7cdia.fsf@riseup.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Nov 1, 2016 at 1:32 PM, George Kadianakis <desnacked@xxxxxxxxxx> wrote:
> I worked some more on the descriptor part of client authorization and
> prepared a torspec patch. You can find it at `prop224_client_auth_2` in
> my repo:
>    https://gitweb.torproject.org/user/asn/torspec.git/commit/?h=prop224_client_auth_2&id=a85ffa341cc6c493ad031972f466a6dd5d8510e2
>
> Based on received feedback, I went with the double-layer encryption
> style, where the first layer is encrypted using the HS pubkey and the
> second layer is encrypted using the descriptor cookie. Inside the first
> layer plaintext is the information for authorized clients to derive the
> descriptor cookie.
>
> I also included the padding suggestions from my previous post that
> should help with hiding the number of client auths.

Hi, George!  This looks like  solid stuff.  I'll try to answer your
questions and

> I'd like feedback on the following:
>
> a) Do you like the descriptor format and logic? Can we make it nicer or
>    easier to implement?

No objections.

> b) Do you like the proposal format? Is it messy and/or hard to
>    understand? Ideas on how can it be improved?

I think it's fine.

>    I think we have reached the point where every subsystem of prop224 is
>    complex enough to warrant its own proposal, but I'm resisting the
>    urge to dig into this rabbithole right now.

Maybe we can clean it all up when we turn it from "prop224" to
"rend-spec-v2.txt" ? :)

> c) Is the descriptor cookie encryption format good enough Namely:
>      encrypted_cookie = STREAM(iv, client_auth_cookie) XOR descriptor_cookie

I don't much care for the lack of a MAC here.  I haven't found any
actual vulnerability here, but every time in my life that I have
omitted a MAC from a malleable ciphertext, I have turned out to regret
it.

> d) Current changes: I changed "authentication-required" to
>    "intro-auth-required" in the descriptor, to make it more clear its
>    about introduction-layer authentication.
>
> Feedback on the patch and the above points is very much welcome!
>
> BTW, I'm not done with this thread yet, there are still some more points
> that need to be handled wrt client authorization. But this spec patch is
> the most important and lengthiest of them all, so let's get it out of
> the way first.


So, here's my feedback on the branch itself.


wrt 3da540606a85e6 "Make subcredential actually change every time period."

   This change is safe, I think, but not necessary: Note that the
   blinded_public_key input already changes every time period because
   of the nonce value N used in blinding the public key.

wrt a85ffa341cc6c4 "Use per-client desc auth keys"

     What is the format of "IV" and "client-id" and "encrypted-cookie"?
     Base64?  How long are they?  I would guess "base64-encoded, 32 bytes each"?

     The IV has to be random, right?  The spec ought to say so, but I
didn't see where.

     Malleability on the encrypted descriptor_cookie bothers me for
     some reason I can't figure out; see note above.

     The syntax on "superencrypted" doesn't seem right. The
"encrypted-string" part should probably be after an NL, not an SP,
right?

     Descriptor-cookie needs to be random each time, yeah? Does the
spec say so?


In all, this looks fine to me.  I like the part where we do two layers
of encryption unconditionally.

-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- Re: [tor-dev] Revisiting prop224 client authorization
  - From: George Kadianakis

Prev by Author: Re: [tor-dev] prop224: What should we do with torrc options?
Next by Author: [tor-dev] sketch: An alternative prop224 authentication mechanism based on curve25519
Previous by thread: Re: [tor-dev] Revisiting prop224 client authorization
Next by thread: [tor-dev] Using fingerprint of cached relay bypasses bridge?
Index(es):
- Author
- Thread