[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Secure way to set time using Hidden Service descriptors

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Secure way to set time using Hidden Service descriptors
From: bancfc@xxxxxxxxxxxxxxx
Date: Thu, 11 Sep 2014 00:15:16 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 10 Sep 2014 20:51:47 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=openmailbox.org; h=user-agent:message-id:subject:subject:from:from:date:date :content-transfer-encoding:content-type:content-type :mime-version:received:received; s=openmailbox; t=1410394516; bh=cVkY03DV7pRqeHzo4XaFtl3hP/5Wv5FxSv9AxmX1NAA=; b=lGe+1UenPL/p nxk2mYoNp2plewqIOLsX3+OvZn+uew0pbLXjAoSXy8Xr6O7ByQwxkpQVQcvH9uZi Auha/1zEbNNBZIA9OM+DVZfvHR9oycuwgORFiG6dJV+adOD5fYJPvzBBEzPG4kH3 KsNhVQt/AvDJnk1Al88Pw+iaQ5BZCPs=
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.0.2

Hi. As you may already know, NTP doesn't work over Tor and even if itdid its untrusted and unauthenticated design leaves systems open toclock skew attacks that could unmask hidden services. What are yourthoughts on having an anonymity distro, that Torrifies all traffic,depend on Hidden Service descriptors for secure timesyncing purposes?

N.B. I have suggested a mechanism that Tor itself incorporate amechanism to broadcast time from relays to clients, but until this isrealized I'm thinking that the proposed alternative is a good drop in.

The only weakness identified is that if a Hidden service forges itsdescriptor timestamp deliberately, it could perform a time replay attackwithin an 18 hour window. How serious is this?



Proposal:

My proposal is to have the time synchronizer daemon query the DHT forspecific Hidden Service descriptors from the HSDir Authorities withoutactually connecting to them and calculate a more finegrained time toset. Here is why I think its a good idea:

* Descriptors contain a timestamp field which shows the time they aregenerated.Time reported is number of microseconds since 1970.* Descriptors are signed by the HS and cannot be spoofed by theHSDirAuth.

* Descriptors are refreshed hourly.

* A "malicious" HS that want to fool our time check has to go out of itsway and forge the timestamp in its descriptor. If they are doing this byjust running with a wrong clock, they will make themselves inaccessible.* According to rend-spec, the damage is much limited (only and 18 hourwindow) before HSDir Authorities reject these forgeries.* There does exist stable, available and friendly HS besides the TPO onethat was taken down. The only addresses that will be used are those oftrusted organizations that will not carry out the forging attacksdescribed above. These will be Whistleblowing and Freedom friendlysites. Some suggestions: Wikileaks, RiseUp (each service they providehas a unique HS address assigned), TheNewyorker's SecureDrop service andprobably more.* The way to go about this is to fetch descriptors without connecting.(how? please describe if it can be done. Its probably best so we don'toverload these organization's hidden servers)

* The timestamps will be averaged to get a more accurate reading.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] Article: Best Alternatives to Tor
Next by Author: Re: [tor-talk] Dropping Tor Browser support for Mac OSX 10.6?
Previous by thread: Re: [tor-talk] HTTP CGI and Tor Hidden Services?
Next by thread: [tor-talk] How FBI Pinpointed Silk Road's Server
Index(es):
- Author
- Thread