aboutsummaryrefslogtreecommitdiff
path: root/rend-spec-v3.txt
diff options
context:
space:
mode:
Diffstat (limited to 'rend-spec-v3.txt')
-rw-r--r--rend-spec-v3.txt137
1 files changed, 78 insertions, 59 deletions
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index 8b3996b..141cfa0 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -1124,8 +1124,8 @@ Table of contents:
2.5.1. First layer of encryption [HS-DESC-FIRST-LAYER]
The first layer of HS descriptor encryption is designed to protect
- descriptor confidentiality against entities who don't know the blinded
- public key of the hidden service.
+ descriptor confidentiality against entities who don't know the public
+ identity key of the hidden service.
2.5.1.1. First layer encryption logic
@@ -1136,6 +1136,11 @@ Table of contents:
SECRET_DATA = blinded-public-key
STRING_CONSTANT = "hsdir-superencrypted-data"
+ The encryption scheme in [HS-DESC-ENCRYPTION-KEYS] uses the service
+ credential which is derived from the public identity key (see [SUBCRED]) to
+ ensure that only entities who know the public identity key can decrypt the
+ first descriptor layer.
+
The ciphertext is placed on the "superencrypted" field of the descriptor.
Before encryption the plaintext is padded with NUL bytes to the nearest
@@ -1209,7 +1214,7 @@ Table of contents:
And here is what the hidden service computes:
SECRET_SEED = x25519(hs_y, client_X)
- KEYS = KDF(SECRET_SEED, 40)
+ KEYS = KDF(subcredential | SECRET_SEED, 40)
CLIENT-ID = fist 8 bytes of KEYS
COOKIE-KEY = last 32 bytes of KEYS
@@ -1338,6 +1343,15 @@ Table of contents:
The link-specifiers is a base64 encoding of a link specifier
block in the format described in BUILDING-BLOCKS.
+ The client SHOULD NOT reject any LSTYPE fields which it doesn't
+ recognize; instead, it should use them verbatim in its EXTEND
+ request to the introduction point.
+
+ The client MAY perform basic validity checks on the link
+ specifiers in the descriptor. These checks SHOULD NOT leak
+ detailed information about the client's version, configuration,
+ or consensus. (See 3.3 for service link specifier handling.)
+
"onion-key" SP "ntor" SP key NL
[Exactly once per introduction point]
@@ -1388,7 +1402,7 @@ Table of contents:
legacy protocol (v2) that is <= 0.2.9 or the protocol version value
"HSIntro 3".
- "legacy-key-cert NL certificate NL
+ "legacy-key-cert" NL certificate NL
[None or at most once per introduction point]
@@ -1666,7 +1680,7 @@ Table of contents:
If the cell is not a replay, it decrypts the ENCRYPTED field,
establishes a shared key with the client, and authenticates the whole
contents of the cell as having been unmodified since they left the
- client. There may be multiple ways of decrypting the ENCRYTPED field,
+ client. There may be multiple ways of decrypting the ENCRYPTED field,
depending on the chosen type of the encryption key. Requirements for
an introduction handshake protocol are described in
[INTRO-HANDSHAKE-REQS]. We specify one below in section
@@ -1697,9 +1711,10 @@ Table of contents:
in [BUILDING-BLOCKS], the "TLS-over-TCP, IPv4" and "Legacy node
identity" specifiers must be present.
- The hidden service SHOULD NOT reject any LSTYPE fields which it
- doesn't recognize; instead, it should use them verbatim in its EXTEND
- request to the rendezvous point.
+ The hidden service should handle invalid or unrecognised link specifiers
+ the same way as clients do in section 2.5.2.2. In particular, services
+ MAY perform basic validity checks on link specifiers, and SHOULD NOT
+ reject unrecognised link specifiers, to avoid information leaks.
The ONION_KEY_TYPE field is:
@@ -2284,29 +2299,21 @@ Appendix F. Hidden service directory format [HIDSERVDIR-FORMAT]
This file contains the private master ed25519 key of the onion service.
[TODO: Offline keys]
- - "client_authorized_pubkeys" [FILE]
-
- If client authorization is _enabled_, this is a newline-separated file of
- "<client name> <pubkeys> entries for authorized clients. You can think of it
- as the ~/.ssh/authorized_keys of onion services. See [CLIENT-AUTH-MGMT] for
- more details.
-
- (NOTE: client authorization is not implemented as of 0.3.2.1-alpha.)
-
+ - "./authorized_clients/" [DIRECTORY]
+ "./authorized_clients/alice.auth" [FILE]
+ "./authorized_clients/bob.auth" [FILE]
+ "./authorized_clients/charlie.auth" [FILE]
- - "./client_authorized_privkeys/" [DIRECTORY]
- "./client_authorized_privkeys/alice.privkey" [FILE]
- "./client_authorized_privkeys/bob.privkey" [FILE]
- "./client_authorized_privkeys/charlie.privkey" [FILE]
+ If client authorization is enabled, this directory MUST contain a ".auth"
+ file for each authorized client. Each such file contains the public key of
+ the respective client. The files are transmitted to the service operator by
+ the client.
- If client authorization is _enabled_ _AND_ if the hidden service is
- responsible for generating and distributing private keys for its clients,
- then this directory contains files with client's private keys. See
- [CLIENT-AUTH-MGMT] for more details.
+ See section [CLIENT-AUTH-MGMT] for more details and the format of the client file.
(NOTE: client authorization is not implemented as of 0.3.2.1-alpha.)
-Appendix E. Managing authorized client data [CLIENT-AUTH-MGMT]
+Appendix G. Managing authorized client data [CLIENT-AUTH-MGMT]
Hidden services and clients can configure their authorized client data either
using the torrc, or using the control port. This section presents a suggested
@@ -2315,52 +2322,64 @@ Appendix E. Managing authorized client data [CLIENT-AUTH-MGMT]
(NOTE: client authorization is not implemented as of 0.3.2.1-alpha.)
- E.1. Configuring client authorization using torrc
+ G.1. Configuring client authorization using torrc
+
+ G.1.1. Hidden Service side configuration
+
+ A hidden service that wants to enable client authorization, needs to
+ populate the "authorized_clients/" directory of its HiddenServiceDir
+ directory with the ".auth" files of its authorized clients.
+
+ When Tor starts up with a configured onion service, Tor checks its
+ <HiddenServiceDir>/authorized_clients/ directory for ".auth" files, and if
+ any recognized and parseable such files are found, then client
+ authorization becomes activated for that service.
+
+ G.1.2. Service-side bookkeeping
+
+ This section contains more details on how onion services should be keeping
+ track of their client ".auth" files.
- E.1.1. Hidden Service side
+ For the "descriptor" authentication type, the ".auth" file MUST contain
+ the x25519 public key of that client. Here is a suggested file format:
- A hidden service that wants to perform client authorization, adds a new
- option HiddenServiceAuthorizeClient to its torrc file:
+ <auth-type>:<key-type>:<base32-encoded-public-key>
- HiddenServiceAuthorizeClient auth-type client-name,client-name,...
+ Here is an an example:
- The only recognized auth-type value is "basic" which describes the scheme in
- section [CLIENT-AUTH]. The rest of the line is a comma-separated list of
- human-readable authorized client names.
+ descriptor:x25519:OM7TGIVRYMY6PFX6GAC6ATRTA5U6WW6U7A4ZNHQDI6OVL52XVV2Q
- Let's consider that one of the listed client names is "alice". In this
- case, Tor checks the "client_authorized_pubkeys" file for any entries
- with client_name being "alice". If an "alice" entry is found, we use the
- relevant pubkeys to authenticate Alice.
+ Tor SHOULD ignore lines it does not recognize.
+ Tor SHOULD ignore files that don't use the ".auth" suffix.
- If no "alice" entry is found in the "client_authorized_pubkeys" file, Tor
- is tasked with generating public/private keys for Alice. To do so, Tor
- generates x25519 and ed25519 keypairs for Alice, then makes a
- "client_authorized_privkeys/alice.privkey" file and writes the private
- keys inside; it also adds an entry for alice to the
- "client_authorized_pubkeys" file.
+ G.1.3. Client side configuration
- In this last case, the hidden service operator has the responsibility to
- pass the .key file to Alice in a secure out-of-band way. After the file
- is passed to Alice, it can be shredded from the filesystem, as only the
- public keys are required for the hidden service to function.
+ A client who wants to register client authorization data for onion
+ services needs to add the following line to their torrc to indicate the
+ directory which hosts ".auth_private" files containing client-side
+ credentials for onion services:
- E.1.2. Client side
+ ClientOnionAuthDir <DIR>
- A client who wants to register client authorization data for a hidden service
- needs to add the following line to their torrc:
+ The <DIR> contains a file with the suffix ".auth_private" for each onion
+ service the client is authorized with. Tor should scan the directory for
+ ".auth_private" files to find which onion services require client
+ authorization from this client.
- HidServAuth onion-address x25519-private-key ed25519-private-key
+ For the "descriptor" auth-type, a ".auth_private" file contains the
+ private x25519 key:
- The keys above are either generated by Alice using a key generation utility,
- or they are extracted from a .key file provided by the hidden service.
+ <onion-address>:descriptor:x25519:<base32-encoded-privkey>
- In the former case, the client is also tasked with transfering the public
- keys to the hidden service in a secure out-of-band way.
+ The keypair used for client authorization is created by a third party tool
+ for which the public key needs to be transferred to the service operator
+ in a secure out-of-band way. The third party tool SHOULD add appropriate
+ headers to the private key file to ensure that users won't accidentally
+ give out their private key.
- E.2. Configuring client authorization using the control port
+ G.2. Configuring client authorization using the control port
- E.2.1. Service side
+ G.2.1. Service side
A hidden service also has the option to configure authorized clients
using the control port. The idea is that hidden service operators can use
@@ -2375,7 +2394,7 @@ Appendix E. Managing authorized client data [CLIENT-AUTH-MGMT]
Hidden services who use the control port interface for client auth need
to perform their own key management.
- E.2.2. Client side
+ G.2.2. Client side
There should also be a control port interface for clients to register
authorization data for hidden services without having to use the
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion