Age | Commit message (Collapse) | Author |
|
Acked-by: George Kadianakis <desnacked@riseup.net>
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
In theory, we shouldn't use Draft anymore. Also, part of proposal 224 is
being implemented while we are still changing part of it.
Acked-by: George Kadianakis <desnacked@riseup.net>
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Value 0x0A (10) is taken by onion key cross-certifying ntor identity key
from proposal 228.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <asn@torproject.org>
|
|
|
|
|
|
Use a more standard format from Tor and proposal 220 instead of our own
construction.
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Use a more generic way to version the URL for the command so it's much
easier to parse in the implementation but also decoupled from the command
type.
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
The certificate already denotes the type of key.
|
|
|
|
Conflicts:
proposals/224-rend-spec-ng.txt
|
|
Conflicts:
proposals/224-rend-spec-ng.txt
|
|
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
|
|
- Sectioning fixes
|
|
|
|
- Specify credential/subcredential format.
- Bump up revision-counter to 64-bits.
- Specify descriptor encryption padding.
|
|
|
|
- Replace AES128-CTR with AES256.
- Use relay ed25519 identity keys to create the HSDir hash ring.
- Accept 0 introduction points in descriptors.
|
|
- Clarify how to distinguish between old and new style cells.
- Don't send the encryption key to the introduction point.
|
|
|
|
|
|
|
|
|
|
|
|
Also add a reference implementation for the scheme.
|
|
Specifically concering time periods and SRVs.
|
|
Also specify that HSes should re-upload their descriptor every one hour.
|
|
Now overlap periods start 6 hours before the start of the next time period.
|
|
|
|
|
|
This reverts commit 8df8c0584392240aa8fecbcd2164a4489be7ae1a.
|
|
This reverts commit 01119bf1291a40aa309dfb7d76edf790133f05b9.
|
|
Tor is doing the right thing anyway, and specs would look terrible if we
have to refer to [RANDOM-REFS] everytime we use random bytes.
|
|
|
|
Nick pointed out that having the length explicit is better for
backwards/future compatibility.
Also change some field names so that they are mostly uniform
throughout the proposal.
|
|
- No point in using SHAKE *with* HKDF. Just use SHAKE.
- Use our KDF to do key expansion for rendezvous crypto.
|
|
Too complex and not sufficient gain. For full rationale, please see thread:
https://lists.torproject.org/pipermail/tor-dev/2016-March/010560.html
|
|
|
|
|
|
|
|
|
|
|
|
- Kill last remnants of TAP from the proposal.
- Replace SHA256 with SHA3-256 and our KDF with SHAKE.
- Make the INTRO_ESTABLISHED cell extensible.
- Improve the descriptor format a bit.
- Don't be ambiguous about "INTRODUCE" cells (pointed out by malekbr).
- Cleanup the scaling section.
|
|
|
|
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
|
|
Each replicas uses one of multiple blinded keys (and a different
descriptor signing key) to avoid HSDirs being able to locate other
replicas of the service.
In combination with the changes to the salt and revision-counter,
this also makes it difficult to link descriptors from the same
service at all.
If descriptors for different replicas cannot be linked, then it
becomes much harder for a malicious HSDir to discover other
replicas and attept to DoS them.
|
|
Use a different salt for each descriptor replica and upload,
to avoid matching encrypted blobs, which could be used to
link other replicas of the service.
If descriptors for different replicas cannot be linked, then it
becomes much harder for a malicious HSDir to discover other
replicas and attept to DoS them.
|
|
Randomise revision-counter start value and increment to avoid
leaking:
* the descriptor validity start time,
* the age of new hidden services,
* the stability of a hidden service,
* a value that could be used to link other replicas of the service.
If descriptors for different replicas cannot be linked, then it
becomes much harder for a malicious HSDir to discover other
replicas and attept to DoS them.
|