[torspec/master] prop224: avoid replicas with the same blinded key - tor-commits

20 Nov 2015

commit 8df8c0584392240aa8fecbcd2164a4489be7ae1a
Author: teor (Tim Wilson-Brown) teor2345@gmail.com
Date:   Fri Nov 20 12:02:51 2015 +1100
prop224: avoid replicas with the same blinded key
Each replicas uses one of multiple blinded keys (and a different
    descriptor signing key) to avoid HSDirs being able to locate other
    replicas of the service.
In combination with the changes to the salt and revision-counter,
    this also makes it difficult to link descriptors from the same
    service at all.
If descriptors for different replicas cannot be linked, then it
    becomes much harder for a malicious HSDir to discover other
    replicas and attept to DoS them.
---
 proposals/224-rend-spec-ng.txt |   98 ++++++++++++++++++++++++++--------------
 1 file changed, 64 insertions(+), 34 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 612ca2c..8dd30b0 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -372,9 +372,10 @@ Status: Draft
    In order to download a descriptor, clients must know which blinded
    signing key was used to sign it. (See the next section for more info
    on key blinding.)  This blinded signing key is derived from the
-   service's public key and, optionally, an additional secret that is
-   not part of the hidden service's onion address. The public key and
-   this secret together constitute the service's "credential".
+   service's public key, the descriptor replica number, and, optionally,
+   an additional secret that is not part of the hidden service's onion
+   address. The public key, replica number, and this secret together
+   constitute the service's "credential".
When the secret is in use, the hidden service gains protections
    equivalent to the "stealth mode" in previous designs.
@@ -414,19 +415,19 @@ Status: Draft
    positions based on the key that was used to sign them. Note that
    hidden service descriptors are not signed with the services' public
    keys directly. Instead, we use a key-blinding system [KEYBLIND] to
-   create a new key-of-the-day for each hidden service. Any client that
-   knows the hidden service's credential can derive these blinded
-   signing keys for a given period. It should be impossible to derive
-   the blinded signing key lacking that credential.
+   create new keys-of-the-day for the descriptor replicas for each
+   hidden service. Any client that knows the hidden service's credential
+   can derive these blinded signing keys for a given period. It should be
+   impossible to derive the blinded signing keys lacking that credential.
The body of each descriptor is also encrypted with a key derived from
    the credential.
To avoid a "thundering herd" problem where every service generates
    and uploads a new descriptor at the start of each period, each
-   descriptor comes online at a time during the period that depends on
-   its blinded signing key. The keys for the last period remain valid
-   until the new keys come online.
+   descriptor replica comes online at a time during the period that
+   depends on its blinded signing key. The keys for the last period remain
+   valid until the new keys come online.
1.5. In more detail: Scaling to multiple hosts
@@ -483,9 +484,9 @@ Status: Draft
    in advance).
    [TODO: Define revocation mechanism?]
-   It's important to not send the private part of the blinded signing
+   It's important to not send the private part of a blinded signing
    key to the Hidden Service since an attacker can derive from it the
-   secret master identity key. The secret blinded signing key should
+   secret master identity key. A secret blinded signing key should
    only be used to create credentials for the descriptor signing keys.
1.8. In more detail: Encryption Keys And Replay Resistance
@@ -518,14 +519,16 @@ Status: Draft
         service's public identity key and an optional secret can derive
         the public blinded identity key for a service.  This key is used
         as an index in the DHT-like structure of the directory system
-        (see [SUBCRED]).
+        (see [SUBCRED]). Each descriptor replica may use a different
+        blinded signing key, based on its replicanum.
Descriptor signing key -- A key used to sign hidden service
         descriptors.  This is signed by blinded signing keys. Unlike
         blinded signing keys and master identity keys, the secret part
         of this key must be stored online by hidden service hosts. The
         public part of this key is included in the unencrypted section
-        of HS descriptors (see [DESC-OUTER]).
+        of HS descriptors (see [DESC-OUTER]). Each descriptor replica must
+        use a different descriptor signing key.
Introduction point authentication key -- A short-term signing
         keypair used to identify a hidden service to a given
@@ -546,7 +549,8 @@ Status: Draft
Descriptor encryption keys -- A symmetric encryption key used to
         encrypt the body of hidden service descriptors. Derived from the
-        current period and the hidden service credential.
+        current period, the descriptor replica, the descriptor revision,
+        and the hidden service credential.
Public/private keypairs defined elsewhere:
@@ -577,6 +581,8 @@ Status: Draft
    periods), a hidden service host uses a different blinded private key
    to sign its directory information, and clients use a different
    blinded public key as the index for fetching that information.
+   Each descriptor replica for each service may use different blinded
+   keys.
For a candidate for a key derivation method, see Appendix [KEYBLIND].
@@ -593,7 +599,13 @@ Status: Draft
    The subcredential for a period is derived as:
        H("subcredential" |
          credential |
-         blinded-public-key).
+         blinded-public-key(replica-keynum)).
+
+   Where replica-keynum = replicanum % hsdir_num_replica_keys.
+   (This ensures that each replica has a blinded key, even if
+   hsdir_num_replicas is higher than hsdir_num_replica_keys. This ensures
+   hidden services can't predict future values of hsdir_num_replicas at
+   key blinding time.)
2.2. Locating, uploading, and downloading hidden service descriptors
        [HASHRING]
@@ -601,7 +613,9 @@ Status: Draft
    To avoid attacks where a hidden service's descriptor is easily
    targeted for censorship, we store them at different directories over
    time, and use shared random values to prevent those directories from
-   being predictable far in advance.
+   being predictable far in advance. Each descriptor replica may use a
+   different blinded signing key, which prevents directories in one
+   replica locating directories in other replica(s).
Which Tor servers hosts a hidden service depends on:
@@ -662,7 +676,8 @@ Status: Draft
    The time at which a key from the next interval becomes valid is
    determined by taking the first two bytes of
-     OFFSET = H("interval-offset" | Key | INT_8(Next_Period_Num))
+     OFFSET = H("interval-offset" | blinded-public-key(replica-keynum) |
+              INT_8(Next_Period_Num))
as a big-endian integer, dividing by 65536, and treating that as a
    fraction of the overlap interval.
@@ -683,11 +698,21 @@ Status: Draft
2.2.3. Where to publish a service descriptor
+   The following constant controls how many blinded keys are created
+   per period for the different descriptor replicas:
+
+        hsdir_num_replica_keys = an integer constant 2.
+
+   (Since blinded keys can be generated ahead of time, a service can not
+   know the value of hsdir_n_replicas at the time the blinded keys will
+   be used. If hsdir_n_replicas is greater than hsdir_num_replica_keys,
+   some keys will be used for multiple replicas.)
+
    The following consensus parameters control where a hidden service
    descriptor is stored;
hsdir_n_replicas = an integer in range [1,16]
-                             with default value 2.
+                             with default value hsdir_num_replica_keys.
hsdir_spread_fetch = an integer in range [1,128]
                              with default value 3.
@@ -699,12 +724,12 @@ Status: Draft
                              with default value 12.
To determine where a given hidden service descriptor will be stored
-   in a given period, after the blinded public key for that period is
-   derived, the uploading or downloading party calculate
+   in a given period, after the blinded public key for that period and
+   replica is derived, the uploading or downloading party calculates:
for replicanum in 1...hsdir_n_replicas:
             hs_index(replicanum) = H("store-at-idx" |
-                                 blinded_public_key |
+                                 blinded_public_key(replica-keynum) |
                                  INT_8(replicanum) |
                                  INT_8(periodnum) )
@@ -712,7 +737,8 @@ Status: Draft
    periodnum is defined in section TIME-PERIODS.
where n_replicas is determined by the consensus parameter
-   "hsdir_n_replicas".
+   "hsdir_n_replicas", and replica-keynum is replicanum %
+   hsdir_num_replica_keys.
Then, for each node listed in the current consensus with the HSDir3
    flag, we compute a directory index for that node as:
@@ -761,7 +787,7 @@ Status: Draft
    /tor/rendezvous3/publish relative to the hidden service directory's
    root, and downloaded with an HTTP GET request for the URL
    /tor/rendezvous3/<z> where z is a base-64 encoding of the hidden
-   service's blinded public key.
+   service's blinded public key for the replica.
[TODO: raw base64 is not super-nice for URLs, since it can have
    slashes. We already use it for microdescriptor URLs, though. Do we
@@ -819,8 +845,9 @@ Status: Draft
The 'certificate' field contains a certificate in the format from
        proposal 220, with the short-term ed25519 descriptor-signing key
-       signed by the blinded public key.  It must contain a
-       ed25519-signing-key extension containing the blinded public key.
+       for the replica, signed by the blinded public key for the replica.
+       It must contain a ed25519-signing-key extension containing the
+       blinded public key for the replica.
"time-period" SP YYYY-MM-DD HH:MM:SS NUM NL
@@ -911,7 +938,7 @@ Status: Draft
        A signature of all previous fields, using the signing key in the
        hs-descriptor line. We use a separate key for signing, so that
        the hidden service host does not need to have its private blinded
-       key online.
+       keys online.
2.5. Hidden service descriptors: encryption format [ENCRYPTED-DATA]
@@ -926,8 +953,8 @@ Status: Draft
[ XX/teor - is the extra load on the HSDirs worth it? ]
-       secret_input = blinded_public_key | subcredential |
-             INT_4(revision_counter)
+       secret_input = blinded_public_key(replica-keynum) |
+             subcredential | INT_4(revision_counter)
        keys = KDF(secret_input, salt, "hsdir-encrypted-data",
                   S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)
@@ -990,9 +1017,10 @@ Status: Draft
Base-64 encoded introduction point authentication key that was
           used to establish introduction point circuit, cross-certifying
-          the blinded public key.  This uses the certificate format of
-          proposal 220 with type [09].  The signing-key extension is
-          mandatory here to tell you what the public key is.
+          the blinded public key for the replica.  This uses the
+          certificate format of proposal 220 with type [09].  The
+          signing-key extension is mandatory here to tell you what the
+          public key is.
"enc-key" SP "ntor" SP key NL
@@ -1784,8 +1812,10 @@ Appendix A. Signature scheme with key blinding [KEYBLIND]
   possible alternatives. Also, see [KEYBLIND-PROOF] for a security
   proof of this scheme.
-  (To use this with Tor, set N = "key-blind" | INT_8(period-number) |
-  INT_8(Start of period in seconds since epoch).)
+  (To use this with Tor, set N(replica-keynum) = "key-blind" |
+  INT_8(period-number) |  INT_8(Start of period in seconds since epoch) |
+  INT_1(replica-keynum), where replica-keynum is from 1 to
+  hsdir_num_replica_keys.)
Appendix B. Selecting nodes [PICKNODES]

    