[tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 6 02:20:05 UTC 2012 

#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  normal      |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor         |        Version:                    
 Keywords:  tor-bridge  |         Parent:  #4773             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by asn):

 Replying to [comment:7 nickm]:
 > Replying to [comment:6 asn]:
 >  [...]
 > > Sounds like Protocol B will be harder to design, prove and implement.
 Does our threat model include the attacks that it protects against? If
 not, we should probably do Protocol A.
 >
 > There are a couple of pieces of the protocols left off here.  To wit:
 how does the proxy learn where to look for the secret file?  I'd lean
 towards "Specify the location of the file in its environment when it's
 launched."
 >

 Sounds reasonable.

 How do you think this should be done in the protocol?
 Should we increase the managed-proxy protocol version and add a new
 mandatory env var (`TOR_PT_AUTH_COOKIE`), or should we add an optional env
 var on the current protocol version, or should we add the path to the
 already existing `TOR_PT_EXTENDED_SERVER_PORT` env. var?

 I'm leaning towards adding an optional new env var. What do you think?

 > In the managed proxy case, since you're getting both the cookie file
 location and the extended ORPort from Tor when it launches the proxy,
 there's not too much risk of connecting to something that isn't really a
 Tor process, and not much risk of reading something that isn't really a
 cookie file.  If you add a header to the file (which seems like an
 obviously correct choice), there's zero risk of reading a non-cookie file.
 So we probably _could_ get away with just a password system for that case.
 >
 > In the external proxy case, are we worried about somebody setting up the
 external proxy to point at the wrong extended ORPort for Tor, or at the
 wrong cookie file, or what?
 >

 Yes, something like that. I don't really think these are realistic
 adversarial attacks.

 > That said, I am fine with doing an HMAC-based challenge/response thing
 here, on the theory that the assumptions above might turn out to be less
 robust than we thought.
 >

 I think I'm going to go with the HMAC-based challenge/response protocol
 too. I will also make the protocol flexible enough to support other
 authentication types.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list