[tor-dev] Tor HS keys password protection against impersonation attacks?

Jacob Appelbaum jacob at appelbaum.net
Sun Mar 18 02:34:03 UTC 2012


On 03/17/2012 02:52 AM, Fabio Pietrosanti (naif) wrote:
> Hi,
> thinking about Tor Hidden services, they are managed by using Hidden
> Services client keys.
> 
> The Tor HS keys are "private keys" that may need to be protected
> because they also represent the "identity" of the Tor HS and, if stolen,
> it would be possible to carry out an impersonation attack on connections
> to the Tor HS.
> Accepting connections on behalf of the real TorHS, with the goal to
> steal passwords, provide fake data to clients, exploit them, etc.
> 
> 
> The Tor HS keys are even more sensitive than X509v3 keys, as they provide:
> - identity (similar to an internet domain name)
> - routing (similar to an internet IP address)
> - encryption (they provide e2e encryption, I don't know if there are
> attacks on crypto if they get stolen)
> 
> So owning a Tor HS key is like owning a user's domain name, acquiring
> its IP address and the x509v3 private key of his digital certificate
> bound to his domain name.
> 
> 
> As a protection scheme it would be possible to create the Tor HS private
> key encrypted with a passphrase, like it's possible to do for x509v3 PEM
> certificates.
> 
> The passphrase to unlock the Tor HS key could be provided via the Tor
> Control Port, so an external process (UI, scripts) could manage the
> setup of the passphrase.
> 
> That way, even in case of seizure of the server running the Tor HS,
> it would not be possible for whoever seized the Tor HS server to actively
> carry out impersonation attacks on the Tor HS.

I think that's a great idea but also a UI nightmare; for servers, I
think arm would need to support entering the key and for desktops, I
think Vidalia is the obvious target. It would probably be good to have
the key decryption tied together with something like scrypt[0] to make
it really expensive to bruteforce.

All the best,
Jacob

[0] http://www.tarsnap.com/scrypt.html
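
The scrypt-backed key protection discussed above, as an added example that is not part of the original message and is not Tor code: a key file is wrapped with a passphrase so that each guess costs one scrypt run. The choice of AES-256-GCM, the scrypt parameters, the field names, the `wrapKey`/`unwrapKey` helpers and the sample key are all assumptions made for illustration.

```javascript
// Added example, not Tor code: passphrase-wrapping a key file with scrypt + AES-256-GCM.
// Field names, parameters and the sample key are assumptions made for illustration.
const crypto = require('node:crypto');

// scrypt needs about 128 * N * r bytes per guess: N=2^15, r=8 is about 32 MiB.
// Node's default maxmem is 32 MiB, so it is raised explicitly.
const KDF = { N: 1 << 15, r: 8, p: 1 };
const MAXMEM = 64 * 1024 * 1024;

function deriveKey(passphrase, salt, { N, r, p }) {
  return crypto.scryptSync(Buffer.from(passphrase, 'utf8'), salt, 32, { N, r, p, maxmem: MAXMEM });
}

function wrapKey(privateKey, passphrase, kdf = KDF) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const header = JSON.stringify({ v: 1, N: kdf.N, r: kdf.r, p: kdf.p });
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt, kdf), nonce);
  c.setAAD(Buffer.from(header)); // authenticate the KDF parameters too
  const ct = Buffer.concat([c.update(privateKey), c.final()]);
  const b64 = (b) => b.toString('base64');
  return { header, salt: b64(salt), nonce: b64(nonce), tag: b64(c.getAuthTag()), ct: b64(ct) };
}

// Returns the key bytes, or null on a wrong passphrase or a modified file.
function unwrapKey(blob, passphrase) {
  const raw = (s) => Buffer.from(s, 'base64');
  try {
    const key = deriveKey(passphrase, raw(blob.salt), JSON.parse(blob.header));
    const d = crypto.createDecipheriv('aes-256-gcm', key, raw(blob.nonce));
    d.setAAD(Buffer.from(blob.header));
    d.setAuthTag(raw(blob.tag));
    return Buffer.concat([d.update(raw(blob.ct)), d.final()]);
  } catch {
    return null;
  }
}

{
  // Constructed stand-in for the hidden service's private key bytes.
  const sample = Buffer.from('constructed-hs-private-key');
  const stored = wrapKey(sample, 'long passphrase typed by the operator');
  console.log('right passphrase:', unwrapKey(stored, 'long passphrase typed by the operator').equals(sample));
  console.log('wrong passphrase:', unwrapKey(stored, 'guess'));
}
```

Because the KDF parameters are bound as associated data, rewriting the stored header to a cheaper cost makes decryption fail instead of weakening the check. The passphrase still only protects the key at rest; once unlocked, the key sits in the memory of the running process.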

