[tor-dev] Proposal 230: How to change RSA1024 relay identity keys

Nicholas Hopper hopper at cs.umn.edu
Tue Apr 8 19:15:12 UTC 2014

On Tue, Apr 8, 2014 at 1:50 PM, Nick Mathewson <nickm at torproject.org> wrote:
> Filename: 230-rsa1024-relay-id-migration.txt
> Title: How to change RSA1024 relay identity keys
> Authors: Nick Mathewson
> Created: 7 April 2014
> Target: 0.2.?
> Status: Draft
> 1. Intro and motivation
>    Some times, a relay would like to migrate from one RSA1024
>    identity key to another without losing its previous status.
>    This is especially important because proposal 220 ("Migrate
>    server identity keys to Ed25519") is not yet implemented, and so
>    server identity keys are not kept offline.  So when an OpenSSL
>    bug like CVE-2014-0160 makes memory-reading attacks a threat to
>    identity keys, we need a way for routers to migrate ASAP.
>    This proposal does not cover migrating RSA1024 OR identity keys
>    for authorities.
> 2. Design
>    I propose that when a relay changes its identity key, it should
>    include a "old-identity" field in its server descriptor for 60 days
>    after the migration.  This old-identity would include the
>    old RSA1024 identity, a signature of the new identity key
>    with the old one, and the date when the migration occurred.
>    This field would appear as an "old-id" field in microdescriptors,
>    containing a SHA1 fingerprint of the old identity key, if the
>    signature turned out to be value.

>    Authorities would store old-identity => new-identity mappings,
>    and:
>       * Treat history information (wfu, mtbf, [and what else?]) from
>         old identities as applying to new identities instead.

possibly: bw authority weights?

>       * No longer accept any routers descriptors signed by the old
>         identity.

To clarify here: does "router[s] descriptors signed by the old
identity" include the old-id field?  That is, in case an identity key
is compromised is there a race to claim the old-id mapping?  If not,
how should the authorities/clients treat a pair of descriptors
claiming the mapping?

> 4. Interface
>    To use this feature, a router should rename its secret_id_key
>    file to secret_id_key_OLD.  The first time that Tor starts and
>    finds a secret_id_key_OLD file, it generates a new ID key if one
>    is not present, and generates the text of the old-rsa-1024-id-key
>    and old-rsa1024-id-migration fields above.  It stores them in a
>    new "old_id_key_migration" file, and deletes the
>    secret_id_key_OLD file.  It includes them in its desecriptors.

I guess it's possible a relay operator could shoot themselves in the
foot here by causing some inconsistent state between these three
files.  I guess at worst, though, this should again be a case where
the window of vulnerability is small, so very few (or possibly no)
relays would lose their history this way.

Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project

More information about the tor-dev mailing list