[tor-dev] Sanitizing bridge descriptors containing ed25519 fields

Karsten Loesing karsten at torproject.org
Mon Jun 1 07:27:55 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Nick,

On 31/05/15 16:21, Nick Mathewson wrote:
> On Sat, May 30, 2015 at 5:16 PM, Karsten Loesing
> <karsten at torproject.org> wrote:
>> So, I think a "fingerprint-ed25519" line would be useful.  It
>> would make the bridge descriptor sanitizing process much easier.
>> It would also facilitate debugging network problems, because
>> people can just grep descriptors rather than using specialized
>> tools that know how to decode the cert.  And with
>> microdescriptors in place it should be okay to add this line even
>> if it's redundant information, because clients would never
>> download it.
> 
> Hm.  Okay, that sounds solid enough.  I'll try to hack it in
> tonight or Monday, and add it to prop220.

Sounds good.  Thanks!

>> If the server descriptor in #16227 were a bridge descriptor, I'd
>> do the following steps for sanitizing it:
>> 
>> - Remove identity-ed25519 line and subsequent crypto block.
> 
> +1

Okay.

>> - Keep yet-to-be-added fingerprint-ed25519 line, but SHA256 its
>> value. - Keep extra-info digest line, but SHA1 and SHA256 its
>> values.
> 
> Suggestion: Don't use raw SHA256(x) but instead use
> SHA256("sanitize ID for bridge descriptor" | x) or SHA256("sanitize
> extra-info digest for bridge descriptor" | x). That way we don't
> need to worry about colliding with something else that decides to
> SHA256 these.

Hmm, actually I worry more about simplicity here than possible SHA256
collisions.  This algorithm needs to be implemented in various places
and sometimes even performed manually:

 - `router_write_fingerprint(int hashed)` in router.c: for the log
line and hashed-fingerprint file (want me to add a ticket for this, btw?),
 - Nyx (formerly known as arm): to display the hashed fingerprint that
users can paste into Atlas/Globe,
 - Atlas/Globe: to make sure that only hashed fingerprints are
submitted to Onionoo,
 - Onionoo: to make sure we also return relays that had their identity
hashed by Atlas/Globe and bridges that had their identity hashed twice,
 - CollecTor: to sanitize bridge descriptors,
 - bridge operators/BridgeDB devs: to find out more details about a
bridge that they only have a bridge network status or server
descriptor for,
 - and maybe others.

How bad would it be to just SHA256 values for sanitizing bridge
descriptors for the sake of simplicity?

>> - Remove onion-key line and subsequent crypto block. - Remove
>> signing-key line and subsequent crypto block. - Remove
>> onion-key-crosscert line and subsequent crypto block. - Remove
>> ntor-onion-key-crosscert line and subsequent crypto block. - Keep
>> ntor-onion-key line, mostly because we didn't remove it so far;
>> unless it should be removed? - Remove router-sig-ed25519 line. -
>> Remove router-signature line and subsequent crypto block. - Add
>> router-digest line with SHA1 of SHA1 of descriptor content and 
>> SHA256 of SHA256 of descriptor content; the rationale is that we
>> don't have to write entirely new digests into the network status
>> in order to match "r" lines with descriptors.
> 
> That all sounds fine.

Cool.

>> I also added the extra-info descriptor that corresponds to the
>> server descriptor to #16227:
>> 
>> https://trac.torproject.org/projects/tor/ticket/16227#comment:5
>> 
>> I wonder, what's the best way for including the ed25519 identity
>> in the extra-info descriptor?  How about extending the first line
>> to:
>> 
>> "extra-info Truie SHA1-of-RSA SHA256-of-ed25519"
>> 
>> Possible downsides are that this additional value might break
>> existing code and that it might be problematic to get rid of the
>> SHA1-of-RSA part later.  But the same issues would come up with
>> the "extra-info-digest" line in server descriptors, and maybe
>> there are good solutions.
>> 
>> Otherwise, a separate "fingerprint-ed25519" line might work here,
>> too.
> 
> Plausible.

Which one, the extended "extra-info" line or the additional
"fingerprint-ed25519" line? :)

>> In order to sanitize such an extra-info descriptor, I'd do these
>> steps:
>> 
>> - Keep extra-info line, but SHA1 (and possibly SHA256) its
>> value(s).
> 
> See above.
> 
>> - Or, keep yet-to-be-added fingerprint-ed25519 line, but SHA256
>> its value.
> 
> See above.
> 
>> - Remove router-sig-ed25519 line. - Remove router-signature line
>> and subsequent crypto block. - Add router-digest line with SHA1
>> of SHA1 of descriptor content and SHA256 of SHA256 of descriptor
>> content; same rationale as above, but with the
>> "extra-info-digest" line in server descriptors.
>> 
>> What do you think?
>> 
> 
> Sounds fine.

Thanks for looking!

All the best,
Karsten

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJVbAl7AAoJEJD5dJfVqbCrwTEIAMnXjFxwcHQUfcqozO/15gta
W7J5XNTfBFnXYy5a8ZFWRMf80+Mt+qwb9wJG2Nvjot9enBRS1Bn2TFchcKFUgEeS
U/epBGdWYgq1Uq7At7suX9AOt2SYYBKnQk3dfkvs3EJHVTWz+3s02Mh9Fz/FZl47
QcDXZkR7DYv1pu6XfVpidm4S390z5J+IuWzZGFfwTe2AElGBUQUxxLrQGPnLVCX/
Ue6WXtwgr8GvFgoXZ1ZAz43r2/P5IxCnuSsmFpKTJynvwkosK9TG/5fj/wmxxaiK
C1De+Dqfsrkket+wJQm5FUpx6wowIp5rIwkDqAgZYzwTNwViE3Ijg1nW0RtRTbg=
=ABhA
-----END PGP SIGNATURE-----

More information about the tor-dev mailing list