[tor-dev] A Proposal for a hidden service revocation system

Donncha O'Cearbhaill donncha at donncha.is
Sun Mar 8 02:43:19 UTC 2015 

Hi Adrien,

Good job on writing up a draft for this proposal! It looks good!

On 07/03/15 21:33, Adrien Johnson wrote:
> Filename: xxx-rend-revoke.txt
> Title: Hidden Service Revocation
> Author: Adrien Johnson
> Created: 2015-03-04
> Status: Draft
> 
> Hidden service operators need to be able to revoke trust in their hidden
> service
> if they know or suspect their hidden service secret key has been
> compromised.
> 

-- snip --

>     4.1 Basic Support
> 
>         For the Tor network to support hidden service revocations at a
> basic
>         level, a large proportion of hidden service directories must
> recognize
>         that a hidden service descriptor with zero introductory points
> has the
>         special meaning of being a revocation. These hidden service
> directories
>         must not allow a current unexpired revocation descriptor to be
> replaced
>         by a non-revocation descriptor (so called 'un-revocation'). In
> all other
>         ways, treatment of a revocation descriptor is identical to
> treatment of
>         a non-revocation descriptor for a hidden service.
> 
>         [NOTE: Maybe we want a more explicitly requested revocation?
> Using a
>         zero introductory point descriptor as a revocation has the
>         advantage of being backward-compatible with older directory
> software,
>         which will be able to accept and propagate the revocation to
> other more
>         up-to-date directories, even though the older directories will not
>         provide protection against un-revoking a hidden service if the
> attacker
>         delivers an un-revocation descriptor to them directly.
> 
>         Is there a need for zero introductory point descriptors in any
> other
>         case? If a hidden service previously published introductory points
>         and it now no longer can be contacted at those points, and it does
>         not have any new introductory points, it is unreachable.
> Publishing a
>         descriptor announcing all zero of its introductory points will not
>         change its reachability, though it may slightly reduce wasted
> effort by
>         tor nodes attempting to reach it.]

The current rend-spec allows for hidden service's to publish descriptors
without any introduction points. I think it would much better to add an
explicit 'revoked' line to the revocation descriptor.

I've done a quick test and it looks like relays already accept hidden
service descriptors containing undefined fields. As such implementing it
as such should be backward-compatible with previous version of Tor.

> 
>         4.1.1 Steps required to add support
> 
>             1) If current code results in hidden services publishing zero-
>             introductory point descriptors, this is blocked to prevent
>             accidental revocation. I would love to get this in 0.2.6.
> 
>             2) If a modification is needed in step 1, then a grace period
>             is given for hidden service operators to update their
>             software. This grace period does not have to be long, we can
> move
>             onto step 3 relatively fast, since the only penalty for
> accidental
>             revocation step 3 would create is forcing the hidden service to
>             upgrade their software, and the hidden service being
> unreachable for
>             a maximum of 25 hours (lifetime of a descriptor) after the
>             hidden service upgrades.
> 
>             3) Hidden service directories are modified to not allow a
>             current unexpired revocation descriptor to be replaced by an
>             un-revocation descriptor. Basic support for revocation is
> achieved!
> 
>             4) A long upgrade grace period is now given. The vast majority
>             of hidden services should be using software which includes the
>             modifications made in step 1
> 
>             5) Expanded revocation capabilities may be added, as described
>             below.
> 
>     4.2 Expanded Capabilities
> 
>         4.2.1 Cache of revoked services
> 
>             A Tor node which tried to connect to a hidden service in the
> past
>             and discovered that the service was revoked should remember
> that
>             revocation and refuse to connect indefinitely, even if the
>             revocation ceases to be broadcast in the future.

The client should not keep local records of the hidden services that
they have accessed. I think the client should only store the descriptor
as normal in their local descriptor cache.

> 
>         4.2.2 Presentation to the user
> 
>             If an onion proxy that detects the user tried to visit a
> revoked
>             service, this information should be presented to the user
>             out-of-band. I.E not in a way that could be mistaken for a
> hidden
>             service which is only temporarily unreachable, or as
> information
>             sent by the service. This could be done via a system level
> popup, or
>             a taskbar notification. The presentation should be strongly
>             distinguished from a hidden service which is simple
> unreachable.

A control port event should be defined to signal to a controller that
the accessed hidden service has been revoked. The controller (TorButton
etc.) could then notify the user is an appropriate way.

> 
>         4.2.3 Automatic hijacking detection/revocation
> 
>             Tor hidden service software could have a mode to detect if
> another
>             party is using the hidden service private key to publish
> descriptors
>             for that service. If the hidden service operator configures it,
>             the Tor hidden service software could immediately begin to
> broadcast
>             the revocation for that service.
> 

This may be possible, but I think it would be simpler and safer to
implement "hijacking" detection outside of little-t-tor.


It practice, it may be difficult to ensure that a client actually
receives a revocation descriptor. Firstly this protocol won't work very
well until enough relays upgrade to version implementing this protocol.

Additionally with the current implementation of hidden services, an
attacker who has compromised the HS key could position their relays to
be the HSDir's for the revoked hidden service. They could then provide
client's with only a standard descriptor and impersonate the HS. In
practice it may be possible for a revocation service to to watch for
this type of behaviour.

Thanks for putting this together. The best solution is of course of
hidden service operators their service key safe in the first place!

Regards
Donncha


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150308/efece8b6/attachment-0001.sig>

More information about the tor-dev mailing list