[tor-relays] Security implications of disabling onion key rotation?

Nick Mathewson nickm at torproject.org
Thu Jun 1 13:07:17 UTC 2023


On Wed, May 24, 2023 at 8:54 PM David Fifield <david at bamsoftware.com> wrote:
[...]
>
> What are the risks of not rotating onion keys? My understanding is that
> rotation is meant to enhance forward security; i.e., limit how far back
> in time past recorded connections can be attacked in the case of key
> compromise. https://spec.torproject.org/tor-design Section 4 says:
>         Short-term keys are rotated periodically and independently, to
>         limit the impact of key compromise.

This is an interesting question!

So, compromising an onion key shouldn't be enough on its own to break
forward secrecy.  The circuit extension handshakes use an additional
set of ephemeral keys as part of the negotiation process, which are
discarded immediately after the handshake.  (These are the
Diffie-Hellman keys in TAP, and the x/X y/Y keypairs in ntor.)
Assuming that this is done properly, and all the cryptographic
assumptions hold, these keys alone should make it impossible to
decrypt anything after the session keys are discarded.

The purpose of the onion key is, rather, to make it impossible for
somebody else to impersonate the target relay.  If somebody steals
your onion key, and they have their own relay R, then they can use
your onion key to impersonate you whenever somebody tries to extend a
circuit from R to you.

Onion key rotation limits the time range in which this kind of attack
is useful: it will only work for as long as the onion key is listed in
a live directory.

(Now, any attacker who can steal your onion key can probably also
steal your identity key too, if you don't keep that offline, and use
it to impersonate you for even longer. The advantage of using a stolen
onion key is that it's much harder to detect; all the attacks I can
think of that use a stolen identity key involve, whereas the
onion-key-theft attack occurs when you are already in a perfect
position to be a MITM.)

> Do the considerations differ when using ntor keys versus TAP keys?

The argument above is the same with TAP and ntor, I'd say, except for
the fact that TAP just isn't that secure under modern assumptions: it
depends on RSA-1024 and DH-1024, both of which are believed to be
breakable if you have a large budget or a lot of stolen computers or a
lot of time.

Assuming that we care about these attacks, they _would_ make rotating
TAP keys more important: the longer any TAP onion keys are in use, the
more cost-effective it would be for an attacker to factor them...

...but there's another factor that makes TAP keys less important: they
simply shouldn't be used for anything modern in today's Tor.  The last
thing that required the TAP handshake was some facets of the v2 onion
service protocol, and that's now been fully deprecated.  So I wouldn't
personally worry about TAP too much.

hoping this helps and I haven't screwed up my analysis,
--
Nick
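
The distinction drawn in the message above (ephemeral keys give forward secrecy, the onion key gives relay authentication), as an added example that is not part of the original post or of Tor's code. It assumes a simplified ntor-shaped handshake over a toy modular group in place of curve25519 and omits the relay identity; all names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group standing in for curve25519 (assumption; illustration only, not secure).
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(X, Y, B, x=None, y=None, b=None):
    """Derive the circuit key from transcript (X, Y, B) plus whatever secrets
    the caller holds. Needs g^(xy) (from x or y) AND g^(xb) (from x or b)."""
    if x is not None:
        eph, stat = pow(Y, x, P), pow(B, x, P)
    elif y is not None and b is not None:
        eph, stat = pow(X, y, P), pow(X, b, P)
    else:
        return None  # e.g. onion key b alone: g^(xy) is out of reach
    data = b"".join(v.to_bytes(32, "big") for v in (eph, stat, B, X, Y))
    return hashlib.sha256(data).digest()

def tag(key):
    return hmac.new(key, b"server-auth", hashlib.sha256).digest()

def respond(b, B, X):
    """Responder side: fresh y per handshake, dropped when this returns."""
    y, Y = keypair()
    return Y, tag(session_key(X, Y, B, y=y, b=b))

def client_accepts(x, X, B_listed, Y, auth):
    """Client side: checks the responder against the onion key in the directory."""
    return hmac.compare_digest(auth, tag(session_key(X, Y, B_listed, x=x)))

def scenarios():
    b_old, B_old = keypair()          # onion key that later leaks (constructed)
    _, B_new = keypair()              # key published after rotation
    x, X = keypair()                  # client ephemeral
    Y, auth = respond(b_old, B_old, X)
    return {
        "honest_handshake_ok": client_accepts(x, X, B_old, Y, auth),
        # Recorded transcript + leaked b, with x and y already discarded:
        "leaked_b_recovers_old_key": session_key(X, Y, B_old, b=b_old) is not None,
        # Whoever holds b passes authentication while B_old is still listed:
        "b_holder_accepted_before_rotation": client_accepts(x, X, B_old, *respond(b_old, B_old, X)),
        # Once the directory lists B_new, the old key no longer authenticates:
        "b_holder_accepted_after_rotation": client_accepts(x, X, B_new, *respond(b_old, B_old, X)),
    }
```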

