[tor-talk] Improved HS key management

Qingping Hou dave2008713 at gmail.com
Sun Dec 29 04:31:58 UTC 2013


On 12/28/2013 06:46 AM, Gregory Maxwell wrote:
> One of the current unfortunate properties of hidden services is that
> the identity of the hidden service is its public key (or the
> equivalent hash, in the current setup), and this key must always be
> available for signing on an online host (usually the HS itself, though
> potentially on a bastion host).
> 
> This is pretty bad for prudent key management— the key is very high
> value because it's difficult to change, and then stuck always online
> constantly being signed with— even on demand by a hostile attacker.
> 
> Then the matter is made even worse by there being no systematized
> mechanism for revocation.
> 
> It would be preferable if it were possible to have a HS master key
> which was kept _offline_ which could be used to authorize use for some
> time period and/or revoke usage. The offline key could be used to
> create an online key which is good for a year or until superseded by a
> higher sequence number, and every 6 months the online key could be
> replaced. Thus if an old copy of the HS media were discovered it
> couldn't be used to impersonate the site.
> 
> Sadly the homomorphism proposed to prevent HSDIR enumeration attacks
> cannot be used to accomplish this, as knowledge of the ephemeral
> private key and the public blinding factor yields the original private
> key.
> 
> I can describe a scheme to address this but I'm surprised to not find
> any discussion of it.
> 

As grarpamp already mentioned, the second gen draft introduced the
concepts of a master key, blinded signing key and descriptor signing key.
It does not specify how to do key revocation, though.

Maybe you can add your idea to the draft and help improve it?
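
Added example (not part of the original thread and not Tor's code): why a key derived by the blinding homomorphism cannot act as a delegated online key, as the quoted message states. It assumes multiplicative blinding (a' = a*h mod q) in a toy Schnorr group with constructed parameters standing in for the real curve construction; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2*Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Long-term (master) key pair: private scalar a, public A = G^a mod P."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def blinding_factor(master_pub, period):
    """Public per-period factor h, computable by anyone who knows A and the period."""
    digest = hashlib.sha256(f"{master_pub}|{period}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1  # in [1, Q-1], invertible mod Q


def blind_public(master_pub, h):
    """A' = A^h mod P; derived from public values only."""
    return pow(master_pub, h, P)


def blind_private(master_priv, h):
    """a' = a*h mod Q; the ephemeral key an online host would sign with."""
    return (master_priv * h) % Q


def recover_master(blinded_priv, h):
    """Anyone holding a' and the public h inverts the blinding: a = a' * h^-1 mod Q."""
    return (blinded_priv * pow(h, -1, Q)) % Q


if __name__ == "__main__":
    a, A = keygen()
    h = blinding_factor(A, period=16068)  # constructed period number
    a_blind, A_blind = blind_private(a, h), blind_public(A, h)
    # Homomorphism: the blinded private key matches the blinded public key.
    print("blinded pair consistent:", pow(G, a_blind, P) == A_blind)
    # Compromise of the online (blinded) key exposes the offline master key.
    print("master key recovered:  ", recover_master(a_blind, h) == a)
```

An online key that is generated independently and certified by the master key has no such algebraic link, which is why offline-master designs use a signed delegation rather than blinding for this purpose.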
