Opened 6 years ago

Last modified 3 years ago

#11448 new defect

Dirauths must support multiple relay identity keys at once

Reported by: rransom Owned by:
Priority: Low Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: prop231, tor-dirauth key-agility key-migration
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

As discussed on https://blog.torproject.org/blog/openssl-bug-cve-2014-0160, directory authorities must rotate their relay identity keys in order to recover from possible exposure due to the ‘Heartbleed’ bug. (A dirauth's relay identity key could be used by a MITM attacker to feed clients an outdated consensus, for example.)

There are two requirements in order to do this without causing a network meltdown:

  • A dirauth must be able to sign relay descriptors using multiple relay identity keys at once.
  • A dirauth must be able to operate multiple ORPorts at once, with (possibly) different relay identity keys.

Child Tickets

Change History (8)

comment:1 Changed 6 years ago by nickm

Keywords: needs-proposal added
Priority: critical → major

Alternatively, we can just have a key migration procedure that makes the information that determines flags and whatnot migrate sanely from old identities to new identities.

comment:2 Changed 6 years ago by nickm

Whoops, you're talking relay identities for directory authorities, not for relay identities in general. (Sorry, I got wrapped up writing proposal 230 last night and was thinking about the other problem.)

comment:3 Changed 6 years ago by nickm

Actually, I'm not sure you actually need to put extra ORPorts in the descriptors at all. I think it would work fine if we just support having an extra, non-advertised ORPort that uses an old identity key.

comment:4 in reply to: 3 Changed 6 years ago by rransom

Replying to nickm:

Actually, I'm not sure you actually need to put extra ORPorts in the descriptors at all. I think it would work fine if we just support having an extra, non-advertised ORPort that uses an old identity key.

I didn't say that multiple ORPorts needed to be in a single descriptor (and I'm pretty sure that can't be a good thing to do). And I don't think that dirauths need to sign a single relay descriptor using multiple relay identity keys at once, or that that would be a good idea either.

But I assume that some/many/most/all clients will misbehave if they connect to an ORPort with relay identity key X and can't get a relay descriptor signed by X, and it's not good to have clients misbehave in the general direction of a dirauth.

comment:5 Changed 6 years ago by nickm

Keywords: prop231 added; needs-proposal removed

Good point; we should check that out.

This is now proposal 231.

comment:6 Changed 5 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: unspecified
01:32 < nickm> #11448 -- not sure about this one.  It seems that the
               post-heartbleed ID key migration on dirservers wasn't too
               terrible.  With any luck, implementing multilayer identity keys
               will mean that any time spent doing support for multiple ID keys
               would be wasted.

Calling this "Tor: Unspecified" for now.

comment:7 Changed 3 years ago by dgoulet

Keywords: tor-dirauth added; tor-auth removed

Turns out that tor-auth is for directory authority, so make it clearer with tor-dirauth.

comment:8 Changed 3 years ago by nickm

Keywords: key-agility key-migration added
Priority: High → Low
Severity: Normal

Alternatively, dirauths should just keep their ed25519 master identity keys offline.
