Opened 2 years ago

Last modified 17 months ago

#20055 new enhancement

Remove relays that fail to rotate onion keys from the consensus

Reported by: teor
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-spec, tor-dirauth, security, key-rotation
Cc:
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

On #7164, a cypherpunks notes that ~40 relays fail to rotate their onion keys. This should be addressed by identifying these relays, and adding them to the DirAuths' AuthDirInvalid or AuthDirReject lists.

First, we need to update torspec/dir-spec.txt to say that relays SHOULD rotate their onion keys every 7 days, and MUST rotate them every N days. (I suggest 14 or 28.)

Then we can modify DocTor to check for relays in the consensus that have had the same onion key for N days. (I think DocTor is the right place for this check.)

This won't catch cases where relays repeat onion keys, but it will suffice to catch the most obvious misconfiguration - a read-only onion key file.

Child Tickets

Change History (15)

comment:1 Changed 2 years ago by teor

Actually, I think the correct fix is to say that onion keys MUST be rotated every 7 days in the spec. And then ban keys that haven't been rotated for 7*N days, where N is in (2,3,4).

comment:2 Changed 2 years ago by nickm

I don't think I would object to that.

comment:3 Changed 2 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:4 Changed 2 years ago by dgoulet

Keywords: tor-spec added; torspec 030-proposed removed
Milestone: Tor: 0.3.??? → Tor: 0.3.0.x-final
Points: 2 → 0.1

Opened #20969 for DocTor so this ticket becomes an important spec change.

comment:5 Changed 2 years ago by nickm

Points: 0.1 → 1

comment:6 Changed 2 years ago by nickm

> Actually, I think the correct fix is to say that onion keys MUST be rotated every 7 days in the spec. And then ban keys that haven't been rotated for 7*N days, where N is in (2,3,4).

Fine with me. I'd take a patch for this.

comment:7 Changed 2 years ago by arma

Golly. Can you point to some relays that have this behavior? Then we can try to investigate why it's happening.

comment:8 in reply to: 7 Changed 2 years ago by teor

Replying to arma:

> Golly. Can you point to some relays that have this behavior? Then we can try to investigate why it's happening.

This task needs someone who is good at writing stem scripts.
We need to compare the onion keys (TAP & ntor) for each relay in full consensuses spaced 7 days + 1 hour apart, and make sure they are different.

comment:9 Changed 2 years ago by nickm

Type: defect → enhancement

batch modify: I think these are "enhancement", though I could be wrong about some.

comment:10 Changed 2 years ago by nickm

Keywords: triaged-out-20160116 added
Milestone: Tor: 0.3.0.x-final → Tor: unspecified

comment:11 Changed 2 years ago by nickm

Keywords: triaged-out-20170116 added; triaged-out-20160116 removed

comment:12 Changed 22 months ago by nickm

We might want to raise the permissible interval for onion key rotation, actually. It appears to be the leading cause of microdescriptor replacement, and the security benefit for rotating onion keys frequently is not all that high.

comment:13 Changed 22 months ago by nickm

But FWIW, here are the relays that appeared in at least 400 consensuses in January, but rotated their onion key either only once, or not at all:

0572dcfe4ba472e02389499d0c30e9be41e0170a => 2 2 / 716 oO
1f45542a24a61bf9408f1c05e0dce4e29f2cba11 => 1 1 / 744 
3b4e3571662ad6759d9b3df454d281e16672f49e => 2 2 / 744 oO
4b7f7d1c10e80f8bb947ba6cbeec6ab50dd2e1be => 2 2 / 518 oO
59f16177e3b3d1979da56642e6044e266473ef2a => 1 1 / 739 
697d7612a5eb6db98226e98d180a779cb341c655 => 2 2 / 744 oO
8bdb5ec87abe18cc11ea22ac8153fa9be8678091 => 1 1 / 505 
8f029d39141c7a7bce3c64e0865c28c752f53650 => 2 2 / 515 oO
9d446e2c88ba5ae596101fe43bd07ef07e9f87f2 => 1 1 / 407 
a271979245a0f27246a75e5b7003f1a9dbbaa6b5 => 2 2 / 742 oO
a43f89ca39a127f0ec7793936451ef862a856d79 => 2 2 / 528 oO
a74e40c37958d1bbab36c2e0d78216f823e24d0b => 1 1 / 744 
ad5730ca65160f63269833a14cfe12b3a578c667 => 2 2 / 744 oO
b5ec038b6f90be09e7f0bd62ad0e54a59c7d4243 => 1 1 / 741 
c147c73d388b6ea0cde0cd67b4a2149cd6ae0b66 => 2 2 / 744 oO
ea070bb67442bdae49bdd86ac4277ae1db8b912d => 2 2 / 714 oO
efdeb09ffd0c569afabfe00ed870d088ecca6f7f => 1 1 / 744 

(Every oO is a key rotation.)

comment:14 Changed 22 months ago by teor

Once we define an acceptable rotation range (for example, 7-30 days), we can develop exclusion criteria like:

  • rotates more than twice in 7 days (places too much load on the network), or
  • has not rotated in 60 days (no forward secrecy).

Key pinning will also exclude some of the frequent relays.
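The check sketched in the ticket description and in comment:8 (compare each relay's TAP and ntor onion keys across consensus snapshots spaced at least a week apart) and the two exclusion criteria proposed in comment:14 (rotated more than twice in 7 days, or not rotated in 60 days) can be written as one small audit. The following is an added example, not code from the ticket, from DocTor or from Tor itself. It assumes that key material has already been pulled out of the descriptors or microdescriptors referenced by each consensus (in practice via stem) into a per-snapshot map of fingerprint → (TAP key, ntor key); the snapshots, fingerprints and key strings below are constructed, and the 60-day and twice-per-week cutoffs are taken from comment:14 as assumptions, not from the spec.

```python
"""
Added example (not part of the ticket or of Tor/DocTor): flag relays whose
onion keys never rotate, or rotate far too often, from a series of
consensus-time snapshots of each relay's (TAP, ntor) onion-key pair.
"""
from datetime import datetime, timedelta

ROTATION_PERIOD = timedelta(days=7)          # expected rotation interval
MAX_WITHOUT_ROTATION = timedelta(days=60)    # assumed cutoff (comment:14)
MAX_ROTATIONS_PER_PERIOD = 2                 # assumed cutoff (comment:14)


def rotation_events(snapshots, fingerprint):
    """Return (first_seen, [timestamps at which the relay's key pair changed]).

    snapshots: iterable of (datetime, {fingerprint: (tap_key, ntor_key)}).
    A change in either key between two consecutive snapshots that list the
    relay counts as one rotation event.
    """
    first_seen, prev, events = None, None, []
    for ts, relays in sorted(snapshots, key=lambda s: s[0]):
        keys = relays.get(fingerprint)
        if keys is None:
            continue                          # relay absent from this consensus
        if first_seen is None:
            first_seen = ts
        elif keys != prev:
            events.append(ts)
        prev = keys
    return first_seen, events


def classify_relay(snapshots, fingerprint, now):
    """'stale', 'churn', 'ok', or 'unknown' (never observed)."""
    first_seen, events = rotation_events(snapshots, fingerprint)
    if first_seen is None:
        return "unknown"
    # No rotation for the whole cutoff: only a finding if we have watched
    # the relay that long, so a freshly joined relay is not penalised.
    last_change = events[-1] if events else first_seen
    if now - last_change >= MAX_WITHOUT_ROTATION:
        return "stale"
    # Sliding window: more than MAX_ROTATIONS_PER_PERIOD changes in any
    # span shorter than ROTATION_PERIOD means needless descriptor churn.
    for i, start in enumerate(events):
        in_window = [t for t in events[i:] if t - start < ROTATION_PERIOD]
        if len(in_window) > MAX_ROTATIONS_PER_PERIOD:
            return "churn"
    return "ok"


def audit(snapshots, now):
    """Classify every fingerprint that appears in any snapshot."""
    fps = set()
    for _, relays in snapshots:
        fps.update(relays)
    return {fp: classify_relay(snapshots, fp, now) for fp in sorted(fps)}


# Constructed sample data: one snapshot per day for 70 days. Fingerprints
# and key strings are placeholders, not real relays or real key material.
T0 = datetime(2017, 1, 1)
NOW = T0 + timedelta(days=70)


def build_snapshots():
    snaps = []
    for day in range(71):
        ts = T0 + timedelta(days=day)
        c_id = day if 20 <= day < 28 else day // 7
        relays = {
            # rotates on schedule: a new pair every 7 days
            "A" * 40: (f"tap-A-{day // 7}", f"ntor-A-{day // 7}"),
            # never rotates (the read-only key file case)
            "B" * 40: ("tap-B-0", "ntor-B-0"),
            # rotates daily during days 20..27, weekly otherwise
            "C" * 40: (f"tap-C-{c_id}", f"ntor-C-{c_id}"),
        }
        if day >= 61:
            # joined recently and has not rotated yet: too little history
            relays["D" * 40] = ("tap-D-0", "ntor-D-0")
        snaps.append((ts, relays))
    return snaps


if __name__ == "__main__":
    for fp, verdict in audit(build_snapshots(), NOW).items():
        print(fp[:8], verdict)
```

Relay B is the misconfiguration the ticket is after; relay D shows why the stale test must be relative to the first observation rather than to the start of the data set, and relay C shows the opposite failure mode from comment:14. A production version would feed in hourly consensuses and the matching microdescriptors rather than daily snapshots, but the classification logic does not depend on the spacing.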

comment:15 Changed 17 months ago by nickm

Keywords: tor-dirauth security key-rotation added; triaged-out-20170116 removed