Opened 9 years ago

Closed 7 years ago

#2768 closed enhancement (implemented)

Write standalone directory document signature verification tools

Reported by: rransom
Owned by: rransom
Priority: Medium
Milestone:
Component: Metrics Utilities
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Right now, the only easy way for researchers to verify that they are using the actual Tor network consensuses/votes/descriptors is to verify Karsten's OpenPGP signature of the tarball (if there is one). Tor already contains code to verify those documents which have signatures; we should expose that code to researchers' scripts, too.

The extra-info descriptors and microdescriptors are authenticated by having their hashes published in other documents, rather than being signed directly, so they will be a bit trickier for simple tools to verify; we should postpone writing verification tools for those documents for now.

Child Tickets

Change History (10)

comment:1 Changed 9 years ago by karsten

Agreed, we should write code to check the descriptor signatures. I suggest writing the code in Java, because we can create a standalone tool from it (as part of metrics-utils) and add it to metrics-db to check signatures on the fly. I should have some Java code around that checks descriptor signatures. Do you want to work on this? If so, I'll dig out the code.

Verifying extra-info descriptors requires having the server descriptors of the same month available. Fortunately, descriptors are sorted into month folders and tarballs by their publication time, so that all relevant server descriptors should be in a single tarball.

We don't collect any microdescriptors yet, and I don't know how to verify them. Perhaps by having the server descriptors, just like with extra-info descriptors? By the way, should we start collecting microdescriptors? If so, we should open a new ticket for that.

comment:2 in reply to: 1 Changed 9 years ago by rransom

Replying to karsten:

> Agreed, we should write code to check the descriptor signatures. I suggest writing the code in Java, because we can create a standalone tool from it (as part of metrics-utils) and add it to metrics-db to check signatures on the fly. I should have some Java code around that checks descriptor signatures. Do you want to work on this? If so, I'll dig out the code.

Yes, I want to work on these tools, but I currently do not have a Java runtime around.

> We don't collect any microdescriptors yet, and I don't know how to verify them. Perhaps by having the server descriptors, just like with extra-info descriptors?

Microdescriptors can be verified using the microdescriptor consensus.

> By the way, should we start collecting microdescriptors? If so, we should open a new ticket for that.

Probably (even though no clients use them yet). We should also investigate the lifetimes of microdescs.

comment:3 Changed 9 years ago by rransom

Where are the directory authorities' consensus-signing keys archived?

comment:4 in reply to: 3 Changed 9 years ago by rransom

Replying to rransom:

> Where are the directory authorities' consensus-signing keys archived?

The DAs' directory-signing certificates can be extracted from their vote documents, but we should extract them and publish them separately from the (huge) vote tarballs.

comment:5 in reply to: 4 Changed 9 years ago by karsten

Replying to rransom:

> Replying to karsten:
>
>> By the way, should we start collecting microdescriptors? If so, we should open a new ticket for that.
>
> Probably (even though no clients use them yet). We should also investigate the lifetimes of microdescs.

I just opened #2785 for the archiving part, but I will leave out the verification part for the moment.

Replying to rransom:

> Replying to rransom:
>
>> Where are the directory authorities' consensus-signing keys archived?
>
> The DAs' directory-signing certificates can be extracted from their vote documents, but we should extract them and publish them separately from the (huge) vote tarballs.

See the new ticket #2786.

comment:6 Changed 8 years ago by karsten

Component: Metrics → Metrics Utilities
Priority: major → normal

Moving this ticket to the new Metrics Utilities component. Once there's code, it would most likely live in the metrics-utils repository. ExoneraTor and VisiTor tickets would also go in the Metrics Utilities component.

Also reducing priority to normal.

comment:7 Changed 8 years ago by karsten

task-2768 in metrics-tasks now contains code to verify server descriptors.

comment:8 in reply to: 7 Changed 7 years ago by karsten

Replying to karsten:

> task-2768 in metrics-tasks now contains code to verify server descriptors.

That repository now also contains code to verify consensuses.

comment:9 Changed 7 years ago by karsten

Robert, do you have a list of things that need to be checked in order to verify the various descriptors? Here's what I do for server descriptors, certs, and consensuses:

Verify server descriptors using the contained signing key. Verify that

1) a contained fingerprint is actually a hash of the signing key and
2) a router signature was created using the signing key.

Verify consensuses using the separate certs. Verify that

1) the fingerprint in a cert is actually a hash of the identity key,
2) a cert was signed using the identity key,
3) a consensus was signed using the signing key from the cert.
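
The two server-descriptor checks listed above, as an added example that is not part of this ticket or of the metrics-tasks code: a standard-library Python script (the ticket proposes Java) that extracts the signing-key PEM, recomputes the fingerprint as SHA-1 over the key's DER encoding, and checks the router signature over the region from the "router" line through the newline after "router-signature". The descriptor it verifies is constructed in build_descriptor with a freshly generated 512-bit test key (real Tor keys are 1024-bit RSA), and the fingerprint, signing-key and router-signature line formats follow dir-spec. The point worth noting is that Tor's RSA signatures use PKCS#1 v1.5 block type 1 padding over the bare SHA-1 digest with no DigestInfo prefix, which is why the script performs the RSA verification itself instead of calling a generic PKCS1v15/SHA-1 verifier. The consensus checks from the same comment (cert fingerprint, cert signature, consensus signature) use the same raw-PKCS#1 primitive over their own signed regions and are not shown here.

```python
import base64, hashlib, re, secrets

def _probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for the constructed test key below."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=512):
    def prime(b):
        c = secrets.randbits(b) | (1 << (b - 1)) | 1          # top bit set, odd
        return c if _probable_prime(c) else prime(b)
    e = 65537                       # test key only; real Tor keys are 1024-bit RSA, e=65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                # e prime => gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _pkcs1_type1(digest, k):
    """Tor signs the bare SHA-1 digest under PKCS#1 v1.5 block type 1 with no
    DigestInfo prefix; a generic PKCS1v15+SHA1 verifier would reject valid signatures."""
    return b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest

def rsa_sign_digest(digest, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_type1(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify_digest(sig, digest, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _pkcs1_type1(digest, k))

def _der_len(n):                                              # short or long-form length
    return bytes([n]) if n < 128 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b                     # keep INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def _der_read(buf, pos):                                      # (tag, contents, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        nb, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nb:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key_der(der):
    tag, seq, _ = _der_read(der, 0)
    tn, nb, pos = _der_read(seq, 0)
    te, eb, _ = _der_read(seq, pos)
    if not (tag == 0x30 and tn == te == 0x02):
        raise ValueError("not a PKCS#1 RSAPublicKey")
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def unpem(text, label):
    m = re.search(rf"-----BEGIN {label}-----\n(.*?)-----END {label}-----", text, re.S)
    return base64.b64decode(m.group(1))

def verify_server_descriptor(text):
    """The two checks from comment 9; returns (fingerprint_ok, signature_ok)."""
    der = unpem(text, "RSA PUBLIC KEY")
    n, e = parse_rsa_public_key_der(der)
    claimed = re.search(r"^fingerprint (.+)$", text, re.M).group(1).replace(" ", "")
    # Signed region runs from "router " through the newline after "router-signature".
    signed = text[:text.index("router-signature\n") + len("router-signature\n")]
    return (claimed == hashlib.sha1(der).hexdigest().upper(),
            rsa_verify_digest(unpem(text, "SIGNATURE"), hashlib.sha1(signed.encode()).digest(), n, e))

def build_descriptor(n, e, d):
    """Constructed minimal descriptor carrying only the lines the two checks need."""
    der = rsa_public_key_der(n, e)
    fp = hashlib.sha1(der).hexdigest().upper()
    body = ("router example 203.0.113.1 9001 0 0\n"
            "fingerprint " + " ".join(fp[i:i + 4] for i in range(0, 40, 4)) + "\n"
            "signing-key\n" + pem("RSA PUBLIC KEY", der) + "router-signature\n")
    sig = rsa_sign_digest(hashlib.sha1(body.encode()).digest(), n, d)
    return body + pem("SIGNATURE", sig)
```

Calling verify_server_descriptor(build_descriptor(*generate_rsa_key())) returns (True, True). Changing any byte inside the signed region, for example the IP address on the "router" line, keeps the fingerprint check passing but fails the signature check; swapping in a different signing key fails both, since the published fingerprint no longer hashes the key that is present. On a real descriptor the same two functions apply unchanged, with the caveat that the RSA primitive here is written for clarity, not for constant-time or side-channel safety, which is irrelevant for verifying public documents.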

comment:10 Changed 7 years ago by karsten

Resolution: implemented
Status: new → closed

There's code. Calling this done.
