Opened 7 years ago

Closed 5 years ago

#5976 closed enhancement (duplicate)

Load Tor Hidden Service Key via Tor Control Protocol

Reported by: naif
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-hs
Cc: mk@…
Actual Points:
Parent ID: #8993
Points:
Reviewer:
Sponsor:

Description

Rationale

All the applications embedding Tor binaries (TorChat, APAF Framework, GlobaLeaks) that use a Tor Hidden Service have to set up a Tor Hidden Service.

Currently Tor Hidden Services are created automatically by Tor into the Tor HiddenServiceDir configuration directive, by creating two files:

  • private key
  • file containing the hostname

This method of activation/configuration of Tor HS data is not particularly application integration friendly because:

  • It requires filesystem operations just to know the hostname of a TorHS
  • It makes it difficult to protect the Tor HS private key (users need filesystem encryption rather than just application-level encryption to preserve this private data)

This feature enhancement proposes to allow the creation of a Tor Hidden Service by loading the required files and configuration via the Tor Control Protocol.

That way, Python applications using TorCtl/TxTorCon would be able to create and set up a TorHS by loading the private key dynamically on boot.

That way, applications would be able to store in an application database all the information needed to write the Tor configuration and Tor HS data from scratch.

The application database may be encrypted, to protect the Tor HS private key and prevent Tor HS hijacking in case of computer seizure.

Change History (16)

comment:1 Changed 7 years ago by nickm

Milestone: Tor: unspecified

comment:2 Changed 7 years ago by mk

Cc: mk@… added

Why would an application need to load hidden service private key (as opposed to HS hostname)?

comment:3 in reply to:  2 Changed 7 years ago by naif

Replying to mk:

Why would an application need to load hidden service private key (as opposed to HS hostname)?

The hostname is a hash derived from the RSA key, so if you have the RSA key you can compute the hostname.

The problem is that currently the TorHS key cannot be stored securely like Apache can do with a PKCS#21 digital certificate, because it's stored in clear text on the filesystem. The only way to protect it is to "encrypt the filesystem", but it's a workaround.

So this ticket is to propose a method to keep this information "off-filesystem", being able to load it into Tor through the Tor Control Protocol.

It would be up to a third-party piece of software to decide where and how to store the RSA key, giving integration flexibility that is currently not available and allowing improved security (protecting the TorHS RSA key by encrypting it).
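
The relationship described in comment:3, as an added example that is not part of the original thread: in the legacy RSA-based (v2) onion service format, the hostname is the base32 encoding of the first 80 bits of the SHA-1 digest of the DER-encoded RSA public key, so whoever holds the key controls the address. The modulus below is a constructed placeholder, not a real key, and the function names are this example's own.

```python
import base64
import hashlib

# Constructed 1024-bit placeholder; NOT a valid RSA modulus.
SAMPLE_MODULUS = (1 << 1023) + 0xC0FFEE01
SAMPLE_EXPONENT = 65537


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value.

    One extra leading 0x00 is emitted when the top bit would otherwise be
    set, so the value is never read as negative.
    """
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    """PKCS#1 RSAPublicKey: SEQUENCE { modulus, publicExponent }."""
    body = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_length(len(body)) + body


def onion_v2_hostname(public_key_der: bytes) -> str:
    """Legacy v2 hostname: base32(SHA-1(DER public key)[:10]) + '.onion'."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    der = rsa_public_key_der(SAMPLE_MODULUS, SAMPLE_EXPONENT)
    print(len(der), "byte public key ->", onion_v2_hostname(der))
```

Because the address is a pure function of the key, an application that keeps only the encrypted key in its database can recompute the hostname without reading a hostname file from disk.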

comment:4 Changed 7 years ago by mk

Ah, so by "load" you mean both "get from Tor" and "load into Tor".

comment:5 in reply to:  4 Changed 7 years ago by naif

Replying to mk:

Ah, so by "load" you mean both "get from Tor" and "load into Tor".

mmm yes, this may be the right definition; as a result, being able to activate a TorHS without the need to write the private RSA key to the filesystem, giving flexibility to third-party apps in handling it :-)

comment:6 Changed 7 years ago by naif

comment:7 Changed 7 years ago by naif

Which is the best way if we want to proceed by making a proposal?

Is there an example of modifications to the Tor Control Protocol to use when making a proposal?

comment:8 Changed 7 years ago by naif

This ticket is also referenced by Tor's GSoC APAF (Anonymous Python Application Framework) ticket https://github.com/mmaker/APAF/issues/27 .

comment:10 Changed 7 years ago by naif

A different approach to fix the problem of Tor HS private key security has been proposed on https://github.com/meejah/txtorcon/issues/13 , but cannot be implemented due to bug #6044.

comment:11 Changed 7 years ago by nickm

Keywords: tor-hs added

comment:12 Changed 7 years ago by nickm

Component: Tor Hidden Services → Tor

comment:13 Changed 7 years ago by naif

Something has been implemented on https://trac.torproject.org/projects/tor/ticket/6411 and should be reviewed to understand if it fits the requirement of passing the Tor HS key via Tor CP (so, keeping it externally hosted, not as a filesystem file).

comment:14 Changed 6 years ago by arma

Parent ID: #8993

comment:15 Changed 5 years ago by special

I believe this is a duplicate of #1949. It is also discussing ways to have a controller provide the private key without using the filesystem.

I suggest closing this ticket and solving the problem there.

comment:16 Changed 5 years ago by nickm

Resolution: duplicate
Status: new → closed