wiki:TorHSM

The TorHSM work item aims to let directory authority signing keys move to a so-called Hardware Security Module (HSM) based on the CrypTech Alpha board. The Tor part of this project produces code for little-t-tor, a program for key management, and support software for development and test. See the CrypTech wiki for a description of TorHSM from the CrypTech point of view.

Status

  • 2019-07-10 Successfully produced a consensus with one dirauth using an emulated HSM device in a Chutney test network (the basic network), with TestingV3AuthInitialVotingInterval set to 120 and VoteDelay/DistDelay at 20, while the HSM takes 8 seconds to produce a signature.

Design

Code

tor

https://gitweb.torproject.org/user/linus/tor.git/log/?h=torhsm

NOTE: This branch is not meant for merging into master! It's a PoC written to minimize the diff against tor-0.3.5.8 in order to show what needs to be done. The consensus handling code should be refactored before trying to get this functionality into master.

chutney

https://gitweb.torproject.org/user/linus/chutney.git/log/?h=torhsm

NOTE: Quite a few actions necessary for setting things up properly are not done by Chutney; see the note in networks/basic-hsm for a list.

USB gadget emulation

Notes

Open questions

  • Figure out how legacy dirauth keys are meant to be used and whether they're still considered a good idea.
  • Does tor still need variable consensus periods? If so, our rate-limiting idea might not work.
  • Really verify new signing keys ('verify'), or simply activate a new key when the operator says so ('activate')?
  • Require a PIN or not?
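The following is an added example, not code from the TorHSM branch, little-t-tor or CrypTech. It models the timing budget behind the 2019-07-10 status entry (120 s interval, 20 s VoteDelay/DistDelay, 8 s per HSM signature) and the rate-limiting question above: how much slack each signing window leaves for a slow HSM, and what happens to an HSM that refuses to sign consensuses faster than some minimum spacing when the consensus period changes. The option names are tor's; the rule that a signature must finish before the phase that needs it begins, the `min_spacing` limiter policy and the period sequence in `__main__` are assumptions made for illustration.

```python
"""Timing-budget model for an HSM-backed Tor directory authority.

Added example, not code from the TorHSM branch or from little-t-tor. It
models the v3 voting schedule tor's dirauths follow: a period starts, each
authority signs and publishes its vote, VoteDelay seconds later the consensus
is computed and signed, and after a further DistDelay seconds of signature
exchange the consensus is published. Option names are tor's. Two assumptions
are made for illustration: a signature must finish before the phase that
needs it begins, and the HSM rate-limits consensus signatures by refusing one
sooner than `min_spacing` seconds after the last accepted one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VotingSchedule:
    interval: int    # V3AuthVotingInterval (or TestingV3AuthInitialVotingInterval)
    vote_delay: int  # V3AuthVoteDelay
    dist_delay: int  # V3AuthDistDelay

    def validate(self) -> None:
        """Mirror the sanity check tor's config parser applies to these options."""
        if self.vote_delay <= 0 or self.dist_delay <= 0:
            raise ValueError("VoteDelay and DistDelay must be positive")
        if self.vote_delay + self.dist_delay >= self.interval // 2:
            raise ValueError(
                "VoteDelay plus DistDelay must be less than half the voting interval")


def signing_slack(sched: VotingSchedule, hsm_latency: int) -> Dict[str, int]:
    """Seconds left in each signing window after the HSM has produced its signature.

    The vote signature is requested at the start of the period and the vote must
    reach the other authorities before the consensus is computed at +VoteDelay;
    the consensus signature is requested at +VoteDelay and must be in hand
    before publication at +VoteDelay+DistDelay. A negative value means the HSM
    is too slow for that window.
    """
    return {
        "vote": sched.vote_delay - hsm_latency,
        "consensus": sched.dist_delay - hsm_latency,
    }


def consensus_sign_times(period_lengths: List[int], vote_delay: int) -> List[int]:
    """Absolute times at which a consensus signature is requested, one per period."""
    times, start = [], 0
    for length in period_lengths:
        times.append(start + vote_delay)
        start += length
    return times


class RateLimitedSigner:
    """Assumed HSM policy: at most one consensus signature per min_spacing seconds."""

    def __init__(self, min_spacing: int) -> None:
        self.min_spacing = min_spacing
        self.last_accepted: Optional[int] = None

    def sign(self, now: int) -> bool:
        if self.last_accepted is not None and now - self.last_accepted < self.min_spacing:
            return False  # refused: would exceed the allowed signing rate
        self.last_accepted = now
        return True


def simulate(period_lengths: List[int], vote_delay: int,
             min_spacing: int) -> List[Tuple[int, bool]]:
    """Run the limiter over a sequence of (possibly varying) consensus periods."""
    signer = RateLimitedSigner(min_spacing)
    return [(t, signer.sign(t)) for t in consensus_sign_times(period_lengths, vote_delay)]


if __name__ == "__main__":
    # Values from the 2019-07-10 status entry: 120 s initial interval,
    # 20 s VoteDelay/DistDelay, 8 s per HSM signature.
    sched = VotingSchedule(interval=120, vote_delay=20, dist_delay=20)
    sched.validate()
    print("slack:", signing_slack(sched, hsm_latency=8))
    # Constructed period sequence: two 120 s periods, then the network shortens
    # the interval to 60 s; a limiter tuned to 120 s refuses the fourth signature.
    for t, ok in simulate([120, 120, 60, 60], vote_delay=20, min_spacing=120):
        print(f"t={t:4d}s consensus signature {'accepted' if ok else 'REFUSED'}")
```

With the status entry's values each window leaves 12 s of slack. Note that TestingV3AuthInitialVotingInterval only governs the period before the first consensus exists; afterwards V3AuthVotingInterval applies, so even a Chutney network has a consensus period that changes at least once, which is exactly the case a fixed-spacing limiter in the HSM has to tolerate.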

To do

Last modified on Jul 18, 2019, 10:17:32 AM