wiki:org/meetings/2018NetworkTeamHackfestSeattle/OldCrypto

Old crypto that we should remove (worst cases):

  1. Truncated SHA-1
  2. RSA-1024
  3. SHA-1
  4. DH 1024 - TAP and old TLS parameters (but now we prefer better TLS options)
  5. TAP (which is comprised of the above things)

What stands in the way of removing the above old crypto?

1) Truncated SHA-1

  • Used by the old onion services and relay crypto
  • Nick has already written a proposal in torspec/ideas for what we need to do to remove this
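
Where truncated SHA-1 sits in relay crypto, as an added example that is not from these notes or from Tor's code: each relay cell carries the first 4 bytes of a running SHA-1 over all cells sent in that direction, so per-cell integrity rests on a 32-bit tag. The sketch assumes the tor-spec relay cell layout, omits the AES-CTR layers, uses zero padding and a constructed seed; `RelayDigest`, `seal`, `open_cell` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

PAYLOAD_LEN = 509               # relay cell payload size
DIGEST_OFF, DIGEST_LEN = 5, 4   # digest follows cmd(1) recognized(2) stream_id(2)

class RelayDigest:
    """Running SHA-1 over every relay cell sent in one direction of one hop."""
    def __init__(self, seed: bytes):
        self._h = hashlib.sha1(seed)   # seeded with the Df/Db key material

    def seal(self, cmd: int, stream_id: int, data: bytes) -> bytes:
        if len(data) > PAYLOAD_LEN - 11:
            raise ValueError("relay data too long")
        # Hash the cell with recognized=0 and a zeroed digest field.
        hdr = struct.pack(">BHH4sH", cmd, 0, stream_id, b"\0" * 4, len(data))
        cell = (hdr + data).ljust(PAYLOAD_LEN, b"\0")
        self._h.update(cell)
        tag = self._h.digest()[:DIGEST_LEN]          # truncation: 160 -> 32 bits
        return cell[:DIGEST_OFF] + tag + cell[DIGEST_OFF + DIGEST_LEN:]

    def open_cell(self, cell: bytes) -> bool:
        # Verify on a copy so a rejected cell does not corrupt the running state.
        if len(cell) != PAYLOAD_LEN or cell[1:3] != b"\0\0":
            return False
        zeroed = cell[:DIGEST_OFF] + b"\0" * 4 + cell[DIGEST_OFF + DIGEST_LEN:]
        trial = self._h.copy()
        trial.update(zeroed)
        got = cell[DIGEST_OFF:DIGEST_OFF + DIGEST_LEN]
        if not hmac.compare_digest(trial.digest()[:DIGEST_LEN], got):
            return False
        self._h = trial
        return True

def demo():
    seed = b"constructed-Df-seed-"                   # constructed sample value
    sender, receiver = RelayDigest(seed), RelayDigest(seed)
    c1 = sender.seal(2, 1, b"hello")                 # 2 = RELAY_DATA
    c2 = sender.seal(2, 1, b"world")
    tampered = bytearray(c2)
    tampered[11] ^= 1                                # flip one bit of the data
    return (receiver.open_cell(c1), receiver.open_cell(bytes(tampered)),
            receiver.open_cell(c2))

if __name__ == "__main__":
    print(demo())
```
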

2) RSA-1024

  • This is not an immediate concern as each relay also uses an Ed25519 key
  • We should remove RSA and use only Ed25519 keys.
  • Scariest places we use RSA: old hidden services, followed by signed documents. Everything relays sign is signed with both Ed25519 and RSA keys, so we don't need to worry much about RSA here.
  • Tor currently doesn't support relays without RSA keys. We would need to make it such that a correct descriptor has an ed25519 key, and remove all the places where RSA is currently used. This might be ideal to save on bandwidth.
  • We use a hash of the RSA identity key all over the code for relay identity.

3) SHA-1

  • We use this in relay fingerprints and old hidden services

4) DH 1024

5) TAP - constructed out of the above things. TAP is part of the old onion service protocol. When we get rid of TAP, we'll get rid of DH 1024.

We can remove TAP when we remove support for old onion services. Deprecating TAP is desirable but hard because of rendezvous points.

X509 certificates are self-signed (kinda).

TLS uses SHA-1 and MD5 to generate keys (used as a KDF). The OpenSSL RNG uses SHA-1 (more recent ones are transitioning).

  • Is it time for a third consensus flavor? An RSA-less consensus flavor; we could have clients download it.
  • We could remove RSA keys from the microdesc. Could we also ditch SHA-1 at the same time?
  • It might be better for now to not use the RSA identity keys- including them in the link/extend cells in order to look like other clients.

Next steps:

  • Declare a date to deprecate v2 onion services? We need to decide when this should be deprecated.
  • List of things that we find unacceptable- [Done in these notes, review to make sure there aren't any more]
  • Write a document for each of these crypto primitives describing where it is used (similar to SHA-1)
  • Write a proposal for what order we remove each feature of the proposal that uses the protocol things.
  • Write a proposal for what order we turn off v2 onion service support.

Last modified on Jun 2, 2018, 5:48:13 PM