tor-dev June 2012

tor-dev@lists.torproject.org

37 participants
46 discussions

Proposal 189: AUTHORIZE and AUTHORIZED cells
by George Kadianakis 12 Jun '12

12 Jun '12

Filename: 189-authorize-cell.txt Title: AUTHORIZE and AUTHORIZED cells Author: George Kadianakis Created: 04 Nov 2011 Status: Open 1. Overview Proposal 187 introduced the concept of the AUTHORIZE cell, a cell whose purpose is to make Tor bridges resistant to scanning attacks. This is achieved by having the bridge and the client share a secret out-of-band and then use AUTHORIZE cells to validate that the client indeed knows that secret before proceeding with the Tor protocol. This proposal specifies the format of the AUTHORIZE cell and also introduces the AUTHORIZED cell, a way for bridges to announce to clients that the authorization process is complete and successful. 2. Motivation AUTHORIZE cells should be able to perform a variety of authorization protocols based on a variety of shared secrets. This forces the AUTHORIZE cell to have a dynamic format based on the authorization method used. AUTHORIZED cells are used by bridges to signal the end of a successful bridge client authorization and the beginning of the actual link handshake. AUTHORIZED cells have no other use and for this reason their format is very simple. Both AUTHORIZE and AUTHORIZED cells are to be used under censorship conditions and they should look innocuous to any adversary capable of monitoring network traffic. As an attack example, an adversary could passively monitor the traffic of a bridge host, looking at the packets directly after the TLS handshake and trying to deduce from their packet size if they are AUTHORIZE and AUTHORIZED cells. For this reason, AUTHORIZE and AUTHORIZED cells are padded with a random amount of padding before sending. 3. Design 3.1. AUTHORIZE cell The AUTHORIZE cell is a variable-sized cell. The generic AUTHORIZE cell format is: AuthMethod [1 octet] MethodFields [...] PadLen [2 octets] Padding ['PadLen' octets] where: 'AuthMethod', is the authorization method to be used. 'MethodFields', is dependent on the authorization Method used. It's a meta-field hosting an arbitrary amount of fields. 'PadLen', specifies the amount of padding in octets. 'Padding', is 'PadLen' octets of random content. 3.2. AUTHORIZED cell format The AUTHORIZED cell is a variable-sized cell. The AUTHORIZED cell format is: 'AuthMethod' [1 octet] 'PadLen' [2 octets] 'Padding' ['PadLen' octets] where all fields have the same meaning as in section 3.1. 3.3. Cell parsing Implementations MUST ignore the contents of 'Padding'. Implementations MUST reject an AUTHORIZE or AUTHORIZED cell where the 'Padding' field is not 'PadLen' octets long. Implementations MUST reject an AUTHORIZE cell with an 'AuthMethod' they don't recognize. 4. Discussion 4.1. Why not let the pluggable transports do the padding, like they are supposed to do for the rest of the Tor protocol? The arguments of section "Alternative design: Just use pluggable transports" of proposal 187, apply here as well: All bridges who use client authorization will also need camouflaged AUTHORIZE/AUTHORIZED cell. 4.2. How should multiple round-trip authorization protocols be handled? Protocols that require multiple round-trips between the client and the bridge should use AUTHORIZE cells for communication. The format of the AUTHORIZE cell is flexible enough to support messages from the client to the bridge and the inverse. In the end of a successful multiple round-trip protocol, an AUTHORIZED cell must be issued from the bridge to the client. 4.3. AUTHORIZED seems useless. Why not use VPADDING instead? As noted in proposal 187, the Tor protocol uses VPADDING cells for padding; any other use of VPADDING makes the Tor protocol kludgy. In the future, and in the example case of a v3 handshake, a client can optimistically send a VERSIONS cell along with the final AUTHORIZE cell of an authorization protocol. That allows the bridge, in the case of successful authorization, to also process the VERSIONS cell and begin the v3 handshake promptly.

6 12

[GSoC] Update - Safe cookie support/General controller class for Stem
by Ravi Chandra Padmala 11 Jun '12

11 Jun '12

Hello I have finished working on implementing the safe cookie authentication support for Stem. Damian fixed a few things[1] and merged it into master. I'm now working on implementing the general controller class. GETINFO parsing was implemented by Damian as an example. I've implemented GETCONF parsing[2] for the controller. It's almost done. I'm also going to implement the other methods to handle the remaining control commands allocated to week 2 and 3 in my proposal[3]. Note: I'm behind my schedule by a little more than a week. I had an exam during the 2nd week, because of which I couldn't do much/any work that week. Though, I do have enough buffer time to make up for this, and, I'm trying to catch up with my schedule. 1. https://gitweb.torproject.org/stem.git/commit/560923cb7b572d02046c6ca2bd5eb… 2. https://trac.torproject.org/projects/tor/ticket/6114 3. https://www.torproject.org/about/gsocProposal/gsoc12-proposal-stemImproveme… -- neena

1 0

Stem Sphinx Documentation
by Damian Johnson 10 Jun '12

10 Jun '12

Hi Ravi, Beck, and everyone else hacking on stem. I just finished and merged a rewrite of our documentation into reStructuredText. The results are... very pretty. http://www.atagar.com/transfer/tmp/stem_html_12_06_05/ Next I plan to make a landing page for stem, and a cron process which will automatically keep a documentation page up to date with the current git master branch. Some pages that you might find especially relevant... Ravi http://www.atagar.com/transfer/tmp/stem_html_12_06_05/stem.html#module-stem… Beck http://www.atagar.com/transfer/tmp/stem_html_12_06_05/stem.html#stem.contro… Karsten http://www.atagar.com/transfer/tmp/stem_html_12_06_05/stem.descriptor.html#… Norman, Erik, and Megan http://www.atagar.com/transfer/tmp/stem_html_12_06_05/stem.util.html#module… Cheers! -Damian

2 4

How (not) to Build a Transport Layer for Anonymity Overlays
by Roger Dingledine 09 Jun '12

09 Jun '12

http://pade12.mytestbed.net/pade12-final6.pdf To be presented this coming Friday in London: http://pade12.mytestbed.net/technicalprogram/ --Roger

1 0

Stem Testing Code Question - Wesleyan Interns
by Erik I Islo 08 Jun '12

08 Jun '12

Hi Damian, Having gotten started looking at some of the testing code from Stem over the last day or so, Megan and I have come up with a question. While both of us are currently on #tor and #tor-dev (as ErikI and MeganC), we figured an email would be best for getting started as we have a bit more to say. In run_tests.py, under the if statement that catches the case of integration tests (line 268), there is a block of code that contains a number of references to 'targets.' To start, could you explain the formatting and specific purpose of the settings.cfg file? Basically, we are trying to understand what lines 274 through 309 are doing in run_tests.py. Thanks in advance, Erik & Megan

2 1

Can we stop sanitizing nicknames in bridge descriptors?
by Karsten Loesing 06 Jun '12

06 Jun '12

Hi everybody, we're discussing in #5684 whether we can stop sanitizing nicknames in the bridge descriptors that we publish here: https://metrics.torproject.org/data.html#bridgedesc The sanitizing process is described here: https://metrics.torproject.org/formats.html#bridgedesc When we started making sanitized bridge descriptors available on the metrics website we replaced all contained nicknames with "Unnamed". The reason was that "bridge nicknames might give hints on the location of the bridge if chosen without care; e.g. a bridge nickname might be very similar to the operators' relay nicknames which might be located on adjacent IP addresses." This was an easy decision back then, because we didn't use the nickname for anything. This has changed with #5629 where we try to count EC2 bridges which all have a similar nickname. So, while we don't have that information, there'd now be a use for it. Another advantage of having bridge nicknames would be that they're easier to look up in a status website like Atlas (which doesn't support searching for bridges yet). We should re-consider whether it still makes sense to sanitize nicknames in bridge descriptors or not. Regarding the reasoning above, couldn't an adversary just scan adjacent IP addresses of all known relays, not just the ones with similar nicknames? And are we giving away anything else with the nicknames? It would be great to get some feedback here whether leaving nicknames in the sanitized descriptors is a terrible idea, and if so, why. If nobody objects within the next, say, two weeks, I'm going to make an old tarball from 2008 available with original nicknames. And if nobody screams, I'll provide the remaining tarballs containing original nicknames another two weeks later. Thanks! Karsten

5 21

Stats on Amazon bridges
by SiNA Rabbani 06 Jun '12

06 Jun '12

Dear Team, I need to get a count of all the Amazon Tor images running bridges. The reason I need this data is so I can follow-up with acessnow.org about the campaign they are running at: https://www.globalproxycloud.net/ How should I go about that data? All the best, SiNA -- First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

2 1

[GSoC]Tails-server
by jvoisin 06 Jun '12

06 Jun '12

Hello, the "community bonding period" is over for quite some time now, but as I have previously said in my application, I (unfortunately) won't be able to start my GSoC until the 8th of June. So far, I managed to build Tails in a virtual machine, in a tmpfs, using a proxy (to avoid spamming Debian's mirrors); but also using vagrant[1]. It takes me only a couple of minutes to build Tails on my machine, which is a good news. About the testing environment now: It seems like liveCD testing is not something that interest people very much. The autotesting repo[3] of debian-live is a 404, and even if it wasn't, the documentation is lacking. The "mainstream way" for doing system-wide/vm/liveCD tests is autotest[4], but it seems completely overkill to me. This is why I am currently playing around with lettuce[2], a nice Python-powered BDD tool. Hopefully, my next status update will be more consistent/interesting. Have a nice day 1. https://tails.boum.org/contribute/build/#index1h1 2. http://lettuce.it/ 3. http://git.debian.org/?p=debian-live/autotesting.git 4. http://autotest.github.com/ -- jvoisin

2 1

Stegotorus now available from gitweb.torproject.org
by Zack Weinberg 05 Jun '12

05 Jun '12

On Mon, Jun 4, 2012 at 8:21 AM, Zack Weinberg <zackw(a)panix.com> wrote: > For the moment, the source tree is visible on Github: > <https://github.com/zackw/stegotorus>. It is likely to move to > gitweb.torproject.org hosting in the near future. You can now clone {git,https}://git.torproject.org/stegotorus.git . Be warned that due to a couple of very large files, a clone requires approximately 350MB of disk space and 140MB transferred over the network. (The troublesome files are unlikely to change in the near future, so this is a one-time cost.) You should also assume that all documentation is out of date until further notice. Patches are welcome. The TODO list currently exists only in my head, but I'll be getting that updated in-repo Real Soon. zw

2 3

use sphinx on stem
by Beck Chen 05 Jun '12

05 Jun '12

Hi Damian, I explored sphinx and tried it on stem these days, and it seemed pretty handy. I think a good way to produce nice documentation for stem is to create a page for each module manually, write an introduction by hand, and use autoclass / autofunction / autoexception in the autodoc extension to create API docs. automodule seems too general and does not work well with module's docstring in stem since it is not written in reST format, so I don't like it. What do you suggest? And how's your progress now? Cheers, Beck

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev June 2012