tor-dev August 2017

tor-dev@lists.torproject.org

22 participants
23 discussions

[release] Onionoo 4.0-1.3.0
by iwakeh 08 Aug '17

08 Aug '17

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi there! Another release of Onionoo is available: https://dist.torproject.org/onionoo/4.0-1.3.0/ This release is a maintenance release: * It adapts to use the improvements of metrics-lib 2.0.0 and * Debian Stretch dependencies and * steps up to Jetty9. (See the changelog [0] and git repo for details.) Please direct comments and questions to the metrics-team mailing list [1]. Cheers, iwakeh [0] https://gitweb.torproject.org/onionoo.git/tree/CHANGELOG.md?h=onionoo-4.0-1… [1] https://lists.torproject.org/cgi-bin/mailman/listinfo/metrics-team -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZiYO/AAoJEPeEx9Sa/gviYUQP/jTj8Tp5AtHacrW1zu9GqUry SlOSmwx0EgldVZDc96RD2rz0sef5OR0WBA/kQz8QUL3m6LpjdCmsOz9HyOZNtpqO gEY9RWEm0dfXLMai2BZVApp52X45MwRh+LBP/PTI/Sl5RJ4drmaDr+DZGHAzPJUz uXV9f45LNy/fZgtrR+Cjkr3pr+sb5IB/uGdjJYYC4hXXIhFHe6eRW0mqLGkjl733 sy5Z02ldTKntjeBfu+iVDgtObrYrDkDvbJYyQHPHwPLiVqtKiGZixeK8ojjPimIz 5O/GHH/2m00Jst+u4uyIeUQiUexzv/uMRLKYi0lPshbId1icGpAhs2VHy0pI7CXJ vr6rXkFv07tw86F36kOg2Vvy1/8oy0JEbZPA8hpl1F5tELp5Go0tf8Eq3PahMKh9 DfjOatQdj/BCi6G3dvtCiKyWnwd3chF1Gaqe1GmrAuDnrGGtbAWWv0ofStMOO+7X 2aI4y5Q2QTT7v9UJjks/rw4GOhEq+vlQHUFTVc4vSBm6bxSrowRyIy0/jUzeGs7A XT0CnTWyO5xtuNhGYsZPSx7fENGko1tPOnzjxurHCYcZNM7oBIJKwn2yol+xpEwr 2DE5lyp/8bmb4Ya6/m3li34ku++Y7peXQ3wVagB5aPq1oROZ5ttabi9gA+xPRCqk keSUDKXP9PBz+EtGvMoQ =ELXu -----END PGP SIGNATURE-----

1 0

Various Tor keys, their formats, and usages [was: Bridge Bandwidth Scanner Internship]
by isis agora lovecruft 08 Aug '17

08 Aug '17

Hello! The following was my attempt last week to summarise all of our various keys in server descriptors, how they are formatted, and what they are used for, in the hopes that this is useful in alleviating possible future confusions for others. Let me know (and, more importantly! let Jake know since he's writing a Rust parser for bridge descriptors as part of the Bridge Bandwidth Scanner project) if I got anything wrong. :) ----- Forwarded message from isis agora lovecruft <isis(a)torproject.org> ----- > From: isis agora lovecruft <isis(a)torproject.org> > Subject: Re: Bridge Bandwidth Scanner Internship > Date: Thu, 27 Jul 2017 19:52:47 +0000 > Message-ID: <20170727195247.GI24882(a)patternsinthevoid.net> > To: jnz(a)riseup.net > Reply-To: isis(a)torproject.org > Delivered-To: <isis+torproject(a)patternsinthevoid.net> > > jnz(a)riseup.net transcribed 1.4K bytes: > > Hey Isis, > > > > I have started the sanitization spec and the parser. A lot of the stuff > > I had to learn for the two overlaps, so I am working on them > > simultaneously. Conceptually, I understand the sanitization process, but > > I am a little bit confused about what some of the fields are in the > > descriptors. > > > > Q1. What exactly is the difference between "master-key", "identity-key", > > and "signing-key"? > > > > After reading through the descriptor spec, cert spec, and other docs, I > > am pretty confused on what each of the above means.I'm using the Nom > > crate for the parser, I've never used it before but so far I'm really > > liking it. Have you ever used it? > > This is specified (not all that well, imho) in dir-spec.txt… it's really > confusing. > > For versions of tor new enough to have prop#220 and prop#228 (>0.2.7.2-alpha): > > - "identity-ed25519" is a certificate containing a base64-encoded ed25519 > key. The bridge uses this to authenticate to clients. > > - "master-key-ed25519" is the ed25519 key which is in the > "identity-ed25519" certificate. > > - "onion-key" is an RSA-1024 key, encoded as a PKCS#1 RSAPublicKey > structure, encoded in base64, and wrapped in "-----BEGIN RSA PUBLIC > KEY-----" and "-----END RSA PUBLIC KEY-----". This key is used to > encrypt CREATE cells to in the older TAP handshake protocol. (TAP is > almost entirely unused on the network, last I checked. We'll likely be > removing "onion-key"s in the next year or so, after we EOL some old tor > versions.) > > - "ntor-onion-key" is a public curve25519 key, base64-encoded. This is used > in the newer NTor handshake protocol, which replaced TAP. It is still > quite common to see routers which have both an "onion-key" and an > "ntor-onion-key". > > - "signing-key" is the same type and format as "onion-key" above, but it's > used as a long-term identity key, for authenticating the bridge to > clients. (Similar to "identity-ed25519" just with RSA signatures.) > > - "router-sig-ed255519" is a only present iff "identity-ed25519" is > present, and it's an ed25519 signature of a SHA-256 digest of the > "entire" descriptor (Minus the "@purpose bridge" header since the Bridge > Authority is the one who adds that. So from "router " on the first line > up to and including the first space after "router-sig-ed25519".) This > "entire" descriptor is first prefixed with the string "Tor router > descriptor signature v1" before hashing and signing. After the signature > is produced, it is encoded in base64 and the trailing "="s are removed. > > - "router-signature" contains a signature of the PKCS#1-padded SHA-1 digest > of the "entire" server descriptor, taken from the beginning of the > "router" line (skipping "@purpose bridge" again), through (and > including) the newline after the "router-signature" line. The signature > is made with the router's "signing-key" (a.k.a. identity key). > > For older tor versions (without prop220 and/or prop228): > > - They will have "onion-key", "ntor-onion-key", "signing-key", and > "router-signature", as above. > > I've attached a tarball of today's descriptors for this bridge from the > public/default bridges in Tor Browser: > > https://atlas.torproject.org/#details/FEC8FB380DABA9D3C80790B634E4540BF5D09… > > Let me know if you want some more examples! I only grabbed one because they > are pretty annoying to pull out of the giant, unordered, undeduplicated > files the BridgeAuth produces (at least without writing a full parser). > > Also lmk if you have more questions, the entangled ball of crypto junk we > shove into descriptors is pretty confusing. […snip…] ----- End forwarded message ----- Best regards, -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://fyb.patternsinthevoid.net/isis.txt

1 0

X25519 ←→ Ed25519 key conversions and specs [was: Bridge Bandwidth Scanner Internship]
by isis agora lovecruft 08 Aug '17

08 Aug '17

jnz(a)riseup.net transcribed 2.0K bytes: > Hey Isis, > > I have a few crypto questions for you. The bonus question is purely out > of interest (I searched for the answer, but didn't get a > good/understandable answer, if you are busy don't worry about it). Hey Jake! I'm CCing the conversation to tor-dev, since these are all really good questions. (Also you found another problem in our specs!) > Q1. What does the bit argument in the the ntor-onion-key-crosscert field > do? > > The following is an example ntor-onion-key-crosscert field. The bit > argument is the "1" following ntor-onion-key-crosscert keyword. > > > ntor-onion-key-crosscert 1 > > -----BEGIN ED25519 CERT----- > > AQoABl2EAdjttTuvK9jQzdyi+Mh46ky1Jk9+Hw+FJ6eos5zUxcBDAJF+TGU6oZij > > DOToeg+/lIaEkv0RwIrl5aJta/jf2EdTgHRfCsMOLEWMfqjOA6pmkwc3jnWvWNms > > 7NVBzUcMWgA= > > -----END ED25519 CERT----- > > Q2. The following sentence is the bit argument's documentation from the > dir-spec. Could you possibly explain to me what this means? What is a > public key's "sign"? > > > Bit must be "0" or "1". It indicates the sign of the ed25519 public key corresponding to the ntor onion key. > > The following paragraph is also in the dir-spec, I know that it is > relevant, but I don't understand what it means. > > > C. Converting a curve25519 public key to an ed25519 public key > > > > Given a curve25519 x-coordinate (u), we can get the y coordinate > > of the ed25519 key using > > > > y = (u-1)/(u+1) > > > > and then we can apply the usual ed25519 point decompression > > algorithm to find the x coordinate of the ed25519 point to check > > signatures with. > > > > Note that we need the sign of the X coordinate to do this > > operation; otherwise, we'll have two possible X coordinates that > > might have correspond to the key. Therefore, we need the 'sign' > > of the X coordinate, as used by the ed25519 key expansion > > algorithm. > > > > To get the sign, the easiest way is to take the same private key, > > feed it to the ed25519 public key generation algorithm, and see > > what the sign is. > > BONUS. What is the difference between a curve25519 public key and an > ed25519 public key? Why would you want to convert back and forth between > the two? Okay, this is going to be a long answer. Let me know if parts don't make sense. So, as you noted, dir-spec.txt says [0]: > Bit must be "0" or "1". It indicates the sign of the ed25519 > public key corresponding to the ntor onion key. > > To compute the ed25519 public key corresponding to a > curve25519 key, see appendix C. There are a few different representations of the curve over the Galois field GF(2²⁵⁵ - 19) called curve25519. The (arguably) most useful is the twisted Edwards form of the curve (see our Rust documentation [1] for further details on point forms and more literature) defined for affine points P = (x,y) by the equation -x²+y² = 1 + dx²y² (1) where d = - 121665/121666 This is due to the fact that efficient, complete formulae (meaning that the same formulae, e.g. for point addition, can be used for all points, so you don't have messy if/then statements to deal with exceptional points) exist for Edwards curves. (Recently, complete formulae for Weierstrass curves and other prime-order curves have also been described. [2] However, they are still slightly less-efficient for most tasks.) There's a useful technique called a Montgomery ladder, which is an approach to constant-time (if implemented in a sane manner) point multiplication (i.e. computing nP by taking the point P and adding it to itself n times). This is particularly useful for elliptic curve Diffie-Hellman (ECDH) implementations, but it requires first converting a point from a certain representation (a.k.a. within a specific spatial coordinate system), usually "extended homogeneous twisted Edwards coordinates" (see Hişil's thesis [3], which is the explanation of all the different forms and group laws), into the affine point Q = (u,v) as it would lie on the Montgomery form of the curve: bv² = u³ + au² + u (2) where a = 486662 b = 1 The conversion is rather straighforward, as you can see from mine and Henry de Valence's code [4], but there's a problem in that the compressed form (i.e. "give me the serialised version that is just an array of 32 bytes") of points on the Montgomery curve are just the u-coordinate. You can use this u-coordinate to recover the v-coordinate, [5] and then use both u and v to recover the original Edwards x-coordinate, [6] but there's two possible x-coordinates, one positive and one negative. So, if you want to be able to use a key for both purposes, then, when using Montgomery form (e.g. an X25519 key a.k.a. a "curve25519 key") then you have to also pass around the sign of x. It's kind of icky. In this case, the "ntor-onion-key-crosscert" is an Ed25519 signature (so the public key is a point in twisted Edwards form) of the relay's public master identity key, computed using the "ntor-onion-key" (which is an X25519 key, so a point in Montgomery form). The verifier knows the "ntor-onion-key", but needs to know the sign of x in order to be able to convert it into the Edwards-form public key to check this signature. Following through the code tor is using, it appears that if "Bit" is "0", then x will be positive. If "Bit" is "1" then x will be negative. Tor's behaviour w.r.t. the sign bit (using either curve25519-donna [7] or ref10 [8]) appears to be identical to other implementations, namely Open Whispersystems' code [9] and curve25519-dalek. [10] It appears it isn't specified anywhere what the "Bit" is supposed to mean in terms of parsing the ntor-onion-cert into an Ed25519 key though. :( I made an attempt at specifying it better. [11] As for the question of why one would want to convert back and forth between the two… normally, you wouldn't want to do this. There's nothing concretely horribly wrong or insecure about it, but there are plenty of more theoretical concerns regarding any type of key reuse for different protocols, primarily because it removes any sense of domain separation, such that an attack on one protocol might be assisted by or contribute to attacking the other. With separate keys for separate purposes, you can breathe a lot easier knowing that if, e.g. your ECDH keys were compromised, that your signing key (being a totally different key) is (probably) unaffected. The only time where is does make sense to share a key between two protocols is what Nick's design for the cross-certifications, i.e.: a) Prove that you control the private part of an encryption key by converting it to a signing key, then signing the public master identity key, and b) Authenticate the signature by using the master identity key to sign the entire document (including the other signature). > Thanks for all the help, I hope that you are having a nice day and... > Happy Hacking. > > - Jake No worries! Thanks for the excellent questions and catching more bugs in our specs! [0]: https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt?id=ce09d266#n536 [1]: https://docs.rs/curve25519-dalek/0.10.0/curve25519_dalek/curve/index.html [2]: https://ellipticnews.wordpress.com/2016/05/30/complete-group-laws-for-prime… [3]: https://github.com/isislovecruft/library--/blob/master/cryptography%20%26%2… [4]: https://github.com/isislovecruft/curve25519-dalek/blob/f2883028d/src/curve.… [5]: https://github.com/isislovecruft/curve25519-dalek/blob/f2883028d/src/curve.… [6]: https://github.com/isislovecruft/curve25519-dalek/blob/f2883028d/src/curve.… [7]: https://gitweb.torproject.org/tor.git/tree/src/ext/ed25519/donna/ed25519_to… [8]: https://gitweb.torproject.org/tor.git/tree/src/ext/ed25519/ref10/keyconv.c?… [9]: https://github.com/WhisperSystems/curve25519-java/blob/master/android/jni/e… [10]: https://github.com/isislovecruft/curve25519-dalek/blob/f2883028d/src/curve.… [11]: https://gitweb.torproject.org/torspec.git/commit/?id=2395f34affbe97c19d7bb9… Best, -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://fyb.patternsinthevoid.net/isis.txt

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev August 2017