Filename: 187-allow-client-auth.txt Title: Reserve a cell type to allow client authorization Author: Nick Mathewson Created: 16-Oct-2011 Status: Open Target: 0.2.3.x
Overview:
Proposals 176 and 184 introduce a new "v3" handshake, coupled with a new version 3 link protocol. This is a good time to introduce other stuff we might need.
One thing we might want is a scanning resistance feature for bridges. This proposal suggests a change we should make right away to enable us to deploy such a feature in future versions of Tor.
Motivation:
If an adversary has a suspected bridge address/port combination, the easiest way for them to confirm or disconfirm their suspicion is to connect to the address and see whether they can do a Tor handshake. The easiest way to fix this problem seems to be to give out bridge addresses along with some secret that clients should know, but which an adversary shouldn't be able to learn easily. The client should prove to the bridge that it's authorized to know about the bridge, before the bridge acts like a bridge. If the client doesn't show knowledge of the proper secret, the bridge should at like an HTTPS server or a bittorrent tracker or something.
This proposal *does not* specify a way for clients to authorize themselves at bridges; rather, it specifies changes that we should make now in order to allow this kind of authorization in the future.
Design:
Currently, now that proposal 176 is implemented, if a server provides a certificate that indicates a v3 handshake, and the client understands how to do a V3 handshake, we specify that the client's first cell must be a VERSIONS cell.
Instead, we make the following specification changes:
We reserve a new variable-length cell type, "AUTHORIZE."
We specify that any number of PADDING or VPADDING or AUTHORIZE cells may be sent by the client before it sends a VERSIONS cell. Servers that do not require client authorization MUST ignore such cells, except to include them when calculating the HMAC that will appear in the CLOG part of a client's AUTHENTICATE cell.
We still specify that clients SHOULD send VERSIONS as their first cell; only in some future version of Tor will an AUTHORIZE cell be sent first.
Discussion:
This change allows future versions of the Tor client to know that some bridges need authorization, and to send them authentication before sending them anything recognizably Tor-like.
The authorization cell needs to be received before the server can send any Tor cells, so we can't just patch it in after the VERSIONS cell exchange: the server's VERSIONS cell is unsendable until after the AUTHORIZE has been accepted.
Note that to avoid scanning attacks, it's not sufficient to wait for a single cell, and then either handle it as authorization or reject the connection. Instead, we need to decide what kind of server we're impersonating, and respond once the client has provided *either* an authorization cell, *or* a recognizably valid or invalid command in the impersonated protocol.
Alternative design: Just use pluggable transports
Pluggable transports can do this too, but in general, we want to avoid designing the Tor protocol so that any particular desirable feature can only be done with a pluggable transport. That is, any feature that *every* bridge should want, should be doable in Tor proper.
Also, as of 16 Oct 2011, pluggable transports aren't in general use. Past experience IMO suggests that we shouldn't offload architectural responsibilities to our chickens until they've hatched.
Alternative design: Out-of-TLS authorization
There are features (like port-knocking) designed to allow a client to show that it's authorized to use a bridge before the TLS handshake even happens. These are appropriate for bunches of applications, but they're trickier with an adversary who is MITMing the client.
Alternative design: Just use padding.
Arguably, we could only add the "VPADDING" cell type to the list of those allowed before VERSIONS cells, and say that any client authorization we specify later on will be sent as a VPADDING cell. But that design is kludgy: padding should be padding, not semantically significant. Besides, cell types are still fairly plentiful.
Counterargument: specify it later
We could, later on, say that if a client learns that a bridge needs authorization, it should send an AUTHORIZE cell. So long as a client never sends an AUTHORIZE to anything other than a bridge that needs authorization, it'll never violate the spec.
But all things considered, it seems easier (just a few lines of spec and code) to let bridges eat unexpected authorization now than it does to have stuff fail later when clients think that a bridge needs authorization but it doesn't.
Counterargument: it's too late!
We've already got the prop176 branch merged and running on a few servers. But as of this writing, it isn't in any Tor version.
Even if it *is* out in an alpha before we can get this proposal accepted and implemented, that's not a big disaster. In the worst case, where future clients don't know whom to send authorization to so they need to send it to _all_ v3 servers, they will at worst break their connections only to a couple of alpha versions which one hopes by then will be long-deprecated already.
On Wed, Oct 19, 2011 at 08:08:12PM -0400, Nick Mathewson wrote:
We reserve a new variable-length cell type, "AUTHORIZE."
We specify that any number of PADDING or VPADDING or AUTHORIZE cells may be sent by the client before it sends a VERSIONS cell. Servers that do not require client authorization MUST ignore such cells, except to include them when calculating the HMAC that will appear in the CLOG part of a client's AUTHENTICATE cell.
We still specify that clients SHOULD send VERSIONS as their first cell; only in some future version of Tor will an AUTHORIZE cell be sent first.
Sounds good to me. Feel free.
Thanks, --Roger
I like the proposal; what I think we now have to figure out, is what kind and how much of 'scanning resistance' to put into the tor binary.
If we assume that tor must act as something innocuous in the case of a false AUTHORIZE, we have to find out how much of that innocuous behavior should be implemented into tor. We probably want to avoid putting megabytes of innocuous-looking HTML pages or implement a bittorrent tracker into tor. Not only because the implementation will make the tor codebase even more bloated, but also because we would have to ship a new tor every time the censors manage to block an obfuscation.
What I think is saner - at least for the short term future - is find a couple of web services (not necessarily HTTP(S)) whose interface is easy to implement and have bridges stick to one of them at random, for as long as they stay on an IP address.
Some examples of such interfaces:
* A "HTTP server" whose index page is protected by HTTP basic access authentication. It's easy to code (a couple of HTTP headers and some HTML), with a small distinguishing surface and it also defends the fact that the same "web server" serves lots of data to other clients (read: the actual bridge users).
* A "HTTP server" whose index page is an Apache "It Works!". It serves 404s to any HTTP request.
* An "FTPS server" which asks for a username/password and obviously accepts none.
* An "SSH server" which asks for a username/password and obviously accepts none.
Then we can also add a torrc option, say "ScanningResistanceServicePort", that takes a local port as an argument and pipes all the input of the attacker (the person who failed the AUTHORIZE) to that port. In that port the user should have configured an actual web service which will handle that input.
In the future we can also code a project that pretends to be different web services for the sake of sitting behind "ScanningResistanceServicePort". That way we don't polute the tor codebase and we can also use high level programming languages.
-
George Kadianakis -
Nick Mathewson -
Roger Dingledine