mirror of
https://github.com/torproject/torspec.git
synced 2024-12-14 14:10:02 +00:00
686 lines
28 KiB
Plaintext
686 lines
28 KiB
Plaintext
Filename: 220-ecc-id-keys.txt
|
|
Title: Migrate server identity keys to Ed25519
|
|
Authors: Nick Mathewson
|
|
Created: 12 August 2013
|
|
Implemented-In: 0.3.0.1-alpha
|
|
Status: Closed
|
|
|
|
[Note: This is a draft proposal; I've probably made some important
|
|
mistakes, and there are parts that need more thinking. I'm
|
|
publishing it now so that we can do the thinking together.]
|
|
|
|
(Sections 0-5 are currently implemented, except for section 2.3. Sections
|
|
6-8 are a work in progress, and may require revision.)
|
|
|
|
0. Introduction
|
|
|
|
In current Tor designs, router identity keys are limited to
|
|
1024-bit RSA keys.
|
|
|
|
Clearly, that should change, because RSA doesn't represent a good
|
|
performance-security tradeoff nowadays, and because 1024-bit RSA is
|
|
just plain too short.
|
|
|
|
We've already got an improved circuit extension handshake protocol
|
|
that uses curve25519 in place of RSA1024, and we're using (where
|
|
supported) P256 ECDHE in our TLS handshakes, but there are more uses
|
|
of RSA1024 to replace, including:
|
|
|
|
* Router identity keys
|
|
* TLS link keys
|
|
* Hidden service keys
|
|
|
|
This proposal describes how we'll migrate away from using 1024-bit
|
|
RSA in the first two, since they're tightly coupled. Hidden service
|
|
crypto changes will be complex, and will merit their own proposal.
|
|
|
|
In this proposal, we'll also (incidentally) be extirpating a number
|
|
of SHA1 usages.
|
|
|
|
1. Overview
|
|
|
|
When this proposal is implemented, every router will have an Ed25519
|
|
identity key in addition to its current RSA1024 public key.
|
|
|
|
Ed25519 (specifically, Ed25519-SHA-512 as described and specified at
|
|
http://ed25519.cr.yp.to/) is a desirable choice here: it's secure,
|
|
fast, has small keys and small signatures, is bulletproof in several
|
|
important ways, and supports fast batch verification. (It isn't quite
|
|
as fast as RSA1024 when it comes to public key operations, since RSA
|
|
gets to take advantage of small exponents when generating public
|
|
keys.)
|
|
|
|
(For reference: In Ed25519 public keys are 32 bytes long, private keys
|
|
are 64 bytes long, and signatures are 64 bytes long.)
|
|
|
|
To mirror the way that authority identity keys work, we'll fully
|
|
support keeping Ed25519 identity keys offline; they'll be used to
|
|
sign long-ish term signing keys, which in turn will do all of the
|
|
heavy lifting. A signing key will get used to sign the things that
|
|
RSA1024 identity keys currently sign.
|
|
|
|
1.1. 'Personalized' signatures
|
|
|
|
Each of the keys introduced here is used to sign more than one kind
|
|
of document. While these documents should be unambiguous, I'm going
|
|
to forward-proof the signatures by specifying each signature to be
|
|
generated, not on the document itself, but on the document prefixed
|
|
with some distinguishing string.
|
|
|
|
2. Certificates and Router descriptors.
|
|
|
|
2.1. Certificates
|
|
|
|
When generating a signing key, we also generate a certificate for it.
|
|
Unlike the certificates for authorities' signing keys, these
|
|
certificates need to be sent around frequently, in significant
|
|
numbers. So we'll choose a compact representation.
|
|
|
|
VERSION [1 Byte]
|
|
CERT_TYPE [1 Byte]
|
|
EXPIRATION_DATE [4 Bytes]
|
|
CERT_KEY_TYPE [1 byte]
|
|
CERTIFIED_KEY [32 Bytes]
|
|
N_EXTENSIONS [1 byte]
|
|
EXTENSIONS [N_EXTENSIONS times]
|
|
SIGNATURE [64 Bytes]
|
|
|
|
The "VERSION" field holds the value [01]. The "CERT_TYPE" field
|
|
holds a value depending on the type of certificate. (See appendix
|
|
A.1.) The CERTIFIED_KEY field is an Ed25519 public key if
|
|
CERT_KEY_TYPE is [01], or a SHA256 hash of some other key type
|
|
depending on the value of CERT_KEY_TYPE. The EXPIRATION_DATE is a
|
|
date, given in HOURS since the epoch, after which this
|
|
certificate isn't valid. (A four-byte field here will work fine
|
|
until 10136 A.D.)
|
|
|
|
The EXTENSIONS field contains zero or more extensions, each of
|
|
the format:
|
|
|
|
ExtLength [2 bytes]
|
|
ExtType [1 byte]
|
|
ExtFlags [1 byte]
|
|
ExtData [Length bytes]
|
|
|
|
The meaning of the ExtData field in an extension is type-dependent.
|
|
|
|
The ExtFlags field holds flags; this flag is currently defined:
|
|
|
|
1 -- AFFECTS_VALIDATION. If this flag is present, then the
|
|
extension affects whether the certificate is valid; clients
|
|
must not accept the certificate as valid unless they
|
|
understand the extension.
|
|
|
|
It is an error for an extension to be truncated; such a
|
|
certificate is invalid.
|
|
|
|
Before processing any certificate, parties MUST know which
|
|
identity key it is supposed to be signed by, and then check the
|
|
signature. The signature is formed by signing the first N-64
|
|
bytes of the certificate prefixed with the string "Tor node
|
|
signing key certificate v1".
|
|
|
|
2.2. Basic extensions
|
|
|
|
2.2.1. Signed-with-ed25519-key extension [type 04]
|
|
|
|
In several places, it's desirable to bundle the key signing a
|
|
certificate along with the certificate. We do so with this
|
|
extension.
|
|
|
|
ExtLength = 32
|
|
ExtData =
|
|
An ed25519 key [32 bytes]
|
|
|
|
When this extension is present, it MUST match the key used to
|
|
sign the certificate.
|
|
|
|
2.3. Revoking keys.
|
|
|
|
We also specify a revocation document for revoking a signing key or an
|
|
identity key. Its format is:
|
|
FIXED_PREFIX [8 Bytes]
|
|
VERSION [1 Byte]
|
|
KEYTYPE [1 Byte]
|
|
IDENTITY_KEY [32 Bytes]
|
|
REVOKED_KEY [32 Bytes]
|
|
PUBLISHED [8 Bytes]
|
|
N_EXTENSIONS [1 Byte]
|
|
N_EXTENSIONS_TIMES:
|
|
EXTENSIONS [N_EXTENSIONS times]
|
|
SIGNATURE [64 Bytes]
|
|
|
|
FIXED_PREFIX is "REVOKEID" or "REVOKESK". VERSION is [01]. KEYTYPE is
|
|
[01] for revoking a signing key, [02] for revoking an identity key,
|
|
or [03] for revoking an RSA identity key.
|
|
REVOKED_KEY is the key being revoked or a SHA256 hash of the key if
|
|
it is an RSA identity key; IDENTITY_KEY is the node's
|
|
Ed25519 identity key. PUBLISHED is the time that the document was
|
|
generated, in seconds since the epoch. REV_EXTENSIONS is left for a
|
|
future version of this document. The SIGNATURE is generated with
|
|
the same key as in IDENTITY_KEY, and covers the entire revocation,
|
|
prefixed with "Tor key revocation v1".
|
|
|
|
Using these revocation documents is left for a later specification.
|
|
|
|
2.4. Managing keys
|
|
|
|
By default, we can keep the easy-to-setup key management properties
|
|
that Tor has now, so that node operators aren't required to have
|
|
offline public keys:
|
|
|
|
* When a Tor node starts up with no Ed25519 identity keys, it
|
|
generates a new identity keypair.
|
|
* When a Tor node has an Ed25519 identity keypair, and it has
|
|
no signing key, or its signing key is going to expire within
|
|
the next 48 hours, it generates a new signing key to last
|
|
30 days.
|
|
|
|
But we also support offline identity keys:
|
|
|
|
* When a Tor node starts with an Ed25519 public identity key
|
|
but no private identity key, it checks whether it has
|
|
a currently valid certified signing keypair. If it does,
|
|
it starts. Otherwise, it refuses to start.
|
|
* If a Tor node's signing key is going to expire soon, it starts
|
|
warning the user. If it is expired, then the node shuts down.
|
|
|
|
2.5. Router descriptors
|
|
|
|
We specify the following element that may appear at most once in
|
|
each router descriptor:
|
|
"identity-ed25519" NL "-----BEGIN ED25519 CERT-----" NL certificate
|
|
"-----END ED25519 CERT-----" NL
|
|
|
|
The certificate is base64-encoded with
|
|
terminating =s removed. When this element is present, it MUST appear
|
|
as the first or second element in the router descriptor.
|
|
[XXX The rationale here is to allow extracting the identity key and
|
|
signing key and checking the signature before fully parsing the rest
|
|
of the document. -NM]
|
|
|
|
The certificate has CERT_TYPE of [04]. It must include a
|
|
signed-with-ed25519-key extension (see section 2.2.1), so that we
|
|
can extract the identity key.
|
|
|
|
When an identity-ed25519 element is present, there must also be a
|
|
"router-sig-ed25519" element. It MUST be the next-to-last element in
|
|
the descriptor, appearing immediately before the RSA signature. (In
|
|
future versions of the descriptor format that do not require an RSA
|
|
identity key, it MUST be last.) It MUST contain an ed25519 signature
|
|
of a SHA256 digest of the entire document, from the first character
|
|
up to and including the first space after the "router-sig-ed25519"
|
|
string, prefixed
|
|
with the string "Tor router descriptor signature v1". Its format is:
|
|
|
|
"router-sig-ed25519" SP signature NL
|
|
|
|
Where 'signature' is encoded in base64 with terminating =s removed.
|
|
|
|
The signing key in the certificate MUST
|
|
be the one used to sign the document.
|
|
|
|
Note that these keys cross-certify as follows: the ed25519 identity
|
|
key signs the ed25519 signing key in the certificate. The ed25519
|
|
signing key signs itself and the ed25519 identity key and the RSA
|
|
identity key as part of signing the descriptor. And the RSA identity
|
|
key also signs all three keys as part of signing the descriptor.
|
|
|
|
|
|
When an ed25519 signature is present, there MAY be a "master-key-ed25519"
|
|
element containing the base64 encoded ed25519 master key as a single
|
|
argument. If it is present, it MUST match the identity key in
|
|
the certificate.
|
|
|
|
2.5.1. Checking descriptor signatures.
|
|
|
|
Current versions of Tor will handle these new formats by ignoring the
|
|
new fields, and not checking any ed25519 information.
|
|
|
|
New versions of Tor will have a flag that tells them whether to check
|
|
ed25519 information. When it is set, they must check:
|
|
|
|
* All RSA information and signatures that Tor implementations
|
|
currently check.
|
|
* If the identity-ed25519 line is present, it must be well-formed,
|
|
and the certificate must be well-formed and correctly signed,
|
|
and there must be a valid router-signature-ed25519 signature.
|
|
* If we require an ed25519 key for this node (see 3.1 below), the
|
|
ed25519 key must be present.
|
|
|
|
Authorities and directory caches will have this flag always-on. For
|
|
clients, it will be controlled by a torrc option and consensus
|
|
option, to be set to "always-on" in the future once enough clients
|
|
support it.
|
|
|
|
2.5.2. Extra-info documents
|
|
|
|
Extra-info documents now include "identity-ed25519" and
|
|
"router-signature-ed25519" fields in the same positions in which they
|
|
appear in router descriptors.
|
|
|
|
Additionally, we add the base64-encoded, =-stripped SHA256 digest of
|
|
a node's extra-info document field to the extra-info-digest line in
|
|
the router descriptor. (All versions of Tor that recognize this line
|
|
allow an extra field there.)
|
|
|
|
2.5.3. A note on signature verification
|
|
|
|
Here and elsewhere, we're receiving a certificate and a document
|
|
signed with the key certified by that certificate in the same step.
|
|
This is a fine time to use the batch signature checking capability of
|
|
Ed25519, so that we can check both signatures at once without (much)
|
|
additional overhead over checking a single signature.
|
|
|
|
3. Consensus documents and authority operation
|
|
|
|
3.1. Handling router identity at the authority
|
|
|
|
When receiving router descriptors, authorities must track mappings
|
|
between RSA and Ed25519 keys.
|
|
|
|
Rule 1: Once an authority has seen an Ed25519 identity key and an RSA
|
|
identity key together on the same (valid) descriptor, it should no
|
|
longer accept any descriptor signed by that RSA key with a different
|
|
Ed25519 key, or that Ed25519 key with a different RSA key.
|
|
|
|
Rule 2: Once an authority has seen an Ed25519 identity key and an RSA
|
|
identity key on the same descriptor, it should no longer accept any
|
|
descriptor signed by that RSA key unless it also has that Ed25519
|
|
key.
|
|
|
|
|
|
These rules together should enforce the property that, even if an
|
|
attacker manages to steal or factor a node's RSA identity key, the
|
|
attacker can't impersonate that node to the authorities, even when
|
|
that node is identified by its RSA key.
|
|
|
|
|
|
Enforcement of Rule 1 should be advisory-only for a little while (a
|
|
release or two) while node operators get experience having Ed25519
|
|
keys, in case there are any bugs that cause or force identity key
|
|
replacement. Enforcement of Rule 2 should be advisory-only for
|
|
little while, so that node operators can try 0.2.5 but downgrade to
|
|
0.2.4 without being de-listed from the consensus.
|
|
|
|
|
|
3.2. Formats
|
|
|
|
Vote and microdescriptor documents now contain an optional "id"
|
|
field for each routerstatus section. Its format is:
|
|
|
|
"id" SP "ed25519" SP ed25519-identity NL
|
|
|
|
where ed25519-identity is base64-encoded, with trailing = characters
|
|
omitted. In vote documents, it may be replaced by the format:
|
|
|
|
"id" SP "ed25519" SP "none" NL
|
|
|
|
which indicates that the node does not have an ed25519 identity. (In
|
|
a microdescriptor, a lack of "id" line means that the node has no ed25519
|
|
identity.)
|
|
|
|
A vote or consensus document is ill-formed if it includes the same
|
|
ed25519 identity key twice.
|
|
|
|
A vote listing ed25519 identities must also include a new entry in its
|
|
"r" lines, containing a base64-encoded SHA256 digest of the entire
|
|
descriptor (including signature). This kills off another place where
|
|
we rely on sha1. The format for 'r' lines is now:
|
|
|
|
"r" SP nickname SP identity SP digest SP publication SP IP SP ORPort
|
|
SP DirPort [ SP digest-sha256 ] NL
|
|
|
|
3.3. Generating votes
|
|
|
|
An authority should pick which descriptor to choose for a node as
|
|
before, and include the ed25519 identity key for the descriptor if
|
|
it's present.
|
|
|
|
As a transition, before Rule 1 and Rule 2 in 3.1 are fully enforced,
|
|
authorities need a way to deal with the possibility that there might
|
|
be two nodes with the same ed25519 key but different RSA keys. In
|
|
that case, it votes for the one with the most recent publication
|
|
date.
|
|
|
|
(The existing rules already prevent an authority from voting for two
|
|
servers with the same RSA identity key.)
|
|
|
|
3.4. Generating a consensus from votes
|
|
|
|
This proposal requires a new consensus vote method. When we deploy
|
|
it, we'll pick the next available vote method in sequence to use for
|
|
this.
|
|
|
|
When the new consensus method is in use, we must choose nodes first by ECC
|
|
key, then by RSA key. [This procedure is analogous to the current one,
|
|
except that it is aware of multiple kinds of keys.]
|
|
|
|
3.4.1. Notation for voting
|
|
|
|
We have a set of votes. Each contains either 'old tuples' or 'new tuples'.
|
|
|
|
Old tuples are:
|
|
<id-RSA, descriptor-digest, published, nickname, IP, ports>
|
|
|
|
New tuples are:
|
|
<id-Ed, id-RSA, descriptor-digest, dd256, published, nickname, IP, ports>
|
|
|
|
|
|
3.4.2. Validating votes
|
|
|
|
It is an error for a vote to have the same id-RSA or the same id-Ed listed
|
|
twice. Throw it away if it does.
|
|
|
|
3.4.3. Decide which ids to include.
|
|
|
|
For each <id-Ed, id-RSA> that is listed by more than half of the total
|
|
authorities (not just total votes), include it. (No other <id-Ed, id-RSA'>
|
|
can have as many votes.)
|
|
|
|
Log any other id-RSA values corresponding to an id-Ed we included, and any
|
|
other id-Ed values corresponding to an id-RSA we included.
|
|
|
|
For each <id-RSA> that is not yet included, if it is listed by more than
|
|
half of the total authorities, and we do not already have it listed with
|
|
some <id-Ed>, include it without an id-Ed.
|
|
|
|
3.4.4. Decide which descriptors to include.
|
|
|
|
A tuple belongs to an <id-RSA, id-Ed> identity if it is a new tuple that
|
|
matches both ID parts, or if it is an old tuple that matches the RSA part.
|
|
A tuple belongs to an <id-RSA> identity if its RSA identity matches.
|
|
|
|
A tuple matches another tuple if all the fields that are present in both
|
|
tuples are the same.
|
|
|
|
For every included identity, consider the tuples belonging to that
|
|
identity. Group them into sets of matching tuples. Include the tuple
|
|
that matches the largest set, breaking ties in favor of the most recently
|
|
published, and then in favor of the smaller server descriptor digest.
|
|
|
|
4. The link protocol
|
|
|
|
4.1. Overview of the status quo
|
|
|
|
This section won't make much sense unless you grok the v3
|
|
link protocol as described in tor-spec.txt, first proposed in
|
|
proposal 195. So let's review.
|
|
|
|
In the v3 link protocol, the client completes a TLS handshake
|
|
with the server, in which the server uses an arbitrary
|
|
certificate signed with an RSA key. The client then sends a
|
|
VERSIONS cell. The server replies with a VERSIONS cell to
|
|
negotiate version 3 or higher. The server also sends a CERTS
|
|
cell and an AUTH_CHALLENGE cell and a NETINFO cell.
|
|
|
|
The CERTS cell from the server contains a set of one or more
|
|
certificates that authenticate the RSA key used in the TLS
|
|
handshake. (Right now there's one self-signed RSA identity key
|
|
certificate, and one certificate signing the RSA link key with
|
|
the identity key. These certificates are X509.)
|
|
|
|
Having received a CERTS cell, the client has enough information
|
|
to authenticate the server. At this point, the client may send a
|
|
NETINFO cell to finish the handshake. But if the client wants to
|
|
authenticate as well, it can send a CERTS cell and an AUTENTICATE
|
|
cell.
|
|
|
|
The client's CERTS cell also contains certs of the same general
|
|
kinds as the server's key file: a self-signed identity
|
|
certificate, and an authentication certificate signed with the
|
|
identity key. The AUTHENTICATE cell contains a signature of
|
|
various fields, including the contents of the AUTH_CHALLENGE
|
|
which the server sent, using the client's authentication
|
|
key. These cells allow the client to authenticate to the server.
|
|
|
|
|
|
4.2. Link protocol changes for ECC ID keys
|
|
|
|
We add four new CertType values for use in CERTS cells:
|
|
4: Ed25519 signing key
|
|
5: Link key certificate certified by Ed25519 signing key
|
|
6: Ed25519 TLS authentication key certified by Ed25519 signing key
|
|
7: RSA cross-certificate for Ed25519 identity key
|
|
These correspond to types used in the CERT_TYPE field of
|
|
the certificates.
|
|
|
|
The content of certificate type [04] (Ed25519 signing key)
|
|
is as in section 2.5 above, containing an identity key and the
|
|
signing key, both signed by the identity key.
|
|
|
|
Certificate type [05] (Link certificate signed with Ed25519
|
|
signing key) contains a SHA256 digest of the X.509 link
|
|
certificate used on the TLS connection in its key field; it is
|
|
signed with the signing key.
|
|
|
|
Certificate type [06] (Ed25519 TLS authentication signed with
|
|
Ed25519 signing key) has the signing key used to sign the
|
|
AUTHENTICATE cell described later in this section.
|
|
|
|
Certificate type [07] (Cross-certification of Ed25519 identity
|
|
with RSA key) contains the following data:
|
|
ED25519_KEY [32 bytes]
|
|
EXPIRATION_DATE [4 bytes]
|
|
SIGLEN [1 byte]
|
|
SIGNATURE [SIGLEN bytes]
|
|
Here, the Ed25519 identity key is signed with router's RSA
|
|
identity key, to indicate that authenticating with a key
|
|
certified by the Ed25519 key counts as certifying with RSA
|
|
identity key. (The signature is computed on the SHA256 hash of
|
|
the non-signature parts of the certificate, prefixed with the
|
|
string "Tor TLS RSA/Ed25519 cross-certificate".)
|
|
|
|
(There's no reason to have a corresponding Ed25519-signed-RSA-key
|
|
certificate here, since we do not treat authenticating with an RSA
|
|
key as proving ownership of the Ed25519 identity.)
|
|
|
|
Relays with Ed25519 keys should always send these certificate types
|
|
in addition to their other certificate types.
|
|
|
|
Non-bridge relays with Ed25519 keys should generate TLS link keys of
|
|
appropriate strength, so that the certificate chain from the Ed25519
|
|
key to the link key is strong enough.
|
|
|
|
|
|
We add a new authentication type for AUTHENTICATE cells:
|
|
"Ed25519-TLSSecret", with AuthType value 2. Its format is the same as
|
|
"RSA-SHA256-TLSSecret", except that the CID and SID fields support
|
|
more key types; some strings are different, and the signature is
|
|
performed with Ed25519 using the authentication key from a type-6
|
|
cert. Clients can send this AUTHENTICATE type if the server
|
|
lists it in its AUTH_CHALLENGE cell.
|
|
|
|
Modified values and new fields below are marked with asterisks.
|
|
|
|
TYPE: The characters "AUTH0002"* [8 octets]
|
|
CID: A SHA256 hash of the initiator's RSA1024 identity key [32 octets]
|
|
SID: A SHA256 hash of the responder's RSA1024 identity key [32 octets]
|
|
*CID_ED: The initiator's Ed25519 identity key [32 octets]
|
|
*SID_ED: The responder's Ed25519 identity key, or all-zero. [32 octets]
|
|
SLOG: A SHA256 hash of all bytes sent from the responder to the
|
|
initiator as part of the negotiation up to and including the
|
|
AUTH_CHALLENGE cell; that is, the VERSIONS cell, the CERTS cell,
|
|
the AUTH_CHALLENGE cell, and any padding cells. [32 octets]
|
|
CLOG: A SHA256 hash of all bytes sent from the initiator to the
|
|
responder as part of the negotiation so far; that is, the
|
|
VERSIONS cell and the CERTS cell and any padding cells. [32
|
|
octets]
|
|
SCERT: A SHA256 hash of the responder's TLS link certificate. [32
|
|
octets]
|
|
TLSSECRETS: A SHA256 HMAC, using the TLS master secret as the
|
|
secret key, of the following:
|
|
- client_random, as sent in the TLS Client Hello
|
|
- server_random, as sent in the TLS Server Hello
|
|
- the NUL terminated ASCII string:
|
|
"Tor V3 handshake TLS cross-certification with Ed25519"*
|
|
[32 octets]
|
|
RAND: A 24 byte value, randomly chosen by the initiator. [24 octets]
|
|
*SIG: A signature of all previous fields using the initiator's
|
|
Ed25519 authentication flags.
|
|
[variable length]
|
|
|
|
If you've got a consensus that lists an ECC key for a node, but the
|
|
node doesn't give you an ECC key, then refuse this connection.
|
|
|
|
5. The extend protocol
|
|
|
|
We add a new NSPEC node specifier for use in EXTEND2 cells, with
|
|
LSTYPE value [03]. Its length must be 32 bytes; its content is the
|
|
Ed25519 identity key of the target node.
|
|
|
|
Clients should use this type only when:
|
|
* They know an Ed25519 identity key for the destination node.
|
|
* The source node supports EXTEND2 cells
|
|
* A torrc option is set, _or_ a consensus value is set.
|
|
|
|
We'll leave the consensus value off for a while until more clients
|
|
support this, and then turn it on.
|
|
|
|
When picking a channel for a circuit, if this NSPEC value is
|
|
provided, then the RSA identity *and* the Ed25519 identity must
|
|
match.
|
|
|
|
If we have a channel with a given Ed25519 ID and RSA identity, and we
|
|
have a request for that Ed25519 ID and a different RSA identity, we
|
|
do not attempt to make another connection: we just fail and DESTROY
|
|
the circuit.
|
|
|
|
If we receive an EXTEND or EXTEND2 request for a node listed in the
|
|
consensus, but that EXTEND/EXTEND2 request does not include an
|
|
Ed25519 identity key, the node SHOULD treat the connection as failed
|
|
if the Ed25519 identity key it receives does not match the one in the
|
|
consensus.
|
|
|
|
For testing, clients may have the ability to configure whether to
|
|
include Ed25519 identities in EXTEND2 cells. By default, this should
|
|
be governed by the boolean "ExtendByEd25519ID" consensus parameter,
|
|
with default value '0'.
|
|
|
|
6. Naming nodes in the interface
|
|
|
|
Anywhere in the interface that takes an $identity should be able to
|
|
take an ECC identity too. ECC identities are case-sensitive base64
|
|
encodings of Ed25519 identity keys. You can use $ to indicate them as
|
|
well; we distinguish RSA identity digests by length.
|
|
|
|
When we need to indicate an Ed25519 identity key in a hostname
|
|
format (as in a .exit address), we use the lowercased version of the
|
|
name, and perform a case-insensitive match. (This loses us a little
|
|
less than one bit per byte of name, leaving plenty of bits to make
|
|
sure we choose the right node.)
|
|
|
|
Nodes must not list Ed25519 identities in their family lines; clients and
|
|
authorities must not honor them there. (Doing so would make different
|
|
clients change paths differently in a possibly manipulatable way.)
|
|
|
|
Clients shouldn't accept .exit addresses with Ed25519 names on SOCKS
|
|
or DNS ports by default, even when AllowDotExit is set. We can add
|
|
another option for them later if there's a good reason to have this.
|
|
|
|
We need an identity-to-node map for ECC identity and for RSA
|
|
identity.
|
|
|
|
The controller interface will need to accept and report Ed25519
|
|
identity keys as well as (or instead of) RSA identity keys. That's a
|
|
separate proposal, though.
|
|
|
|
7. Hidden service changes out of scope
|
|
|
|
Hidden services need to be able to identify nodes by ECC keys, just as
|
|
they will need to include ntor keys as well as TAP keys. Not just
|
|
yet though. This needs to be part of a bigger hidden service
|
|
revamping strategy.
|
|
|
|
8. Proposed migration steps
|
|
|
|
Once a few versions have shipped with Ed25519 key support, turn on
|
|
"Rule 1" on the authorities. (Don't allow an Ed25519<->RSA pairing
|
|
to change.)
|
|
|
|
Once the release with these changes is in beta or rc, turn on the
|
|
consensus option for everyone who receives descriptors with
|
|
Ed25519 identity keys to check them.
|
|
|
|
Once the release with these changes is in beta or rc, turn on the
|
|
consensus option for clients to generate EXTEND2 requests with
|
|
Ed25519 identity keys.
|
|
|
|
Once the release with these changes has been stable for a month
|
|
or two, turn on "Rule 2" on authorities. (Don't allow nodes that
|
|
have advertised an Ed25519 key to stop.)
|
|
|
|
9. Future proposals
|
|
|
|
* Ed25519 identity support on the controller interface
|
|
* Supporting nodes without RSA keys
|
|
* Remove support for nodes without Ed25519 keys
|
|
* Ed25519 support for hidden services
|
|
* Bridge identity support.
|
|
* Ed25519-aware family support
|
|
|
|
A.1. List of certificate types
|
|
|
|
The values marked with asterisks are not types corresponding to
|
|
the certificate format of section 2.1. Instead, they are
|
|
reserved for RSA-signed certificates to avoid conflicts between
|
|
the certificate type enumeration of the CERTS cell and the
|
|
certificate type enumeration of in our Ed25519 certificates.
|
|
|
|
|
|
**[00],[01],[02],[03] - Reserved to avoid conflict with types used
|
|
in CERTS cells.
|
|
|
|
[04] - signing a signing key with an identity key (Section 2.5)
|
|
|
|
[05] - TLS link certificate signed with ed25519 signing key
|
|
(Section 4.2)
|
|
|
|
[06] - Ed25519 authentication key signed with ed25519 signing key
|
|
(Section 4.2)
|
|
|
|
**[07] - reserved for RSA identity cross-certification (Section 4.2)
|
|
|
|
|
|
A.2. List of extension types
|
|
|
|
|
|
[01] - signed-with-ed25519-key (section 2.2.1)
|
|
|
|
A.3. List of signature prefixes
|
|
|
|
We describe various documents as being signed with a prefix. Here
|
|
are those prefixes:
|
|
|
|
"Tor router descriptor signature v1" (section 2.5)
|
|
"Tor node signing key certificate v1" (section 2.1)
|
|
|
|
A.4. List of certified key types
|
|
|
|
[01] ed25519 key
|
|
[02] SHA256 hash of an RSA key
|
|
[03] SHA256 hash of an X.509 certificate
|
|
|
|
A.5. Reserved numbers
|
|
|
|
We need a new consensus algorithm number to encompass checking
|
|
ed25519 keys and putting them in microdescriptors.
|
|
|
|
|
|
We need new CertType values for use in CERTS cells. We reserved
|
|
in section 4.2.
|
|
|
|
4: Ed25519 signing key
|
|
5: Link key certificate certified by Ed25519 signing key
|
|
6: TLS authentication key certified by Ed25519 signing key
|
|
7: RSA cross-certificate for Ed25519 identity key
|
|
|
|
|
|
A.6. Related changes
|
|
|
|
As we merge this, proposal, we should also extend link key size to
|
|
2048 bits, and use SHA256 as the x509 cert algorithm for our link
|
|
keys. This will improve link security, and deliver better
|
|
fingerprinting resistence. See proposal 179 for an older discussion
|
|
of this issue.
|