Network and cybersecurity: What is a 'Hidden Service'? Part 2
Application anonymity, network authentication, and exposure elimination are three characteristics intimately linked to the principle of hidden services. In the previous article: What is a 'Hidden Service'? Part 1, we highlighted these three aspects of the mechanism, but they are not alone in bringing interesting properties in terms of network security. In this new article, we found it interesting to highlight four other characteristics, much less known than the first ones, yet providing a real defensive added value.
Hidden Services
Even though anonymity is the first characteristic (sometimes the only one!) that comes to mind when discussing the principle of hidden services, it is not the only one. Moreover, according to Chimere, it is even the least interesting. So, what about the others?
Micro-Segmentation
In Part 1 of the article, we mentioned that a hidden service is no longer accessible via client software through an IP address and port, but through a cryptographic key that identifies it within the network. This key strictly designates the application, not the machine or network zone it is in. In other words, knowledge of the cryptographic key only allows access to the service and nothing else. Unlike 'classic' networks and services, which require the association of firewalls or other solutions to segment networks, hidden services are inherently isolated from all other resources of the network. It is not possible to reach a hidden service from an external resource without knowledge of the associated cryptographic element.
This fundamental characteristic makes the mechanism of hidden services an interesting method for providing access to sensitive or secret applications to a designated population of users without providing complete access to the network or a subnet, as is usually the case with a VPN.
Thus, this micro-segmentation resonates particularly with companies that provide access to some of their applications to external providers but do not want to grant VPN access, which they consider "too broad" and too dangerous for network integrity.
No trusted third-party
Most Zero-Trust Network Access solutions on the market are heavily inspired by the mechanism of hidden services. However, they generally use only a few of the proposed characteristics. One of the properties usually discarded is this: not having to trust the intermediary. Hidden services and ZTNA solutions share the same technical reality: they both rely on a network provided by a third party to function. This network, overlaid on the internet, connects users and published applications. However, in most cases, the service administrator and the user need to trust the intermediary network and its operator. The latter is often able to access published services without knowledge of their cryptographic keys (sometimes, ZTNA providers do not even rely on cryptographic mechanisms for the connection negotiation between users and services).
In the state of the art of hidden service mechanisms, it is possible not to trust this intermediary. This is indeed the case with the Tor network: as the network is community-driven, malicious operators can run machines within it and attempt attacks against users or services. When designing it, the solution had to be able to withstand such an internal threat, and that is the case today. Thus, such an implementation of hidden services brings the following characteristics:
- It is not possible for the network operator to eavesdrop on conversations between users and applications. This characteristic is provided by "classic" end-to-end encryption mechanisms.
- It is not possible for the network operator to access the published services. This characteristic is provided by the network authentication principle described in Part 1.
- As the network is community-driven, availability is ensured by the concept of "distributed trust." If an operator becomes unavailable, services are automatically republished on the remaining valid part of the network. The same applies to users trying to access services: connections are automatically re-established using operational machines.
Security through movement
The last characteristic from the previous point leads us to this interesting property: the "position" of a hidden service within the network is ultimately determined by its cryptographic key, making it easy to consider "moving" a service by rotating this key. Also, even with a static cryptographic key, services can become available at one location at time T, then elsewhere at time T+1. This is a mechanism found within the Tor implementation, which combines the cryptographic key of each service with an element calculated by the network that changes at regular intervals. The value thus obtained is used to store connection negotiation information in a hash table distributed over the network. The next moment, the service becomes available elsewhere and stores its new contact information in another location. This security through movement makes applications elusive and effectively counters internal threats within the intermediary network as well as denial-of-service attacks against applications.
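The following is an added illustration of the "movement" described above, written for this article and not taken from Tor or from Chimere's code. It is a simplified model: the period-specific identifier is a keyed hash of the service key over the current time period and a constructed network-wide random value (real Tor uses Ed25519 key blinding instead), and the directory is a constructed ring of eight hypothetical node identifiers looked up by consistent hashing. The period length, node labels and sample values are all assumptions.

```python
import hashlib
import hmac
from bisect import bisect_right

# Constructed directory ring: identifiers of the nodes that store descriptors.
# In Tor these would be the HSDir relays; here they are hypothetical labels.
NODE_IDS = sorted(hashlib.sha256(f"dir-node-{i}".encode()).digest() for i in range(8))

PERIOD_SECONDS = 24 * 3600  # length of one rotation period (assumption)


def time_period(unix_time: int) -> int:
    """Index of the rotation period that contains unix_time."""
    return unix_time // PERIOD_SECONDS


def blinded_id(service_pubkey: bytes, period: int, shared_random: bytes) -> bytes:
    """Period-specific identifier derived from the service key (simplified model).

    Anyone holding the service's public key can recompute it for the current
    period, but the directory node storing the descriptor cannot invert it to
    learn which service it belongs to. Tor derives this with Ed25519 key
    blinding so the result is itself a signing key; a keyed hash is used here.
    """
    msg = period.to_bytes(8, "big") + shared_random
    return hmac.new(service_pubkey, msg, hashlib.sha256).digest()


def responsible_node(blinded: bytes) -> bytes:
    """Consistent hashing: the first node id after the blinded id on the ring."""
    idx = bisect_right(NODE_IDS, blinded)
    return NODE_IDS[idx % len(NODE_IDS)]


def descriptor_location(service_pubkey: bytes, unix_time: int, shared_random: bytes):
    """Where the service's contact information lives at a given moment."""
    period = time_period(unix_time)
    blinded = blinded_id(service_pubkey, period, shared_random)
    return period, blinded, responsible_node(blinded)


def locations_over_time(service_pubkey: bytes, start_time: int, shared_randoms: list):
    """Trace how the storage location moves across consecutive periods.

    shared_randoms holds one constructed network value per period; the network
    publishes a fresh one each period, which is what forces the move.
    """
    trace = []
    for i, srv in enumerate(shared_randoms):
        t = start_time + i * PERIOD_SECONDS
        trace.append(descriptor_location(service_pubkey, t, srv))
    return trace


if __name__ == "__main__":
    key = b"constructed-service-public-key-bytes"   # stands in for a real public key
    srvs = [b"srv-0", b"srv-1", b"srv-2"]           # constructed per-period network values
    for period, blinded, node in locations_over_time(key, 1_700_000_000, srvs):
        print(period, blinded.hex()[:16], "-> node", NODE_IDS.index(node))
```

Both the service and a client that knows the service key compute the same triple and therefore meet at the same directory node, while a node in the ring sees only an opaque identifier that is different every period. Note that with eight nodes the responsible node can occasionally coincide between two periods; the identifier itself always changes.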
Passive services become active
Finally, the paradigm shift brought about by hidden services necessitates a new way of conceiving connection negotiation. Previously, services listening on an IP address and port had no choice but to accept incoming connections. It was necessary to verify the client's identity upstream using additional solutions (such as firewalls and IP address whitelisting) to ensure that the connection request was legitimate and that the risk to the service was limited.
Hidden services disrupt this approach because they are the last to complete the connection with the client. Given that services and clients are connected within an intermediary network, they each initiate outgoing connections to a "rendezvous point." In this logic, the service is the last to perform the action, which it can accept or reject based on the identity of the client trying to reach it. Thus, applications, which were previously "passive," become "active" in establishing connections and regain control.
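The exchange just described, as an added simulation written for this article (it is neither Tor's implementation nor Chimere's code): a neutral rendezvous point pairs two outbound legs sharing a one-time cookie, the client opens its leg first and asks to be introduced, and the service, which has no inbound listener at all, checks the client's identity and only then dials out to complete the pairing. The client authorization scheme (a shared secret per client and an HMAC over the cookie) and the direct delivery of the introduction request to the service, rather than through Tor's introduction point, are simplifying assumptions.

```python
import hashlib
import hmac
import secrets


class RendezvousPoint:
    """Neutral meeting node inside the intermediary network (simulated).

    Both parties connect outward to it with a one-time cookie; it pairs the two
    legs that share a cookie and learns nothing about who is behind either one.
    """

    def __init__(self):
        self._waiting = {}  # cookie -> side that arrived first

    def connect(self, cookie: bytes, side: str) -> str:
        other = self._waiting.get(cookie)
        if other is not None and other != side:
            del self._waiting[cookie]
            return "paired"
        self._waiting[cookie] = side
        return "waiting"

    def pending(self) -> int:
        """Legs still waiting for their counterpart (never completed by the service)."""
        return len(self._waiting)


class HiddenService:
    """The application side: it exposes no address or port to connect to.

    It only reacts to introduction requests and, if it accepts one, dials out to
    the rendezvous point named in the request. A rejected client is simply left
    waiting; the service never touches it.
    """

    def __init__(self, authorized: dict):
        # client identifier -> shared authorization secret (constructed scheme)
        self.authorized = authorized
        self.decisions = []

    def handle_introduce(self, rp: RendezvousPoint, request: dict) -> bool:
        client = request["client_id"]
        secret = self.authorized.get(client)
        if secret is None:
            self.decisions.append((client, "rejected: unknown client"))
            return False
        expected = hmac.new(secret, request["cookie"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, request["proof"]):
            self.decisions.append((client, "rejected: bad proof"))
            return False
        # Accepted: the service performs the last action and completes the circuit.
        state = rp.connect(request["cookie"], "service")
        self.decisions.append((client, f"accepted: {state}"))
        return state == "paired"


def client_connect(rp: RendezvousPoint, service: HiddenService,
                   client_id: str, secret: bytes) -> bool:
    """Client side: open an outbound leg to the rendezvous point, then ask to be introduced."""
    cookie = secrets.token_bytes(20)
    rp.connect(cookie, "client")  # the client waits here; it cannot reach the service directly
    proof = hmac.new(secret, cookie, hashlib.sha256).digest()
    # In Tor this request is relayed through an introduction point; delivered directly here.
    request = {"client_id": client_id, "cookie": cookie, "proof": proof}
    return service.handle_introduce(rp, request)


if __name__ == "__main__":
    rp = RendezvousPoint()
    svc = HiddenService({"alice": b"alice-shared-secret"})   # constructed client list
    print("alice   ->", client_connect(rp, svc, "alice", b"alice-shared-secret"))
    print("mallory ->", client_connect(rp, svc, "mallory", b"guess"))
    print("pending legs at rendezvous point:", rp.pending())
    print(svc.decisions)
```

The point to notice is which side acts last: an unauthorized request costs the service nothing but a lookup, its own leg to the rendezvous point is never opened, and the unpaired leg is the only trace the attempt leaves.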
Hidden Services in the Chimere network
If the hidden services paradigm interests you and you want to try it out, you can publish your services or a portion of them on the Chimere network, ensuring that only your users can communicate with them while benefiting from all the features presented in this and the previous article.
Trying Chimere is achievable in a few minutes. It does not require intrusive changes to your information system and does not cut nominal access.
Don't forget to subscribe to the Chimere newsletter so you don't miss the upcoming articles: