On Fri, Nov 28, 2014 at 03:22:18PM +0000, Steven Murdoch wrote:
On 24 Nov 2014, at 18:54, Tom Ritter <tom@ritter.vg> wrote:
Attached is a document written in the specification format for one aspect of CA-signed .onion addresses - specifically a "What is a safe way to sign (or not sign) a statement using the .onion key" It presents a couple options - I'd love to get feedback from folks on which they prefer.
An alternative scheme could be to take advantage of the fact that Tor does not RSA sign the descriptor itself but a SHA-1 hash of the descriptor. So if the signature for the purpose of getting a CA to accept the request uses a different hash function then there should not be any confusion.
For example, rather than using the SHA-1 hash, use the SHA-1 HMAC under a hard-coded “key”. For the attacker to abuse this signature they would need to find a document which hashes to the same thing. This sounds like it has (but should be checked) the same difficulty as performing a collision attack (2^80 best case, 2^60 using cryptanalytic attacks).
A convenient result of this scheme is that changing the “key” lets the same onion key be used for other purposes, and if the key is well chosen then the chances of someone using the same approach are negligible.
While finding M1 and M2 such that SHA-1-HMAC(k1,M1) = SHA-1-HMAC(k2,M2) should be difficult for k1 \not= k2, even when k1 and k2 are known, it is easy to find M2 (given k1 and M1) such that SHA-1-HMAC(k1,M1) = SHA-1(M2), by the construction of HMAC, right? Something like:
M2 = (k1 \xor opad) || SHA-1[ (k1 \xor ipad) || M1 ]  ?
So I think the above is dangerous.
- Ian
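The relation Ian describes can be checked directly, since it follows from the definition of HMAC rather than from any search. The following Python is an added worked example (not part of the thread and not Tor code): it builds Ian's M2 from a constructed key and message and confirms that plain SHA-1 of M2 equals HMAC-SHA1 of the original message, so a fixed-key HMAC does not separate the two signing domains. The key and message values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes; HMAC pads the key to this length


def hmac_key_block(key: bytes) -> bytes:
    # RFC 2104: a key longer than the block size is hashed first,
    # then the key is zero-padded to exactly one block.
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    return key.ljust(BLOCK, b"\x00")


def equivalent_plain_message(key: bytes, msg: bytes) -> bytes:
    """Ian's M2 = (k xor opad) || SHA-1((k xor ipad) || M1).

    Computing it costs two SHA-1 calls and needs only the (public,
    hard-coded) key and the message; no collision search is involved.
    """
    k = hmac_key_block(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha1(ipad + msg).digest()
    return opad + inner


def cross_domain_equal(key: bytes, msg: bytes) -> bool:
    """True when SHA-1(M2) == HMAC-SHA1(key, msg), i.e. the domains collide."""
    tag = hmac.new(key, msg, hashlib.sha1).digest()
    return hashlib.sha1(equivalent_plain_message(key, msg)).digest() == tag


def demo() -> bool:
    # Constructed values: a hypothetical hard-coded CA-purpose key and a
    # hypothetical CA request body. Any key and message behave the same way.
    key = b"hypothetical-hard-coded-ca-key"
    request = b"constructed CA signing request for example.onion"
    m2 = equivalent_plain_message(key, request)
    # M2 is 64 + 20 bytes: one opad block followed by the inner digest.
    assert len(m2) == BLOCK + 20
    return cross_domain_equal(key, request)


if __name__ == "__main__":
    print("SHA-1(M2) == HMAC-SHA1(k1, M1):", demo())
```

Because the equality holds for every key and message, a verifier that checks a plain-SHA-1 signature (as the descriptor signing does) will accept the signature produced over the HMAC value once it is handed M2 as the "document"; the two purposes only become distinct if the hash functions themselves differ, which is the other option Steven mentions.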