[tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 7 14:50:16 UTC 2013
#8106: Make .onion addresses harder to harvest by directory servers
-----------------------------+----------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: SponsorZ tor-hs | Parent:
Points: | Actualpoints:
-----------------------------+----------------------------------------------
Comment(by hyperelliptic):
To be fully explicit, here is the attack using your notation; l is the
group order.
Aprime = scalarmult(blindingExponent, pub.A);
this is computed the proper way so that it will store to the desired HS
address.
fakea = hashToExponent(generateRandomBytes(64));
inva = 1/fakea mod l;
Bprime = scalarmult(inva, Aprime);
r = hashToExponent(generateRandomBytes(64));
R = scalarmult(r, Bprime);
messageHash := H(groupElementToBytes(R),
groupElementToBytes(blindedPub.Bprime),
groupElementToBytes(blindedPub.Aprime),
msg);
s := r + (hashToExponent(messageHash) * fakea);
return Signature{R = R, s = s};
verification will work because
sBprime = rBprime+(hashToExponent(messageHash) * fakea)Bprime
= R + (hashToExponent(messageHash) * fakea*1/fakea)Aprime
= R + hashToExponent(messageHash) Aprime
This is all the directory service can check, so it will accept the
information provided with the signature as authoritative.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list