[tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 7 15:07:16 UTC 2013
#8106: Make .onion addresses harder to harvest by directory servers
-----------------------------+----------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: SponsorZ tor-hs | Parent:
Points: | Actualpoints:
-----------------------------+----------------------------------------------
Comment(by rransom):
Replying to [comment:20 hyperelliptic]:
> Replying to [comment:19 rransom]:
> > Replying to [comment:18 asn]:
> > > Hey Robert,
> > >
> > > I talked with hyperelliptic today and she explained me her concerns
of comment:17.
> >
> > None of those concerns are legitimate.
> >
> Huh? Let me try this again.
>
> There are two security requirements:
> * Nobody can produce a signature that passes verification by a user
knowing A's long-term key.
> AND
> * Nobody can produce a signature that passes verification for the short-
term public key.
>
> The second proposal of rransom flunks the second requirement.
>
> Here is why this requirement matters:
> The HS address is the x-cooordinate of the short-term public key. This
can be computed by anybody knowing the long-term public key. An attacker
could overwrite the correct information on the directory service with
bogus information if he could produce a signature under the short-term
public key.
>
> What makes the attack work on the second scheme is that the basepoint is
provided as part of the signature and is therefore under the control of
the attacker.
>
> To avoid this problem, use a fixed basepoint or use x(short-term
key),x(basepoint) as HS address.
----
I said explicitly in comment:13, before your first comment here, that the
blinded base point is part of the blinded public key:
> In Ed25519, the public key is `A`. In my blinded-public-key variant of
Ed25519, the blinded public key is `(HB(nonce, B, A)*B, HB(nonce, B,
A)*A)`.
I said in comment:15, in the explicit description of my signature scheme
which you specifically asked for (and thus can be expected to have read),
that the blinded base point is part of the blinded public key:
>
{{{
BlindedPubKey = struct {
Bprime: GroupElement;
Aprime: GroupElement;
};
}}}
Since you had previously missed that fact in comment:13, I repeated it for
emphasis in comment:15, as explicitly as it can be said:
> Also note that the blinded public key contains the blinded base point;
the attacker does not get to choose the base point separately from the
blinded public-key group element.
----
You have not only misrepresented my idea, you are now attempting to claim
credit for it.
I'm done putting up with your crap.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list