[tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 7 16:29:11 UTC 2013


#8106: Make .onion addresses harder to harvest by directory servers
-----------------------------+----------------------------------------------
 Reporter:  asn              |          Owner:                    
     Type:  defect           |         Status:  new               
 Priority:  major            |      Milestone:  Tor: 0.2.5.x-final
Component:  Tor              |        Version:                    
 Keywords:  SponsorZ tor-hs  |         Parent:                    
   Points:                   |   Actualpoints:                    
-----------------------------+----------------------------------------------

Comment(by rransom):

 Replying to [comment:23 hyperelliptic]:
 > > I said explicitly in comment:13, before your first comment here, that
 the blinded base point is part of the blinded public key:
 > >
 > > > In Ed25519, the public key is `A`. In my blinded-public-key variant
 of Ed25519, the blinded public key is `(HB(nonce, B, A)*B, HB(nonce, B,
 A)*A)`.
 > >
 > If you meant this to say that the .onion address is the concatenation of
 the 2 x-coordinates than the easy reply to "I realize that you can
 bootstrap from this by including Bprime in the storage location so that
 the real data and the attack data get written to different places, but
 then you suddendly have twice the length." in
 >
 https://trac.torproject.org/projects/tor/ticket/8106?replyto=22#comment:16
 > would be to say that you in fact accept the double length.
 >
 > In any case, double-length .onion addreses or a broken scheme are pretty
 "legitimate reasons for concern".

 The ‘.onion address’ (I prefer the term “hidden service address” or “HS
 address”) represents a public key (`PubKey`), not a blinded public key
 (`BlindedPubKey`).  A hidden service address can still contain only one
 group element (or a compact representation of one).

 The blinded public key would only be used in two ways in the directory-
 service protocol, where users do not need to see it:

  * Each hidden service periodically uploads a ‘hidden service descriptor’
 (a message accompanied by a signature and a blinded public key) to each of
 several directory servers.  Currently, each hidden service descriptor
 contains an ASN.1-encoded RSA public key with 1024-bit modulus, variable-
 length exponent, and some wrapping bytes, and an ASN.1-encoded RSA
 signature under that public key.  Using the Curve25519 curve without point
 compression, my blinded public key is smaller than the current public-key
 blob, and my signature is smaller than the current signature blob; with
 point compression, both my blinded public key and my signature are smaller
 than the current public-key modulus alone.
  * Each hidden service client uploads a collision-resistant hash of a
 blinded public key to a directory server in order to obtain a hidden
 service's most recent descriptor.  My blinded public keys are small enough
 at 512 bits that the hash could be omitted.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list