[tor-commits] [torspec/master] prop224: use a different salt for each replica and upload

nickm at torproject.org nickm at torproject.org
Fri Nov 20 15:38:42 UTC 2015


commit 01e865d592ffcbb67a0e6631c56e5b8048ea6065
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date:   Fri Nov 20 11:57:09 2015 +1100

    prop224: use a different salt for each replica and upload
    
    Use a different salt for each descriptor replica and upload,
    to avoid matching encrypted blobs, which could be used to
    link other replicas of the service.
    
    If descriptors for different replicas cannot be linked, then it
    becomes much harder for a malicious HSDir to discover other
    replicas and attempt to DoS them.
---
 proposals/224-rend-spec-ng.txt |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 2575136..612ca2c 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -919,7 +919,12 @@ Status: Draft
    The encrypted part of the hidden service descriptor is encrypted and
    authenticated with symmetric keys generated as follows:
 
-       salt = 16 random bytes
+       salt = 16 random bytes, different for each post to each replica,
+              even if the content of the descriptor hasn't changed.
+              (This avoids leaking service stability, and linking replicas
+              via encrypted data comparison.)
+
+       [ XX/teor - is the extra load on the HSDirs worth it? ]
 
        secret_input = blinded_public_key | subcredential |
              INT_4(revision_counter)
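Review bot: the bracketed question `[ XX/teor - is the extra load on the HSDirs worth it? ]` is left inline in the normative key-derivation text; an unresolved design question should not sit between the `salt` and `secret_input` definitions, so either resolve it or move it to a clearly marked open-issues note before merge. The parenthetical "(This avoids leaking service stability, and linking replicas via encrypted data comparison.)" should also be scoped precisely: a fresh salt only prevents comparison of the ciphertext itself, so the wording should not suggest it makes replicas unlinkable in general, and since the salt is now security-relevant, "16 random bytes" should say the bytes come from a cryptographically strong random source.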
