FEATURE IDEA: Hidden Directory Authorities

Kyle Williams kyle.kwilliams at gmail.com
Mon Nov 19 08:29:53 UTC 2007

Any suggestions, questions, or comments are encouraged.

I know that Tor has the PrivateDir option, which uses an Onion Router
to make the request to the DA to retrieve updated cached-* documents.
However, this option will not function without a pre-cached copy of the
cached-routers documents because it wouldn't know of an Onion Router to
tunnel the request
Basically you need a pre-cached copy of cached-routers for PrivateDir
to work, right?
(Please correct me if I am wrong here.)

So the questions that entered my mind were:
* Could Directory Authorities use an .onion address instead of an IP
address if a pre-cached copy of cached-routers was distributed with
the initial download of Tor?
* Would this make the Directory Authorities more resistant to digital
& physical attack?
* Are "guard" nodes[2] the same as "valet" nodes[1]?
The wording of "guard" nodes [2] sounds very similar to the concept of
"valet" nodes [1], but I'm not quite sure if these are the same.  Are

Since the DAs would be the most logical place for an attacker to DoS
or attack, I was thinking that it would make sense if the DAs couldn't
be found physically or by IP.
To start a network, I was thinking of using 3 DAs with 8 nodes.  The
nodes would act as rendezvous points, introduction points, valet/guard
points, entry, middle, and exit nodes.
If the DAs' .onion information and 8 startup nodes' information was
pre-cached when Tor is downloaded, would that be enough to keep the DA's

Now the big question.  What type of attacks would this be prone to?
After reading [2], it became clear that someone could attack
Introduction Points to reveal the true location of the hidden service.
But the 'valet' (or 'guard'?) node design model would significantly
help reduce the probability of this attack being successful.  So, if
the DAs are acting as a hidden service, in theory, Introduction and
Valet Points wouldn't be able to distinguish regular hidden services
from the DA's hidden service.

I know that by hiding the DAs, every downloaded package of Tor would
have to contain an up-to-date copy of the cached-routers.  Could a
"cached-onions" file be introduced into the design to make it clear
which are Onion Routers and which are Hidden Services?

This idea was something that has been going through my mind the last few
weeks.  What do you think?
Paul, if you're reading this, I would really like to hear what you
think about this.
Any feedback from anyone is appreciated.

Best Regards,

[1] Making Anonymous Communications
( http://www.onion-router.net/Publications/Briefing-2004.pdf )

[2] Locating Hidden Servers
( http://www.onion-router.net/Publications/locating-hidden-servers.pdf )
