FEATURE IDEA: Hidden Directory Authorities

Paul Syverson syverson at itd.nrl.navy.mil
Tue Nov 20 15:04:17 UTC 2007

Hi Kyle,

Sorry, swamped and crazy, so I can only give a partial answer. If you
are still unclear on something from me in a few weeks and I haven't
responded again, feel free to ping me again (directly, I don't
always catch something in any of the Tor mailing lists). Then iterate
that process a few weeks after that ;>)

On Mon, Nov 19, 2007 at 12:29:53AM -0800, Kyle Williams wrote:
> Any suggestions, questions, or comments are encouraged.
> I know that Tor has the PrivateDir option, which uses an Onion Router
> to make the request to the DA to retrieve updated cached-* documents.
> However, this option will not
> function without a pre-cached copy of the cached-routers documents
> because it wouldn't know of any Onion Routers to tunnel the request
> through.
> Basically you need a pre-cached copy of cached-routers for PrivateDir
> to work, right?
> (Please correct me if I am wrong here.)
> So the questions that entered my mind were:
> * Could Directory Authorities use an .onion address instead of an IP
> address if a pre-cached copy of cached-routers was distributed with
> the initial download of Tor?
> * Would this make the Directory Authorities more resistant to digital
> & physical attack?
> * Are "guard" nodes[2] the same as "valet" nodes[1]?
> The wording of "guard" nodes [2] sounds very similar to the concept of
> "valet" nodes [1], but I'm not quite sure if these are the same.  Are
> they?

No they're not the same. Guard nodes make it hard for someone to
identify you by just owning some small number of nodes and watching
you make connections over and over again until you use one of their
compromised nodes as a first hop. In [2] we were looking at using this
to attack hidden services and trying to see how far you could get
owning just one evil node in the network. But, as we noted, if you own
more than one node, you can do the same thing to both ends of the
circuit to link source and destination. You can also do similar things
to play games with the choice of guard nodes (cf. "Low Resource
Routing Attacks Against Tor" in WPES'07). Valet nodes do a bunch of
things. One is that they hide the introduction points from the
clients. Another is that they are part of making it much harder for
the introduction point to figure out the hidden service for which it's
an introduction point (I don't mean find the hidden service, I mean
hiding that going through that introduction point connects you to that
hidden service). BTW, the reference you should have had for valet
nodes is http://www.onion-router.net/Publications.html#valet-services
You seem to have inadvertently pointed at another publication.

> Since the DAs would be the most logical place for an attacker to DoS
> or attack, I was thinking that it would make sense if the DAs couldn't
> be found physically or by IP.
> To start a network, I was thinking of using 3 DAs with 8 nodes.  The
> nodes would act as rendezvous points, introduction points, valet/guard
> points, entry, middle, and exit nodes.
> If the DAs' .onion information and the 8 startup nodes' information were
> pre-cached when Tor is downloaded, would that be enough to keep the DAs
> hidden?

Sorry, not sure I got this. Are you talking about directories of
hidden services or directories of Tor nodes? At the moment they
are in the same place, but there is no need for that to ultimately
stay true. I think there are mechanisms in place that make DoS attacks
on the directory infrastructure of Tor quite hard (redundancy, voting,
mirroring, etc.). The hidden service design that includes valet nodes
also includes hiding which directory has service lookup info for a
hidden service from those who don't know the .onion address already
and other protections too. Cf. also Karsten Loesing's work
"Distributed Storage of Tor Hidden Service Descriptors" from PETS 2007.

> Now the big question.  What type of attacks would this be prone to?
> After reading [2], it became clear that someone could attack
> Introduction Points to reveal the true location of the hidden service.
> But the 'valet' (or 'guard'?) node design model would significantly
> help reduce the probability of this attack being successful.  So, if
> the DAs are acting as a hidden service, in theory, Introduction and
> Valet Points wouldn't be able to distinguish regular hidden services
> from the DA's hidden service.

Right. That's the idea.

> I know that by hiding the DAs, every downloaded package of Tor would
> have to contain an up-to-date copy of the cached-routers.  Could a
> "cached-onions" file be introduced into the design to make it clear
> which are Onion Routers and which are Hidden Services?
> This idea was something that has been going through my mind the last few
> weeks.  What do you think?
> Paul, if you're reading this, I would really like to hear what you
> think about this.
> Any feedback from anyone is appreciated.

Above comments all I have time for right now. HTH.
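As an added illustration of the guard-node argument in the reply above (this is not from the original thread and is not Tor's own code; the relay count, adversary fraction and circuit count are constructed for the demonstration), this script compares the chance that a client ever picks an adversary relay as its first hop when every circuit re-chooses the first hop versus when one persistent guard is used:

```python
"""Monte Carlo illustration of why entry guards help against an adversary
that runs a small fraction of relays and simply waits for a client to pick
one of them as first hop. All parameters are constructed for illustration,
not Tor's real network sizes or guard policy."""
import random


def p_compromised_first_hop(frac_bad, num_circuits, use_guards):
    """Closed-form probability that at least one circuit's first hop is an
    adversary relay. Without guards every circuit re-rolls the first hop,
    so exposure compounds over circuits; with a single persistent guard the
    client is exposed only if that one guard is bad (assumes uniform relay
    choice and a guard that never rotates)."""
    if use_guards:
        return frac_bad
    return 1.0 - (1.0 - frac_bad) ** num_circuits


def simulate(num_relays, num_bad, num_circuits, use_guards, trials, seed=1):
    """Fraction of simulated clients whose first hop was ever a bad relay.
    Relays 0..num_bad-1 belong to the adversary (constructed sample)."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        guard = rng.randrange(num_relays)  # chosen once; reused if guards on
        for _ in range(num_circuits):
            first_hop = guard if use_guards else rng.randrange(num_relays)
            if first_hop < num_bad:
                exposed += 1
                break  # one bad first hop is enough to observe the client
    return exposed / trials


if __name__ == "__main__":
    # 1000 relays, 50 (5%) run by the adversary, 100 circuits per client.
    for guards in (False, True):
        print("guards" if guards else "no guards",
              "closed form:", round(p_compromised_first_hop(0.05, 100, guards), 3),
              "simulated:", round(simulate(1000, 50, 100, guards, 20000), 3))
```

With these numbers the no-guard client is exposed with probability above 0.99, while the guarded client stays at the base rate of 0.05, which is the "watching you make connections over and over" effect the reply describes.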
