Publishing sanitized bridge pool assignments

Karsten Loesing karsten.loesing at
Thu Feb 3 10:16:53 UTC 2011

On Wed, Feb 02, 2011 at 12:03:19PM -0500, Ian Goldberg wrote:
> Actually, to keep it to one SHA block (447 bits, not including padding),
> you can have at most 255 bits (31 bytes, if we're byte-aligned) for the
> secret.  I wouldn't suggest spanning the secret across SHA blocks.
> SHA-512 seems like overkill if we're only using 3 bytes of the output.
> SHA-256 should be fine.  Indeed, there's no _actual_ reason to believe
> SHA-1 isn't fine here, except for the general "don't be mandating SHA-1
> for anything new at this point" rule.

These sound like fine suggestions to me!  I added a short summary to the
Trac entry here:

> A 31-byte secret is far more likely to leak than be brute-forced, of
> course.  If it's leaked one month, is it likely to leak again another
> month?

Leaking shouldn't be a problem here, because the secret will only be known
to the machine that's sanitizing bridge descriptors.  If someone learns
about the secret on that machine, they could as well learn about the
original descriptors, too, and save themselves all the trouble of brute
forcing things.

Thanks a lot for your feedback so far!


More information about the tor-dev mailing list