[tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'

Steven Murdoch Steven.Murdoch at cl.cam.ac.uk
Fri Nov 28 15:22:18 UTC 2014

On 24 Nov 2014, at 18:54, Tom Ritter <tom at ritter.vg> wrote:

> Attached is a document written in the specification format for one
> aspect of CA-signed .onion addresses - specifically a "What is a safe
> way to sign (or not sign) a statement using the .onion key"  It
> presents a couple options - I'd love to get feedback from folks on
> which they prefer.

An alternative scheme could be to take advantage of the fact that Tor does not RSA sign the descriptor itself but a SHA-1 hash of the descriptor. So if the signature for the purpose of getting a CA to accept the request uses a different hash function then there should not be any confusion.

For example, rather than using the SHA-1 hash, use the SHA-1 HMAC under a hard-coded “key”. For the attacker to abuse this signature they would need to find a document which hashes to the same thing. This sounds like (but should be checked) to have the same difficulty as performing a collision attack (2^80 best case, 2^60 using cryptanalytic attacks).

A convenient result of this scheme is that changing the “key” lets the same onion key be used for other purposes, and if the key is well chosen then the chances of someone using the same approach is negligible.

Best wishes,

More information about the tor-dev mailing list