[tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor
michael at briarproject.org
Tue May 12 17:39:19 UTC 2015

On 26/04/15 23:14, John Brooks wrote:
> It occurred to me that with proposal 224, there’s no longer a clear reason
> to use both HSDirs and introduction points. I think we could select the IP
> in the same way that we plan to select HSDirs, and bypass needing
> descriptors entirely.
>
> Imagine that we select a set of IPs for a service using the HSDir process in
> section 2.2 of the proposal. The service connects to each and establishes an
> introduction circuit, identified by the blinded signing key, and using an
> equivalent to the descriptor-signing key (per IP) for online crypto.
>
> The client can calculate the current blinded public key for the service and
> derive the list of IPs as it would have done for HSDirs. We likely need an
> extra step for the client to request the “auth-key” and “enc-key” on this IP
> before building an INTRODUCE1 cell, but that seems straightforward.
>
> The IPs end up being no stronger as an adversary than HSDirs would have
> been, with the exception that an IP also has an established long-term
> circuit to the service. Crucially, because the IP only sees the blinded key,
> it can’t build a valid INTRODUCE1 without external knowledge of the master

Something like this was suggested last May, and a concern was raised
about a malicious IP repeatedly killing the long-term circuit in order
to cause the HS to rebuild it. If the HS were ever to rebuild the
circuit through a malicious middle node, the adversary would learn the
identity of the HS's guard.

I don't know whether that's a serious enough threat to outweigh the
benefits of this idea, but I thought it should be mentioned.