[tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor

[Michael Rogers]

On 26/04/15 23:14, John Brooks wrote:
> It occurred to me that with proposal 224, there’s no longer a clear reason
> to use both HSDirs and introduction points. I think we could select the IP
> in the same way that we plan to select HSDirs, and bypass needing
> descriptors entirely.
> 
> Imagine that we select a set of IPs for a service using the HSDir process in
> section 2.2 of the proposal. The service connects to each and establishes an
> introduction circuit, identified by the blinded signing key, and using an
> equivalent to the descriptor-signing key (per IP) for online crypto.
> 
> The client can calculate the current blinded public key for the service and
> derive the list of IPs as it would have done for HSDirs. We likely need an
> extra step for the client to request the “auth-key” and “enc-key” on this IP
> before building an INTRODUCE1 cell, but that seems straightforward.
> 
> The IPs end up being no stronger as an adversary than HSDirs would have
> been, with the exception that an IP also has an established long-term
> circuit to the service. Crucially, because the IP only sees the blinded key,
> it can’t build a valid INTRODUCE1 without external knowledge of the master
> key.

Something like this was suggested last May, and a concern was raised
about a malicious IP repeatedly killing the long-term circuit in order
to cause the HS to rebuild it. If the HS were ever to rebuild the
circuit through a malicious middle node, the adversary would learn the
identity of the HS's guard.

I don't know whether that's a serious enough threat to outweigh the
benefits of this idea, but I thought it should be mentioned.

Cheers,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150512/31279234/attachment.sig>