[tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor

[Michael Rogers]

On 12/05/15 20:41, Jeff Burdges wrote:
> Alright, what if we collaboratively select the RP as follows :
> 
> Drop the HSDirs and select IPs the way 224 selects HSDirs, like John
> Brooks suggests. Protect HSs from malicious IPs by partially pinning
> their second hop, ala (2).
> 
> An HS opening a circuit to an IP shares with it a new random number 
> y. I donno if y could be a hash of an existing shared random value,
> maybe, maybe not.
> 
> A client contacts a hidden services as follows :
> - Select an IP for the HS and open a circuit to it.
> - Send HS a random number w, encrypted so the IP cannot see it.
> - Send IP a ReqRand packet identifying the HS connection.
> 
> An IP responds to ReqRand packet as follows :
> - We define a function h_c(x,y) = hash(x++y++c), or maybe some
> hmac-like construction, where c is a value dependent upon the current
> consensus.
> - Generate z = h_c(x,y) where x is a new random number.
> - Send the client z and send the HS both x and z.
> 
> An HS verifies that z = h_c(x,y).
> 
> Finally, the client and HS determine the RP to build the circuit
> using h_c(z,w) similarly to how 224 selects HSDirs.

One small problem with this suggestion (hopefully fixable) is that
there's no single "current consensus" that the client and IP are
guaranteed to share:

https://lists.torproject.org/pipermail/tor-dev/2014-September/007571.html

Cheers,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x9FC527CC.asc
Type: application/pgp-keys
Size: 1748 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150528/e88bb018/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150528/e88bb018/attachment.sig>