[tor-dev] is the consensus document unpredictable / unique?
razvan.dragomirescu at veri.fi
Mon Jun 27 19:30:28 UTC 2016
Thank you Tim,
As long as a malicious authority cannot choose a hash that is identical to
an older consensus hash, I think the system should be fine. In addition, I
can have the the smartcard look at one of the valid-* dates in the
consensus and hash that into the descriptor cookie as well - I'm guessing a
rogue authority can mess with the consensus hash but cannot change the
valid-after, valid-until, etc dates. If I enforce increasing dates (so that
you cannot go back in time, once you've seen a consensus for Jan 2017 for
instance you cannot sign another one from June 2016), if you attempt to
pre-generate a signature for a future date, you lose connectivity until
that particular date.
I also plan to enforce an upper limit on the number of RSA signatures the
card can perform with a given key. SIM cards already do this to prevent
brute force attacks.
If you don't have access to the smartcard and if you've somehow
pre-generated some signed descriptors, those will only work for 1 hour (a
very specific hour in the future that you've simulated consensus for and
somehow tricked an authority into making the consensus hash be exactly the
one you're expecting).
What I like about the consensus (vs shared random value) is that it's
regenerated every hour, so a successful attack would have very limited
impact (1 hour sometime in the future). Shared random values are generated
once per day, so if the attacker somehow guesses them successfully, he can
pretend to be another node for a full day.
As a second security layer, once the communication is established, the two
nodes can negotiate a shared symmetrical key (based on the same RSA
keypairs they use as permanent keys for hidden services or a different
keypair). This way, a successful attacker can only launch a Denial of
Service type of attack (preventing the legitimate node from getting the
traffic) but cannot decrypt or encrypt traffic from/to that node.
On Mon, Jun 27, 2016 at 9:02 AM, Tim Wilson-Brown - teor <teor2345 at gmail.com
> Hi Razvan,
> > On 26 Jun 2016, at 07:52, Razvan Dragomirescu <
> razvan.dragomirescu at veri.fi> wrote:
> > I couldn't find a detailed description of the Tor consensus, so I'm
> checking that my understanding of it is correct. Basically, would it be
> correct to assume that the consensus document (or a hash thereof) for a
> date in the future is an unpredictable value that will also be unique to
> all nodes inquiring about it at that time?
> The future values of consensuses can be influenced by each of the 9
> directory authorities, individually. A malicious authority has ~5 minutes
> between receiving other authorities' votes and creating its own to
> calculate a vote that creates a consensus hash that achieves a desired
> While it can't control the exact consensus hash, it can choose between
> many possible hashes, only limited by the available computing time. And it
> can farm out these computations to other computers.
> A shared random commit-and-reveal scheme, like the one in proposal 250,
> gives each authority a single choice: to reveal, or not reveal. This means
> that a malicious authority can only choose between two different output
> hashes, rather than choosing between many millions of possible hashes.
> This is why OnionNS switched from using a hash of the consensus, to the
> shared random value in the consensus.
> > On 26 Jun 2016, at 08:18, Tom van der Woerdt <info at tvdw.eu> wrote:
> > The consensus has signatures from all directory operators on it, and
> computing those ahead of time requires a lot of private keys. Because they
> also all contain the date, they're all unique. So yea, they're both unique
> and unpredictable.
> The signed part of the consensus is the (hash of) everything up until the
> first signature.
> So while the consensus eventually contains up to 9 signatures, and some
> legacy signatures, it's not created or initially distributed between
> authorities that way.
> There's a few reasons you shouldn't rely on the hash of the signatures:
> * while the consensus is produced by up to 9 authority signatures, each
> signature is only produced by 1 authority;
> * a client only needs 5 of the 9 signatures to use a consensus, so it's
> not guaranteed to have them all;
> * signatures are distributed encoded, in PKCS1-padded format that ignores
> additional whitespace (and various other extraneous characters), so a
> malicious authority can control (some bits in) the hash of its own
> * PKCS1.5-padding allows arbitrary pseudorandom inputs as part of the
> padding, so a malicious authority can try multiple values for this
> pseudorandom input until it gets a has that it wants;
> A malicious authority also has ~5 minutes between receiving other
> authorities' signatures and creating its own to calculate a signature that
> creates a consensus + signatures hash that achieves a desired outcome.
> This doesn't necessarily mean that your scheme will be insecure, but it
> would need to be constructed very carefully to avoid giving one malicious
> authority the ability to break it. And you might want to get some
> cryptographers to review it.
> (I can imagine an attack where a service creates many keys in advance with
> random values as the consensus hash, and a malicious authority then tries
> to vote or sign to match the consensus hash to one of the random values
> used to create one of the keys.)
> On the other hand, you could wait until there's a shared random value in
> the tor consensus, and use it. This may be ready a lot sooner than the
> entire next-generation hidden service protocol (proposal 224). It could be
> released in 0.2.9, and it could be running on enough authorities some time
> in 2017.
> Tim Wilson-Brown (teor)
> teor2345 at gmail dot com
> PGP 968F094B
> tor-dev mailing list
> tor-dev at lists.torproject.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tor-dev