[tor-dev] Proposition: Applying an AONT to Prop224 addresses?

Ian Goldberg iang at cs.uwaterloo.ca
Wed Apr 5 14:11:42 UTC 2017

On Wed, Apr 05, 2017 at 10:02:07AM -0400, David Goulet wrote:
> Another thing about this I just thought of. This AONT construction seems wise
> to use. But it's still not entirely clear to me why we need a 1-bit version
> field. Taking this:
>     base64( AONT( pubkey || 0x0000 ) || version)
> If the version is 1 byte, then only the end of the address can be mangled with
> and if it is, the tor client won't be able to fetch the descriptor because of
> how the URL is constructed (correct version number is needed).
> So I really don't see the phishing attack here being successful at all...?
> Can you enlighten me on what attack we are trying to avoid here that we require a
> 1-bit version field?

I believe the danger Alec was wanting to avoid was that someone (not the
onion service owner) could take an existing onion address, bump the
version number (which wouldn't change the vanity beginning of the
address), and upload the very same descriptor to the resulting blinded
address (under the new version number).  Then the modified address would
work just like the original.

As mentioned elsewhere in the thread, this is solved if that descriptor
contains (under the signature by the "master" onion key) the actual
onion address you were expected to use to get there.  Does it?  If so,
I think we don't have to worry about this problem at all.
