[tor-talk] A Tor-based Public-Key Infrastructure

Ethan White ethanwhite at rogers.com
Mon Jan 11 23:59:30 UTC 2016 

First off, this is my first post to tor-talk, so I'm not even really 
sure this is the right place, but...

Recently, I've been toying with an idea inspired by a posting on 
tor-talk by Mike Perry from September 2013 [1], in which alternatives 
were discussed to Web of Trust (WoT); specifically, the suggestion 
“Every time GPG downloads a new key, re-download it several times via 
multiple Tor circuits to ensure you always get the same key.”

I've developed it more, and I've come up with a comprehensive public-key 
infrastructure that associates e-mail addresses with arbitrary data 
(such as public keys). We assume Alice is using the e-mail address 
alice at alice.com, and Bob is using the e-mail address bob at bob.com. Alice 
wants to get Bob's public key securely. My goal with this is slightly 
different from most PKIs: I simply want either Alice or Bob to notice if 
anything fishy is going on. They can then simply publish broadly that 
something is off. (This would be a nice thing to eliminate; if anyone 
has any ideas, feel free to suggest them).

The obvious solution is to have Bob upload his public key to bob.com, 
and then Alice can simply use the three-tor-circuit method to download 
Bob's public key. However, this has the flaw of trusting bob.com; 
bob.com could simply serve up the wrong public key.

To solve this, Bob could periodically check that bob.com is serving up 
the right public key. The intervals would have to be random, since Eve 
could simply MITM everyone and serve up the wrong public key except when 
she knows Bob usually asks.

However, this still has a problem: let's say Bob is a high-value target 
like a journalist, and Eve is, for example, an intelligence agency. Eve 
could simply sit outside Bob's house, and, whenever she sees a packet 
into the Tor network, not MITM anyone for a few seconds. Thus, Bob's 
illusion that his public key is being served up authentically is 
maintained, but yet Eve can still MITM Alice (or anyone else). This 
doesn't even seem too far-fetched; this is what NSA's QUANTUM injection 
is, is it not?

To solve this, Bob would send some sort of traffic to the first relay 
every (average latency of the tor network) / 2 seconds, which would 
almost always be something meaningless (like a TLS warning message), 
except occasionally when it's actually a request to bob.com to grab the 
public key.

I have a few questions:
* Do I actually have to worry about QUANTUM-style attacks?
* Are there any vulnerabilities that I'm missing?
* Is this practical? Would it effecively DDOS the Tor network?
* Could I do this in any way that doesn't rely on DNS?


==Footnotes==

1. Available in the archives online @
https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html

On 11/01/16 07:00 AM, tor-talk-request at lists.torproject.org wrote:
> Send tor-talk mailing list submissions to
> 	tor-talk at lists.torproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> or, via email, send a message with subject or body 'help' to
> 	tor-talk-request at lists.torproject.org
>
> You can reach the person managing the list at
> 	tor-talk-owner at lists.torproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tor-talk digest..."
>
>
> Today's Topics:
>
>     1. Re: Help me secure my setup (Aeris)
>     2. Re: What is "cookie protections"? (Joe Btfsplk)
>     3. Re: Funding Tor Development trough Referral/Affiliate
>        Marketing (Nick Mathewson)
>     4. Re: Help me secure my setup (Oskar Wendel)
>
>
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

More information about the tor-talk mailing list