On 26/04/15 23:14, John Brooks wrote:
> It occurred to me that with proposal 224, there’s no longer a clear reason
> to use both HSDirs and introduction points. I think we could select the IP
> in the same way that we plan to select HSDirs, and bypass needing
> descriptors entirely.
>
> Imagine that we select a set of IPs for a service using the HSDir process in
> section 2.2 of the proposal. The service connects to each and establishes an
> introduction circuit, identified by the blinded signing key, and using an
> equivalent to the descriptor-signing key (per IP) for online crypto.
>
> The client can calculate the current blinded public key for the service and
> derive the list of IPs as it would have done for HSDirs. We likely need an
> extra step for the client to request the “auth-key” and “enc-key” on this IP
> before building an INTRODUCE1 cell, but that seems straightforward.
>
> The IPs end up being no stronger as an adversary than HSDirs would have
> been, with the exception that an IP also has an established long-term
> circuit to the service. Crucially, because the IP only sees the blinded key,
> it can’t build a valid INTRODUCE1 without external knowledge of the master
> key.

Something like this was suggested last May, and a concern was raised about a malicious IP repeatedly killing the long-term circuit in order to cause the HS to rebuild it. If the HS were ever to rebuild the circuit through a malicious middle node, the adversary would learn the identity of the HS's guard.

I don't know whether that's a serious enough threat to outweigh the benefits of this idea, but I thought it should be mentioned.

Cheers,
Michael
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev