Re: [tor-dev] DoS resistance for Next-Generation Onion Services

Subject: Re: [tor-dev] DoS resistance for Next-Generation Onion Services

From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>

Date: Wed, 18 Nov 2015 11:43:04 +1100

Delivery-date: Tue, 17 Nov 2015 19:43:21 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:message-id :references:to; bh=YosFO81HKK0Hhzq8R0/8yv9opzDZwdHAGXYfKz3Okmw=; b=ISiMnp1HIoqZxVDsPDZT8f1JV0jzVdz0W2q5oob0XzuRV5xbpjF1QFXgoDxthWofQX pvYbaAFPcFODBj6z7tV4aCiZtoEUAIYSgcAES5kGdQc9d0IDolHSggvTxiD4HpfUosIn 9eu/c41hb4vzazHuiTIQ+Z0H1OkhXqFuI2+LXnmdidL2S/D/86pH8soH5cw0EYBiiRDQ TDlsJSXGXZQgC+1K2UsnnodTL1PIudw2zhaaXjl3h3zcJ2Zd43B8YttkKvWytASQr9BU YC++lK9cy5LHW10oBT0w2A/3gi7mm93zegTthbRMUV6pgePiW33UJN8Ub+AhteTyxvgx dNGg==

In-reply-to: <8AC4D129-4C3E-41FB-98AB-1C9C6F855307@xxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <8AC4D129-4C3E-41FB-98AB-1C9C6F855307@xxxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi All,

prop224 salts the encrypted portion of each descriptor with a random value.

If we use the same "salt" for every replica/spread, the encrypted portions of the descriptor will be identical.

(In the spec, it looks like the same encrypted descriptor / salt is used for each replica / spread, but it's not explicit.)

I can't think of an attack based on matching up the encrypted portions of descriptors.

But I like the idea of making the blinded key and encrypted portion of every descriptor different, so there's no way to tell if they're from the same service or not.

Then there would be no way of telling whether replica/spread descriptors were from the same hidden service, which I think is a useful property.

(Unless you can decrypt them, and therefore you'd likely know the key, or could match up the introduction points. Even then, the service might be using a load balancing technique that puts different intro points in each descriptor, like OnionBalance; or posting multiple descriptors with the same key, like the Tor: Hidden Service Scaling paper.[0])

The relevant portion of the proposal is:

The encrypted part of the hidden service descriptor is encrypted and
authenticated with symmetric keys generated as follows:

salt = 16 random bytes

secret_input = blinded_public_key | subcredential |
INT_4(revision_counter)
keys = KDF(secret_input, salt, "hsdir-encrypted-data",
S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)

SECRET_KEY = first S_KEY_LEN bytes of keys
SECRET_IV = next S_IV_LEN bytes of keys
MAC_KEY = last MAC_KEY_LEN bytes of keys

The encrypted data has the format:

SALT (random bytes from above) [16 bytes]
ENCRYPTED The plaintext encrypted with S [variable]
MAC MAC of both above fields [32 bytes]

Tim

Tim Wilson-Brown (teor)

[0]: https://www.benthamsgaze.org/wp-content/uploads/2015/11/sucu-torscaling.pdf

On 7 Nov 2015, at 07:22, teor <teor2345@xxxxxxxxx> wrote:
Hi all,

I think we can make next-generation onion (hidden) services (proposal #224) more resilient against certain kinds of DoS / client discovery attacks, by using a different blinded public key for each HSDir.

Attack Summary:

Once a malicious HSDir receives a descriptor, it can locate other HSDirs with that descriptor's blinded public key. It doesn't need to know the onion service address or decrypt the descriptor. Each descriptor contains the blinded public key:
...

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev