Re: [tor-dev] DoS resistance for Next-Generation Onion Services

To: George Kadianakis <desnacked@xxxxxxxxxx>

Subject: Re: [tor-dev] DoS resistance for Next-Generation Onion Services

From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>

Date: Fri, 20 Nov 2015 12:21:32 +1100

Delivery-date: Thu, 19 Nov 2015 20:21:58 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=5rQpxo0qFkQqBPTANJxnFDZq1dRohWt4koNENRpbLv8=; b=c5lXHht4vlx0NLGtTYbjaYgDVBGlBHYI7Cj86hq0GFB4OTDhj+OrxxF6beaqySR96q 8QeTRI42Ue+wsRjzZAa3f16vxcepoBWcwbQU9Ut6ziNWKqTcUoou+wuwxNjAf4O2T1Pg qASu6Kf3VVg0bkHJkXeyS7rtkXd69B0026P4tGO36vyeR+lmJNmNX8wX7vkORU3xdfP4 fr62tpMJDbnDo+JjziMVzRtitpvMeHJw81E4S1BqhpGjJTwVovtj15+lB/NKHHcTjjKH cz6LkQhSNHQoEiHFaq6eUYsDTv79ucYGlRxkC2kN+tAoEX0L5JLcf1U4WmZMnjYbCFfW 8Dwg==

In-reply-to: <87a8qarv1v.fsf@xxxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <8AC4D129-4C3E-41FB-98AB-1C9C6F855307@xxxxxxxxx> <9DCAB9D5-F8F4-471E-AF37-6DA840C68537@xxxxxxxxx> <87a8qarv1v.fsf@xxxxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi George,

Please see below for a spec patch covering this email thread and various issues discussed on Trac and tor-dev@

On 20 Nov 2015, at 00:13, George Kadianakis <desnacked@xxxxxxxxxx> wrote:

Tim Wilson-Brown - teor <teor2345@xxxxxxxxx> writes:

Hi All,

prop224 salts the encrypted portion of each descriptor with a random value.
If we use the same "salt" for every replica/spread, the encrypted portions of the descriptor will be identical.
(In the spec, it looks like the same encrypted descriptor / salt is used for each replica / spread, but it's not explicit.)

I can't think of an attack based on matching up the encrypted portions of descriptors.
But I like the idea of making the blinded key and encrypted portion of every descriptor different, so there's no way to tell if they're from the same service or not.

Then there would be no way of telling whether replica/spread descriptors were from the same hidden service, which I think is a useful property.

You are suggesting we should use a different salt for each descriptor we push?

Sounds reasonable, with a small cost on implementation complexity since now we
will have to generate N different descriptors and push them properly to the
right HSDirs. Plausible.

If you send a patch for the proposal, I will merge!

I've created a branch rend-ng-descriptors on https://github.com/teor2345/torspec.git

It addresses the issues I've mentioned in this email trail, tickets #17239 and #17242, and the raw random value leakage issue mentioned by Jacob in [0].

A full list of changes is:

* add a comment that prop252 wants to add extend-info to the descriptor (perhaps it will need more padding)

* add distinguishing values to every hash

* hash raw random bytes before use

* deal with replica hashing collisions

* randomise revision-counter to avoid information leaks

* use a different salt for each replica and upload

* avoid replicas with the same blinded key

They are in approximate order of complexity / impact.

Please feel free to ask me questions about any of these changes.

(And please to cherry-pick as needed.)

Tim

[0]: https://lists.torproject.org/pipermail/tor-dev/2015-November/009954.html

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev