Re: [tor-talk] Choosing a name for a .onon

[Seth David Schoen <schoen@xxxxxxx>]

Adrian Crenshaw writes:

> Hi all,
>    I was under the impression that the .onion names for Tor Hidden Services
> were pseudo-random based on the public key. How was someone able to choose
> one/choose some character in one? As an example:
> http://silkroadvb5piz3r.onion (hope it is not against policy to post that
> link, only example I know. ) How did they choose the first 8 characters?

The basic answer is "try a lot of possibilities on a computer until the one
you want comes up"!

According to

https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt

the .onion name is a base32-encoded version of the first 80 bits of the
SHA1 of the hidden service public key.  base32 is 5 bits per character,
so the prefix "silkroad" in the .onion address above is 5Ã8=40 bits
(indeed, exactly half of the 80 bits in the entire .onion name).  Choosing
the first 40 bits of a hash generally requires trying an average of 2ââ
possibilities; my laptop does about 3-4 million SHA1 operations per second
(per CPU core) so it would take me 3-4 days (per CPU core) of computation
to try that many possibilities on my laptop.  Since hash value searches
are completely parallelizable, you can make this arbitrarily faster by
adding more computers to the search.

Of course this requires being able to change something trivial about the
public key when generating the .onion address.  (Generating a new public
key from scratch would be very time-consuming; making a 1024-bit keypair
from scratch on my machine takes around 0.1 second, depending on how lucky
the key-generation process gets, which is considerably longer than the
0.0000003 seconds that trying a SHA1 operation requires.)  I'm not sure
exactly what you would change because I'm not sure what data is (or can
be) included in a hidden service public key, but there's probably something
you can change without actually needing to make a new keypair.

There's a nice description of the possibility of creating a public key
with a chosen set of bits at the beginning or end at

http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html

although note that the Tor hidden service identifiers are 80 bits, while
PGP short key IDs are only 32 bits, so it's 2ââ times as hard to fake a
hidden service as it is to make a colliding PGP short key ID.  (Full PGP
fingerprints are 160 bits.)

I first got interested in this when I used to develop a live-CD called
LNX-BBC (for "bootable business card").  At that time we were using MD5
checksums on our web site, and I wrote a program to try lots of
possibilities so that all of our MD5 values started with "bbcbbc" in
hexadecimal (on average only 2Ââ MD5 attempts).

For more on the base32 encoding, see

https://en.wikipedia.org/wiki/Base32

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk