Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?

Subject: Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?

From: Alec Muffett <alec.muffett@xxxxxxxxx>

Date: Mon, 3 Apr 2017 17:29:02 +0100

Delivery-date: Mon, 03 Apr 2017 12:30:10 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=jmQ3DV6Y+6T+su9F8Xx+Nbox4Obk5ZaQ6Z5/v6/qUJs=; b=DHuuFkiPSMnCnfNaFAT7iKlQiaxQXYkEF8/MycykDKLB9Xan/LcKmvIxLi6+SaM95m Gv3fa1LvOb6fuPFF33llM4d9htqrFOUHkh1m1SgvLDeDgxqNY+IbcleSmGmAQU6O43uU SE7YptdM87cTPY6QSeNnomPadgdmKmTfHeH6KXbvB6KlHMXD4XOpkAp/t0ceSIBZEKr1 B/L7c3SIuQjIFwIBktQCPy074XEdMfc7Ue410IlEoetIfodnxoyOx6xD4kaq2x7fKszI DBq74nDY1dSAz5cgZ7P/h6wcxymWg4+y3vVE6hn2w6Vo38YVjkMU+p5xyEK3Q225p7J8 qY7Q==

In-reply-to: <20170403155912.GD28540@thunk.cs.uwaterloo.ca>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <CAFWeb9+Z8BvVvxsDNsCVZ5YJx3id+fLdefcT0_u+hzcvJhftnA@mail.gmail.com> <20170326201958.GU28540@thunk.cs.uwaterloo.ca> <20170326204218.GX28540@thunk.cs.uwaterloo.ca> <CAFWeb9J-Hozkh4uzMYfM+-4V2tShH1+xT5nBf=kCpL4UNzZtAQ@mail.gmail.com> <20170327055942.GY28540@thunk.cs.uwaterloo.ca> <20170327085834.GZ28540@thunk.cs.uwaterloo.ca> <87zifxd7ds.fsf@riseup.net> <CAFWeb9JjchfFC+wivmTy6gb8cAokhqrrTGo=UEH9ZdnwCDpfeQ@mail.gmail.com> <20170403144826.GA28540@thunk.cs.uwaterloo.ca> <CAFWeb9LqtOvOteYmeqKzPH7G+O4DypB2ROp64_ki1gHWNJTUsw@mail.gmail.com> <20170403155912.GD28540@thunk.cs.uwaterloo.ca>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 3 April 2017 at 16:59, Ian Goldberg <iang@xxxxxxxxxxxxxxx> wrote:

> How about this, though: I know that Tor doesn't want to be in the business
> of site reputation, but what if (eg) Protonmail offers a Onion "Safe
> Browsing" extension some day, of known-bad Onions for malware reasons?

That's a quite good motivating example, thanks!

#Yay; I'm also thinking of other plugins (in the cleartext world, HTTPSEverywhere is the best example) which provide value to the user by mechanically mutating URIs which match some canonical DNS domain name; because Onion addresses are more like Layer-2 addresses*, development of similar plugins benefits greatly from enforced "canonicality" (sp?) than is necessary for equally-functional DNS equivalents; there is no means to "group" three disparate Onion addresses together just-because they are all owned by (say: Facebook), and if each address has 8 possible representations then that's 24 rules to match against...

> There's quite a gulf between stripping hyphens from a candidate onion
> address and doing strcmp(), versus either drilling into the candidate
> address to compute the alternative forms to check against the blacklist, or
> even requiring the blacklist to be 8x larger?

Yes, that's true. I'm definitely in favour of the "multiply by L (the
order of the group) and check that you get the identity element; error
with 'malformed address' if you don't" to get rid of the torsion point
problem.

I heard that and AMS and it sounds a fabulous idea, although I am still too much of an EC noob to appreciate it fully. :-)

If the daily descriptor uploaded to the point
Hash(onionaddr, dailyrand) contained Hash(onionaddr, dailyrand) *in* it
(and is signed by the master onion privkey, of course), then tor
could/should check that it reached that location through the "right"
onion address.

That sounds great, and I think it sounds an appropriate response, but again I am a Prop224 and EC noob. :-)

I would like, for two paragraph, to go entirely off-piste and ask a possibly irrelevant and probably wrong-headed question:

/* BEGIN PROBABLY WRONG SECTION */

I view Onions as Layer-2 addresses, and one popular attack on Ethernet Layer 2 is ARP-spoofing. Imagine $STATE_ACTOR exfiltrates the private key material from $ONIONSITE and wants to silently and partially MITM the existing site without wholesale owning or tampering with it. Can they make any benefit from multiple ("hardware MAC-address") keys colliding to one address? Is there any greater benefit to $STATE_ACTOR from this than (say) publishing lots of fake/extra introduction points for $ONIONSITE and using those to interpose themselves into communications?

/* END PROBABLY WRONG SECTION */

I'm afraid the details of what's in that daily descriptor are not in my
brain at the moment. Does it contain its own (daily blinded) name under
the signature?

<punt/> George?

-a

* Layer-2 analogy: https://twitter.com/AlecMuffett/status/802161730591793152

http://dropsafe.crypticide.com/aboutalecm

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev