On Fri, 6 Aug 2010 03:07:12 -0700 Mike Perry <mikeperry@xxxxxxxxxx> wrote: > In the real world, it is disturbingly practical to compute .onion urls > that have a significantly large number of characters in common with an > arbitrary target url, in arbitrary positions of the url. > > There was a program called 'shallot' which optimized hidden service > key generation to accomplish exactly this using THC's Fuzzy > Fingerprint technique. It seems to exist only in rumor and legend > these days, but if you would like an arbitrary snapshot of the code > that calls itself 0.0.1, I can post it somewhere. http://taswebqlseworuhc.onion/ > It was originally created for the sake of creating vanity .onion urls. > However, the author optimized it far enough so that the hash could > have something like 8 characters in common with a target .onion url, > in either the prefix, or the suffix, or both, with just a few > machine-days of computation. Their implementation also only created > "strong" RSA keys for the resulting .onion urls. If they allowed weak > key generation for their targets, much more optimization was possible > (and if your goal is to deceive a user into visiting or chatting with > your spoofed hidden service, why not use weak keys?). From the README file for version 0.0.3: | On my 1.5GHz x86-machine, I get about 500k hashes/sec. | +---------------------------------------------+ | | chars | ~number of tries | ~time @ 500 KH/s | [snip] | | 6 | 32^6 = 1g | 30 min | | | 7 | 32^7 = 32g | 1 day | | | 8 | 32^8 = 1t | 25 days | | | 9 | 32^9 = 32t | 2.5 years | Also, it can search for keys whose hashes match an arbitrary regular expression, not just keys whose hashes have specified characters at the beginning and end. Robert Ransom
Attachment:
signature.asc
Description: PGP signature