[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] DoS resistance for Next-Generation Onion Services

To: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>
Subject: Re: [tor-dev] DoS resistance for Next-Generation Onion Services
From: George Kadianakis <desnacked@xxxxxxxxxx>
Date: Thu, 19 Nov 2015 15:13:48 +0200
Cc: tor-dev@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 19 Nov 2015 08:14:08 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1447938835; bh=hLgZ/fDStFY+jDdT8jM6j2rix3Yfpzlby5RKhhVAVYY=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=Bcs++6bhP2R01Hkl2kPkpTjoW7TuhMHmLTfDv3Ex0if+ZY5nLt9KOugf7HhlQQU6f O4wvmhl00p0sHqXOXaK3xMe9hmk3HJ2unMkAJFeOJuMthrr9L/+oG+jFyv6m9wW2r/ Vd2Ln6lKvwYlHXEMfCTasDAbxX9Q/JooAO2Krim8=
In-reply-to: <9DCAB9D5-F8F4-471E-AF37-6DA840C68537@xxxxxxxxx> (Tim Wilson-Brown's message of "Wed, 18 Nov 2015 11:43:04 +1100")
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <8AC4D129-4C3E-41FB-98AB-1C9C6F855307@xxxxxxxxx> <9DCAB9D5-F8F4-471E-AF37-6DA840C68537@xxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Microsoft Outlook Express 6.00.2900.5843

Tim Wilson-Brown - teor <teor2345@xxxxxxxxx> writes:

> Hi All,
>
> prop224 salts the encrypted portion of each descriptor with a random value.
> If we use the same "salt" for every replica/spread, the encrypted portions of the descriptor will be identical.
> (In the spec, it looks like the same encrypted descriptor / salt is used for each replica / spread, but it's not explicit.)
>
> I can't think of an attack based on matching up the encrypted portions of descriptors.
> But I like the idea of making the blinded key and encrypted portion of every descriptor different, so there's no way to tell if they're from the same service or not.
>
> Then there would be no way of telling whether replica/spread descriptors were from the same hidden service, which I think is a useful property.
>

You are suggesting we should use a different salt for each descriptor we push?

Sounds reasonable, with a small cost on implementation complexity since now we
will have to generate N different descriptors and push them properly to the
right HSDirs. Plausible.

If you send a patch for the proposal, I will merge!

Thanks!

> (Unless you can decrypt them, and therefore you'd likely know the key, or could
> match up the introduction points. Even then, the service might be using a load
> balancing technique that puts different intro points in each descriptor, like
> OnionBalance; or posting multiple descriptors with the same key, like the Tor:
> Hidden Service Scaling paper.[0])
>
> The relevant portion of the proposal is:
>>    The encrypted part of the hidden service descriptor is encrypted and
>>    authenticated with symmetric keys generated as follows:
>> 
>>        salt = 16 random bytes
>> 
>>        secret_input = blinded_public_key | subcredential |
>>              INT_4(revision_counter)
>>        keys = KDF(secret_input, salt, "hsdir-encrypted-data",
>>                   S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)
>> 
>>        SECRET_KEY = first S_KEY_LEN bytes of keys
>>        SECRET_IV  = next S_IV_LEN bytes of keys
>>        MAC_KEY    = last MAC_KEY_LEN bytes of keys
>> 
>>    The encrypted data has the format:
>> 
>>        SALT       (random bytes from above)       [16 bytes]
>>        ENCRYPTED  The plaintext encrypted with S  [variable]
>>        MAC        MAC of both above fields        [32 bytes]
>
> Tim
>
> Tim Wilson-Brown (teor)
>
> [0]: https://www.benthamsgaze.org/wp-content/uploads/2015/11/sucu-torscaling.pdf
>
>
>> On 7 Nov 2015, at 07:22, teor <teor2345@xxxxxxxxx> wrote:
>> 
>> Hi all,
>> 
>> I think we can make next-generation onion (hidden) services (proposal #224) more resilient against certain kinds of DoS / client discovery attacks, by using a different blinded public key for each HSDir.
>> 
>> Attack Summary:
>> 
>> Once a malicious HSDir receives a descriptor, it can locate other HSDirs with
>> that descriptor's blinded public key. It doesn't need to know the onion
>> service address or decrypt the descriptor. Each descriptor contains the
>> blinded public key:
>> 
>>> ...
>
>
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] DoS resistance for Next-Generation Onion Services
  - From: Tim Wilson-Brown - teor

References:
- [tor-dev] DoS resistance for Next-Generation Onion Services
  - From: teor
- Re: [tor-dev] DoS resistance for Next-Generation Onion Services
  - From: Tim Wilson-Brown - teor

Prev by Author: Re: [tor-dev] Weird interactions between TBB and Hidden Services upon HS kill/restart
Next by Author: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
Previous by thread: Re: [tor-dev] DoS resistance for Next-Generation Onion Services
Next by thread: Re: [tor-dev] DoS resistance for Next-Generation Onion Services
Index(es):
- Author
- Thread