wiki:doc/HiddenServiceNames

How are .onion names created?

If you decide to run a hidden service Tor generates an RSA-1024 keypair. The .onion name is computed as follows: first the SHA1 hash of the DER-encoded ASN.1 public key is calculated. Afterwards the first half of the hash is encoded to Base32 and the suffix ".onion" is added. Therefore .onion names can only contain the digits 2-7 and the letters a-z and are exactly 16 characters long.

Why are .onion names created that way?

The reason for using cryptic fingerprints instead of human-readable names is described in Zooko's Distnames: they are self-authenticating. If a client wants to connect to a hidden service he asks the directory services for the .onion name's service descriptor which includes its public key. If the hash of the public key matches the .onion name, the client can be sure it will encrypt data for the right hidden service.

"Zooko's Triangle" which is discussed in Stiegler's Petname Systems argues that names cannot be global, secure, and memorable at the same time. This means while being unique and secure, .onion names have the disadvantage that they cannot be not meaningful to humans.

Can i obtain a complete list of .onion names?

No. There is no central authority nor repository of .onion space.

What about collisions in the hash function?

The output of SHA1 has a length of 160 bit. To make handling the URLs more convenient we only use the first half of the hash, so 80 bit remain. Taking advantage of the Birthday Attack, entropy can be reduced to 40 bit. That's why collisions could be found with moderate means. This is not a problem for Tor since all an attacker might be able to do is create two different public keys that match the same .onion name. He would not be able to impersonate already existing hidden services.

Which attacks remain concerning the naming scheme?

Names can be mimicked as described in Plasmoid's Fuzzy Fingerprints. Here is how it works: many people cannot remember the whole .onion hash, nor did they write it down somewhere. Therefore they only check the first and last couple of characters and then assume it is alright.

This issue has been first exploited for SSH fingerprints but can be adopted to Tor hidden services easily. E.g. the first seven characters of a specific .onion name can be computed within a day on a standard PC using programs like Shallot or Scallion. Imagine an attacker creates a .onion name that looks similar to the .onion of a different Hidden Service and replaces its hyperlink on the Hidden Wiki. How long would it take until someone would recognize?

These days most people know that it is important to check the correctness of SSH or GPG fingerprints, but there is not much awareness for .onion names yet. As a counter-measure you should bookmark hidden services that need to be trusted instead of just following hyperlinks everyone can edit.

Last modified 4 years ago Last modified on Apr 28, 2013, 9:38:16 PM