Changes between Version 8 and Version 9 of doc/HiddenServiceNames

Apr 23, 2010, 10:49:23 AM (9 years ago)



  • doc/HiddenServiceNames

    v8 v9  
    1 As of Sat Feb  4 15:17:31 GMT 2006 i'm still writing on this.
     2#pragma section-numbers on
    3 For now, have a look
     4[:../:up to Tor]
    5 [http://6sxoyfb3h2nvok2d.onion/tor/TheFakeWiki here,]
    6 [ here,]
    7 [ and here].
     6Table of Contents
    9 -- bebop
     9= General =
     13== How are .onion names created? ==
     15Tor generates an [ RSA-1024] keypair for every hidden service you decide to run. The .onion name is computed as follows: first the [ SHA1] hash of the [ DER]-encoded [ ASN.1] public key is calculated. Afterwards the first half of the hash is encoded to [ Base32] and the suffix ".onion" is added. Therefore .onion names can only contain the digits 2-7 and the letters a-z and are exactly 16 characters long.
     17[#HowCreated [#]]
     21== Why are .onion names created that way? ==
     23The reason for using cryptic fingerprints instead of human-readable names is described in [ Zooko's Distnames]: they're self-authenticating. If a client wants to connect to a hidden service he asks the directory services for the .onion name's service descriptor which includes it's public key. If the hash of the public key matches the .onion name, the client can be sure it is will encrypt data for the right hidden service.
     25"Zooko's Triangle" which is discussed in Stiegler's [ Petname Systems] argues that names cannot be global, secure, and memorable at the same time. This means while being unique and secure, .onion names have the disadvantage that they cannot be not meaningful to humans.
     28[#WhyCryptic [#]]
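Review bot: the last sentence of the added "Why are .onion names created that way?" section says .onion names "cannot be not meaningful to humans", a double negative that states the opposite of the intended disadvantage; it should read "are not meaningful to humans". In the same section, "which includes it's public key" should be "its public key", and "the client can be sure it is will encrypt data" has a stray word; "the client can be sure it will encrypt data for the right hidden service" is probably what was meant.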
     32== Can i download a complete list of .onion names? ==
     34No. Hidden services that want to be found should announce themselves on the [http://6sxoyfb3h2nvok2d.onion Hidden Wiki].
     36[#CompleteList [#]]
     40== What about collisions in the hash function? ==
     42The output of SHA1 has a length of 160 bit. To make handling the URLs more convenient we only use the first half of the hash, so 80 bit remain. Taking advantage of the [ Birthday Attack], entropy can be reduced to 40 bit. That's why collisions could be found with moderate means. This is not a problem for Tor since all an attacker might be able to do is create two different public keys that match the same .onion name. He would not be able to impersonate already existing hidden services.
     44[#Collisions [#]]
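Review bot: in the collisions paragraph, "entropy can be reduced to 40 bit" is imprecise. The birthday bound means a pair of colliding keys can be found in roughly 2^40 attempts against the 80-bit truncated hash, while matching one specific existing name still takes on the order of 2^80 attempts. Stating both figures would give the reason behind "He would not be able to impersonate already existing hidden services" instead of leaving it as an assertion. Minor: "160 bit" and "80 bit" should be "160 bits" and "80 bits".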
     48== Which attacks remain concerning the naming scheme? ==
     50Names can be mimicked as described in Plasmoid's "[ Vulnerabilities in the Human Brain]". Here is how it works: many people cannot remember the whole .onion hash, nor did they write it down somewhere. Therefore they only check the first and last couple of characters and then assume it is alright.
     52This issue has been first exploited for SSH fingerprints but can be adopted to Tor hidden services easily. E.g. the first seven characters of a specific .onion name can be computed within a day on a standard PC using programs like [http://torlandypjxiligx.onion/src/onionhash/ OnionHash]. Imagine an attacker creates a .onion name that looks similar to that one of [http://zfp44lbek54utuch.onion/ TorMail] and replaces it's hyperlink on the Hidden Wiki. How long would it take until someone would recognize?
     54There's a proof-of-concept implementation for mimicked hidden services at the [http://6sxoyfb3h2nvok2d.onion/tor/TheFakeWiki Fake Wiki].
     56These days most people know that it is important to check the correctness of SSH or GPG fingerprints, but there is not much awareness for .onion names yet. As a counter-measure you should bookmark hidden services that need to be trusted instead of just following hyperlinks everyone can edit.
     58[#Attacks [#]]
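Review bot: the countermeasure in the final paragraph of the attacks section covers bookmarking but never says to compare the full 16-character name, even though the section's premise is that people "only check the first and last couple of characters"; adding that sentence would close the gap. Wording: "can be adopted to Tor hidden services" should be "adapted", "replaces it's hyperlink" should be "its hyperlink", and "How long would it take until someone would recognize?" reads better as "How long would it take until someone noticed?".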