Hello. I was reading about hidden services and a thought occurred to me regarding the hash ring used in choosing and determining the HSDirs for a hidden service. As far as I can tell the hash ring is more or less static since a relay's position is determined by their identity key, which doesn't change. I'm also under the impression that the hash ring is only used for calculation of HSDirs of hidden services.
I don't have a particular method in mind, but it seems to me that you could use the "time-period" value that is used in calculation of the service's descriptor-id to shuffle the ring. This would cause the ring to be different for each hidden service, and also make its order change periodically. I imagine in particular it would make onion address enumeration attacks more difficult, since an attacker wouldn't just be able to "cast a net" over the ring for all services.
Can anybody see any problems or false assumptions with this?
Thanks
On Fri, Aug 23, 2013 at 9:31 AM, Kang td66bshwu@gmail.com wrote:
Hello. I was reading about hidden services and a thought occurred to me regarding the hash ring used in choosing and determining the HSDirs for a hidden service. As far as I can tell the hash ring is more or less static since a relay's position is determined by their identity key, which doesn't change. I'm also under the impression that the hash ring is only used for calculation of HSDirs of hidden services.
I don't have a particular method in mind, but it seems to me that you could use the "time-period" value that is used in calculation of the service's descriptor-id to shuffle the ring. This would cause the ring to be different for each hidden service, and also make its order change periodically. I imagine in particular it would make onion address enumeration attacks more difficult, since an attacker wouldn't just be able to "cast a net" over the ring for all services.
Can anybody see any problems or false assumptions with this?
So right now, the HSDir ring is built as a function of node IDs. A hidden service's position within that ring changes depending on a function of the hidden service's ID (immutable) and time-period (predictable). The issue we'd like to solve is that if you know a hidden service's ID, you can predict where it will be stored in the ring at any given time in the future, and try to arrange to have servers with identities close to that point.
So for example, suppose that Mallory want to DOS a hidden service with ID "jellyandcrumpets.onion" next Thursday, right before the big crumpet festival.
The descriptor IDs that this hidden service will generate on Thursday are going to be: (coding simplified) H1 = H( jellyandcrumpets | H(Aug 29 2013, replica1) ) H2 = H( jellyandcrumpets | H(Aug 29 2013, replica2) )
And so all that Mallory needs to do is try to make sure that, by Thursday, Mallory occupies the points in the HSDir ring right after H1 and right after H2. Mallory does this by generating identity keys until finding several that are right after H1, and several that are right after H2. Mallory then must run nodes with those identity keys until they get the HSDir flag. At that point, Mallory can refuse to answer requests for the jellyandcrumpets service.
That's how it is now.
As I understand it, your proposed fix is to have the time-period also used in sorting the nodes into the HSDir. So on Thursday, instead of ordering the nodes in the HSDir ring by their public keys PK, we would instead order the nodes in the ring by H(Aug 29 2013, PK).
But Mallory can still succeed. All he must do is to choose public keys such that H(Aug 29 2013, PK) is right after H1 or H2, and he can succeed just as well at censoring jellyandcrumpets.onion service for that day.
The real problem here is that time is predictable. Not to put too fine a point on it: we know what day it's going to be next Thursday well in advance. :)
So long as the the <hidden service, hsdir> mapping depends only on things things that Mallory can control (like the public keys of his servers) and things that Mallory can predict far enough in advance to get the HSDir flag (like the hidden service's identity and the date of the attack), then these attacks will remain feasible.
If we want to keep Mallory from knowing which PKs to run long enough in advance to do a low-cost HSDir-based censorship attack, we can take two approaches: * We make it higher-cost to have a server running with a given PK and the HSDir flag on a chosen day. We've already done this with changes to the directory authorities in 0.2.4.10-alpha, in response to the attack technique in the "Trawling for Tor Hidden Services" paper. * Have the mapping depend on some temporary value that the attacker cannot know very far in advance.
The most obvious way to have such an unpredictable value is to have the authorities decide on one for each time period a short time before each time period begins. But it turns out that collaboratively generating random value is tricky, if you want to resist attacks where one authority can influence the random value to give the results they want. Section 4 of http://freehaven.net/doc/casc-rep/casc-rep.pdf discusses some difficulties and a possible workaround, but that paper's pretty old, and I bet somebody's come up with a better answer by now.
cheers,
On Fri, Aug 23, 2013 at 1:01 PM, Nick Mathewson nickm@alum.mit.edu wrote:
See also Roger's writeup at https://trac.torproject.org/projects/tor/ticket/8244 ; it's pretty informative IMO.
Sure. This wasn't intended as a solution for the determinism problem. Just a small defence against harvesting of Tor hidden service descriptors by having each hidden service use a differently ordered ring, so it wouldn't be possible, for instance to place a dishonest node in every third position of the ring for all services. I had slightly misunderstood home "time-period" was calculated.
For the determinism problem my current thoughts seem to be similar to what's in the paper. That you could use a simple bit commitment scheme to generate a random value in a distributed fashion.
You could have each authority generate a random value, and then encrypt it with a temporarily secret key. They distribute the encrypted values and once each authority has the full set they distribute the keys. They'd then decrypt the values and combine them to create a salt which would be used in descriptor-id calculations by clients and hidden services for that time period. They'd probably also have to sign the value and then distribute theses signatures among themselves to ensure that they all had the same value.
The problem with dishonest authorities affecting the outcome is indeed tricky. With the above solution even if an authority can't change its value it can refuse to unlock its value, leaving us with a few possible courses of action, each flawed. We could start the calculation all over again, which would mean a dishonest node could simply keep refusing to unlock its value until the desired outcome is achieved. Alternatively you could simply drop the value and finish the calculation without it. This would mean an attacker can choose between (I think) C^2 different results, where C is the number of dishonest collaborating authorities. If you used a scheme where an encrypted value could be unlocked without cooperation from its creator then this could potentially be abused to modify the result very precisely, provided that there were enough dishonest collaborators.
Any of these methods could be augmented using some kind of reputation system, although this would need to be carefully designed as it's also open to exploit. A reputation system where an authority can either participate or can't participate in the random value calculation probably isn't a good idea, since an attacker could likely abuse this to have honest authorities locked out. If a reputation system were used I imagine a sliding scale would work best, where the less trusted an authority is the less it can modify the outcome, with even the most untrusted authorities having a small say in the result.
On Sat, Aug 24, 2013 at 2:33 AM, Nick Mathewson nickm@alum.mit.edu wrote:
On Fri, Aug 23, 2013 at 1:01 PM, Nick Mathewson nickm@alum.mit.edu wrote:
See also Roger's writeup at https://trac.torproject.org/projects/tor/ticket/8244 ; it's pretty informative IMO. _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-
Kang -
Nick Mathewson