Re: [tor-talk] .onion name gen

2016-03-04 Thread Roger Dingledine
On Fri, Mar 04, 2016 at 05:24:34PM -0700, Mirimir wrote:
> Right, _very_ difficult to find!
> 
> But, let's say that one were found. Or occurred by chance. Am I correct
> that HSdirs would go with the server that had announced most recently?

Yes.

http://tor.stackexchange.com/questions/13/can-a-hidden-service-be-hosted-by-multiple-instances-of-tor/24#24

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] .onion name gen

2016-03-04 Thread Mirimir
On 03/04/2016 05:10 PM, Seth David Schoen wrote:
> Scfith Rise up writes:
> 
>> I'm pretty sure that the onion address is generated directly from the 
>> private key, at least if you have ever played around with scallion or 
>> eschalot. So what you just wrote doesn't apply in that way. But again, I 
>> could be wrong. 
> 
> Mirimir's reference at
> 
> https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames
> 
> shows that they are truncated SHA-1 hashes, 80 bits in length, of "the
> DER-encoded ASN.1 public key" of "an RSA-1024 keypair".
> 
> So you have the space of public keys (indeed, it's considerably less than
> 1024 bits if you want to actually be able to use it as a keypair) and the
> space of 80-bit truncated hashes, and the former is dramatically larger
> than the latter.  So over the entire space of keys, collisions are not
> just possible but are required and even extremely frequent.  On the other
> hand, they're so difficult to find that nobody knows a single example!

Right, _very_ difficult to find!

But, let's say that one were found. Or occurred by chance. Am I correct
that HSdirs would go with the server that had announced most recently?


Re: [tor-talk] .onion name gen

2016-03-04 Thread Seth David Schoen
Scfith Rise up writes:

> I'm pretty sure that the onion address is generated directly from the private 
> key, at least if you have ever played around with scallion or eschalot. So 
> what you just wrote doesn't apply in that way. But again, I could be wrong. 

Mirimir's reference at

https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames

shows that they are truncated SHA-1 hashes, 80 bits in length, of "the
DER-encoded ASN.1 public key" of "an RSA-1024 keypair".

So you have the space of public keys (indeed, it's considerably less than
1024 bits if you want to actually be able to use it as a keypair) and the
space of 80-bit truncated hashes, and the former is dramatically larger
than the latter.  So over the entire space of keys, collisions are not
just possible but are required and even extremely frequent.  On the other
hand, they're so difficult to find that nobody knows a single example!

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


Re: [tor-talk] .onion name gen

2016-03-04 Thread Scfith Rise up
So it's not who is already published in the list but whoever has published most 
recently? Very confused now. Seems like that works completely backwards from 
how it should. 

> On Mar 4, 2016, at 4:05 PM, Mirimir  wrote:
> 
>> On 03/04/2016 01:39 PM, Scfith Rise up wrote:
>> It _would_ be the same private key. Good luck with generating 1.2
>> septillion permutations (16^32).
> 
> That's not what I get from
> https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames.
> SHA1 collisions are possible.
> 
>> But could be doable in a few years so to answer your question, I
>> believe there can only be one published in the HSDIR, so first come
>> first served. Facebook's would have to be DDOS / shutdown and then
>> the forged one can be spun up and published.
> 
> As I understand it, what matters is which one announced most recently.
> 
>> Please correct me if I'm wrong as I've only been researching Tor since 2015. 
>> 
>>> On Mar 4, 2016, at 3:23 PM, Mirimir  wrote:
>>> 
>>>> On 03/04/2016 01:03 PM, Andreas Krey wrote:
>>>>> On Fri, 04 Mar 2016 19:55:01 +, Flipchan wrote:
>>>>> If I generate a .onion domain, isn't there a risk that someone can 
>>>>> generate the same domain? I mean anyone can generate .onion domains and 
>>>>> if I got an easy .onion address then some could easily generate that RSA 
>>>>> key, right?
>>>> 
>>>> There is no 'easy' onion address, only ones that look like they
>>>> are. Faking facebookcorewwwi takes the same effort as any other.
>>>> Getting an onion that starts with facebook but does not end in
>>>> corewwwi is much easier (by the factor 1099511627775), but that
>>>> is true for any other eight character prefix as well.
>>>> 
>>>> Andreas
>>> 
>>> OK, but let's say that someone got facebookcorewwwi.onion, running
>>> scallion on some mega-GPU monster. It's hugely improbable, I know. And
>>> they'd have a different private key, of course. But how would Tor handle
>>> that? Would it work like running multiple onion copies does now? That
>>> is, would they compete for HSDir priority?


Re: [tor-talk] .onion name gen

2016-03-04 Thread Scfith Rise up
I'm pretty sure that the onion address is generated directly from the private 
key, at least if you have ever played around with scallion or eschalot. So 
what you just wrote doesn't apply in that way. But again, I could be wrong. 

> On Mar 4, 2016, at 3:52 PM, Seth David Schoen  wrote:
> 
> Scfith Rise up writes:
> 
>> It _would_ be the same private key. Good luck with generating 1.2 septillion 
>> permutations (16^32). 
> 
> This would be true if the public key were used directly as the onion name
> (which might be possible in certain elliptic curve systems because keys
> are so small).
> 
> But in this case, the onion name is calculated from a hash of the public
> key, and the size of the hash is much smaller than the size of the
> underlying pubkey (80 bits vs. 1024 bits).  The pigeonhole principle
> requires that many, many different pubkeys must have the same hash --
> on average, about 2⁹⁴⁴ pubkeys would have the same hash.  When you
> get a perfect collision from scallion, after doing that 2⁸⁰ work
> (analogous to about 11 days of entire work of the Bitcoin network --
> which you can think of as surprisingly much or surprisingly little work),
> you're still astronomically unlikely to have the same private key!
> 
> -- 
> Seth Schoen  
> Senior Staff Technologist   https://www.eff.org/
> Electronic Frontier Foundation  https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


Re: [tor-talk] .onion name gen

2016-03-04 Thread Seth David Schoen
Scfith Rise up writes:

> It _would_ be the same private key. Good luck with generating 1.2 septillion 
> permutations (16^32). 

This would be true if the public key were used directly as the onion name
(which might be possible in certain elliptic curve systems because keys
are so small).

But in this case, the onion name is calculated from a hash of the public
key, and the size of the hash is much smaller than the size of the
underlying pubkey (80 bits vs. 1024 bits).  The pigeonhole principle
requires that many, many different pubkeys must have the same hash --
on average, about 2⁹⁴⁴ pubkeys would have the same hash.  When you
get a perfect collision from scallion, after doing that 2⁸⁰ work
(analogous to about 11 days of entire work of the Bitcoin network --
which you can think of as surprisingly much or surprisingly little work),
you're still astronomically unlikely to have the same private key!

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
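
The derivation and counts discussed in this thread, as an added example that is not part of the original messages: it builds the name as the 80-bit truncated SHA-1 of the DER-encoded public key, checks a presented key against a name, and reproduces the 1099511627775 and 2^944 figures. It assumes the DER structure is the PKCS#1 RSAPublicKey SEQUENCE of modulus and exponent; the function names and the sample modulus are constructed for illustration.

```python
import base64
import hashlib

ADDRESS_BITS = 80   # truncated SHA-1 length, per the thread
KEY_BITS = 1024     # RSA-1024 modulus size, per the thread

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    """DER INTEGER for v >= 0, sized so the top bit stays clear (positive)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def rsa_public_key_der(n: int, e: int) -> bytes:
    """Assumed layout: PKCS#1 RSAPublicKey, SEQUENCE { modulus, exponent }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

def onion_v2(der: bytes) -> str:
    """First 80 bits of SHA-1(DER public key), base32: 16 characters."""
    digest = hashlib.sha1(der).digest()
    return base64.b32encode(digest[:ADDRESS_BITS // 8]).decode().lower() + ".onion"

def key_matches(hostname: str, der: bytes) -> bool:
    """Check that a presented public key really hashes to the hostname."""
    return hostname.strip().lower() == onion_v2(der)

def names_sharing_prefix(prefix_chars: int) -> int:
    """Other 16-character names with the same prefix (5 bits per character)."""
    return 2 ** (ADDRESS_BITS - 5 * prefix_chars) - 1

def log2_keys_per_name() -> int:
    """Pigeonhole: log2 of the average number of 1024-bit values per name."""
    return KEY_BITS - ADDRESS_BITS

# Constructed sample: a 1024-bit odd integer standing in for a modulus.
# It is not a real key; only its DER encoding matters to the hash.
SAMPLE_N = (1 << 1023) | int.from_bytes(hashlib.sha256(b"constructed").digest(), "big") | 1
SAMPLE_DER = rsa_public_key_der(SAMPLE_N, 65537)

if __name__ == "__main__":
    name = onion_v2(SAMPLE_DER)
    print(name, key_matches(name, SAMPLE_DER))
    print(names_sharing_prefix(8), log2_keys_per_name())
```

The name is a function of the public key only, so the check in key_matches is what binds a name to a key: two different keys with the same 80-bit hash would both pass it.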


Re: [tor-talk] .onion name gen

2016-03-04 Thread Scfith Rise up
It _would_ be the same private key. Good luck with generating 1.2 septillion 
permutations (16^32). 

But could be doable in a few years so to answer your question, I believe there 
can only be one published in the HSDIR, so first come first served. Facebook's 
would have to be DDOS / shutdown and then the forged one can be spun up and 
published. 

Please correct me if I'm wrong as I've only been researching Tor since 2015. 

> On Mar 4, 2016, at 3:23 PM, Mirimir  wrote:
> 
>> On 03/04/2016 01:03 PM, Andreas Krey wrote:
>>> On Fri, 04 Mar 2016 19:55:01 +, Flipchan wrote:
>>> If I generate a .onion domain, isn't there a risk that someone can generate 
>>> the same domain? I mean anyone can generate .onion domains and if I got an 
>>> easy .onion address then some could easily generate that RSA key, right?
>> 
>> There is no 'easy' onion address, only ones that look like they
>> are. Faking facebookcorewwwi takes the same effort as any other.
>> Getting an onion that starts with facebook but does not end in
>> corewwwi is much easier (by the factor 1099511627775), but that
>> is true for any other eight character prefix as well.
>> 
>> Andreas
> 
> OK, but let's say that someone got facebookcorewwwi.onion, running
> scallion on some mega-GPU monster. It's hugely improbable, I know. And
> they'd have a different private key, of course. But how would Tor handle
> that? Would it work like running multiple onion copies does now? That
> is, would they compete for HSDir priority?


Re: [tor-talk] .onion name gen

2016-03-04 Thread Mirimir
On 03/04/2016 01:03 PM, Andreas Krey wrote:
> On Fri, 04 Mar 2016 19:55:01 +, Flipchan wrote:
>> If I generate a .onion domain, isn't there a risk that someone can generate 
>> the same domain? I mean anyone can generate .onion domains and if I got an 
>> easy .onion address then some could easily generate that RSA key, right? 
> 
> There is no 'easy' onion address, only ones that look like they
> are. Faking facebookcorewwwi takes the same effort as any other.
> Getting an onion that starts with facebook but does not end in
> corewwwi is much easier (by the factor 1099511627775), but that
> is true for any other eight character prefix as well.
> 
> Andreas

OK, but let's say that someone got facebookcorewwwi.onion, running
scallion on some mega-GPU monster. It's hugely improbable, I know. And
they'd have a different private key, of course. But how would Tor handle
that? Would it work like running multiple onion copies does now? That
is, would they compete for HSDir priority?


Re: [tor-talk] .onion name gen

2016-03-04 Thread Andreas Krey
On Fri, 04 Mar 2016 19:55:01 +, Flipchan wrote:
> If I generate a .onion domain, isn't there a risk that someone can generate 
> the same domain? I mean anyone can generate .onion domains and if I got an 
> easy .onion address then some could easily generate that RSA key, right? 

There is no 'easy' onion address, only ones that look like they
are. Faking facebookcorewwwi takes the same effort as any other.
Getting an onion that starts with facebook but does not end in
corewwwi is much easier (by the factor 1099511627775), but that
is true for any other eight character prefix as well.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-talk] .onion name gen

2016-03-04 Thread Josef Stautner
Hi,

creating a 1:1 copy of an onion key is very hard. You need much luck or
computing power to generate a key with the exact same hash as the key
you want to copy.
With modern computers and graphics cards it's very easy to find a key
with the same 4 digits but a whole 1:1 copy seems to be impossible at
the moment.

The README describes the problem a bit:

https://github.com/lachesis/scallion

~Josef





[tor-talk] .onion name gen

2016-03-04 Thread Flipchan
If I generate a .onion domain, isn't there a risk that someone can generate the 
same domain? I mean anyone can generate .onion domains and if I got an easy 
.onion address then some could easily generate that RSA key, right? 
-- 
Sincerely Flipchan


[tor-talk] Tor Browser Custom Intro Page Fingerprintability

2016-03-04 Thread bancfc
AFAIK for trademark reasons TPO recommends that distros built around Tor 
Browser show a custom intro page upon Tor Browser start up to users 
(which we do in Whonix).


Is this custom page detectable by websites a user visits (with a 
malicious JS script for example)?


If successful this attack has the effect of partitioning Whonix TBB 
users and everyone else.
