Re: [tor-talk] Choosing a name for a .onon

[Robert Ransom]

On 2012-03-30, Asheesh Laroia ashe...@asheesh.org wrote:

 As the author of that asheesh.org note, I suggest you read it carefully.
 (-:

After reading that note four times, I still see no details about your
attack tool.

 In particular, pay attention to how key timestamps are used in OpenPGP!
 It's interesting and was surprising to me at first, too.

Your note does not contain the word “timestamp”.

According to RFC 4880, the key generation timestamp is near the
beginning of the key blob.  Thus, every time you change the timestamp,
you need to re-hash a relatively long fixed string (the public modulus
in an RSA key, or the group parameters in a DLP-based key).  Changing
the timestamp may be useful for DSA or ElGamal keys (I'm not convinced
of that), but it's not helpful in generating an RSA key with chosen
key ID.


Robert Ransom
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Choosing a name for a .onon

[Gregory Maxwell]

On Thu, Mar 29, 2012 at 6:47 PM, Adrian Crenshaw irong...@irongeek.com wrote:
 Hi all,
   I was under the impression that the .onion names for Tor Hidden Services
 were pseudo-random based on the public key. How was someone able to choose
 one/choose some character in one? As an example:
 http://silkroadvb5piz3r.onion (hope it is not against policy to post that
 link, only example I know. ) How did they choose the first 8 characters?

Using a brute force search tool like http://gitorious.org/shallot/shallot/

I'd advise against it— while I don't have a study to back me up I expect
'readable' names like that discourage good security practices— that
they cause people to use addresses (spread in that look like yours, perhaps)
without verifying the source— and when people do compare they are probably
more likely to just compare the readable parts.

sure, the computation is a bit of a barrier— but it's easier for the
attacker (who
may generate fake onions for many sites at once) then it is for the defender.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Choosing a name for a .onon

[Seth David Schoen]

Adrian Crenshaw writes:

 Hi all,
I was under the impression that the .onion names for Tor Hidden Services
 were pseudo-random based on the public key. How was someone able to choose
 one/choose some character in one? As an example:
 http://silkroadvb5piz3r.onion (hope it is not against policy to post that
 link, only example I know. ) How did they choose the first 8 characters?

The basic answer is try a lot of possibilities on a computer until the one
you want comes up!

According to

https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt

the .onion name is a base32-encoded version of the first 80 bits of the
SHA1 of the hidden service public key.  base32 is 5 bits per character,
so the prefix silkroad in the .onion address above is 5×8=40 bits
(indeed, exactly half of the 80 bits in the entire .onion name).  Choosing
the first 40 bits of a hash generally requires trying an average of 2⁴⁰
possibilities; my laptop does about 3-4 million SHA1 operations per second
(per CPU core) so it would take me 3-4 days (per CPU core) of computation
to try that many possibilities on my laptop.  Since hash value searches
are completely parallelizable, you can make this arbitrarily faster by
adding more computers to the search.

Of course this requires being able to change something trivial about the
public key when generating the .onion address.  (Generating a new public
key from scratch would be very time-consuming; making a 1024-bit keypair
from scratch on my machine takes around 0.1 second, depending on how lucky
the key-generation process gets, which is considerably longer than the
0.003 seconds that trying a SHA1 operation requires.)  I'm not sure
exactly what you would change because I'm not sure what data is (or can
be) included in a hidden service public key, but there's probably something
you can change without actually needing to make a new keypair.

There's a nice description of the possibility of creating a public key
with a chosen set of bits at the beginning or end at

http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html

although note that the Tor hidden service identifiers are 80 bits, while
PGP short key IDs are only 32 bits, so it's 2⁴⁸ times as hard to fake a
hidden service as it is to make a colliding PGP short key ID.  (Full PGP
fingerprints are 160 bits.)

I first got interested in this when I used to develop a live-CD called
LNX-BBC (for bootable business card).  At that time we were using MD5
checksums on our web site, and I wrote a program to try lots of
possibilities so that all of our MD5 values started with bbcbbc in
hexadecimal (on average only 2²⁴ MD5 attempts).

For more on the base32 encoding, see

https://en.wikipedia.org/wiki/Base32

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Choosing a name for a .onon

[Maxim Kammerer]

On Fri, Mar 30, 2012 at 01:54, Seth David Schoen sch...@eff.org wrote:
 Choosing the first 40 bits of a hash generally requires trying an average of 
 2⁴⁰
 possibilities; my laptop does about 3-4 million SHA1 operations per second
 (per CPU core) so it would take me 3-4 days (per CPU core) of computation
 to try that many possibilities on my laptop.

Due to proliferation of Bitcoin, there are now very efficient SHA-256
generators for off-the-shelf GPUs. The numbers at [1] suggest
performance that's at least two orders of magnitude faster than your
laptop — and for double-SHA-256 instead of a single SHA-1 (which I
assume can be done by the same software after some simple adaptation).

[1] https://en.bitcoin.it/wiki/Mining_hardware_comparison

 Of course this requires being able to change something trivial about the
 public key when generating the .onion address.

Not necessarily — you can generate the hash first, and then check
whether the public key is legal. I.e., generate a 512-bit prime p, and
then go on with producing a completely random 512-bit e, and checking
whether SHA-1(ASN.1-RSAPublicKey(modulus=p*e, exponent=65537)) (which
is how Tor computes the .onion address) produces the desired result.
If it does, check whether e is prime. Density of primes in the range
of e is ~1/512, so that's just 9 bits more of search space, and
primality checking efficiency doesn't matter much.

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Choosing a name for a .onon

[Robert Ransom]

On 2012-03-30, Maxim Kammerer m...@dee.su wrote:
 On Fri, Mar 30, 2012 at 01:54, Seth David Schoen sch...@eff.org wrote:
 Choosing the first 40 bits of a hash generally requires trying an average
 of 2⁴⁰
 possibilities; my laptop does about 3-4 million SHA1 operations per second
 (per CPU core) so it would take me 3-4 days (per CPU core) of computation
 to try that many possibilities on my laptop.

 Due to proliferation of Bitcoin, there are now very efficient SHA-256
 generators for off-the-shelf GPUs. The numbers at [1] suggest
 performance that's at least two orders of magnitude faster than your
 laptop — and for double-SHA-256 instead of a single SHA-1 (which I
 assume can be done by the same software after some simple adaptation).

 [1] https://en.bitcoin.it/wiki/Mining_hardware_comparison

 Of course this requires being able to change something trivial about the
 public key when generating the .onion address.

 Not necessarily — you can generate the hash first, and then check
 whether the public key is legal. I.e., generate a 512-bit prime p, and
 then go on with producing a completely random 512-bit e, and checking
 whether SHA-1(ASN.1-RSAPublicKey(modulus=p*e, exponent=65537)) (which
 is how Tor computes the .onion address) produces the desired result.
 If it does, check whether e is prime. Density of primes in the range
 of e is ~1/512, so that's just 9 bits more of search space, and
 primality checking efficiency doesn't matter much.

Shallot computes a single public modulus p*q and searches for a public
exponent e which produces a SHA-1 hash with the desired properties.
That's much faster than doing a 512-bit-by-512-bit bignum multiply for
each hash, *and* the search for a suitable exponent could (in theory)
be performed in parallel across many (untrusted) computers.


Robert Ransom
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Choosing a name for a .onon

[Robert Ransom]

On 2012-03-30, Maxim Kammerer m...@dee.su wrote:
 On Fri, Mar 30, 2012 at 06:06, Robert Ransom rransom.8...@gmail.com wrote:
 Shallot computes a single public modulus p*q and searches for a public
 exponent e which produces a SHA-1 hash with the desired properties.

 For some reason I thought that that would produce non-standard RSA
 keys, perhaps because the old ssl-genrsa only supported e={3,65537}
 (whereas the new ssl-genpkey doesn't have this limitation). Isn't the
 point of e like 3 or 65537 (with few bits set) to make encryption
 fast?

Yes.  (Note that hidden service identity public keys are only used for
signature verification, which is not the same as encryption with any
modern padding scheme.)

But Tor didn't enforce that requirement for hidden service identity
keys soon enough, and I don't think OpenSSL's RSA implementation
benefits much from those particular choices of e (other than from the
fact that they're short).

 Do you know whether Shallot-produced RSA keys have any
 noticeable detrimental effect on relays load because of the
 unrestricted exponent?

Maybe a little.  No one will let Shallot run long enough to produce a
really big public exponent, though.  (Relays raise 1024-bit numbers to
320-bit powers all the time for forward secrecy.  Shallot won't
generate 320-bit public exponents.)

Maliciously generated hidden service identity keys could have much
larger public exponents, but hopefully no one will bother implementing
that DoS attack.


 That's much faster than doing a 512-bit-by-512-bit bignum multiply for
 each hash, *and* the search for a suitable exponent could (in theory)
 be performed in parallel across many (untrusted) computers.

 Sure, but you don't have to do it in the most straightforward way. You
 can multiply once, and then add 2p for each hash. The overhead for a
 GPU / FPGA implementation should be negligible, and the search can be
 parallelized as well.

Maybe.  But note that the public exponent is stored at the end of the
public key blob, so updating the exponent (or a piece of it) also
makes generating each hash easier.

 If adding large multiples of p, the nodes can be
 untrusted, too, I guess.

No -- the Euclidean algorithm would break that *very* quickly.


Robert Ransom
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk