On Fri, Nov 28, 2014 at 03:22:18PM +0000, Steven Murdoch wrote: > On 24 Nov 2014, at 18:54, Tom Ritter <t...@ritter.vg> wrote: > > > Attached is a document written in the specification format for one > > aspect of CA-signed .onion addresses - specifically a "What is a safe > > way to sign (or not sign) a statement using the .onion key" It > > presents a couple options - I'd love to get feedback from folks on > > which they prefer. > > An alternative scheme could be to take advantage of the fact that Tor > does not RSA sign the descriptor itself but a SHA-1 hash of the > descriptor. So if the signature for the purpose of getting a CA to > accept the request uses a different hash function then there should > not be any confusion. > > For example, rather than using the SHA-1 hash, use the SHA-1 HMAC > under a hard-coded “key”. For the attacker to abuse this signature > they would need to find a document which hashes to the same thing. > This sounds like (but should be checked) to have the same difficulty > as performing a collision attack (2^80 best case, 2^60 using > cryptanalytic attacks). > > A convenient result of this scheme is that changing the “key” lets the > same onion key be used for other purposes, and if the key is well > chosen then the chances of someone using the same approach is > negligible.
While finding M1 and M2 such that SHA-1-HMAC(k1,M1) = SHA-1-HMAC(k2,M2) should be difficult for k1 \not= k2, even when k1 and k2 are known, it is easy to find M2 (given k1 and M1) such that SHA-1-HMAC(k1,M1) = SHA-1(M2), by the construction of HMAC, right? Something like: M2 = (k1 \xor opad) || SHA-1[ (k1 \xor ipad) || M1 ] ? So I think the above is dangerous. - Ian _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev