Adrian Crenshaw writes: > Hi all, > I was under the impression that the .onion names for Tor Hidden Services > were pseudo-random based on the public key. How was someone able to choose > one/choose some character in one? As an example: > http://silkroadvb5piz3r.onion (hope it is not against policy to post that > link, only example I know. ) How did they choose the first 8 characters?
The basic answer is "try a lot of possibilities on a computer until the one you want comes up"! According to https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt the .onion name is a base32-encoded version of the first 80 bits of the SHA1 of the hidden service public key. base32 is 5 bits per character, so the prefix "silkroad" in the .onion address above is 5×8=40 bits (indeed, exactly half of the 80 bits in the entire .onion name). Choosing the first 40 bits of a hash generally requires trying an average of 2⁴⁰ possibilities; my laptop does about 3-4 million SHA1 operations per second (per CPU core) so it would take me 3-4 days (per CPU core) of computation to try that many possibilities on my laptop. Since hash value searches are completely parallelizable, you can make this arbitrarily faster by adding more computers to the search. Of course this requires being able to change something trivial about the public key when generating the .onion address. (Generating a new public key from scratch would be very time-consuming; making a 1024-bit keypair from scratch on my machine takes around 0.1 second, depending on how lucky the key-generation process gets, which is considerably longer than the 0.0000003 seconds that trying a SHA1 operation requires.) I'm not sure exactly what you would change because I'm not sure what data is (or can be) included in a hidden service public key, but there's probably something you can change without actually needing to make a new keypair. There's a nice description of the possibility of creating a public key with a chosen set of bits at the beginning or end at http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html although note that the Tor hidden service identifiers are 80 bits, while PGP short key IDs are only 32 bits, so it's 2⁴⁸ times as hard to fake a hidden service as it is to make a colliding PGP short key ID. (Full PGP fingerprints are 160 bits.) I first got interested in this when I used to develop a live-CD called LNX-BBC (for "bootable business card"). At that time we were using MD5 checksums on our web site, and I wrote a program to try lots of possibilities so that all of our MD5 values started with "bbcbbc" in hexadecimal (on average only 2²⁴ MD5 attempts). For more on the base32 encoding, see https://en.wikipedia.org/wiki/Base32 -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk