Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

proposal 114: changed descriptor format, key length discussion, typos

svn:r10413
Karsten Loesing 18 years ago
parent
1cb1ebbfe0
commit
07ed34aadb
1 changed files with 27 additions and 24 deletions
Unified View Show Diff Stats
  1. 27 24
      doc/spec/proposals/114-distributed-storage.txt

+ 27 - 24
doc/spec/proposals/114-distributed-storage.txt
View File 

@@ -10,6 +10,7 @@ Change history:
 
 
 
   13-May-2007  Initial proposal
 
   13-May-2007  Initial proposal
 
   14-May-2007  Added changes suggested by Lasse Overlier
 
   14-May-2007  Added changes suggested by Lasse Overlier
 
+  30-May-2007  Changed descriptor format, key length discussion, typos
 
 
 
 Overview:
 
 Overview:
 
 
 
@@ -216,15 +217,16 @@ Design:
 
     date, and "cookie" is a shared secret between the hidden service provider
 
     date, and "cookie" is a shared secret between the hidden service provider
 
     and its clients. (The "time-period" should be constructed in a way that
 
     and its clients. (The "time-period" should be constructed in a way that
 
     periods do not change at the same moment for all descriptors by including
 
     periods do not change at the same moment for all descriptors by including
 
-    the "permanent-id" in the construction.) Amonst other things, the
 
+    the "permanent-id" in the construction.) Amongst other things, the
 
     descriptor contains the public key of the hidden service provider, the
 
     descriptor contains the public key of the hidden service provider, the
 
     value of h(time-period + cookie), and the signature of the descriptor
 
     value of h(time-period + cookie), and the signature of the descriptor
 
     content with the private key of the hidden service provider.
 
     content with the private key of the hidden service provider.
 
 
 
     The introduction points that are included in the descriptor are encrypted
 
     The introduction points that are included in the descriptor are encrypted
 
     using a key that is derived from the same shared key that is used to
 
     using a key that is derived from the same shared key that is used to
 
-    generate the descriptor ID. [usage of a derived key as encryption key
 
+    generate the descriptor ID. [correction to use another key than
 
-    instead of the shared key itself suggested by LO]
 
+    h(time-period + cookie) as encryption key for introduction points made by
 
+    LO]
 
 
 
     A new text-based format is proposed for descriptors instead of an
 
     A new text-based format is proposed for descriptors instead of an
 
     extension of the existing binary format for reasons of future
 
     extension of the existing binary format for reasons of future
 
@@ -238,8 +240,8 @@ Design:
 
         h(time-period + cookie)
 
         h(time-period + cookie)
 
         timestamp
 
         timestamp
 
         {
 
         {
 
-          list of (introduction point IP, port, public service key)
 
+          list of intro points (ID, IP, onion port, onion key, service key)
 
-        } encrypted with h(time-period + cookie + 'introduction')
 
+        } encrypted with cookie
 
       } signed with permanent-private-key
 
       } signed with permanent-private-key
 
 
 
     A hidden service directory can verify that a descriptor was created by the
 
     A hidden service directory can verify that a descriptor was created by the
 
@@ -331,7 +333,7 @@ Specification:
 
 
 
   The proposed changes affect multiple sections in several specification
 
   The proposed changes affect multiple sections in several specification
 
   documents that are only mentioned in the following. The detailed
 
   documents that are only mentioned in the following. The detailed
 
-  specification will follow as soon as the design decision above are final.
 
+  specification will follow as soon as the design decisions above are final.
 
 
 
   dir-spec-v2.txt
 
   dir-spec-v2.txt
 
 
 
@@ -392,24 +394,25 @@ Implementation:
 
 
 
   There are three key lengths that might need some discussion:
 
   There are three key lengths that might need some discussion:
 
 
 
-    1) desciptor-id, formerly known as onion address: It is generated by OPs
 
+    1) descriptor-id, formerly known as onion address: It is generated by OPs
 
        internally and used for storing and looking up descriptors. There is no
 
        internally and used for storing and looking up descriptors. There is no
 
        need to remember a descriptor-id for a human. In order to reduce
 
        need to remember a descriptor-id for a human. In order to reduce
 
-       the success rate of collisions it could be extended to 256 bits instead
 
+       the success rate of collisions it could be extended to the full output
 
-       of 80 bits. This requires a secure hash function with an output of 256
 
+       of SHA-1 of 160 bits instead of 80 bits. [extending the descriptor-id
 
-       instead of 160 bits, e.g. SHA-256. [extending the descriptor-id length
 
+       length suggested by LO]
 
-       from 80 to 256 bits suggested by LO]
 
+
 
-
 
+    2) permanent-id: This is the first part of the onion address that a client
 
-    2) permanent-id: This is the first half of the onion address that a client
 
+       passes to his OP. The overall onion address should be easy to memorize.
 
-       passes to his OP. The onion address should be easy to memorize.
 
+       Therefore, its overall length should only be extended from the existing
 
-       Therefore, the overall length of an onion address should not be
 
+       80 bits to as few bits as necessary. The length of the permanent-id has
 
-       extended over the existing 80 bits, so that 40 bits is the maximum
 
+       an influence on the probability that an adversary creates an own key
 
-       length of the permanent-id. However, the question remains open, if an
 
+       pair that leads to the same descriptor-id in a given time-period as an
 
-       onion address of 40+40=80 bits can generate a descriptor-id with enough
 
+       honest service's key. 32 bits should provide sufficient protection to
 
-       entropy to justify 256 instead of 80 bits. Otherwise, the onion address
 
+       avoid collisions, given the fact that key generation is expensive and
 
-       would need to be extended to 128, 160, 224, or 256 bits, making it
 
+       the attack needed to be performed for every time-period.
 
-       harder to memorize for human-beings.
 
+
 
-
 
+    3) cookie: This is the second part of the onion address that is passed to
 
-    3) cookie: This is the second half of the onion address that is passed to
 
+       an OP. In order to provide confidentiality of introduction points, this
 
-       an OP. It should have the same size as permanent-id.
 
+       secret key should have 128 bits. In total, this leads to an onion
 
+       address of 160 bits instead of the current 80 bits.