<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:287471781;
mso-list-type:hybrid;
mso-list-template-ids:834573942 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:572088652;
mso-list-type:hybrid;
mso-list-template-ids:-1928853600 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">The 40-bit attack only applies in a scenario like the following:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">I generate 2^40 RSA key pairs. I now (probably) have two RSA key pairs with the same 80-bit URL.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">I convince someone to use one of the two as their hidden service name.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I now have a second RSA key pair that can masquerade as the first. But that’s not horribly useful to me, as I also have the first key pair as well! I can convince them to use the key I generated (#2), without
having to first generate a collision, and achieve the same result.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">There is an actual issue (the pre-image attack), where I just generate key pairs until I do collide, but:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">That’s 2^80 / #hiddenservices key pairs. That’s a lot.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">I have no control over which hidden service I accidentally collide with.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If hidden services become widely used and there are lots of them, this conceivably becomes an issue sometime in the future, which is why I expressed concern about it on the management call. It really is time
for the Tor folks to fix this before it becomes a problem.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">But the existing state of the .onion world is so bad, that allowing EV certificates and HTTPS for Tor is a significant improvement. The size and potential weakness of the onion hashes merit continuing attention,
and perhaps a timeline to phase them out, but they’re not a practical attack today.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>kirk_hall@trendmicro.com<br>
<b>Sent:</b> Thursday, February 12, 2015 5:19 PM<br>
<b>To:</b> Gervase Markham; Jeremy Rowley (jeremy.rowley@digicert.com); Ben Wilson (Ben.Wilson@digicert.com)<br>
<b>Cc:</b> CABFPub (public@cabforum.org)<br>
<b>Subject:</b> Re: [cabfpub] Ballot 144 -.onion domains<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">Responding to both Ryan and Gerv.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Ryan -- you are correct that concerns (1) and (2) are related -- (1) relates to accidental clashes that give different customers the same domain. Gerv -- you are right, the change is extremely small -- but giving the same domain to
different customers is something not allowed today, so it would be quite a change to allow it.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">This link has some information on the subject, but I really don’t understand the explanation of why clashes aren’t a concern.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames">https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames</a>
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On (2) – this concern is of an intentional clash created by a hacker for evil purpose – a much more serious issue. I notice that in Facebook’s existing .onion cert, they managed to get the following .onion domain:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">*.m.facebookcorewwwi.onion<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">See screen shot below or attached.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I’m sure that didn’t happen randomly, so there must have been some very serious computing that happened to get that particular 16 digit “random” hash of a Facebook public key,
<u>facebookcorewwwi</u>. If Facebook can reverse engineer to get that .onion domain, couldn’t a hacker (or googlegoogle.onion, for another example) do the same and get a duplicate cert with the same domain?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><img border="0" width="419" height="521" id="Picture_x0020_1" src="cid:image001.png@01D046E8.B2667340"><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Gervase Markham [<a href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>]
<br>
Sent: Thursday, February 12, 2015 1:41 PM<br>
To: Kirk Hall (RD-US); Jeremy Rowley (<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>); Ben Wilson (<a href="mailto:Ben.Wilson@digicert.com">Ben.Wilson@digicert.com</a>)<br>
Cc: CABFPub (<a href="mailto:public@cabforum.org">public@cabforum.org</a>)<br>
Subject: Re: [cabfpub] Ballot 144 -.onion domains<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 12/02/15 20:43, <a href="mailto:kirk_hall@trendmicro.com">
<span style="color:windowtext;text-decoration:none">kirk_hall@trendmicro.com</span></a> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> For example, Evil Corp. and Angel Corp. could each submit a request
<o:p></o:p></p>
<p class="MsoPlainText">> for a .onion cert and get the same domain: _[same 16 digit hash of
<o:p></o:p></p>
<p class="MsoPlainText">> their public keys].onion_ if their public keys hash to the same value.
<o:p></o:p></p>
<p class="MsoPlainText">> One cert would say O=Evil Corp. the other would say O=Angel Corp., so
<o:p></o:p></p>
<p class="MsoPlainText">> that a .onion domain would not be uniquely identified with one
<o:p></o:p></p>
<p class="MsoPlainText">> subject. While unlikely, it could happen.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Have you been able to put a figure on the likelihood of this occurrence?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I think I could calculate it, but I'm interested in what figure you came up with that led to your concern.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> (2) Does this also create an opportunity for a hacker? For example,
<o:p></o:p></p>
<p class="MsoPlainText">> one of the .onion domains in the SANs field of the Facebook cert you
<o:p></o:p></p>
<p class="MsoPlainText">> created is _*.xx.fbcdn23dssr3jqnq.onion_ – could a hacker create a
<o:p></o:p></p>
<p class="MsoPlainText">> public key that would hash to the same value in order to get a cert
<o:p></o:p></p>
<p class="MsoPlainText">> with the same .onion domain and imitate the Facebook cert? (This is
<o:p></o:p></p>
<p class="MsoPlainText">> maybe the more serious case.)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Being able to create some text which hashes to a specific, defined value that you are targeting would be what's called a Preimage attack:<o:p></o:p></p>
<p class="MsoPlainText"><a href="http://en.wikipedia.org/wiki/Preimage_attack"><span style="color:windowtext;text-decoration:none">http://en.wikipedia.org/wiki/Preimage_attack</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">SHA-1 has no known preimage attacks.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Tor .onion names use 80 bits of the SHA-1 hash, which is not the full hash, so it's possible that they might be slightly easier to attack.<o:p></o:p></p>
<p class="MsoPlainText">While there are no known attacks, my understanding is that the Tor people are looking at moving to SHA-256 as a precautionary measure.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> (3) Another concern is there is no central registry to identify the
<o:p></o:p></p>
<p class="MsoPlainText">> owner of a .onion domain (of course, there could be multiple owners of
<o:p></o:p></p>
<p class="MsoPlainText">> the domain under the scenario above). If there is no Subject info in
<o:p></o:p></p>
<p class="MsoPlainText">> the O field, etc., with no registry there is no real way to contact
<o:p></o:p></p>
<p class="MsoPlainText">> the domain (or cert owner).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">.onion certs are going to be EV, right? So they would have Subject info in the O field.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
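<p class="MsoNormal">Added example, not part of the original thread: a scaled-down measurement of the two scenarios discussed above (any two of one's own keys colliding, versus hitting one of the names that already exist), plus the corresponding order-of-magnitude figures for 80-bit names. Assumptions: constructed byte strings stand in for encoded public keys, names are truncated to 20 bits so the loops finish quickly, and the service counts are constructed.</p>

```python
import base64
import hashlib
import math

def onion_name(pubkey_der: bytes) -> str:
    """16-character name: base32 of the first 80 bits of SHA-1(public key)."""
    return base64.b32encode(hashlib.sha1(pubkey_der).digest()[:10]).decode().lower()

def short_id(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data): a scaled-down stand-in for the 80-bit name."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def fake_key(label: str, i: int) -> bytes:
    # Constructed stand-in for a freshly generated key encoding (not a real RSA key).
    return f"{label}/{i}".encode()

def trials_until_any_collision(bits: int, label: str) -> int:
    """Scenario 1: generate keys until ANY two of our own keys share a name."""
    seen = set()
    i = 0
    while True:
        i += 1
        sid = short_id(fake_key(label, i), bits)
        if sid in seen:
            return i
        seen.add(sid)

def trials_until_hit(bits: int, n_services: int, label: str) -> int:
    """Scenario 2: generate keys until one matches any of n existing names."""
    existing = {short_id(fake_key("svc-" + label, j), bits) for j in range(n_services)}
    i = 0
    while True:
        i += 1
        if short_id(fake_key(label, i), bits) in existing:
            return i

def expected_work_log2(bits: int, n_services: int):
    """Order of magnitude, as log2(keys): (scenario 1, scenario 2)."""
    return bits / 2, bits - math.log2(n_services)

def mean_trials(fn, runs: int, *args) -> float:
    """Average trial count over several independent constructed key streams."""
    return sum(fn(*args, f"run{r}") for r in range(runs)) / runs

if __name__ == "__main__":
    print("sample name:", onion_name(b"constructed sample key bytes"))
    print("20-bit names, any collision:", mean_trials(trials_until_any_collision, 10, 20))
    print("20-bit names, hit 1 of 16:  ", mean_trials(trials_until_hit, 5, 20, 16))
    # 1024 is a constructed service count, used only to show the scaling.
    print("80-bit names, 1024 services:", expected_work_log2(80, 1024))
```

<p class="MsoNormal">At 20 bits the first count lands near 2^10 and the second near 2^20 / 16, the same square-root versus linear gap as 2^40 versus 2^80 / #hiddenservices at the real name length.</p>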
</div>
</body>
</html>