hidden server that is the original owner of good-stuff.onion. Only
the owner of a matching key can re-establish the link.
The usual problems of timing attacks are also possible in this
world. If a user can control how a rendezvous point re-broadcasts
information to a hidden server, a sophisticated client might be able
to identify a hidden server by noting when the data leaves the
rendezvous point and when it arrives. If the data packets leave and
arrive in a pattern that stands out from the noise, it would be possible
to find a hidden server in much the same way that an eavesdropper
can identify both sides of a communication.
If hidden servers don't introduce enough layers of indirection and
proxied communication, then you might also look to valet nodes.
These replace the directory servers with a cloud of flexible, irregular
servers that know the right introduction points. After a hidden server
negotiates a connection with an introduction point, the introduction
point turns around and finds some valet nodes on its own. The hidden
server doesn't contact a directory server and it doesn't broadcast
its own information. This reduces the weakness posed by a directory
server.
How does the client find a valet node? The information for
connecting with the valet node and the various public keys for
negotiating a tunnel with the introduction point are bundled together and
circulated, perhaps out of the network.
10.7.3 Stopping Bad Users
Bad users of the onion routing network can ruin the reputation of
other users. The Wikipedia, for instance, often blocks TOR exit nodes
completely because some people have used the network to hide their
identities while defacing the wiki's entries. Is it possible to build
up anonymous reputations for users that follow them from visit to
visit, effectively banning the bad user? There are no simple solutions
because there's little way to establish that a new user to the system
isn't someone who acted poorly in the past. But it is possible to put
some hurdles in the way by giving returning users some additional
powers if they present some form of anonymous credentials.
One straightforward solution is to use some form of certificates
signed with a blind signature, a technique that borrows from some
of the early solutions for building anonymous digital cash [SSG97,
DMS03]. When you register, you get an anonymous coin to be spent
redeeming services in the future. If you behave well, you can get a
new coin when you turn in the old one.
Section 12.5.1 uses blind signatures for zero knowledge proofs.
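The register, redeem and reissue cycle described above, sketched as an added example that is not code from the book. It assumes Chaum-style RSA blinding as the blind-signature scheme (the page does not name one); the toy key, the `Server` and `Client` classes and the `behaved` flag are hypothetical names chosen for illustration.

```python
import hashlib, math, secrets

# Toy RSA key built from two known Mersenne primes (assumption for this
# example only; far too small and structured for real use).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # server's private exponent

def h(coin: bytes) -> int:
    """Hash the coin's random serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(coin).digest(), "big") % N

class Server:
    def __init__(self):
        self.spent = set()               # serials already redeemed
    def sign_blinded(self, blinded: int) -> int:
        return pow(blinded, D, N)        # signs without seeing the coin
    def redeem(self, coin: bytes, sig: int, behaved: bool, next_blinded: int):
        """Accept an unspent, validly signed coin; reissue only on good behaviour."""
        if pow(sig, E, N) != h(coin) or coin in self.spent:
            return None                  # forged or double-spent
        self.spent.add(coin)
        return self.sign_blinded(next_blinded) if behaved else None

class Client:
    def new_coin(self):
        """Pick a random serial and return its blinded hash for signing."""
        self.coin = secrets.token_bytes(16)
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break
        return (h(self.coin) * pow(self.r, E, N)) % N
    def unblind(self, blind_sig: int):
        """Strip the blinding factor; the result is an ordinary RSA signature."""
        self.sig = (blind_sig * pow(self.r, -1, N)) % N
        return self.coin, self.sig

def demo():
    server, user = Server(), Client()
    issued = user.new_coin()                       # all the server sees at registration
    coin, sig = user.unblind(server.sign_blinded(issued))
    nxt = user.new_coin()                          # blinded replacement coin
    fresh = server.redeem(coin, sig, True, nxt)    # well-behaved visit
    replay = server.redeem(coin, sig, True, nxt)   # same coin presented again
    coin2, sig2 = user.unblind(fresh)
    banned = server.redeem(coin2, sig2, False, user.new_coin())
    return issued != h(coin), pow(sig2, E, N) == h(coin2), replay, banned
```

The server's registration log holds only `issued`, which differs from the hash it later sees at redemption, so the two events cannot be matched by value. A user flagged as misbehaving gets no replacement coin and must register again as a newcomer.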
For the sake of simplicity, let the coin be some random number,