58

.onion addresses normally should be made of a base32 string of the first 80 bits of the SHA1 hash of the private key of the server (see .onion address specification).

Today I ran into a service which clearly doesn't have an arbitrary address: http://sms4tor3vcr2geip.onion/

How does that work and is it secure?

  • 1
    It is actually an encoding of a hash of the PUBLIC key, not private, per the spec you linked ("a base32 encoding of a 10-octet hash of Bob's service's public key"). – Ryan Tate Apr 22 '16 at 16:09
  • I don't seem to be able to submit a new answer to this old question, but the current standard for onion addresses has progressed to version 3, which are more secure, and are much longer. An example of the new format would be compasshoptbngkg7yjeur6fl7izfiodsqgfjfdaxccsnpptyvkz2uid.onion and these are generated using the mkp224o utility downloadable from https://github.com/cathugger/mkp224o. Instructions for compiling and running this on linux (like my Raspberry PI 4) are at https://reviewer.ablative.website/post/tor-onion-v3-vanity-address/ – DavesPlanet Dec 14 '21 at 23:54
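As an added example (this code is not from the thread, from Tor, or from mkp224o), here is what the v3 format mentioned in the comment above actually encodes. Per Tor's rend-spec-v3, a fact not spelled out on this page, a v3 address is base32(PUBKEY || CHECKSUM || VERSION) plus ".onion", where PUBKEY is the 32-byte ed25519 public key, VERSION is the single byte 0x03 and CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION); that is 35 bytes, hence the 56-character host name. The checksum is what lets a client reject a mistyped or altered address before it ever looks it up, something the 16-character v2 form cannot do. The public key used below is a constructed 32-byte value, not a real ed25519 key.

```python
import base64
import hashlib

# Constants from Tor's rend-spec-v3 (stated here as facts, not taken from the page).
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
V3_HOST_LEN = 56  # base32 of 32 + 2 + 1 = 35 bytes, no padding


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_v3_raw(pubkey: bytes, checksum: bytes, version: bytes) -> str:
    """base32(PUBKEY || CHECKSUM || VERSION) + ".onion"; no validation, so a caller
    can deliberately build a bad address to see the parser reject it."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def onion_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return encode_v3_raw(pubkey, onion_v3_checksum(pubkey), ONION_V3_VERSION)


def parse_onion_v3(address: str):
    """Decode a v3 address and verify its version byte and checksum.

    Returns the 32-byte public key, or None when the address has the wrong
    length, contains non-base32 symbols, carries an unexpected version byte,
    or fails the checksum (a mistyped or altered address)."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != V3_HOST_LEN:
        return None
    try:
        raw = base64.b32decode(host, casefold=True)
    except Exception:  # binascii.Error on symbols outside a-z2-7
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def demo_pubkey() -> bytes:
    """Constructed 32-byte stand-in for an ed25519 public key (NOT a real key)."""
    return hashlib.sha256(b"constructed demo key, not real").digest()


if __name__ == "__main__":
    addr = onion_v3_address(demo_pubkey())
    print(addr, "->", "valid" if parse_onion_v3(addr) == demo_pubkey() else "invalid")
```

Note what the checksum does and does not buy you: it catches corruption of a copied address, not impersonation. A vanity generator such as mkp224o simply keeps generating key pairs until the base32 of the public key starts with the wanted letters, and every address it emits has a correct checksum, so the look-alike problem discussed in the answers below applies to v3 just as much; the full 56 characters still have to be compared.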

5 Answers

69

Shallot is an older program, there are newer alternatives available now:

Scallion - uses GPU hashing, needs .NET or Mono: http://github.com/lachesis/scallion

Eschalot - uses wordlist search, needs Unix or Linux: http://blacksunhq56imku.onion

Eschalot can find longer human-readable names like seedneedgoldcf6m.onion, hostbathdarkviph.onion, etc.

The performance chart quoted above is a bit obsolete now, 8-10 character long .onions are easy enough to find.

There was a discussion back in the day, when shallot first surfaced, about whether custom names for hidden services are bad or not.

Problem number one: generated keys have a much larger public exponent than the standard keys produced by TOR, which puts a somewhat higher load on the TOR relays.

Answer: it was concluded that the difference is negligible compared to the other encryption tasks the relays perform constantly. In eschalot, the largest public exponent is limited to 4294967295 (4 bytes).

Problem number two: TOR developers can decide to filter and block all the custom names.

Answer: yes, they can, but they have not yet and there is really no reason for them to do so. They can just as easily change the standard for the random names too and cause chaos and mass exodus on the network.

Problem number three: generated names are easily spoofed, since the visitor clicking on a link somewhere out there can be tricked by the seemingly right .onion prefix without checking the whole thing. To demonstrate, which one is the real SilkRoad?

silkroada7bc3kld.onion
silkroadqksl72eb.onion
silkroadcqgi4von.onion
silkroady3c2vzwt.onion
silkroadf3drdfun.onion
silkroadbdcmw7rj.onion

Answer: none of them, I generated all of them to demonstrate the problem. If you recognized that those were all fakes, you probably spend more time on the SilkRoad than I care to know about :).

To be fair, completely random addresses are even worse - if somebody edits one of the onion links wikis and replaces one random address with another, the casual visitor using that wiki would not know the difference.

Solution: it's essentially up to the person to pay attention to which site he is really visiting, but the site owner can create a human readable address that is easier to remember, even if it's completely random gibberish. As long as it's long and easy to memorize and identify. Some examples:

fledarmyusertvmu.onion
wifefeelkillwovk.onion
ladyfirehikehs66.onion
woodcubabitenem2.onion

I did not spend the time to intentionally generate good names, just picked some from the list I had left after testing eschalot. With a (very) large wordlist, unique looking names are easy to generate, but it will take time to go through the results and manually locate the ones that are decent.

Well, that was my opinion and it could be wrong.

-- Hiro

Hiro
  • 706
  • 5
  • 2
  • The eschalot link seems to be down... any other place to obtain this program? –  Jul 19 '13 at 16:07
  • Found eschalot: skunksworkedp2cg.onion It has a link to the eschalot source code, I didn't test it yet. –  Jan 18 '15 at 20:17
  • @nus: There is also a github clone: https://github.com/ReclaimYourPrivacy/eschalot – serv-inc Dec 29 '15 at 17:39
  • The clone is current, the onion link above is dead, but there is a mirror: http://nope7beergoa64ih.onion/eschalot/ – serv-inc Dec 30 '15 at 10:10
9

You can use brute force to find a key that partly matches the hash you want. One tool for this is Shallot. The readme of Shallot says this about the security:

It is sometimes claimed that private keys generated by Shallot are less secure than those generated by Tor. This is false. Although Shallot generates a keypair with an unusually large public exponent e, it performs all of the sanity checks specified by PKCS #1 v2.1 (directly in sane_key), and then performs all of the sanity checks that Tor does when it generates an RSA keypair (by calling the OpenSSL function RSA_check_key).

To get an idea of the time involved in generating with Shallot, also from the readme:

Time to Generate a .onion with a Given Number of Initial Characters on a 1.5 GHz Processor:

characters | time to generate (approx.)
-----------+---------------------------
1          | less than 1 second
2          | less than 1 second
3          | less than 1 second
4          | 2 seconds
5          | 1 minute
6          | 30 minutes
7          | 1 day
8          | 25 days
9          | 2.5 years
10         | 40 years
11         | 640 years
12         | 10 millennia
13         | 160 millennia
14         | 2.6 million years
Johan Nilsson
  • 221
  • 1
  • 4
  • 4
    Possibly a stupid question, but what happens when there are collisions? – Stephen Touset Jan 31 '13 at 22:53
  • 1
    someone can impersonate your site if they manage to generate the same private key... –  Feb 01 '13 at 00:49
  • 1
    You can see from the table above that matching all 16 would be quite a feat. – David Schwartz Feb 01 '13 at 03:13
  • 6
    some obscure government agencies have more than one 1.5Ghz processors at their disposal though... –  Apr 20 '14 at 03:40
  • 7
    >> https://facebookcorewwwi.onion/. It didn't take millennia to generate – balki Jun 04 '15 at 13:25
  • 1
    666 million years for 16 characters. Or less than one year with a billion cores. A billion cores is a lot, but it's probably just on the edge of feasibility for someone like the NSA. – user253751 Aug 07 '15 at 07:36
  • @DavidSchwartz, with GPU acceleration, not so much. A ballpark estimate is that Scallion could generate any given 16-character address using modern GPUs in around 600,000 GPU-years -- well within the capabilities of a three-letter agency, or someone like Google or Amazon. – Mark May 26 '16 at 20:44
  • @balki Facebook people said multiple times they were just very lucky, e.g. http://archives.seul.org/tor/talk/Oct-2014/msg00433.html. The "corewwwi" doesn't really make *that* much sense, could easily be a result of a wordlist search. – The Vee Aug 03 '16 at 14:26
  • There are 2^80 combinations for a full key. An NVIDIA GTX 1070 gives 4140 MH/s or around 15 TH/h, which is roughly 2^44 h/h. It takes around 0.15 kW, 1 kWh costs $0.10, so one hour costs around $0.015/h. We need 2^36 hours, so the total cost of electricity will be a bit higher than $1b. Cooling will probably take many times this amount, but let's leave it at that. – stroncium Dec 19 '16 at 06:55
  • If we want to perform the task in 1 year, which is 8760 hours, we will need around 8m video cards. Each video card costs around $400, so we also need $3.2b to buy video cards. It is also important to note that a huge percentage of them probably won't last even close to one year of 24/7 computations, so it is somewhat safe to multiply it by 1.5, giving us 12m GPUs and a $5b price. 8m GPUs will require 1.2GW of power. It is around the output of a big nuclear power plant. – stroncium Dec 19 '16 at 06:56
  • Estimated total number of high-end GPUs sold in 2014 was around 3m. I doubt it will be possible to buy all the GPUs (especially without attracting everyone's attention), and it also takes years to scale production. So I guess it's safe to assume you will need around 8-16 years to acquire the required number of GPUs (while buying 25-50% of the volume produced). We should include the building of a datacenter for that system in the price, but let's leave that to future enthusiasts. – stroncium Dec 19 '16 at 06:57
  • All in all we are speaking of a project taking at least 10 years, requiring a specially architected large-scale building and a personal nuclear power plant. In the process of creating it we will buy half of all high-end GPUs produced every year for 8 years. The cost of GPUs and electricity itself will be around $7b. If we ever want to repeat the process, we will need another huge sum, around $5b. – stroncium Dec 19 '16 at 06:57
  • In "600,000 GPU-years" does this refer to GPU-core-years in the same way "1 CPU-second" means use of one CPU core over a second? The GTX 1070 has almost 2000 total SIMD, so in that case the figure goes to "300 GTX 1070-years" – jli Oct 14 '17 at 05:23
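As an added example (not from the thread, from Shallot or from eschalot), here is the v2 derivation the question asks about together with the exponent-walking search behind Hiro's "problem number one" and the Shallot readme quoted above. The address is the lower-cased base32 of the first 10 bytes of SHA1 over the DER-encoded PKCS#1 RSAPublicKey, a SEQUENCE of the modulus and the public exponent (so it is the public key that is hashed, as Ryan Tate's comment on the question notes, not the private key). Keeping the modulus fixed and walking the public exponent gives a fresh candidate address per SHA1 call with no new key generation, which is why a "lucky" key ends up with an unusually large e and why eschalot caps e at 4 bytes. Base32 symbols are uniform, so a k-character prefix costs about 32^k hashes on average, the scaling the table above reflects. The modulus below is a constructed 1024-bit odd integer, not a real RSA key; a real generator keeps p and q so it can derive d for whichever e wins.

```python
import base64
import hashlib


def constructed_modulus() -> int:
    """A 1024-bit odd integer built from a fixed seed, standing in for an RSA
    modulus. It is NOT a real RSA key (no p, q or d exist for it); it is only
    here so the hashing and the search run offline and deterministically."""
    digest = b"".join(hashlib.sha256(b"onion-demo-%d" % i).digest() for i in range(4))
    return int.from_bytes(digest, "big") | (1 << 1023) | 1


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02) for a non-negative value; a leading 0x00 keeps the
    two's-complement sign bit clear when the top bit of the magnitude is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER },
    i.e. what OpenSSL's i2d_RSAPublicKey emits and what Tor hashes for v2."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_v2_address(n: int, e: int) -> str:
    """v2 address: lower-case base32 of the first 80 bits (10 bytes) of
    SHA1(DER(RSAPublicKey)); 16 characters, ".onion" suffix not included."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def vanity_search(n: int, prefix: str, e_start: int = 65537, e_max: int = 2**32 - 1):
    """Shallot/eschalot-style search: keep the modulus fixed and walk odd public
    exponents until the address starts with prefix. Each step is one DER encode
    plus one SHA1, not a key generation, which is why the winning key carries an
    unusually large e. Returns (e, address, attempts), or None if e_max (the
    4-byte limit eschalot uses, by default) is reached first."""
    e = e_start | 1
    attempts = 0
    while e <= e_max:
        attempts += 1
        addr = onion_v2_address(n, e)
        if addr.startswith(prefix):
            return e, addr, attempts
        e += 2
    return None


if __name__ == "__main__":
    n = constructed_modulus()
    print("e=65537 ->", onion_v2_address(n, 65537))
    # Expected work for a k-character prefix is about 32**k hashes; "ab" needs ~1024.
    print("search  ->", vanity_search(n, "ab"))
```

Two practical notes. First, the search space is the exponent, not the hash: whoever holds the factors of n can turn any winning e into a full key pair, which is exactly why a fixed modulus with a huge e is still a valid RSA key as long as the PKCS#1 checks the readme mentions pass. Second, the 80-bit truncation is what makes both the vanity search and the spoofing problem in Hiro's answer possible; only comparing the entire 16 characters tells two addresses apart.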
2

Adding to Johan Nilsson's answer (as I can't post comments): It seems that even 13-character named .onion URLs have been created, a comment on this Tor blog entry mentions a 13-character onion URL: deeproadworksbwj.onion (don't connect to it, I don't know what it is or if it's good).

1

These links for eschalot are current as of this post:

The original link seems dead (as also confirmed by the second eschalot source). If you would rather do the search yourself:

serv-inc
  • 451
  • 1
  • 4
  • 11
1

I presume that they simply brute-force the private key generation, discarding the ones which do not have the desired properties.

Since it's only 7 characters at the beginning which I guess they wanted, it can't be too computationally expensive?

Tinned_Tuna
  • 1,018
  • 7
  • 12
  • any idea of how computationally expensive? –  Jan 27 '13 at 21:52
  • 3
    7 Chars in Base32 = 32^7 bits of entropy, so you'd need to search (on average) 32^6 (About 1 billion). So, take your average time to compute a key for TOR and times it by a billion. – Tinned_Tuna Jan 28 '13 at 00:10
  • 2
    These names are generated in almost the same way that novelty tripcodes are generated on image boards like 4chan. – Tom Marthenal Jan 31 '13 at 04:23