Is it possible to look up the public key for a .onion-address?
.onion addresses are a (partial) hash of a descriptor which contains a public RSA key, so I was wondering: is it possible to see the public key that is found when connecting to a .onion hidden service using Tor?
While in general it is a dangerous idea to use the same cryptographic key for different algorithms, there are many statistical reasons why knowing the public key is interesting. For example, looking for low-entropy keys by checking if the key is used by others or looking for common prime factors.
In theory, it should be just a matter of fetching /tor/rendezvous2/<hidden service identity> via HTTP from the hidden service directory responsible for that hidden service, as per the rend spec, in particular section 1.6.
In practice, you need to find the right server to download it from and then form the request correctly. That's a bit icky to do manually. There is a script by DonnchaC, retrieve_hs_descriptor, which depends on Stem and helps with that part.
As an example, right now the descriptor for the DuckDuckGo hidden service can be found, among other places, at
and looks like this:
    rendezvous-service-descriptor yj446zqor4cczgxzl3kgtmdbfgwkj6de
    version 2
    permanent-key
    -----BEGIN RSA PUBLIC KEY-----
    MIGJAoGBAJ/SzzgrXPxTlFrKVhXh3buCWv2QfcNgncUpDpKouLn3AtPH5Ocys0jE
    aZSKdvaiQ62md2gOwj4x61cFNdi05tdQjS+2thHKEm/KsB9BGLSLBNJYY356bupg
    I5gQozM65ENelfxYlysBjJ52xSDBd8C4f/p9umdzaaaCmzXG/nhzAgMBAAE=
    -----END RSA PUBLIC KEY-----
    secret-id-part a2pcyuhciqsrah34benwufa54aandwzh
    publication-time 2013-10-01 15:59:47
    protocol-versions 2,3
    introduction-points
    -----BEGIN MESSAGE-----
    //OUTPUT CUT
    -----END MESSAGE-----
    signature
    -----BEGIN SIGNATURE-----
    VEToDAxw1X77NwcM6/DG+I3uu8lLlFpI//rUHjLRC0unA7kRp6xY4E6xpcbl4KUX
    EUUkJ3hXhmB3gFAjUkk70IDr5HIP86Z/ZTl6WvbTFWYLUPJQtt08XSmY788FG1lA
    nTnNbqms5Nt5HKsG5khZf5viIuU3ei+u0SIv3gHy3JY=
    -----END SIGNATURE-----
Note that for servers running a Tor version 0.2.4.x or 0.2.3.23 or later, the answer is even trickier. Such servers, when acting as hidden service directories, will require these HTTP requests to be done via an encrypted connection, i.e. over Tor and not using plain-text HTTP. So that makes it a bit more tricky. The easiest approach might be to modify Tor and have it dump HS descriptors when you fetch them.
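An added check (example code written for this page, not the answer's own or Stem's): given a descriptor like the one shown, confirm it really belongs to the address it was fetched for before trusting its key. It extracts the permanent-key, parses the PKCS#1 RSAPublicKey, derives the v2 .onion name as the first 80 bits of SHA-1 over the DER key in base32, and checks the descriptor-id against SHA-1(permanent-id | secret-id-part) as rend-spec-v2 section 1.2 defines it (that formula is this example's assumption, not something the answer states); DESCRIPTOR is the answer's descriptor with the introduction points and signature left out.

```python
import base64, hashlib, re

# Fragment of the example descriptor above (intro points and signature omitted).
DESCRIPTOR = """rendezvous-service-descriptor yj446zqor4cczgxzl3kgtmdbfgwkj6de
permanent-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJ/SzzgrXPxTlFrKVhXh3buCWv2QfcNgncUpDpKouLn3AtPH5Ocys0jE
aZSKdvaiQ62md2gOwj4x61cFNdi05tdQjS+2thHKEm/KsB9BGLSLBNJYY356bupg
I5gQozM65ENelfxYlysBjJ52xSDBd8C4f/p9umdzaaaCmzXG/nhzAgMBAAE=
-----END RSA PUBLIC KEY-----
secret-id-part a2pcyuhciqsrah34benwufa54aandwzh
"""

def permanent_key_der(descriptor):
    """Return the DER-encoded PKCS#1 RSAPublicKey from the permanent-key field."""
    m = re.search(r"-----BEGIN RSA PUBLIC KEY-----\n(.*?)\n-----END RSA PUBLIC KEY-----", descriptor, re.S)
    if not m:
        raise ValueError("descriptor has no permanent-key block")
    return base64.b64decode("".join(m.group(1).split()))

def _der_read(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (contents, next position)."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_params(der):
    """Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } -> (n, e)."""
    seq, end = _der_read(der, 0, 0x30)
    n_bytes, pos = _der_read(seq, 0, 0x02)
    e_bytes, pos = _der_read(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):   # reject trailing bytes: strict DER only
        raise ValueError("trailing data in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def onion_address(der):
    """v2 .onion name: first 80 bits of SHA-1 over the DER key, base32, lower-case."""
    return base64.b32encode(hashlib.sha1(der).digest()[:10]).decode().lower() + ".onion"

def descriptor_id_matches(descriptor):
    """rend-spec 1.2: descriptor-id = H(permanent-id | secret-id-part), permanent-id = H(key)[:10]."""
    desc_id = re.search(r"^rendezvous-service-descriptor (\S+)", descriptor, re.M).group(1)
    secret = re.search(r"^secret-id-part (\S+)", descriptor, re.M).group(1)
    permanent_id = hashlib.sha1(permanent_key_der(descriptor)).digest()[:10]
    expected = hashlib.sha1(permanent_id + base64.b32decode(secret.upper())).digest()
    return base64.b32encode(expected).decode().lower() == desc_id
```

Compare onion_address(permanent_key_der(desc)) with the address you asked the HSDir for; a mismatch means the descriptor (and its key) is not the one for that service, whatever the signature says.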
Otherwise you could use Stem's get_hidden_service_descriptor function. The following Python script will print the HS descriptor for the onion address passed as a command line parameter.
    import sys
    from stem.control import Controller

    # Connect to the local Tor control port (9051) and authenticate; the onion
    # address is the first command line argument, so use sys.argv[1], not sys.argv.
    with Controller.from_port(port = 9051) as controller:
        controller.authenticate()
        print(controller.get_hidden_service_descriptor(sys.argv[1]))
Didn't atagar or other folks make a python tool to fetch and dump hidden service details?
Maybe. I just looked at Tor and adding a dump after the log_debug "Successfully stored rend desc" in rendcommon.c seemed like a straight-forward idea. -- I also looked at the control spec but it seems we don't like talking about hidden services much.
The retrieve_hs_descriptor link is currently dead, but there is https://stem.torproject.org/api/descriptor/hidden_service_descriptor.html.