Is it possible to look up the public key for a .onion-address?

  • I know .onion addresses are a (partial) hash of a descriptor which contains a public RSA key, so I was wondering: is it possible to see the public key that is found when connecting to a .onion hidden service using Tor?

    While in general it is a dangerous idea to use the same cryptographic key for different algorithms, there are many statistical reasons why knowing the public key is interesting. For example, looking for low-entropy keys by checking if the key is used by others or looking for common prime factors.

  • In theory, it should be just a matter of fetching /tor/rendezvous2/<hidden service identity> via HTTP from the hidden service directory responsible for that hidden service, as per the rend spec, in particular section 1.6.

    In practice, you need to find the right server to download it from and then form the request correctly. That's a bit icky to do manually. There is a script by DonnchaC, retrieve_hs_descriptor, which depends on Stem and helps with that part.

    As an example, right now the descriptor for the DuckDuckGo hidden service can be found, among other places, at

    and looks like this:

    rendezvous-service-descriptor yj446zqor4cczgxzl3kgtmdbfgwkj6de
    version 2
    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----
    secret-id-part a2pcyuhciqsrah34benwufa54aandwzh
    publication-time 2013-10-01 15:59:47
    protocol-versions 2,3
    -----BEGIN MESSAGE-----
    -----END MESSAGE-----
    -----BEGIN SIGNATURE-----
    -----END SIGNATURE-----

    Note that for servers running a Tor version 0.2.4.x or later, the answer is even trickier. Such servers, when acting as hidden service directories, will require these HTTP requests to be done via an encrypted connection, i.e. over Tor and not using plain-text HTTP. So that makes it a bit more tricky. The easiest approach might be to modify Tor and have it dump HS descriptors when you fetch them.

    Otherwise you could use Stem's get_hidden_service_descriptor function. The following Python script will print the HS descriptor for the onion address passed as command line parameter.

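    import sys
    from stem.control import Controller

    with Controller.from_port(port = 9051) as controller:
        controller.authenticate()  # authenticate to the local control port
        print(controller.get_hidden_service_descriptor(sys.argv[1]))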
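
An added example, not part of the original answer or of Stem/Tor: a fetched v2 descriptor can be checked against the requested name, because a v2 .onion address is the base32 encoding of the first 80 bits of the SHA-1 digest of the DER-encoded RSA public key. The function names and the sample descriptor (placeholder bytes standing in for a key) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----", re.S)

def permanent_key_der(descriptor: str) -> bytes:
    """Return the DER bytes of the first RSA public key block in a v2 descriptor."""
    match = PEM_RE.search(descriptor)
    if match is None:
        raise ValueError("descriptor has no RSA PUBLIC KEY block")
    body = "".join(match.group(1).split())  # drop line breaks inside the armor
    if not body:
        # e.g. a descriptor pasted with the key material stripped out
        raise ValueError("RSA PUBLIC KEY block is empty")
    return base64.b64decode(body, validate=True)

def onion_from_der(der: bytes) -> str:
    """v2 address: base32 of the first 80 bits of SHA-1 over the DER key."""
    return base64.b32encode(hashlib.sha1(der).digest()[:10]).decode().lower()

def descriptor_matches(descriptor: str, onion: str) -> bool:
    """True when the descriptor's key hashes to the requested .onion name."""
    wanted = re.sub(r"\.onion$", "", onion.strip().lower())
    return onion_from_der(permanent_key_der(descriptor)) == wanted

# Constructed sample: placeholder bytes, not a real RSA key or a real service.
SAMPLE_DER = bytes(range(140))
SAMPLE_DESCRIPTOR = (
    "rendezvous-service-descriptor aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
    "version 2\n"
    "permanent-key\n"
    "-----BEGIN RSA PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END RSA PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    name = onion_from_der(SAMPLE_DER)
    print(name + ".onion", descriptor_matches(SAMPLE_DESCRIPTOR, name + ".onion"))
```

A descriptor whose key does not hash to the name that was asked for should be discarded, whichever directory served it.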

    Didn't atagar or other folks make a python tool to fetch and dump hidden service details?

    Maybe. I just looked at Tor and adding a dump after the log_debug "Successfully stored rend desc" in rendcommon.c seemed like a straight-forward idea. -- I also looked at the control spec but it seems we don't like talking about hidden services much.

    Script linked, answer updated accordingly.

    The retrieve_hs_descriptor link is currently dead, but there is

Licensed under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM