Tor security advisory: Debian flaw causes weak identity keys
arma at mit.edu
Tue May 13 15:55:35 UTC 2008
This is a critical security announcement.
A bug in the Debian GNU/Linux distribution's OpenSSL package was
announced today. This bug would allow an attacker to figure out private
keys generated by these buggy versions of the OpenSSL library. Thus,
all private keys generated by affected versions of OpenSSL must be
considered to be compromised.
Tor uses OpenSSL, so Tor users and admins need to take action in order
to remain secure in response to this problem.
If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
distribution, first follow the instructions at
to upgrade your OpenSSL package to a safe version. If you're running a
Tor server or a Tor hidden service, then also follow the instructions
below to replace your Tor identity keys.
Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
WHO IS AFFECTED:
This advisory applies to Tor 0.2.0.x and/or any Debian/Ubuntu/related
system running _any_ Tor version. Tor clients and servers that are
running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
to do anything.
Specific versions affected: All Tor 0.2.0.x development versions up
through 0.2.0.25-rc, and most Debian/Ubuntu/related users regardless of
A local attacker or malicious directory cache may be able to trick
a client running 0.2.0.x into believing a false directory consensus, thus
(e.g.) causing the client to create a path wholly owned by the attacker.
Further, relay identity keys or hidden service secret keys that were
generated on most versions of Debian, Ubuntu, or other Debian-derived OS
are also weak (regardless of your Tor version):
WHAT TO DO:
First, all affected Debian/Ubuntu/similar users (regardless
of Tor version) should apt-get upgrade to the latest (i.e. today's)
Second, all Tor clients and servers running 0.2.0.x should upgrade to
0.2.0.26-rc. (Again: Tor clients and servers that are running 0.1.2.x
and aren't using Debian/Ubuntu/related don't need to do anything.)
Third, Tor servers and hidden services running on Debian/Ubuntu/related
(regardless of Tor version) should discard their identity keys and
generate fresh ones. To discard your Tor server's keys, delete
the "keys/secret_*" files in your datadirectory (often it is
/var/lib/tor/). To discard your hidden service secret key, delete
the "private_key" file from the hidden service directory that you
configured in your torrc. [This will change the .onion address of your
Due to a bug in Debian's modified version of OpenSSL 0.9.8, all
generated keys (and other cryptographic material!) have a stunningly
small amount of entropy. This flaw means that brute force attacks which
are very hard against the unmodified OpenSSL library (e.g. breaking RSA
keys) are very practical against these keys. See the URL above for
more information about the flaw in Debian's OpenSSL packages.
While we believe the v2 authority keys (used in Tor 0.1.2.x) were
generated correctly, at least three of the six v3 authority keys (used
in Tor 0.2.0.x) are known to be weak. This fraction is uncomfortably
close to the majority vote needed to create a networkstatus consensus,
so the Tor 0.2.0.26-rc release changes these three affected keys.
Relay identity keys and hidden service secret keys generated in this
flawed way are also breakable. That is, any encryption operations with
respect to a weak-key relay (including link encryption and onion
encryption) can be easily broken, and their descriptors can be easily
forged. Soon we will begin identifying weak-key relays and cutting them
out of the network. (We will likely put out another release in a few
days with a new identity key for our bridge authority; we apologize for
the inconvenience to our bridge users.)
Finally, while we don't know of any attacks that will reveal the
location of a weak-key hidden service, an attacker could derive its
secret key and then pretend to be the hidden service.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
More information about the tor-announce