Backward decryption of Tor traffic after Debian OpenSSL bug disclosure
Roger Dingledine
arma at mit.edu
Sat May 24 04:06:19 UTC 2008
On Fri, May 16, 2008 at 09:39:29PM +0400, unknown_x at Safe-mail.net wrote:
> // Backward decryption of Tor traffic after Debian OpenSSL bug disclosure
>
> Let some passive adversary have records of traffic between a user's Debian
> GNU/Linux Tor client and servers of the Tor network (a lot of them Debian too).
> The records are dated 2006 to May 2008.
>
> Now the Debian OpenSSL PRNG bug is disclosed. All ~250000 "pseudorandom" values are known.
>
> Is it possible for the adversary to use this data to partially decrypt the
> recorded and stored user traffic after the fact?
Yes.
> From the predicted states of the broken PRNG he can compute Diffie-Hellman params,
> reconstruct ephemeral keys and extract the session AES keys between nodes in a circuit
> if two nodes of the circuit have broken PRNGs.
>
> Is it real? Or is the OpenSSL PRNG used in Tor for generating auth keys only and not
> for session key material?
It's real.
I've just added two more paragraphs to
https://blog.torproject.org/blog/debian-openssl-flaw%3A-what-does-it-mean-tor-clients%3F
to try to make it clearer:
Worse, this attack works against past traffic too: what if an attacker
logged traffic over the past two years? As long as there's a single
non-weak non-colluding Tor relay in your circuit, you're fine --
that relay will provide encryption that the attacker can't break,
then or now. But if you ever picked a path that consisted entirely of
relays with broken RNGs, and an attacker logged this traffic, then he
can unwrap the traffic from his logs using the same approach as above.
Similarly, if anybody has logs of traffic coming out of a Debian
or Ubuntu Tor client, they can strip it of its encryption, and thus
retroactively break the anonymity.
Now, it would take some work to write the program to sort it all out,
walk all the computations backwards, etc. But we would like to have better
security than "let's hope nobody writes the program that breaks it".
Bad stuff,
--Roger
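As an added illustration, not part of Roger's reply or of Tor's own code, the following constructed Python model shows why a hop's session key is recoverable from logged traffic when either endpoint's DH exponent came from a predictable PRNG, and why the whole circuit is unwrapped only when every hop is. It reduces Tor's handshake to bare Diffie-Hellman (ignoring the RSA onion-key wrapping and the TLS link layer) and uses a toy group and a toy seed space whose size is an assumption, not the real count.

```python
import hashlib
import secrets
from typing import Optional

# Constructed toy group for illustration only; Tor's handshake used a 1024-bit MODP group.
P = 2**127 - 1
G = 5
SEED_SPACE = 2**15  # constructed stand-in for the small set of PRNG states the bug left

def weak_exponent(seed: int) -> int:
    """DH exponent from a 'PRNG' whose entire output is fixed by a small seed (e.g. a PID)."""
    return int.from_bytes(hashlib.sha256(seed.to_bytes(4, "big")).digest(), "big") % (P - 1) or 1

def strong_exponent() -> int:
    return secrets.randbelow(P - 2) + 1

def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

# Built once from the public seed space: every public value a broken party could ever send.
WEAK_TABLE = {}
for _seed in range(SEED_SPACE):
    _x = weak_exponent(_seed)
    WEAK_TABLE[pow(G, _x, P)] = _x

def handshake(client_weak: bool, relay_weak: bool, seeds=(7, 11)):
    """One hop's DH exchange: returns what a logger sees (g^x, g^y) and the real hop key."""
    x = weak_exponent(seeds[0]) if client_weak else strong_exponent()
    y = weak_exponent(seeds[1]) if relay_weak else strong_exponent()
    gx, gy = pow(G, x, P), pow(G, y, P)
    return (gx, gy), session_key(pow(gy, x, P))

def observer_recover(transcript) -> Optional[bytes]:
    """Passive observer with only the logged public values and the precomputed weak table."""
    gx, gy = transcript
    if gx in WEAK_TABLE:  # client's exponent was predictable
        return session_key(pow(gy, WEAK_TABLE[gx], P))
    if gy in WEAK_TABLE:  # relay's exponent was predictable
        return session_key(pow(gx, WEAK_TABLE[gy], P))
    return None  # both sides had real entropy: this hop stays sealed

def circuit_exposed(client_weak: bool, relays_weak):
    """Per hop, whether logged traffic can be unwrapped; all True means the whole circuit is."""
    result = []
    for i, rw in enumerate(relays_weak):
        transcript, real_key = handshake(client_weak, rw, seeds=(100 + i, 200 + i))
        result.append(observer_recover(transcript) == real_key)
    return result
```

A single strong relay keeps its hop sealed even when the other two relays are weak, while a weak client breaks every hop regardless of the relays, matching both cases in the blog paragraphs quoted above.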