Re: What about private & Public Keys

On Mon, 2010-10-18 at 14:49 -0400, Gregory Maxwell wrote: 
> On Mon, Oct 18, 2010 at 2:37 PM,  <Thomas.Hluchnik@xxxxxxxxxxxxx> wrote:
> > Maybe this subject has already been discussed here.
> >
> > Given an attacker succeeds in breaking into a large number of Tor nodes and gets a copy of the secret keys from all those nodes. This would increase the chance to decrypt parts of the traffic that goes through the Tor network. Am I right?
> [snip]
> No, Tor uses perfect forward secrecy. The session key for every node
> to node link is encrypted with one-time ephemeral keying.

If an attacker compromises the private keys of an OR, he can
authenticate himself as the OR during the TLS and the circuit
establishment process. Consequently, the attacker could read and decrypt
traffic by mounting a man-in-the-middle attack.

Due to the property of perfect forward secrecy it can only affect
connections that are established after the key was compromised. All
connections prior to this event are still protected due to the property
of the used DH key exchange protocol [1]. 

To answer your other question:
> So would it be of advantage for the Tor network to change keys from
> time to time, like one should do with his passwords?

Yes, it has advantages. 

Tor has this concept of long term key, mid term key, and short term key
(see section 1.1 of the Tor spec [2]). The short term key should be
rotated at least once a day according to the spec. However, I'm not sure
in which interval Tor changes the mid term key and long term key
respectively. Anyway, once the computer is compromised, changing the
keys is more or less meaningless. 


[1] http://www.cypherpunks.ca/~iang/pubs/torsec.pdf
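
Added example (not part of the original message and not Tor's own code): a toy model of the distinction drawn above, showing which session keys a stolen long-term key exposes in recorded traffic and what it allows on new connections. The textbook RSA, the small DH group and all function names are assumptions chosen for illustration; none of it is Tor's actual handshake.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small (and P - 1 too smooth) for real use.
P, G = 2**127 - 1, 3                          # DH group
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))     # relay's long-term private key

def h(value):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")

def sign(d, value):
    """Textbook RSA signature over a hash (stand-in for a real signature scheme)."""
    return pow(h(value) % N, d, N)

def verify(value, sig):
    return pow(sig, E, N) == h(value) % N

def key_transport_session():
    """No forward secrecy: the session key travels encrypted to the long-term key."""
    session_key = secrets.randbelow(N - 2) + 2
    return session_key, {"enc_key": pow(session_key, E, N)}   # dict = wiretap recording

def ephemeral_dh_session():
    """Forward secrecy: the long-term key only signs a one-time DH share."""
    x = secrets.randbelow(P - 3) + 2          # client's one-time secret
    y = secrets.randbelow(P - 3) + 2          # relay's one-time secret
    gx, gy = pow(G, x, P), pow(G, y, P)
    recording = {"gx": gx, "gy": gy, "sig": sign(D, gy)}
    if not verify(gy, recording["sig"]):
        raise ValueError("relay authentication failed")
    client_key, relay_key = h(pow(gy, x, P)), h(pow(gx, y, P))
    assert client_key == relay_key
    return client_key, recording              # x and y are discarded here

def recover_from_recording(recording, stolen_d):
    """Session key obtainable from old recorded traffic plus a stolen long-term key."""
    if "enc_key" in recording:
        return pow(recording["enc_key"], stolen_d, N)
    return None   # only gx, gy, sig were sent; stolen_d decrypts none of them

def authenticates_as_relay(d):
    """New connection: does a party holding d pass the client's signature check?"""
    share = pow(G, secrets.randbelow(P - 3) + 2, P)
    return verify(share, sign(d, share))
```

The last function is why rotating the signing key after a suspected compromise matters: the old key keeps passing the client's check on new connections until clients stop trusting it.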
