
[or-cvs] compress "compromise keys"



Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/home2/arma/work/onion/cvs/doc

Modified Files:
	tor-design.tex 
Log Message:
compress 'compromise keys'


Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -d -r1.91 -r1.92
--- tor-design.tex	4 Nov 2003 06:54:09 -0000	1.91
+++ tor-design.tex	4 Nov 2003 07:18:16 -0000	1.92
@@ -1455,31 +1455,16 @@
 
 \subsubsection*{Active attacks}
 
-\emph{Compromise keys.}
-If a TLS session key is compromised, an attacker
-can view all the cells on TLS connection until the key is
-renegotiated.  (These cells are themselves encrypted.)  If a TLS
-private key is compromised, the attacker can fool others into
-thinking that he is the affected OR, but still cannot accept any
-connections. \\
-If a circuit session key is compromised, the
-attacker can unwrap a single layer of encryption from the relay
-cells traveling along that circuit.  (Only nodes on the circuit can
-see these cells.) If an onion private key is compromised, the attacker
-can impersonate the OR in circuits, but only if the attacker has
-also compromised the OR's TLS private key, or is running the
-previous OR in the circuit.  (This compromise affects newly created
-circuits, but because of perfect forward secrecy, the attacker
-cannot hijack old circuits without compromising their session keys.)
-In any case, periodic key rotation limits the window of opportunity
-for compromising these keys. \\
-Only by
-compromising a node's identity key can an attacker replace that
-node indefinitely, by sending new forged descriptors to the
-directory servers.  Finally, an attacker who can compromise a
-directory server's identity key can influence every client's view
-of the network---but only to the degree made possible by gaining a
-vote with the rest of the the directory servers.
+\emph{Compromise keys.} An attacker who learns the TLS session key can see
+the (still encrypted) relay cells on that circuit; learning the circuit
+session key lets him unwrap one layer of the encryption. An attacker
+who learns an OR's TLS private key can impersonate that OR, but he must
+also learn the onion key to decrypt \emph{create} cells (and because of
+perfect forward secrecy, he cannot hijack already established circuits
+without also compromising their session keys). Periodic key rotation
+limits the window of opportunity for these attacks. On the other hand,
+an attacker who learns a node's identity key can replace that node
+indefinitely by sending new forged descriptors to the directory servers.
 
 \emph{Iterated compromise.} A roving adversary who can
 compromise ORs (by system intrusion, legal coersion, or extralegal
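
Review bot: In the first added sentence, "relay cells on that circuit" has no antecedent, and it ties the TLS session key to a circuit, whereas the removed text scoped it to "all the cells on TLS connection until the key is renegotiated". Suggest "can see the (still encrypted) cells on that TLS connection" and keeping the renegotiation bound if space allows. The rewrite also drops the removed sentence on compromising a directory server's identity key ("can influence every client's view of the network") with no replacement in this hunk; if that case is not covered elsewhere in the paper, a short clause after "forged descriptors to the directory servers." would preserve it. Finally, the removed text said an attacker holding the TLS private key "still cannot accept any connections", while the new text says only that he "can impersonate that OR"; it is worth confirming the change in meaning is intended.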