
Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3 attack on Tor? in it.wikipedia)



Ben Wilhelm wrote:
> Anon Mus wrote:
>> Ben,
>>
>> I think you are using the purely theoretical numbers and applying them
>> to the problem as if they were reality.
>>
>> As I remember the problem with the selection of primes for PKE is,
>>
>> 1. the seeding of the pseudo-random number generator
>>
>> e.g. with a 16bit seed then only 65,000 or so entry points into the
>> number generation which leads to that number of keys.
>>
>> Even for an 8byte random seed the number of keys generated would be
>> about 10^19 keys and obviously, following your example, this represents
>> less than a milligram of your hydrogen memory, about a breath of air in
>> the lungs of the average human being.
>
> Yes, this is correct - if you use a horrifically insecure
> random-number generator, you'll end up with a horrifically insecure
> public key. Any serious application of crypto will use a random-number
> generator with far more than 16 bits of entropy. I don't actually know
> what the current standard for pseudo-random crypto generators is, but
> I give as a simple example Boost's Mersenne Twister generator, which,
> as I understand it, can be given something on the order of 20,000 bits
> of entropy as a seed. (Obviously, this is far more than is strictly
> needed to generate all 256-bit primes.)
>

Hands up those tor nodes using Boost's Mersenne Twister generator.

>> 2. the pseudo-random number generators themselves have not been
>> proven to be numerically complete. Indeed their very form suggests not.
>
> This is untrue in several ways. There's nothing in the structure of a
> pseudorandom generator which makes it impossible to analyse, and many
> pseudorandom generators are understood extremely well. Again, this
> isn't something I'm particularly expert in, but it's a solved problem
> to roughly the same extent that the entire public-key cryptography
> issue is a solved problem (i.e. "solved, barring spectacular and
> unexpected advances".)
>
> Note that you could simply use a source of truly secure entropy to
> bypass these issues entirely, and most non-embedded operating systems
> include such a thing built-in.
>

Hands up those tor nodes using a true entropy dongle.

FYI - I empirically tested a common pseudo-random number generator in
the 90's and found it seriously wanting. So you and I will have to agree
to disagree over this.

>> Of course, the scenario for this attack, as originally outlined (Re:
>> OSI 1-3 attack on Tor? in it.wikipedia), is still intact, fully correct
>> and easily provable.
>
> We've described logically why your original attack would not work (at
> least, why it would not allow any kind of security breaches -
> obviously you can bring the Tor network down using such an attack, but
> that's not exactly avoidable.) It is neither intact nor correct, and,
> assuming no security bugs in the Tor implementation, I believe it is
> provably so.
>
> -Ben
>
>

"We've" ?? - who's the we?? (rhetorical)

Let's see what's been admitted so far shall we,

Roger Dingledine wrote:

"Mike Perry also brought up an attack like this when he was working on
SoaT. Alas (or perhaps fortunately), he's been working on Torbutton-dev
lately instead. The number of competent anonymity programmers and
designers in the world is still woefully small."


OK - so the basic attack works - Mr Dingledine says so..

Ben Wilhelm wrote:

"Much more plausibly, you could claim that the US government has
backdoors into most (if not all) modern OSes, including the ones used to
generate Tor's directory server private keys. If the government got the
private keys that way there would be, of course, no barrier to them
intercepting Tor communications in exactly the way you claim."

OK - so you yourself accept that spyware could steal private keys. (And
there's lots of spyware out there)

I myself wrote:

"1. Attacker sets up a number of genuine tor servers, could be tor
nodes right up to guard level - attacker therefore has these keys."


OK - NO ONE has challenged this, it would be silly to do so, so I guess
it stands as accepted.


Ben, all that's left is you (and your "we") disagreeing with the storage
of public/private key pairs (A.3.). For my part I am 100% certain this
is so!! I know it for a fact.

Therefore, please be good enough to lay this matter to rest and accept
that most is proven, if not totally accepted by all. There will always
be die-hards and face savers but we try not to encourage them to
dis-inform or-talk tor USers (that's the "US" not the "WE").


-K-
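
The seed-size point argued in the quoted exchange above, as an added example that is not part of the original message: it counts how many distinct keys a deterministic generator can emit from a narrow seed and audits a constructed set of hosts for shared keys. The function names are hypothetical, and a 256-bit value stands in for real key material (actual key generation would go on to search for primes).

```python
import random   # CPython's random module is a Mersenne Twister (MT19937)
import secrets  # draws from the operating system's CSPRNG

KEY_BITS = 256  # assumption: a 256-bit value stands in for a generated key


def key_from_seed(seed: int) -> int:
    """Derive key material deterministically from a PRNG seed."""
    return random.Random(seed).getrandbits(KEY_BITS)


def distinct_keys(seed_bits: int) -> int:
    """Count the keys reachable when the seed carries only seed_bits of entropy."""
    return len({key_from_seed(s) for s in range(2 ** seed_bits)})


def duplicate_keys(keys):
    """Audit helper: return key values that occur more than once."""
    seen, dups = set(), set()
    for k in keys:
        (dups if k in seen else seen).add(k)
    return dups


def simulate_fleet(n_hosts: int, seed_bits: int, rng_seed: int = 1):
    """Constructed scenario: each host picks a seed_bits-wide seed, then makes a key."""
    picker = random.Random(rng_seed)  # fixed so the demo is reproducible
    return [key_from_seed(picker.randrange(2 ** seed_bits)) for _ in range(n_hosts)]


if __name__ == "__main__":
    # The key is 256 bits wide, but the seed width caps how many can ever exist.
    print("keys reachable from a 16-bit seed:", distinct_keys(16))
    weak = simulate_fleet(2000, 16)
    strong = [secrets.randbits(KEY_BITS) for _ in range(2000)]
    print("shared keys, 2000 hosts, 16-bit seed:", len(duplicate_keys(weak)))
    print("shared keys, 2000 hosts, OS CSPRNG:  ", len(duplicate_keys(strong)))
```

The width of the output says nothing about the size of the key space; only the entropy of the seed does, which is why a duplicate-key audit across hosts is a cheap check for a starved generator.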
