[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] key generation on first boot with low entropy

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] key generation on first boot with low entropy
From: Gerardus Hendricks <konfkukor@xxxxxxxxxx>
Date: Wed, 15 Jan 2014 12:33:15 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 15 Jan 2014 06:41:42 -0500
In-reply-to: <8761pmz9uc.fsf@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <8761pmz9uc.fsf@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 1/14/14 7:39 PM, anarcat wrote:
> How does tor generate its private key? Does it use /dev/random? Is there
> an issue with bootstrapping a new tor node straight from the first
> install, when entropy is potentially low?

Hi. I'm not entirely sure of the answer. I'll make a guess.
Reading the source of (the tarballed) Tor 0.2.4.20.

RSA router key and identity is created in router.c

router.c line 767 in init_keys()
line 770 --> prkey = init_key_from_file(keydir, 1, LOG_ERR)
line 393 --> prkey = crypto_pk_new()

crypto.c line 382 in crypto_pk_new()
line 386 --> rsa = RSA_new()

RSA_new() is from OpenSSL [1]

(curve25519 keys might be handled differently, I haven't looked)

I think you can find a lot of information on how OpenSSL handles itsentropy. I'm not sure, but I think OpenSSL uses the non-blocking/dev/urandom which is secure under most conditions, but not in yourscenario.

You might want to delay Tor startup / key generation a bit and not do itimmediately after boot. If it is possible in your setup, you can simplywrite entropic bits to /dev/(u)random, like so:


echo "Jf3Gy7K5gvD2dcF" > /dev/urandom

Of course that string should be longer, and should be different in everyinstance you use it in (and of course it should be secret for any attacker)

Thanks for linking haveged. I hadn't hear about it before. I do havesome doubts about its utility. As someone else has put it a year ago ina relevant thread (read it) [3]:

"as a non-mathematician, this sounds a bit like "we make a lot [ofentropy] out of little". Maybe somebody could shed some light on this.."


Regards,
Gerard

[1] https://www.openssl.org/docs/crypto/RSA_new.html
[2] http://man7.org/linux/man-pages/man4/random.4.html
[3] https://lists.torproject.org/pipermail/tor-talk/2013-January/027075.html
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] key generation on first boot with low entropy
  - From: Nick Mathewson

References:
- [tor-talk] key generation on first boot with low entropy
  - From: anarcat

Prev by Author: Re: [tor-talk] startpage and ixquick
Next by Author: Re: [tor-talk] Open source firewall.
Previous by thread: [tor-talk] key generation on first boot with low entropy
Next by thread: Re: [tor-talk] key generation on first boot with low entropy
Index(es):
- Author
- Thread