[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor security advisory: Debian flaw causes weak identity keys

Roger Dingledine wrote:
>   This is a critical security announcement.
>   A bug in the Debian GNU/Linux distribution's OpenSSL package was
>   announced today. This bug would allow an attacker to figure out
>   keys generated by these buggy versions of the OpenSSL library.
>   all private keys generated by affected versions of OpenSSL must be
>   considered to be compromised.
>   Tor uses OpenSSL, so Tor users and admins need to take action in
>   to remain secure in response to this problem.
>   If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
>   distribution, first follow the instructions at
>   to upgrade your OpenSSL package to a safe version. If you're
running a
>   Tor server or a Tor hidden service, then also follow the
>   below to replace your Tor identity keys.
>   Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
>   This advisory applies to Tor 0.2.0.x and/or any
>   system running _any_ Tor version. Tor clients and servers that are
>   running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
>   to do anything.
>   Specific versions affected: All Tor 0.2.0.x development versions up
>   through, and most Debian/Ubuntu/related users
regardless of
>   Tor version.
>   A local attacker or malicious directory cache may be able to trick
>   a client running 0.2.0.x into believing a false directory
consensus, thus
>   (e.g.) causing the client to create a path wholly owned by the
>   Further, relay identity keys or hidden service secret keys that
>   generated on most versions of Debian, Ubuntu, or other
Debian-derived OS
>   are also weak (regardless of your Tor version):

I see the report is by Florian (Weimer of) D(ebian) - spooky isn't it -

its a bit like that Florian D <flockmock@xxxxxxxxx> who chimed in

" Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3

attack on Tor? in it.wikipedia)", to or-talk back in February 2008.

Did they do it on purpose? Was someone protecting a deliberate flaw?

>   First, all affected Debian/Ubuntu/similar users (regardless
>   of Tor version) should apt-get upgrade to the latest (i.e. today's)
>   OpenSSL package.
>   Second, all Tor clients and servers running 0.2.0.x should upgrade
> (Again: Tor clients and servers that are running
>   and aren't using Debian/Ubuntu/related don't need to do anything.)
>   Third, Tor servers and hidden services running on
>   (regardless of Tor version) should discard their identity keys and
>   generate fresh ones. To discard your Tor server's keys, delete
>   the "keys/secret_*" files in your datadirectory (often it is
>   /var/lib/tor/). To discard your hidden service secret key, delete
>   the "private_key" file from the hidden service directory that you
>   configured in your torrc. [This will change the .onion address of
>   hidden service.]
>   Due to a bug in Debian's modified version of OpenSSL 0.9.8, all
>   generated keys (and other cryptographic material!) have a
>   small amount of entropy.

That lack of "entropy" is the predictability of the random number 
generator which seeds the PKE keys.

>  This flaw means that brute force attacks which
>   are very hard against the unmodified OpenSSL library (e.g. breaking
>   keys) are very practical against these keys. See the URL above for
>   more information about the flaw in Debian's OpenSSL packages.
>   While we believe the v2 authority keys (used in Tor 0.1.2.x) were
>   generated correctly, at least three of the six v3 authority keys
>   in Tor 0.2.0.x) are known to be weak. This fraction is
>   close to the majority vote needed to create a networkstatus
>   so the Tor release changes these three affected keys.
>   Relay identity keys and hidden service secret keys generated in
>   flawed way are also breakable. That is, any encryption operations
>   respect to a weak-key relay (including link encryption and onion
>   encryption) can be easily broken, and their descriptors can be
>   forged. Soon we will begin identifying weak-key relays and cutting
>   out of the network. (We will likely put out another release in a
>   days with a new identity key for our bridge authority; we apologize
>   the inconvenience to our bridge users.)
>   Finally, while we don't know of any attacks that will reveal the
>   location of a weak-key hidden service, an attacker could derive its
>   secret key and then pretend to be the hidden service.

3 of the 6 v3 authority keys compromised would have been enough to have
spoofed the entire Tor network.

OR-Talk users should always suspect a group of people who attempt a 
character assassination of a lone individual on this forum. Its often 
accompanied by flamers and accusations that the target is themselves a 
troll (if not for the fact that trolls are there all the time - not
for the odd topic.) 

Who's for humble pie then?

Scott ?
Ben ?
Dominik ?
Andrew ?

No?? - I thought not... I wonder why??