[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor security advisory: Debian flaw causes weak identity keys

     On Tue, 13 May 2008 14:55:37 -0700 (PDT) Anon Mus
<a_green_lantern@xxxxxxxxx> wrote:
>Roger Dingledine wrote:
>>   This is a critical security announcement.
>>   A bug in the Debian GNU/Linux distribution's OpenSSL package was
>>   announced today. This bug would allow an attacker to figure out
>>   keys generated by these buggy versions of the OpenSSL library.
>>   all private keys generated by affected versions of OpenSSL must be
>>   considered to be compromised.
>>   Tor uses OpenSSL, so Tor users and admins need to take action in
>>   to remain secure in response to this problem.
>>   If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
>>   distribution, first follow the instructions at
>>   to upgrade your OpenSSL package to a safe version. If you're
>running a
>>   Tor server or a Tor hidden service, then also follow the
>>   below to replace your Tor identity keys.
>>   Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
>>   This advisory applies to Tor 0.2.0.x and/or any
>>   system running _any_ Tor version. Tor clients and servers that are
>>   running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
>>   to do anything.
>>   Specific versions affected: All Tor 0.2.0.x development versions up
>>   through, and most Debian/Ubuntu/related users
>regardless of
>>   Tor version.
>>   A local attacker or malicious directory cache may be able to trick
>>   a client running 0.2.0.x into believing a false directory
>consensus, thus
>>   (e.g.) causing the client to create a path wholly owned by the
>>   Further, relay identity keys or hidden service secret keys that
>>   generated on most versions of Debian, Ubuntu, or other
>Debian-derived OS
>>   are also weak (regardless of your Tor version):
>I see the report is by Florian (Weimer of) D(ebian) - spooky isn't it -
>its a bit like that Florian D <flockmock@xxxxxxxxx> who chimed in
>" Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3
>attack on Tor? in it.wikipedia)", to or-talk back in February 2008.
>Did they do it on purpose? Was someone protecting a deliberate flaw?
>>   First, all affected Debian/Ubuntu/similar users (regardless
>>   of Tor version) should apt-get upgrade to the latest (i.e. today's)
>>   OpenSSL package.
>>   Second, all Tor clients and servers running 0.2.0.x should upgrade
>> (Again: Tor clients and servers that are running
>>   and aren't using Debian/Ubuntu/related don't need to do anything.)
>>   Third, Tor servers and hidden services running on
>>   (regardless of Tor version) should discard their identity keys and
>>   generate fresh ones. To discard your Tor server's keys, delete
>>   the "keys/secret_*" files in your datadirectory (often it is
>>   /var/lib/tor/). To discard your hidden service secret key, delete
>>   the "private_key" file from the hidden service directory that you
>>   configured in your torrc. [This will change the .onion address of
>>   hidden service.]
>>   Due to a bug in Debian's modified version of OpenSSL 0.9.8, all
>>   generated keys (and other cryptographic material!) have a
>>   small amount of entropy.
>That lack of "entropy" is the predictability of the random number 
>generator which seeds the PKE keys.
     Of course.
>>  This flaw means that brute force attacks which
>>   are very hard against the unmodified OpenSSL library (e.g. breaking
>>   keys) are very practical against these keys. See the URL above for
>>   more information about the flaw in Debian's OpenSSL packages.
>>   While we believe the v2 authority keys (used in Tor 0.1.2.x) were
>>   generated correctly, at least three of the six v3 authority keys
>>   in Tor 0.2.0.x) are known to be weak. This fraction is
>>   close to the majority vote needed to create a networkstatus
>>   so the Tor release changes these three affected keys.
>>   Relay identity keys and hidden service secret keys generated in
>>   flawed way are also breakable. That is, any encryption operations
>>   respect to a weak-key relay (including link encryption and onion
>>   encryption) can be easily broken, and their descriptors can be
>>   forged. Soon we will begin identifying weak-key relays and cutting
>>   out of the network. (We will likely put out another release in a
>>   days with a new identity key for our bridge authority; we apologize
>>   the inconvenience to our bridge users.)
>>   Finally, while we don't know of any attacks that will reveal the
>>   location of a weak-key hidden service, an attacker could derive its
>>   secret key and then pretend to be the hidden service.
>3 of the 6 v3 authority keys compromised would have been enough to have
>spoofed the entire Tor network.
>OR-Talk users should always suspect a group of people who attempt a 
>character assassination of a lone individual on this forum. Its often 
>accompanied by flamers and accusations that the target is themselves a 
>troll (if not for the fact that trolls are there all the time - not
>for the odd topic.) 
>Who's for humble pie then?
>Scott ?

     If the earlier complaint on OR-TALK is, in fact, due to the Debian
error referred to in Roger's announcement, then I do indeed apologize.
At this point, however, that is not at all clear to me.

>Ben ?
>Dominik ?
>Andrew ?
>No?? - I thought not... I wonder why??
     Obviously, you thought wrong.  If I become aware that I have falsely
accused someone in public, I have no problem with making a public apology,
nor am I too chicken-shit to allow my own name to appear on items that I
post to mailing lists.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *