
Re: Backward decryption of Tor traffic after Debian OpenSSL bug disclosure

On Fri, May 16, 2008 at 09:39:29PM +0400, unknown_x@xxxxxxxxxxxxx wrote:
> // Backward decryption of Tor traffic after Debian OpenSSL bug disclosure
> Let some passive adversary have records of traffic between a user's Debian
> GNU/Linux Tor client and servers of the Tor network (a lot of them Debian too).
> The records are dated 2006 to May 2008.
> Now the Debian OpenSSL PRNG bug is disclosed. All ~250000 "pseudorandom" values are known.
> Is it possible for the adversary to use this data to partially decrypt the
> recorded and stored user traffic after the fact?


> From the predicted states of the broken PRNG he can compute the Diffie-Hellman params,
> reconstruct the ephemeral keys and extract the session AES keys between nodes in the circuit
> if two of the circuit's nodes have broken PRNGs.
> Is it real? Or is the OpenSSL PRNG used in Tor for generating auth keys only and not
> for session key material in the case of Tor?

It's real.

I've just added two more paragraphs to
to try to make it clearer:

  Worse, this attack works against past traffic too: what if an attacker
  logged traffic over the past two years? As long as there's a single
  non-weak non-colluding Tor relay in your circuit, you're fine --
  that relay will provide encryption that the attacker can't break,
  then or now. But if you ever picked a path that consisted entirely of
  relays with broken RNGs, and an attacker logged this traffic, then he
  can unwrap the traffic from his logs using the same approach as above.

  Similarly, if anybody has logs of traffic coming out of a Debian
  or Ubuntu Tor client, they can strip it of its encryption, and thus
  retroactively break the anonymity.

Now, it would take some work to write the program to sort it all out,
walk all the computations backwards, etc. But we would like to have better
security than "let's hope nobody writes the program that breaks it".

Bad stuff,
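The point both messages above turn on is that a logged Tor cell is wrapped in one keystream layer per hop, so an observer who later learns some of the hop keys still cannot read the cell unless he learns all of them. The following is an added example, not code from this thread or from Tor; it models a three-hop circuit with a constructed HMAC-SHA256 counter-mode keystream standing in for Tor's AES-CTR, fixed constant hop keys standing in for keys derived from the per-hop Diffie-Hellman handshake, and a constructed sample cell. The names `HOP_KEYS`, `onion_encrypt`, `peel_with_known_keys` and `logged_cell_recoverable` are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample material (not from Tor): a 3-hop circuit (guard, middle,
# exit) with one fixed 16-byte session key per hop.  Real Tor derives these
# from the per-hop Diffie-Hellman handshake; here they are just constants.
HOP_KEYS = [bytes([i] * 16) for i in (1, 2, 3)]
CELL_NONCE = b"cell-0001"
SAMPLE_CELL = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (constructed stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def onion_encrypt(plaintext: bytes, hop_keys, nonce: bytes) -> bytes:
    """Client-side layering: innermost layer for the exit, outermost for the guard."""
    data = plaintext
    for key in reversed(hop_keys):
        data = xor_bytes(data, keystream(key, nonce, len(data)))
    return data


def peel_with_known_keys(ciphertext: bytes, known_keys, nonce: bytes) -> bytes:
    """Strip every layer whose key is known (None = that hop's key is not
    recoverable).  Whatever remains is still masked by every unknown layer."""
    data = ciphertext
    for key in known_keys:
        if key is not None:
            data = xor_bytes(data, keystream(key, nonce, len(data)))
    return data


def logged_cell_recoverable(known_keys) -> bool:
    """True only if peeling the logged cell with the known keys yields the plaintext."""
    logged = onion_encrypt(SAMPLE_CELL, HOP_KEYS, CELL_NONCE)
    return peel_with_known_keys(logged, known_keys, CELL_NONCE) == SAMPLE_CELL


if __name__ == "__main__":
    all_weak = HOP_KEYS                          # every relay's key later became known
    one_strong = [HOP_KEYS[0], None, HOP_KEYS[2]]  # middle relay had a sound RNG
    print("every hop weak   ->", logged_cell_recoverable(all_weak))    # True
    print("one strong relay ->", logged_cell_recoverable(one_strong))  # False
```

The second case is the "single non-weak non-colluding relay" of the reply: the guard and exit layers come off, but the remaining middle-hop keystream leaves the cell unreadable, then or now. The first case is the all-weak path the reply warns about, and the same model covers the client-side case the reply mentions last, since a client whose own key material is predictable contributes no layer the observer cannot remove.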