Re: What about private & Public Keys

On Mon, Oct 18, 2010 at 09:43:38PM +0200, Benedikt Westermann wrote:
> On Mon, 2010-10-18 at 14:49 -0400, Gregory Maxwell wrote: 
> > On Mon, Oct 18, 2010 at 2:37 PM,  <Thomas.Hluchnik@xxxxxxxxxxxxx> wrote:
> > > Maybe this subject has already been discussed here.
> > >
> > > Given, an attacker succeeds to break into a large number of
> > > Tor nodes and gets a copy of the secret keys from all those
> > > nodes. This would increase the chance to decrypt parts of the
> > > traffic that goes through the tor network. Am I right?

What others have said about forward secrecy and the rotation of
different kinds of Tor keys is all valid and reasonable, but I wanted
to back up a bit and note that you are expressing concern about an
attack that requires more effort than other attacks an adversary as
strong as the one you describe is more likely to be able to mount.

Unless you choose a path for which he has broken all three onion keys,
an adversary won't be able to decrypt your Tor traffic.  And because
of the forward secrecy others noted, he will only be able to do this
if he sits at or between the client and the first Tor node _while the
circuit is being built_. But more importantly, if he has indeed
compromised a large number of Tor nodes, he is likely to be in a
position to observe your traffic entering and exiting the Tor
network. Then he does not have to read anything to break anonymity
(link source and destination); timing patterns will make that
trivial. And if he can watch the same traffic entering and leaving the
Tor network, only end-to-end application encryption will matter for
confidentiality of that traffic; whether or not any Tor keys are
broken or nodes in the path are compromised, he will know who you are
talking to and what is being said. (And if that weren't enough he can
compromise the integrity of the traffic in that case too.)

So yes, it is important to protect against the threats you noted.  And
with enough keys, an adversary in a single optimal position could
break anonymity (and confidentiality).  But Tor has those fairly well
covered. And an adversary compromising a large chunk of the network
can do more damage without needing to use the keys he thus
obtains. Fortunately, this requires a significant adversary to be
widely effective.
