Does TOR use any non-ephemeral (non-DHE) ciphers?
- To: or-talk@xxxxxxxxxxxxx
- Subject: Does TOR use any non-ephemeral (non-DHE) ciphers?
- From: 7v5w7go9ub0o <7v5w7go9ub0o@xxxxxxxxx>
- Date: Wed, 24 Sep 2008 08:38:23 -0400
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Wed, 24 Sep 2008 08:39:04 -0400
- In-reply-to: <48d8aa14.0610c00a.38d0.53a6@xxxxxxxxxxxxx>
- References: <48d8aa14.0610c00a.38d0.53a6@xxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Thunderbird 2.0.0.16 (X11/20080707)
David Howe has been running some tests, and has discovered that in many
cases, SSL transactions can be recorded, and decrypted by Wireshark
after the fact - this because an ephemeral cipher was NOT chosen by the
server; i.e. a cipher was chosen that does not provide "Perfect Forward
Secrecy". This ability of Wireshark provides a motivation to steal or
subpoena private keys - which may awaken governmental interest in TOR
private keys!?

So this begs the question:

Does TOR use any non-ephemeral (non-DHE) ciphers?

The following is from David Howe's 9/23/08 posting in GRC's
"cryptography" newsgroup:
"Apache 2.2 webserver, default configuration
XCA generated self signed webserver cert
Internet Explorer (versions 6,7,8beta)
Firefox (versions 2.x,3.x)
Wireshark 1.0.3

Testing: for each session, a Wireshark capture was created *without*
access to the key. Fresh instance of Wireshark each capture. After all
captures are made, they are copied to another machine where Wireshark is
configured with the private key, to examine the packets.

Results:
IE (all versions) readable
FF (both versions) unreadable (error in dissector log)

After further analysis, it appears that the Apache webserver takes the
first suitable match from the list of offered cryptographic suites, not
an abstract "Best" match.

In the case of IE, the first match is for TLS_RSA_WITH_RC4_128_MD5 which
has no DHE (perfect forward secrecy) component. In FF, the first match
is for TLS_DHE_RSA_WITH_AES_256_CBC_SHA which DOES have a PFS component.

Further testing is required, first to see if I can configure Apache to
give preference to DHE enabled solutions, and second to see what the
default behaviour of IIS is. I will update this post once I have more
results."
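
Added example, not part of the original message or of David Howe's post: a Python sketch of the suite selection the quoted post describes (first match in the client's order) beside a server-preference order that puts ephemeral key exchanges first. The offer lists, the server's supported list and all function names are constructed for illustration and are not the browsers' or Apache's real lists or code.

```python
# Added example: all suite lists below are constructed sample data.
FORWARD_SECRET_KX = ("DHE", "ECDHE")  # ephemeral key exchanges


def key_exchange(suite):
    """Key-exchange token of an IANA suite name, e.g. TLS_DHE_RSA_WITH_... -> DHE."""
    head = suite.split("_WITH_")[0]   # "TLS_DHE_RSA" or "TLS_RSA"
    return head.split("_")[1]


def has_pfs(suite):
    """True if the suite's key exchange is ephemeral (forward secret)."""
    return key_exchange(suite) in FORWARD_SECRET_KX


def select_client_order(client_offer, server_supported):
    """First suite in the client's list that the server supports
    (the behaviour the post observed)."""
    for suite in client_offer:
        if suite in server_supported:
            return suite
    return None


def select_server_order(client_offer, server_preference):
    """First suite in the server's own ordered list that the client offered."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


SERVER_SUPPORTED = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
# Stable sort: forward-secret suites first, original order otherwise.
SERVER_PREFERENCE = sorted(SERVER_SUPPORTED, key=lambda s: not has_pfs(s))

# Constructed client offers (hypothetical, ordered to mirror the reported results).
OFFER_RSA_FIRST = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]
OFFER_DHE_FIRST = ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
OFFER_RSA_ONLY = ["TLS_RSA_WITH_RC4_128_MD5"]  # server preference cannot add PFS here

if __name__ == "__main__":
    for name, offer in [("rsa-first", OFFER_RSA_FIRST), ("dhe-first", OFFER_DHE_FIRST),
                        ("rsa-only", OFFER_RSA_ONLY)]:
        a = select_client_order(offer, SERVER_SUPPORTED)
        b = select_server_order(offer, SERVER_PREFERENCE)
        print(f"{name}: client-order={a} pfs={has_pfs(a)} | server-order={b} pfs={has_pfs(b)}")
```

A capture of a session negotiated without an ephemeral key exchange is the case the post found decryptable once the server's private key is available; the rsa-only offer shows that server-side ordering helps only when the client offers a DHE suite at all.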