[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Does TOR use any non-ephemeral (non-DHE) ciphers?

David Howe has been running some tests, and has discovered that in many cases, SSL transactions can be recorded, and decrypted by Wireshark after the fact - this because an ephemeral cipher was NOT chosen by the server; i.e. a cipher was chosen that does not provide "Perfect Forward Secrecy" . This ability of Wireshark provides a motivation to steal or subpoena private keys - which may awaken governmental interest in TOR private keys!?

So this begs the questions:

Does TOR use any non-ephemeral (non-DHE) ciphers?

The following is from David Howe's 9/23/08 posting in GRC's "cryptography" newsgroup:

"Apache 2.2 webserver, default configuration
XCA generated self signed webserver cert
Internet explorer (versions 6,7,8beta)
Firefox (versions 2.x,3.x)
Wireshark 1.0.3

Testing: for each session, a Wireshark capture was created *without*
access to the key. Fresh instance of Wireshark each capture. After all
captures are made, they are copied to another machine where Wireshark is
configured with the private key, to examine the packets.

IE (all versions) readable
FF (both versions) unreadable (error in dissector log)

After further analysis, it appears that the apache webserver takes the
first suitable match from the list of offered cryptographic suites, not
an abstract "Best" match.

In the case of IE, the first match is for TLS_RSA_WITH_RC4_128_MD5 which
has no DHE (perfect forward secrecy) component. in FF, the first match
is for TLS_DHE_RSA_WITH_AES_256_CBC_SHA which DOES have a PFS component.

Further testing is required, first to see if I can configure Apache to
give preference to DHE enabled solutions, and second to see what the
default behaviour of IIS is. I will update this post once I have more