[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Does TOR use any non-ephemeral (non-DHE) ciphers?

On Wed, Sep 24, 2008 at 08:38:23AM -0400, 7v5w7go9ub0o wrote:
> David Howe has been running some tests, and has discovered that in many 
> cases, SSL transactions can be recorded, and decrypted by Wireshark 
> after the fact - this because an ephemeral cipher was NOT chosen by the 
> server; i.e. a cipher was chosen that does not provide "Perfect Forward 
> Secrecy" . This ability of Wireshark provides a motivation to steal or 
> subpoena private keys - which may awaken governmental interest in TOR 
> private keys!?

This isn't news.  If you have compromised a private key used for SSL
sessions, and a ciphersuite without PFS is used, you can decrypt those
sessions after the fact.  That's basically what "without PFS" means.
> So this begs the questions:
> Does TOR use any non-ephemeral (non-DHE) ciphers?

You mean ciphersuites, not ciphers.  The answer is "No; Tor always
uses ephemeral-key modes with TLS."

From the specification:
   Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
   or whose symmetric keys are less then KEY_LEN bits, or whose digests are
   less than HASH_LEN bits.  Responders SHOULD NOT select any SSLv3
   ciphersuite other than those listed above.

There's also a Diffie-Hellman key exchange when extending circuits.
You can find out more about how Tor works by reading the design paper
or the specification (search for "tor-spec.txt").

(Also, it's Tor, not TOR.)