[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Does TOR use any non-ephemeral (non-DHE) ciphers?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Does TOR use any non-ephemeral (non-DHE) ciphers?
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Wed, 24 Sep 2008 11:46:29 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 24 Sep 2008 11:46:35 -0400
In-reply-to: <48DA34BF.3010302@xxxxxxxxx>
Mail-followup-to: Nick Mathewson <nickm@xxxxxxxxxxxxx>, or-talk@xxxxxxxxxxxxx
References: <48d8aa14.0610c00a.38d0.53a6@xxxxxxxxxxxxx> <48DA34BF.3010302@xxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, Sep 24, 2008 at 08:38:23AM -0400, 7v5w7go9ub0o wrote:
> David Howe has been running some tests, and has discovered that in many 
> cases, SSL transactions can be recorded, and decrypted by Wireshark 
> after the fact - this because an ephemeral cipher was NOT chosen by the 
> server; i.e. a cipher was chosen that does not provide "Perfect Forward 
> Secrecy" . This ability of Wireshark provides a motivation to steal or 
> subpoena private keys - which may awaken governmental interest in TOR 
> private keys!?

This isn't news.  If you have compromised a private key used for SSL
sessions, and a ciphersuite without PFS is used, you can decrypt those
sessions after the fact.  That's basically what "without PFS" means.

> So this begs the questions:
> 
> 
> 
> 
> Does TOR use any non-ephemeral (non-DHE) ciphers?

You mean ciphersuites, not ciphers.  The answer is "No; Tor always
uses ephemeral-key modes with TLS."

From the specification:
   Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
   or whose symmetric keys are less then KEY_LEN bits, or whose digests are
   less than HASH_LEN bits.  Responders SHOULD NOT select any SSLv3
   ciphersuite other than those listed above.

There's also a Diffie-Hellman key exchange when extending circuits.
You can find out more about how Tor works by reading the design paper
or the specification (search for "tor-spec.txt").

(Also, it's Tor, not TOR.)

yrs,
-- 
Nick

Follow-Ups:
- Re: Does TOR use any non-ephemeral (non-DHE) ciphers?
  - From: 7v5w7go9ub0o

References:
- Re: hijacking DNS server
  - From: Erilenz
- Does TOR use any non-ephemeral (non-DHE) ciphers?
  - From: 7v5w7go9ub0o

Prev by Author: Re: Tor 0.2.1.5-alpha is out
Next by Author: Re: peculiar server "bandwidth" posted by server "mnl" and possible new type of attack
Previous by thread: Does TOR use any non-ephemeral (non-DHE) ciphers?
Next by thread: Re: Does TOR use any non-ephemeral (non-DHE) ciphers?
Index(es):
- Author
- Thread