Re: Does TOR use any non-ephemeral (non-DHE) ciphers?
On Wed, Sep 24, 2008 at 08:38:23AM -0400, 7v5w7go9ub0o wrote:
> David Howe has been running some tests, and has discovered that in many
> cases, SSL transactions can be recorded, and decrypted by Wireshark
> after the fact - this because an ephemeral cipher was NOT chosen by the
> server; i.e. a cipher was chosen that does not provide "Perfect Forward
> Secrecy". This ability of Wireshark provides a motivation to steal or
> subpoena private keys - which may awaken governmental interest in TOR
> private keys!?
This isn't news. If you have compromised a private key used for SSL
sessions, and a ciphersuite without PFS is used, you can decrypt those
sessions after the fact. That's basically what "without PFS" means.
> So this begs the questions:
> Does TOR use any non-ephemeral (non-DHE) ciphers?
You mean ciphersuites, not ciphers. The answer is "No; Tor always
uses ephemeral-key modes with TLS."
From the specification:

   Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
   or whose symmetric keys are less than KEY_LEN bits, or whose digests are
   less than HASH_LEN bits. Responders SHOULD NOT select any SSLv3
   ciphersuite other than those listed above.

There's also a Diffie-Hellman key exchange when extending circuits.
You can find out more about how Tor works by reading the design paper
or the specification (search for "tor-spec.txt").
(Also, it's Tor, not TOR.)
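
The ephemeral-key condition from the specification text quoted above, written as a check over ciphersuite names. This is an added example, not part of the original message and not Tor's code; the function names and the sample offer list are constructed for illustration, and the KEY_LEN and HASH_LEN conditions are not covered.

```python
# Added example: decide from a TLS <= 1.2 ciphersuite name whether the key
# exchange uses ephemeral keys. Handles IANA names (TLS_DHE_RSA_WITH_...)
# and OpenSSL names (DHE-RSA-AES256-SHA).

EPHEMERAL = {"DHE", "EDH", "ECDHE", "EECDH"}   # fresh (EC)DH key per handshake
STATIC = {"RSA", "DH", "ECDH", "PSK"}          # long-term secret recovers the session keys
OTHER = {"ADH", "AECDH", "SRP", "KRB5", "EXP", "GOST2001", "GOST2012"}


def key_exchange(name):
    """Return the key-exchange token encoded in a suite name, or None."""
    if name.startswith(("TLS_", "SSL_")):            # IANA style
        head, sep, _ = name.split("_", 1)[1].partition("_WITH_")
        if not sep:
            return None      # TLS 1.3 style name: key exchange is negotiated separately
        tokens = head.split("_")
    else:                                            # OpenSSL style
        tokens = name.split("-")
        if tokens[0] not in EPHEMERAL | STATIC | OTHER:
            return "RSA"     # e.g. AES256-SHA: OpenSSL leaves RSA key transport implicit
    for odd in ("anon", "EXPORT"):                   # judged separately, see below
        if odd in tokens:
            return odd.upper()
    return tokens[0]


def has_ephemeral_keys(name):
    """True / False, or None where the name alone does not settle it
    (anonymous DH, export suites, SRP, Kerberos, GOST, TLS 1.3 names)."""
    kx = key_exchange(name)
    if kx in EPHEMERAL:
        return True
    if kx in STATIC:
        return False
    return None


def select(offered):
    """Responder side: first offered suite known to use ephemeral keys."""
    return next((s for s in offered if has_ephemeral_keys(s) is True), None)


def decryptable_with_stolen_key(offered):
    """Suites whose recorded sessions fall to a later private-key compromise."""
    return [s for s in offered if has_ephemeral_keys(s) is False]


# Constructed sample offer, in client preference order.
SAMPLE = ["TLS_RSA_WITH_AES_256_CBC_SHA", "AES128-SHA",
          "TLS_DH_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
          "DHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
```

With the sample list, `select(SAMPLE)` skips the RSA, static-DH and anonymous-DH entries and returns `DHE-RSA-AES256-SHA`.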