[tor-dev] Quick logjam/Tor analysis.
Nick Mathewson
nickm at torproject.org
Tue May 26 13:25:22 UTC 2015

I posted this on a blog comment, but others may be interested too.

As near as I can tell, the "logjam"/"weakdh" attacks should not affect
current Tor software very much, for a few reasons:

  * All currently supported Tor versions, when built with OpenSSL 1.0 or
    later, prefer 256-bit elliptic-curve Diffie Hellman for their TLS
    connections, not the 1024-bit Diffie Hellman over Z_p as discussed in
    this paper.

  * We have never enabled "Export" crypto server-side or client-side.

  * All currently supported Tor versions perform their circuit handshakes
    using the Curve25519-based "ntor" protocol, not the old "TAP" protocol
    which used 1024-bit DH.

      * Actually, I think even the TAP protocol might be safe, since it
        sends an encrypted g^x, so even if you can take the discrete log of
        g^y, you don't even have g^x to use it with unless you can also break
        RSA1024.

  * The TLS encryption in Tor is, for the most part, redundant with the layer
    of forward secrecy in the circuit handshakes, so that if either one is
    secure, Tor traffic should not be decryptable.

Recommendations:

  * If you've ignored all our requests to upgrade to a recent Tor version
    (0.2.6 stable would be best), please do so soon. Anything older than
    0.2.4 is NOT supported.

  * If you're running OpenSSL 0.9.8 or earlier, you should consider upgrading
    to 1.0.0 or later.

  * Make sure to apply vendor patches for your non-Tor software as they
    become available.
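
The version thresholds in the recommendations above, turned into a small check. This is an added example, not part of the original post and not Tor Project code; the function names, result labels and sample version strings are constructed, and the input format is assumed to be what `tor --version` and `openssl version` print.

```python
import re

# Thresholds quoted from the post's recommendations.
TOR_MIN_SUPPORTED = (0, 2, 4)  # "Anything older than 0.2.4 is NOT supported."
TOR_PREFERRED = (0, 2, 6)      # "0.2.6 stable would be best"
OPENSSL_MIN = (1, 0, 0)        # ECDH for TLS is preferred with OpenSSL 1.0 or later


def parse_version(text, product):
    """Extract the dotted numeric version that follows the product name.

    Letter and tag suffixes ("0.9.8zf", "0.2.7.1-alpha") are ignored, because
    the post states its thresholds on the numeric series only.
    """
    pattern = rf"\b{re.escape(product)}\s+(?:version\s+)?(\d+(?:\.\d+)+)"
    match = re.search(pattern, text, re.IGNORECASE)
    if match is None:
        raise ValueError(f"no {product} version in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def audit_tor(version_text):
    """Classify a Tor version string against the post's support statement."""
    series = parse_version(version_text, "Tor")[:3]
    if series < TOR_MIN_SUPPORTED:
        return "unsupported"
    if series < TOR_PREFERRED:
        return "supported, 0.2.6 preferred"
    return "ok"


def audit_openssl(version_text):
    """Flag OpenSSL 0.9.8 and earlier, as the post recommends."""
    series = parse_version(version_text, "OpenSSL")[:3]
    return "ok" if series >= OPENSSL_MIN else "consider upgrading to 1.0.0 or later"


if __name__ == "__main__":
    # Constructed sample inputs (assumed output format, not captured from a host).
    for line in ("Tor version 0.2.3.25 (git-0000000000000000).",
                 "Tor version 0.2.5.12.",
                 "Tor version 0.2.6.8."):
        print(f"{line!r}: {audit_tor(line)}")
    for line in ("OpenSSL 0.9.8zf 19 Mar 2015", "OpenSSL 1.0.1k 8 Jan 2015"):
        print(f"{line!r}: {audit_openssl(line)}")
```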