Tor security advisory: Debian flaw causes weak identity keys
Scott Bennett
bennett at cs.niu.edu
Wed May 14 00:06:04 UTC 2008
On Tue, 13 May 2008 14:55:37 -0700 (PDT) Anon Mus
<a_green_lantern at yahoo.com> wrote:
>Roger Dingledine wrote:
>> SUMMARY:
>> This is a critical security announcement.
>>
>> A bug in the Debian GNU/Linux distribution's OpenSSL package was
>> announced today. This bug would allow an attacker to figure out
>private
>> keys generated by these buggy versions of the OpenSSL library.
>Thus,
>> all private keys generated by affected versions of OpenSSL must be
>> considered to be compromised.
>>
>> Tor uses OpenSSL, so Tor users and admins need to take action in
>order
>> to remain secure in response to this problem.
>>
>> If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
>> distribution, first follow the instructions at
>>
>http://lists.debian.org/debian-security-announce/2008/msg00152.html
>> to upgrade your OpenSSL package to a safe version. If you're
>running a
>> Tor server or a Tor hidden service, then also follow the
>instructions
>> below to replace your Tor identity keys.
>>
>> Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
>> 0.2.0.26-rc.
>>
>>
>> WHO IS AFFECTED:
>> This advisory applies to Tor 0.2.0.x and/or any
>Debian/Ubuntu/related
>> system running _any_ Tor version. Tor clients and servers that are
>> running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
>> to do anything.
>>
>> Specific versions affected: All Tor 0.2.0.x development versions up
>> through 0.2.0.25-rc, and most Debian/Ubuntu/related users
>regardless of
>> Tor version.
>>
>>
>> IMPACT:
>> A local attacker or malicious directory cache may be able to trick
>> a client running 0.2.0.x into believing a false directory
>consensus, thus
>> (e.g.) causing the client to create a path wholly owned by the
>attacker.
>>
>> Further, relay identity keys or hidden service secret keys that
>were
>> generated on most versions of Debian, Ubuntu, or other
>Debian-derived OS
>> are also weak (regardless of your Tor version):
>>
>http://lists.debian.org/debian-security-announce/2008/msg00152.html
>>
>>
>
>I see the report is by Florian (Weimer of) D(ebian) - spooky isn't it -
>
>its a bit like that Florian D <flockmock at gmail.com> who chimed in
>about,
>
>" Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3
>
>attack on Tor? in it.wikipedia)", to or-talk back in February 2008.
>
>Did they do it on purpose? Was someone protecting a deliberate flaw?
>
>> WHAT TO DO:
>> First, all affected Debian/Ubuntu/similar users (regardless
>> of Tor version) should apt-get upgrade to the latest (i.e. today's)
>> OpenSSL package.
>>
>> Second, all Tor clients and servers running 0.2.0.x should upgrade
>to
>> 0.2.0.26-rc. (Again: Tor clients and servers that are running
>0.1.2.x
>> and aren't using Debian/Ubuntu/related don't need to do anything.)
>>
>> Third, Tor servers and hidden services running on
>Debian/Ubuntu/related
>> (regardless of Tor version) should discard their identity keys and
>> generate fresh ones. To discard your Tor server's keys, delete
>> the "keys/secret_*" files in your datadirectory (often it is
>> /var/lib/tor/). To discard your hidden service secret key, delete
>> the "private_key" file from the hidden service directory that you
>> configured in your torrc. [This will change the .onion address of
>your
>> hidden service.]
>>
>>
>> DETAILS:
>> Due to a bug in Debian's modified version of OpenSSL 0.9.8, all
>> generated keys (and other cryptographic material!) have a
>stunningly
>> small amount of entropy.
>
>That lack of "entropy" is the predictability of the random number
>generator which seeds the PKE keys.
>
Of course.
>
>> This flaw means that brute force attacks which
>> are very hard against the unmodified OpenSSL library (e.g. breaking
>RSA
>> keys) are very practical against these keys. See the URL above for
>> more information about the flaw in Debian's OpenSSL packages.
>>
>> While we believe the v2 authority keys (used in Tor 0.1.2.x) were
>> generated correctly, at least three of the six v3 authority keys
>(used
>> in Tor 0.2.0.x) are known to be weak. This fraction is
>uncomfortably
>> close to the majority vote needed to create a networkstatus
>consensus,
>> so the Tor 0.2.0.26-rc release changes these three affected keys.
>>
>> Relay identity keys and hidden service secret keys generated in
>this
>> flawed way are also breakable. That is, any encryption operations
>with
>> respect to a weak-key relay (including link encryption and onion
>> encryption) can be easily broken, and their descriptors can be
>easily
>> forged. Soon we will begin identifying weak-key relays and cutting
>them
>> out of the network. (We will likely put out another release in a
>few
>> days with a new identity key for our bridge authority; we apologize
>for
>> the inconvenience to our bridge users.)
>>
>> Finally, while we don't know of any attacks that will reveal the
>> location of a weak-key hidden service, an attacker could derive its
>> secret key and then pretend to be the hidden service.
>>
>>
>
>
>3 of the 6 v3 authority keys compromised would have been enough to have
>spoofed the entire Tor network.
>
>
>OR-Talk users should always suspect a group of people who attempt a
>character assassination of a lone individual on this forum. Its often
>accompanied by flamers and accusations that the target is themselves a
>troll (if not for the fact that trolls are there all the time - not
>just
>for the odd topic.)
>
>Who's for humble pie then?
>
>Scott ?
If the earlier complaint on OR-TALK is, in fact, due to the Debian
error referred to in Roger's announcement, then I do indeed apologize.
At this point, however, that is not at all clear to me.
>Ben ?
>Dominik ?
>Andrew ?
>
>
>No?? - I thought not... I wonder why??
>
Obviously, you thought wrong. If I become aware that I have falsely
accused someone in public, I have no problem with making a public apology,
nor am I too chicken-shit to allow my own name to appear on items that I
post to mailing lists.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
More information about the tor-talk
mailing list