Tor security advisory: Debian flaw causes weak identity keys

Scott Bennett bennett at cs.niu.edu
Wed May 14 00:06:04 UTC 2008


     On Tue, 13 May 2008 14:55:37 -0700 (PDT) Anon Mus
<a_green_lantern at yahoo.com> wrote:
>Roger Dingledine wrote:
>> SUMMARY:
>>   This is a critical security announcement.
>>
>>   A bug in the Debian GNU/Linux distribution's OpenSSL package was
>>   announced today. This bug would allow an attacker to figure out
>private
>>   keys generated by these buggy versions of the OpenSSL library.
>Thus,
>>   all private keys generated by affected versions of OpenSSL must be
>>   considered to be compromised.
>>
>>   Tor uses OpenSSL, so Tor users and admins need to take action in
>order
>>   to remain secure in response to this problem.
>>
>>   If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
>>   distribution, first follow the instructions at
>>    
>http://lists.debian.org/debian-security-announce/2008/msg00152.html
>>   to upgrade your OpenSSL package to a safe version. If you're
>running a
>>   Tor server or a Tor hidden service, then also follow the
>instructions
>>   below to replace your Tor identity keys.
>>
>>   Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
>>   0.2.0.26-rc.
>>
>>
>> WHO IS AFFECTED:
>>   This advisory applies to Tor 0.2.0.x and/or any
>Debian/Ubuntu/related
>>   system running _any_ Tor version. Tor clients and servers that are
>>   running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
>>   to do anything.
>>
>>   Specific versions affected: All Tor 0.2.0.x development versions up
>>   through 0.2.0.25-rc, and most Debian/Ubuntu/related users
>regardless of
>>   Tor version.
>>
>>
>> IMPACT:
>>   A local attacker or malicious directory cache may be able to trick
>>   a client running 0.2.0.x into believing a false directory
>consensus, thus
>>   (e.g.) causing the client to create a path wholly owned by the
>attacker.
>>
>>   Further, relay identity keys or hidden service secret keys that
>were
>>   generated on most versions of Debian, Ubuntu, or other
>Debian-derived OS
>>   are also weak (regardless of your Tor version):
>>    
>http://lists.debian.org/debian-security-announce/2008/msg00152.html
>>
>>   
>
>I see the report is by Florian (Weimer of) D(ebian) - spooky isn't it -
>
>its a bit like that Florian D <flockmock at gmail.com> who chimed in
>about,
>
>" Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3
>
>attack on Tor? in it.wikipedia)", to or-talk back in February 2008.
>
>Did they do it on purpose? Was someone protecting a deliberate flaw?
>
>> WHAT TO DO:
>>   First, all affected Debian/Ubuntu/similar users (regardless
>>   of Tor version) should apt-get upgrade to the latest (i.e. today's)
>>   OpenSSL package.
>>
>>   Second, all Tor clients and servers running 0.2.0.x should upgrade
>to
>>   0.2.0.26-rc. (Again: Tor clients and servers that are running
>0.1.2.x
>>   and aren't using Debian/Ubuntu/related don't need to do anything.)
>>
>>   Third, Tor servers and hidden services running on
>Debian/Ubuntu/related
>>   (regardless of Tor version) should discard their identity keys and
>>   generate fresh ones. To discard your Tor server's keys, delete
>>   the "keys/secret_*" files in your datadirectory (often it is
>>   /var/lib/tor/). To discard your hidden service secret key, delete
>>   the "private_key" file from the hidden service directory that you
>>   configured in your torrc. [This will change the .onion address of
>your
>>   hidden service.]
>>
>>
>> DETAILS:
>>   Due to a bug in Debian's modified version of OpenSSL 0.9.8, all
>>   generated keys (and other cryptographic material!) have a
>stunningly
>>   small amount of entropy.
>
>That lack of "entropy" is the predictability of the random number 
>generator which seeds the PKE keys.
>
     Of course.
>
>>  This flaw means that brute force attacks which
>>   are very hard against the unmodified OpenSSL library (e.g. breaking
>RSA
>>   keys) are very practical against these keys. See the URL above for
>>   more information about the flaw in Debian's OpenSSL packages.
>>
>>   While we believe the v2 authority keys (used in Tor 0.1.2.x) were
>>   generated correctly, at least three of the six v3 authority keys
>(used
>>   in Tor 0.2.0.x) are known to be weak. This fraction is
>uncomfortably
>>   close to the majority vote needed to create a networkstatus
>consensus,
>>   so the Tor 0.2.0.26-rc release changes these three affected keys.
>>
>>   Relay identity keys and hidden service secret keys generated in
>this
>>   flawed way are also breakable. That is, any encryption operations
>with
>>   respect to a weak-key relay (including link encryption and onion
>>   encryption) can be easily broken, and their descriptors can be
>easily
>>   forged. Soon we will begin identifying weak-key relays and cutting
>them
>>   out of the network. (We will likely put out another release in a
>few
>>   days with a new identity key for our bridge authority; we apologize
>for
>>   the inconvenience to our bridge users.)
>>
>>   Finally, while we don't know of any attacks that will reveal the
>>   location of a weak-key hidden service, an attacker could derive its
>>   secret key and then pretend to be the hidden service.
>>
>>   
>
>
>3 of the 6 v3 authority keys compromised would have been enough to have
>spoofed the entire Tor network.
>
>
>OR-Talk users should always suspect a group of people who attempt a 
>character assassination of a lone individual on this forum. Its often 
>accompanied by flamers and accusations that the target is themselves a 
>troll (if not for the fact that trolls are there all the time - not
>just 
>for the odd topic.) 
>
>Who's for humble pie then?
>
>Scott ?

     If the earlier complaint on OR-TALK is, in fact, due to the Debian
error referred to in Roger's announcement, then I do indeed apologize.
At this point, however, that is not at all clear to me.

>Ben ?
>Dominik ?
>Andrew ?
>
>
>No?? - I thought not... I wonder why??
>
     Obviously, you thought wrong.  If I become aware that I have falsely
accused someone in public, I have no problem with making a public apology,
nor am I too chicken-shit to allow my own name to appear on items that I
post to mailing lists.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************



More information about the tor-talk mailing list