[tor-talk] key generation on first boot with low entropy

Gerardus Hendricks konfkukor at riseup.net
Wed Jan 15 11:33:15 UTC 2014


On 1/14/14 7:39 PM, anarcat wrote:
 > How does tor generate its private key? Does it use /dev/random? Is there
 > an issue with bootstrapping a new tor node straight from the first
 > install, when entropy is potentially low?

Hi. I'm not entirely sure of the answer. I'll make a guess.
Reading the source of (the tarballed) Tor 0.2.4.20.

RSA router key and identity is created in router.c

router.c line 767 in init_keys()
line 770 --> prkey = init_key_from_file(keydir, 1, LOG_ERR)
line 393 --> prkey = crypto_pk_new()

crypto.c line 382 in crypto_pk_new()
line 386 --> rsa = RSA_new()

RSA_new() is from OpenSSL [1]

(curve25519 keys might be handled differently, I haven't looked)

I think you can find a lot of information on how OpenSSL handles its 
entropy. I'm not sure, but I think OpenSSL uses the non-blocking 
/dev/urandom which is secure under most conditions, but not in your 
scenario.

You might want to delay Tor startup / key generation a bit and not do it 
immediately after boot. If it is possible in your setup, you can simply 
write entropic bits to /dev/(u)random, like so:

echo "Jf3Gy7K5gvD2dcF" > /dev/urandom

Of course that string should be longer, and should be different in every 
instance you use it in (and of course it should be secret for any attacker)

Thanks for linking haveged. I hadn't hear about it before. I do have 
some doubts about its utility. As someone else has put it a year ago in 
a relevant thread (read it) [3]:

"as a non-mathematician, this sounds a bit like "we make a lot [of 
entropy] out of little". Maybe somebody could shed some light on this.."

Regards,
Gerard

[1] https://www.openssl.org/docs/crypto/RSA_new.html
[2] http://man7.org/linux/man-pages/man4/random.4.html
[3] https://lists.torproject.org/pipermail/tor-talk/2013-January/027075.html


More information about the tor-talk mailing list