tag:blogger.com,1999:blog-37798047.post7853628144997732288..comments2024-01-16T05:48:33.523-05:00Comments on Errata Security: Tor is still DHE 1024 (NSA crackable)David Maynorhttp://www.blogger.com/profile/09921229607193067441noreply@blogger.comBlogger10125tag:blogger.com,1999:blog-37798047.post-47982589398271995702013-09-11T11:45:41.542-04:002013-09-11T11:45:41.542-04:00So, why not use both ECDHE and DHE to encrypt? (an...So, why not use both ECDHE and DHE to encrypt? (and use zillion-bits)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-1228310769017804522013-09-08T21:38:10.719-04:002013-09-08T21:38:10.719-04:00One thing to remember is that traffic once recorde...One thing to remember is that traffic once recorded can be scrutinized any time. Get the uncrackable encrypted data today and break it the day after tomorrow.<br /><br />So updating to the <i>presumably</i> less (or more) insecure version which uses elliptical keys won't help you with the things you did with Tor 2.3 in case your traffic has been recorded and stored away by the NSA during that time.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-52827095745985248192013-09-08T15:10:00.801-04:002013-09-08T15:10:00.801-04:00>> the newer Elliptical keys may turn out to...>> the newer Elliptical keys may turn out to be relatively easier to crack than people thought<br /><br />> That wold be news to me. Do you have a reference?<br /><br /><br />There's concern that the constants used to define the elliptical curves were influenced by the NSA and give them a way to break it.<br />https://www.schneier.com/essay-198.htmlAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-4779693582483895002013-09-08T12:47:54.259-04:002013-09-08T12:47:54.259-04:00> the newer Elliptical keys may turn out to be ...> the newer Elliptical keys may turn out to be relatively easier to crack than people thought<br /><br />That wold be news to me. Do you have a reference?Ronhttps://www.blogger.com/profile/11752242624438232184noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-15563909190435567632013-09-07T17:00:51.448-04:002013-09-07T17:00:51.448-04:00Question:
The article is a bit weak on the detail...Question:<br /><br />The article is a bit weak on the details:<br /><br /><br />Did you do the traffic analysis after "your" TOR-Software decrypted the target-adress. (have you altered the tor software or "hooked" the decryption routine, that you can analyse the negotiated keys)<br /><br /><br />Or did you really only run a rouge exit node (one that redirects, filters and manipulates out and ingoing traffic comming out or in of your exit node )<br /><br />And just baited about https-everywhere and weak SSL-encryption.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-70926471269275646852013-09-07T09:24:11.644-04:002013-09-07T09:24:11.644-04:00Run 1024 DHE TLS over OpenVPN configured with Open...Run 1024 DHE TLS over OpenVPN configured with OpenSSL configured with enable-ec_nistp_64_gcc_128 to support ECC curve P-256. Sounds layered and suboptimal, but suffices?drehttps://www.blogger.com/profile/17414510788948258195noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-86495592894686056452013-09-06T23:30:40.497-04:002013-09-06T23:30:40.497-04:00If you weren't so clearly misinformed I'd ...If you weren't so clearly misinformed I'd think maybe I actually have something to worry about. However you didn't even get the recommended version right. The 2.4 version is a release candidate and wouldn't normally be recommended by the Tor project. When it is ready it'll certainly be the recommended version no doubt. You come off more like an incompetent reporter than someone who has a clue what they are talking. Learn to read. The project clearly advises users NOT to use the version of Tor shipping with Ubuntu. The version shipping with Debian is kept up to date. 2.3.x is the latest stable release and what most users should be using. You doing nothing more than speculating on something you have no clue about.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-39747073946128604912013-09-06T21:16:02.453-04:002013-09-06T21:16:02.453-04:00This is a helpful post that highlights an importan...This is a helpful post that highlights an important security issue. However, the paragraph on Tor software being out of date--and the reasons it might be so--isn't quite right. The current recommended stable version of Tor is 0.2.3.25-12. The current alpha release is Tor 0.2.4.17-rc, and people running relays are being encouraged to use this version on the mailing lists. So the repositories, by recommending Tor 0.2.3.x, aren't necessarily out of date. However, the Tor website does advise against using the Ubuntu repositories because they aren't "reliably updated" (https://www.torproject.org/docs/debian#ubuntu). Also, the most up to date version of Tor can be found at the following repository: deb http://deb.torproject.org/torproject.org/ tor-nightly-0.2.4.x-wheezy main. None of this, of course, is to say that 2048 bit keys shouldn't be adopted as quickly as possible, but I think it's important to be clear about which version of Tor is which.Shawnhttp://shamiller.netnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-59089893546643355252013-09-06T18:47:55.531-04:002013-09-06T18:47:55.531-04:00In principle, the shared secret can have any size....In principle, the shared secret can have any size. A cursory Google search shows NSS had a 1024-bit limit that was lifted in 2004. Have you checked 1024-bit is always the size chosen by the encryption software?<br /><br />Also, I know 1024-bit factorization is likely "broken in practice", but I couldn't find much info on Diffie-Hellman key exchange sizes. Could you link to it?arcnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-70624696205670870072013-09-06T17:09:48.164-04:002013-09-06T17:09:48.164-04:00Fascinating! Thank you for the analysis and data....Fascinating! Thank you for the analysis and data. Do you know where the 1024-bit limit on DHE comes from? Is that a Tor-specific limitation? Is it that the older versions generated a 1024-bit DH key by default? I don't see anything in the specification of TLS that limits DH to 1024-bit keys.Anonymousnoreply@blogger.com