On Mon, 2010-10-18 at 14:49 -0400, Gregory Maxwell wrote:
> On Mon, Oct 18, 2010 at 2:37 PM, <[email protected]> wrote:
> > Maybe this subject has already been discussed here.
> >
> > Given, an attacker succeeds to break into a large number of Tor nodes and
> > gets a copy of the secret keys from all those nodes. This would increase
> > the chance to decrypt parts of the traffic that goes through the tor
> > network. Am I right?
> [snip]
>
> No, Tor uses perfect forward secrecy. The session key for every node
> to node link is encrypted with one-time ephemeral keying.

If an attacker compromises the private keys of an OR, he can authenticate himself as the OR during the TLS and the circuit establishment process. Consequently, the attacker could read and decrypt traffic by mounting a man-in-the-middle attack. Due to the property of perfect forward secrecy, it can only affect connections that are established after the key was compromised. All connections prior to this event are still protected due to the property of the used DH key exchange protocol [1].

To answer your other question:

> So would it be of advantage for the Tor network to change keys from
> time to time, like one should do with his passwords?

Yes, it has advantages. Tor has this concept of long term key, mid term key, and short term key (see section 1.1 of the Tor spec [2]). The short term key should be rotated at least once a day according to the spec. However, I'm not sure in which interval Tor changes the mid term key and long term key respectively. Anyway, once the computer is compromised, changing the keys is more or less meaningless.

--Benne

[1] http://www.cypherpunks.ca/~iang/pubs/torsec.pdf
[2] https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=doc/spec/tor-spec.txt
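
Added illustration, not part of the original thread and not Tor's handshake or code: a simplified model of the point made above, contrasting a session key encrypted to a long-term key with an ephemeral DH exchange that the long-term key only signs. The toy group, the textbook RSA key and all function names are assumptions constructed for this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                    # DH modulus (Mersenne prime) and base
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1     # primes behind the long-term key
N, E = RSA_P * RSA_Q, 65537             # long-term public key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # long-term private key


def digest(value):
    """Hash an integer into the toy RSA message space."""
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % N


def sign(private_key, value):
    return pow(digest(value), private_key, N)


def verify(value, signature):
    return pow(signature, E, N) == digest(value)


def key_transport():
    """No forward secrecy: the session secret is encrypted to the long-term key."""
    secret = secrets.randbelow(N - 2) + 2
    return secret, {"ciphertext": pow(secret, E, N)}


def signed_dh(private_key):
    """Forward secret: the long-term key only signs the relay's DH share."""
    x = secrets.randbelow(P - 3) + 2    # client's ephemeral exponent
    y = secrets.randbelow(P - 3) + 2    # relay's ephemeral exponent
    gx, gy = pow(G, x, P), pow(G, y, P)
    recorded = {"gx": gx, "gy": gy, "sig": sign(private_key, gy)}
    # x and y are dropped on return; deriving the key needs one of them.
    return pow(gy, x, P), pow(gx, y, P), recorded


def read_recorded_key_transport(stolen_key, recorded):
    """A later key compromise opens a recorded key-transport session."""
    return pow(recorded["ciphertext"], stolen_key, N)


def stolen_key_signs_new_share(stolen_key):
    """The same key lets its holder authenticate a fresh DH share (future MITM)."""
    gz = pow(G, secrets.randbelow(P - 3) + 2, P)
    return verify(gz, sign(stolen_key, gz))
```

The recorded DH transcript holds only gx, gy and the signature, so the stolen D gives no way to recompute that session key; it only helps with handshakes made after the compromise.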

