Abstract
In its more than ten years of existence, the Tor network has seen hundreds of thousands of relays come and go. Each relay maintains several RSA keys, amounting to millions of keys, all archived by The Tor Project. In this paper, we analyze 3.7 million RSA public keys of Tor relays. We (i) check if any relays share prime factors or moduli, (ii) identify relays that use non-standard exponents, (iii) characterize malicious relays that we discovered in the first two steps, and (iv) develop a tool that can determine what onion services fell prey to said malicious relays. Our experiments revealed that ten relays shared moduli and 3,557 relays—almost all part of a research project—shared prime factors, allowing adversaries to reconstruct private keys. We further discovered 122 relays that used non-standard RSA exponents, presumably in an attempt to attack onion services. By simulating how onion services are positioned in Tor’s distributed hash table, we identified four onion services that were targeted by these malicious relays. Our work provides both The Tor Project and onion service operators with tools to identify misconfigured and malicious Tor relays to stop attacks before they pose a threat to Tor users.
All four authors contributed substantially and share first authorship. The names are ordered alphabetically.
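The three key checks listed in the abstract (shared moduli, shared prime factors, non-standard exponents), as an added example that is not the authors' tool. It assumes batch GCD via product and remainder trees as the shared-factor method (the abstract does not name one), assumes 65537 as Tor's standard exponent, and runs on constructed relay names and toy moduli.

```python
from collections import defaultdict
from math import gcd, prod

TOR_EXPONENT = 65537  # assumption: the exponent Tor relays are expected to use


def batch_gcd(moduli):
    """For each n_i return gcd(n_i, product of all other moduli)."""
    # Product tree: leaves are the moduli, the root is their product P.
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    # Remainder tree: push P down, reducing modulo n^2 at every node.
    rems = tree.pop()
    for level in reversed(tree):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n_i^2) / n_i equals (P / n_i) mod n_i, so this gcd is 1
    # exactly when n_i shares no factor with any other modulus.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(keys):
    """keys: iterable of (relay_name, n, e). Returns three sorted name lists."""
    by_modulus = defaultdict(list)
    odd_exponent = []
    for name, n, e in keys:
        by_modulus[n].append(name)
        if e != TOR_EXPONENT:
            odd_exponent.append(name)
    shared_modulus = [x for names in by_modulus.values()
                      if len(names) > 1 for x in names]
    # Deduplicate first: identical moduli would otherwise flood the GCD step.
    unique = list(by_modulus)
    shared_prime = [name for n, g in zip(unique, batch_gcd(unique)) if g != 1
                    for name in by_modulus[n]]
    return sorted(shared_modulus), sorted(shared_prime), sorted(odd_exponent)


# Constructed sample: toy moduli built from small primes, hypothetical names.
SAMPLE = [
    ("relayA", 1009 * 1013, 65537),  # shares the prime 1009 with relayB
    ("relayB", 1009 * 1019, 65537),
    ("relayC", 1021 * 1031, 65537),  # same modulus as relayD
    ("relayD", 1021 * 1031, 65537),
    ("relayE", 1033 * 1039, 3),      # non-standard exponent
]

if __name__ == "__main__":
    for label, names in zip(("shared modulus", "shared prime", "odd exponent"),
                            audit(SAMPLE)):
        print(f"{label}: {names}")
```

The same functions work on real key sizes; only the sample values are small.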
Notes
1. The name is an acronym for “identifying targeted onion services.”
2. Our project page is available online at https://nymity.ch/anomalous-tor-keys/.
3. This information includes IP addresses, ports, version numbers, and cryptographic information, just to name a few.
4. The term “hidden services” was used in the past but was discontinued, in part because onion services provide more than just “hiding” a web site.
5. Both the tool and our list of onion services are available online at https://nymity.ch/anomalous-tor-keys/.
6. The onion service seems to be identical to the website https://www.marxists.org (visited on 2017-05-09).
7. We here use Jaggard and Syverson’s nomenclature of an adversary that either targets specific Tor users (targeting) or hoovers up all available data to deanonymize as many users as possible (hoovering) [17].
8. We refer to these relays as randomly chosen for simplicity, but the path selection algorithm is more complicated.
References
Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: CCS. ACM (2015). https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf. Accessed 22 Sept 2017
Bernstein, D.J.: How to find smooth parts of integers (2004). https://cr.yp.to/factorization/smoothparts-20040510.pdf. Accessed 9 May 2017
Bernstein, D.J., et al.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_18, https://smartfacts.cr.yp.to/smartfacts-20130916.pdf
Biryukov, A., Pustogarov, I., Weinmann, R.P.: Trawling for Tor hidden services: detection, measurement, deanonymization. In: Security and Privacy. IEEE (2013). http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf. Accessed 9 May 2017
Boneh, D.: Twenty years of attacks on the RSA cryptosystem. Not. Am. Math. Soc. 46(2) (1999). http://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf. Accessed 9 May 2017
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_16
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997). https://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf. Accessed 9 May 2017
Dingledine, R.: Tor security advisory: “relay early” traffic confirmation attack, July 2014. https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/. Accessed 9 May 2017
Dingledine, R., Mathewson, N.: Tor protocol specification. https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt. Accessed 9 May 2017
Dorey, K., Chang-Fong, N., Essex, A.: Indiscreet logs: Diffie-Hellman backdoors in TLS. In: NDSS. Internet Society (2017). https://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/ndss2017_04A-2_Dorey_paper.pdf. Accessed 19 Sept 2017
Freedom of the Press Foundation: SecureDrop. https://securedrop.org. Accessed 19 Sept 2017
Gajek, J.: ssl-dh-params. https://nmap.org/nsedoc/scripts/ssl-dh-params.html. Accessed 22 Sept 2017
Goldberg, I., Stebila, D., Ustaoglu, B.: Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptogr. 67(2), 245–269 (2013). Accessed 9 May 2017
Hastings, M., Fried, J., Heninger, N.: Weak keys remain widespread in network devices. In: IMC. ACM (2016). https://www.cis.upenn.edu/~nadiah/papers/weak-keys/weak-keys.pdf. Accessed 9 May 2017
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX Security. USENIX (2012). https://factorable.net/weakkeys12.extended.pdf. Accessed 9 May 2017
Heninger, N., Halderman, J.A.: Fastgcd. https://factorable.net/fastgcd-1.0.tar.gz. Accessed 9 May 2017
Jaggard, A.D., Syverson, P.: Oft target. In: HotPETs (2017). https://petsymposium.org/2017/papers/hotpets/oft-target-1707.pdf
Jansen, R., Hopper, N.: Shadow: running Tor in a box for accurate and efficient experimentation. In: NDSS. Internet Society (2012). http://www.robgjansen.com/publications/shadow-ndss2012.pdf. Accessed 9 May 2017
Johnson, D.: Stem docs. https://stem.torproject.org. Accessed 9 May 2017
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_37
Litzenberger, D.: PyCrypto - the Python cryptography toolkit. https://www.dlitz.net/software/pycrypto/. Accessed 9 May 2017
Mathewson, N.: Next-generation hidden services in Tor. https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt. Accessed 1 Aug 2017
Matic, S., Kotzias, P., Caballero, J.: CARONTE: detecting location leaks for deanonymizing Tor hidden services. In: CCS. ACM (2015). https://software.imdea.org/~juanca/papers/caronte_ccs15.pdf. Accessed 9 May 2017
Muffett, A.: Facebook brute forcing hidden services, October 2014. https://lists.torproject.org/pipermail/tor-talk/2014-October/035413.html. Accessed 9 May 2017
Nurmi, J.: Ahmia - search Tor hidden services. https://ahmia.fi/onions/. Accessed 9 May 2017
O’Cearbhaill, D.: Trawling Tor hidden service - mapping the DHT (2013). https://donncha.is/2013/05/trawling-tor-hidden-services/. Accessed 9 May 2017
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). https://people.csail.mit.edu/rivest/Rsapaper.pdf. Accessed 9 May 2017
Roberts, L.M.: Anomalous keys in Tor relays. Technical report, April 2017. https://lists.torproject.org/pipermail/tor-dev/2017-April/012161.html. Accessed 2 Aug 2017
Swanson, E.: Scallion - GPU-based onion hash generator. https://github.com/lachesis/scallion. Accessed 9 May 2017
The Tor Project: CollecTor. https://collector.torproject.org. Accessed 9 May 2017
The Tor Project: Servers - Tor metrics. https://metrics.torproject.org/networksize.html. Accessed 9 May 2017
The Tor Project: Tor directory protocol, version 3. https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt. Accessed 2 Aug 2017
The Tor Project: Tor research safety board. https://research.torproject.org/safetyboard.html. Accessed 9 May 2017
The Tor Project: Tor shared random subsystem specification. https://gitweb.torproject.org/torspec.git/tree/srv-spec.txt. Accessed 2 Aug 2017
Valenta, L., et al.: Measuring small subgroup attacks against Diffie-Hellman. In: NDSS. Internet Society (2017). https://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/ndss2017_04A-1_Valenta_paper_0.pdf. Accessed 19 Sept 2017
Valenta, L., Cohney, S., Liao, A., Fried, J., Bodduluri, S., Heninger, N.: Factoring as a service. In: Financial Cryptography. ACM (2016). https://eprint.iacr.org/2015/1000.pdf. Accessed 9 May 2017
Winter, P.: Are vanity onion domains a good idea?, October 2015. https://moderncrypto.org/mail-archive/messaging/2015/001928.html. Accessed 9 May 2017
Winter, P., Ensafi, R., Loesing, K., Feamster, N.: Identifying and characterizing Sybils in the Tor network. In: USENIX Security. USENIX (2016). https://nymity.ch/sybilhunting/pdf/sybilhunting-sec16.pdf. Accessed 9 May 2017
Acknowledgements
We want to thank Nadia Heninger and Josh Fried for augmenting their database with our moduli and attempting to find factors in them. We also want to thank Ralf-Philipp Weinmann, Ivan Pustogarov, Alex Biryukov from the Trawling research team and Donncha O’Cearbhaill from The Tor Project for providing us with additional information that helped us in our analysis of the weak keys. Finally, we want to thank Edward W. Felten for providing valuable feedback on an earlier version of our paper. This research was supported by the Center for Information Technology Policy at Princeton University and the National Science Foundation Awards CNS-1540066, CNS-1602399, CNS-1111539, CNS-1314637, CNS-1520552, and CNS-1640548.
A Potentially Targeted Onion Services
Copyright information
© 2018 International Financial Cryptography Association
About this paper
Cite this paper
Kadianakis, G., Roberts, C.V., Roberts, L.M., Winter, P. (2018). “Major Key Alert!” Anomalous Keys in Tor Relays. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science, vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_1
DOI: https://doi.org/10.1007/978-3-662-58387-6_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58386-9
Online ISBN: 978-3-662-58387-6
eBook Packages: Computer Science (R0)