"Major Key Alert!" Anomalous Keys in Tor Relays

In its more than ten years of existence, the Tor network has seen hundreds of thousands of relays come and go. Each relay maintains several RSA keys, amounting to millions of keys, all archived by The Tor Project. In this paper, we analyze 3.7 million RSA public keys of Tor relays. We (i) check if any relays share prime factors or moduli, (ii) identify relays that use non-standard exponents, (iii) characterize malicious relays that we discovered in the first two steps, and (iv) develop a tool that can determine what onion services fell prey to said malicious relays. Our experiments revealed that ten relays shared moduli and 3,557 relays—almost all part of a research project—shared prime factors, allowing adversaries to reconstruct private keys. We further discovered 122 relays that used non-standard RSA exponents, presumably in an attempt to attack onion services. By simulating how onion services are positioned in Tor’s distributed hash table, we identified four onion services that were targeted by these malicious relays. Our work provides both The Tor Project and onion service operators with tools to identify misconfigured and malicious Tor relays to stop attacks before they pose a threat to Tor users.

[1]  Nadia Heninger,et al.  Factoring as a Service , 2016, Financial Cryptography.

[2]  Dan Boneh,et al.  TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM , 1999 .

[3]  Arjen K. Lenstra,et al.  Public Keys , 2012, CRYPTO.

[4]  Matthew Green,et al.  Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice , 2015, CCS.

[5]  Aleksander Essex,et al.  Indiscreet Logs: Diffie-Hellman Backdoors in TLS , 2017, NDSS.

[6]  D. Bernstein HOW TO FIND SMOOTH PARTS OF INTEGERS , 2004 .

[7]  Nicholas Hopper,et al.  Shadow: Running Tor in a Box for Accurate and Efficient Experimentation , 2011, NDSS.

[8]  J. Alex Halderman,et al.  Measuring small subgroup attacks against Diffie-Hellman , 2017, NDSS.

[9]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[10]  Nick Feamster,et al.  Identifying and Characterizing Sybils in the Tor Network , 2016, USENIX Security Symposium.

[11]  Alex Biryukov,et al.  Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization , 2013, 2013 IEEE Symposium on Security and Privacy.

[12]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[13]  Philipp Winter,et al.  Anomalous keys in Tor relays , 2017, ArXiv.

[14]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[15]  Juan Caballero,et al.  CARONTE: Detecting Location Leaks for Deanonymizing Tor Hidden Services , 2015, CCS.

[16]  Nadia Heninger,et al.  Weak Keys Remain Widespread in Network Devices , 2016, Internet Measurement Conference.

[17]  Tanja Lange,et al.  Factoring RSA keys from certified smart cards: Coppersmith in the wild , 2013, IACR Cryptol. ePrint Arch..

[18]  Don Coppersmith,et al.  Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known , 1996, EUROCRYPT.

[19]  Ian Goldberg,et al.  Anonymity and one-way authentication in key exchange protocols , 2012, Designs, Codes and Cryptography.