Opened 4 years ago

Last modified 3 years ago

#17244 needs_information defect

Low entropy PRNG usage in Tor Browser?

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We should look for places where Tor Browser may leak the state of a low-entropy PRNG, thus linking a user across sites. Math.random() is a possibility. (I haven't investigated yet.)

Child Tickets

Change History (8)

comment:1 Changed 4 years ago by arthuredelstein

For Math.random(), it appears a separate PRNG state is initialized for each JS context. So, unless I am missing something, it appears that separate sites cannot be linked through PRNG state.

However, the Math.random() state is initialized with the local time in microseconds, which is very low entropy. Soeder et al showed that it is possible to run the PRNG in reverse (see section 4.2.2). So it should be relatively easy to extract the local time from Math.random(). If we want to hide the local clock skew, it will be necessary to change Math.random() to a high-entropy (non clock-based) source.

Last edited 4 years ago by arthuredelstein

comment:2 Changed 4 years ago by gk

Cc: gk added

comment:3 Changed 4 years ago by yawning

https://bugzilla.mozilla.org/show_bug.cgi?id=322529 has a long rambling discussion on this, and no patch.

To alleviate tracking concerns the seed needs to be changed. To make the world a better place, the algorithm could be replaced with something sensible as well (Just replacing the algorithm is insufficient to prevent the bad guys from making an educated guess about the clock, even if the algorithm has backtracking resistance).

comment:4 in reply to: 3 Changed 4 years ago by arthuredelstein

Replying to yawning:

https://bugzilla.mozilla.org/show_bug.cgi?id=322529 has a long rambling discussion on this, and no patch.

To alleviate tracking concerns the seed needs to be changed. To make the world a better place, the algorithm could be replaced with something sensible as well (Just replacing the algorithm is insufficient to prevent the bad guys from making an educated guess about the clock, even if the algorithm has backtracking resistance).

Thanks for making this point and for the link. One possibility would be to use the '@mozilla.org/security/random-generator;1' (which is used to implement window.crypto.getRandomValues()), either as the seed alone or to replace both the seed and the algorithm. I don't know what the downsides might be -- perhaps there might be a performance penalty.

It's interesting to see that Mozilla attempted to prevent cross-site tracking when they decided to re-seed the PRNG for each JS context in this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=475585

comment:5 Changed 3 years ago by gk

Keywords: TorBrowserTeam201510 removed
Severity: Normal
Status: new → needs_information

https://bugzilla.mozilla.org/show_bug.cgi?id=868860 is supposed to initialize the seed way better. Does that alleviate your concerns?

comment:6 Changed 3 years ago by cypherpunks

comment:7 in reply to: 3 Changed 3 years ago by gk

Replying to yawning:

https://bugzilla.mozilla.org/show_bug.cgi?id=322529 has a long rambling discussion on this, and no patch.

FWIW ESR 45 will have this fixed.

comment:8 Changed 3 years ago by bugzilla

ff45-esr-will-have?
