MAT A Sek-13-5-a.pdf, Blatt 2 Outline TOR and the need for deanonymisation Data transformation Scoring Results Current status Software GCHQI

Transcription

1 MAT A Sek-13-5-a.pdf, Blatt 1 A potential technique todeanonymise users ofthe TORnetwork OPC-MCR, GCHQ GCHQI

2 MAT A Sek-13-5-a.pdf, Blatt 2 Outline TOR and the need for deanonymisation Data transformation Scoring Results Current status Software GCHQI

3 "The Onion Router" What is TOR? Hides source of traffic by passing encrypted versions of your internet traffic between multiple TOR routers Notation: MAT A Sek-13-5-a.pdf, Blatt 3 - "Client" - the initiator of communication - "Guard node" - the TOR router the client contacts - "Exit node" - the TOR router that relays your traffic to the final destination (with no extra encryption so this link can be exploited by SIGINT system)

4 UK SECRET STRAP1 COMINT MAT A Sek-13-5-a.pdf, Blatt 4 What is TOR?

5 Who uses TOR? TOR was created by the US government and is now maintained by the Electronic Frontier Foundation (EFF) EFF will tell you there are many pseudo-legitimate uses for TOR We're interested as bad people use TOR, in particular: - Terrorists - Paedophiles MAT A Sek-13-5-a.pdf, Blatt 5

6 MAT A Sek-13-5-a.pdf, Blatt 6 Aim Find client IPaddress associated with TOR exit node traffic Attack based on externals - specifically packet timings - Strong crypt is being used This information is exempt from disclosure under the Freedom of lnformatioi^\c^000ajtdmaw3esu other UK information legislation. Refer disclosure requests to GCHQ onj

7 MAT A Sek-13-5-a.pdf, Blatt 7 Aim We'll make our task easier by assuming we own the exit node being used - Allows us to see all the traffic associated with at circuit - Demultiplex traffic by (unknown) user This information is exempt from disclosure under the Freedom ofinformation Act 2000 and may besubject other UK information legislation. Refer disclosure requests togchq on^^^^^^^^^^^^^^^^^^^^^

8 Sidenote: Circuit tracing One suggestion was to track packets through each hop in the TOR network We experimented with spotting all links in circuits created by GCHQ Visibility was too low to be a sensible approach - 13 out of 8294 potential inter-tor-router links were seen We will directly correlate: - exit node traffic, and MAT A Sek-13-5-a.pdf, Blatt 8 - traffic between client and guard node

9 UK SECRET STRAP1 COMINT MAT A Sek-13-5-a.pdf, Blatt 9 Own

10 MAT A Sek-13-5-a.pdf, Blatt 10 Test datacollection Used the standard "TOR button" web-browser package to access TOR Made minor changes to ensure we could collect exit node traffic 1. "News": Search for news, visit news websites 2. "TOR": Browse the TOR website and then use a privacy checking website Split into 2a and 2b as TOR changed circuit mid-way through 1. "Download": visit to SlashDot followed by downloading a large PDF file. 2. "Forum": Search on Google followed by browsing a PC technical help forum. other UK information legislation. Refer disclosure requests to GCHQ on(

11 MAT A Sek-13-5-a.pdf, Blatt 11 Flattening oftimingpatterns (ICTR-NE) observed that TOR can flatten out timing patterns TOR uses a rate-limiting store-and-forward procedure at each TOR router Graph shows bytes of exit node traffic in green and client traffic in red whilst downloading a 1MB file (figure from -5QQ00 h = llllllihlllllll III hh illnlllllnlillll lllll lllllliillllhllii n I T 50; 100s 150s 200s IGCHQ

12 Cumulative packet counts Our new insight is to use cumulative packet counts Hope packets are approximately preserved - Approximate as TOR repacketises data See strong correlation MAT A Sek-13-5-a.pdf, Blatt 12 Exit Guard StoC ~\ r 1 r ~\ :46 15: :52 15:54 15:56 15:45 15:48 15:50 15:52 15:54 15:56 StoC T 16:02 16:04 16:06 StoC :08 16:02 16:04 16:06 16:08 ~stoc 51 StoC 16:12 16:14 15:16 16:18 T 2a 2b 15:22 16:24 16:25 ~1 1 16:28 16:22 15:24 Time (hh:mm) i 1 16:26 16:28 GCHQI This information is exempt from disclosure under the Freedom of Inforn other UK information legislation. Refer disclosure requests to GCHQ or

13 An idea of" UK TOP SECRETSTRAP1 COMINT MAT A Sek-13-5-a.pdf, Blatt 13 Scoring:basicidea - Bin time into intervals - For each interval get a pair (E,, G,) Cumulative exit node packets upto time i Cumulative guard node packets upto time i - Measure the correlation between these pairs We use Is time-windows - Easy for the SIGINT system - Seems to work GCHQI

14 MAT A Sek-13-5-a.pdf, Blatt 14 Scoring:refinements We also expect counts to be similar - Fit a linear model G, = a+pe, - Only accept sessions where V2 < p< 2 GCHQI

15 MAT A Sek-13-5-a.pdf, Blatt 15 Scoring:refinements There may be an unknown time-offset - Traffic takes time to relay through the TOR network - SIGINT clocks may not be synchronised - We slide the traces against each other and find the best match - Truncate to exit node trace (we know that it is a complete TOR circuit) other UK information legislation. Refer disclosure requests to GCHQ on

16 We show how the score behaviour as a function of time slide See high correlation (pink) at small time offset Also generally see (3 (blue) in a sensible range MAT A Sek-13-5-a.pdf, Blatt 16 Self-comparison CtoS CtoS CtoS CtoS CtoS 500 2a 2b r~2-500 _i_ StoC StoC StoC StoC StoC P 'A 500 A 2a 2b Time offset / s IGCHQ other UK information legislation. Refer disclosure requests to GCHQ on

17 MAT A Sek-13-5-a.pdf, Blatt 17 Falsepositives Want an algorithm with very low false positive rate Used 2 hours of (timestamp, source IP, destination IP) tuples captured from 4 10G internet bearers Filtered to tuples between a guard node and a non- TOR node Allow time to arbitrarily slide +/- 2 hours - In real redeployment one would restrict this slide Allow us to plot ROC curves for the technique GCHQI

18 UK TOP SECRET STRAF Falsepositives MAT A Sek-13-5-a.pdf, Blatt 18 Linear - log ROC curve plot Server-to-client good - We miss the very short "2a" session with no false-positives - Threshold r 2 =0.998 High as comparing increasing functions Client-to-server direction - many false positives - There's less structure in data as less data flows in this direction when web-browsinq This information is exempt from disclosure under the Freedom of Infot 1e-06 other UK information legislation. Refer disclosure requests to GCHQ c

19 MAT A Sek-13-5-a.pdf, Blatt 19 A larger experiment We want to find some false hits to understand worst case accuracy for the server-to-client direction Let's open the aperture very wide bearer hours of logs with any time slide - Filter to all traffic involving a TOR node Not just likely guard-to-client traffic as before We find some false hits (540) but rate is assessed to be low enough. 92% of false hits are against the big download session which has little structure

20 The next step We are collecting the required logs of packet times with TOR guard nodes in SIGINT GTE / JTRIG have adapted some TOR exit nodes we own to collect the required exit node data - We are keen to engage with others with exit nodes too Then run the attack - Expect to basically work MAT A Sek-13-5-a.pdf, Blatt 20 - Some extra work might be required to only allow queries on sessions with enough structure Need the bulk data first to progress this question This information is exempt from disclosure under the Freedom of lnformatjorw\c^ooc^ridma^

21 MAT A Sek-13-5-a.pdf, Blatt 21 R package An R packaqe can be downloaded from Includes algorithm and the collected web-browsing data Recommend R packages for sharing analytics, can contain: - R / C / Fortran code - Example data - Runnable examples and documentation - Unit tests This information is exempt from disclosure under the Freedom of Informatioj^c^OOOariajTTaW]

22 MAT A Sek-13-5-a.pdf, Blatt 22 Conclusion Have shown a potential externals-based deanonymisation attack for TOR - Requires SIGINT collection of guard-to-client packet times - Requires TOR collection from exit nodes we own Hope to get this running live at GCHQ soon Full paper and software available from

23 MAT A Sek-13-5-a.pdf, Blatt 23 IGCHQ