Pluggable Transports Roadmap

Similar documents
(2½ hours) Total Marks: 75

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

(S//REL) Open Source Multi-Hop Networks

L13. Reviews. Rocky K. C. Chang, April 10, 2015

0x1A Great Papers in Computer Security

Anonymity. Assumption: If we know IP address, we know identity

A SIMPLE INTRODUCTION TO TOR

Telex Anticensorship in the

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Real-time protocol. Chapter 16: Real-Time Communication Security

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Port-Scanning Resistance in Tor Anonymity Network. Presented By: Shane Pope Dec 04, 2009

CE Advanced Network Security Anonymity II

CS 494/594 Computer and Network Security

CSE484 Final Study Guide

Anonymous Network Concepts & Implementation

The Parrot is Dead: Observing Unobservable Network Communications. Amir Houmansadr Chad Brubaker Vitaly Shmatikov

AIT 682: Network and Systems Security

CSC Network Security

Low-Cost Traffic Analysis of Tor

ENEE 459-C Computer Security. Security protocols (continued)

Session key establishment protocols

Session key establishment protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

ENEE 459-C Computer Security. Security protocols

Anonymous communications: Crowds and Tor

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Network Security and Cryptography. 2 September Marking Scheme

Weighted Factors for Measuring Anonymity Services: A Case Study on Tor, JonDonym, and I2P

Key Establishment and Authentication Protocols EECE 412

Telex Anticensorship in the Network Infrastructure

Linux Network Administration

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

IP Mobility vs. Session Mobility

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement

The OpenSSH Protocol under the Hood

CLIENT SERVER SYNERGY USING VPN

Network Security Chapter 8

Information Security: Principles and Practice Second Edition. Mark Stamp

Computer Networks. Wenzhong Li. Nanjing University

Facade: High-Throughput, Deniable Censorship Circumvention Using Web Search

Transport Level Security

Authentication CHAPTER 17

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Network Security and Cryptography. December Sample Exam Marking Scheme

CIS 4360 Secure Computer Systems Applied Cryptography

CSE 565 Computer Security Fall 2018

Cryptanalysis. Ed Crowley

Protocols for Anonymous Communication

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Cryptography ThreeB. Ed Crowley. Fall 08

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

The Secure Shell (SSH) Protocol

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version

Transport Layer Security

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Metrics for Security and Performance in Low-Latency Anonymity Systems

2.1 Basic Cryptography Concepts

8. Network Layer Contents

Cryptography and Network Security

Chapter 10 : Private-Key Management and the Public-Key Revolution

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Network Access Flows APPENDIXB

David Wetherall, with some slides from Radia Perlman s security lectures.

RTP. Prof. C. Noronha RTP. Real-Time Transport Protocol RFC 1889

Summary on Crypto Primitives and Protocols

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

ANET: An Anonymous Networking Protocol

Computer Security CS 526

CSE 127: Computer Security Cryptography. Kirill Levchenko

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Onion services. Philipp Winter Nov 30, 2015

Mobile network security report: Ukraine

Firepower Threat Defense Site-to-site VPNs

Chapter 4: Securing TCP connections

Configuring Virtual Servers

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

A different kind of Crypto

CS 361S - Network Security and Privacy Spring Homework #1

Evaluation Criteria for Web Application Firewalls

Feedback Week 4 - Problem Set

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

The Loopix Anonymity System

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

TSIN02 - Internetworking

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Lecture 1: Course Introduction

Total No. of Questions : 09 ] [ Total No.of Pages : 02

Transcription:

Pluggable Transports Roadmap Steven J. Murdoch and George Kadianakis steven.murdoch@cl.cam.ac.uk,asn@torproject.org Tor Tech Report 2012-03-003 March 17, 2012 Abstract Of the currently available pluggable transports, obfs2 is a good default due to its efficiency and resistance to blocking. StegoTorus offers alternative pluggable transports which are significantly harder to block, but come with a much higher overhead. Suggestions for future development include: efficiency improvements, splitting and joining Tor cells to disguise Tor s distinctive packet-size probability distribution, efficient ways to hide ciphertext in compressed data, hardening obfs2 against a passive adversary, and designing a HTTP transport capable of traversing a proxy server. 1 Introduction This paper discusses the currently available pluggable transports for Tor, and their various advantages and disadvantages. It concludes with suggestions for further development. 1.1 Dust Dust [3] defines a packet format in which there are no identifiable patterns in the payload. Therefore, it is hoped, Deep Packet Inspection (DPI) equipment should be unable to reliably block Dust packets, or identify Dust hosts. In addition to the packet format, Dust defines a public-key key-exchange protocol which is resistant to a passive or active adversary, but does not provide perfect-forward-secrecy. Part of the key exchange is performed offline, and the remainder is online. 1.1.1 Strengths Dust assumes a reasonably strong threat model, in that the adversary may be active. Dust also goes to some lengths to ensure that there are no static fingerprints in the payload packets, and permits padding to be added so as to disguise packet length. Dust is versatile, and can be carried both by TCP and UDP.

1.1.2 Weaknesses Currently Dust does not provide reliable in-order delivery, so cannot be directly used as a Tor pluggable transport. Deployment is also made more difficult by having key-exchange partially offline. Packets which are entirely random do stand out, but it is not clear that DPI equipment can perform such entropy tests. 1.2 obfs2 obfs2 [1] is currently the only protocol supported by the obsfproxy framework. In a similar way to Dust, it aims to have no static protocol fingerprint, but it is simpler. obfs2 depends on a reliable in-order transport (typically TCP) and offers a reliable in-order transport to layers above (i.e. Tor). 1.2.1 Strengths obfs2 is relatively simple and has no static protocol signature to block. It is already implemented as a pluggable transport and has been tested in the field. obfs2 has a low overhead (just a key-exchange) and uses only symmetric cryptography so is fast. 1.2.2 Weaknesses obfs2 is not resistant to either an active or passive adversary, as someone who has recorded the initial key exchange can recover the session key and decode the traffic. obfs2 also makes no attempt to hide packet lengths. Like Dust, obfs2 s high-entropy output format does make it possible to distinguish from most other protocols. 1.3 StegoTorus: Packet Chopping StegoTorus defines a series of transports, all based on the packet chopper, but the packet chopper can be used by itself. Like Dust and obfs2, packets are indistinguishable from random. By using public key cryptography, StegoTorus is resistant to a passive adversary, but the lack of key-exchange authentication means that it is vulnerable to a man-in-the-middle attack. The key exchange also does not provide perfect-forward-secrecy. The chopper provides a reliable in-order transport, and so is suitable to be used as a Tor pluggable transport. The chopper depends on an underlying reliable transport, but it does not have to be in-order. The packet format permits padding to be added. 1.3.1 Strengths The packet chopper has been implemented and tested as a pluggable transport, and is more resilient than obfs2 to passive attacks. The packet chopper is also more versatile in that it does not need an in-order transport. 2

1.3.2 Weaknesses The packet chopper is more complex than obfs2 and has more overhead. Like obfs2 and Dust, the high entropy packets could conceivably be detected. 1.4 StegoTorus: Embed Module The embed module is built on the packet chopper. It takes a network trace and substitutes the output of the chopper into the payload of the trace. Since traces are to be collected from encrypted communication, an adversary should not be able to tell that the encrypted payload has been replaced with another encrypted payload. 1.4.1 Strengths Unlike the previous transports, the embed module does not have an unusually high entropy of payload. Provided the packet traces are selected appropriately it should be very hard to distinguish this transport s use. 1.4.2 Weaknesses Before this transport can be used, a sufficiently large number packet traces have to be distributed to clients that they cannot all simply be blocked. If the operator of the DPI system has a better understanding of the protocol being impersonated than the designer of the embedder, it might be possible to develop blocking mechanisms. The embed module can only impersonate encrypted protocols, and has a moderately high overhead due to padding. 1.5 StegoTorus: HTTP Module An alternative to the embed module is HTTP. This also requires network traces, but is no longer restricted to only encrypted protocols. Instead, Javascript, PDF and SWF files are used for server to client communication (client to server communication uses the cookie header). 1.5.1 Strengths Here, even blocking all encrypted protocols will not be sufficient to block the HTTP transport. As such, it is one of the most blocking-resistant protocols developed. 1.5.2 Weaknesses Unfortunately, the overhead of the HTTP module is very high and as a result performance is low. Currently, HTTP protocol compliance is not sufficiently complete to permit traffic being processed through a HTTP proxy. 3

1.6 bananaphone bananaphone [2] is an encoding scheme which transforms a stream of binary data into a stream of tokens (eg, something resembling natural language text) such that the stream can be decoded by concatenating the hashes of the tokens. 1.6.1 Strengths The strength of bananaphone is that its output resembles arbitrarily formatted data. For example, its output can look like a natural language, or the chunks of an MP3 file. Furthermore, bananaphone can also be used to generate payloads for other pluggable transports (e.g. HTTP or IRC transports). 1.6.2 Weaknesses bananphone is not able to produce truly realistic looking output. That is, bananaphone output emulating a natural language will look wrong upon human inspection. Standalone bnanaphone is not able to withstand adversaries willing to whitelist specific network protocols. 1.7 Easy-Come-Easy-Go Transports (ECEGT) Another deployment idea is to create a number of easy-to-implement but easy-to-block pluggable transports. Pluggable transport proxies are designed to be modular and to allow fast development of pluggable transports, while most DPI systems are not currently designed with the same modular mindset. 1.7.1 Strengths The main strength of this idea is that by carefully selecting the strengths of each ECEGT, censors might be forced to build distinguishers for each one of them. For example, a simple obfs2-over-base64 transport would reduce the entropy of obfs2 and also obfuscate the packet sizes a bit. This will probably force censors to add more rules to their DPI systems, which not only takes time but also increases their false-positive rates. 1.7.2 Weaknesses The obvious weakness of ECEGT is that censors can easily find ways to block them. 2 Protocol trade-offs The discussion above has shown some trade-offs which must be made when designing a protocol. 4

2.0.3 Perfect forward secrecy To achieve perfect forward secrecy, a Diffie-Hellman key exchange needs to be performed. This requires public key cryptography, and also one more round-trip than otherwise necessary. While desirable, Tor already provides perfect forward secrecy, so it is not essential that the pluggable transport does so. 2.0.4 Resistance to passive and active attacks A goal of any blocking resistance scheme is resistance to being reliably fingerprinted by a passive attack. However, some (such as obfs2) only try to avoid identification by string matching rather than an arbitrary passive attack. To reliably resist passive attacks, public key cryptography can be used. Resisting active attacks is harder. Unless there is out-of-band exchange of an authentication key, a man-in-the-middle can always impersonate both sides of the communication. However, while resisting active attacks is desirable, the underlying Tor protocol already provides resistance. 2.0.5 Entropy fingerprinting Tor traffic is encrypted and therefore inevitably is high-entropy. Any transport which attempts to reduce the entropy of data must therefore significantly increase the payload size. This restricts efficient blocking resistant protocols to impersonating encrypted protocols, or perhaps compressed data (on the assumption that DPI equipment will not decode the compressed data). 2.0.6 Padding and splitting Even if traffic payload is disguised, directly encoding Tor packets will lead to a characteristic set of packet sizes. By basing network traffic on observed network traces, StegoTorus resists blocking based on packet sizes but at the cost of a high padding overhead. 3 Potential censorship techniques It is difficult to predict the approach which will be taken by censors, especially as some are willing to block all encrypted traffic, at least temporarily. Some potential techniques (e.g. entropy detection, protocol whitelisting, etc.) are implicit in the development of fingerprinting resistant transports. However one approach which could work, even against the StegoTorus HTTP module, is to require all data be sent via a HTTP proxy (which itself blocks encrypted traffic). This is done in some high-security corporate environments so it is likely that commercially available filtering equipment is capable of enforcing this policy. 5

4 Further avenues of research In case HTTP proxy filtering is deployed, it would be useful to have a pluggable transport which was compatible enough with HTTP to make it through unscathed. Further efficiency improvements could be made to all protocols. Some possibilities are simple (e.g. compression of Tor data, taking advantage of the predictable TLS headers), but more sophisticated approaches could lead to better results. obfs2 could be extended to resist passive attack by performing a public-key handshake. A better understanding of how to reliably embed encrypted data in compressed fields would make it more difficult to develop filtering equipment capable for distinguishing common compression algorithms from ciphertext. Padding to disguise packet size is expensive, but simply joining or splitting packets would disguise Tor s protocol signature at little or no cost. This approach is not capable of matching an arbitrary packet-size probability distribution, but it would defeat simple packet-size fingerprinting attacks. 5 Changes to Tor There is no transport protocol proposed which is both efficient and very likely to remain unblocked, so the decision to move obfuscation out of Tor still seems appropriate. References [1] George Kadianakis and Nick Mathewson. obfs2 (the twobfuscator). Technical report. https://gitweb.torproject.org/obfsproxy.git/blob/head:/doc/obfs2/ protocol-spec.txt. [2] Leif Ryge. bananaphone: Reverse hash encoding. Technical report. https://github.com/ leif/bananaphone. [3] Brandon Wiley. Dust: A blocking-resistant internet transport protocol. Technical report. http://blanu.net/dust.pdf. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback