Anonymity
CS 682 Advanced Security Topics
Presentation by: Panayiotou Markos
4th of April 2019
Tor: The Second-Generation Onion Router
R. Dingledine, N. Mathewson, P. Syverson
So, what is Onion Routing?
A technique for anonymous communication over a computer network.
The sender wraps a message in several layers of encryption, one per relay on the path, like the layers of an onion: each relay removes exactly one layer, learns only the next hop, and forwards the rest.
What is Anonymity?
Keeping the user's (real-world) identity hidden while using web services: an observer should not be able to link the user to the destinations they talk to.
Anonymity Systems
Chaum's Mix-Net design: hides the correspondence between sender and receiver by wrapping messages in layers of public-key encryption
These messages traverse a series of mixes en route to the receiver
Mixes decrypt, delay and re-order messages before passing them on
High latency = more security: maximum anonymity requires large latencies; a mix network can resist even a global adversary, but the lag is too much for interactive TCP applications
Low latency = less security (Tor): packets are time-dependent and protocols are bidirectional, so an observer can correlate timing at both ends; that time dependency is the concern
Why Tor? Improvements over the original Onion Routing design
Perfect forward secrecy: in the original design an attacker could record traffic and later compromise the onion routers to decrypt it -> Tor's telescoping path-building design negotiates a fresh session key with each hop, so a later key compromise does not expose past traffic
Separation of protocol cleaning from anonymity: the original design required a separate application proxy for each protocol -> Tor uses a standard SOCKS proxy and leaves protocol sanitising to a separate filtering proxy
Many TCP streams can share one circuit: the original design built a separate circuit for each application-level request -> Tor multiplexes multiple TCP streams over one circuit
Leaky-pipe circuit topology: Tor initiators can direct traffic to nodes partway down the circuit
Congestion control: end-to-end ACKs maintain anonymity while allowing nodes at the edges of the network to detect congestion or flooding
Why Tor? (continued)
Directory servers: Tor uses a small set of trusted nodes as directory servers to provide the network state, instead of flooding state information through the network
Variable exit policies: provides a mechanism for each node to advertise a policy describing which hosts and ports it will connect to
End-to-end integrity checking: the original design had no integrity checking -> Tor verifies data integrity before the data leaves the network
Rendezvous points and hidden services: Tor clients negotiate rendezvous points to connect to hidden servers
Tor Design: Goals & Non-Goals
Goals
Deployability:
1. Not expensive to run
2. No heavy liability for operators
3. Not difficult or expensive to implement
4. Not require non-anonymous parties
Usability (more users -> more security, thus):
1. Not require modifying familiar applications
2. Not introduce prohibitive delays
3. As few configuration decisions as possible
4. Easily implementable on all common platforms
Flexibility:
1. Tor serves as a test-bed for future research
2. Future systems will not need to reinvent Tor's design
Simple design:
1. Design and security must be well understood
2. Aim to deploy a simple and stable system that integrates the best accepted approaches to protecting anonymity
Tor Design: Goals & Non-Goals
Non-Goals
Not peer-to-peer: a decentralised peer-to-peer environment with thousands of short-lived servers, many of which may be controlled by adversaries, is left as an open problem
Not secure against end-to-end attacks: an adversary who can observe both ends of a connection can correlate them; Tor does not try to prevent this
No protocol normalisation: Tor has to be layered with a filtering proxy to get anonymity when using complex and variable protocols like HTTP
Not steganographic: Tor does not conceal who is connected to the network
The Tor Design
Each user runs local software called an Onion Proxy (OP) that is responsible for fetching OR directories, establishing circuits and handling connections from applications
Onion Router (OR) keys:
Long-term identity key: signs TLS certificates, OR descriptors and, for directory servers, directories
Short-term onion key: used to decrypt circuit establishment requests
Short-term TLS key: protects the link between ORs
The Tor Design: Cells
Traffic passes along circuits in fixed-size cells of 512 bytes. Two kinds of cells: control and relay
Cell header: CircID (which circuit the cell refers to) and a command
Control commands (cmd): padding (keepalive), create/created (set up a circuit), destroy (tear down a circuit)
Relay cells carry an additional relay header: streamID, an end-to-end checksum for integrity checking, the length of the relay payload, and a relay command
Relay commands: relay data, relay begin, relay end, relay teardown, relay connected, relay extend/extended, relay truncate/truncated, relay sendme, relay drop
The Tor Design: Circuits and Streams
The Tor Design: Leaky-Pipe Circuits
The Tor Design: Integrity Checking
Integrity is checked at the edges of each stream: by the OP and by the OR a cell is addressed to, not by intermediate hops
At key negotiation, each side initialises a SHA-1 digest with a derivative of the negotiated key
The digest is updated incrementally with every relay cell exchanged with that hop
The first 4 bytes of the current digest are placed in each cell; an OR that removes its layer and finds a matching digest knows the cell is addressed to it and has not been modified in transit
The digest travels encrypted as part of the relay header, so only the intended hop can read or check it
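The three preceding slides (cell layout, circuits with one encryption layer per hop, leaky-pipe delivery, and per-hop digest checking) are easiest to see working together. The following is an added example written for this page, not Tor's own code: a toy model of relay cells in which the client wraps a cell in layers for only the hops up to its target, and each router peels one layer and tests whether the digest "recognises" the cell. Assumptions: field widths follow the paper's cell figure with the digest trimmed to the 4 bytes actually compared (2-byte circID, 1-byte command, 2-byte streamID, 4-byte digest, 2-byte length, 1-byte relay command, 500 bytes of data); command numbers are arbitrary; a SHA-256 counter-mode keystream stands in for the real per-hop cipher; key negotiation is abstracted away with keys derived from a fixed seed; all function and class names are mine.

```python
"""Toy model of Tor relay cells: fixed 512-byte cells, one encryption layer per hop,
per-hop running SHA-1 digests, and leaky-pipe delivery to a hop partway down the
circuit. Added example, not Tor's own code; standard library only."""
import hashlib
import struct

CELL_LEN = 512
CIRC_HDR = struct.Struct(">HB")          # circID (2 bytes), command (1 byte)
RELAY_HDR = struct.Struct(">H4sHB")      # streamID, first 4 digest bytes, length, relay cmd
PAYLOAD_LEN = CELL_LEN - CIRC_HDR.size   # 509 bytes of relay payload
DATA_LEN = PAYLOAD_LEN - RELAY_HDR.size  # 500 bytes of stream data
CMD_RELAY, RELAY_DATA = 3, 2             # command numbers: assumed for the toy
ZERO_DIGEST = b"\0\0\0\0"


def _keystream(key, counter, n):
    """Toy stream cipher (SHA-256 in counter mode) standing in for the real per-hop
    symmetric cipher; every cell passing a hop consumes a fresh counter value."""
    out, block = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">QQ", counter, block)).digest()
        block += 1
    return bytes(out[:n])


class HopState:
    """State mirrored at the client and at one onion router: the negotiated key,
    a counter of forward cells seen by this hop, and the running digest seeded
    from the key (the paper's 'derivative of the negotiated key')."""
    def __init__(self, key):
        self.key, self.fwd_ctr = key, 0
        self.digest = hashlib.sha1(b"digest-seed|" + key)

    def crypt(self, payload):
        """Add or remove this hop's layer (XOR is its own inverse)."""
        ks = _keystream(self.key, self.fwd_ctr, len(payload))
        self.fwd_ctr += 1
        return bytes(a ^ b for a, b in zip(payload, ks))


def build_relay_cell(client_hops, hop_index, circ_id, stream_id, relay_cmd, data):
    """Client side. The cell is fed into the target hop's running digest, stamped with
    the first 4 digest bytes, then wrapped in layers for hops 0..hop_index ONLY, so
    hops further down the circuit never see it (leaky pipe)."""
    assert len(data) <= DATA_LEN
    body = data.ljust(DATA_LEN, b"\0")
    target = client_hops[hop_index]
    d = target.digest.copy()
    d.update(RELAY_HDR.pack(stream_id, ZERO_DIGEST, len(data), relay_cmd) + body)
    target.digest = d
    payload = RELAY_HDR.pack(stream_id, d.digest()[:4], len(data), relay_cmd) + body
    for hop in reversed(client_hops[:hop_index + 1]):   # innermost layer first
        payload = hop.crypt(payload)
    return CIRC_HDR.pack(circ_id, CMD_RELAY) + payload


def router_process(hop, payload):
    """Router side. Peel one layer, then test the digest: on a match the cell is
    'recognised' (addressed to us and unmodified) and the digest is committed;
    otherwise the still-encrypted remainder is handed to the next hop."""
    payload = hop.crypt(payload)
    stream_id, digest, length, relay_cmd = RELAY_HDR.unpack_from(payload)
    body = payload[RELAY_HDR.size:]
    d = hop.digest.copy()
    d.update(RELAY_HDR.pack(stream_id, ZERO_DIGEST, length, relay_cmd) + body)
    if d.digest()[:4] == digest:
        hop.digest = d
        return True, stream_id, relay_cmd, body[:length], payload
    return False, None, None, None, payload


def route(router_hops, cell):
    """Walk a cell down the circuit. Returns (hop index, streamID, relay cmd, data)
    for the hop that recognised it, or (None, None, None, None) if no hop did: a
    tampered cell falls off the end, which a real exit answers by tearing down."""
    _, cmd = CIRC_HDR.unpack_from(cell)
    assert cmd == CMD_RELAY and len(cell) == CELL_LEN
    payload = cell[CIRC_HDR.size:]
    for i, hop in enumerate(router_hops):
        ok, sid, rcmd, data, payload = router_process(hop, payload)
        if ok:
            return i, sid, rcmd, data
    return None, None, None, None


def build_circuit(n, seed=b"demo"):
    """Key establishment is abstracted away: real Tor negotiates each hop's key with
    Diffie-Hellman through the hops already built (telescoping). Here both sides get
    keys derived from a fixed seed so the demo is reproducible."""
    keys = [hashlib.sha256(seed + bytes([i])).digest() for i in range(n)]
    return [HopState(k) for k in keys], [HopState(k) for k in keys]


def demo():
    client, routers = build_circuit(3)
    to_exit = route(routers, build_relay_cell(client, 2, 7, 1, RELAY_DATA, b"GET / HTTP/1.0"))
    to_middle = route(routers, build_relay_cell(client, 1, 7, 2, RELAY_DATA, b"to the middle hop"))
    tampered = bytearray(build_relay_cell(client, 2, 7, 1, RELAY_DATA, b"x"))
    tampered[100] ^= 0x01          # a hostile hop flips one bit (a tagging attempt)
    dropped = route(routers, bytes(tampered))
    return to_exit, to_middle, dropped, [h.fwd_ctr for h in routers]
```

In demo() the second cell stops at the middle hop, and the exit's cell counter stays untouched; the tampered cell is recognised by nobody because the flipped bit changes the digest every hop computes. Note what the model also shows: once a cell is lost this way the client's and the exit's digest states diverge, so in real Tor the only sane reaction is to close the circuit.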
The Tor Design: Rate Limiting & Fairness
Volunteers are more willing to run services that can limit their bandwidth usage, so each OR rate-limits with a token bucket approach
Limits the number of incoming bytes so that volunteer ORs are not overwhelmed
Preferential treatment of interactive streams over bulk transfers
Preferential treatment presents a possible end-to-end attack: it makes the timing of interactive streams easier to distinguish
The Tor Design: Congestion Control
Needed in addition to bandwidth rate limiting, to prevent circuits from becoming congested
Works on top of TCP congestion control, which only covers each hop-to-hop link
Two-fold congestion control: circuit-level throttling and stream-level throttling
Packaging window: tracks how many more cells the OR is allowed to package from outside connections and send along the circuit towards the OP
Delivery window: tracks how many more cells the OR is willing to deliver to connections outside the network
Each circuit-level window is initialised to the maximum allowed value of 1000 cells; every cell packaged or delivered decrements the corresponding window
When a block of 100 cells has been delivered, the OR sends a relay sendme towards the client's OP and bumps its delivery window back up by 100
The OR or OP receiving the sendme increments its packaging window by the block size (100 in this case)
A packaging window of 0 means: stop reading from the outside connection until a sendme arrives
Stream-level throttling works the same way per stream, with a window of 500 cells and a sendme every 50
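To see why both window levels are needed, the following is an added example (written for this page, not Tor's own code) that simulates one circuit carrying two streams between a sender and a receiver with the sendme windows described above. The window sizes are the paper's; the simulation loop, the Window class and the drains parameter are mine, and the scenario of a destination that stops accepting data is constructed.

```python
"""Toy simulation of Tor's two-level (circuit and stream) sendme windows. Added
example, not Tor's own code. Window sizes are the paper's values."""

CIRC_WINDOW, CIRC_INC = 1000, 100     # circuit level: start at 1000, sendme per 100 cells
STREAM_WINDOW, STREAM_INC = 500, 50   # stream level: start at 500, sendme per 50 cells


class Window:
    """Flow-control state for one direction at one endpoint.
    pkg:   how many more cells we may package and send towards the peer
    deliv: countdown of cells delivered to the outside; every `inc` deliveries
           we owe the peer a relay sendme and bump the countdown back up"""
    def __init__(self, size, inc):
        self.size, self.inc = size, inc
        self.pkg = size
        self.deliv = size

    def package(self):
        assert self.pkg > 0, "caller must check pkg > 0 and stop reading the socket"
        self.pkg -= 1

    def delivered(self):
        """Returns True when a relay sendme is now due to the peer."""
        self.deliv -= 1
        if self.deliv <= self.size - self.inc:
            self.deliv += self.inc
            return True
        return False

    def on_sendme(self):
        self.pkg += self.inc


def simulate(rounds, drains):
    """One circuit between a sender (OP) and a receiver (exit OR) carrying the streams
    in `drains`. Each round the sender tries to package one cell per stream.
    drains[sid] says whether the receiver can actually deliver that stream outward;
    a stalled destination means no deliveries and therefore no sendmes for it.
    Returns (cells sent per stream, sender's remaining circuit packaging window)."""
    s_circ, r_circ = Window(CIRC_WINDOW, CIRC_INC), Window(CIRC_WINDOW, CIRC_INC)
    s_str = {sid: Window(STREAM_WINDOW, STREAM_INC) for sid in drains}
    r_str = {sid: Window(STREAM_WINDOW, STREAM_INC) for sid in drains}
    sent = {sid: 0 for sid in drains}
    for _ in range(rounds):
        for sid, can_deliver in drains.items():
            if s_circ.pkg == 0 or s_str[sid].pkg == 0:
                continue          # a window is exhausted: stop reading this stream
            s_circ.package()
            s_str[sid].package()
            sent[sid] += 1
            if not can_deliver:
                continue          # cell waits in the receiver's buffer; no sendme
            if r_circ.delivered():
                s_circ.on_sendme()        # circuit-level sendme travels back
            if r_str[sid].delivered():
                s_str[sid].on_sendme()    # stream-level sendme likewise
    return sent, s_circ.pkg
```

With both destinations draining, both streams run indefinitely and the circuit window oscillates back to 1000. When stream 2's destination stops accepting data, its stream window runs dry after 500 cells and only that stream stops; stream 1 keeps going, because its own deliveries keep generating the circuit-level sendmes. Without the stream-level window, stream 2's undelivered cells would have eaten the shared circuit window and stalled stream 1 as well.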
Rendezvous Points & Hidden Services
The server (Bob) picks some ORs as introduction points (IPs) and advertises them, so his real location stays hidden
The client (Alice) chooses an OR as a rendezvous point (RP) and builds a circuit to it
Alice contacts one of Bob's IPs over a circuit and tells it which RP she chose
If Bob wants to respond to Alice, he builds a circuit to her RP
The RP connects Alice's circuit to Bob's circuit; it only relays encrypted cells and learns neither party's identity
Alice sends a relay begin cell to Bob over the established circuit, and they communicate as explained before
Exit Policies & Abuse
Anonymity lets abusers hide the origin of their activity, and the exit node is what the victim sees, so attackers can implicate exit node operators in their abuse
Tor lets each OR specify an exit policy that describes which external addresses and ports it will connect to
Open exit nodes connect to anywhere
Middleman nodes only relay traffic to other Tor nodes
Private exit nodes only connect to a local host or network
Restricted exit nodes block access to abuse-prone addresses and services (the default policy rejects, for example, SMTP on port 25)
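An exit policy is just an ordered list of accept/reject rules, and an exit decides every relay begin by taking the first rule that matches the destination address and port. The following is an added example, not Tor's own code: a small evaluator with one constructed policy for each of the four node types on the slide. The rule syntax (accept|reject ADDR[/MASK]:PORT, with * as a wildcard and lo-hi port ranges) follows the form Tor's descriptors use; the ExitPolicy class, the sample policies and the fallback to reject when no rule matches are my own assumptions.

```python
"""Exit policy evaluation as an exit node would do it: the first rule matching the
(address, port) pair decides. Added example, not Tor's own code."""
import ipaddress


class ExitPolicy:
    def __init__(self, lines):
        self.rules = [(line, *self._parse(line)) for line in lines]

    @staticmethod
    def _parse(line):
        """'accept 10.0.0.0/8:*' -> (accept?, network-or-None, lo_port, hi_port)."""
        action, target = line.split()
        if action not in ("accept", "reject"):
            raise ValueError("bad action in rule: " + line)
        addr, port = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        return action == "accept", net, lo, hi

    def match(self, address, port):
        """Return (allowed, rule text). Real policies end with a catch-all rule; if
        none matches we fall back to reject, the safe default (an assumption)."""
        ip = ipaddress.ip_address(address)
        for text, accept, net, lo, hi in self.rules:
            in_net = net is None or (ip.version == net.version and ip in net)
            if in_net and lo <= port <= hi:
                return accept, text
        return False, "<implicit reject>"

    def allows(self, address, port):
        return self.match(address, port)[0]


# Constructed policies for the four node types on the slide.
OPEN_EXIT = ExitPolicy(["accept *:*"])
MIDDLEMAN = ExitPolicy(["reject *:*"])
PRIVATE_EXIT = ExitPolicy(["accept 192.168.0.0/16:*", "reject *:*"])
RESTRICTED_EXIT = ExitPolicy([
    "reject *:25",                  # SMTP: the classic abuse target
    "reject *:135-139",             # a port range, to show range parsing
    "reject 10.0.0.0/255.0.0.0:*",  # a network the operator refuses to reach (mask form)
    "accept *:80",
    "accept *:443",
    "reject *:*",                   # everything else
])
```

Rule order matters: moving "reject *:*" above the accept lines would silently turn the restricted exit into a middleman, which is exactly the kind of mistake an operator should test for with a few match() calls before publishing a descriptor.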
Directory Servers
Directories in Tor are kept by a small group of redundant, well-known onion routers that track changes in the network topology and in node state
Each directory server acts as an HTTP server: clients fetch the network state, and ORs post signed statements about themselves
The directory servers must stay synchronised, so that clients do not receive conflicting views of the network
Tor assumes that a threshold of participants agree on the set of directory servers, with human administrators resolving problems when consensus cannot be reached
Attacks: Passive
Observing user traffic patterns: traffic patterns yes, destination or data no
Observing user content: traffic from the exit node to responders may not be encrypted
Option distinguishability: clients who choose non-default options (e.g. rotating circuits more often to avoid traceability) can be told apart by that behaviour
End-to-end timing correlation: Tor only minimally hides such correlations
End-to-end size correlation: just like timing
Website fingerprinting: build a database of fingerprints for websites and use it to confirm which site a user is connecting to
Attacks: Active
Compromise keys: an attacker who learns a circuit session key can unwrap one layer of the encryption
Iterated compromise: the adversary works down the circuit hop by hop, and has to complete this within the lifetime of the circuit
Run a recipient: the attacker controls the destination
Run an onion proxy: compromising an OP reveals everything that user does
DoS non-observed nodes: the observer DoSes the nodes he does not observe, so that more traffic moves onto the nodes he does
Run a hostile OR
Tagging attacks: a hostile OR alters a cell in order to recognise it later; the integrity checks prevent this attack
Attacks: Active (continued)
Replace contents of unauthenticated protocols: a hostile exit can rewrite unauthenticated traffic, so prefer protocols with end-to-end authentication
Replay attack: replaying one side of the handshake results in a different negotiated session key, so the replay gains nothing
Smear attack: use the Tor network for socially disapproved acts to bring it into disrepute; exit policies limit this
Distribute hostile node software: running subverted Tor software; mitigated by signing all Tor releases with an official public key
Attacks: Directory
Destroy directory servers: the remaining directory servers still decide on a valid directory
Subvert a directory server: a majority of votes is needed to reach a decision
Subvert a majority of directory servers: the network is compromised; Tor offers no defence
Encourage directory server dissent: a fight between the directories; Tor does not address this attack
Trick the directory servers into listing a hostile OR: operators will filter out most hostile ORs
Convince the directories that a malfunctioning OR is working: directory servers assume that an OR is running correctly if they can start a TLS connection to it
Attacks: Rendezvous Points
Make many introduction requests: the attacker floods Bob's IP; blocked by requiring authorisation tokens
Attack an IP: Bob simply re-advertises a new one
Compromise an IP: the attacker can flood Bob with introduction requests or drop valid ones; Bob can close the circuit to that IP, or periodically send test rendezvous requests to detect dropped ones
Compromise a RP: the RP only sees encrypted cells and learns nothing about either party
Tor in the wild (as of 2004)
32 nodes
Each node has at least a 768Kb/768Kb connection
Several companies have made use of Tor
Processed 800,000 relay cells per week
Conclusions
When designing anonymity-preserving systems, the main challenge is striking a balance between scalability, decentralisation and privacy
Tor adds several enhancements to the original Onion Routing system, but there are still many open issues, vulnerabilities and areas of future work
More information is needed about how volunteer ORs should be selected and how circuits should be established
Low-Cost Traffic Analysis of Tor
Steven Murdoch, George Danezis
What is this paper about?
An attack on Tor, mounted using Tor itself.
A traffic analysis attack, as we discussed earlier, plus linkability.
Traffic Analysis on Tor
Using only the ability to route over Tor, a modest adversary can still detect the path that target connections are using.
Because of its low-latency design, Tor does not use any batching (mixing) strategy.
This means that the load on a Tor node affects the latency of all connection streams through that node, and that latency can be measured from the outside.
The Attack Setup
The adversary controls a network server and a corrupt Tor node
The victim uses this network server through the Tor network
The corrupt server sends short bursts of data to the victim, modulating the load on every node of the victim's circuit
The corrupt Tor node times a probe connection through each candidate node
The Attack Setup
Goal: identify which nodes are carrying the traffic with the pattern
For each node, they ran one test where the victim's stream went through the target node and one where it did not
For the attack to succeed, the correlation between the traffic modulation and the probe latency must be higher in the first case than in the second
If this is not the case, then either the stream did not measurably affect the probe (false negatives) or echoes of the victim stream elsewhere affected the probe stream (false positives)
Experiments were done on Debian GNU/Linux 3.0 using Tor 0.0.9
The attacker's OR was set up as a client only, configured to choose routes of length 1, so each probe goes through exactly the node being tested
The corrupt server was simulated by a TCP server that sent pseudorandomly generated data for random periods of time
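The mechanism behind the setup above is plain queueing: a node that carries the victim's circuit gets extra cells to serve during each burst, and every other stream through it (the probe included) waits behind them. The following is an added example written for this page, not the paper's code or data: a discrete-time model of one node as a FIFO queue, with the corrupt server's on/off burst schedule, background traffic, and a one-cell-per-tick probe whose queueing delay is correlated with the schedule. Every number (service rate, burst lengths, background load, seeds, the 0.3 decision threshold used in the usage note) is constructed, and all function names are mine.

```python
"""Discrete-time model of the Murdoch-Danezis probe. Added example, not the paper's
code or measurements. One Tor node is a FIFO queue with a fixed service rate; the
corrupt server's bursts add load only if the node carries the victim's circuit; the
attacker's one-hop probe stream measures queueing delay and correlates it with the
burst schedule. All rates, lengths and seeds are constructed."""
import random


def burst_pattern(ticks, on=10, off=40):
    """1 while the corrupt server is sending a burst to the victim, 0 while idle."""
    return [1 if t % (on + off) < on else 0 for t in range(ticks)]


def probe_latencies(pattern, victim_cells, service_rate=4, bg_max=3, seed=1):
    """Queueing delay (in ticks) seen by one probe cell per tick. Arrivals per tick:
    0..bg_max background cells, the victim's cells during a burst, then the probe;
    the node serves service_rate cells per tick."""
    rng = random.Random(seed)
    queue, latencies = 0, []
    for on in pattern:
        ahead = queue + rng.randint(0, bg_max) + victim_cells * on
        latencies.append(ahead / service_rate)     # probe waits for everything ahead
        queue = max(0, ahead + 1 - service_rate)   # +1 for the probe cell, then serve
    return latencies


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def best_lag_correlation(pattern, latencies, max_lag=10):
    """Queue build-up trails the burst, so try a few lags and keep the strongest.
    Returns (correlation, lag)."""
    best = (-1.0, 0)
    for lag in range(max_lag + 1):
        c = pearson(pattern[:len(pattern) - lag], latencies[lag:])
        if c > best[0]:
            best = (c, lag)
    return best


def score_node(carries_victim, ticks=2000):
    """The attacker's per-node test: correlation of probe latency with the burst
    schedule. A node off the victim's path only sees unrelated background load
    (modelled with a different random seed)."""
    pattern = burst_pattern(ticks)
    lat = probe_latencies(pattern, victim_cells=4 if carries_victim else 0,
                          seed=1 if carries_victim else 2)
    return best_lag_correlation(pattern, lat)
```

score_node(True) yields a clearly positive correlation at a small lag, score_node(False) one near zero, and a threshold in between (0.3 here) separates the two; with real nodes the false-positive case the slide mentions shows up as an "echo", when the victim's burst raises load on a node that is not on the path but shares a bottleneck with one that is. Note the cost: one probe series per candidate node, which is the O(N) of the later slide.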
Results
Discussion
That the timing characteristics of streams are not substantially altered is no surprise: Tor's low latency is a requirement.
Interference in timing might be a solution:
Perfect interference: all output streams have the same shape, or a random one. But latency goes up.
Non-interference: difficult to implement, and it would also make the adversary's job easier.
Linkability: a variant of this attack can be used to determine whether two streams belong to the same initiator.
Also, more nodes != better anonymity: the attacker's probing cost only grows linearly with the number of nodes.
Variants of the Attack
Detect the effects on requests sent from the initiator while modulating traffic sent back into a loop.
Alternatively the adversary can probe all nodes and observe the result; this test eliminates nodes that are NOT on the path. Repeat until only the 3 nodes of the circuit remain.
Another variant is to DoS the server and watch the load on the victim's nodes for correlations.
At what cost? O(N): one probe per node, so the attack scales linearly with the size of the network.
Understanding the Artifacts
If another stream is relayed at the same time, it delays the probe stream and leaks information through the latency.
The OS, memory management, the TCP protocol etc. can also introduce delays and thus leak information.
Conclusions
This kind of attack can be performed by a modest adversary.
The attack does not directly give away the originator of the communication; it gives information about the path.
All of the proposed defence strategies involve an increase in latency.
Any questions? I promise you I won't tell anyone.
Thank You