Cryptanalysis of a fair anonymity for the tor network

Similar documents
Anonymity. Assumption: If we know IP address, we know identity

ENEE 459-C Computer Security. Security protocols (continued)

ENEE 459-C Computer Security. Security protocols

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

The New Cell-Counting-Based Against Anonymous Proxy

0x1A Great Papers in Computer Security

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

Protocols for Anonymous Communication

Analysing Onion Routing Bachelor-Thesis

Computer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017

Private Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes

ANONYMOUS CONNECTIONS AND ONION ROUTING

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

CE Advanced Network Security Anonymity II

Digital Cash Systems

A SIMPLE INTRODUCTION TO TOR

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

2 ND GENERATION ONION ROUTER

Introduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Onion services. Philipp Winter Nov 30, 2015

CS Paul Krzyzanowski

Privacy Enhancing Technologies CSE 701 Fall 2017

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Robust EC-PAKA Protocol for Wireless Mobile Networks

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

CPSC 467: Cryptography and Computer Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Notes for Lecture 24

Encryption. INST 346, Section 0201 April 3, 2018

Avoiding The Man on the Wire: Improving Tor s Security with Trust-Aware Path Selection

CPSC 467b: Cryptography and Computer Security

1 A Tale of Two Lovers

Tor Experimentation Tools

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CPSC 467b: Cryptography and Computer Security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Blind Signatures and Their Applications

A New Replay Attack Against Anonymous Communication Networks

CS 134 Winter Privacy and Anonymity

Cryptographic proof of custody for incentivized file-sharing

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CS526: Information security

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Identification Schemes

Public-key Cryptography: Theory and Practice

Grenzen der Kryptographie

CS3235 Seventh set of lecture slides

Anonymity. With material from: Dave Levin and Michelle Mazurek

Anonymity and Privacy

The Onion Routing Performance using Shadowplugin-TOR

Introduction to Modern Cryptography. Benny Chor

Signature Validity States

Core: A Peer-To-Peer Based Connectionless Onion Router

14. Internet Security (J. Kurose)

Chapter 9: Key Management

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

An efficient implementation of Monero subaddresses. 1 Introduction. Sarang Noether and Brandon Goodell Monero Research Lab October 3, 2017

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Security properties of two authenticated conference key agreement protocols

Please ensure answers are neat and legible. Illegible answers may be given no points.

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

System-Level Failures in Security

CS Computer Networks 1: Authentication

S. Erfani, ECE Dept., University of Windsor Network Security

(2½ hours) Total Marks: 75

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

NYMBLE: Blocking Misbehaving Users in Anonymizing Networks

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Security: Focus of Control

Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

Dawn Song

Computer Networks. Wenzhong Li. Nanjing University

Peer-to-Peer Systems and Security

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

ANET: An Anonymous Networking Protocol

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Design and Analysis of Efficient Anonymous Communication Protocols

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Security Handshake Pitfalls

Introduction to Computer Security

Study Guide for the Final Exam

Computer Security Spring 2010 Paxson/Wagner HW 4. Due Thursday April 15, 5:00pm

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Transcription:

Cryptanalysis of a fair anonymity for the tor network Amadou Moctar Kane KSecurity, BP 47136, Dakar, Senegal amadou1@gmailcom April 16, 2015 Abstract The aim of this paper is to present an attack upon the protocol of Diaz et al [4], which goal is to introduce a fair anonymity in the Tor network This attack allows an attacker to impersonate Tor users with the complicity of an exit node Keywords : Cryptography, Tor, privacy, anonymity, group signature 1 Introduction Designed for the low-latency anonymous communication [7], Tor is now the major tool intended to reduce the mass surveillance Unfortunately Tor also became a haven for criminals, which complicates the task of its supporters In order to correct this situation, a protocol designed to establish a responsible Tor was introduced first by [3] (using secret sharing schemes) and later by Diaz et al [4] (using group signatures and blind signatures) The use of blind or group signatures in anonymity revocation exists already in many papers For example, on the internet, Claessens et al [1] introduced a revocable anonymity based on blind and group signatures Later Köpsell et al [2] proposed a revocable anonymity based on a proxy system, threshold group signatures and blind signature In the next section, we present the scheme of Diaz et al [4], and before the conclusion, we will exhibit the weakness of their protocol and the proposed improvement 2 Presentation of Diaz et al s scheme In order to endow Tor with fairness capabilities, this scheme works by introducing variations in the way a user negotiates the symmetric keys with the entry and exit nodes It introduces the group signature, the blind signature, the blind group signature, the commitment and other cryptographic tools during the handshake with the entry and the exit node In addition, in order to prevent the user to employ one identity for negotiating with the entry node, and a different one with the exit node, the entry node has to blindly sign the message that the user will send to the exit node The resulting modified handshake schemes are shown below, where U i denotes any arbitrary user, EN denotes the entry node and EX the exit node During the handshake with EN, U i first group-signs g x 1 and g x 2, sends g x 1 to EN and also requests EN to blindly sign a group signature of g x 2 If all the operations succeed, EN accepts the connection 1

21 Entry Node Handshake: U i : σ 1 GSSign(g x 1, mk i ) U i creates a group signature over g x 1, using her member key mk i U i : σ 2 GSSign(g x 2, mk i ) U i creates a group signature over g x 2, using her member key mk i U i : com Com(σ 2, r 1 ) Denote a commitment com to a message σ 2, where the sender uses uniform random coins r 1 ; U i : (β, π) BGSBlind(com, r 2 ) Blind group signature (BGS) scheme is just like a blind signature in which the signer issues a group signature instead of a conventional signature Using some random secret value (r 2 ), the user creates a blinded version (β) of the message (com) to be blindly signed and a proof of correctness π U i : φ P rovezk(x, w) where x = (β, π, σ 1 ), w = (mk i, r 1, r 2 ) such that: σ 2 GSSign(g x 2, mk i ), (β, π) BGSBlind(Com(σ 2, r 1 ), r 2 ) P rovezk(x, w) and V erifyzk refer to creating a non-interactive proof showing that the statement x is in the language (which will be determined by the context) with the witness w, and to verify the statement x based on the proof π U i EN : g x 1, σ 1, β, π, φ EN : V erifyzk(β, π, φ, σ 1 ) EN : GSV erify(σ 1, g x 1 ) Allows the EN with the group key to verify the group signature σ 1 EN : β BGSSign(β, sbk) Upon receiving the blinded messages, the EN runs any necessary verification and creates a blinded group signature using its private key (sbk) EN : K 1 = g x 1y 1 EN U i : g y 1, β, H(K 1 h sk1 ) U i : σ 3 BGSUnblind( β, r 2 ) The user receives the blinded group signature and unblinds it, using the secret value (r 2 ) generated during the blind process U i : K 1 = g x 1y 1 22 Exit Node Handshake: U i EX : g x 2, σ 2, σ 3 U i initiates the handshake with EX, she sends the group signature on g x 2 (σ 3 ) that was blindly signed by EN, along with the blind signature itself (σ 2 ) EX : GSV erify(σ 2, g x 2 ) Allows the EX with the group key to verify the group signature σ 2 EX : BGSV erify(σ 3, σ 2 ) Allows the EX with the group key to verify the blinded signature of σ 2 EX : K 2 = g x 2y 2 EX Ui : g y 2, H(K 2 h sk2 ) U i : K 2 = g x 2y 2 If all the verifications succeed, then EX accepts the connection 2

3 Attack on the protocol Let s suppose that the exit node (EX) is a malicious relay In order to conduct this attack, the EX have to copy the elements of the handshake with honest Tor users and then send the copies to its accomplices who are in the network Hence, after the connection of U i, the EX will copy and send g x 2, σ 2 and y 2, to its accomplice U j U j can choose any entry node EN, but it should finish by its accomplice (the exit node), it should also choose x 11, r 11, r 22 as it is currently done with x 1, r 1, r 2 Handshake with the EN: U j : σ 1 GSSign(g x 11, mk j ) U j creates a group signature over g x 11, using its member key mk j U j : com Com(σ 2, r 11 ) Denote a commitment com to a message σ 2, where the sender uses uniform random coins r 11 ; U j : (β, π) BGSBlind(com, r 22 ) Blind group signature (BGS) scheme is just like a blind signature in which the signer issues a group signature instead of a conventional signature Using some random secret value (r 22 ), the user creates a blinded version (β) of the message (com) to be blindly signed and a proof of correctness π U i : φ P rovezk(x, w) where x = (β, π, σ 1 ), w = (mk j, r 11, r 22 ) such that: σ 2 GSSign(g x 2, mk i ), (β, π) BGSBlind(Com(σ 2, r 11 ), r 22 ) P rovezk(x, w) and V erifyzk refer to creating a non-interactive proof showing that the statement x is in the language (which will be determined by the context) with the witness w, and to verify the statement x based on the proof π U i EN : g x 11, σ 1, β, π, φ EN : V erifyzk(β, π, φ, σ 1 ) EN : GSV erify(σ 1, g x 11 ) Allows the EN with the group key to verify the group signature σ 1 EN : β BGSSign(β, sbk) Upon receiving the blinded messages, the EN runs any necessary verification and creates a blinded group signature using its private key (sbk) EN : K 1 = g x 11y 1 EN U i : g y 1, β, H(K 1 h sk1 ) U i : σ 3 BGSUnblind( β, r 22 ) The user receives the blinded group signature and unblinds it, using the secret value (r 22 ) generated during the blind process The result of this operation is the final signature U i : K 1 = g x 11y 1 Handshake with EX : U j EX : g x 2, σ 2, σ 3 When EX recognizes g x 2, it actes as follows EX : K 2 = g x 2y 2 EX U j : g y 2, H(K 2 h s K 2 ) U j which already have y 2 can create K 2 U j : K 2 = g x 2y 2, then EX accepts the connection The anonymity revocation: As proposed in [4], Let s suppose that U j established a circuit and she is communicating with some server S (external to Tor) Also, let us suppose that eventually, U j performs some illegitimate action When 3

that happens, S denounces this behavior following some predefined method Specifically, the exit node provides the following information to retrieve U j s identity: 1 {msg} K, where msg is the message received and denounced by S, and K is the symmetric key negotiated between U i and the exit node 2 (K = g x 2y 2, g x 2 ), where g x 2 is U i s share of the handshake and g y 2 is the share created by the exit node 3 σ 2, ie, a group signature of g x 2 issued by U i In order to verify that the received denounce is valid, it is necessary to check that the message received from S, msg, corresponds to the encryption {msg} K received from the exit node Also, σ 2 must be a valid group signature over g x 2 Finally, the exit node may be required to prove that it knows the discrete logarithm y 2 of g x 2y 2 to the base g x 2 If these checks succeed, then the member with key mk i (U i ) is considere to be the responsible of msg Hence, U i s key can be consequently revoked and U i can be prosecuted while the responsible of this message is U j Remark: If the user has at least two accomplices on the Tor network (an entry node and an exit node), it can impersonate a Tor user without being member of Tor 31 Improvement In order to correct this weakness, we propose to keep the handshake of Tor as it is currently done [7], except for the last relay where Alice (the sender) will group-sign and timestamp Bob s IP She will also establish a secure connection with Bob in order to prevent a man-in-the-middle attack (for example a hash was included in the Tor handshake in order to prevent such attack) The revocation of the key will be done as follows: A judge (or an organization responsible for the fight against cybercrime) will contact the last relay to tell the EX that at the time t it sent the offending message to Bob The organization or the judge would first prove that the offending message comes from the secure connection that is passed through the last relay The last relay will exhibit the IP of Bob which was signed and timestamped by Alice If all verifications are successful then the group manager will vote in order to revoke or not Alice s member key This improvement can be implemented in TAP and in Ntor 32 Example in TAP The beginning of the Tor authentication protocol is: Alice OR1 : Create c1, E(g x 1 ) OR1 Alice : Created c1, g y 1, H(K1) Alice OR1 : Relay c1 {Extend, OR2, E(g x 2 )} OR1 OR2 : Create c2 E(g x 2 ) OR2 OR1 : Created c2, g y 2, H(K2) OR1 Alice : Relay c1 {Extended, OR2, E(g y 2, H(K2))} The single change, which we will introduce in this protocol is to timestamp and to group-sign the IP of the recipient (ζ T imestampgssign(< website >: 443, mk i )) and to add it on the following line of TAP 4

Alice OR1 : Relay c1 {{ Begin <website>:443 ζ}} (the concatenation is designated by ) Before any other action (TCP handshake, ), OR2 will verify if the timestamp and the group signatures are correct If these are correct, then it will continue the protocol as described in the first design of Tor [7] 33 A revocable anonymity in the hidden services Figure 1: Normal use of hidden services and rendezvous servers As described in [5], a normal setup of communication between a client and a hidden service is done as shown in Figure1 First the Hidden Server (HS) connects (1) to a node in the Tor network and asks if it is OK for the node to act as an Introduction Point for its service If the node accepts, we keep the circuit open and continue Next, the Hidden Server contacts (2) the Directory Server (DS) and asks it to publish the contact information of its hidden service In order to retrieve data from the service the client connects (3) to DS and asks for the contact information of the identified service and retrieves it if it exists (including the addresses of Introduction Points) In our scheme we keep all the circuits of Figure 1 as such, except for two connections ((2), (3)) concerning the directory server that we modify as follows: Connection (2): The Hidden Server contacts the Directory Server (DS) and asks it to publish its contact information The HS will group-sign and timestamp a file file 1 where it writes the IP of the introduction points and the name of the Hidden server (as it is done with ζ in section 32) Connection (3): The Client connects to DS asking for the contact information of the identified service (including the addresses of Introduction Points) In its answer, the DS will send file 1 to the client Revocation of the anonymity Let s suppose that the client has a proof showing that this Hidden server is promoting child abuse, the client will exhibit to those who are allowed to revoke the anonymity its proof and file 1 Members of the revocation group (group manager) will revoke this Alice member key s (mk i ) if they are convinced, otherwise they will not 5

4 Security analysis In this scheme, we identify three possible attacks, such as when a user is trying to cheat to remain anonymous in any case We also have the case of those who try to impersonate some Tor users in order to commit crimes with their identities Finally, we have attackers who may try to revoke the anonymity of a Tor user, without the consensus of Tor members 41 Attack of the user who wishes to remain anonymous in all cases The attacker refuses to insert ζ or file 1 In this case, it is in the responsibility of the last node or the DS to reject the Alice s request It may be noted that if the last relay tries to help Alice to cheat then its liability could be engaged, for example, if it transfers the message to Bob without having received a correct ζ T imestampgssign(< website >: 443, mk i ) Threaten members of the network to prevent the reconstitution of the IP address In this scheme, due to the properties of group signature, Alice will perhaps be able to identify the different members which can revoke its member key, however these members should be protected against any threat 42 Revocation of the anonymity without the consensus An attacker may try to revoke the anonymity of Tor users without the consent of Tor s members An attacker could guess the circuit by looking into Onion routers (OR) This attack is impossible, because, even if the attacker sees Alice s group-signature, it cannot guess Alice s member key Attack on ζ In case of an attack, of a legal action or illegal coercion, a node cannot revoke the anonymity alone Hence, it is impossible to revoke the anonymity without the participation of the group manager End-to-end timing correlation Could the timestamp which we have introduced, help in the End-to-end timing correlation? No, it should not be the case, since the file is not timestamped for the outputting circuit, and between the last relay and the true destination of the packet (Bob) there is no trace of timestamp 43 Impersonate Tor users The revocation of the anonymity could encourage malicious people, to try to impersonate Tor users by using the following methods Spoofing file 1 or ζ The attacker cannot use file 1 (or ζ) effectively in order to accuse Alice if the connection between Alice and Bob is secured (to avoid a man-in-the-middle attack) For example, if Alice wants to log on securedemail, she should send Alice OR1 : Relay c1 {{ Begin <securedemailcom>:443 ζ}}, where ζ T imestampgssign(< securedemailcom >: 443, mk i ) Then the output node could try to impersonate Alice by connecting to securedemail, but it would not succeed due to the fact that it needs to have Alice s passwords and the fact that the connection between Alice and securedemail is secure against attacks such as the man-in-the-middle 6

However, if Alice sends on an unsecured traffic, Alice OR1 : Relay c1 {{ Begin <non-secured-webcom>:80 ζ}}, where ζ T imestampgssign(< non secured webcom >: 80, mk i ), during the time of validity of the timestamp, then the exit node could impersonate Alice in non-secured-webcom, it could also lead to a man-in-the-middle attack, hence the importance of combining Tor with a secure connection Other attacks A malicious node could delay Alice s message in order to create a stop delivery (due to the timestamp) 5 Conclusion In this paper we showed that the scheme of Diaz et al was deficient, due to the fact that malicious nodes (essentially the exit nodes) may allow an attacker to impersonate a honest Tor user The scheme proposed in order to correct these shortcomings, could also be an improved with additional research on the use of group signatures, which should protect the identity of those who are responsible of the anonymity revocation References [1] Claessens J, Diaz C, Goemans C, Dumortier J, Preneel B, & Vandewalle J Revocable anonymous access to the Internet, Internet Research, 13(4), 242-258, 2003 [2] Köpsell S, Wendolsky R, & Federrath H Revocable anonymity In Emerging Trends in Information and Communication Security, 206-220, 2006 [3] Kane A M Another Tor is possible Cryptology eprint Archive (2014), 787 [4] Diaz J, Arroyo D, & Rodriguez F B Fair anonymity for the Tor network arxiv preprint arxiv:14124707, 2014 [5] Overlier L, Syverson P Locating hidden servers In Security and Privacy, 2006 IEEE Symposium on (pp 15-pp) [6] M Wright, M Adler, BN Levine, C Shields An analysis of the degradation of anonymous protocols, 2002 [7] Dingledine R, Mathewson N, Syverson P Tor: The second-generation onion router Naval Research Lab Washington DC, (2004) [8] Syverson P Practical Vulnerabilities of the Tor Anonymity Network Advances in Cyber Security: Technology, Operation, and Experiences, (2013) [9] McCoy D, Bauer K, Grunwald D, Kohno T, Sicker D Shining light in dark places: Understanding the Tor network In Privacy Enhancing Technologies (2008, January), (pp 63-76) [10] Panchenko A, Niessen L, Zinnen A, and Engel T Website fingerprinting in onion routing based anonymization networks WPES, page 103-114 ACM, 2011 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback