The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

The Tor Network Cryptography 2, Part 2, Lecture 6 Ruben Niederhagen June 16th, 2014

Tor Network Introduction 2/33

Classic goals of cryptography:
- confidentiality: symmetric encryption,
- data integrity: hash functions,
- authentication: asymmetric encryption, and
- non-repudiation: signatures.

Privacy goals of cryptography: deniability, anonymity, perfect forward secrecy, ...

May depend on meta-data: sender, receiver, keying data, ...

Tor Network Introduction 3/33

Who needs anonymity?
- opposition in autocratic regimes,
- journalists under dictatorship,
- journalists in democracies,
- law enforcement, spies,
- criminals, terrorists,
- citizens under data-retention laws,
- freedom of speech,
- ...

Anonymity only works by hiding in the masses. You can help people in need of anonymity by using anonymity-enhancing software even if you do not depend on it yourself!

Tor Network Introduction 4/33

"Tor (previously an acronym for The Onion Router) is free software for enabling online anonymity and resisting censorship." (Wikipedia)

Tor Network Introduction 5/33

Additional goals:
- deployability: usable in the real world, interoperable with existing protocols;
- usability: anonymity requires many users;
- flexibility: easy addition of future features;
- simplicity: avoid bugs, understand security parameters and features.

Tor Network Introduction 6/33

Non-goals:
- not peer-to-peer: requires centralized directory servers;
- not secure against end-to-end attacks: no protection against global adversary;
- no protocol normalization: no anonymization towards receiver;
- not steganographic: does not hide usage of the network.

Tor Network Threat Model 7/33

Global passive adversary:
- global view on the network,
- sees entry and exit links, and
- sees timing and volume patterns.

Tor does not protect against this type of adversary!

Tor Network Threat Model 8/33

Real-world adversary:
- view on a fraction of the network,
- generate, modify, delete, or delay traffic,
- operate Tor routers, or
- compromise some Tor routers.

Tor attempts to protect against this type of adversary.

Tor Network Design Overview 9/33 to 11/33

[Figures not preserved in the transcription. Labels on slide 11: User, Entry, Middle, Exit, Data.]

Tor Network Design Details 12/33

Players:
- Onion Router (OR): Routers in the onion overlay network.
- Onion Proxy (OP): Local proxy of each Tor user.
- Directory Server: More-trusted entity providing an OR directory.

Each OR maintains a TLS connection to all other ORs. Each OP maintains TLS connections to its entry ORs. Tor uses TLS cipher suites with ephemeral keys.

TLS is used for OR authentication and transport integrity, NOT for payload encryption!

Tor Network Design Details 13/33

Keys

Asymmetric keys:
- Each OR publishes a Router Identity Key in the directory.
- Additionally, directory servers have a long-term Authority Identity Key (stored offline) and a medium-term Authority Signing Key (3 to 12 months).
- OPs do NOT have identity keys!

Symmetric keys:
- All TLS connections use short-term ephemeral keys.
- Onion encryption keys are short-term ephemeral keys; Tor uses AES128 in counter mode for onion encryption.

Tor Network Design Details 14/33

Directory Server:
- ORs send a signed statement to the directory servers.
- The directory servers test if the OR accepts connections.
- Periodically, the directory servers vote on the network state.
- The consensus is signed by all agreeing directory servers.
- On bootstrap, a client connects to a directory server to receive the signed consensus document.
- The client accepts the consensus document if it is signed by at least half of the directory servers.
- Later, the clients request cached consensus docs from known ORs.
- Each consensus is restricted to a specific time period.
- The consensus document contains bandwidth and exit policy information for each OR.

Consensus Document (1) 15/33

    network-status-version 3
    vote-status consensus
    valid-after 2014-06-14 14:00:00
    fresh-until 2014-06-14 15:00:00
    valid-until 2014-06-14 17:00:00
    [...]
    contact Peter Palfrader
    vote-digest DE88ACE5E41B7BDD59A9FA29481D7D2BCF20C08D
    dir-source maatuska 49015F78743... 171.25.193.9 171.25.193.9 443 80
    contact 4096R/23291265 Linus Nordberg
    vote-digest ECFE99490D9E6ED7AB7598AD5B8BCDA43E5C53DF
    dir-source dannenberg 585769C78... dannenberg.ccc.de 193.23.244.244 80 443
    [...]

Consensus Document (2) 16/33

    r CalgaryRelay AhtWK/ebprD1KAbOKdWFQ+mlVE0 FIUMkqViP7mkBn... 2014-06-14 01:15:53 70.72.146.227 9001 9030
    s Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.3.25
    w Bandwidth=247
    p reject 1-65535
    r TelosTorExit2 AhzRl+9BYl9I1Znz0ZM6GpU7mBs RGvsM1rZM2v3n... 2014-06-13 23:25:19 62.210.74.186 443 80
    s Exit Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.4.22
    w Bandwidth=69200
    p reject 25
    [...]

Consensus Document (3) 17/33

    directory-footer
    [...]
    directory-signature 49015F787433103580E3B66A1707A00E60F2D15B F98E385F2982778F50925F54F832E2FE744B5ED7
    -----BEGIN SIGNATURE-----
    qqbsasctppsb5butm6frzuoudk+oux76eb+gpaglzac/yqofqxpzbb9i[...]
    -----END SIGNATURE-----
    directory-signature 585769C78764D58426B8B52B6651A5A71137189A 6B82B0EC44BD79CB0D1F1BB2A0C597E0FEC71AE9
    -----BEGIN SIGNATURE-----
    LcmuTT/5qwA+L9pcxGbRTz74YiqH4rQo5Wz3piSXmD/j4rcahfbmVHmi[...]
    -----END SIGNATURE-----
    [...]

https://gitweb.torproject.org/torspec.git/head:/dir-spec.txt
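The fields shown on slides 15 to 17, read the way a client would before relying on a consensus; this is an added example, not code from the lecture or from Tor. It applies the validity period and the "at least half" rule from slide 14 by counting directory-signature entries from an assumed list of known authorities, and it does not verify the signatures themselves. The sample document and all names in it are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the format of slides 15-17; every nickname, address,
# identity and signature below is a placeholder, not a real relay or authority.
SAMPLE = """\
valid-after 2014-06-14 14:00:00
fresh-until 2014-06-14 15:00:00
valid-until 2014-06-14 17:00:00
r RelayA IDENTITY-A DIGEST-A 2014-06-14 01:15:53 192.0.2.10 9001 9030
s Fast HSDir Running Stable V2Dir Valid
w Bandwidth=247
p reject 1-65535
r ExitB IDENTITY-B DIGEST-B 2014-06-13 23:25:19 192.0.2.20 443 80
s Exit Fast HSDir Running Stable V2Dir Valid
w Bandwidth=69200
p reject 25
directory-footer
directory-signature AUTHORITY-1 SIGNING-KEY-1
-----BEGIN SIGNATURE-----
PLACEHOLDER
-----END SIGNATURE-----
directory-signature AUTHORITY-2 SIGNING-KEY-2
-----BEGIN SIGNATURE-----
PLACEHOLDER
-----END SIGNATURE-----
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Router:
    nickname: str
    address: str
    or_port: int
    flags: set = field(default_factory=set)
    bandwidth: int = 0
    policy: tuple = ("reject", "1-65535")   # (accept|reject, port list) from the 'p' line

    def allows_exit_to(self, port: int) -> bool:
        """'accept' lists the allowed ports, 'reject' lists the denied ones."""
        kind, ports = self.policy
        listed = False
        for part in ports.split(","):
            lo, _, hi = part.partition("-")
            if int(lo) <= port <= int(hi or lo):
                listed = True
        return listed if kind == "accept" else not listed


def parse_consensus(text: str):
    """Return (validity times, routers, signing authority ids)."""
    meta, routers, signers = {}, [], []
    in_signature = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            in_signature = True
        elif line.startswith("-----END"):
            in_signature = False
        elif in_signature or not line.strip():
            continue                                  # signature body or blank line
        else:
            key, _, rest = line.partition(" ")
            if key in ("valid-after", "fresh-until", "valid-until"):
                meta[key] = datetime.strptime(rest, TIME_FMT)
            elif key == "r":                          # nickname id digest date time IP ORPort DirPort
                f = rest.split()
                routers.append(Router(nickname=f[0], address=f[5], or_port=int(f[6])))
            elif key == "s" and routers:
                routers[-1].flags = set(rest.split())
            elif key == "w" and routers:
                for item in rest.split():
                    name, _, value = item.partition("=")
                    if name == "Bandwidth":
                        routers[-1].bandwidth = int(value)
            elif key == "p" and routers:
                kind, _, ports = rest.partition(" ")
                routers[-1].policy = (kind, ports)
            elif key == "directory-signature":
                signers.append(rest.split()[0])
    return meta, routers, signers


def acceptable(meta, signers, now, known_authorities):
    """Slide 14: inside the validity period and signed by at least half of the
    directory servers. Signatures are only counted here, not verified."""
    in_window = meta["valid-after"] <= now <= meta["valid-until"]
    distinct = set(signers) & set(known_authorities)
    return in_window and 2 * len(distinct) >= len(known_authorities)


def exit_candidates(routers, port):
    """Nicknames of routers usable as exit to the given port."""
    needed = {"Exit", "Running", "Valid"}
    return [r.nickname for r in routers
            if needed <= r.flags and "BadExit" not in r.flags and r.allows_exit_to(port)]


if __name__ == "__main__":
    meta, routers, signers = parse_consensus(SAMPLE)
    print(exit_candidates(routers, 80), signers)
```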

Tor Network Design Details 18/33

Tor Statistics (June 13th, 2014):

    Total Bandwidth of Routers [KBytes/s]        4650769
    Total Number of Routers                      5477
    Total Number of Authority Routers            10
    Total Number of Bad Directory Routers        0
    Total Number of Bad Exit Routers             11
    Total Number of Exit Routers                 977
    Total Number of Fast Routers                 4588
    Total Number of Guard Routers                2152
    Total Number of Stable Routers               3824
    Total Number of Valid Routers                5477
    Total Number of Directory Mirror Routers     3430

Tor Network Design Details 19/33

Router Flags:
- Authority: if the router is a directory authority.
- BadDirectory: if the router is believed to be useless as a directory cache (because its directory port isn't working, its bandwidth is always throttled, ...).
- Exit: if the router is more useful for building general-purpose exit circuits than for relay circuits.
- BadExit: if the router is believed to be useless as an exit node (because its ISP censors it, because of TLS stripping, ...).
- Fast: if the router is suitable for high-bandwidth circuits.
- Guard: if the router is suitable for use as an entry guard.
- Stable: if the router is suitable for long-lived circuits.
- Valid: if the router has been validated.

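Number of Routers 20/33

[Plot not preserved in the transcription. Series: Germany, the Netherlands, USA.]

Number of Exit Routers 21/33

[Plot not preserved in the transcription. Series: Germany, the Netherlands, USA.]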

Tor Network Design Details 22/33

Cells:

Control: padding, create, created, destroy, ...

    Field    CircID  CMD  DATA
    Bytes    2       1    509

Relay: relay data, relay begin, relay end, relay teardown, relay connected, relay extend, relay extended, relay truncate, relay truncated, relay drop, ...

    Field    CircID  Relay  StreamID  Digest  Len  CMD  DATA
    Bytes    2       1      2         6       2    1    498

Label on the relay cell figure: "Onion Encrypted".

Tor Network Design Details 23/33

Parties: OP, OR 1, OR 2, website. The links OP to OR 1 and OR 1 to OR 2 are TLS encrypted.

 1. OP -> OR 1: create $c_1$, $E(g^{x_1})$
 2. OR 1 -> OP: created $c_1$, $g^{y_1}$, $H(g^{x_1 y_1})$
 3. OP -> OR 1: relay $c_1$, {extend, OR 2, $E(g^{x_2})$}
 4. OR 1 -> OR 2: create $c_2$, $E(g^{x_2})$
 5. OR 2 -> OR 1: created $c_2$, $g^{y_2}$, $H(g^{x_2 y_2})$
 6. OR 1 -> OP: relay $c_1$, {extended, $g^{y_2}$, $H(g^{x_2 y_2})$}
 7. OP -> OR 1: relay $c_1$, {{begin, website:80}}
 8. OR 1 -> OR 2: relay $c_2$, {begin, website:80}
 9. OR 2 <-> website: (TCP handshake)
10. OR 2 -> OR 1: relay $c_2$, {connected}
11. OR 1 -> OP: relay $c_1$, {{connected}}
12. OP -> OR 1: relay $c_1$, {{data, HTTP GET...}}
13. OR 1 -> OR 2: relay $c_2$, {data, HTTP GET...}
14. OR 2 -> website: HTTP GET...
15. website -> OR 2: (response)
16. OR 2 -> OR 1: relay $c_2$, {data, (response)}
17. OR 1 -> OP: relay $c_1$, {{data, response}}
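The layering in the exchange above ({..} for one layer, {{..}} for two) together with the relay-cell Digest field from slide 22, as an added example that is not code from the lecture or from Tor. It substitutes a SHA-256 keystream for AES-128-CTR, a truncated HMAC for the cell digest, and a toy Diffie-Hellman group without the E(.) public-key wrapping; the class and function names and the command value are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct

P, G = 2**127 - 1, 3      # toy DH group (assumption): far too small for real use
RELAY_DATA = 2            # command value used by this example
DATA_LEN = 498            # relay DATA field size from slide 22


def handshake():
    """create/created: both sides derive the same key from g^xy (E(.) wrapping omitted)."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    k_or = hashlib.sha256(str(pow(gx, y, P)).encode()).digest()   # OR computes (g^x)^y
    k_op = hashlib.sha256(str(pow(gy, x, P)).encode()).digest()   # OP computes (g^y)^x
    confirm = hashlib.sha256(b"confirm" + k_or).digest()          # H(g^xy) sent in 'created'
    if not hmac.compare_digest(confirm, hashlib.sha256(b"confirm" + k_op).digest()):
        raise ValueError("key confirmation failed")
    return k_op, k_or


class Layer:
    """One onion layer: a key and a running keystream position, as in counter mode."""

    def __init__(self, key):
        self.key, self.pos = key, 0

    def crypt(self, data):
        # Stand-in for AES-128-CTR: keystream block i is SHA-256(key || i).
        first, skip = divmod(self.pos, 32)
        blocks = (skip + len(data) + 31) // 32
        stream = b"".join(hashlib.sha256(self.key + struct.pack(">Q", first + i)).digest()
                          for i in range(blocks))[skip:skip + len(data)]
        self.pos += len(data)
        return bytes(a ^ b for a, b in zip(data, stream))


def pack_relay(stream_id, cmd, data, key):
    """Relay payload per slide 22: StreamID(2) Digest(6) Len(2) CMD(1) DATA(498)."""
    if len(data) > DATA_LEN:
        raise ValueError("data does not fit into one cell")
    body = struct.pack(">H6xHB", stream_id, len(data), cmd) + data.ljust(DATA_LEN, b"\0")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:6]   # computed with Digest zeroed
    return body[:2] + tag + body[8:]


def unpack_relay(payload, key):
    """Return (stream_id, cmd, data) if the Digest verifies under key, else None."""
    zeroed = payload[:2] + bytes(6) + payload[8:]
    tag = hmac.new(key, zeroed, hashlib.sha256).digest()[:6]
    if not hmac.compare_digest(tag, payload[2:8]):
        return None
    stream_id, length, cmd = struct.unpack(">H6xHB", payload[:11])
    return (stream_id, cmd, payload[11:11 + length]) if length <= DATA_LEN else None


class Circuit:
    """OP -> OR1 -> OR2, each OR sharing one key with the OP."""

    def __init__(self):
        k1_op, k1_or = handshake()        # create / created
        k2_op, k2_or = handshake()        # relay extend / extended, carried via OR1
        self.op1, self.op2 = Layer(k1_op), Layer(k2_op)
        self.or1, self.or2 = Layer(k1_or), Layer(k2_or)

    def op_send(self, data):
        cell = pack_relay(1, RELAY_DATA, data, self.op2.key)
        return self.op1.crypt(self.op2.crypt(cell))          # {{data}} on circuit c1

    def or1_forward(self, cell):
        inner = self.or1.crypt(cell)                         # peel one layer: {data}
        return unpack_relay(inner, self.or1.key) is not None, inner

    def or2_receive(self, cell):
        return unpack_relay(self.or2.crypt(cell), self.or2.key)


def demo():
    c = Circuit()
    msg = b"GET / HTTP/1.0\r\n\r\n"
    or1_recognised, wire = c.or1_forward(c.op_send(msg))
    honest = c.or2_receive(wire)
    _, wire2 = c.or1_forward(c.op_send(msg))
    changed = wire2[:20] + bytes([wire2[20] ^ 1]) + wire2[21:]   # one bit altered in transit
    modified = c.or2_receive(changed)
    replayed = c.or2_receive(wire)                               # first cell delivered again
    return or1_recognised, honest, modified, replayed


if __name__ == "__main__":
    print(demo())
```

OR 1 cannot recognise the cell it forwards, the altered cell fails the digest check at OR 2, and the repeated cell decrypts under an advanced keystream position and is rejected as well.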

Tor Network Circuits 24/33

[Figure sequence not preserved in the transcription.]

Adversary able to detect pattern in message flow!

Tor Network Circuits 25/33

Choosing nodes for circuits:
- Circuit length: 3 ORs (entry, mid, and exit). Attacks most efficient at entry and exit; no need for long circuits.
- Avoid both entry and exit being controlled by the attacker. Probability: $(c/n)^2$ per circuit ($c$: attacker-controlled ORs, $n$: total ORs). Risk grows with many connections/re-routes.
- Choose a guard node as single entry for all circuits. All connections potentially compromised iff guard node is compromised; fine otherwise. Probability pinned to $c/n$ regardless of number of connections.
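The two probabilities on this slide, carried through for $k$ circuits. This is an added derivation, not part of the lecture; it assumes entry and exit are picked uniformly and independently from the $n$ ORs and ignores bandwidth weighting.

Without a guard, each circuit independently has a hostile entry and exit with probability $(c/n)^2$, so the probability that at least one of $k$ circuits is compromised is

$$P_{\text{no guard}}(k) = 1 - \left(1 - \left(\frac{c}{n}\right)^2\right)^k \longrightarrow 1 \quad (k \to \infty).$$

With a single guard, nothing can be compromised unless the guard itself is hostile (probability $c/n$); given a hostile guard, each circuit is compromised when its exit is hostile too, so

$$P_{\text{guard}}(k) = \frac{c}{n}\left(1 - \left(1 - \frac{c}{n}\right)^k\right) \le \frac{c}{n}.$$

For $c/n = 0.1$ and $k = 100$ this gives $P_{\text{no guard}} \approx 0.634$ and $P_{\text{guard}} \approx 0.1$.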

Rendezvous Points, Hidden Services 26/33

Provide location-hidden, anonymous services (responder anonymity):
- Access control: Filter incoming connections, avoid DoS.
- Robustness: Long-term pseudonymous identity, not tied to single OR.
- Smear-resistance: Rendezvous router protected against illegal activities.
- Application transparency: Hidden services directly accessible via the Tor network.

Rendezvous Points, Hidden Services 27/33

[Figure sequence not preserved in the transcription.]

Tor Network Attacks 28/33

Passive Attacks:
- Observing user traffic patterns:
  - end-to-end timing correlation,
  - end-to-end size correlation,
  - website fingerprinting.
- Observing user content (see below).
- Option distinguishability.

Tor Network Attacks 29/33

Active Attacks:
- Compromise keys: TLS session key, circuit session key, OR private key. Past connections can't be compromised due to ephemeral keys!
- Iterate compromise: Follow circuit from end to end. Possible only during lifetime of circuit.
- Run recipient: Simplifies passive attacks.
- Run onion proxy: Usually not more likely than compromising the user's machine; possible in company settings with institutional onion proxy.
- DoS non-observed nodes: Force traffic on controlled nodes by disabling other nodes.

Tor Network Attacks 30/33
Active Attacks (cont.):
- Run hostile OR: Observe connections, induce traffic patterns. Mitigated by use of guard nodes.
- Introducing timing into messages: Strengthens passive attacks.
- Tagging attacks: Manipulate payload and observe garbled content on exit nodes. Prevented by integrity checks.
- Replay attacks: Replaying handshake messages results in different session key; replaying relay messages results in broken decryption (AES-CTR).
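Why the tagging and replay bullets above hold, as an added example that is not part of the original slides: a receiver that keeps a never-reset keystream position and a running digest rejects both a bit-flipped cell and a replayed one. Assumptions: SHA-256 in counter mode stands in for AES-CTR so the code needs only the standard library, and the 64-byte cell layout, HopState class and key material are constructed for illustration.

```python
import hashlib
import hmac

CELL_LEN = 64  # constructed toy cell size, not Tor's real cell length


class HopState:
    """One direction of one hop: keystream position plus running digest."""

    def __init__(self, key: bytes, seed: bytes):
        self.key, self.block = key, 0        # block counter is never reset
        self.digest = hashlib.sha256(seed)   # running digest over all cells

    def _crypt(self, data: bytes) -> bytes:
        # Stand-in for AES-CTR: XOR with SHA-256(key || counter) blocks.
        stream = b""
        while len(stream) < len(data):
            ctr = self.block.to_bytes(16, "big")
            stream += hashlib.sha256(self.key + ctr).digest()
            self.block += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, payload: bytes) -> bytes:
        body = payload.ljust(CELL_LEN - 4, b"\0")
        self.digest.update(body)
        return self._crypt(self.digest.digest()[:4] + body)

    def open(self, cell: bytes):
        plain = self._crypt(cell)
        tag, body = plain[:4], plain[4:]
        trial = self.digest.copy()
        trial.update(body)
        if not hmac.compare_digest(tag, trial.digest()[:4]):
            return None                      # garbled cell: reject
        self.digest = trial
        return body.rstrip(b"\0")


def demo() -> dict:
    key, seed = b"k" * 16, b"s" * 20         # constructed key material
    tx, rx = HopState(key, seed), HopState(key, seed)
    c1, c2 = tx.seal(b"GET / HTTP/1.1"), tx.seal(b"Host: example.org")
    in_order = [rx.open(c1), rx.open(c2)]
    replayed = rx.open(c1)                   # old bytes, new keystream position
    tx2, rx2 = HopState(key, seed), HopState(key, seed)
    c = tx2.seal(b"GET / HTTP/1.1")
    tagged = c[:10] + bytes([c[10] ^ 1]) + c[11:]   # one flipped bit in transit
    return {"in_order": in_order, "replayed": replayed, "tagged": rx2.open(tagged)}
```

Calling demo() returns the two in-order payloads intact and None for both the replayed and the tagged cell.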

Tor Network Attacks 31/33
Active Attacks (cont.):
- Smear attacks: Use Tor for socially disapproved acts, bring network to disrepute. Exit policies reduce abuse; strong exit-node operators.
- Distribute hostile code: Backdoored or broken Tor client or server software. Tor binaries are signed, Tor is open source. Verify your version! Audit Tor source code!
- Block access to Tor (censorship): IP addresses of directory servers are well-known. Tor offers bridge nodes which are protected from full enumeration. Steganographic protocols can be used to tunnel Tor traffic.

Tor Network Attacks 32/33
De-anonymization by information leaks:
- DNS resolution: usually via UDP; use torsocks to handle.
- Browser fingerprinting: user can be identified by browser plugins, screen resolution, system colors, cookies, DOM storage, TLS session IDs, page cache, ... Use the Tor Browser Bundle to handle.
- User data in the last hop; encrypt actual connection with, e.g., TLS.
Tails: Live CD/USB operating system preconfigured to use Tor safely.

Tor Network 33/33 Run exit nodes! Run onion routers! Run bridge nodes!