The Tor Network Cryptography 2, Part 2, Lecture 6 Ruben Niederhagen June 16th, 2014
Tor Network Introduction 2/33
Classic goals of cryptography:
  confidentiality (symmetric encryption),
  data integrity (hash functions),
  authentication (asymmetric encryption), and
  non-repudiation (signatures).
Privacy goals of cryptography: deniability, anonymity, perfect forward secrecy, ...
May depend on meta-data: sender, receiver, keying data, ...
Tor Network Introduction 3/33
Who needs anonymity?
  opposition in autocratic regimes,
  journalists under dictatorship,
  journalists in democracies,
  law enforcement, spies,
  criminals, terrorists,
  citizens under data-retention laws,
  freedom of speech, ...
Anonymity only works by hiding in the masses. You can help people in need of anonymity by using anonymity-enhancing software even if you do not depend on it yourself!
Tor Network Introduction 4/33
"Tor (previously an acronym for The Onion Router) is free software for enabling online anonymity and resisting censorship." (Wikipedia)
Tor Network Introduction 5/33
Additional goals:
  deployability: usable in the real world, interoperable with existing protocols;
  usability: anonymity requires many users;
  flexibility: easy addition of future features;
  simplicity: avoid bugs, understand security parameters and features.
Tor Network Introduction 6/33
Non-goals:
  not peer-to-peer: requires centralized directory servers;
  not secure against end-to-end attacks: no protection against global adversary;
  no protocol normalization: no anonymization towards receiver;
  not steganographic: does not hide usage of the network.
Tor Network Threat Model 7/33
Global passive adversary:
  global view on the network,
  sees entry and exit links, and
  sees timing and volume patterns.
Tor does not protect against this type of adversary!
Tor Network Threat Model 8/33
Real-world adversary:
  view on a fraction of the network,
  generate, modify, delete, or delay traffic,
  operate Tor routers, or
  compromise some Tor routers.
Tor attempts to protect against this type of adversary.
Tor Network Design Overview 9/33
Tor Network Design Overview 10/33
Tor Network Design Overview 11/33
[Figure; labels: User, Entry, Middle, Exit, Data]
Tor Network Design Details 12/33
Players:
  Onion Router (OR): Routers in the onion overlay network.
  Onion Proxy (OP): Local proxy of each Tor user.
  Directory Server: More-trusted entity providing an OR directory.
Each OR maintains a TLS connection to all other ORs.
Each OP maintains TLS connections to its entry ORs.
Tor uses TLS cipher suites with ephemeral keys.
TLS is used for OR authentication and transport integrity, NOT for payload encryption!
Tor Network Design Details 13/33
Keys
Asymmetric keys:
  Each OR publishes a Router Identity Key in the directory.
  Additionally, directory servers have:
    a long-term Authority Identity Key (stored offline) and
    a medium-term Authority Signing Key (3-12 months).
  OPs do NOT have identity keys!
Symmetric keys:
  All TLS connections use short-term ephemeral keys.
  Onion encryption keys are short-term ephemeral keys; Tor uses AES128 in counter mode for onion encryption.
Tor Network Design Details 14/33
Directory Server:
  ORs send a signed statement to the directory servers.
  The directory servers test if the OR accepts connections.
  Periodically, the directory servers vote on the network state.
  The consensus is signed by all agreeing directory servers.
  On bootstrap, a client connects to a directory server to receive the signed consensus document.
  The client accepts the consensus document if it is signed by at least half of the directory servers.
  Later, the clients request cached consensus docs from known ORs.
  Each consensus is restricted to a specific time period.
  The consensus document contains bandwidth and exit policy information for each OR.
Consensus Document (1) 15/33
    network-status-version 3
    vote-status consensus
    valid-after 2014-06-14 14:00:00
    fresh-until 2014-06-14 15:00:00
    valid-until 2014-06-14 17:00:00
    [...]
    contact Peter Palfrader
    vote-digest DE88ACE5E41B7BDD59A9FA29481D7D2BCF20C08D
    dir-source maatuska 49015F78743... 171.25.193.9 171.25.193.9 443 80
    contact 4096R/23291265 Linus Nordberg
    vote-digest ECFE99490D9E6ED7AB7598AD5B8BCDA43E5C53DF
    dir-source dannenberg 585769C78... dannenberg.ccc.de 193.23.244.244 80 443
    [...]
Consensus Document (2) 16/33
    r CalgaryRelay AhtWK/ebprD1KAbOKdWFQ+mlVE0 FIUMkqViP7mkBn... 2014-06-14 01:15:53 70.72.146.227 9001 9030
    s Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.3.25
    w Bandwidth=247
    p reject 1-65535
    r TelosTorExit2 AhzRl+9BYl9I1Znz0ZM6GpU7mBs RGvsM1rZM2v3n... 2014-06-13 23:25:19 62.210.74.186 443 80
    s Exit Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.4.22
    w Bandwidth=69200
    p reject 25
    [...]
Consensus Document (3) 17/33
    directory-footer
    [...]
    directory-signature 49015F787433103580E3B66A1707A00E60F2D15B F98E385F2982778F50925F54F832E2FE744B5ED7
    -----BEGIN SIGNATURE-----
    qqbsasctppsb5butm6frzuoudk+oux76eb+gpaglzac/yqofqxpzbb9i[...]
    -----END SIGNATURE-----
    directory-signature 585769C78764D58426B8B52B6651A5A71137189A 6B82B0EC44BD79CB0D1F1BB2A0C597E0FEC71AE9
    -----BEGIN SIGNATURE-----
    LcmuTT/5qwA+L9pcxGbRTz74YiqH4rQo5Wz3piSXmD/j4rcahfbmVHmi[...]
    -----END SIGNATURE-----
    [...]
https://gitweb.torproject.org/torspec.git/head:/dir-spec.txt
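
An added example (not part of the lecture and not Tor's own code): a small parser for the consensus fields shown on the three slides above, followed by the client-side acceptance rule from the Directory Server slide (inside the validity period, signed by at least half of the directory servers). The sample document, nicknames and authority identifiers are constructed placeholders, and the cryptographic check of each signature is assumed to have been done already; only the counting and time checks are shown.

```python
from datetime import datetime

# Constructed sample in the layout of the slides; identities are placeholders.
SAMPLE = """\
network-status-version 3
vote-status consensus
valid-after 2014-06-14 14:00:00
fresh-until 2014-06-14 15:00:00
valid-until 2014-06-14 17:00:00
r RelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-14 01:15:53 192.0.2.10 9001 9030
s Fast Running Stable Valid
w Bandwidth=247
p reject 1-65535
r RelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-06-13 23:25:19 192.0.2.20 443 80
s Exit Fast Guard Running Stable Valid
w Bandwidth=69200
p reject 25
directory-footer
directory-signature AUTH1 KEY1
directory-signature AUTH2 KEY2
directory-signature AUTH2 KEY2
directory-signature UNKNOWN KEYX
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_consensus(text):
    """Collect validity times, router entries and signer identities."""
    doc = {"times": {}, "routers": [], "signers": []}
    current = None
    for line in text.splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword in ("valid-after", "fresh-until", "valid-until"):
            doc["times"][keyword] = datetime.strptime(rest, TIME_FMT)
        elif keyword == "r":
            f = rest.split()
            if len(f) < 8:          # malformed entry: ignore it and its s/w/p lines
                current = None
                continue
            # nickname identity digest date time address ORPort DirPort
            current = {"nickname": f[0], "identity": f[1], "address": f[5],
                       "or_port": int(f[6]), "dir_port": int(f[7]),
                       "flags": set(), "bandwidth": None, "policy": None}
            doc["routers"].append(current)
        elif keyword == "s" and current is not None:
            current["flags"] = set(rest.split())
        elif keyword == "w" and current is not None:
            for item in rest.split():
                name, _, value = item.partition("=")
                if name == "Bandwidth":
                    current["bandwidth"] = int(value)
        elif keyword == "p" and current is not None:
            current["policy"] = rest
        elif keyword == "directory-footer":
            current = None
        elif keyword == "directory-signature" and rest:
            doc["signers"].append(rest.split()[0])
    return doc


def accept_consensus(doc, trusted_authorities, now):
    """Apply the slide's rule. Each trusted authority is counted once, and
    signers that are not on the client's trusted list are ignored."""
    times = doc["times"]
    if "valid-after" not in times or "valid-until" not in times:
        return False, "missing validity period"
    if not times["valid-after"] <= now <= times["valid-until"]:
        return False, "outside validity period"
    trusted = set(trusted_authorities)
    good = set(doc["signers"]) & trusted
    if 2 * len(good) < len(trusted):
        return False, f"only {len(good)} of {len(trusted)} authorities signed"
    return True, f"{len(good)} of {len(trusted)} authorities signed"


if __name__ == "__main__":
    parsed = parse_consensus(SAMPLE)
    print(accept_consensus(parsed, ["AUTH1", "AUTH2", "AUTH3", "AUTH4"],
                           datetime(2014, 6, 14, 16, 0, 0)))
```

The duplicate AUTH2 line and the UNKNOWN signer in the sample do not raise the count, which is the case a naive line counter gets wrong.
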
Tor Network Design Details 18/33
Tor Statistics (June 13th, 2014):
  Total Bandwidth of Routers [KBytes/s]     4650769
  Total Number of Routers                   5477
  Total Number of Authority Routers         10
  Total Number of Bad Directory Routers     0
  Total Number of Bad Exit Routers          11
  Total Number of Exit Routers              977
  Total Number of Fast Routers              4588
  Total Number of Guard Routers             2152
  Total Number of Stable Routers            3824
  Total Number of Valid Routers             5477
  Total Number of Directory Mirror Routers  3430
Tor Network Design Details 19/33
Router Flags:
  Authority: if the router is a directory authority.
  BadDirectory: if the router is believed to be useless as a directory cache (because its directory port isn't working, its bandwidth is always throttled, ...).
  Exit: if the router is more useful for building general-purpose exit circuits than for relay circuits.
  BadExit: if the router is believed to be useless as an exit node (because its ISP censors it, because of TLS stripping, ...).
  Fast: if the router is suitable for high-bandwidth circuits.
  Guard: if the router is suitable for use as an entry guard.
  Stable: if the router is suitable for long-lived circuits.
  Valid: if the router has been validated.
Number of Routers 20/33 Germany the Netherlands USA
Number of Exit Routers 21/33 Germany the Netherlands USA
Tor Network Design Details 22/33
Cells:
Control: padding, create, created, destroy, ...
  Field:         CircID  CMD  DATA
  Size (bytes):  2       1    509
Relay: relay data, relay begin, relay end, relay teardown, relay connected, relay extend, relay extended, relay truncate, relay truncated, relay drop, ...
  Field:         CircID  Relay  StreamID  Digest  Len  CMD  DATA
  Size (bytes):  2       1      2         6       2    1    498
  Onion encrypted: everything after the CircID and Relay fields.
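Tor Network Design Details 23/33
Parties: OP, OR 1, OR 2, website. The links between OP and OR 1 and between OR 1 and OR 2 are link TLS encrypted. Each pair of braces is one onion layer.
  OP -> OR 1:        create $c_1$, $E(g^{x_1})$
  OR 1 -> OP:        created $c_1$, $g^{y_1}$, $H(g^{x_1 y_1})$
  OP -> OR 1:        relay $c_1$, {extend, OR 2, $E(g^{x_2})$}
  OR 1 -> OR 2:      create $c_2$, $E(g^{x_2})$
  OR 2 -> OR 1:      created $c_2$, $g^{y_2}$, $H(g^{x_2 y_2})$
  OR 1 -> OP:        relay $c_1$, {extended, $g^{y_2}$, $H(g^{x_2 y_2})$}
  OP -> OR 1:        relay $c_1$, {{begin, website:80}}
  OR 1 -> OR 2:      relay $c_2$, {begin, website:80}
  OR 2 <-> website:  (TCP handshake)
  OR 2 -> OR 1:      relay $c_2$, {connected}
  OR 1 -> OP:        relay $c_1$, {{connected}}
  OP -> OR 1:        relay $c_1$, {{data, HTTP GET...}}
  OR 1 -> OR 2:      relay $c_2$, {data, HTTP GET...}
  OR 2 -> website:   HTTP GET...
  website -> OR 2:   (response)
  OR 2 -> OR 1:      relay $c_2$, {data, (response)}
  OR 1 -> OP:        relay $c_1$, {{data, response}}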
Tor Network Circuits 24/33
Adversary able to detect pattern in message flow!
Tor Network Circuits 25/33
Choosing nodes for circuits:
  Circuit length: 3 ORs (entry, mid, and exit).
    Attacks most efficient at entry and exit; no need for long circuits.
  Avoid having both entry and exit controlled by the attacker.
    Probability: $(c/n)^2$ per circuit ($c$: attacker-controlled ORs, $n$: total ORs).
    Risk grows with many connections/re-routes.
  Choose a guard node as single entry for all circuits.
    All connections potentially compromised iff guard node is compromised; fine otherwise.
    Probability pinned to $c/n$ regardless of number of connections.
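
An added example (not from the lecture): the slide's two probabilities carried through for k circuits, with a seeded simulation as a cross-check. It follows the slide's simplified model in which entry and exit are picked uniformly and independently among n ORs (real path selection is bandwidth-weighted); n = 5477 is the router count from the statistics slide, while c and k are assumed values.

```python
import math
import random


def p_circuit(c, n):
    """Slide: probability that entry AND exit of one circuit are hostile."""
    return (c / n) ** 2


def p_any_without_guard(c, n, k):
    """Fresh entry per circuit: at least one of k circuits fully hostile.
    1 - (1 - (c/n)^2)^k, which tends to 1 as k grows."""
    return 1.0 - (1.0 - p_circuit(c, n)) ** k


def p_with_guard(c, n):
    """Single guard for all circuits: exposure is bounded by the guard being
    hostile, c/n, regardless of k (the slide's 'pinned' probability)."""
    return c / n


def break_even_circuits(c, n):
    """Smallest k for which per-circuit entries are riskier than one guard.
    1 - (1 - p^2)^k > p  <=>  k > ln(1 - p) / ln(1 - p^2), with p = c/n."""
    if not 0 < c < n:
        raise ValueError("need 0 < c < n")
    p = c / n
    return math.floor(math.log(1.0 - p) / math.log(1.0 - p * p)) + 1


def simulate(c, n, k, trials=20000, seed=1):
    """Monte Carlo version of both strategies; ORs 0..c-1 are the hostile ones."""
    rng = random.Random(seed)

    def hostile():
        return rng.randrange(n) < c

    without_guard = with_guard = 0
    for _ in range(trials):
        # No guard: k independent (entry, exit) draws.
        if any(hostile() and hostile() for _ in range(k)):
            without_guard += 1
        # Guard: one entry drawn once and reused for every circuit.
        if hostile():
            with_guard += 1
    return without_guard / trials, with_guard / trials


if __name__ == "__main__":
    n, c = 5477, 100          # n from the statistics slide, c assumed
    for k in (1, 10, 100, 1000, 10000):
        print(k, round(p_any_without_guard(c, n, k), 4), round(p_with_guard(c, n), 4))
    print("break-even after", break_even_circuits(c, n), "circuits")
```

The break-even count is roughly n/c, so a client that builds many circuits passes it quickly; that is the argument for pinning the entry to a guard.
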
Rendezvous Points, Hidden Services 26/33
Provide location-hidden, anonymous services (responder anonymity):
  Access control: Filter incoming connections, avoid DoS.
  Robustness: Long-term pseudonymous identity, not tied to single OR.
  Smear-resistance: Rendezvous router protected against illegal activities.
  Application transparency: Hidden services directly accessible via the Tor network.
Rendezvous Points, Hidden Services 27/33
Tor Network Attacks 28/33
Passive Attacks:
  Observing user traffic patterns:
    end-to-end timing correlation,
    end-to-end size correlation,
    website fingerprinting.
  Observing user content (see below).
  Option distinguishability.
Tor Network Attacks 29/33
Active Attacks:
  Compromise keys: TLS session key, circuit session key, OR private key.
    Past connections can't be compromised due to ephemeral keys!
  Iterate compromise: Follow circuit from end to end.
    Possible only during lifetime of circuit.
  Run recipient: Simplifies passive attacks.
  Run onion proxy: Usually not more likely than compromising the user's machine; possible in company settings with institutional onion proxy.
  DoS non-observed nodes: Force traffic on controlled nodes by disabling other nodes.
Tor Network Attacks 30/33
Active Attacks (cont.):
  Run hostile OR: Observe connections, induce traffic patterns.
    Mitigated by use of guard nodes.
  Introducing timing into messages: Strengthens passive attacks.
  Tagging attacks: Manipulate payload and observe garbled content on exit nodes.
    Prevented by integrity checks.
  Replay attacks: Replaying handshake messages results in different session key; replaying relay messages results in broken decryption (AES-CTR).
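
An added example (not from the lecture and not Tor's code) that ties the relay cell layout of slide 22 to the two defences named above: each OR removes one stream-cipher layer and checks the Digest field, so a payload modified in transit or a replayed relay cell is not recognized by any hop. Assumptions: the keys are constructed constants instead of handshake output, the keystream is SHA-256 over a block counter standing in for AES-128 in counter mode (the standard library has no AES), the digest is a plain truncated SHA-1 over one cell rather than a running digest, and the relay command number follows tor-spec.

```python
import hashlib
import hmac
import struct

PAYLOAD_LEN = 509   # StreamID(2) Digest(6) Len(2) CMD(1) DATA(498), as on slide 22
RELAY_DATA = 2      # relay command number, assumed as in tor-spec


class HopState:
    """Forward-direction state that the OP and one OR keep in sync."""

    def __init__(self, key, seed):
        self.key, self.seed, self.offset = key, seed, 0

    def crypt(self, data):
        # XOR with the next len(data) keystream bytes; the position only moves
        # forward, as with a counter-mode cipher kept open for the circuit.
        first = self.offset // 32
        last = (self.offset + len(data) - 1) // 32
        stream = b"".join(
            hashlib.sha256(self.key + struct.pack(">Q", i)).digest()
            for i in range(first, last + 1))
        start = self.offset % 32
        self.offset += len(data)
        return bytes(a ^ b for a, b in zip(data, stream[start:start + len(data)]))


def digest(seed, body):
    return hashlib.sha1(seed + body).digest()[:6]


def build_payload(seed, stream_id, cmd, data):
    """Lay out the onion-encrypted part; digest is taken over a zeroed field."""
    if len(data) > 498:
        raise ValueError("DATA is at most 498 bytes")
    body = struct.pack(">H6sHB", stream_id, b"\0" * 6, len(data), cmd)
    body += data.ljust(498, b"\0")
    return body[:2] + digest(seed, body) + body[8:]


def recognized(seed, payload):
    """Integrity check an OR runs after removing its layer."""
    zeroed = payload[:2] + b"\0" * 6 + payload[8:]
    return hmac.compare_digest(payload[2:8], digest(seed, zeroed))


def onion_wrap(op_hops, payload):
    """OP side: innermost layer is the exit's, outermost the entry's."""
    for hop in reversed(op_hops):
        payload = hop.crypt(payload)
    return payload


def relay(or_hops, cell, flip_after=None):
    """OR side. Returns the index of the OR that recognized the cell, or None
    if no hop did (the cell is then dropped). flip_after=i models a payload
    changed on the link after OR i."""
    for i, hop in enumerate(or_hops):
        cell = hop.crypt(cell)
        if recognized(hop.seed, cell):
            return i
        if flip_after == i:
            cell = cell[:-1] + bytes([cell[-1] ^ 1])
    return None


def make_circuit():
    keys = [(b"k-or1", b"d-or1"), (b"k-or2", b"d-or2")]   # constructed keys
    return [HopState(*k) for k in keys], [HopState(*k) for k in keys]


def demo():
    request = b"GET / HTTP/1.0\r\n\r\n"
    op, ors = make_circuit()
    cell = onion_wrap(op, build_payload(op[-1].seed, 1, RELAY_DATA, request))
    results = {"honest": relay(ors, cell),     # exit (index 1) recognizes it
               "replay": relay(ors, cell)}     # same bytes again: keystream moved on
    op, ors = make_circuit()
    cell = onion_wrap(op, build_payload(op[-1].seed, 1, RELAY_DATA, request))
    results["modified"] = relay(ors, cell, flip_after=0)  # digest mismatch at exit
    return results


if __name__ == "__main__":
    print(demo())
```
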
Tor Network Attacks 31/33
Active Attacks (cont.):
  Smear attacks: Use Tor for socially disapproved acts, bring network to disrepute.
    Exit policies reduce abuse; string exit-node operators.
  Distribute hostile code: Backdoored or broken Tor client or server software.
    Tor binaries are signed, Tor is open source.
    Verify your version! Audit Tor source code!
  Block access to Tor (censorship): IP addresses of directory servers are well-known.
    Tor offers bridge nodes which are protected from full enumeration.
    Steganographic protocols can be used to tunnel Tor traffic.
Tor Network Attacks 32/33
De-anonymization by information leaks:
  DNS resolution: usually via UDP; use torsocks to handle.
  Browser fingerprinting; user can be identified by:
    browser plugins, screen resolution, system colors, cookies, DOM storage, TLS session IDs, page cache, ...
    Use the Tor Browser Bundle to handle.
  User data in the last hop; encrypt actual connection with, e.g., TLS.
Tails: Live CD/USB operating system... preconfigured to use Tor safely.
Tor Network 33/33 Run exit nodes! Run onion routers! Run bridge nodes!