Tor: The Tor Anonymity Network
CS 470 Introduction to Applied Cryptography
Ali Aydın Selçuk

Tor
Free software that helps people surf the Web anonymously and dodge censorship.
Initially developed at the U.S. Naval Research Laboratory (NRL), and later open-sourced for public use.
As of 2015, Tor has a total user base of 2 million people, and the Tor network consists of roughly 6000 relays, mostly run by volunteers.

Tor Basics
Onion Routing: a technique that allows anonymous communication over a network of computers.
Messages are routed through a circuit (a path of Tor relays), encrypted multiple times like an onion, with the encryption keys of the relays.

Tor Basics
When a message reaches a relay, it is decrypted once and forwarded towards the next relay.
Since a node only knows its previous and next nodes, this ensures the real source of the message stays anonymous.
A circuit contains three Tor relays by default. These relays are often referred to as the entry node, middleman, and exit node.
Tor Basics
Circuit Construction:
A list of relays is obtained from a Tor directory server.
A random path is chosen from source to destination.

Tor Basics
Circuits are built incrementally, one hop at a time.
At every iteration, TLS keys are negotiated between the Tor relay and the source.
These keys are used to encrypt the data, which is sent through the SOCKS protocol.

Hidden Services
To let people serve a variety of services, like web publishing or instant messaging, without their locations being compromised.
Accessed through an onion address (e.g. https://facebookcorewwwi.onion/).
These are not actual DNS names, but with the appropriate software installed, browsers can access sites with .onion addresses by sending the request through Tor.
Use introduction points and rendezvous points to achieve anonymity.

Hidden Service Setup Mechanism
1. Server creates onion routes to introduction points.
2. Server gives intro point descriptors and addresses to the service lookup directory.
3. Client obtains the service descriptor and intro point address from the directory.
Source: http://www.cs.utexas.edu/~shmat/courses/cs380s/tor.ppt
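The following is an added example, not code from the slides or from the Tor Project, modelling in Python the two mechanisms from the Tor Basics slides above: the incremental (hop-by-hop) circuit construction, where every further hop is negotiated through the hops already built, and the onion layering, where each relay strips exactly one layer and learns only its next hop. It assumes a constructed toy Diffie-Hellman group and an HMAC-SHA256 counter keystream in place of Tor's real handshake and AES-CTR, and a hypothetical RECOGNIZ tag standing in for Tor's "recognized" field; the Relay and Client classes are illustrative.

```python
"""Toy model of Tor circuit construction and onion-layered relaying.
Added example for the CS 470 Tor slides, not Tor Project code: it uses a
constructed, toy-sized Diffie-Hellman group and an HMAC-SHA256 counter
keystream instead of Tor's real handshake and AES-CTR, so the structure is
faithful but the cryptography is illustrative only."""
import hashlib
import hmac
import secrets

# Constructed toy DH parameters: a 61-bit Mersenne prime modulus, generator 2.
P = (1 << 61) - 1
G = 2
TAG = b"RECOGNIZ"   # hypothetical stand-in for Tor's "recognized" field
DIRECTORY = {}      # name -> Relay, standing in for the directory servers


def derive_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret into a 32-byte session key for one hop."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream: one call adds or removes
    one onion layer. Toy: the counter restarts at 0 for every cell, whereas Tor
    keeps a running AES-CTR state per hop so keystream is never reused."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Relay:
    """One onion router: holds one session key and knows only its next hop."""

    def __init__(self, name: str):
        self.name = name
        self.key = None        # set by CREATE
        self.next_hop = None   # set by EXTEND
        self.delivered = []    # plaintext this relay got to see (only the exit)
        DIRECTORY[name] = self

    def create(self, client_pub: int) -> int:
        """Answer a CREATE cell: finish DH and return our public share."""
        priv = secrets.randbelow(P - 2) + 1
        self.key = derive_key(pow(client_pub, priv, P))
        return pow(G, priv, P)

    def send(self, cell: bytes) -> bytes:
        """Peel one layer. If the cell is now recognized, act on it; otherwise
        forward it. The reply gets our layer added back on the way to the client."""
        inner = keystream_xor(self.key, cell)
        if inner.startswith(TAG):
            cmd, payload = inner[len(TAG):len(TAG) + 1], inner[len(TAG) + 1:]
            if cmd == b"X":                      # EXTEND: CREATE to the named relay
                name, pub = payload.decode().split(":")
                self.next_hop = DIRECTORY[name]
                reply = TAG + str(self.next_hop.create(int(pub))).encode()
            else:                                # DATA: we are the exit for this cell
                self.delivered.append(payload)
                reply = TAG + b"ACK " + payload
        else:
            reply = self.next_hop.send(inner)    # not ours: pass it on, unread
        return keystream_xor(self.key, reply)


class Client:
    """The onion proxy: builds the circuit hop by hop and wraps every cell."""

    def __init__(self):
        self.keys, self.entry = [], None

    def _exchange(self, plaintext: bytes) -> bytes:
        """One layer per negotiated hop (last hop innermost), sent via the entry."""
        cell = plaintext
        for key in reversed(self.keys):
            cell = keystream_xor(key, cell)
        reply = self.entry.send(cell)
        for key in self.keys:
            reply = keystream_xor(key, reply)
        return reply

    def build_circuit(self, path) -> int:
        """Telescoping construction: first hop created directly, each further
        hop negotiated through the hops already in the circuit."""
        for i, name in enumerate(path):
            priv = secrets.randbelow(P - 2) + 1
            pub = pow(G, priv, P)
            if i == 0:
                self.entry = DIRECTORY[name]
                server_pub = self.entry.create(pub)
            else:
                reply = self._exchange(TAG + b"X" + f"{name}:{pub}".encode())
                server_pub = int(reply[len(TAG):])
            self.keys.append(derive_key(pow(server_pub, priv, P)))
        return len(self.keys)

    def send_data(self, message: bytes) -> bytes:
        """Send application data; only the exit sees it in the clear."""
        reply = self._exchange(TAG + b"D" + message)
        return reply[len(TAG) + len(b"ACK "):]


def demo():
    """Build a three-hop circuit, send one cell, report what each relay learned."""
    entry, middle, exit_ = Relay("entry"), Relay("middle"), Relay("exit")
    client = Client()
    client.build_circuit(["entry", "middle", "exit"])
    echoed = client.send_data(b"GET / HTTP/1.0")
    return {"echoed": echoed,
            "entry_saw": list(entry.delivered),     # entry never sees plaintext
            "exit_saw": list(exit_.delivered),
            "entry_knows_next": entry.next_hop.name,
            "middle_knows_next": middle.next_hop.name,
            "exit_knows_next": exit_.next_hop,      # exit forwards to nobody
            "distinct_keys": len({entry.key, middle.key, exit_.key})}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the property the slides state: the entry relay holds a key and knows the middle relay but never sees the request, the middle relay knows only its two neighbours, and only the exit recovers the plaintext. The three session keys are distinct because each was agreed with a different relay through the partial circuit, which is what makes the layered encryption possible.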
Hidden Service Setup Mechanism
4. Client creates a route to a rendezvous point.
5. Client sends the address of the rendezvous point and any authorization, if needed, to the server through an intro point.
6. If the server chooses to talk to the client, it connects to the rendezvous point.
7. Rendezvous point mates the circuits from client and server.
Source: http://www.cs.utexas.edu/~shmat/courses/cs380s/tor.ppt

Possible Attacks Against Tor
Passive attacks:
- Traffic correlation/analysis
- Website fingerprinting
Active attacks:
- Iterated compromise
- Distributing hostile code
- Blocking access to the Tor network

Passive Attacks
Traffic Correlation/Analysis: Since Tor is a low-latency anonymous communication system, an adversary watching the two ends (entry and exit nodes) of a circuit can correlate the traffic by examining the arrival and departure times of the packets.

Traffic Correlation/Analysis
Johnson et al. (CCS 2013); Chakravarty et al. (PAM 2014)
Analysis shows that an adversary controlling at least two endpoint relays can de-anonymize 80-90%, with a false positive rate of 5-6%.
Tor's response: select the entry guard nodes more carefully, and keep them longer. https://blog.torproject.org/category/tags/entryguards (good read!)
Active area of research.
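The following is an added example, not code from the slides or from the Tor Project, that plays out hidden-service setup steps 1 to 7 from the two Hidden Service Setup Mechanism slides as a message exchange in Python, including the "if the server chooses to talk to the client" decision of step 6 as an optional authorization check. The class and message names, the auth field and the constructed IP and onion addresses are assumptions; no cryptography is performed, and an object reference stands in for an address reached over a circuit. The point it makes is that neither the introduction point nor the rendezvous point ever handles either party's real address.

```python
"""Toy walk-through of the hidden-service setup (steps 1-7 on the slides) as a
message exchange. Added example, not Tor Project code: class and message names,
the optional auth check and the constructed addresses are assumptions, and no
cryptography is performed (an object reference stands in for an address)."""
import secrets


class IntroPoint:
    """Step 1 relay: keeps the service's circuit, passes INTRODUCE cells to it
    (step 5) and logs only the onion address and the cell's field names."""

    def __init__(self, name):
        self.name, self.circuits, self.log = name, {}, []

    def introduce(self, onion_addr, cell):
        self.log.append(("INTRODUCE", onion_addr, sorted(cell)))
        return self.circuits[onion_addr].on_introduce(cell)


class RendezvousPoint:
    """Step 4 relay: mates the two circuits presenting the same cookie (step 7)
    and afterwards relays opaque payloads between them."""

    def __init__(self, name):
        self.name, self.waiting, self.mated, self.log = name, {}, {}, []

    def establish(self, cookie, client):
        self.waiting[cookie] = client

    def rendezvous(self, cookie, service):
        self.mated[cookie] = (self.waiting.pop(cookie), service)
        self.log.append(("MATED", cookie.hex()))

    def relay(self, cookie, sender, payload):
        client, service = self.mated[cookie]
        self.log.append(("RELAY", cookie.hex(), len(payload)))
        (service if sender is client else client).inbox.append(payload)


class HiddenService:
    def __init__(self, ip, directory, intro_points, auth=None):
        self.ip, self.auth = ip, auth           # ip is private, never put in a message
        self.onion_addr = secrets.token_hex(8) + ".onion"   # constructed stand-in
        self.inbox, self.rp, self.cookie = [], None, None
        for point in intro_points:              # step 1: circuits to intro points
            point.circuits[self.onion_addr] = self
        directory[self.onion_addr] = {"intro_points": [p.name for p in intro_points]}  # step 2

    def on_introduce(self, cell):
        """Step 6: connect to the client's rendezvous point only if authorized."""
        if self.auth is not None and cell.get("auth") != self.auth:
            return False
        self.rp, self.cookie = cell["rendezvous_point"], cell["cookie"]
        self.rp.rendezvous(self.cookie, self)
        return True

    def reply(self, payload):
        self.rp.relay(self.cookie, self, payload)


class Client:
    def __init__(self, ip):
        self.ip = ip                             # private, never put in a message
        self.inbox, self.rp, self.cookie = [], None, None

    def connect(self, onion_addr, directory, points, rp, auth=None):
        desc = directory[onion_addr]                              # step 3
        self.rp, self.cookie = rp, secrets.token_bytes(20)
        rp.establish(self.cookie, self)                           # step 4
        cell = {"rendezvous_point": rp, "cookie": self.cookie, "auth": auth}
        return points[desc["intro_points"][0]].introduce(onion_addr, cell)  # step 5

    def say(self, payload):
        self.rp.relay(self.cookie, self, payload)


def run_setup(client_auth="s3cret"):
    """Run steps 1-7 and report what each party got and what the relays saw."""
    directory, rp = {}, RendezvousPoint("rp1")   # dict stands in for the lookup directory
    points = {n: IntroPoint(n) for n in ("intro1", "intro2")}
    service = HiddenService("10.0.0.5", directory, list(points.values()), auth="s3cret")
    client = Client("192.0.2.7")                 # constructed addresses for both parties
    connected = client.connect(service.onion_addr, directory, points, rp, auth=client_auth)
    if connected:
        client.say(b"hello service")
        service.reply(b"hello client")
    relay_view = repr(points["intro1"].log) + repr(rp.log)
    return {
        "connected": connected,
        "service_got": service.inbox,
        "client_got": client.inbox,
        "relays_saw_an_address": service.ip in relay_view or client.ip in relay_view,
        "rp_log": rp.log,
    }


if __name__ == "__main__":
    print(run_setup())
    print(run_setup(client_auth="wrong"))
```

With the right authorization the rendezvous point logs a MATED entry and two RELAY entries, and both inboxes fill; with the wrong one the service declines at step 6, nothing is mated and the client's circuit to the rendezvous point simply waits. In both runs the relays' logs contain cookies, field names and lengths only.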
Website Fingerprinting
Training a classifier using machine learning and applying the classifier to the current traffic to find out which user is visiting which website.
To train the classifier, packet sizes, timestamps of the packets, etc. can be used.
Research (e.g., Juarez et al. (CCS 14)) indicates that Tor's size makes using website fingerprinting to identify users impossible in practice (and that such studies "assume too much").

Active Attacks
Iterated Compromise: If an adversary compromises a relay in the circuit, and then compromises the next one, until all relays in the circuit are compromised, the adversary may de-cloak the user.
But the adversary must complete the iteration within the lifetime of a circuit. (The default lifetime of a circuit is 10 minutes.)

Active Attacks
Distributing Hostile Code: All Tor releases are signed by the Tor Project with an official public key; hence, Tor users can verify a Tor release.
If the attacker can somehow trick some Tor users into running Tor-like software, he can degrade their anonymity.

Active Attacks
Blocking Access to the Tor Network: Mostly by governments, to prevent people from reaching censored websites or resources.
The Great Firewall of China (GFC) was using simple IP blacklisting to block access to Tor. Users were still able to access via bridges (unpublished Tor relays).
GFC then used the unique cipher list in the TLS hello message sent by Tor clients to identify and block the Tor connection. Tor solved the problem by imitating Firefox's cipher list in the TLS client hello.
Tor Bridges
Bridges are relays not listed in the main Tor directory.
Since there is no public list of all bridges, even if all known Tor relays are blacklisted, bridges can still be used to access the Internet via Tor.
[Figure: Getting three bridges from bridges.torproject.org]

Snowden documents contain information on NSA's efforts to break Tor. Among them is a presentation, "Tor Stinks". There, NSA admits they will never be able to decloak all Tor users or a specific Tor user. Nevertheless, they have some tools and techniques to spoil the Tor network.

Attacks against the Tor browser bundle: These attacks try to exploit Firefox's vulnerabilities.
EgotisticalGiraffe exploits a vulnerability in an XML extension of JavaScript. Firefox v.11.0-16.0.2 were vulnerable to this attack.
FoxAcid servers: Web servers designed to launch prepared attacks against visitors directed with a specific tag. By using these servers NSA aims to take control of the visitors' computers. Few details are available.

Circuit Reconstruction: By inserting high-bandwidth nodes, NSA can own all three nodes in a circuit and reveal the identities of Tor users.
NSA admits that it is hard to own all the relays in a circuit, and they don't have enough nodes to apply this attack. They say that GCHQ also owns some nodes, and by working together they may be able to apply this attack.
GCHQ is working on de-anonymizing Tor users too. They say they tried tracking packets in the circuits, but the method was unsuccessful. They think of applying traffic correlation attacks by owning / observing the guard node and the exit node. (next slide)
[Figure: GCHQ's traffic correlation mechanism (Source: Spiegel)]

Capitalize on human error: Instead of going after Tor and its implementation, intelligence agencies mostly go after human error.
For example, in the conviction of the Silk Road (an illegal market operated as a Tor hidden service) founder Ross Ulbricht, law enforcement probably used his non-anonymous moves on the Internet, like the photographs he shared on social media.

Conclusion
Tor is a robust system, and its current network size makes most attacks impractical.
Disclosed documents show that intelligence agencies fail to break Tor. They mostly try to de-cloak Tor users by using glitches in the browser bundle or by capitalizing on targeted people's mistakes.