aaron johnson u.s. naval research laboratory [email protected]
DESCRIPTION
Aaron Johnson U.S. Naval Research Laboratory [email protected]. CSci 6545 George Washington University 11/18/2013. Overview. What is Tor?. Tor is a system for anonymous communication and censorship circumvention. What is Tor?. Tor is based on onion routing. Users. - PowerPoint PPT PresentationTRANSCRIPT
Overview
What is Tor?
Tor is a system for anonymous communication and censorship circumvention.
What is Tor?
Tor is based on onion routing.
Users DestinationsOnion Routers
What is Tor?
Users DestinationsOnion Routers
Tor is based on onion routing.
What is Tor?
Users DestinationsOnion Routers
Tor is based on onion routing.
What is Tor?
Users DestinationsOnion Routers
Tor is based on onion routing.
What is Tor?
Users DestinationsOnion Routers
Tor is based on onion routing.
Unencrypted
Motivation
Why Tor?
• Individuals avoiding censorship
• Individuals avoiding surveillance
• Journalists protecting themselves or sources
• Law enforcement during investigations
• Intelligence analysts for gathering data
Why Tor?
• Over 500000 daily users• 2.4GiB/s aggregate traffic
• Over 4000 relays in over 80 countries
Tor History1996: “Hiding Routing Information” by David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Information Hiding: First International Workshop.1997: "Anonymous Connections and Onion Routing," Paul F. Syverson, David M. Goldschlag, and Michael G. Reed. IEEE Security & Privacy Symposium.1998: Distributed network of 13 nodes at NRL, NRAD, and UMD.2000: “Towards an Analysis of Onion Routing Security” by Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landweh r. Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability.2003: Tor network is deployed (12 US nodes, 1 German), and Tor code is released by Roger Dingledine and Nick Mathewson under the free and open MIT license.2004: “Tor: The Second-Generation Onion Router” by Roger Dingledine, Nick Mathewson, and Paul Syverson. USENIX Security Symposium.2006: The Tor Project, Inc. incorporated as a non-profit.
Tor Today• Funding levels at $1-2 million (current and
former funders include DARPA, NSF, US State Dept., SIDA, BBG, Knight Foundation, Omidyar Network, EFF)
• The Tor Project, Inc. employs a small team for software development, research, funding management, community outreach, and user support
• Much bandwidth, research, development, and outreach still contributed by third parties
Other anonymous communication designs and systems
• Single-hop anonymous proxies: anonymizer.com, anonymouse.org
• Dining Cryptographers network: Dissent, Herbivore
• Mix networks: MixMinion, MixMaster, BitLaundry
• Onion routing: Crowds, Java Anon Proxy, I2P, Aqua, PipeNet, Freedom
• Others: Anonymous buses, XOR trees,
Security Model
Threat Model
Adversary is local and active.
Threat Model
Adversary is local and active.
Not global
Threat Model
Adversary is local and active.• Adversary may run relays
Threat Model
Adversary is local and active.• Adversary may run relays• Destination may be malicious
Threat Model
Adversary is local and active.• Adversary may run relays• Destination may be malicious• Adversary may observe some ISPs
Security Definitions
• Identity is primarily IP address but can include other identifying information
• Sender anonymity: Connection initiator cannot be determined
• Receiver anonymity: Connection recipient cannot be determined
• Unobservability: It cannot be determined who is using the system.
Design
General Tor Functionality
• Provides connection-oriented bidirectional communication
• Only makes TCP connections• Provides standard SOCKS interface to
applications• Provides application-specific software for
some popular applications (e.g. HTTP)
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)2. Hidden services (anonymity wrt all)3. Censorship circumvention (unobservability)
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)2. Hidden services (anonymity wrt all)3. Censorship circumvention (unobservability)
Exit Circuits
Exit Circuits
1. Client learns about relays from a directory server.
Exit Circuits
1. Client learns about relays from a directory server.
Centralized, point of failure
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.
Only guards directly observe client
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.
Different streams on circuit can be linked.
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.5. New circuits replace existing ones periodically.
Exit Circuits
1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.5. New circuits replace existing ones periodically.
Circuits creation protects anonymity with respect to all but sender
Creating a Circuit
u 1 2 3
13
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
[0,CREATE, gx1]
1. CREATE/CREATED
u 1 2 3
13
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
[0,CREATED, gy1]
1. CREATE/CREATED
u 1 2 3
13
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
u 1 2 3
13
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
[0,{[EXTEND,2, gx2]}s1]
u 1 2 3
14
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
[l1,CREATE, gx2]
u 1 2 3
14
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
[l1,CREATED, gy2]u 1 2 3
14
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
[0,{EXTENDED}s1]u 1 2 3
14
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[0,{{[EXTEND,3,gx3]}s2}s1]
u 1 2 3
15
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
u 1 2 3[l1,{[EXTEND,3,gx3]}s2]
15
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[l2,CREATE,gx3]
u 1 2 3
15
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[l2,CREATED,gy3]u 1 2 3
15
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[l1,{EXTENDED,gy3}s2]u 1 2 3
15
{m}si: Encrypted using the DH session key gxiyi
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[0,{{EXTENDED,gy3}s2}s1]u 1 2 3
15
{m}si: Encrypted using the DH session key gxiyi
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)2. Hidden services (anonymity wrt all)3. Censorship circumvention (unobservability)
Hidden Services
HS
User wants to hide serviceUser wants to hide
service
Hidden Services
IP
HS chooses and publishes
introduction point IP
HS
HS chooses and publishes introduction
point (IP)
guard
Hidden Services
guard IP
HS
Learns about HS on web
Learns about HS on web (.onion address)
Hidden Services
guard IP
HS
Client looks up IP at a Hidden Service Directory using .onion address
guard
guard
Hidden Services
guard IP
HS
RP
Client builds circuit to chosen Rendezvous Point (RP)
guard
Hidden Services
guard IP
HS
Notifies HS of RP through IP
RP
guard
RP
Notifies HS of RP through IP
guard
Hidden Services
guard IP
HS
RP
RP
guard
Hidden Services
guard IP
HS
RP
guard
Build new circuit to RP
guard
Hidden Services
guard IP
HS
RP
guard
Communicate
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)2. Hidden services (anonymity wrt all)3. Censorship circumvention (unobservability)
Blocking Tor
• Tor directory and relay IPs are public
• Tor connections are made over TLS
• Tor cells have a fixed length
• Tor directory and relay IPs are public
• Tor connections are made over TLS
• Tor cells have a fixed length
Blocking Tor
• Tor bridges are kept private, released via– CAPTCHA– Email request– Personal communication
• Tor directory and relay IPs are public
• Tor connections are made over TLS
• Tor cells have a fixed length
Blocking Tor
Pluggable transports • obfsproxy3 makes
protocol look like strings of random bits
• Flash proxies use transient web clients over WebSockets
• Tor directory and relay IPs are public
• Tor connections are made over TLS
• Tor cells have a fixed length
Blocking Tor
• Not observed to be a problem currently– ScrambleSuit: randomized
lengths– StegoTorus:
Steganographic HTTP– SkypeMorph/FreeWave;
Steganographic VOIP
Blocking Tor
• Tor directory and relay IPs are public
• Tor connections are made over TLS
• Tor cells have a fixed length
• Countries have manpower to enumerate bridges
• Network surveillance used to detect possible Tor connections, followup scans confirm
Attacks
Attacks on Tor
• Correlation attack• Guard compromise• Bandwidth manipulation• Congestion/throughput attack• Latency attack• Application-layer attacks• DoS attacks
68
Correlation Attack
69
Correlation Attack
70
Correlation Attack
71
Correlation Attack
72
Correlation Attack
73
Node AdversaryControls a fixed allotment of relays based on bandwidth budget
• We assume adversary has 100 MiB/s – comparable to large family of relays
• Adversaries apply 5/6th of bandwidth to guard relays and the rest to exit relays. (We found this to be the most effective allocation we tested.)
74
Time to first compromised circuitOctober 2012 – March 2013
50% of clients use a compromised circuit in less than 70 days
Attacks on Tor
• Correlation/throughput attack• Guard compromise• Bandwidth manipulation• Congestion attack• Latency attack• Application-layer attacks• DoS attacks