Tor: The Second Generation Onion Router
DESCRIPTION
Tor: The Second Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson. Presented by Amruta Patwardhan. Original Onion Routing. Onion Routing is an overlay network that can anonymize TCP-based applications like web browsing, Secure Shell, and instant messaging.
TRANSCRIPT
Tor: The Second-Generation Onion Router
Presented by: Alexander Truong
Authors: Roger Dingledine, Nick Mathewson, Paul Syverson
Anonymous Communication Systems
▪ Relay based (Chaum’s Mix-Net)
▪ High-latency
▪ Babel, Mix-master, Mixminion
▪ Resistant to global adversary
▪ Low-latency
▪ Tor, Anonymizer, Java Anon Proxy, PipeNet, Freedom
▪ Vulnerable to timing attacks and volume analysis
▪ E-mail, chat, SSH, web browsing
Onion Routing
▪ Onion routing dates back to 1996
▪ Anonymizes TCP applications
▪ Volunteer-based Onion Routers (OR)
▪ Security Objective: Relationship Unlinkability, Message Unlinkability w.r.t. subject
[Figure: onion layers as message M travels S → A → B → C; each router peels one layer of public-key encryption and learns only the next hop]
PKA(PKB(PKC(M) + C) + AB)
PKB(PKC(M) + AC)
PKC(M)
Message M
Tor design improvements
▪ Security
▪ Perfect forward secrecy; Removed mixing, padding, traffic shaping; Hidden services via rendezvous points; End-to-end integrity checking; Leaky-pipe circuit topology
▪ Efficiency
▪ TCP stream multiplexing; Congestion control; Directory servers
▪ Usability
▪ SOCKS proxy interface; Exit policies
Design Goals of Tor
▪ Practical to deploy: low bandwidth, smear-resistant, easy to implement
▪ Easy to use: Minimal application modification, configuration, delay
▪ Security requirement: difficult to use → fewer users → less anonymity
▪ Well-understood, simple design to facilitate implementation and security analysis
▪ Flexible for future testing and research
Threat Model
▪ Tor does not protect against a strong global adversary
▪ Focus on traffic analysis attacks
▪ We assume the adversary can
▪ observe a fraction of network traffic
▪ generate, modify, delete, delay traffic
▪ operate onion routers
▪ compromise onion routers
Tor
▪ Overlay network: operates in user space without elevated privileges
▪ Operators deploy Onion Routers (OR)
▪ each OR maintains a TLS connection to every other OR
▪ Users run Onion Proxies (OP)
▪ fetch directories, create circuits across the network, multiplex TCP streams onto circuits
▪ Directory servers
▪ Cells (packets)
▪ Circuits and streams
Directory Servers
▪ Trusted servers called directory servers maintain a directory of ORs and their identity keys.
▪ Clients accept a directory only if it is signed by a threshold of directory servers
▪ In previous onion routing designs, ORs flooded the network to update network status
▪ Adversary can exploit differences in network views caused by delays
Onion Router
▪ Long-term identity key
▪ Signs TLS certs, the router descriptor, and directories
▪ Short-term onion key
▪ Decrypt user circuit requests
▪ Negotiate short-term keys
▪ Rotated periodically
Cells
▪ 512 bytes (header + payload)
▪ Control Cells
▪ padding, create[d], destroy
▪ Relay Cells
▪ data, begin/connected, end, teardown, extend[ed], truncate[d], sendme, drop
▪ Payload encrypted with 128-bit AES in counter mode, used as a stream cipher
Relay Cells
▪ Sending a relay cell to OR3
1. OP assigns a digest, then encrypts the relay cell in layers: K1(K2(K3(Relay Cell)))
2. OR1 and OR2 each decrypt one layer, check the digest, find it invalid, and pass the cell on to the next OR
3. OR3 decrypts and finds a valid digest and processes the cell
▪ OP can send to any OR on the circuit, enabling a leaky pipe topology
Circuits
▪ Efficient circuit usage: circuits are shared by multiple TCP streams
▪ Low delay: circuits are constructed preemptively
▪ Minimal user impact: circuits are created in the background
▪ Reduce linkability
▪ periodically create new circuits
▪ expire unused or old circuits
[Figure: TCP streams HTTP1, HTTP2, SSH1, IRC1, XYZ1 multiplexed onto circuits C1 and C2]
Circuit Construction
▪ Negotiate symmetric key using Diffie-Hellman with each OR in the circuit
▪ OP uses “create”, “created”, “relay extend”, “relay extended” cells to create a circuit.
[Figure: telescoping circuit construction between OP, OR1 and OR2]
OP → OR1: (create, )
OR1 → OP: (created, )
OP → OR1: (relay extend, )
OR1 → OR2: (create, )
OR2 → OR1: (created, )
OR1 → OP: (relay extended, )
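The telescoping exchange above, as an added Python model (not code from the paper or from Tor): each hop negotiates its own Diffie-Hellman key with the OP, and the OR that forwards a relay extend only ever sees g^x and g^y, so it cannot recover the next hop's key. Assumptions: a toy 127-bit group instead of Tor's 1024-bit group, and the onion layers that wrap the relay extend cell between OP and the last hop are omitted.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed): P = 2^127 - 1 keeps the numbers short.
# Tor used a 1024-bit group; this one is for illustration only.
P = 2**127 - 1
G = 2

def h_key(k: int) -> bytes:
    """H(K) returned in 'created'/'extended' so the OP can check the shared key."""
    return hashlib.sha1(k.to_bytes(16, "big")).digest()

class OnionRouter:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}                        # circuit id -> key shared with the circuit's creator
    def on_create(self, circ_id, gx: int):
        y = secrets.randbelow(P - 2) + 1      # ephemeral; discarded with the circuit (forward secrecy)
        self.keys[circ_id] = pow(gx, y, P)
        return pow(G, y, P), h_key(self.keys[circ_id])      # 'created' cell
    def on_extend(self, circ_id, next_or, gx: int):
        # 'relay extend': this OR opens a new segment to next_or by sending a 'create'
        # carrying the OP's g^x. It relays g^x and g^y only, so it never learns K.
        return next_or.on_create((self.name, circ_id), gx)  # reply returns as 'relay extended'

class OnionProxy:
    def __init__(self):
        self.keys = []                        # K1, K2, K3 ... in path order
    def _handshake(self, send_half):
        x = secrets.randbelow(P - 2) + 1
        gy, hk = send_half(pow(G, x, P))
        k = pow(gy, x, P)
        if h_key(k) != hk:                    # the hop must prove it derived the same K
            raise ValueError("H(K) mismatch: handshake reply was tampered with")
        self.keys.append(k)
        return k
    def create(self, or1, circ_id):
        return self._handshake(lambda gx: or1.on_create(circ_id, gx))
    def extend(self, last_or, next_or, circ_id):
        return self._handshake(lambda gx: last_or.on_extend(circ_id, next_or, gx))

def build_circuit(ors, circ_id=7):
    """Create OP->OR1, then extend one hop at a time; returns the OP holding K1..Kn."""
    op = OnionProxy()
    op.create(ors[0], circ_id)
    for prev, nxt in zip(ors, ors[1:]):
        op.extend(prev, nxt, circ_id)
    return op
```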
TCP connections
▪ An application requests the OP’s SOCKS interface to create a TCP connection
▪ OP uses relay commands to open TCP streams at exit nodes
▪ Some applications resolve a hostname before connecting to Tor
▪ Privoxy filters HTTP requests and skips DNS resolution
[Figure: Application → TCP traffic → SOCKS proxy interface of the Onion Proxy → relay cells over a circuit]
Location-hidden service
▪ Service can be offered without revealing IP address
▪ Filter incoming requests
▪ Protect against DDoS
▪ Maintain pseudonymity
▪ HS able to migrate IPs
▪ Smear-resistance for rendezvous points
▪ Users are not required to modify applications
Introduction points
▪ A hidden service (HS) advertises introduction points (IP) on a lookup service, signed with the owner’s public key.
▪ Many IPs must be created to resist DoS attacks
[Figure: HS connected to several introduction points (IP) inside the Tor network]
Rendezvous Point Set Up
1. OP sets up a circuit with Rendezvous Point (RP) with a rendezvous cookie
2. OP contacts IP with RP, rendezvous cookie, and DH handshake half
3. IP sends to HS
4. HS creates circuit to RP with cookie and completed DH handshake
[Figure: steps (1) to (4) between OP, IP, HS and RP]
Integrity checking
▪ TLS protects against an external adversary
▪ OP keeps a SHA-1 digest with each node in the circuit to protect against an internal adversary
▪ Initial digest of shared key
▪ Incrementally add to digest
▪ Contents of all relay cells each node created
▪ Each relay cell carries the first 4 bytes of the current digest
▪ To modify a cell, adversary must deduce digest from all traffic and shared key
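The leaky-pipe delivery (steps 1 to 3 under Relay Cells) and the running-digest integrity check described here, as an added Python model (not code from the paper or from Tor). Assumptions: a SHA-256 counter-mode keystream stands in for AES-128-CTR, and a cell is just the 4-byte digest followed by the payload (Tor's real relay header carries more fields).

```python
import hashlib

DIGEST_LEN = 4  # each relay cell carries the first 4 bytes of the running SHA-1 digest

def keystream(key: bytes, counter: int, n: int) -> bytes:
    # Counter-mode keystream from SHA-256: a standard-library stand-in for the
    # AES-128-CTR stream cipher Tor uses (constructed for the example, not reviewed).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

class Hop:
    """One OR's view of a circuit; the OP keeps an identical mirror per hop."""
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0
        self.digest = hashlib.sha1(key)   # running digest seeded with the shared key
    def layer(self, data: bytes) -> bytes:
        ks = keystream(self.key, self.ctr, len(data))
        self.ctr += 1                     # one keystream block per cell, as in CTR mode
        return bytes(a ^ b for a, b in zip(data, ks))
    def recognize(self, cell: bytes):
        """Payload if the 4-byte digest matches our running digest, else None."""
        d = self.digest.copy()
        d.update(cell[DIGEST_LEN:])
        if d.digest()[:DIGEST_LEN] != cell[:DIGEST_LEN]:
            return None
        self.digest = d                   # commit: this cell now counts toward the digest
        return cell[DIGEST_LEN:]

def op_package(op_hops, target, payload):
    """OP builds K1(K2(...Kt(digest || payload))) for hop index `target` (leaky pipe)."""
    hop = op_hops[target]
    hop.digest.update(payload)
    cell = hop.digest.digest()[:DIGEST_LEN] + payload
    for h in reversed(op_hops[:target + 1]):   # innermost layer = target, outermost = OR1
        cell = h.layer(cell)
    return cell

def relay(ors, cell):
    """Each OR peels one layer; the first whose digest matches processes the cell."""
    for i, o in enumerate(ors):
        cell = o.layer(cell)
        payload = o.recognize(cell)
        if payload is not None:
            return i, payload
    return None, cell                      # no hop recognized it: corrupted or misrouted
```

A one-byte change in transit fails the digest at every hop, so the cell falls off the end of the circuit rather than being processed; in Tor that is grounds to tear the circuit down.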
Limiting bandwidth
▪ Tor limits incoming bytes over a long-term average
▪ Uses the token bucket algorithm
▪ Circuit-level throttling
▪ Uses a packaging window and delivery window
▪ Packaging or delivering a cell decrements the corresponding window
▪ Relay sendme increments a window
▪ When packaging window is 0, OR stops reading until receiving a relay sendme
▪ Stream-level throttling
▪ Similar to circuit-level throttling, has a packaging window and delivery window
▪ Sends relay sendme only when bytes are flushed to TCP stream
Exit policies
▪ Potential abuse of the Tor network deters deployment
▪ Onion Router operators may be mistaken for users abusing the network
▪ Exit policies allow operators to restrict/filter traffic to prevent abuse
Attacks
▪ Passive
▪ Observe network edges for entering and exiting traffic to analyze timing, volume, user-selected options
▪ Active attacks
▪ Attack trustworthy routers; Perform illegal activities (smear) on reliable routers
▪ Deny service to users, then observe effect on network
▪ Directory attacks
▪ Subvert directory servers; Trick servers to list a compromised OR
▪ Rendezvous attacks
▪ Attack/flood introduction points
Future Research
▪ A more scalable design that offers more anonymity and supports more users
▪ Effectiveness of padding links
▪ Incremental updates from directory servers
Questions?