Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router. Presented by: Alexander Truong. Authors: Roger Dingledine, Nick Mathewson, Paul Syverson

Upload: khuyen

Post on 09-Jan-2016


DESCRIPTION

Tor: The Second Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson. Presented by Amruta Patwardhan. Original Onion Routing. Onion Routing is an overlay network that can anonymize TCP-based applications like web browsing, secure shell, and instant messaging.

TRANSCRIPT

Page 1: Tor : The Second Generation Onion Router

Tor: The Second-Generation Onion Router

Presented by: Alexander Truong

Authors: Roger Dingledine, Nick Mathewson, Paul Syverson

Page 2

Anonymous Communication Systems

▪ Relay based (Chaum’s Mix-Net)

▪ High-latency

▪ Babel, Mixmaster, Mixminion

▪ Resistant to global adversary

▪ E-mail

▪ Low-latency

▪ Tor, Anonymizer, Java Anon Proxy, PipeNet, Freedom

▪ Vulnerable to timing attacks and volume analysis

▪ E-mail, chat, SSH, web browsing

Page 3

Onion Routing

▪ Onion routing dates back to 1996

▪ Anonymizes TCP applications

▪ Volunteer-based Onion Routers (OR)

▪ Security Objective: Relationship Unlinkability, Message Unlinkability w.r.t. subject

S → A: PK_A(PK_B(PK_C(M) + A_C) + A_B)

A → B: PK_B(PK_C(M) + A_C)

B → C: PK_C(M)

C: Message M

Page 4

Tor design improvements

▪ Security

▪ Perfect forward secrecy; Removed mixing, padding, traffic shaping; Hidden services via rendezvous points; End-to-end integrity checking; Leaky-pipe circuit topology

▪ Efficiency

▪ TCP stream multiplexing; Congestion control; Directory servers

▪ Usability

▪ SOCKS proxy interface; Exit policies

Page 5

Design Goals of Tor

▪ Practical to deploy: low bandwidth, smear-resistant, easy to implement

▪ Easy to use: Minimal application modification, configuration, delay

▪ Security requirement: Difficult to use → fewer users → less anonymity

▪ Well-understood, simple design to facilitate implementation and security analysis

▪ Flexible for future testing and research

Page 6

Threat Model

▪ Tor does not protect against a strong global adversary

▪ Focus on traffic analysis attacks

▪ We assume the adversary can

▪ observe a fraction of network traffic

▪ generate, modify, delete, delay traffic

▪ operate onion routers

▪ compromise onion routers

Page 7

Tor

▪ Overlay network: operates in user space without elevated privileges

▪ Operators deploy Onion Routers (OR)

▪ maintains a TLS connection to every other OR

▪ Users run Onion Proxies (OP)

▪ fetch directories, create circuits across the network, multiplex TCP streams onto circuits

▪ Directory servers

▪ Cells (packets)

▪ Circuits and streams

Page 8

Directory Servers

▪ Trusted servers called directory servers maintain a directory of ORs and their identity keys.

▪ Clients fetch a trusted directory if it is signed by a threshold of directory servers

▪ In previous onion routing designs, ORs flooded the network to update network status

▪ Adversary can exploit differences in network views caused by delays

Page 9

Onion Router

▪ Long-term identity key

▪ Sign TLS certs, router descriptor, sign directories

▪ Short-term onion key

▪ Decrypt user circuit requests

▪ Negotiate short-term keys

▪ Rotated periodically

Page 10

Cells

▪ 512 bytes of header + payload

▪ Control Cells

▪ padding, create[d], destroy

▪ Relay Cells

▪ data, begin/connected, end, teardown, extend[ed], truncate[d], sendme, drop

▪ 128-bit AES counter mode, stream cipher

Page 11

Relay Cells

▪ Sending a relay cell to OR3

1. OP assigns a digest, then encrypts the relay cell as K1(K2(K3(Relay Cell)))

2. OR1 and OR2 each decrypt, check the digest, find an invalid digest, and pass the cell on to the next OR

3. OR3 decrypts and finds a valid digest and processes the cell

▪ OP can send to any OR on the circuit, enabling a leaky pipe topology

Page 12

Circuits

▪ Efficient circuit usage: circuits are shared by multiple TCP streams

▪ Low delay: circuits are constructed preemptively

▪ Minimal user impact: circuits are created in the background

▪ Reduce linkability

▪ periodically create new circuits

▪ expire unused or old circuits

[Figure: TCP streams HTTP1, HTTP2, SSH1, IRC1 and XYZ1 multiplexed onto circuits C1 and C2]

Page 13

Circuit Construction

▪ Negotiate symmetric key using Diffie-Hellman with each OR in the circuit

▪ OP uses “create”, “created”, “relay extend”, “relay extended” cells to create a circuit.

[Figure: cells exchanged between OP, OR1 and OR2, in order: create, created, relay extend, create, created, relay extended]

Page 14

TCP connections

▪ An application requests the OP’s SOCKS interface to create a TCP connection

▪ OP uses relay commands to open TCP streams and exit nodes

▪ Some applications resolve a hostname before connecting to Tor

▪ Privoxy filters HTTP requests and skips DNS resolution

[Figure: Application, TCP traffic, SOCKS proxy interface, Onion Proxy, relay cells, Circuit]

Page 15

Location-hidden service

▪ Service can be offered without revealing IP address

▪ Filter incoming requests

▪ Protect against DDoS

▪ Maintain pseudonymity

▪ HS able to migrate IPs

▪ Smear-resistance for rendezvous points

▪ Users are not required to modify applications

Page 16

Introduction points

▪ A hidden service (HS) advertises introduction points (IP) on a lookup service, signed with the owner’s public key.

▪ Many IPs must be created to resist DoS attacks

[Figure: HS and three IPs in the Tor network]

Page 17

Rendezvous Point Set Up

1. OP sets up a circuit with Rendezvous Point (RP) with a rendezvous cookie

2. OP contacts IP with RP, rendezvous cookie, and DH handshake half

3. IP sends to HS

4. HS creates circuit to RP with cookie and completed DH handshake

[Figure: OP, IP, HS and RP, with arrows labelled (1) to (4) for the steps above]

Page 18

Integrity checking

▪ TLS protects against external adversary

▪ OP creates a SHA-1 digest with each node in the circuit to protect against internal adversary

▪ Initial digest of shared key

▪ Incrementally add to digest

▪ Contents of all relay cells each node created

▪ First 4 bytes of the current digest

▪ To modify a cell, adversary must deduce digest from all traffic and shared key
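
The relay-cell recognition steps and the running digest described above, as an added example that is not part of the original slides: each OR strips one layer and accepts the cell only if the 4-byte tag matches its own running SHA-1 digest. The SHA-256 keystream standing in for AES counter mode, the names `Hop`, `op_send`, `or_receive` and `deliver`, and the choice to digest only the payload instead of a full 512-byte cell are assumptions of this sketch.

```python
import hashlib

def xor_stream(key: bytes, counter: int, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 keystream); the slides name AES counter mode."""
    stream = b"".join(hashlib.sha256(key + b"%d:%d" % (counter, i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Hop:
    """Per-hop state; the OP and the OR each keep their own copy."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = 0                      # cells processed, used as cipher counter
        self.digest = hashlib.sha1(key)    # running digest, seeded with the shared key

    def crypt(self, cell: bytes) -> bytes:
        out = xor_stream(self.key, self.seen, cell)
        self.seen += 1
        return out

def op_send(hops, target: int, payload: bytes) -> bytes:
    """OP: add payload to the target hop's digest, tag the cell, wrap K1(..Kt(cell))."""
    hops[target].digest.update(payload)
    cell = hops[target].digest.digest()[:4] + payload   # first 4 bytes of the digest
    for hop in reversed(hops[:target + 1]):
        cell = hop.crypt(cell)
    return cell

def or_receive(hop: Hop, cell: bytes):
    """OR: strip one layer; a matching tag means the cell is addressed to this OR."""
    plain = hop.crypt(cell)
    trial = hop.digest.copy()
    trial.update(plain[4:])
    if trial.digest()[:4] == plain[:4]:
        hop.digest = trial                 # commit the digest only on recognition
        return True, plain[4:]
    return False, plain                    # not ours: pass on to the next OR

def deliver(or_hops, cell: bytes, tamper_before=None):
    """Walk the circuit; return (index of recognizing OR, payload) or (None, None)."""
    for i, hop in enumerate(or_hops):
        if i == tamper_before:             # constructed in-path bit flip
            cell = cell[:-1] + bytes([cell[-1] ^ 1])
        ok, cell = or_receive(hop, cell)
        if ok:
            return i, cell
    return None, None                      # no OR on the circuit recognized the cell
```

Addressing a cell to the middle hop exercises the leaky-pipe case, and a single flipped bit anywhere on the path leaves the cell unrecognized by every OR.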

Page 19

Limiting bandwidth

▪ Tor limits incoming bytes over a long-term average

▪ Uses the token bucket algorithm

▪ Circuit-level throttling

▪ Uses a packaging window and delivery window

▪ Packaging or delivering a cell decrements the corresponding window

▪ Relay sendme increments a window

▪ When packaging window is 0, OR stops reading until receiving a relay sendme

▪ Stream-level throttling

▪ Similar to circuit-level throttling, has a packaging window and delivery window

▪ Sends relay sendme only when bytes are flushed to TCP stream
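
Circuit-level throttling as a small simulation, added here as an example and not taken from the slides or from Tor's code: it shows the sender stalling when its packaging window reaches 0 and resuming when a relay sendme arrives. The 1000-cell window, the 100-cell sendme step, the tick model and all names are assumptions.

```python
CIRC_WINDOW = 1000  # assumed initial window, in cells (not given on the slides)
SENDME_STEP = 100   # assumed number of cells acknowledged by one relay sendme

class Packager:
    """Sending edge of a circuit: tracks the packaging window."""
    def __init__(self):
        self.window = CIRC_WINDOW

    def package(self) -> bool:
        if self.window == 0:       # window exhausted: stop reading from the stream
            return False
        self.window -= 1
        return True

    def on_sendme(self):
        self.window += SENDME_STEP

class Deliverer:
    """Receiving edge: tracks the delivery window and decides when to send a sendme."""
    def __init__(self):
        self.window = CIRC_WINDOW

    def deliver(self) -> bool:
        self.window -= 1
        if self.window <= CIRC_WINDOW - SENDME_STEP:
            self.window += SENDME_STEP
            return True            # caller sends a relay sendme back
        return False

def simulate(total_cells: int, send_rate: int, recv_rate: int):
    """Return (ticks, stalled_ticks, max_in_flight) for one circuit."""
    tx, rx = Packager(), Deliverer()
    sent = delivered = ticks = stalled = max_in_flight = 0
    while delivered < total_cells:
        ticks += 1
        packaged = 0
        while packaged < send_rate and sent < total_cells and tx.package():
            packaged += 1
            sent += 1
        if packaged == 0 and sent < total_cells:
            stalled += 1           # sender blocked until a sendme arrives
        max_in_flight = max(max_in_flight, sent - delivered)
        for _ in range(min(recv_rate, sent - delivered)):
            delivered += 1
            if rx.deliver():
                tx.on_sendme()     # sendme modelled as arriving instantly
    return ticks, stalled, max_in_flight
```

With a receiver slower than the sender, the number of cells in flight never exceeds the window, which bounds how much data any one circuit can queue inside the network.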

Page 20

Exit policies

▪ Potential abuse of the Tor network deters deployment

▪ Onion Router operators may be mistaken for users abusing the network

▪ Exit policies allow operators to restrict/filter traffic to prevent abuse

Page 21

Attacks

▪ Passive

▪ Observe network edges for entering and exiting traffic to analyze timing, volume, user-selected options

▪ Active attacks

▪ Attack trustworthy routers; Perform illegal activities (smear) on reliable routers

▪ Deny service to users, then observe effect on network

▪ Directory attacks

▪ Subvert directory servers; Trick servers to list a compromised OR

▪ Rendezvous attacks

▪ Attack/flood introduction points

Page 22

Future Research

▪ More scalable design, with more anonymity and support for more users

▪ Effectiveness of padding links

▪ Incremental updates from directory servers

Page 23

Questions?