The Tor Network - Eindhoven University of Technology · /department of mathematics and computer...

Post on 07-Jun-2020

/ department of mathematics and computer science

The Tor Network
Cryptography 2, Part 2, Lecture 6

Ruben Niederhagen

June 16th, 2014

Tor Network — Introduction

“Classic” goals of cryptography:
• confidentiality – symmetric encryption,
• data integrity – hash functions,
• authentication – asymmetric encryption, and
• non-repudiation – signatures.

“Privacy” goals of cryptography:
• deniability,
• anonymity,
• perfect forward secrecy,
• . . .

May depend on meta-data: sender, receiver, keying data . . .

Tor Network — Introduction

Who needs anonymity?
• opposition in autocratic regimes,
• journalists under dictatorship,
• journalists in democracies,
• law enforcement, spies,
• criminals, terrorists,
• citizens under data-retention laws,
• freedom of speech,
• . . .

Anonymity only works by hiding in the masses.
You can help people in need of anonymity by using anonymity-enhancing software even if you do not depend on it yourself!

Tor Network — Introduction

“Tor (previously an acronym for The Onion Router) is free software for enabling online anonymity and resisting censorship.”

Wikipedia

Tor Network — Introduction

Additional goals:
• deployability: usable in the real world, interoperable with existing protocols;
• usability: anonymity requires many users;
• flexibility: easy addition of future features;
• simplicity: avoid bugs, understand security parameters and features.

Tor Network — Introduction

Non-goals:
• not peer-to-peer: requires centralized directory servers;
• not secure against end-to-end attacks: no protection against global adversary;
• no protocol normalization: no anonymization towards receiver;
• not steganographic: does not hide usage of the network.

Tor Network — Threat Model

Global passive adversary:
• global view on the network,
• sees entry and exit links, and
• sees timing and volume patterns.

Tor does not protect against this type of adversary!

Tor Network — Threat Model

“Real-world” adversary:
• view on a fraction of the network,
• generate, modify, delete, or delay traffic,
• operate Tor routers, or
• compromise some Tor routers.

Tor attempts to protect against this type of adversary.

?

Tor Network — Design Overview

[Figure: design overview diagram with the labels User, Entry, Middle, Exit, and Data]

Tor Network — Design Details

Players:
• Onion Router (OR): Routers in the onion overlay network.
• Onion Proxy (OP): Local proxy of each Tor user.
• Directory Server: More-trusted entity providing an OR directory.

Each OR maintains a TLS connection to all other ORs.
Each OP maintains TLS connections to its entry ORs.

Tor uses TLS cipher suites with ephemeral keys.

TLS is used for OR authentication and transport integrity, NOT for payload encryption!

Tor Network — Design Details

Keys
• Asymmetric Keys:
    • Each OR publishes a “Router Identity Key” in the directory.
    • Additionally, directory servers have:
        • a long-term “Authority Identity Key” (stored offline) and
        • a medium-term “Authority Signing Key” (3–12 months).
    • OPs do NOT have identity keys!
• Symmetric Keys:
    • All TLS connections use short-term ephemeral keys.
    • Onion encryption keys are short-term ephemeral keys; Tor is using AES128 in counter mode for onion encryption.

Tor Network — Design Details

Directory Server:
• ORs send a signed statement to the directory servers.
• The directory servers test if the OR accepts connections.
• Periodically, the directory servers vote on the network state.
• The consensus is signed by all agreeing directory servers.
• On bootstrap, a client connects to a directory server to receive the signed consensus document.
• The client accepts the consensus document if it is signed by at least half of the directory servers.
• Later, the clients request cached consensus docs from known ORs.
• Each consensus is restricted to a specific time period.
• The consensus document contains bandwidth and exit policy information for each OR.

Consensus Document (1)

    network-status-version 3
    vote-status consensus
    valid-after 2014-06-14 14:00:00
    fresh-until 2014-06-14 15:00:00
    valid-until 2014-06-14 17:00:00
    [...]
    contact Peter Palfrader
    vote-digest DE88ACE5E41B7BDD59A9FA29481D7D2BCF20C08D
    dir-source maatuska 49015F78743... 171.25.193.9
        171.25.193.9 443 80
    contact 4096R/23291265 Linus Nordberg
    vote-digest ECFE99490D9E6ED7AB7598AD5B8BCDA43E5C53DF
    dir-source dannenberg 585769C78... dannenberg.ccc.de
        193.23.244.244 80 443
    [...]

Consensus Document (2)

    r CalgaryRelay AhtWK/ebprD1KAbOKdWFQ+mlVE0 FIUMkqViP7mkBn...
        2014-06-14 01:15:53 70.72.146.227 9001 9030
    s Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.3.25
    w Bandwidth=247
    p reject 1-65535
    r TelosTorExit2 AhzRl+9BYl9I1Znz0ZM6GpU7mBs RGvsM1rZM2v3n...
        2014-06-13 23:25:19 62.210.74.186 443 80
    s Exit Fast HSDir Running Stable V2Dir Valid
    v Tor 0.2.4.22
    w Bandwidth=69200
    p reject 25
    [...]

Consensus Document (3)

    directory-footer
    [...]
    directory-signature 49015F787433103580E3B66A1707A00E60F2D15B
        F98E385F2982778F50925F54F832E2FE744B5ED7
    -----BEGIN SIGNATURE-----
    qqBSASctPPSB5buTm6FrzuOUDK+Oux76Eb+gpAglZAc/yqOfqXPzBb9I
    [...]
    -----END SIGNATURE-----
    directory-signature 585769C78764D58426B8B52B6651A5A71137189A
        6B82B0EC44BD79CB0D1F1BB2A0C597E0FEC71AE9
    -----BEGIN SIGNATURE-----
    LcmuTT/5qwA+L9pcxGbRTz74YiqH4rQo5Wz3piSXmD/j4rcahfbmVHmi
    [...]
    -----END SIGNATURE-----
    [...]

https://gitweb.torproject.org/torspec.git/HEAD:/dir-spec.txt
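The client-side checks described on the directory slides, applied to the consensus excerpt above, as an added example that is not part of the lecture or of Tor's code. It parses the validity window, the signer fingerprints and the router entries, then answers which relays may serve as exit for a given port. Assumptions: the function names are hypothetical, the quorum rule is the one stated on the slide, and every listed signature is taken as already verified.

```python
from datetime import datetime

# Excerpt joined from the three consensus slides; wrapped lines are re-joined
# and digests stay truncated ("...") exactly as on the slides.
SAMPLE = """\
network-status-version 3
vote-status consensus
valid-after 2014-06-14 14:00:00
fresh-until 2014-06-14 15:00:00
valid-until 2014-06-14 17:00:00
dir-source maatuska 49015F78743... 171.25.193.9 171.25.193.9 443 80
dir-source dannenberg 585769C78... dannenberg.ccc.de 193.23.244.244 80 443
r CalgaryRelay AhtWK/ebprD1KAbOKdWFQ+mlVE0 FIUMkqViP7mkBn... 2014-06-14 01:15:53 70.72.146.227 9001 9030
s Fast HSDir Running Stable V2Dir Valid
v Tor 0.2.3.25
w Bandwidth=247
p reject 1-65535
r TelosTorExit2 AhzRl+9BYl9I1Znz0ZM6GpU7mBs RGvsM1rZM2v3n... 2014-06-13 23:25:19 62.210.74.186 443 80
s Exit Fast HSDir Running Stable V2Dir Valid
v Tor 0.2.4.22
w Bandwidth=69200
p reject 25
directory-footer
directory-signature 49015F787433103580E3B66A1707A00E60F2D15B F98E385F2982778F50925F54F832E2FE744B5ED7
directory-signature 585769C78764D58426B8B52B6651A5A71137189A 6B82B0EC44BD79CB0D1F1BB2A0C597E0FEC71AE9
"""

TIME_FIELDS = ("valid-after", "fresh-until", "valid-until")


def parse_ports(spec):
    """Turn '25' or '80,443,1-1023' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def parse_consensus(text):
    """Collect validity times, authority names, signer ids and router entries."""
    doc = {"authorities": [], "signers": [], "routers": []}
    router = None
    for line in text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword in TIME_FIELDS:
            doc[keyword] = datetime.strptime(rest, "%Y-%m-%d %H:%M:%S")
        elif keyword == "dir-source":
            doc["authorities"].append(rest.split()[0])
        elif keyword == "directory-signature":
            doc["signers"].append(rest.split()[0])      # identity fingerprint
        elif keyword == "r":
            f = rest.split()                            # nickname id digest date time IP ORPort DirPort
            router = {"nickname": f[0], "address": f[5], "or_port": int(f[6]),
                      "flags": set(), "bandwidth": 0, "policy": None}
            doc["routers"].append(router)
        elif router is not None and keyword == "s":
            router["flags"] = set(rest.split())
        elif router is not None and keyword == "w":
            fields = dict(item.split("=", 1) for item in rest.split())
            router["bandwidth"] = int(fields["Bandwidth"])
        elif router is not None and keyword == "p":
            action, ports = rest.split()
            router["policy"] = (action, parse_ports(ports))
    return doc


def is_live(doc, now):
    """Each consensus is restricted to a specific time period."""
    return doc["valid-after"] <= now <= doc["valid-until"]


def has_quorum(doc, trusted):
    """Slide rule: signed by at least half of the trusted directory servers.
    Assumes every listed signature has already been verified."""
    signed = set(doc["signers"]) & set(trusted)
    return 2 * len(signed) >= len(trusted)


def allows_port(router, port):
    if router["policy"] is None:
        return False
    action, ranges = router["policy"]
    listed = any(low <= port <= high for low, high in ranges)
    return listed if action == "accept" else not listed


def exit_candidates(doc, port):
    """Nicknames of running, valid Exit relays whose policy permits the port."""
    wanted = {"Exit", "Running", "Valid"}
    return [r["nickname"] for r in doc["routers"]
            if wanted <= r["flags"] and "BadExit" not in r["flags"]
            and allows_port(r, port)]
```
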

Tor Network — Design Details

Tor Statistics (June 13th, 2014):

    Total Bandwidth of Routers [KBytes/s]        4650769
    Total Number of Routers                         5477
    Total Number of ’Authority’ Routers               10
    Total Number of ’Bad Directory’ Routers            0
    Total Number of ’Bad Exit’ Routers                11
    Total Number of ’Exit’ Routers                   977
    Total Number of ’Fast’ Routers                  4588
    Total Number of ’Guard’ Routers                 2152
    Total Number of ’Stable’ Routers                3824
    Total Number of ’Valid’ Routers                 5477
    Total Number of ’Directory Mirror’ Routers      3430

Tor Network — Design Details

Router Flags:
• “Authority” if the router is a directory authority.
• “BadDirectory” if the router is believed to be useless as a directory cache (because its directory port isn’t working, its bandwidth is always throttled, . . . ).
• “Exit” if the router is more useful for building general-purpose exit circuits than for relay circuits.
• “BadExit” if the router is believed to be useless as an exit node (because its ISP censors it, because of TLS stripping, . . . ).
• “Fast” if the router is suitable for high-bandwidth circuits.
• “Guard” if the router is suitable for use as an entry guard.
• “Stable” if the router is suitable for long-lived circuits.
• “Valid” if the router has been ’validated’.

Number of Routers

[Figure: number of routers; labels: Germany, the Netherlands, USA]

Number of Exit Routers

[Figure: number of exit routers; labels: Germany, the Netherlands, USA]

Tor Network — Design Details

Cells:
• Control: padding, create, created, destroy, . . .

    Field          CircID   CMD   DATA
    Size (bytes)     2       1    509

• Relay: relay data, relay begin, relay end, relay teardown, relay connected, relay extend, relay extended, relay truncate, relay truncated, relay drop, . . .

    Field          CircID   Relay   StreamID   Digest   Len   CMD   DATA
    Size (bytes)     2        1        2         6       2     1    498

    Onion Encrypted

Tor Network — Design Details

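Participants: OP, OR 1, OR 2, website
(the OP–OR 1 link and the OR 1–OR 2 link are TLS encrypted)

    OP → OR 1:        create c1, E(g^{x_1})
    OR 1 → OP:        created c1, g^{y_1}, H(g^{x_1 y_1})
    OP → OR 1:        relay c1, {extend, OR 2, E(g^{x_2})}
    OR 1 → OR 2:      create c2, E(g^{x_2})
    OR 2 → OR 1:      created c2, g^{y_2}, H(g^{x_2 y_2})
    OR 1 → OP:        relay c1, {extended, g^{y_2}, H(g^{x_2 y_2})}
    OP → OR 1:        relay c1, {{begin, website:80}}
    OR 1 → OR 2:      relay c2, {begin, website:80}
    OR 2 ↔ website:   (TCP handshake)
    OR 2 → OR 1:      relay c2, {connected}
    OR 1 → OP:        relay c1, {{connected}}
    OP → OR 1:        relay c1, {{data, HTTP GET . . . }}
    OR 1 → OR 2:      relay c2, {data, HTTP GET . . . }
    OR 2 → website:   HTTP GET . . .
    website → OR 2:   (response)
    OR 2 → OR 1:      relay c2, {data, (response)}
    OR 1 → OP:        relay c1, {{data, response}}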
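The key agreement and the layered {{begin, website:80}} cell from the exchange above, as an added example that is not the lecture's or Tor's code. Each pair of braces is one onion layer: OR 1 strips its layer and still sees ciphertext, OR 2 strips the last layer and recognizes the cell. Assumptions: a toy Diffie-Hellman group, a SHA-256 keystream standing in for AES128 in counter mode, E(.) omitted, both handshakes called directly instead of relaying the second through OR 1, hypothetical command numbers, a simplified keyed digest, and onion encryption covering everything after the CircID and Relay bytes.

```python
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group, an assumption of this example (far too small for real use).
P = 2**127 - 1
G = 3

# Relay cell layout from the slide, sizes in bytes:
# CircID(2) Relay(1) | StreamID(2) Digest(6) Len(2) CMD(1) DATA(498)
HEADER = struct.Struct(">HB")
BODY = struct.Struct(">H6sHB498s")
CMD_RELAY = 3      # command numbers are hypothetical values for this example
RELAY_BEGIN = 1


def H(shared):
    """Key confirmation hash H(g^xy) returned in 'created' / 'extended'."""
    return hashlib.sha256(b"confirm" + shared.to_bytes(16, "big")).digest()


def derive_key(shared):
    """128-bit layer key, domain-separated so that H(g^xy) does not reveal it."""
    return hashlib.sha256(b"key" + shared.to_bytes(16, "big")).digest()[:16]


def xor_stream(key, data):
    """Counter-mode keystream from SHA-256 (stand-in for AES128-CTR)."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def body_digest(key, stream_id, length, cmd, data):
    """6-byte keyed digest over the body with the Digest field zeroed."""
    body = BODY.pack(stream_id, bytes(6), length, cmd, data)
    return hashlib.sha256(key + body).digest()[:6]


class OnionRouter:
    def handshake(self, gx):
        """Answer create/extend: pick y, return (g^y, H(g^xy))."""
        y = secrets.randbelow(P - 3) + 2
        shared = pow(gx, y, P)
        self.key = derive_key(shared)
        return pow(G, y, P), H(shared)

    def peel(self, cell):
        """Remove one layer; returns (recognized, cmd, payload or remaining body)."""
        body = xor_stream(self.key, cell[HEADER.size:])
        stream_id, digest, length, cmd, data = BODY.unpack(body)
        expected = body_digest(self.key, stream_id, length, cmd, data)
        if length <= 498 and hmac.compare_digest(digest, expected):
            return True, cmd, data[:length]
        return False, None, body          # still encrypted for a later hop


def negotiate(router):
    """Client side of one hop; raises if the key confirmation does not match."""
    x = secrets.randbelow(P - 3) + 2
    gy, confirm = router.handshake(pow(G, x, P))
    shared = pow(gy, x, P)
    if not hmac.compare_digest(confirm, H(shared)):
        raise ValueError("key confirmation failed")
    return derive_key(shared)


def make_relay_cell(circ_id, keys, stream_id, cmd, data):
    """Build a relay cell addressed to the last hop; keys are ordered entry-first."""
    digest = body_digest(keys[-1], stream_id, len(data), cmd, data)
    body = BODY.pack(stream_id, digest, len(data), cmd, data)
    for key in reversed(keys):            # last hop's layer is innermost
        body = xor_stream(key, body)
    return HEADER.pack(circ_id, CMD_RELAY) + body


def demo():
    or1, or2 = OnionRouter(), OnionRouter()
    k1, k2 = negotiate(or1), negotiate(or2)
    # relay c1, {{begin, website:80}}
    cell = make_relay_cell(1, [k1, k2], 7, RELAY_BEGIN, b"website:80")
    seen1, _, body = or1.peel(cell)       # OR 1 removes its layer only
    # relay c2, {begin, website:80}
    seen2, cmd, payload = or2.peel(HEADER.pack(2, CMD_RELAY) + body)
    return len(cell), seen1, b"website:80" in body, seen2, cmd, payload


if __name__ == "__main__":
    print(demo())
```
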

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}

create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}}

relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}

(TCP handshake)relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

(response)

relay c2, {data, (response)}relay c1, {{data, response}}

23/33

/ department of mathematics and computer science

Tor Network — Design Details

OP OR 1 OR 2 website

(link TLS encrypted) (link TLS encrypted)

create c1, E(g x1)

created c1, g y1 , H(g xy11 )

relay c1, {extend, OR 2, E(g x2)}create c2, E(g x2)

created c2, g y2 , H(g xy22 )

relay c1, {extended, g y2 , H(g xy22 )}

relay c1, {{begin, website:80}} relay c2, {begin, website:80}(TCP handshake)

relay c2, {connected}

relay c1, {{connected}}

relay c1, {{data, HTTP GET . . . }}relay c2, {data, HTTP GET . . . }

HTTP GET . . .

Tor Network — Design Details

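Parties: OP, OR 1, OR 2, website (the links OP to OR 1 and OR 1 to OR 2 are TLS encrypted)

OP → OR 1: create c1, $E(g^{x_1})$
OR 1 → OP: created c1, $g^{y_1}$, $H(g^{x_1 y_1})$
OP → OR 1: relay c1, {extend, OR 2, $E(g^{x_2})$}
OR 1 → OR 2: create c2, $E(g^{x_2})$
OR 2 → OR 1: created c2, $g^{y_2}$, $H(g^{x_2 y_2})$
OR 1 → OP: relay c1, {extended, $g^{y_2}$, $H(g^{x_2 y_2})$}
OP → OR 1: relay c1, {{begin, website:80}}
OR 1 → OR 2: relay c2, {begin, website:80}
OR 2 ↔ website: (TCP handshake)
OR 2 → OR 1: relay c2, {connected}
OR 1 → OP: relay c1, {{connected}}
OP → OR 1: relay c1, {{data, HTTP GET . . . }}
OR 1 → OR 2: relay c2, {data, HTTP GET . . . }
OR 2 → website: HTTP GET . . .
website → OR 2: (response)
OR 2 → OR 1: relay c2, {data, (response)}
OR 1 → OP: relay c1, {{data, response}}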

Tor Network — Circuits

Adversary able to detect pattern in message flow!

Tor Network — Circuits

Choosing nodes for circuits:

- Circuit length: 3 ORs – entry, mid, and exit.
  Attacks most efficient at entry and exit; no need for long circuits.
- Avoid both entry and exit to be controlled by attacker.
  Probability: $(c/N)^2$ per circuit
  ($c$: attacker-controlled ORs, $N$: total ORs)
- Risk grows with many connections/re-routes.
- Choose a guard node as single entry for all circuits.
- All connections potentially compromised iff guard node is compromised; fine otherwise.
- Probability pinned to $c/N$ regardless of number of connections.
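
The probability bullets above, carried through as an added worked derivation (not from the slides). It assumes every OR is picked uniformly and independently, which is the model behind the slide's $(c/N)^2$; the circuit count $k$ and the sample values are introduced here.

Without a guard, each of $k$ circuits draws a fresh entry and exit, so the chance that at least one circuit has both ends attacker-controlled is

$$P_{\text{no guard}}(k) = 1 - \left(1 - (c/N)^2\right)^k \;\longrightarrow\; 1 \quad (k \to \infty).$$

With one guard fixed as entry for all circuits, a circuit can only be compromised if the guard itself is one of the $c$ attacker-controlled ORs, and then only when a compromised exit is drawn:

$$P_{\text{guard}}(k) = \frac{c}{N}\left(1 - \left(1 - \frac{c}{N}\right)^k\right) \;\le\; \frac{c}{N}.$$

Both expressions equal $(c/N)^2$ for $k = 1$. For the constructed values $c/N = 0.1$ and $k = 100$: $P_{\text{no guard}} = 1 - 0.99^{100} \approx 0.634$, while $P_{\text{guard}} \approx 0.1$.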

Rendezvous Points, Hidden Services

Provide location-hidden, anonymous services (responder anonymity):

- Access control:
  Filter incoming connections, avoid DoS.
- Robustness:
  Long-term pseudonymous identity, not tied to single OR.
- Smear-resistance:
  Rendezvous router protected against illegal activities.
- Application transparency:
  Hidden services directly accessible via the Tor network.

Tor Network — Attacks

Passive Attacks:

- Observing user traffic patterns:
  • end-to-end timing correlation,
  • end-to-end size correlation,
  • website fingerprinting.
- Observing user content (see below).
- Option distinguishability.

Tor Network — Attacks

Active Attacks:

- Compromise keys:
  TLS session key, circuit session key, OR private key.
  Past connections can’t be compromised due to ephemeral keys!
- Iterate compromise:
  Follow circuit from end to end.
  Possible only during lifetime of circuit.
- Run recipient:
  Simplifies passive attacks.
- Run onion proxy:
  Usually not more likely than compromising user’s machine;
  possible in company settings with institutional onion proxy.
- DoS non-observed nodes:
  Force traffic on controlled nodes by disabling other nodes.

Tor Network — Attacks

Active Attacks (cont.):

- Run hostile OR:
  Observe connections, induce traffic patterns.
  Mitigated by use of guard nodes.
- Introducing timing into messages:
  Strengthens passive attacks.
- Tagging attacks:
  Manipulate payload and observe garbled content on exit nodes.
  Prevented by integrity checks.
- Replay attacks:
  Replaying handshake messages results in different session key;
  replaying relay messages results in broken decryption (AES-CTR).
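
The create/created handshake and the {{...}} relay layering from the Design Details slide, together with the tagging and replay bullets above, as an added toy model (not part of the lecture and not Tor's code). Assumptions: a 127-bit toy DH group, a SHA-256 counter keystream standing in for AES-CTR, a truncated HMAC standing in for Tor's integrity digest, no E(·) encryption to the OR's public key, and hypothetical class and function names throughout.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (constructed; far too small for real use)
G = 3            # toy generator (constructed)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def handshake():
    """create/created: OP sends g^x, OR answers g^y and H(g^xy). Returns both sides' keys."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)        # E(g^x) under the OR's public key is omitted
    k_or = pow(gx, y, P).to_bytes(16, "big")   # OR side: (g^x)^y
    confirm = H(k_or)                          # sent back inside "created"
    k_op = pow(gy, x, P).to_bytes(16, "big")   # OP side: (g^y)^x
    if not hmac.compare_digest(H(k_op), confirm):
        raise ValueError("key confirmation H(g^xy) failed")
    return H(b"key" + k_op), H(b"key" + k_or)

class Stream:
    """Stateful counter-mode keystream, a stand-in for AES-CTR (assumption)."""
    def __init__(self, key: bytes):
        self.key, self.pos = key, 0

    def xor(self, data: bytes) -> bytes:
        out = bytearray()
        for byte in data:
            block = H(self.key + (self.pos // 32).to_bytes(8, "big"))
            out.append(byte ^ block[self.pos % 32])
            self.pos += 1                      # the position never rewinds
        return bytes(out)

def tag(key: bytes, body: bytes) -> bytes:
    """4-byte integrity tag; HMAC stands in for Tor's digest (assumption)."""
    return hmac.new(key, body, "sha256").digest()[:4]

class Circuit:
    """OP -> OR 1 -> OR 2, forward direction only."""
    def __init__(self):
        k1_op, k1_or = handshake()   # create c1 / created c1
        k2_op, k2_or = handshake()   # relay c1 {extend} -> create c2 -> created c2 -> {extended}
        self.k2_op, self.k2_or = k2_op, k2_or
        self.op1, self.op2 = Stream(k1_op), Stream(k2_op)   # OP holds both session keys
        self.or1, self.or2 = Stream(k1_or), Stream(k2_or)   # each OR holds only its own

    def op_send(self, body: bytes) -> bytes:
        inner = self.op2.xor(tag(self.k2_op, body) + body)  # {...}   layer for OR 2
        return self.op1.xor(inner)                          # {{...}} layer for OR 1

    def or1_forward(self, cell: bytes) -> bytes:
        return self.or1.xor(cell)                           # relay c1 -> relay c2

    def or2_receive(self, cell: bytes):
        plain = self.or2.xor(cell)
        received_tag, body = plain[:4], plain[4:]
        ok = hmac.compare_digest(received_tag, tag(self.k2_or, body))
        return body if ok else None                         # None: cell is dropped

def demo():
    c = Circuit()
    cell = c.op_send(b"begin website:80")
    at_or2 = c.or1_forward(cell)
    hidden_from_or1 = b"website" not in at_or2              # OR 1 still sees ciphertext
    delivered = c.or2_receive(at_or2)
    replayed = c.or2_receive(c.or1_forward(cell))           # same cell sent a second time
    c2 = Circuit()
    tampered = bytearray(c2.op_send(b"data HTTP GET /"))
    tampered[-1] ^= 0x01                                    # one bit flipped in transit
    tagged = c2.or2_receive(c2.or1_forward(bytes(tampered)))
    return hidden_from_or1, delivered, replayed, tagged

if __name__ == "__main__":
    print(demo())
```

The replayed cell is rejected because both ORs' keystream positions have already moved past the bytes it was encrypted with; the flipped bit survives decryption but no longer matches the tag.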

Tor Network — Attacks

Active Attacks (cont.):

- Smear attacks:
  Use Tor for socially disapproved acts, bring network into disrepute.
  Exit policies reduce abuse; strong exit-node operators.
- Distribute hostile code:
  Backdoored or broken Tor client or server software.
  Tor binaries are signed, Tor is open source.
  • Verify your version!
  • Audit Tor source code!
- Block access to Tor (censorship):
  IP addresses of directory servers are well-known.
  Tor offers bridge nodes which are protected from full enumeration.
  Steganographic protocols can be used to tunnel Tor traffic.

Tor Network — Attacks

De-anonymization by information leaks:

- DNS resolution: usually via UDP; use torsocks to handle.
- Browser-fingerprinting – user can be identified by:
  • browser plugins,
  • screen resolution,
  • system colors,
  • cookies,
  • DOM storage,
  • TLS session IDs,
  • page cache,
  • . . .
  Use the Tor Browser Bundle to handle.
- User data in the last hop;
  encrypt actual connection with, e.g., TLS.

Tails: Live CD/USB operating system preconfigured to use Tor safely.
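
How the DNS leak in the first bullet shows up at the SOCKS layer, as an added example (not from the lecture): a SOCKS5 CONNECT request either carries the hostname, so the name is resolved on the far side of the proxy, or a literal IP address that the application may already have looked up locally. The byte layout follows RFC 1928; the function names and sample hosts are constructed for illustration.

```python
import ipaddress
import struct

def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928) for host:port."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname length out of range")
        addr = b"\x03" + bytes([len(name)]) + name       # ATYP 3: name, resolved by the proxy side
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed   # ATYP 1/4: literal IP
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)            # VER, CMD=CONNECT, RSV

def parse_connect(req: bytes):
    """Return (kind, host, port); kind is 'hostname', 'ipv4' or 'ipv6'."""
    if len(req) < 5 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 3:
        size, start, kind = req[4], 5, "hostname"
    elif atyp == 1:
        size, start, kind = 4, 4, "ipv4"
    elif atyp == 4:
        size, start, kind = 16, 4, "ipv6"
    else:
        raise ValueError("unknown address type")
    raw, rest = req[start:start + size], req[start + size:]
    if len(raw) != size or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    host = raw.decode("ascii") if kind == "hostname" else str(ipaddress.ip_address(raw))
    return kind, host, struct.unpack("!H", rest)[0]

def possible_dns_leak(req: bytes) -> bool:
    """True when the request carries a literal IP, i.e. any name lookup happened before the proxy."""
    return parse_connect(req)[0] != "hostname"

if __name__ == "__main__":
    for target in [("example.com", 80), ("192.0.2.10", 443)]:   # constructed sample targets
        request = build_connect(*target)
        print(target, request.hex(), "possible DNS leak:", possible_dns_leak(request))
```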

Tor Network

Run exit nodes!

Run onion routers!

Run bridge nodes!