anonymous routing and mix nets (Tor)

Presentation transcript:

Anonymous routing and mix nets (Tor)
Yongdae Kim
A significant fraction of these slides are borrowed from CS155 at Stanford.

Anonymous web browsing
Why?
- Discuss health issues or financial matters anonymously
- Bypass Internet censorship in parts of the world
- Conceal interaction with gambling sites
- Law enforcement
Two goals:
- Hide user identity from target web site: (1), (4)
- Hide browsing pattern from employer or ISP: (2), (3)
Stronger goal: mutual anonymity (e.g. remailers)

Current state of the world I
ISPs tracking customer browsing habits:
- Sell information to advertisers
- Embed targeted ads in web pages (1.3%)
  Example: MetroFi (free wireless) [Web Tripwires: Reis et al. 2008]
Several technologies used for tracking at ISP: NebuAd, Phorm, Front Porch
- Bring together advertisers, publishers, and ISPs
- At ISP: inject targeted ads into non-SSL pages
Tracking technologies at enterprise networks: Vontu (Symantec), Tablus (RSA), Vericept

Current state of the world II
EU directive 2006/24/EC: 3 year data retention
For ALL traffic, requires EU ISPs to record:
- Sufficient information to identify endpoints (both legal entities and natural persons)
- Session duration
- … but not session contents
Make available to law enforcement
- … but penalties for transfer or other access to data
For info on US privacy on the net: "Privacy on the Line" by W. Diffie and S. Landau

Part 1: network-layer privacy
Goals:
- Hide user's IP address from target web site
- Hide browsing destinations from network

1st attempt: anonymizing proxy
[Diagram: User1, User2 and User3 connect over SSL to anonymizer.com using HTTPS://anonymizer.com?URL=target; anonymizer.com connects over HTTP to Web1, Web2 and Web3.]

Anonymizing proxy: security
- Monitoring ONE link: eavesdropper gets nothing
- Monitoring TWO links: eavesdropper can do traffic analysis
  More difficult if lots of traffic through proxy
- Trust: proxy is a single point of failure
  Can be corrupt or subpoenaed
  Example: The Church of Scientology vs. anon.penet.fi
- Protocol issues: long-lived cookies make connections to site linkable

How proxy works
- Proxy rewrites all links in response from web site
  Updated links point to anonymizer.com
  Ensures all subsequent clicks are anonymized
- Proxy rewrites/removes cookies and some HTTP headers
- Proxy IP address: if a single address, could be blocked by site or ISP
  anonymizer.com consists of >20,000 addresses
  Globally distributed, registered to multiple domains
  Note: Chinese firewall blocks ALL anonymizer.com addresses
- Other issues: attacks (click fraud) through proxy

2nd Attempt: MIX nets
Goal: no single point of failure

MIX nets [Chaum’81]
- Every router has public/private key pair
- Sender knows all public keys
To send packet:
- Pick random route: R2 → R3 → R6 → srvr
- Onion packet: Epk2( R3, Epk3( R6, Epk6( srvr, msg ) ) )
[Diagram: msg travels through the router network (R1, R2, R4, R6 labelled) to srvr.]

Eavesdropper’s view at a single MIX
- Eavesdropper observes incoming and outgoing traffic
- Crypto prevents linking input/output pairs
  Assuming enough packets in incoming batch
  If variable length packets then must pad all to max len
- Note: router is stateless
[Diagram: user1, user2 and user3 send a batch into router Ri.]

Performance
Main benefit:
- Privacy as long as at least one honest router on path
Problems:
- High latency (lots of public key ops)
  Inappropriate for interactive sessions
  May be OK for email (e.g. Babel system)
- No forward security
[Diagram: path R2, R3, R6, srvr.]

3rd Attempt: Tor
MIX circuit-based method
Goals: privacy as long as one honest router on path, and reasonable performance

The Tor design
- Trusted directory contains list of Tor routers
- User’s machine preemptively creates a circuit
  Used for many TCP streams
  New circuit is created once a minute
[Diagram: routers R1 to R6; stream1 reaches srvr1 over one circuit and, one minute later, stream2 reaches srvr2 over a new circuit.]

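Creating circuits
[Diagram: both links are TLS encrypted. "Create C1" with a D-H key exchange establishes K1 between the user and the first router. "Relay C1, Extend R2" is then passed on as "Extend R2", and a D-H key exchange establishes K2 between the user and R2.]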

Once circuit is created
- User has shared key with each router in circuit
- Routers only know ID of successor and predecessor
[Diagram: the user holds K1, K2, K3, K4; R1 holds K1, R2 holds K2, R3 holds K3, R4 holds K4.]

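Sending Data
[Diagram: message sequence over a circuit with keys K1 and K2.
 Outbound: Relay C1 (Begin site:80), then Relay C2 (Begin site:80), then TCP handshake with the site.
 Outbound: Relay C1 (data: HTTP GET), then Relay C2 (data: HTTP GET), then HTTP GET to the site.
 Return: resp from the site, then Relay C2 (data: resp), then Relay C1 (data: resp).]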
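The layered relay encryption implied by the circuit slides above, as an added example (not code from the slides or from Tor). The SHAKE-256 keystream and the HMAC tag are stand-ins for Tor's AES and running digest, the 509-byte cell size is an assumption, and all function names are hypothetical.

```python
import hashlib
import hmac

CELL = 509  # assumed fixed relay payload size, so every cell looks alike on the wire

def layer(key: bytes, seq: int, data: bytes) -> bytes:
    """Add or strip one layer by XOR with a keystream (illustrative stand-in for AES-CTR)."""
    ks = hashlib.shake_256(key + seq.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def build_cell(keys, seq, msg):
    """Client side: tag the cell for the last hop, pad it, then wrap one layer per hop."""
    body = len(msg).to_bytes(2, "big") + msg
    body += bytes(CELL - 6 - len(body))            # zero padding up to the fixed size
    tag = hmac.new(keys[-1], body, hashlib.sha256).digest()[:4]
    cell = b"\x00\x00" + tag + body                # "recognized" marker + integrity tag
    for k in reversed(keys):                       # innermost layer belongs to the last hop
        cell = layer(k, seq, cell)
    return cell

def relay_step(key, seq, cell):
    """Router side: strip one layer. Returns (msg, None) if the cell is for this hop,
    otherwise (None, cell_to_forward); a middle hop sees only ciphertext."""
    cell = layer(key, seq, cell)
    body = cell[6:]
    tag = hmac.new(key, body, hashlib.sha256).digest()[:4]
    if cell[:2] == b"\x00\x00" and hmac.compare_digest(cell[2:6], tag):
        n = int.from_bytes(body[:2], "big")
        return body[2:2 + n], None
    return None, cell

def send_through(keys, msg, seq=0):
    """Walk a cell along the circuit; returns (delivered msg or None, cell seen at each hop)."""
    cell = build_cell(keys, seq, msg)
    seen = []
    for k in keys:
        seen.append(cell)
        out, cell = relay_step(k, seq, cell)
        if out is not None:
            return out, seen
    return None, seen
```

Only the hop whose key produced the tag recognises the cell; a hop with the wrong key sees fixed-length ciphertext and nothing else.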

Complete View

Properties
Performance:
- Fast connection time: circuit is pre-established
- Traffic encrypted with AES: no pub-key on traffic
Tor crypto:
- Provides end-to-end integrity for traffic
- Forward secrecy via TLS
Downside:
- Routers must maintain state per circuit
- Each router can link multiple streams via CircuitID: all streams in one minute interval share same CircuitID

Privoxy
Tor only provides network level privacy
- No application-level privacy, e.g. mail progs add “From: email-addr” to outgoing mail
Privoxy:
- Web proxy for browser-level privacy
- Removes/modifies cookies
- Other web page filtering

Anonymity attacks: watermarking
Goal: R1 and R3 want to test if user is communicating with server
Basic idea:
- R1 and R3 share sequence: 1, 2, … , n  {-10,…,10}
- R1: introduce inter-packet delay to packets leaving R1 and bound for R2. Packet i delayed by i (ms)
- Detect signal at R3
[Diagram: path R1, R2, R3.]

Anonymity attacks: congestion
Main idea: R8 can send Tor traffic to R1 and measure load on R1
Exploit: malicious server wants to identify user
- Server sends burst of packets to user every 10 seconds
- R8 identifies when bursts are received at R1
- Follow packets from R1 to discover user’s ID
[Diagram: circuit R1, R2, R3, with R8 probing R1.]

Tor: hidden services (server-side)
HiddenServiceID.onion, ex) facebookcorewwwi.onion
(1) Hidden service ID (HID): Base32_encode(First 10 bytes of SHA-1(new 1024-bit RSA public key))
(2) Randomly select 3 Tor relays to use as introduction points
[Diagram: Bob (xyz.onion), a Tor hidden service behind an Onion Proxy; introduction points IP1, IP2, IP3 inside the Tor network; Alice (Tor client).]
Source: https://www.torproject.org/docs/hidden-services.html.en

Tor: hidden services (server-side)
Steps 3 and 4 are done hourly!
(3) Obtain the consensus list of hidden service directories (HSDirs) from the directory authorities.
(4) Create the service descriptor.
    Hidden Service Descriptor: [Descriptor ID + its public key + Introduction Points (IPs)] signed by its private key
(5) Upload the service descriptor to the corresponding HSDirs (to a set of 6 HSDirs via a 3-hop circuit). Details are explained on the next slide.
[Diagram: Bob (Tor hidden service) uploads to relays flagged HSDir=1; introduction points IP1, IP2, IP3 inside the Tor network; Alice (Tor client).]
Sources: https://www.torproject.org/docs/hidden-services.html.en and Donncha O’Cearbhaill’s blog post (Trawling Tor Hidden Service)

Tor: hidden services (server-side)
HS descriptor ID (fingerprint) computation:
  hs-descriptor-id = SHA1( permanent-id || SHA1( time-period || replica ) )
- Permanent-id: first 80 bits (10 bytes) of SHA1(public key)
- Time period: (current-time + permanent-id-byte * 86400 / 256) / 86400
- Permanent-id-byte: first unsigned byte of perm-id
- Replica: which set of HSDirs
Example) facebookcorewwwi.onion
  descriptor-id = SHA1( facebookcorewwwi || SHA1(16583 || 0) )
                  SHA1( facebookcorewwwi || SHA1(16583 || 1) )
  replica 0: ys5pml4c6txpw5hnq5v4zn2htytfejf2
  replica 1: fq7r4ki5uwcxdxibdl7b7ndvf2mvw2k2
A simple Distributed Hash Table (DHT):
  Upload the service descriptor to the 3 HSDir Tor relays closest to the descriptor ID position (for each replica)!
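The descriptor-ID computation and HSDir selection from the slide above, as an added example (not code from the slides or from Tor). Assumptions not stated on the slide: the time period is hashed as 4 big-endian bytes and the replica as 1 byte, "closest" means the next three fingerprints on the ring, and the relay fingerprints are constructed sample values; function names are hypothetical.

```python
import base64
import bisect
import hashlib

def permanent_id(onion: str) -> bytes:
    """16-character .onion label -> 10-byte permanent-id (first 80 bits of SHA1(pubkey))."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 16:
        raise ValueError("expected a 16-character onion label")
    return base64.b32decode(label.upper())

def time_period(now: int, perm_id: bytes) -> int:
    # Slide formula; the per-service offset spreads descriptor rollover across the day.
    return (now + perm_id[0] * 86400 // 256) // 86400

def descriptor_id(perm_id: bytes, period: int, replica: int) -> bytes:
    # Assumed encoding: 4-byte big-endian period, 1-byte replica.
    inner = hashlib.sha1(period.to_bytes(4, "big") + bytes([replica])).digest()
    return hashlib.sha1(perm_id + inner).digest()

def b32(raw: bytes) -> str:
    return base64.b32encode(raw).decode().lower()

def responsible_hsdirs(desc_id: bytes, fingerprints, n: int = 3):
    """The n relays whose 20-byte fingerprints follow desc_id on the ring (wraps around)."""
    ring = sorted(fingerprints)
    start = bisect.bisect_left(ring, desc_id)
    return [ring[(start + i) % len(ring)] for i in range(min(n, len(ring)))]

# Constructed sample HSDir fingerprints (not real relays).
SAMPLE_HSDIRS = [hashlib.sha1(b"constructed-relay-%d" % i).digest() for i in range(12)]

def lookup(onion: str, now: int) -> dict:
    """For each replica: (base32 descriptor-id, hex fingerprints of the responsible HSDirs)."""
    pid = permanent_id(onion)
    period = time_period(now, pid)
    result = {}
    for replica in (0, 1):
        did = descriptor_id(pid, period, replica)
        dirs = responsible_hsdirs(did, SAMPLE_HSDIRS)
        result[replica] = (b32(did), [fp.hex() for fp in dirs])
    return result
```

Because every input is public, anyone who knows the .onion name can predict which relays will hold its descriptor in a given period; the byte encodings are the assumption to check if output differs from the slide's replica values.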

Tor: hidden services (client-side)
- Compute the hs-descriptor-id of xyz.onion and, in the same way as explained on the previous slide, identify the HSDirs that store the service's descriptor.
- Download the service descriptor of xyz.onion from those HSDirs to learn the hidden service's public key and introduction points (IP).
[Diagram: Alice (Tor client) wants to go to xyz.onion and queries the relays flagged HSDir=1, each holding a descriptor DB; Bob (xyz.onion, Tor hidden service); introduction points IP1, IP2, IP3 inside the Tor network.]
Source: Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful

Tor: hidden services (client-side)
(3) Generate a one-time secret (cookie).
(4) Select a random Tor relay to use as the rendezvous point (by sending the cookie).
(5) After building a Tor circuit to that rendezvous point,
(6) create an introduce message (cookie & addr. of RP) and send it to the introduction points (IP).
(7) The IP forwards the message to Bob.
[Diagram: Alice (Tor client) wants to go to xyz.onion; she sends the cookie to the rendezvous point (RP) and the introduce message to IP1, IP2, IP3; Bob (xyz.onion, Tor hidden service); all inside the Tor network.]
Source: Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful

Tor: hidden services (client-side)
(6) Bob decrypts the introduce message using his own public key and obtains the address of the rendezvous point (RP) and the cookie.
(7) Bob builds a Tor circuit to the RP, connects, and sends a rendezvous message (including the cookie).
(8) After authentication, the RP simply relays the messages between Alice and Bob (end-to-end encrypted).
[Diagram: Alice (Tor client) wants to go to xyz.onion; Bob (xyz.onion, Tor hidden service) sends the cookie to the rendezvous point (RP); introduction points IP1, IP2, IP3; all inside the Tor network.]
Source: Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful