Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013
Overview
What is Tor? Tor is a system for anonymous communication and censorship circumvention.
What is Tor? Tor is based on onion routing. UsersDestinationsOnion Routers
What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.
What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.
What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.
What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing. Unencrypted
Motivation
Why Tor? Individuals avoiding censorship Individuals avoiding surveillance Journalists protecting themselves or sources Law enforcement during investigations Intelligence analysts for gathering data
Why Tor? Over daily users 2.4GiB/s aggregate traffic Over 4000 relays in over 80 countries
Tor History 1996: “Hiding Routing Information” by David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Information Hiding: First International Workshop. 1997: "Anonymous Connections and Onion Routing," Paul F. Syverson, David M. Goldschlag, and Michael G. Reed. IEEE Security & Privacy Symposium. 1998: Distributed network of 13 nodes at NRL, NRAD, and UMD. 2000: “Towards an Analysis of Onion Routing Security” by Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability. 2003: Tor network is deployed (12 US nodes, 1 German), and Tor code is released by Roger Dingledine and Nick Mathewson under the free and open MIT license. 2004: “Tor: The Second-Generation Onion Router” by Roger Dingledine, Nick Mathewson, and Paul Syverson. USENIX Security Symposium. 2006: The Tor Project, Inc. incorporated as a non-profit.
Tor Today Funding levels at $1-2 million (current and former funders include DARPA, NSF, US State Dept., SIDA, BBG, Knight Foundation, Omidyar Network, EFF) The Tor Project, Inc. employs a small team for software development, research, funding management, community outreach, and user support Much bandwidth, research, development, and outreach still contributed by third parties
Other anonymous communication designs and systems Single-hop anonymous proxies: anonymizer.com, anonymouse.org Dining Cryptographers network: Dissent, Herbivore Mix networks: MixMinion, MixMaster, BitLaundry Onion routing: Crowds, Java Anon Proxy, I2P, Aqua, PipeNet, Freedom Others: Anonymous buses, XOR trees,
Security Model
Threat Model Adversary is local and active.
Threat Model Adversary is local and active. Not global
Threat Model Adversary is local and active. Adversary may run relays
Threat Model Adversary is local and active. Adversary may run relays Destination may be malicious
Threat Model Adversary is local and active. Adversary may run relays Destination may be malicious Adversary may observe some ISPs
Security Definitions Identity is primarily IP address but can include other identifying information Sender anonymity: Connection initiator cannot be determined Receiver anonymity: Connection recipient cannot be determined Unobservability: It cannot be determined who is using the system.
Design
General Tor Functionality Provides connection-oriented bidirectional communication Only makes TCP connections Provides standard SOCKS interface to applications Provides application-specific software for some popular applications (e.g. HTTP)
Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)
Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)
Exit Circuits
1.Client learns about relays from a directory server.
Exit Circuits 1.Client learns about relays from a directory server. Centralized, point of failure
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard.
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. Only guards directly observe client
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies.
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit.
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. Different streams on circuit can be linked.
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. 5.New circuits replace existing ones periodically.
Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. 5.New circuits replace existing ones periodically. Circuits creation protects anonymity with respect to all but sender
Creating a Circuit u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit [0,CREATE, g x1 ] 1.CREATE/CREATED u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit [0,CREATED, g y1 ] 1.CREATE/CREATED u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{[EXTEND,2, g x2 ]} s1 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATE, g x2 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATED, g y2 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{EXTENDED} s1 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{[EXTEND,3,g x3 ]} s2 } s1 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] u123 [l 1,{[EXTEND,3,g x3 ]} s2 ] 15 {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATE,g x3 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATED,g y3 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 1,{EXTENDED,g y3 } s2 ] u {m} s i : Encrypted using the DH session key g xiyi
Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{EXTENDED,g y3 } s2 } s1 ] u {m} s i : Encrypted using the DH session key g xiyi
Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)
Hidden Services HS User wants to hide service
Hidden Services IP HS chooses and publishes introduction point IP HS HS chooses and publishes introduction point (IP) guard
Hidden Services guard IP HS Learns about HS on web Learns about HS on web (.onion address)
Hidden Services guard IP HS Client looks up IP at a Hidden Service Directory using.onion address guard
Hidden Services guard IP HS RP Client builds circuit to chosen Rendezvous Point (RP)
guard Hidden Services guard IP HS Notifies HS of RP through IP RP guard RP Notifies HS of RP through IP
guard Hidden Services guard IP HS RP
guard Hidden Services guard IP HS RP guard Build new circuit to RP
guard Hidden Services guard IP HS RP guard Communicate
Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)
Blocking Tor Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length
Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Tor bridges are kept private, released via – CAPTCHA – request – Personal communication
Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Pluggable transports obfsproxy3 makes protocol look like strings of random bits Flash proxies use transient web clients over WebSockets
Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Not observed to be a problem currently – ScrambleSuit: randomized lengths – StegoTorus: Steganographic HTTP – SkypeMorph/FreeWave; Steganographic VOIP
Blocking Tor Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Countries have manpower to enumerate bridges Network surveillance used to detect possible Tor connections, followup scans confirm
Attacks
Attacks on Tor Correlation attack Guard compromise Bandwidth manipulation Congestion/throughput attack Latency attack Application-layer attacks DoS attacks
68 Correlation Attack
69 Correlation Attack
70 Correlation Attack
71 Correlation Attack
72 Correlation Attack
73 Node Adversary Controls a fixed allotment of relays based on bandwidth budget We assume adversary has 100 MiB/s – comparable to large family of relays Adversaries apply 5/6th of bandwidth to guard relays and the rest to exit relays. (We found this to be the most effective allocation we tested.)
Time to first compromised circuit October 2012 – March % of clients use a compromised circuit in less than 70 days
Attacks on Tor Correlation/throughput attack Guard compromise Bandwidth manipulation Congestion attack Latency attack Application-layer attacks DoS attacks