1. Guard Sets for Onion Routing JOSHUA FREE

2. Tor Most popular low-latency distributed anonymity network Controversial decisions of guard selection strategies

3. Tor - Circuit Pick a guard node Pick a relay node Pick an exit node Image Source - Harrison Neal: HANtwister talk

4. Tor - Circuit Creates a circuit of nodes Every node only knows about previous and next node Image Source - Harrison Neal: HANtwister talk

5. Guard Selection Three guard Users chooses 3 guards to use for 30-60 days Single guard Users choose a single guard to use for 9 months Controversial which system should be used Image Source - Scribblenauts

6. Vulnerabilities Direct Observation ◦A corrupt guard node with a few corrupt exit relays will be able identify at least one circuit from a particular user Guard Fingerprinting ◦Aims to identify the set of guards used by a user ◦Because users pick their own guards, the set is likely to be unique Statistic Disclosure Attack ◦In case a guard, or set of guards, are only used by a small number of users, it is possible to link their patterns of actions to long term identifiers

7. Paper’s Contribution Present a design for “guard sets” ◦Sets of relays providing a certain amount of bandwidth that are used as a group by multiple users ◦Provides near optimal spread ◦Protecting against attacks current guard schemes are susceptible to Design an algorithm ◦Automates the assignment of guards to guard sets and to users ◦Based on a binary tree structure ◦Considers the dynamic conditions of Tor with routers joining and leaving continuously

8. How to make Guard Sets - Setup 1.Split guards into available bandwidth quanta (a guard can be slit into multiple quanta) 2.Sort quanta in descending order according to their guard bandwidth 3.Cycle through each quantum appending them to a set 4.Once the sum of quantum bandwidths exceed the threshold, it is now a guard set 5.Continue with remaining quanta If there is left over quanta after creating guard sets this quanta is discarded and the bandwidth is wasted.

9. How to make Guard Sets - Upkeep 1.Detect guard sets with bandwidth below a threshold (typically ½ creation threshold) 2.Order any spare quanta in descending order and append to the guard set until it meets threshold 3.If it meets the threshold the guard set is ok 4.If threshold cannot be met, remove the guard set and make quanta available for other guard sets

10. How this combats known attacks Direct Observation ◦Having no rotation means few clients come in contact with malicious guard nodes ◦Having a larger sets means rotation is not needed if a router is non-responsive Guard Fingerprinting ◦Large sets of users using the same sets of guards stops fingerprinting Statistic Disclosure Attack ◦Large and roughly equal sets of users prevents statistical attacks on the basis of discovering a user’s guards.

11. Affect on the Tor network Rotation vs spread of load ◦Previous methods had to deal with this compromise: 1.Increase rotation and spread the load amongst old and new guards but increase rate of compromise 2.Decrease rotation and decrease rate of compromise but increase the difference in load between old and new guards ◦Not an issue for guard sets

12. Evaluation - Anonymity A user is considered compromised if it ever uses a corrupt guard 1 year of data starting 1 st of January 2013 Probabilities of guards serving in a number of guard sets before going offline ◦1 set is 95% ◦2 sets is 3% ◦3 sets is 2% This provides greater anonymity than other schemes

13. Evaluation - Fingerprinting Single Guard ◦Clients using new guards have a guard that is almost unique to them Three Guards ◦Worse than Single Guard, virtually all users have unique sets of guards. The most likely set have an expected 4.7 users – most users have unique guards Guard Sets ◦On average there will be 108 guard sets with 25,463 users for each set ◦Worst case scenario a set will have 795 users Guard sets prove vastly more effective against finger printing

14. Evaluation – Network performance Guard set creation and deletion ◦By analysing tor data the authors found that guard set deletion due to bandwidth changes over short periods of time will happen infrequently. Client’s expected bandwidth ◦80% of clients have same experience as with single guard ◦90% of clients have sub 75MB/s vs 85% in one guard ◦Both single guard and guard sets are worse than three guard ◦Upon initialising (all guard sets have equal load) guard sets perform slightly worse than single guards

15. Criticisms ◦They went into detail about the effects on guard fingerprinting, but were relatively vague when it came to statistical analysis and direct observation ◦Their initial assumption that any client that uses a corrupt guard node is immediately compromised makes for upper bound estimates ◦There was a large increase in available guard bandwidth in late 2013. They commented on this to justify their adaptive design, but did not take it into consideration as to how it may have skewed their data.

16. Thank you