Aaron Johnson U.S. Naval Research Laboratory [email protected]

Aaron JohnsonU.S. Naval Research [email protected]

CSci 6545George Washington University

11/18/2013

Overview

What is Tor?

Tor is a system for anonymous communication and censorship circumvention.

What is Tor?

Tor is based on onion routing.

Users DestinationsOnion Routers

What is Tor?



What is Tor?



What is Tor?



What is Tor?



Unencrypted

Motivation

Why Tor?

• Individuals avoiding censorship

• Individuals avoiding surveillance

• Journalists protecting themselves or sources

• Law enforcement during investigations

• Intelligence analysts for gathering data

Why Tor?

• Over 500000 daily users• 2.4GiB/s aggregate traffic

• Over 4000 relays in over 80 countries

Tor History1996: “Hiding Routing Information” by David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Information Hiding: First International Workshop.1997: "Anonymous Connections and Onion Routing," Paul F. Syverson, David M. Goldschlag, and Michael G. Reed. IEEE Security & Privacy Symposium.1998: Distributed network of 13 nodes at NRL, NRAD, and UMD.2000: “Towards an Analysis of Onion Routing Security” by Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landweh r. Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability.2003: Tor network is deployed (12 US nodes, 1 German), and Tor code is released by Roger Dingledine and Nick Mathewson under the free and open MIT license.2004: “Tor: The Second-Generation Onion Router” by Roger Dingledine, Nick Mathewson, and Paul Syverson. USENIX Security Symposium.2006: The Tor Project, Inc. incorporated as a non-profit.

Tor Today• Funding levels at $1-2 million (current and

former funders include DARPA, NSF, US State Dept., SIDA, BBG, Knight Foundation, Omidyar Network, EFF)

• The Tor Project, Inc. employs a small team for software development, research, funding management, community outreach, and user support

• Much bandwidth, research, development, and outreach still contributed by third parties

Other anonymous communication designs and systems

• Single-hop anonymous proxies: anonymizer.com, anonymouse.org

• Dining Cryptographers network: Dissent, Herbivore

• Mix networks: MixMinion, MixMaster, BitLaundry

• Onion routing: Crowds, Java Anon Proxy, I2P, Aqua, PipeNet, Freedom

• Others: Anonymous buses, XOR trees,

Security Model

Threat Model

Adversary is local and active.

Threat Model

Adversary is local and active.

Not global

Threat Model

Adversary is local and active.• Adversary may run relays

Threat Model

Adversary is local and active.• Adversary may run relays• Destination may be malicious

Threat Model

Adversary is local and active.• Adversary may run relays• Destination may be malicious• Adversary may observe some ISPs

Security Definitions

• Identity is primarily IP address but can include other identifying information

• Sender anonymity: Connection initiator cannot be determined

• Receiver anonymity: Connection recipient cannot be determined

• Unobservability: It cannot be determined who is using the system.

Design

General Tor Functionality

• Provides connection-oriented bidirectional communication

• Only makes TCP connections• Provides standard SOCKS interface to

applications• Provides application-specific software for

some popular applications (e.g. HTTP)

Tor Protocols

1. Exit circuits (anonymity wrt all but sender)2. Hidden services (anonymity wrt all)3. Censorship circumvention (unobservability)

Tor Protocols


Exit Circuits

Exit Circuits

1. Client learns about relays from a directory server.

Exit Circuits

1. Client learns about relays from a directory server.

Centralized, point of failure

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.

Only guards directly observe client

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.

Different streams on circuit can be linked.

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.5. New circuits replace existing ones periodically.

Exit Circuits

1. Client learns about relays from a directory server.2. Clients begin all circuits with a selected guard.3. Relays define individual exit policies.4. Clients multiplex streams over a circuit.5. New circuits replace existing ones periodically.

Circuits creation protects anonymity with respect to all but sender

Creating a Circuit

u 1 2 3

13

{m}si: Encrypted using the DH session key gxiyi

Creating a Circuit

[0,CREATE, gx1]

1. CREATE/CREATED

u 1 2 3

13


Creating a Circuit

[0,CREATED, gy1]

1. CREATE/CREATED

u 1 2 3

13


Creating a Circuit

1. CREATE/CREATED

u 1 2 3

13


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[0,{[EXTEND,2, gx2]}s1]

u 1 2 3

14


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[l1,CREATE, gx2]

u 1 2 3

14


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[l1,CREATED, gy2]u 1 2 3

14


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[0,{EXTENDED}s1]u 1 2 3

14


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

3. [Repeat with layer of encryption]

[0,{{[EXTEND,3,gx3]}s2}s1]

u 1 2 3

15


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


u 1 2 3[l1,{[EXTEND,3,gx3]}s2]

15


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l2,CREATE,gx3]

u 1 2 3

15


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l2,CREATED,gy3]u 1 2 3

15


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l1,{EXTENDED,gy3}s2]u 1 2 3

15


Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[0,{{EXTENDED,gy3}s2}s1]u 1 2 3

15


Tor Protocols


Hidden Services

HS

User wants to hide serviceUser wants to hide

service

Hidden Services

IP

HS chooses and publishes

introduction point IP

HS

HS chooses and publishes introduction

point (IP)

guard

Hidden Services

guard IP

HS

Learns about HS on web

Learns about HS on web (.onion address)

Hidden Services

guard IP

HS

Client looks up IP at a Hidden Service Directory using .onion address

guard

guard

Hidden Services

guard IP

HS

RP

Client builds circuit to chosen Rendezvous Point (RP)

guard

Hidden Services

guard IP

HS

Notifies HS of RP through IP

RP

guard

RP

Notifies HS of RP through IP

guard

Hidden Services

guard IP

HS

RP

RP

guard

Hidden Services

guard IP

HS

RP

guard

Build new circuit to RP

guard

Hidden Services

guard IP

HS

RP

guard

Communicate

Tor Protocols


Blocking Tor

• Tor directory and relay IPs are public

• Tor connections are made over TLS

• Tor cells have a fixed length




Blocking Tor

• Tor bridges are kept private, released via– CAPTCHA– Email request– Personal communication




Blocking Tor

Pluggable transports • obfsproxy3 makes

protocol look like strings of random bits

• Flash proxies use transient web clients over WebSockets




Blocking Tor

• Not observed to be a problem currently– ScrambleSuit: randomized

lengths– StegoTorus:

Steganographic HTTP– SkypeMorph/FreeWave;

Steganographic VOIP

Blocking Tor




• Countries have manpower to enumerate bridges

• Network surveillance used to detect possible Tor connections, followup scans confirm

Attacks

Attacks on Tor

• Correlation attack• Guard compromise• Bandwidth manipulation• Congestion/throughput attack• Latency attack• Application-layer attacks• DoS attacks

68

Correlation Attack

69

Correlation Attack

70

Correlation Attack

71

Correlation Attack

72

Correlation Attack

73

Node AdversaryControls a fixed allotment of relays based on bandwidth budget

• We assume adversary has 100 MiB/s – comparable to large family of relays

• Adversaries apply 5/6th of bandwidth to guard relays and the rest to exit relays. (We found this to be the most effective allocation we tested.)

74

Time to first compromised circuitOctober 2012 – March 2013

50% of clients use a compromised circuit in less than 70 days

Attacks on Tor

• Correlation/throughput attack• Guard compromise• Bandwidth manipulation• Congestion attack• Latency attack• Application-layer attacks• DoS attacks

Documents

Aaron Johnson U.S. Naval Research Laboratory [email protected]