Transcript slides

Tor: The SecondGeneration Onion Router
Authors: Roger Dingledine, Nick Mathewson, Paul Syverson
Presented by: Alexander Truong
Anonymous Communication Systems
▪ Relay based (Chaum’s Mix-Net)
▪ High-latency
▪ Babel, Mix-master, Mixminion
▪ Resistant to global adversary
▪ E-mail
▪ Low-latency
▪ Tor, Anonymizer, Java Anon Proxy, PipeNet, Freedom
▪ Vulnerable to timing attacks and volume analysis
▪ E-mail, chat, SSH, web browsing
Onion Routing
▪ Onion routing dates back to 1996
▪ Anonymizes TCP applications
▪ Volunteer-based Onion Routers (OR)
▪ Security Objective: Relationship Unlinkability, Message Unlinkability w.r.t. subject
PKA(PKB(PKC(M) + C) + AB)
PKB(PKC(M) + AC)
PKC(M)
Message M
S
A
B
C
Tor design improvements
▪ Security
▪ Perfect forward secrecy; Removed mixing, padding, traffic shaping;
Hidden services via rendezvous points; End-to-end integrity checking;
Leaky-pipe circuit topology
▪ Efficiency
▪ TCP stream multiplexing; Congestion control; Directory servers
▪ Usability
▪ SOCKS proxy interface; Exit policies
Design Goals of Tor
▪ Practical to deploy: low bandwidth, smear-resistant, easy to implement
▪ Easy to use: Minimal application modification, configuration, delay
▪ Security requirement: Difficult to use → Less users → Less anonymity
▪ Well-understood, simple design to facilitate implementation and security analysis
▪ Flexible for future testing and research
Threat Model
▪ Tor does not protect against a strong global adversary
▪ Focus on traffic analysis attacks
▪ We assume the adversary can
▪ observe a fraction of network traffic
▪ generate, modify, delete, delay traffic
▪ operate onion routers
▪ compromise onion routers
Tor
▪ Overlay network: operates in user space without elevated privileges
▪ Operators deploy Onion Routers (OR)
▪ maintains a TLS connection to every other OR
▪ Users run Onion Proxies (OP)
▪ fetch directories, create circuits across network, multiplexes TCP streams to circuits
▪ Directory servers
▪ Cells (packets)
▪ Circuits and streams
Directory Servers
▪ Trusted servers called directory servers maintain a directory of ORs and their
identity key.
▪ Clients fetch a trusted directory if it is signed by threshold of directory servers
▪ In previous onion routing designs, ORs flooded the network to update network
status
▪ Adversary can exploit differences in network views caused by delays
Onion Router
▪ Long-term identity key
▪ Sign TLS certs, router descriptor, sign directories
▪ Short-term onion key
▪ Decrypt user circuit requests
▪ Negotiate short-term keys
▪ Rotated periodically
Cells
▪ 512 bytes of header + payload
▪ Control Cells
▪ padding, create[d], destroy
▪ Relay Cells
▪ data, begin/connected, end, teardown,
extend[ed], truncate[d], sendme, drop
▪ 128-bit AES counter mode, stream
cipher
Relay Cells
▪ Sending a relay cell to OR3
1. OP assigns a digest, then encrypts the relay cell K1(K2(K3(Relay Cell)))
2. OR1 and OR2 decrypts, checks the digest, finds an invalid digest, and passes the cell
onto the next OR
3. OR3 decrypts and finds a valid digest and processes the cell
▪ OP can send to any OR on the circuit, enabling a leaky pipe topology
Circuits
▪ Efficient circuit usage: circuits are shared by
multiple TCP streams
▪ Low delay: circuits are constructed
preemptively
TCP streams
Circuits
▪ Minimal user impact: circuits are created in
the background
HTTP1
C1
HTTP2
C2
▪ Reduce linkability
SSH1
▪ periodically create new circuits
IRC1
▪ expire unused or old circuits
XYZ1
Circuit Construction
▪ Negotiate symmetric key using Diffie-Hellman with each OR in the circuit
▪ OP uses “create”, “created”, “relay extend”, “relay extended” cells to create a
circuit.
OP
OR1
OR2
(create, 𝐸(𝑃𝐾1 , 𝑔 𝑥1 ))
(created, 𝑔 𝑦1 |𝐻(𝑔 𝑥1𝑦1 ))
(relay extend, 𝐸(𝐾1 , 𝑂𝑅2 |𝐸(𝑃𝐾2 , 𝑔 𝑥2 )))
(create, 𝐸(𝑃𝐾2 , 𝑔 𝑥2 )))
(created, 𝑔 𝑦2 |𝐻(𝑔 𝑥2𝑦2 ))
(relay extended, 𝑔 𝑦2 |𝐻(𝑔 𝑥2𝑦2 ))
TCP connections
▪ An application requests the OP’s SOCKS
interface to create a TCP connection
▪ OP uses relay commands to open TCP
streams and exit nodes
Application
TCP traffic
SOCKS proxy interface
▪ Some applications resolve a hostname
before connecting to Tor
▪ Privoxy filters HTTP requests and skips DNS
resolution
Onion Proxy
Relay cells
Circuit
Location-hidden service
▪ Service can be offered without revealing IP address
▪ Filter incoming requests
▪ Protect against DDoS
▪ Maintain pseudonymity
▪ HS able to migrate IPs
▪ Smear-resistance for rendezvous points
▪ Users are not required to modify applications
Introduction points
▪ A hidden service (HS) advertises
introduction points (IP) on a lookup
service, signed with the owner’s public
key.
HS
▪ Many IPs must be created to resist DoS
attacks
IP
IP
Tor network
IP
Rendezvous Point Set Up
1. OP sets up a circuit with
Rendezvous Point (RP) with a
rendezvous cookie
(2)
OP
IP
(3)
HS
(1)
2. OP contacts IP with RP,
rendezvous cookie, and DH
handshake half
RP
3. IP sends to HS
4. HS creates circuit to RP with
cookie and completed DH
handshake
OP
RP
(4)
HS
Integrity checking
▪ TLS protects against external adversary
▪ OP creates a SHA-1 digest with each node in the circuit to protect against internal
adversary
▪ Initial digest of shared key
▪ Incrementally add to digest
▪ Contents of all relay cells each node created
▪ First 4 bytes of the current digest
▪ To modify a cell, adversary must deduce digest from all traffic and shared key
Limiting bandwidth
▪ Tor limits incoming bytes over a long-term average
▪ Uses the token bucket algorithm
▪ Circuit-level throttling
▪ Uses a packaging window and delivery window
▪ Packaging or delivering a cell decrements the corresponding window
▪ Relay sendme increments a window
▪ When packaging window is 0, OR stops reading until receiving a relay sendme
▪ Stream-level throttling
▪ Similar to circuit-level throttling, has a packaging window and delivery window
▪ Sends relay sendme only when bytes are flushed to TCP stream
Exit policies
▪ Potential abuse of the Tor network deters deployment
▪ Onion Router operators may be mistaken for users abusing the network
▪ Exit policies allow operators to restrict/filter traffic to prevent abuse
Attacks
▪ Passive
▪ Observe network edges for entering and exiting traffic to analyze timing, volume, userselected options
▪ Active attacks
▪ Attack trustworthy routers; Perform illegal activities (smear) on reliable routers
▪ Deny service to users, then observe effect on network
▪ Directory attacks
▪ Subvert directory servers; Trick servers to list a compromised OR
▪ Rendezvous attacks
▪ Attack/flood introduction points
Future Research
▪ More scalable design, more anonymity and supports more users
▪ Effectiveness of padding links
▪ Incremental updates from directory servers
Questions?