Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.

Similar presentations


Presentation on theme: "Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013."— Presentation transcript:

1 Aaron Johnson U.S. Naval Research Laboratory aaron.m.johnson@nrl.navy.mil CSci 6545 George Washington University 11/18/2013

2 Overview

3 What is Tor? Tor is a system for anonymous communication and censorship circumvention.

4 What is Tor? Tor is based on onion routing. UsersDestinationsOnion Routers

5 What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.

6 What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.

7 What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing.

8 What is Tor? UsersDestinationsOnion Routers Tor is based on onion routing. Unencrypted

9 Motivation

10 Why Tor? Individuals avoiding censorship Individuals avoiding surveillance Journalists protecting themselves or sources Law enforcement during investigations Intelligence analysts for gathering data

11 Why Tor? Over 500000 daily users 2.4GiB/s aggregate traffic Over 4000 relays in over 80 countries

12 Tor History 1996: “Hiding Routing Information” by David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Information Hiding: First International Workshop. 1997: "Anonymous Connections and Onion Routing," Paul F. Syverson, David M. Goldschlag, and Michael G. Reed. IEEE Security & Privacy Symposium. 1998: Distributed network of 13 nodes at NRL, NRAD, and UMD. 2000: “Towards an Analysis of Onion Routing Security” by Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability. 2003: Tor network is deployed (12 US nodes, 1 German), and Tor code is released by Roger Dingledine and Nick Mathewson under the free and open MIT license. 2004: “Tor: The Second-Generation Onion Router” by Roger Dingledine, Nick Mathewson, and Paul Syverson. USENIX Security Symposium. 2006: The Tor Project, Inc. incorporated as a non-profit.

13 Tor Today Funding levels at $1-2 million (current and former funders include DARPA, NSF, US State Dept., SIDA, BBG, Knight Foundation, Omidyar Network, EFF) The Tor Project, Inc. employs a small team for software development, research, funding management, community outreach, and user support Much bandwidth, research, development, and outreach still contributed by third parties

14 Other anonymous communication designs and systems Single-hop anonymous proxies: anonymizer.com, anonymouse.org Dining Cryptographers network: Dissent, Herbivore Mix networks: MixMinion, MixMaster, BitLaundry Onion routing: Crowds, Java Anon Proxy, I2P, Aqua, PipeNet, Freedom Others: Anonymous buses, XOR trees,

15 Security Model

16 Threat Model Adversary is local and active.

17 Threat Model Adversary is local and active. Not global

18 Threat Model Adversary is local and active. Adversary may run relays

19 Threat Model Adversary is local and active. Adversary may run relays Destination may be malicious

20 Threat Model Adversary is local and active. Adversary may run relays Destination may be malicious Adversary may observe some ISPs

21 Security Definitions Identity is primarily IP address but can include other identifying information Sender anonymity: Connection initiator cannot be determined Receiver anonymity: Connection recipient cannot be determined Unobservability: It cannot be determined who is using the system.

22 Design

23 General Tor Functionality Provides connection-oriented bidirectional communication Only makes TCP connections Provides standard SOCKS interface to applications Provides application-specific software for some popular applications (e.g. HTTP)

24 Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)

25 Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)

26 Exit Circuits

27 1.Client learns about relays from a directory server.

28 Exit Circuits 1.Client learns about relays from a directory server. Centralized, point of failure

29 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard.

30 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. Only guards directly observe client

31 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies.

32 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit.

33 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. Different streams on circuit can be linked.

34 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. 5.New circuits replace existing ones periodically.

35 Exit Circuits 1.Client learns about relays from a directory server. 2.Clients begin all circuits with a selected guard. 3.Relays define individual exit policies. 4.Clients multiplex streams over a circuit. 5.New circuits replace existing ones periodically. Circuits creation protects anonymity with respect to all but sender

36 Creating a Circuit u123 13 {m} s i : Encrypted using the DH session key g xiyi

37 Creating a Circuit [0,CREATE, g x1 ] 1.CREATE/CREATED u123 13 {m} s i : Encrypted using the DH session key g xiyi

38 Creating a Circuit [0,CREATED, g y1 ] 1.CREATE/CREATED u123 13 {m} s i : Encrypted using the DH session key g xiyi

39 Creating a Circuit 1.CREATE/CREATED u123 13 {m} s i : Encrypted using the DH session key g xiyi

40 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{[EXTEND,2, g x2 ]} s1 ] u123 14 {m} s i : Encrypted using the DH session key g xiyi

41 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATE, g x2 ] u123 14 {m} s i : Encrypted using the DH session key g xiyi

42 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATED, g y2 ] u123 14 {m} s i : Encrypted using the DH session key g xiyi

43 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{EXTENDED} s1 ] u123 14 {m} s i : Encrypted using the DH session key g xiyi

44 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{[EXTEND,3,g x3 ]} s2 } s1 ] u123 15 {m} s i : Encrypted using the DH session key g xiyi

45 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] u123 [l 1,{[EXTEND,3,g x3 ]} s2 ] 15 {m} s i : Encrypted using the DH session key g xiyi

46 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATE,g x3 ] u123 15 {m} s i : Encrypted using the DH session key g xiyi

47 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATED,g y3 ] u123 15 {m} s i : Encrypted using the DH session key g xiyi

48 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 1,{EXTENDED,g y3 } s2 ] u123 15 {m} s i : Encrypted using the DH session key g xiyi

49 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{EXTENDED,g y3 } s2 } s1 ] u123 15 {m} s i : Encrypted using the DH session key g xiyi

50 Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)

51 Hidden Services HS User wants to hide service

52 Hidden Services IP HS chooses and publishes introduction point IP HS HS chooses and publishes introduction point (IP) guard

53 Hidden Services guard IP HS Learns about HS on web Learns about HS on web (.onion address)

54 Hidden Services guard IP HS Client looks up IP at a Hidden Service Directory using.onion address guard

55 Hidden Services guard IP HS RP Client builds circuit to chosen Rendezvous Point (RP)

56 guard Hidden Services guard IP HS Notifies HS of RP through IP RP guard RP Notifies HS of RP through IP

57 guard Hidden Services guard IP HS RP

58 guard Hidden Services guard IP HS RP guard Build new circuit to RP

59 guard Hidden Services guard IP HS RP guard Communicate

60 Tor Protocols 1.Exit circuits (anonymity wrt all but sender) 2.Hidden services (anonymity wrt all) 3.Censorship circumvention (unobservability)

61 Blocking Tor Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length

62 Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Tor bridges are kept private, released via – CAPTCHA – Email request – Personal communication

63 Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Pluggable transports obfsproxy3 makes protocol look like strings of random bits Flash proxies use transient web clients over WebSockets

64 Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Blocking Tor Not observed to be a problem currently – ScrambleSuit: randomized lengths – StegoTorus: Steganographic HTTP – SkypeMorph/FreeWave; Steganographic VOIP

65 Blocking Tor Tor directory and relay IPs are public Tor connections are made over TLS Tor cells have a fixed length Countries have manpower to enumerate bridges Network surveillance used to detect possible Tor connections, followup scans confirm

66 Attacks

67 Attacks on Tor Correlation attack Guard compromise Bandwidth manipulation Congestion/throughput attack Latency attack Application-layer attacks DoS attacks

68 68 Correlation Attack

69 69 Correlation Attack

70 70 Correlation Attack

71 71 Correlation Attack

72 72 Correlation Attack

73 73 Node Adversary Controls a fixed allotment of relays based on bandwidth budget We assume adversary has 100 MiB/s – comparable to large family of relays Adversaries apply 5/6th of bandwidth to guard relays and the rest to exit relays. (We found this to be the most effective allocation we tested.)

74 Time to first compromised circuit October 2012 – March 2013 74 50% of clients use a compromised circuit in less than 70 days

75 Attacks on Tor Correlation/throughput attack Guard compromise Bandwidth manipulation Congestion attack Latency attack Application-layer attacks DoS attacks


Download ppt "Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013."

Similar presentations


Ads by Google