Aaron Johnson
U.S. Naval Research Laboratory
aaron.m.johnson@nrl.navy.mil
CSci 6545
George Washington University
11/18/2013
Overview
What is Tor?
Tor is a system for anonymous communication and
censorship circumvention.
What is Tor?
Users
Onion Routers
Destinations
Tor is based on onion routing.
What is Tor?
Users
Onion Routers
Destinations
Tor is based on onion routing.
What is Tor?
Users
Onion Routers
Destinations
Tor is based on onion routing.
What is Tor?
Users
Onion Routers
Destinations
Tor is based on onion routing.
What is Tor?
Unencrypted
Users
Onion Routers
Destinations
Tor is based on onion routing.
Motivation
Why Tor?
• Individuals avoiding
censorship
• Individuals avoiding
surveillance
• Journalists
protecting
themselves or
sources
• Law enforcement
during
investigations
• Intelligence
analysts for
gathering data
Why Tor?
• Over 500000 daily users
• 2.4GiB/s aggregate traffic
• Over 4000 relays in
over 80 countries
Tor History
1996: “Hiding Routing Information” by David M. Goldschlag, Michael
G. Reed, and Paul F. Syverson. Information Hiding: First International
Workshop.
1997: "Anonymous Connections and Onion Routing," Paul F. Syverson,
David M. Goldschlag, and Michael G. Reed. IEEE Security & Privacy
Symposium.
1998: Distributed network of 13 nodes at NRL, NRAD, and UMD.
2000: “Towards an Analysis of Onion Routing Security” by Paul
Syverson, Gene Tsudik, Michael Reed, and Carl Landweh r. Designing
Privacy Enhancing Technologies: Workshop on Design Issues in
Anonymity and Unobservability.
2003: Tor network is deployed (12 US nodes, 1 German), and Tor code
is released by Roger Dingledine and Nick Mathewson under the free
and open MIT license.
2004: “Tor: The Second-Generation Onion Router” by Roger
Dingledine, Nick Mathewson, and Paul Syverson. USENIX Security
Symposium.
2006: The Tor Project, Inc. incorporated as a non-profit.
Tor Today
• Funding levels at $1-2 million (current and
former funders include DARPA, NSF, US State
Dept., SIDA, BBG, Knight Foundation, Omidyar
Network, EFF)
• The Tor Project, Inc. employs a small team for
software development, research, funding
management, community outreach, and user
support
• Much bandwidth, research, development, and
outreach still contributed by third parties
Other anonymous communication
designs and systems
• Single-hop anonymous proxies:
anonymizer.com, anonymouse.org
• Dining Cryptographers network: Dissent,
Herbivore
• Mix networks: MixMinion, MixMaster,
BitLaundry
• Onion routing: Crowds, Java Anon Proxy, I2P,
Aqua, PipeNet, Freedom
• Others: Anonymous buses, XOR trees,
Security Model
Threat Model
Adversary is local and active.
Threat Model
Adversary is local and active.
Not global
Threat Model
Adversary is local and active.
• Adversary may run relays
Threat Model
Adversary is local and active.
• Adversary may run relays
• Destination may be malicious
Threat Model
Adversary is local and active.
• Adversary may run relays
• Destination may be malicious
• Adversary may observe some ISPs
Security Definitions
• Identity is primarily IP address but can include
other identifying information
• Sender anonymity: Connection initiator cannot
be determined
• Receiver anonymity: Connection recipient
cannot be determined
• Unobservability: It cannot be determined who
is using the system.
Design
General Tor Functionality
• Provides connection-oriented bidirectional
communication
• Only makes TCP connections
• Provides standard SOCKS interface to
applications
• Provides application-specific software for
some popular applications (e.g. HTTP)
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)
2. Hidden services (anonymity wrt all)
3. Censorship circumvention (unobservability)
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)
2. Hidden services (anonymity wrt all)
3. Censorship circumvention (unobservability)
Exit Circuits
Exit Circuits
1. Client learns about relays from a directory server.
Centralized, point of failure
Exit Circuits
1. Client learns about relays from a directory server.
Exit Circuits
1. Client learns about relays from a directory server.
2. Clients begin all circuits with a selected guard.
Exit Circuits
Only guards directly observe client
1. Client learns about relays from a directory server.
2. Clients begin all circuits with a selected guard.
Exit Circuits
1. Client learns about relays from a directory server.
2. Clients begin all circuits with a selected guard.
3. Relays define individual exit policies.
Exit Circuits
1.
2.
3.
4.
Client learns about relays from a directory server.
Clients begin all circuits with a selected guard.
Relays define individual exit policies.
Clients multiplex streams over a circuit.
Exit Circuits
Different streams on circuit can be linked.
1.
2.
3.
4.
Client learns about relays from a directory server.
Clients begin all circuits with a selected guard.
Relays define individual exit policies.
Clients multiplex streams over a circuit.
Exit Circuits
1.
2.
3.
4.
5.
Client learns about relays from a directory server.
Clients begin all circuits with a selected guard.
Relays define individual exit policies.
Clients multiplex streams over a circuit.
New circuits replace existing ones periodically.
Exit Circuits
Circuits creation protects anonymity with
respect to all but sender
1.
2.
3.
4.
5.
Client learns about relays from a directory server.
Clients begin all circuits with a selected guard.
Relays define individual exit policies.
Clients multiplex streams over a circuit.
New circuits replace existing ones periodically.
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
13
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[0,CREATE, gx1]
u
1
2
3
1. CREATE/CREATED
13
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[0,CREATED, gy1]
1. CREATE/CREATED
13
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
1. CREATE/CREATED
13
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[0,{[EXTEND,2, gx2]}s1]
u
1
2
3
1. CREATE/CREATED
2. EXTEND/EXTENDED
14
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[l1,CREATE, gx2]
u
1
2
3
1. CREATE/CREATED
2. EXTEND/EXTENDED
14
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[l1,CREATED, gy2]
1. CREATE/CREATED
2. EXTEND/EXTENDED
14
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[0,{EXTENDED}s1]
1. CREATE/CREATED
2. EXTEND/EXTENDED
14
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[0,{{[EXTEND,3,gx3]}s2}s1]
u
1
2
3
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[l1,{[EXTEND,3,gx3]}s2]
u
1
2
3
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
[l2,CREATE,gx3]
u
1
2
3
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[l2,CREATED,gy3]
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[l1,{EXTENDED,gy3}s2]
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Creating a Circuit
{m}si: Encrypted using the DH session key gxiyi
u
1
2
3
[0,{{EXTENDED,gy3}s2}s1]
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
15
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)
2. Hidden services (anonymity wrt all)
3. Censorship circumvention (unobservability)
Hidden Services
User wants to
Userservice
wants to hide
hide
service
HS
Hidden Services
HS chooses and
HS chooses and
publishes
introduction
point
publishes introduction
IP
point (IP)
HS
guard
IP
Hidden Services
Learns about HS on
Learns
aboutaddress)
web
(.onion
HS on web
HS
guard
IP
Hidden Services
Client looks up IP at a Hidden Service
Directory using .onion address
guard
HS
guard
IP
Hidden Services
guard
RP
Client builds circuit to chosen
Rendezvous Point (RP)
HS
guard
IP
Hidden Services
Notifies
HS of RP
through IP
Notifies HS of RP
through IP
guard
RP
guard
RP
HS
guard
IP
Hidden Services
guard
RP
guard
IP
HS
RP
Hidden Services
guard
RP
Build new
circuit to RP
guard
HS
guard
IP
Hidden Services
Communicate
guard
RP
guard
HS
guard
IP
Tor Protocols
1. Exit circuits (anonymity wrt all but sender)
2. Hidden services (anonymity wrt all)
3. Censorship circumvention (unobservability)
Blocking Tor
• Tor directory and
relay IPs are public
• Tor connections are
made over TLS
• Tor cells have a fixed
length
Blocking Tor
• Tor directory and
relay IPs are public
• Tor connections are
made over TLS
• Tor cells have a fixed
length
• Tor bridges are kept
private, released via
– CAPTCHA
– Email request
– Personal communication
Blocking Tor
• Tor directory and
relay IPs are public
• Tor connections are
made over TLS
• Tor cells have a fixed
length
Pluggable transports
• obfsproxy3 makes
protocol look like
strings of random bits
• Flash proxies use
transient web clients
over WebSockets
Blocking Tor
• Tor directory and
relay IPs are public
• Tor connections are
made over TLS
• Tor cells have a fixed
length
• Not observed to be a
problem currently
– ScrambleSuit: randomized
lengths
– StegoTorus:
Steganographic HTTP
– SkypeMorph/FreeWave;
Steganographic VOIP
Blocking Tor
• Tor directory and
relay IPs are public
• Tor connections are
made over TLS
• Tor cells have a fixed
length
• Countries have
manpower to
enumerate bridges
• Network surveillance
used to detect possible
Tor connections,
followup scans confirm
Attacks
Attacks on Tor
•
•
•
•
•
•
•
Correlation attack
Guard compromise
Bandwidth manipulation
Congestion/throughput attack
Latency attack
Application-layer attacks
DoS attacks
Correlation Attack
68
Correlation Attack
69
Correlation Attack
70
Correlation Attack
71
Correlation Attack
72
Node Adversary
Controls a fixed allotment of relays based on
bandwidth budget
• We assume adversary has 100 MiB/s –
comparable to large family of relays
• Adversaries apply 5/6th of bandwidth to guard
relays and the rest to exit relays. (We found
this to be the most effective allocation we
tested.)
73
Time to first compromised circuit
October 2012 – March 2013
50% of clients use a
compromised circuit
in less than 70 days
74
Attacks on Tor
•
•
•
•
•
•
•
Correlation/throughput attack
Guard compromise
Bandwidth manipulation
Congestion attack
Latency attack
Application-layer attacks
DoS attacks