Tor: The Second-Generation Onion Router ROGER DINGLEDINE, NICK MATHEWSON, PAUL SYVERSON THE FREE HAVEN PROJECT &NAVAL RESEARCH LAB PRESENTED BY: COREY WHITE Table of Contents Background Information Tor Enhancements over Original Related Work Design Goals and Assumptions The Tor Design Rendezvous Point and hidden Services Design Decisions Attack and Defenses Early experience: Tor in the Wild Open Questions in Low-Latency Anonymity Future Direction Conclusion Background Information What is an Onion Routing (Original)? Onion routing is an anonymous communication technique over a computer network. Messages are constantly encrypted and then sent through several network nodes called onion routers which creates a circuit of nodes. Each onion router removes a layer of encryption with its symmetric key to reveal routing instructions, and sends the message to the next router where this is process is repeated. Thus the analogy “onion router”. This prevents these intermediary nodes from knowing the origin, destination, and contents of the message. Background Information continued.. What is Tor Onion Routing?: Second Generation Onion Routing Tor is a distributed overlay network which anonymizes TCPbased applications (e.g. web browsing, secure shell, instant messaging applications.) Clients choose the circuit paths Message are put in cells and unwrapped at each node or onion router with a symmetric key. The ORs only know the successor or predecessor but not any other Onion Router. Background Information http://en.wikipedia.org/wiki/File:Onion_diagram.svg Tor Enhancements over Previous Onion Routing applications Tor uses telescoping path-built design Previous designs allowed hostiles to record traffic and compromise successive nodes. Tor uses SOCKS proxy interface Previous designs required a separate application proxy for each application protocol. Tor is able to share one circuit for many TCP streams Previous designs required a separate circuit for each application level request. Which is a threat to anonymity. Leaky pipe circuit topology Tor Enhancements over Previous Onion Routing applications continued.. Directory servers Previous designs resorted to flooding info on the network. Variable exit policies End-to-end integrity checks Previous designs had no integrity checks. Rendezvous points/hidden services Previous designs included replay onions. Congestion control: uses end-to-end acks Previous designs didn’t address traffic bottlenecks. Related Work Chaum’s Mix-Net design Correspondence hiding between sender & receiver by wrapping messages in layers and relaying through “mix” routers. Babel ‘s Mix master and Mixminion Try to maximize anonymity at the cost of high latency. Anonymizer Single-hop proxy PipeNet Low-latency design giving user anonymity by shutting down the network by not sending. Related Work P2P Tarzan and MorphMix designs Rely and generate traffic for other participating users and hide who originated or relayed a request. Hordes/Crowds Hides the initiator of traffic thorough multicast responses Freedom Supports session keys and address of the server in a circuit. Rennhard’s Anonymity Network Builds circuits in stages which helps to obtain perfect forward secrecy by extending them one hop at a time. Design Goals and Assumptions Main Goals: Disrupt attackers from linking communication partners, or from linking multiple communications to or from a single user. Sub Goals: Deployability: must be inexpensive to implement (e.g. requiring kernel patches), can’t require non-anonymous parties like websites to run the software. Usability: a security requirement to hide users among users which should not require modification of applications, no prohibitive delays, and few configuration decisions, and easy implementation on all common OS platforms. Design Goals and Assumptions continued.. Sub Goals: Flexibility: the protocol should be flexible and well specified for future research work. Simple design: the protocols design and security must be user friendly. Non Goals or Weaknesses No peer to peer environments Unsecure against end-to-end attacks No protocol normalization-Tor must be layered with filtering proxy when using variable protocols like HTTP. No steganographic-Tor doesn’t conceal who is connected on the network Design Goals and Assumptions continued.. Thread Model Passive adversaries are the most common threats They can also launch active attacks by compromising keys and or routers, deny service to trustworthy routers to force users toward compromised routers, or deny service to users to see if other traffic stops. Adversaries also can subvert directory servers and decrease node reliability by attacking nodes or by performing antisocial activity from reliable nodes in order to take them down. Tor aims to prevent traffic analysis attacks, where the adversary uses traffic patterns to learn which points of the network to attack. Tor Design Tor is an overlay network Each router has a user-level process w/o special privileges. Each onion router maintains a TLS connection to every other onion router. Each user runs local software called onion proxy (OP) to fetch directories, establish circuits across the network, and handle connections from users. Each router maintains a long-term & short term onion identity key. These are used to sign TLS certificates which sign the OR’s router descriptor(summary of keys, address, bandwidth ,etc.) Tor Design continued.. Cells Traffic passes along the connections in fixed-sized cells which are 512 bytes with a header and a payload. Cells consists of a header(circuit identifier or circID) to determine which circuit the cell refers to. Also a command to describe what to do about the cell’s payload. Cells are either control cells: always interpreted by the nodes that receive them or… relay cells: which carry end-to-end stream data. Also relay cells have an additional header on front of the payload containing a streamID, integrity checksum, length of payload and relay command. Tor Design continued.. Relay Commands Relay data: data flowing down stream Relay begin: to open a stream Relay end: to close a stream cleanly Relay teardown: to close a broken stream Relay connected: to notify successful relay begin Relay extend/extended: to extend the circuit by a hop Relay send me: congestion control Relay drop: implements long-range dummies Tor Design continued.. Alice builds a two-hop circuit and begins fetching a web page. https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html Tor Design continued.. Relay Cells Once a connection is established a user can send relay cells (relay truncated, destroy, create cells) OR receive relay cells, look up the corresponding circuit and decrypts the relay header and payload with the session key for the circuit. Also checks for a valid digest for outgoing cells. If not valid, the OR finds the circID for the next step in the circuit, replaces the appropriate circID, and sends the decrypted relay cell to the next OR. Tor Design continued.. Opening and Closing Streams A user like Alice can obtain a TCP connection via SOCKS The OP chooses a new open circuit and suitable OR to be an exit node The OP then sends a relay begin cell to host, the host responds with relay connected cell. The SOCKS relays to notify its success. The OP now accepts data from the TCP stream, which is packaged into relay data cells and passes these to the intended OR. SOCKS’s weakness is revealing of user destinations if the intended application does DNS resolution first. Tor Design continued.. Integrity Checking on Streams Integrity checks are only done at the edges of each stream(leaky-pipe circuit topology allows a streams edge to be any hop in the circuit) The OP and the hop initialize a SHA-1 digest with a derivative of the key, then both add to the digest the contents of all relay cells they create. Each side also keeps a SHA-1 digest of data received , to verify correctness of the hashes. A cell has four bytes to lower overhead, which leaves an adversary’ chances of guessing a valid hash to very low, also the OP or OR tear down the circuit if they get a bad hash. Tor Design continued.. Rate limiting and fairness Tor uses a token bucket approach to enforce long-term average rate of incoming bytes, while still allowing short-term bursts above the allowed bandwidth to limit bandwidth usage. Tor provides good latency for interactive streams and good overall throughput to the bulk streams by acting as if the entire cell has been read disregarding the cell’s fullness. The local application may be waiting for a reply and this method accomadates this position without waiting for more bytes. Tor Design continued.. Congestion Control (circuit-level throttling) Each OR keeps track of two windows, the packaging window: tracks how many relay data cells allowed to the OR for packaging back to the OP. The delivery window: tracks how many relay data cells given to TCP streams outside the network. OR after receiving enough data cells, it sends a send me relay to the OP with streamID zero. It then increments the packaging window by 100. If the window reaches 0 the OR stops reading from TCP connections for all streams on the corresponding circuit, and stops until another send me relay is received Congestion Control (Stream-level throttling) Similar to circuit level throttling but checks for successful flushed TCP stream, and only sends “send me” relays when flushed under a set threshold by the user. Rendezvous Points and Hidden Services Rendezvous points are building blocks for location-hidden services(responder anonymity) It allows an OP to offer a TCP service without revealing his IP address. This protects against DoS attacks. Goal for location hidden servers Access-control: filters incoming requests to prevent flooding Robustness: Users maintains a long-term pseudonymous identity even during failure Smear-resistance: frame prevention on rendezvous routers Application transparency: no modification of user special software. Rendezvous Points continued.. Rendezvous Points in Tor User 1 generates a long-term public key pair to identify his service. User 1 chooses some introduction points, and advertises them on the lookup service, signing the advertisement with his public key. User 1 builds a circuit to each of his introduction points, and tells them to wait for requests. User 2 learns about User 1 ’s service out of band (perhaps via lookup service If user 2 wants to access User 1 ’s service anonymously, she must connect via Tor to the lookup serivce. User 2 chooses an OR as the rendezvous point for her connection to user 1’s service. She builds a circuit to the RP, and gives it a randomly chosen “rendezvous cookie” to recognize user 1. User 2 opens an anonymous stream to one of user 1’s introduction points, and gives it a message (encrypted with User 1’s public key) telling the RP and rendezvous cookie, and the start of a DH handshake. The introduction point then sends the message to user 1. Rendezvous Points continued.. If User 1 wants to talk to user 2 he builds a circuit to user 2’s RP and sends the rendezvous cookie, the second of half of the DH handshake, and a hash of the session key they now share. By the same argument, this enables user 2 of knowing she shares the key only with user 1. The RP connects user 2’s circuit to user 1’s. at this point the RP can’t recognize user 2, user 1, or the data they transmit. User 2 sends a relay begin cell along the circuit. It arrives at user 1’s OP, which connects to user 1’s web server. An anonymous stream has been established, and user 2 and user 1 can now communicate as normal. Other Design Decisions DoS and Tor Tor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users. Tor deals with these attacks with Puzzle solving: done at the beginning of a TLS handshake or accepting create cells, this limits the attack multiplier. Limiting rates: this limits the rates of accepting of create cell and TLS connections so the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow. Other Design Decisions continued.. Exit Policies and Abuse: Tor deals with abuse thorough its abuse policy including.. Exit Policy: tells which external addresses and ports will connect to where. Open exit nodes: connect anywhere Middleman nodes: only relay traffic to other Tor nodes. Private exit nodes: allows a client to connect more securely to a host. This prevents eavesdropping. Other Design Decisions continued.. Directory Servers Tor uses small group of onion routers to track changes in network topology and node state, including keys and exit policies. These directory servers act as HTTP servers that fetch state and router lists, and allows for other ORs to upload state information. The directory servers combine this info with their own network liveliness and generate the signed description or directory of the entire network. All new nodes must be approved by the directory servers and their keys to prevent attackers from taking over the network by creating many servers. Attacks and Defense Passive Attacks Observing traffic patterns: Observance of user traffic will not reveal destinations or date, but reveals patterns of sent and received data. Observing user content: Tor uses Privoxy and related filtering service to anonymize application data streams. Optional distinguishability: allows for clients to choose configuration options but is a threat to anonymity. End-to-end timing correlation: hides the connection between the onion proxy and the first Tor node, this runs the OP on the Tor node and or behind the firewall. Attacks and Defense End-to-end size correlation: simple packet counting is effective attack which confirms endpoints of a stream. Website fingerprinting: Is a database of patterns of file sizes and access patterns for targeted websites. This is less effective against Tor because it’s streams are multiplex within the same circuit. Attacks and Defense Active Attacks Compromise keys: Compromised session keys that leave control cells and encrypted cells on every circuit on the connection vulnerable. Iterated compromise: This is compromising of the ORs, this is hindered because session keys are forward in secrecy, which won’t allow nodes to decrypt recorded traffic once the circuit is closed. Run a recipient: an adversary learns the timing patterns of connecting users and introduces arbitrary patterns in its response. Attacks and Defense Onion Proxy: compromising of onion proxies compromises all future connections through it. Tagging attacks: hostile nodes tag a cell by altering, but integrity checks on cells prevent this attack Replay attacks: Tor is not vulnerable to replay attacks because of protocols of session keys during a handshake. Smear attack: Exit policies deter the abusive socially unacceptable acts on the network. Distribute hostile code: tricks users into running subverted Tor software that reduces their anonymity. Attacks and Defense Directory Attacks Destroying directory servers: few destroyed directories won’t effect the network, but half destroyed is harmful because it doesn’t have enough to display a view of the network and give a consensus directory. Subvert a directory server: compromising a directory server an attacker can influence the view of the final directory. Subvert a majority of directory servers: allows for compromising of ORs in the final directory Trick the directory servers into listing a hostile OR: This is deterred by Tor’s directory server operators filtering out hostile ORs. Early Experiences: Tor in the Wild Tor network Tor as of May 2004, has 32 nodes( 24 in the US , 8 in Europe) Each node has 768/768 connection and many have 10 Mb. Each node processed 800,000 relay cells per week Tor has been used for web browsing, FTP, IRC, Kazaa, etc. Latency attributed to two factors: bouncing of traffic around the world several times and end-to-end congestion which protects users from DoS. Open Questions in Low-Latency Anonymity How often should users rotate to fresh circuit?: Frequent rotation is expensive and inefficient and could lead to attacks, while infrequent rotation make the user’s traffic linkable. How to choose path lengths?: using two hops per user could disrupt anonymity because of the timing pattern it could create. How to disrupt end-to-end confirmation?: affects both high and low latency systems. Tor uses long-range wrapping of control commands in similar looking relay cells to reduce to chance of this attack. Future Directions Tor wants to improve on Scalability Bandwidth classes: advertisement of bandwidth levels Incentives: rewards including publicity and better anonymity Cashing at exit nodes: running a cache proxy Better directory distribution: distribute up-to-date network snapshots Further specification review: more external review of Tor Multisystem interoperability: allow more testing design comparisons Wider-scale deployment: more users for better design evaluation Conclusion Tor is great with providing anonymity ,deterring replay attacks and ensuring integrity checks. It is very versatile allowing web- browsing FTP, IRC, AIM, Kazaa, SSH, and recipient-anonymous email via rendezvous points. Unfortunately its vulnerabilities to several passive and active attacks within its network at critical areas leave it in need of vast improvements and research in the future.
© Copyright 2024