Privacy and anonymity continued

Chapter 7.3 (traffic flow security) Anonymous email (chapter 10.6)

TOR http://www.torproject.org/

"Anonymity loves company [...] it is not possible to be anonymous alone“ – Roger Dingledine

Hundreds > 700 of volunteers run their machines as TOR nodes around the world

> 200,000 active users per week Typically 3 nodes used for each

route Bandwidth < 100MB/s TOR nodes are TOR onion routers

The Onion Router (TOR)

Roger Dingledine – many presentations on youtube

Alice wants to communicate with Bob

http://www.iusmentis.com/society/privacy/remailers/onionrouting/

Alice gets a directory listing from a central server of TOR nodes

Directory server keys ship with the code

Alice randomly chooses 3 nodes and uses public-key cryptography to set up the channelThe process is similar to Mix net

entry node

Once the communication channel is established, the data is moved with symmetric keys

exit node

TOR supports real-time communication

TOR changes the route periodically (e.g., every 10 minutes) to avoid traffic analysis

Some security analysis

Each TOR node routes messages for many hosts

It is difficult to keep track of how messages are routed within TOR network Assuming majority of TOR nodes are not

corrupted or collude

However, there are some issues in a stronger adversary model:

All TOR nodes are semi-honest, so entry/exit nodes know something about Alice and Bob

However, attacker may know who initiates or receives the traffic

AttackerKnows Alice startsSome communication

Entry nodeKnows Alice startsSome communication

Exit nodeKnows Bob is the receiver

Solution: for Alice and Bob to become TOR nodes as well

Resources regarding TOR and onion routing

http://www.onion-router.net/ Download TOR at

https://www.torproject.org/ http://www.freehaven.net/~arma/cv-

pres.html

How TOR helps whistleblowers? --Hidden service E.g., wikileaks

http://gaddbiwdftapglkq.onion/

Paul Syverson NRL, onion routing inventor

TOR location hidden service

Alice can connect to Bob's server without knowing where it is or possibly who he is

Server needs to Be accessible from anywhere Resist censorship Require minimal redundancy for resilience in

denial of service (DoS) attack Can survive to provide selected service even

during full blown distributed DoS attack Resistant to physical attack (you can't find

them) How is this possible?

Basic ideas of hidden services

Use an intermediary to marry client and server Similar ideas used in Skype as well

For users behind NAT (network address translator)

http://www.freehaven.net/~arma/cv-pres.html

2’. Alice obtains Service Descriptor (including Intro Pt. address) at Lookup Server

4. Alice sends RP addr. and any authorization through IP to Bob