A Usability Evaluation of the Tor Anonymity Network By Gregory Norcie.
Anonymity With Tor
Transcript of Anonymity With Tor
Anonymity With TorThe Onion Router
Nathan S. Evans Christian Grothoff
Technische Universitat Munchen
July 5, 2012
“It’s a series of tubes.” – Ted Stevens
Overview
I What is Tor?
I Motivation
I Background Material
I How Tor Works
I Hidden Services
I Attacks
I Specific Attack
I Summary
What is Tor?
I Tor is a P2P network of Chaum inspired low-latency mixeswhich are used to provide anonymous communication betweenparties on the Internet.
What is Tor?
I Sender anonymity for low latency applicationsI Common usage: Web browsing
I Sender anonymityI Web server cannot identify client
I Advanced usage:I Hidden services (send/receive anonymity)I FilesharingI IRCI Any application that communicates using TCP
⇒ Tor provides users with a service that effectively hides theiridentity on the Internet.
Motivation
I Internet packets travel from A to B transparently
I A knows B, and B knows A (by IP address)
I Routers, etc. can determine that A and B are communicating
I This may reveal unintended information (e.g. person X’sbank)
I EncryptionI For example, TLS (HTTPS)I Provides Data anonymityI Does not hide routing information
Motivation - Routing Example
10.0.0.1www.google.com
Review: MixingDavid Chaum’s mix (1981) and cascades of mixes are thetraditional basis for destroying linkability:
Review: MixingDavid Chaum’s mix (1981) and cascades of mixes are thetraditional basis for destroying linkability:
Onion Routing
I Multiple mix servers
I Subset of mix servers chosen by initiatorI Chosen mix servers create “circuit”
I Initiator contacts first server S1, sets up symmetric key KS1
I Then asks first server to connect to second server S2; throughthis connection sets up symmetric key with second server KS2
I ...I Repeat with server Si until circuit of desired length n
constructed
Onion Routing Example
I Client sets up symmetric key KS1 with server S1
S1
S2
Client
Exchange
KS1
Onion Routing Example
I Via S1 Client sets up symmetric key KS2 with server S2
S1
S2
Client
Exchange
KS2
Onion Routing Example
I Client encrypts m as KS1(KS2(m)) and sends to S1
S1
S2
Client
(KS2
KS1
(m))
Onion Routing Example
I S1 decrypts, sends on to S2, S2 decrypts, revealing m
S1
S2
Client
(KS2
KS1
(m))KS
2(m)
Tor - How it Works
I Low latency P2P Network of mix servers
I Designed for interactive traffic (https, ssh, etc.)I ”Directory Servers“ store list of participating servers
I Contact information, public keys, statisticsI Directory servers are replicated for security
I Clients choose servers randomly with bias towards highBW/uptime
I Clients build long lived Onion routes ”circuits“ using theseservers
I Circuits are bi-directional
I Circuits are hard coded at length three
Tor - How it Works - Example
I Example of Tor client circuit
Client
Server
Tor Node 1 Tor Node 2 Tor Node 3
Tor Node 4 Tor Node 5 Tor Node 6
Tor Node 7 Tor Node 8 Tor Node 9
Tor - How it Works - Servers
I Servers connected in ”full mesh“I All servers exchange symmetric keysI Allows fast sending between servers, regardless of which
circuitsI Allows combining of multiple messages with same next-hop
I New servers publish information to directory servers
I Once online for a certain period, they are added to the ”live“list
I They are then available for use by clients
Tor - How it Works - Servers
I Servers are classified into three categories for usability,security and operator preference
I Entry nodes (aka guards) - chosen for first hop in circuitI Generally long lived ”good“ nodesI Small set chosen by client which are used for client lifetime
(security)
I Middle nodes - chosen for second hop in circuit, leastrestricted set
I Exit nodes - last hop in circuitI Visible to outside destinationI Support filtering of outgoing trafficI Most vulerable position of nodes
Hidden Services in Tor
I Hidden services allow Tor servers to receive incomingconnections anonymously
I Can provide access to services available only via TorI Web, IRC, etc.I For example, host a website without your ISP knowing
I Uses a ”Rendezvous point“ to connect two Tor circuits
I Uses ”Introduction points“, which allow outside peers tocontact hidden server (while keeping it hidden)
I Publishes Intro. point addresses to ”Lookup server“
I Client gets Introduction point address from lookup server,sends random rendezvous point to hidden server
I Data travels a total of 7 hops (once established)
Hidden Services Example 1
Hidden Services Example 2
Hidden Services Example 3
Hidden Services Example 4
Hidden Services Example 5
Hidden Services Example 6
Types of Attacks on Tor
I Exit Relay Snooping
I Website fingerprinting
I Traffic Analysis
I Intersection Attack
I DoS
Why attack Tor?
I Tor is the most popular and widely used free software P2Pnetwork used to achieve anonymity on the Internet:
I Tor has a large user baseI The project is well supportedI Generally assumed to give users strong anonymity
Our results:
All the Tor nodes involved in a circuit can be discovered, reducingTor users level of anonymity and revealing a problem with Tor’s
protocol
Key Tor Properties
I Data is forwarded through the network
I Each node knows only the previous hop and the next hop
I Only the originator knows all the hops
I Number of hops is hard coded (currently set to three)
Key security goal: No node in the path can discover the full path
Our Basis for Deanonymization
I Target user is running Tor from 2009 with default settingsI Three design issues enable users to be deanonymized
1. No artificial delays induced on connections2. Path length is set at a small finite number (3)3. Paths of arbitrary length through the network can be
constructed
Regular Path Example
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Circular Path Example 1/5
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Circular Path Example 2/5
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Circular Path Example 3/5
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Circular Path Example 4/5
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Circular Path Example 5/5
Client
Server
Tor Node 1 Tor Node 2
Tor Node 3
Attack Implementation
I Exit node “injects” JavaScript “ping” code into HTMLresponse
I Client browses as usual, while JavaScript continues to “phonehome”
I Exit node measures variance in latencyI While continuing to measure, attack strains possible first
hop(s)I If no significant variance observed, pick another node from
candidates and start overI Once sufficient change is observed in repeated measurements,
initial node has been found
Attack Example
Client
Tor Node 3 - Our Exit Node
Server
Tor Node 1 - Unknown Node Malicious Client
Tor Node 2 - Known High BW Tor Node 1
High BW Tor Node 2 Malicious Server
Queue example 1 (3 circuits)
A
A0
B
B0
B1
B2
B3
B4
B5
C
C1
C0
t = 0Output Queue
Queue example 2 (3 circuits)
A B
B0
B1
B2
B3
B4
B5
C
C1
C0
t = 0
A0
t = 1Output Queue
Queue example 3 (3 circuits)
A B
B1
B2
B3
B4
B5
C
C1
C0
t = 0
A0
t = 1
B0
t = 2Output Queue
Queue example 4 (3 circuits)
A B
B1
B2
B3
B4
B5
C
C0
t = 0
A0
t = 1
B0
t = 2
C1
t = 3Output Queue
Queue example 5 (3 circuits)
A B
B2
B3
B4
B5
C
C0
t = 0
A0
t = 1
B0
t = 2
C1
t = 3
B1
t = 4Output Queue
Queue example 6 (3 circuits)
A B
B3
B4
B5
C
C0
t = 0
A0
t = 1
B0
t = 2
C1
t = 3
B1
t = 4
B2
t = 5Output Queue
Queue example 7 (3 circuits)
A B
B4
B5
C
C0
t = 0
A0
t = 1
B0
t = 2
C1
t = 3
B1
t = 4
B2
t = 5
B3
t = 6Output Queue
Queue example 8 (3 circuits)
A B
B5
C
C0
t = 0
A0
t = 1
B0
t = 2
C1
t = 3
B1
t = 4
B2
t = 5
B3
t = 6
B4
t = 7Output Queue
Queue example 1 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D0
D1
D2
D3
D4
D5
E
E0
E1
E2
E3
E4
F G
G0
G1
H
H0
H1
I
I0
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0Output Queue
Queue example 2 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E0
E1
E2
E3
E4
F G
G0
G1
H
H0
H1
I
I0
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1Output Queue
Queue example 3 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G0
G1
H
H0
H1
I
I0
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2Output Queue
Queue example 4 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H0
H1
I
I0
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3Output Queue
Queue example 5 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I0
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4Output Queue
Queue example 6 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I1
I2
I3
I4
J
J0
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4
I0
t = 5Output Queue
Queue example 7 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I1
I2
I3
I4
J
J1
K
K0
L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4
I0
t = 5
J0
t = 6Output Queue
Queue example 8 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I1
I2
I3
I4
J
J1
K L
L0
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4
I0
t = 5
J0
t = 6
K0
t = 7Output Queue
Queue example 9 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I1
I2
I3
I4
J
J1
K L
L1
L2
L3
M
M0
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4
I0
t = 5
J0
t = 6
K0
t = 7
L0
t = 8Output Queue
Queue example 10 (15 circuits)
A
A0
A1
A2
A3
B
B0
B1
B2
B3
C
C1
C2
C3
C4
D
D1
D2
D3
D4
D5
E
E1
E2
E3
E4
F G
G1
H
H1
I
I1
I2
I3
I4
J
J1
K L
L1
L2
L3
M
M1
N
N0
N1
N2
N3
N4
N5
N6
O
O0
O1
O2
O3
O4
O5
C0
t = 0
D0
t = 1
E0
t = 2
G0
t = 3
H0
t = 4
I0
t = 5
J0
t = 6
K0
t = 7
L0
t = 8
M0
t = 9Output Queue
Attack Example
Client
Tor Node 3 - Our Exit Node
Server
Tor Node 1 - Unknown Node Malicious Client
Tor Node 2 - Known High BW Tor Node 1
High BW Tor Node 2 Malicious Server
Attack Implementation
I Modified exit node
I Modified malicious client node
I Lightweight malicious web server running on GNUlibmicrohttpd
I Client side JavaScript for latency measurements
I Instrumentation client to receive data
Gathered Data Example (1/8)
1
2
3
4
5
6
7
0 200 400 600 800 1000 1200
10
20
30
40
50
60
70
80
90
100
110
120
130
140
150
160
Late
ncy
varia
nce
(in s
econ
ds)
Byt
es e
xpen
ded
by a
ttack
er (
in k
B)
Sample number
Latency measurement graph freedomsurfers
Control RunAttack Run
Downloaded Data
Gathered Data Example (2/8)
1
5
10
15
20
25
3031
0 200 400 600 800 1000 1200
10
20
30
40
50
Late
ncy
varia
nce
(in s
econ
ds)
Byt
es e
xpen
ded
by a
ttack
er (
in k
B)
Sample number
Latency measurement graph bloxortsipt41
Control RunAttack Run
Downloaded Data
Gathered Data Example (3/8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0 200 400 600 800 1000 1200
10
20
30
40
Late
ncy
varia
nce
(in s
econ
ds)
Byt
es e
xpen
ded
by a
ttack
er (
in k
B)
Sample number
Latency measurement graph carini
Control RunAttack Run
Downloaded Data
Gathered Data Example (4/8)
1
2
3
4
5
6
7
8
9
10
11
12
13
0 200 400 600 800 1000 1200
10
20
30
40
Late
ncy
varia
nce
(in s
econ
ds)
Byt
es e
xpen
ded
by a
ttack
er (
in k
B)
Sample number
Latency measurement graph carini
Control RunAttack Run
Downloaded Data
Gathered Data Example (5/8)
0
100
200
300
400
500
600
1 2 3 4 5 6 7
Num
ber o
f mea
sure
men
ts in
rang
e
Range of measurements (in seconds)
Histogram of latency measurements for freedomsurfers
Control RunAttack Run
Control Run Regression LineAttack Run Regression Line
Gathered Data Example (6/8)
0
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Num
ber o
f mea
sure
men
ts in
rang
e
Range of measurements (in seconds)
Histogram of latency measurements for bloxortsipt41
Control RunAttack Run
Control Run Regression LineAttack Run Regression Line
Gathered Data Example (7/8)
0
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Num
ber o
f mea
sure
men
ts in
rang
e
Range of measurements (in seconds)
Histogram of latency measurements for carini
Control RunAttack Run
Control Run Regression LineAttack Run Regression Line
Gathered Data Example (8/8)
0
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10 11 12 13
Num
ber o
f mea
sure
men
ts in
rang
e
Range of measurements (in seconds)
Histogram of latency measurements for carini
Control RunAttack Run
Control Run Regression LineAttack Run Regression Line
Statistical Analysis
I Use modified χ2 test
I Compare baseline distribution to attack distribution
I High χ2 value indicates distribution changed in the rightdirection
I Product of χ2 confidence values over multiple runs
I Iterate over suspect routers until single node stands out
Cumulative Product of χ2 p-values
1-1x10-20
1-1x10-10
.99999
.99.9
0 0 5 10 15 20 25 30
Pro
duct
of C
onfid
ence
Val
ues
Number of Runs
RattensalatSEC
wie6ud6Bhamakor
yavsauk
dontmesswithmecThor
Raccooneponymousraga
BlueStar88awranglerrutgersedu
conf555nickmf62525
miskatonicWeAreAHedge
anon1984n2c64177124055
bondserver3
1-1x10-10
.99999
.99
.9
0 0 2 4 6 8 10 12 14
Pro
duct
of C
onfid
ence
Val
ues
Number of Runs
Privacyhostingc64177124055
DieYouRebelScum1ArikaYumemiya
aukmrkoolltor
TorSchleimmyrnaloy
judasDoodles123
tin0baphomet
kalliodiora
aquatoriusEinlauf
dontmesswithmeaskatasuna
century
What We Actually Achieve
I We do identify the entire path through the Tor network
I We do achieve this on the 2009 Tor network
I Attack works on routers with differing bandwidths
I This means that if someone were performing this attack froman exit node, Tor becomes as effective as a network ofone-hop proxies
Why Our Attack is Effective
I Since we run the exit router, only a single node needs to befound
I Our multiplication of bandwidth technique allows lowbandwidth connections to DoS high bandwidth connections(solves common DoS limitation)
Fixes
I Don’t use a fixed path length (or at least make it longer)
I Don’t allow infinite path lengths (this is fixed in Tor now!)
I Induce delays into connections (probably not going to happen)
I Monitor exit nodes for strange behavior (been donesomewhat)
I Disable JavaScript in clients
I Use end-to-end encryption
Attack Improvements/Variants
I Use meta refresh tags for measurements instead of JavaScript
I Parallelize testing (rule out multiple possible first nodes atonce)
I Improved latency measures for first hop to further narrowpossible first hops
Conclusion
I Initial Tor implementation allowed arbitrary length paths
I Arbitrary path lengths allow latency altering attack
I Latency altering attack allows detection of significant changesin latency
I Significant changes in latency reveal paths used
Questions?