Anonymity With Tor

Anonymity With TorThe Onion Router

Nathan S. Evans Christian Grothoff

Technische Universitat Munchen

July 5, 2012

“It’s a series of tubes.” – Ted Stevens

Overview

I What is Tor?

I Motivation

I Background Material

I How Tor Works

I Hidden Services

I Attacks

I Specific Attack

I Summary

What is Tor?

I Tor is a P2P network of Chaum inspired low-latency mixeswhich are used to provide anonymous communication betweenparties on the Internet.

What is Tor?

I Sender anonymity for low latency applicationsI Common usage: Web browsing

I Sender anonymityI Web server cannot identify client

I Advanced usage:I Hidden services (send/receive anonymity)I FilesharingI IRCI Any application that communicates using TCP

⇒ Tor provides users with a service that effectively hides theiridentity on the Internet.

Motivation

I Internet packets travel from A to B transparently

I A knows B, and B knows A (by IP address)

I Routers, etc. can determine that A and B are communicating

I This may reveal unintended information (e.g. person X’sbank)

I EncryptionI For example, TLS (HTTPS)I Provides Data anonymityI Does not hide routing information

Motivation - Routing Example

10.0.0.1www.google.com

Review: MixingDavid Chaum’s mix (1981) and cascades of mixes are thetraditional basis for destroying linkability:

Onion Routing

I Multiple mix servers

I Subset of mix servers chosen by initiatorI Chosen mix servers create “circuit”

I Initiator contacts first server S1, sets up symmetric key KS1

I Then asks first server to connect to second server S2; throughthis connection sets up symmetric key with second server KS2

I ...I Repeat with server Si until circuit of desired length n

constructed

Onion Routing Example

I Client sets up symmetric key KS1 with server S1

S1

S2

Client

Exchange

KS1


I Via S1 Client sets up symmetric key KS2 with server S2

S1

S2

Client

Exchange

KS2


I Client encrypts m as KS1(KS2(m)) and sends to S1

S1

S2

Client

(KS2

KS1

(m))


I S1 decrypts, sends on to S2, S2 decrypts, revealing m

S1

S2

Client

(KS2

KS1

(m))KS

2(m)

Tor - How it Works

I Low latency P2P Network of mix servers

I Designed for interactive traffic (https, ssh, etc.)I ”Directory Servers“ store list of participating servers

I Contact information, public keys, statisticsI Directory servers are replicated for security

I Clients choose servers randomly with bias towards highBW/uptime

I Clients build long lived Onion routes ”circuits“ using theseservers

I Circuits are bi-directional

I Circuits are hard coded at length three

Tor - How it Works - Example

I Example of Tor client circuit

Client

Server

Tor Node 1 Tor Node 2 Tor Node 3



Tor - How it Works - Servers

I Servers connected in ”full mesh“I All servers exchange symmetric keysI Allows fast sending between servers, regardless of which

circuitsI Allows combining of multiple messages with same next-hop

I New servers publish information to directory servers

I Once online for a certain period, they are added to the ”live“list

I They are then available for use by clients

Tor - How it Works - Servers

I Servers are classified into three categories for usability,security and operator preference

I Entry nodes (aka guards) - chosen for first hop in circuitI Generally long lived ”good“ nodesI Small set chosen by client which are used for client lifetime

(security)

I Middle nodes - chosen for second hop in circuit, leastrestricted set

I Exit nodes - last hop in circuitI Visible to outside destinationI Support filtering of outgoing trafficI Most vulerable position of nodes

Hidden Services in Tor

I Hidden services allow Tor servers to receive incomingconnections anonymously

I Can provide access to services available only via TorI Web, IRC, etc.I For example, host a website without your ISP knowing

I Uses a ”Rendezvous point“ to connect two Tor circuits

I Uses ”Introduction points“, which allow outside peers tocontact hidden server (while keeping it hidden)

I Publishes Intro. point addresses to ”Lookup server“

I Client gets Introduction point address from lookup server,sends random rendezvous point to hidden server

I Data travels a total of 7 hops (once established)

Hidden Services Example 1

Types of Attacks on Tor

I Exit Relay Snooping

I Website fingerprinting

I Traffic Analysis

I Intersection Attack

I DoS

Why attack Tor?

I Tor is the most popular and widely used free software P2Pnetwork used to achieve anonymity on the Internet:

I Tor has a large user baseI The project is well supportedI Generally assumed to give users strong anonymity

Our results:

All the Tor nodes involved in a circuit can be discovered, reducingTor users level of anonymity and revealing a problem with Tor’s

protocol

Key Tor Properties

I Data is forwarded through the network

I Each node knows only the previous hop and the next hop

I Only the originator knows all the hops

I Number of hops is hard coded (currently set to three)

Key security goal: No node in the path can discover the full path

Our Basis for Deanonymization

I Target user is running Tor from 2009 with default settingsI Three design issues enable users to be deanonymized

1. No artificial delays induced on connections2. Path length is set at a small finite number (3)3. Paths of arbitrary length through the network can be

constructed

Regular Path Example

Client

Server

Tor Node 1 Tor Node 2

Tor Node 3

Circular Path Example 1/5

Client

Server


Tor Node 3


Client

Server


Tor Node 3

Attack Implementation

I Exit node “injects” JavaScript “ping” code into HTMLresponse

I Client browses as usual, while JavaScript continues to “phonehome”

I Exit node measures variance in latencyI While continuing to measure, attack strains possible first

hop(s)I If no significant variance observed, pick another node from

candidates and start overI Once sufficient change is observed in repeated measurements,

initial node has been found

Attack Example

Client

Tor Node 3 - Our Exit Node

Server

Tor Node 1 - Unknown Node Malicious Client

Tor Node 2 - Known High BW Tor Node 1

High BW Tor Node 2 Malicious Server

Queue example 1 (3 circuits)

A

A0

B

B0

B1

B2

B3

B4

B5

C

C1

C0

t = 0Output Queue


A B

B0

B1

B2

B3

B4

B5

C

C1

C0

t = 0

A0

t = 1Output Queue


A B

B1

B2

B3

B4

B5

C

C1

C0

t = 0

A0

t = 1

B0

t = 2Output Queue


A B

B1

B2

B3

B4

B5

C

C0

t = 0

A0

t = 1

B0

t = 2

C1

t = 3Output Queue


A B

B2

B3

B4

B5

C

C0

t = 0

A0

t = 1

B0

t = 2

C1

t = 3

B1

t = 4Output Queue


A B

B3

B4

B5

C

C0

t = 0

A0

t = 1

B0

t = 2

C1

t = 3

B1

t = 4

B2

t = 5Output Queue


A B

B4

B5

C

C0

t = 0

A0

t = 1

B0

t = 2

C1

t = 3

B1

t = 4

B2

t = 5

B3

t = 6Output Queue


A B

B5

C

C0

t = 0

A0

t = 1

B0

t = 2

C1

t = 3

B1

t = 4

B2

t = 5

B3

t = 6

B4

t = 7Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D0

D1

D2

D3

D4

D5

E

E0

E1

E2

E3

E4

F G

G0

G1

H

H0

H1

I

I0

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E0

E1

E2

E3

E4

F G

G0

G1

H

H0

H1

I

I0

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G0

G1

H

H0

H1

I

I0

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H0

H1

I

I0

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I0

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I1

I2

I3

I4

J

J0

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4

I0

t = 5Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I1

I2

I3

I4

J

J1

K

K0

L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4

I0

t = 5

J0

t = 6Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I1

I2

I3

I4

J

J1

K L

L0

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4

I0

t = 5

J0

t = 6

K0

t = 7Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I1

I2

I3

I4

J

J1

K L

L1

L2

L3

M

M0

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4

I0

t = 5

J0

t = 6

K0

t = 7

L0

t = 8Output Queue


A

A0

A1

A2

A3

B

B0

B1

B2

B3

C

C1

C2

C3

C4

D

D1

D2

D3

D4

D5

E

E1

E2

E3

E4

F G

G1

H

H1

I

I1

I2

I3

I4

J

J1

K L

L1

L2

L3

M

M1

N

N0

N1

N2

N3

N4

N5

N6

O

O0

O1

O2

O3

O4

O5

C0

t = 0

D0

t = 1

E0

t = 2

G0

t = 3

H0

t = 4

I0

t = 5

J0

t = 6

K0

t = 7

L0

t = 8

M0

t = 9Output Queue

Attack Example

Client

Tor Node 3 - Our Exit Node

Server

Tor Node 1 - Unknown Node Malicious Client

Tor Node 2 - Known High BW Tor Node 1

High BW Tor Node 2 Malicious Server

Attack Implementation

I Modified exit node

I Modified malicious client node

I Lightweight malicious web server running on GNUlibmicrohttpd

I Client side JavaScript for latency measurements

I Instrumentation client to receive data

Gathered Data Example (1/8)

1

2

3

4

5

6

7

0 200 400 600 800 1000 1200

10

20

30

40

50

60

70

80

90

100

110

120

130

140

150

160

Late

ncy

varia

nce

(in s

econ

ds)

Byt

es e

xpen

ded

by a

ttack

er (

in k

B)

Sample number

Latency measurement graph freedomsurfers

Control RunAttack Run

Downloaded Data


1

5

10

15

20

25

3031

0 200 400 600 800 1000 1200

10

20

30

40

50

Late

ncy

varia

nce

(in s

econ

ds)

Byt

es e

xpen

ded

by a

ttack

er (

in k

B)

Sample number

Latency measurement graph bloxortsipt41


Downloaded Data


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

0 200 400 600 800 1000 1200

10

20

30

40

Late

ncy

varia

nce

(in s

econ

ds)

Byt

es e

xpen

ded

by a

ttack

er (

in k

B)

Sample number

Latency measurement graph carini


Downloaded Data


1

2

3

4

5

6

7

8

9

10

11

12

13

0 200 400 600 800 1000 1200

10

20

30

40

Late

ncy

varia

nce

(in s

econ

ds)

Byt

es e

xpen

ded

by a

ttack

er (

in k

B)

Sample number

Latency measurement graph carini


Downloaded Data


0

100

200

300

400

500

600

1 2 3 4 5 6 7

Num

ber o

f mea

sure

men

ts in

rang

e

Range of measurements (in seconds)

Histogram of latency measurements for freedomsurfers


Control Run Regression LineAttack Run Regression Line


0

100

200

300

400

500

600

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Num

ber o

f mea

sure

men

ts in

rang

e


Histogram of latency measurements for bloxortsipt41




0

100

200

300

400

500

600

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Num

ber o

f mea

sure

men

ts in

rang

e


Histogram of latency measurements for carini




0

100

200

300

400

500

600

1 2 3 4 5 6 7 8 9 10 11 12 13

Num

ber o

f mea

sure

men

ts in

rang

e


Histogram of latency measurements for carini



Statistical Analysis

I Use modified χ2 test

I Compare baseline distribution to attack distribution

I High χ2 value indicates distribution changed in the rightdirection

I Product of χ2 confidence values over multiple runs

I Iterate over suspect routers until single node stands out

Cumulative Product of χ2 p-values

1-1x10-20

1-1x10-10

.99999

.99.9

0 0 5 10 15 20 25 30

Pro

duct

of C

onfid

ence

Val

ues

Number of Runs

RattensalatSEC

wie6ud6Bhamakor

yavsauk

dontmesswithmecThor

Raccooneponymousraga

BlueStar88awranglerrutgersedu

conf555nickmf62525

miskatonicWeAreAHedge

anon1984n2c64177124055

bondserver3

1-1x10-10

.99999

.99

.9

0 0 2 4 6 8 10 12 14

Pro

duct

of C

onfid

ence

Val

ues

Number of Runs

Privacyhostingc64177124055

DieYouRebelScum1ArikaYumemiya

aukmrkoolltor

TorSchleimmyrnaloy

judasDoodles123

tin0baphomet

kalliodiora

aquatoriusEinlauf

dontmesswithmeaskatasuna

century

What We Actually Achieve

I We do identify the entire path through the Tor network

I We do achieve this on the 2009 Tor network

I Attack works on routers with differing bandwidths

I This means that if someone were performing this attack froman exit node, Tor becomes as effective as a network ofone-hop proxies

Why Our Attack is Effective

I Since we run the exit router, only a single node needs to befound

I Our multiplication of bandwidth technique allows lowbandwidth connections to DoS high bandwidth connections(solves common DoS limitation)

Fixes

I Don’t use a fixed path length (or at least make it longer)

I Don’t allow infinite path lengths (this is fixed in Tor now!)

I Induce delays into connections (probably not going to happen)

I Monitor exit nodes for strange behavior (been donesomewhat)

I Disable JavaScript in clients

I Use end-to-end encryption

Attack Improvements/Variants

I Use meta refresh tags for measurements instead of JavaScript

I Parallelize testing (rule out multiple possible first nodes atonce)

I Improved latency measures for first hop to further narrowpossible first hops

Conclusion

I Initial Tor implementation allowed arbitrary length paths

I Arbitrary path lengths allow latency altering attack

I Latency altering attack allows detection of significant changesin latency

I Significant changes in latency reveal paths used

Questions?

Anonymity With Tor

Documents

Transcript of Anonymity With Tor