Onion network architecture
-
Upload
mahdi-ataeyan -
Category
Internet
-
view
603 -
download
1
Transcript of Onion network architecture
![Page 2: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/2.jpg)
Privacy?!
![Page 3: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/3.jpg)
Symmetrickey algorithm
![Page 4: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/4.jpg)
Public key crypto
● An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm.
Alice011010101011011101000011011010
LargeRandomNumber
KeyGenerationProgram
Public Private
![Page 5: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/5.jpg)
Public key encryption
● In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of the private key.
Hello Alice!
Alice's private key
Encrypt
6EB69570 08E03CE4
Hello Alice!
Decrypt
Alice's public key
Bob
Alice
![Page 6: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/6.jpg)
Public key shared secret
● In the Diffie–Hellman key exchange scheme, each party generates a public/private key pair and distributes the public key. After obtaining an authentic copy of each other's public keys, Alice and Bob can compute a shared secret offline. The shared secret can be used, for instance, as the key for a symmetric cipher.
Alice's private key
Combine keys
Bob's public key
751A696C 24D97009
Alice's public key
Bob's private key
Alice
Alice and Bob's shared secret
Bob
Combine keys
751A696C 24D97009
Alice and Bob's shared secret
![Page 7: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/7.jpg)
what's Onion routing?
● OR is a technique for anonymous communication over a computer network
● peeling an onion.
![Page 8: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/8.jpg)
Why onion?
Message
Router C Key
Router B Key
Router A Key
Source
Router ARouter B
Router CDestination
![Page 9: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/9.jpg)
entry node
● First hop into the tor network.
![Page 10: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/10.jpg)
exit node
● last hop before destination.
![Page 11: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/11.jpg)
relay node
● Middle node
![Page 12: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/12.jpg)
bridge node
● nodes not listed in the tor directory to evade filtering
![Page 13: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/13.jpg)
Steps
● The originator picks nodes from the directory node and chose some node.
● the chosen nodes are ordered (chain or circuit)
● Originator encript and send data.
![Page 14: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/14.jpg)
picks nodes from the directory node
![Page 15: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/15.jpg)
Select node
![Page 16: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/16.jpg)
After 10 minute...
![Page 17: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/17.jpg)
Who can see the message?
● the sender● the last intermediary (the exit node)● the recipient
![Page 18: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/18.jpg)
endtoend encryption
![Page 19: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/19.jpg)
Tor off https off
![Page 20: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/20.jpg)
Tor off https on
![Page 21: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/21.jpg)
Tor on https off
![Page 22: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/22.jpg)
Tor on https on
![Page 23: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/23.jpg)
Weaknesses
● Timing analysis● Intersection attacks● Predecessor attacks● Exit node sniffing● Dos nodes● social engineering attacks
![Page 24: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/24.jpg)
Who's using tor?
● Diplomatic mission● Militaries● Normal people● Journalists● Activists & Whistleblowers
![Page 25: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/25.jpg)
Hidden service
● anonymity websites and servers.
● accessed through onion address.
● Abcdefghijklmnop.onion
![Page 26: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/26.jpg)
rendezvous protocol
● computer network protocol.
● Enables network node to find each other.
● require at least one unblocked and unNATed servers.
![Page 27: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/27.jpg)
advertise
● advertise existence● randomly picks some relays● asks them to act as „introduction points“● send public key● introduction points dont know service
location (ip)
![Page 28: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/28.jpg)
introduction points
![Page 29: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/29.jpg)
hidden service descriptor
● the hidden service assembles a hidden service descriptor
● signs descriptor with private key.● uploads descriptor to a distributed hash
table.● 16 character name derived from the service's
public key.onion
![Page 30: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/30.jpg)
hidden service descriptor
![Page 31: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/31.jpg)
Client rendezvous point
● client needs to know onion address.● download the descriptor from the
distributed hash table.● the client knows the introduction points and
the right public key.● Client select and connect to rendezvous
point and telling it a onetime secret.
![Page 32: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/32.jpg)
Client rendezvous point
![Page 33: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/33.jpg)
client introduce message
● the client assembles an „introduce message“ (encrypted to the hidden service's public key) + address of the rendezvous point and the onetime secret.
● The client sends „introduce message“ to one of the introduction points.
● introduction points delivered to the hidden service.● the client and service remains anonymous.
![Page 34: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/34.jpg)
client introduce message
![Page 35: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/35.jpg)
Hidden Service rendezvous point● The hidden service decrypts the client's
introduce message and finds the address of the rendezvous point and the onetime secret in it.
● The service creates a circuit to the rendezvous point and sends the onetime secret to it in a „rendezvous message“.
![Page 36: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/36.jpg)
Hidden Service rendezvous point
![Page 37: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/37.jpg)
the last step
● the rendezvous point notifies the client about successful connection establishment.
● connection between client and hidden service consists of 6 relay.
![Page 38: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/38.jpg)
the last step
![Page 39: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/39.jpg)
Hidden service protocol
![Page 40: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/40.jpg)
Xyz.onion
● SHA1 hash of the public key● the first half of the hash is encoded to
Base32● the suffix „.onion“ is added.● .onion names can only contain the digits 27
and the letters az and are exactly 16 characters long.
![Page 41: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/41.jpg)
Why automaticallygenerated service name?
![Page 42: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/42.jpg)
facebookcorewwwi.onion
![Page 43: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/43.jpg)
Birthday attack
● cryptographic attack● abuse
communication between two or more parties
●
00.10.20.30.40.50.60.70.80.9
1
0 10 20 30 40 50 60 70 80 90 100P
rob
ab
ility o
f a
pa
ir
Number of people
23
![Page 44: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/44.jpg)
Get specific .onion address
● Shallot ● Scallion (GPU hashing)● Eschalot (wordlist search)
![Page 45: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/45.jpg)
test!
![Page 46: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/46.jpg)
shallot
● https://codeload.github.com/katmagic/Shallot/zip/master
● ./configure && make● ./shallot● ./shallot ^onion● Found matching domain after 22204717
tries: onion6r33t2v3sq7.onion
![Page 47: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/47.jpg)
Shallot 1.5 GHZ
● Characters● 1● 3● 5● 7● 9● 11● 14
● Time to generate● Less than 1 sec● Less than 1 sec● 1 min● 7 day● 2,5 years● 640 years● 2.6 milion years
![Page 48: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/48.jpg)
Hidden services
![Page 49: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/49.jpg)
Who's using hidden service
● Hitman network● drugs● Child pornography● Hacking● Political
(anarchism, ...)● Warez
![Page 50: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/50.jpg)
Tor network hacked by FBI?
![Page 51: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/51.jpg)
Plausible deniability
![Page 52: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/52.jpg)
List of most popular onion websites● DuckDuckGo● The Pirate Bay● Facebook● Blockchain.info● Wikileaks● SecureDrop
![Page 53: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/53.jpg)
Graph Relays and bridges
![Page 54: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/54.jpg)
● http://en.wikipedia.org/wiki/Onion_routing● http://en.wikipedia.org/wiki/Tor_%28anony
mity_network%29● http://www.fbi.gov/news/pressrel/pressrele
ases/morethan400.onionaddressesincludingdozensofdarkmarketsitestargetedaspartofglobalenforcementactionontornetwork
● https://www.torproject.org/docs/hiddenservices.html.en
●
![Page 55: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/55.jpg)
● https://www.eff.org/pages/torandhttps● https://metrics.torproject.org/● http://en.wikipedia.org/wiki/Plausible_deniab
ility● http://www.theguardian.com/technology/2014
/oct/31/facebookanonymoustorusersonion●
![Page 56: Onion network architecture](https://reader034.fdocuments.us/reader034/viewer/2022052400/55a205771a28abf3648b465e/html5/thumbnails/56.jpg)
This work is licensed under a Creative Commons AttributionShareAlike 3.0 Unported License.
It makes use of the works of Kelly Loves Whales and Nick Merritt