Tor: The SecondGeneration Onion Router Authors: Roger Dingledine, Nick Mathewson, Paul Syverson Presented by: Alexander Truong Anonymous Communication Systems Relay based (Chaums Mix-Net) High-latency Babel, Mix-master, Mixminion Resistant to global adversary E-mail Low-latency
Tor, Anonymizer, Java Anon Proxy, PipeNet, Freedom Vulnerable to timing attacks and volume analysis E-mail, chat, SSH, web browsing Onion Routing Onion routing dates back to 1996 Anonymizes TCP applications Volunteer-based Onion Routers (OR) Security Objective: Relationship Unlinkability, Message Unlinkability w.r.t. subject PKA(PKB(PKC(M) + C) + AB) PKB(PKC(M) + AC) PKC(M) Message M
S A B C Tor design improvements Security Perfect forward secrecy; Removed mixing, padding, traffic shaping; Hidden services via rendezvous points; End-to-end integrity checking;
Leaky-pipe circuit topology Efficiency TCP stream multiplexing; Congestion control; Directory servers Usability SOCKS proxy interface; Exit policies Design Goals of Tor Practical to deploy: low bandwidth, smear-resistant, easy to implement Easy to use: Minimal application modification, configuration, delay Security requirement: Difficult to use Less users Less anonymity
Well-understood, simple design to facilitate implementation and security analysis Flexible for future testing and research Threat Model Tor does not protect against a strong global adversary Focus on traffic analysis attacks We assume the adversary can observe a fraction of network traffic generate, modify, delete, delay traffic operate onion routers compromise onion routers Tor
Overlay network: operates in user space without elevated privileges Operators deploy Onion Routers (OR) maintains a TLS connection to every other OR Users run Onion Proxies (OP) fetch directories, create circuits across network, multiplexes TCP streams to circuits Directory servers Cells (packets) Circuits and streams Directory Servers Trusted servers called directory servers maintain a directory of ORs and their
identity key. Clients fetch a trusted directory if it is signed by threshold of directory servers In previous onion routing designs, ORs flooded the network to update network status Adversary can exploit differences in network views caused by delays Onion Router Long-term identity key Sign TLS certs, router descriptor, sign directories Short-term onion key Decrypt user circuit requests Negotiate short-term keys
Rotated periodically Cells 512 bytes of header + payload Control Cells padding, create[d], destroy Relay Cells data, begin/connected, end, teardown, extend[ed], truncate[d], sendme, drop 128-bit AES counter mode, stream cipher
Relay Cells Sending a relay cell to OR3 1. OP assigns a digest, then encrypts the relay cell K1(K2(K3(Relay Cell))) 2. OR1 and OR2 decrypts, checks the digest, finds an invalid digest, and passes the cell onto the next OR 3. OR3 decrypts and finds a valid digest and processes the cell OP can send to any OR on the circuit, enabling a leaky pipe topology Circuits Efficient circuit usage: circuits are shared by multiple TCP streams Low delay: circuits are constructed
preemptively Minimal user impact: circuits are created in the background Reduce linkability periodically create new circuits expire unused or old circuits TCP streams Circuits HTTP1
C1 HTTP2 C2 SSH1 IRC1 XYZ1 Circuit Construction Negotiate symmetric key using Diffie-Hellman with each OR in the circuit OP uses create, created, relay extend, relay extended cells to create a
circuit. OP OR1 OR2 (create, ) (created, ) (relay extend, ) (create, ) (created, ) (relay extended, )
TCP connections An application requests the OPs SOCKS interface to create a TCP connection OP uses relay commands to open TCP streams and exit nodes Some applications resolve a hostname before connecting to Tor Privoxy filters HTTP requests and skips DNS resolution Application TCP traffic
SOCKS proxy interface Onion Proxy Relay cells Circuit Location-hidden service Service can be offered without revealing IP address Filter incoming requests Protect against DDoS Maintain pseudonymity HS able to migrate IPs
Smear-resistance for rendezvous points Users are not required to modify applications Introduction points A hidden service (HS) advertises introduction points (IP) on a lookup service, signed with the owners public key. HS Many IPs must be created to resist DoS attacks
IP IP Tor network IP Rendezvous Point Set Up 1. OP sets up a circuit with Rendezvous Point (RP) with a rendezvous cookie OP
(2) IP HS (1) 2. OP contacts IP with RP, rendezvous cookie, and DH handshake half
RP 3. IP sends to HS 4. HS creates circuit to RP with cookie and completed DH handshake (3) OP RP
(4) HS Integrity checking TLS protects against external adversary OP creates a SHA-1 digest with each node in the circuit to protect against internal adversary Initial digest of shared key Incrementally add to digest Contents of all relay cells each node created First 4 bytes of the current digest
To modify a cell, adversary must deduce digest from all traffic and shared key Limiting bandwidth Tor limits incoming bytes over a long-term average Uses the token bucket algorithm Circuit-level throttling Uses a packaging window and delivery window Packaging or delivering a cell decrements the corresponding window Relay sendme increments a window When packaging window is 0, OR stops reading until receiving a relay sendme Stream-level throttling
Similar to circuit-level throttling, has a packaging window and delivery window Sends relay sendme only when bytes are flushed to TCP stream Exit policies Potential abuse of the Tor network deters deployment Onion Router operators may be mistaken for users abusing the network Exit policies allow operators to restrict/filter traffic to prevent abuse Attacks Passive Observe network edges for entering and exiting traffic to analyze timing, volume, userselected options
Active attacks Attack trustworthy routers; Perform illegal activities (smear) on reliable routers Deny service to users, then observe effect on network Directory attacks Subvert directory servers; Trick servers to list a compromised OR Rendezvous attacks Attack/flood introduction points Future Research More scalable design, more anonymity and supports more users Effectiveness of padding links
Incremental updates from directory servers Questions?
