cryptographic challenges in and around tor
play

Cryptographic Challenges in and around Tor Nick Mathewson The Tor - PowerPoint PPT Presentation

Jan 20, 2024 •268 likes •601 views

Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013 Summary Very quick Tor overview Tor's cryptography, and how it's evolving Various opportunities for more Tor crypto work Disclaimer: This is

  1. Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013

  2. Summary ● Very quick Tor overview ● Tor's cryptography, and how it's evolving ● Various opportunities for more Tor crypto work Disclaimer: This is not exhaustive; these are only our most interesting crypto needs, not all of them; these are not our most urgent needs in general.

  3. Part 1: Tor overview

  4. Ordinarily, traffic analysis and censorship are easy. User Server Server Server User Server Server User +

  5. Ordinarily, traffic analysis and censorship are easy. User Server Server Server k n i L l i v User Server E Evil User Server Evil ISP

  6. Tor makes traffic analysis and censorship harder... User Server Server Server Tor Network User Server (abstract) Server User

  7. ...by using a network of relays to anonymize traffic. Tor User Server Server Server Tor Relay Exit Tor Relay Tor User Server Relay Tor Relay Tor Tor Server User Exit Relay (Use non-public entry relays to resist censorship.)

  8. (But an end-to-end traffic correlation attack still works.) User Server Server Server X xx Tor Network User Server (abstract) X xx Server User

  9. Tor is the largest deployed network of its kind ● 3000 relays ● 1000 public bridges ● > 2 GiB/sec ● > 500,000 users each day (estimated) – (With a pretty broad diversity of interest)

  10. Part 2: Tor could use better crypto

  11. Tor uses TLS for its link protocol... Tor TLS User Relay Tor Tor TLS Relay Relay

  12. … with all the problems that entails. ● Easy to detect TLS variants based on: – Cipher choice – Certificate structure – List of extensions ● More secure: less common. Can't use any unpopular TLS feature. (Did you know I have an effective veto over any new TLS features?)

  13. Maybe other link protocols are better for anticensorship? Tor User Relay Plugin Plugin There are a number of these “Pluggable Transports” in development, but we need even more. Even weak stego can help . ...Do we still need “normal-looking” TLS?

  14. Tor needs a one-way-authenticated handshake to build circuits Relay Relay User A B E(PK_A, g^x1) H 1 ( g ^ x 1 y 1 ) g ^ y 1 , (Now have K1= KDF(g^xy) +

  15. Tor needs a one-way-authenticated key exchange to build circuits Relay Relay User A B Enc(PK_A, g^x1) H 1 ( g ^ x 1 y 1 ) g ^ y 1 , (Now have K1= KDF(g^x1y1) E_K1(Enc(PK_B,g^x2)) Enc(PK_B,g^x2) g^y2, H1(g^x2y2) E_K1(g^y2, H1(g^x2y2)) (Now have K2= KDF(g^x2y2)

  16. We're replacing this protocol... ● Original protocol (“TAP”) did hybrid encryption with RSA,DH-1024, badly. [Goldberg 2006] ● Replacement (“ntor”) does approximately C->S: g^x S->C: g^y, H1(inp=H( g^x g^y g^xb g^xy ...)) K = KDF(H2(inp)) [Goldberg, Stebila, Ustaoglu 2011] (We're using DJB's curve25519 for DH group)

  17. ...and might replace it again ● Alternative (“ace”) does approximately: C->S: g^x1, g^x2 S->C: g^y K = KDF(g^[bx1 + yx2]) [Backes, Kate, Mohammedi 2012] ● Best choices will depend on implementation tweaks. ● Can you do better?

  18. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (503) (4) +

  19. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) +

  20. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) To handle a cell: ● Remove a layer of encryption. ● If Zeros == 0, and “MAC” = H(Key3_M, Previous cells | Payload): + This cells is for us! ● Else, relay the cell

  21. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Zeros Bad “MAC” Payload (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) But this is malleable!

  22. Hang on, does it matter that it's malleable? User M Evil Altered M' Tor Altered M'' Tor Relay Relay Exit ● Honest exit (probably) rejects M'' ● Evil exit detects tag, but could just as easily do traffic correlation, for same result at less risk of detection. ● So, don't worry? (Dingledine, Mathewson, Syverson 2004) +

  23. Hang on, does it matter that it's malleable? User M Evil Altered M' Tor Altered M'' Tor Relay Relay Exit ● Honest exit (probably) rejects M'' ● Evil exit detects tag, but could just as easily ///////////////////// do traffic correlation, for same result //////////////////////// at less risk of detection. ● Actually, it's not so clear-cut.

  24. We could use an encrypt-and-mac structure ENC(Payload,K1) MAC1 MAC3 ENC(... , K2) ENC(... , K3) +

  25. We could use an encrypt-and-mac structure ENC(Payload,K1) MAC1 MAC3 ENC(... , K2) ENC(... , K3) But that requires one MAC per hop, and leaks path length.

  26. A chained wide-block cipher seems like a much better idea! Zeros Payload WideBlock(Key1) WideBlock(Key2) WideBlock(Key3) +

  27. A chained wide-block cipher seems like a much better idea! Zeros Payload WideBlock(Key1) WideBlock(Key2) WideBlock(Key3) Any attempt to change the block renders the whole circuit unrecoverable.

  28. What wide-block cipher to use? ● Not enough time to discuss all of them (LIONESS, CMC, XCB, HCTR, XTS, XEX, HCH, TET) ● Needs to be fast, proven, secure, easy-to- implement, non-patent-encumbered, side- channel-free,... ● One promising approach in progress by Bernstein, Sarkar, and Nandi – HFFH Feistel structure, fast, not yet finished. ● Other ideas?

  29. Tor gets blocked too much. ● Some services mistake Tor for abuse ● Some services use IP blocking as a proxy for people-blocking, and can't not block Tor. (Wikipedia edits, some IRC nets.) Can we do better?

  30. Provide a way for users to make themselves blockable. ● Slightly expensive pseudonyms? – (Expensive how? SA model?) ● Anonymous blacklistable credentials? (Nymble, BNymble, BLACR, VERBS, Jack...) – Time to try this out in the wild? – What will we learn about their usability? Are they right?

  31. There are more crypto issues in Tor ● Directory protocol ● Hidden service protocol ● Better DOS resistance ● SHA1, RSA1024 for node identity

  32. Questions? ● See https://www.torproject.org/ for links to documentation, specifications, and more info about various Tor issues. ● See http://freehaven.net/anonbib/ for an incomplete but nonetheless useful anonymity bibliography. ● Grab me during a break for non-crypto Tor questions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with

S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with Payment-Channel Networks Pedro Moreno-Sanchez RWC20 New York, Jan 10 th 2020 @pedrorechez Scalability

1.27k views • 84 slides
Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew

Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew

Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew Regenscheid Cryptographic Technology Group Cryptographic Technology Group Mission: Research, develop, engineer, and standardize cryptographic

321 views • 28 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May 27 th , 2008 A cryptographic hash function produces cryptographic checksums or fingerprints cryptographic checksums or fingerprints Fast

716 views • 25 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010

1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010

1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010 2 Thanks Ben Adida (Harvard University) Yuval Kedem (Gallileo) David Movshovitz (IDC Herzlyia) Shimon Schocken (IDC Herzlyia)

1.83k views • 148 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803 It is also important that a receiver is assured Computer and Network Security that the data it receives has come from the sender and has not been

617 views • 5 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Cryptography This course provides an overview of basic modern cryptographic techniques and covers

Cryptography This course provides an overview of basic modern cryptographic techniques and covers

What is this course about? Aims Cryptography This course provides an overview of basic modern cryptographic techniques and covers essential concepts that users of cryptographic standards need to understand to achieve their intended security

855 views • 58 slides
Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL Research University, Paris, France ECRYPT-NET Summer School, Crete, Greece 12 th October 2017 R azvan Ros ie Key-Robustness for Cryptographic

949 views • 48 slides
Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram

Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram

Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram Ramjee Bell Labs, Lucent Technologies Murray Hill, NJ Network Architecture for 4G Macro-cell architecture may not have enough capacity and coverage

341 views • 18 slides
Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless

Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless

Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless it is the end of the circuit. Relay Cell Cell Arrives. Control Cell Type? Process Cell Am I the end No Yes of the circuit? Forward to

292 views • 15 slides
The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J. Bernstein Each number in 1 2 represented in binary. Thanks to: University of Illinois at Chicago Output:

786 views • 67 slides
Arrays So far we have been dealing with single data items What if you want to handle

Arrays So far we have been dealing with single data items What if you want to handle

Arrays So far we have been dealing with single data items What if you want to handle multiple related data items of the same type? An array is a container that holds a related group of values of the same type The grades for

681 views • 57 slides
Vulnerabilities in Tor: past, present, future Roger Dingledine The Tor Project

Vulnerabilities in Tor: past, present, future Roger Dingledine The Tor Project

Vulnerabilities in Tor: past, present, future Roger Dingledine The Tor Project https://www.torproject.org/ 1 Outline Crash course on Tor Solved / solvable problems Tough ongoing issues, practical Tough ongoing issues, research

709 views • 49 slides
PWE3 PW/VCCV User Implementa4on Survey Results

PWE3 PW/VCCV User Implementa4on Survey Results

PWE3 PW/VCCV User Implementa4on Survey Results dra<-delregno-pwe3-pw-vccv-impl-survey-results-01 Nick DelRegno IETF 80, Prague

200 views • 19 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New

D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New

D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New CAESAR project: C ompetition for A uthenticated E ncryption: S ecurity, A pplicability, R obustness http://competitions.cr.yp.to NIST has

546 views • 42 slides

More recommend