iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr - - PowerPoint PPT Presentation

ilab
SMART_READER_LITE
LIVE PREVIEW

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr - - PowerPoint PPT Presentation

Dec 01, 2022 401 likes •883 views

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

slide-1
SLIDE 1

iLab

Onion Routing Benjamin Hof hof@in.tum.de

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München

Lab 9 – 16ss

1 / 38

slide-2
SLIDE 2

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

2 / 38

slide-3
SLIDE 3

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

3 / 38

slide-4
SLIDE 4

Anonymity

Anonymity set: set of people indistinguishable to the adversary

◮ size ◮ diversity

This is not enough!

4 / 38

slide-5
SLIDE 5

Separation of network identity and routing

is the service provided by onion routing.

5 / 38

slide-6
SLIDE 6

Overlay network

6 / 38

slide-7
SLIDE 7

Overlay network

6 / 38

slide-8
SLIDE 8

Onion skins

server guard middle exit Circuits: nested encrypted connections via three relays

7 / 38

slide-9
SLIDE 9

Design goals

◮ anonymous routing

non-goals are, e.g.

◮ anonymity ◮ global passive adversary ◮ end to end correlation

attacker power

◮ limited active and passive network attacks ◮ compromised relays 8 / 38

slide-10
SLIDE 10

Attacker model

9 / 38

slide-11
SLIDE 11

Attacker model

9 / 38

slide-12
SLIDE 12

Attacker model

9 / 38

slide-13
SLIDE 13

◮ you are anonymous to the service you visit ◮ your network does not see which services you visit 10 / 38

slide-14
SLIDE 14

Tor

Tor is an implementation of onion routing.

◮ censorship circumvention ◮ open design process ◮ low latency anonymity system

Software

◮ tor ◮ obfsproxy ◮ Tor Browser ◮ . . . lots of ecosystem around it 11 / 38

slide-15
SLIDE 15

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

12 / 38

slide-16
SLIDE 16

Components

  • nion router

◮ identity key ◮ relays traffic

directory authority

◮ authority identity key ◮ manage list of onion routers ◮ agree on unified network view with other DAs

  • nion proxy

◮ build circuit consisting of onion routers ◮ ingest application traffic 13 / 38

slide-17
SLIDE 17

Relationships

DA OR OP OR OP OR OR DA DA

14 / 38

slide-18
SLIDE 18

Relationships

DA OR OP OR OP OR OR DA DA

14 / 38

slide-19
SLIDE 19

Directory authority

directory authority 0 addr, port, pub key addr, port, pub key . . .

  • ther directory authorities

hourly vote

◮ authority identity key ◮ authority signing key 15 / 38

slide-20
SLIDE 20

Descriptor

◮ nickname ◮ IP, port ◮ identity key (long-term KSK) ◮ signing key (medium-term) ◮ onion key ◮ published date ◮ version ◮ lots of other info, e.g. bandwidth ◮ signature

Right now there is a transition from RSA 1024 to ED25519 with cross signatures.

16 / 38

slide-21
SLIDE 21

Joining the network

  • nion router

◮ upload descriptor ◮ retrieve consensus

DA functionality check DA voting

  • nion proxy

◮ retrieve consensus ◮ build circuits 17 / 38

slide-22
SLIDE 22

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

18 / 38

slide-23
SLIDE 23

Overview

OR1 OR2 OR3 stream relay circuit extend TLS + link protocol

19 / 38

slide-24
SLIDE 24

Overview

◮ OR connections protected with combined TLS and cell protocol

handshake

◮ all Tor communication in cells inside TLS ◮ authenticated ECDH handshakes (ntor) to build circuits ◮ “onion skin” layered encryption on the relay subprotocol cells 20 / 38

slide-25
SLIDE 25

Cells

circuit id command length payload 4 octets 1 octet 2 octets may be padded

◮ VERSIONS: version negotiation ◮ CERTS: certificates ◮ CREATE2: ntor handshake DH ◮ CREATED2: ntor handshake DH, authenticator ◮ RELAY: subprotocol (data) ◮ DESTROY: reason for tearing down circuit ◮ and many more

This is the version 4 link protocol. Most cells have fixed size 514

  • ctets.

21 / 38

slide-26
SLIDE 26

Relay subprotocol

relay cmd recognized stream id digest length payload 1 octet 2 octets 2 octets 4 octets 2 octets padded

◮ RELAY_EXTEND2 (control): CREATE2 ◮ RELAY_EXTENDED2 (control): CREATED2 ◮ RELAY_RESOLVE: very simple DNS query ◮ RELAY_RESOLVED: DNS response ◮ RELAY_BEGIN: address, port ◮ RELAY_CONNECTED: address, port ◮ RELAY_DATA: original TCP SDU ◮ RELAY_END: termination reason ◮ and many more

This is where the encryption happens.

22 / 38

slide-27
SLIDE 27

Link handshake

authenticate using TLS info OR1 OR2 TLS VERSION V E R S I O N , C E R T S , N E T I N F O N E T I N F O

◮ version 3 handshake flow ◮ TLS connection reused for all circuits between OR1 and OR2 23 / 38

slide-28
SLIDE 28

Circuit setup

◮ extend circuits by one hop at at time ◮ connect a stream to a TCP/IP destination ◮ then: relay cells with application content

Spare circuits are created ahead of time.

24 / 38

slide-29
SLIDE 29

Relay protocol: circuit extension

OP guard middle CREATE2 CREATED2 EXTEND2(CREATE2) C R E A T E 2 C R E A T E D 2 EXTENDED2(CREATED2)

25 / 38

slide-30
SLIDE 30

ntor handshake

◮ one-way authenticated DH key agreement ◮ no signatures or RSA involved ◮ two DH operations ◮ forward security ◮ responder authenticated ◮ initiator anonymous ◮ security proofs for: key agreement, authentication, anonymity 26 / 38

slide-31
SLIDE 31

ntor (simplified)

  • 1. Bob: (b, B) ← GenDH()
  • 2. Alice learns authentic IDB, B.

3. (x, X) ← GenDH() (y, Y ) ← GenDH() dh := yX||bX (sk′, sk) := H(dh||IDB||X||Y ) tB := Macsk′(IDB||X||Y ) dh := xY ||xB (sk′, sk) := H(dh||IDB||X||Y ) Vrfysk′(tB, (IDB||X||Y )) IDB, X Y , tB

27 / 38

slide-32
SLIDE 32

Processing of a relay cell

cid cmd [encrypted] OR2: Deck2(·) recog ? = 0 → pass along circuit OR3: Deck3(·) recog ? = 0 Vrfyk(MAC, cell) cid cmd cmd recog sid digest len payload

28 / 38

slide-33
SLIDE 33

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

29 / 38

slide-34
SLIDE 34

sslstrip

exit server

30 / 38

slide-35
SLIDE 35

Correlation

server

31 / 38

slide-36
SLIDE 36

Correlation

server → guard nodes

31 / 38

slide-37
SLIDE 37

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

32 / 38

slide-38
SLIDE 38

Censorship circumvention

Bridges

◮ “secret” relays ◮ “pluggable transports” as obfuscation layer 33 / 38

slide-39
SLIDE 39

Onion services

◮ location hidden services / responder anonymity ◮ service offering without disclosing network identity ◮ name/URL: hash of public key ◮ authenticating URL: tunnel TCP connections to an OR

currently not all properties secure

34 / 38

slide-40
SLIDE 40

Circuit setup (conceptual)

DHT OP RP IP OS IP IP

35 / 38

slide-41
SLIDE 41

Circuit setup (conceptual)

DHT OP RP IP OS IP IP descriptor: IPs, kpub

35 / 38

slide-42
SLIDE 42

Circuit setup (conceptual)

DHT OP RP IP OS IP IP

35 / 38

slide-43
SLIDE 43

Circuit setup (conceptual)

DHT OP RP IP OS IP IP RP

35 / 38

slide-44
SLIDE 44

Circuit setup (conceptual)

DHT OP RP IP OS IP IP

35 / 38

slide-45
SLIDE 45

Use cases

◮ responder authentication ◮ break out of NAT ◮ hide server location

Example

◮ Facebook social network: https://facebookcorewwwi.onion ◮ DuckDuckGo search engine: http://3g2upl4pq6kufc4m.onion ◮ Debian GNU/Linux operating system mirror:

http://vwakviie2ienjx6t.onion

◮ Ricochet messenger

Always offer additionally to TLS.

36 / 38

slide-46
SLIDE 46

Outline

Introduction Trust architecture Protocols Attacks Further topics Announcements

37 / 38

slide-47
SLIDE 47

Announcements

◮ tentative dates for oral attestations: July 15-22 ◮ lecture recordings with two audio tracks ◮ additional radio NICs 38 / 38