Recent Changes and Advances in Tor Tran, Tuan Tu Technische - - PowerPoint PPT Presentation



SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Recent Changes and Advances in Tor

Tran, Tuan Tu, Technische Universität München, Seminar Future Internet SS2018, Department of Informatics, München, 06. April 2018

SLIDE 2

Imagine a dystopia … An oppressive regime … A world where …

SLIDE 3

… CAT PICTURES ARE BANNED

But there is hope: The Tor Network

(Intro joke, not to be taken seriously)

SLIDE 4

Overview

Tor network: basic structure and function

  • communicating through a circuit
  • hidden services

Threats/attack taxonomy

  • fingerprinting
  • correlation (in particular: asymmetric traffic analysis)
  • censorship

Countermeasures

Some unsolved issues of the Tor network

SLIDE 5

Tor Network: Basic structure and function

[Diagram: Client (onion proxy) → Onion router → Onion router → Onion router → Server; each hop between client and routers is a TLS connection]

SLIDE 6

Basic structure and function

[Diagram: Client (onion proxy) → Entry node → Middle node → Exit node → Server]

The data is transported in cells through the circuit

SLIDE 7

Circuit construction: Key negotiation (client and entry node n1)

  • Client chooses secret x1
  • Client → n1, Create cell: E(g^x1, n1 onion key)
  • n1 chooses secret y1
  • n1 → Client, Created cell: g^y1; H((g^x1)^y1)
  • n1 computes (g^x1)^y1; the client computes (g^y1)^x1
  • Common key k1: (g^y1)^x1 = (g^x1)^y1 = g^(x1*y1)

(E(object, key) = object encrypted with key)

SLIDE 8

Circuit construction: Extending the circuit (client, entry node n1, middle node n2)

  • Client → n1: E(Extend cell: E(g^x2, onion key of n2), k1)
  • n1 repackages the Extend cell into a Create cell and sends it to n2
  • n2 → n1, Created cell: g^y2; H((g^x2)^y2)
  • n1 repackages the Created cell into an Extended cell for the client
  • Only the client and n2 now know the common key k2

SLIDE 9

Circuit construction: relaying data (client → server)

[Diagram: Client → Entry node n1 → … → Exit node n3 → Server]

  • Client → n1: payload encrypted with k3, then k2, then k1 (the link to n1 carries data encrypted with k1 as the outermost layer)
  • n1 removes the k1 layer and forwards the payload encrypted with k3 and k2
  • … each following node removes its own layer
  • n3 removes the k3 layer and delivers the plain payload to the server

SLIDE 10

Circuit construction: relaying data (server → client)

[Diagram: Server → Exit node n3 → … → Entry node n1 → Client]

  • Server → n3: plain payload
  • n3 encrypts the payload with k3 and forwards it
  • … each following node adds its own layer, so n1 → Client carries the payload encrypted with k3, k2 and k1
  • The client removes all three layers and obtains the payload
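The key negotiation and layered relaying of slides 7 to 10, as an added Python example (not from the slides or from Tor's code): the group P, G and the HMAC keystream are toy stand-ins for Tor's real handshake and cipher, chosen only to show that every relay derives its own key and strips exactly one layer.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 5   # toy DH group, constructed for this example (not Tor's real parameters)

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent
    return x, pow(G, x, P)                    # (x, g^x mod p)

def shared_key(own_secret, peer_public):
    # (g^y)^x = (g^x)^y = g^(x*y) mod p, hashed into a 32-byte symmetric key
    return hashlib.sha256(pow(peer_public, own_secret, P).to_bytes(16, "big")).digest()

def layer(key, data):
    # Add or remove one encryption layer: XOR with an HMAC-derived keystream.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_circuit(hops):
    # One Create/Extend handshake per hop; relay i learns only its own k_i.
    client_keys, relay_keys = [], []
    for _ in range(hops):
        x, gx = dh_keypair()       # client sends g^x in the Create/Extend cell
        y, gy = dh_keypair()       # relay answers with g^y in the Created cell
        client_keys.append(shared_key(x, gy))
        relay_keys.append(shared_key(y, gx))
    return client_keys, relay_keys

def onion_wrap(client_keys, payload):
    # Client wraps with k3 first, then k2, then k1: the entry node's layer is outermost.
    cell = payload
    for k in reversed(client_keys):
        cell = layer(k, cell)
    return cell

def relay_forward(relay_keys, cell):
    # Each hop peels exactly one layer; 'seen' records what every hop observed.
    seen = []
    for k in relay_keys:
        cell = layer(k, cell)
        seen.append(cell)
    return cell, seen

def demo(payload=b"GET / HTTP/1.1"):
    # True if the exit recovers the payload and no earlier hop saw it in clear.
    ck, rk = build_circuit(3)
    out, seen = relay_forward(rk, onion_wrap(ck, payload))
    return out == payload and payload not in seen[:-1]
```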

SLIDE 11

Basic structure and function

[Diagram: Client → Onion router → Onion router → Onion router → Server, plus a Directory Server]

Descriptor: information about a node, like its public identity key and addresses

SLIDE 12

Basic structure and function

[Diagram: Client → Onion router → Onion router → Onion router → Server, plus a Directory Server]

Directory Server: information about the network, like the addresses of the nodes

SLIDE 13

Hidden service

[Diagram: Client, Server, Onion routers, Introduction Point, Distributed Hash Table]

SLIDE 14

Hidden service

[Diagram: the Server publishes its descriptor to the Distributed Hash Table]

Descriptor: introduction point, public key

SLIDE 15

Hidden service

[Diagram: the Client retrieves the descriptor from the Distributed Hash Table]

Out of band: the client learns the .onion address of the service, then retrieves its descriptor

SLIDE 16

Hidden service

[Diagram: Client, Server, Rendezvous Point, Introduction Point, Onion router, Distributed Hash Table]

  • Client connects to the introduction point
  • Client chooses a rendezvous point

SLIDE 17

Hidden service

[Diagram: Client and Server meet at the Rendezvous Point]

SLIDE 18

Threats/Attack taxonomy

Different types of attacks against the Tor network:

  • Fingerprinting attacks
    − Website fingerprinting
    − Keyword fingerprinting
  • Asymmetric traffic analysis
  • Attacks against censorship circumvention

SLIDE 19

Website Fingerprinting

[Diagram: Client → Entry node → Tor; the adversary observes the TLS-encrypted connection between client and entry node]

Analysing traffic patterns, like the number of packets sent/received

SLIDE 20

Website Fingerprinting: Pattern

[Diagram: a webpage made up of an HTML file, Image 1, … delivered to the client]

Each object of the webpage (e.g. an image file) is sent in a specific number of packets

SLIDE 21

Website Fingerprinting

[Diagram: Client → Tor → Server; the adversary collects packet samples and analyses them]

SLIDE 22

Website Fingerprinting: Test Results

(according to Analysis of Fingerprinting Techniques for Tor Hidden Services)

  • Does not scale well to an increasing number of websites
  • With the growing number of hidden services, the attack may be less effective

SLIDE 23

Keyword Fingerprinting

  • Search engines like Google are an essential part of the Internet
  • Search queries also contain a lot of information about us
  • The adversary maintains a list of monitored phrases (keywords)
  • The adversary finds the Tor connections that carry the search result traces
  • The goal of this attack is to learn about the search queries of a user

SLIDE 24

Keyword Fingerprinting: Attack Scenario

[Diagram: Client → Tor → Search Engine; the adversary observes the TLS-encrypted connection between client and Tor]

SLIDE 25

Keyword Fingerprinting

[Diagram: Client → Tor → Search Engine; the client searches for "cat video", the adversary analyses the traffic against a monitored keyword list (cat picture, cat video)]

SLIDE 26

Keyword Fingerprinting: Test Results

(according to Fingerprinting Keywords in Search Queries over Tor)

  • Precision decreased with the increase of possible unwanted search queries
  • Incremental search (JavaScript enabled) carries more information for the adversary
  • Keyword fingerprinting attacks in all their variants showed reasonable results and represent a new threat against Tor

SLIDE 27

Asymmetric Traffic Analysis

Conventional attacks often only assume:

  • the adversary can monitor the traffic entering Tor and exiting Tor in the same direction

New attack:

  • correlate the traffic if the adversary is able to monitor any direction of the traffic

Possible adversary: Autonomous Systems (ISPs, …)

SLIDE 28

Asymmetric Traffic Analysis: Attack Scenario

SLIDE 29

Asymmetric Traffic Analysis: Test Results

  • according to Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. RAPTOR: Routing attacks on privacy in Tor. In Proceedings of the 24th USENIX Security Symposium, August 2015

SLIDE 30

Attacks against censorship circumvention

One way to prevent clients from using Tor is to block access to the Tor network entirely

[Diagram: Client; Tor; Directory Server; address blocking between the client and the Tor network]

SLIDE 31

Attacks against censorship circumvention

Alternatively the adversary can block any Tor traffic regardless of source or destination. This is possible through the easily distinguishable Tor certificate used for the TLS connection:

  • SubjectCN=www.[random].com
  • IssuerCN=www.[random].net
  • [random]: random string with a length of 8 to 20 characters

SLIDE 32

Possible countermeasures

Defences against traffic analysis

  • Application Layer Padding Concerns Adversaries (ALPaCA)
  • Lightweight application-Layer Masquerading Add-on (LLaMA)

Measures against hindrance of censorship circumvention

  • Bridges
  • Pluggable Transports

SLIDE 33

Application Layer Padding Concerns Adversaries

  • Defence implemented on the application layer of the OSI model
  • ALPaCA aims to morph the objects of a webpage to hide its traffic pattern
  • For example: add random data as a comment to an object like an HTML file

SLIDE 34

Choosing target sizes

In order to know how the objects must be morphed:

  • P-ALPaCA (Probabilistic ALPaCA)
    − collect sample data from other hidden service websites
  • D-ALPaCA (Deterministic ALPaCA)
    − use input parameters from the service provider/administrator and data from the page itself
  • Compute the target sizes from the collected data

SLIDE 35

ALPaCA Algorithm: Basic Idea

[Diagram: objects of the original webpage are morphed to match the target sizes]

SLIDE 36

ALPaCA Algorithm

Input:

  • List O of objects from the original unmorphed webpage ordered from smallest to biggest
  • List T of target sizes ordered from smallest to biggest
  • List M with the morphed objects (initially empty)
  • List P with the unused target sizes (initially empty)

SLIDE 37

ALPaCA Algorithm

Procedure:

  • Take the first (smallest) object o from list O and search through list T until you find a target size t with size(o) < t
  • Pad object o to size t and add it to list M
  • Remove every target size smaller than t from list T and add it to list P
  • Repeat for all objects in list O
  • After all objects in list O are morphed: create dummy objects for all target sizes in list P and the remaining target sizes in T
  • Append the dummy objects (padding objects) to list M
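The ALPaCA procedure of slides 36 and 37 carried through in Python, as an added example (not from the slides or from the ALPaCA authors' code): raising an error when no target is large enough, and the HTML-comment padding from slide 33, are assumptions about details the slides do not fix.

```python
import secrets

def alpaca_morph(objects, targets):
    # objects: (name, size) pairs of the original page; targets: target sizes
    # (from P-ALPaCA sampling or D-ALPaCA parameters). Returns the morphed list M
    # of (name, padded_size, is_dummy): real objects first, dummy objects after.
    O = sorted(objects, key=lambda o: o[1])        # smallest object first
    T = sorted(targets)                            # smallest target first
    M, P = [], []                                  # morphed objects, unused targets
    for name, size in O:
        # first target strictly larger than the object (size(o) < t)
        idx = next((i for i, t in enumerate(T) if size < t), None)
        if idx is None:
            # assumption: the slides do not say what happens when T runs out
            raise ValueError(f"no target size larger than {name} ({size} bytes)")
        M.append((name, T[idx], False))
        P.extend(T[:idx])                          # skipped smaller targets go to P
        T = T[idx + 1:]
    for t in P + T:                                # every leftover target becomes a dummy
        M.append(("dummy", t, True))
    return M

def pad_html(html, target):
    # Pad an HTML object to exactly `target` bytes with random data in a comment,
    # so the page renders unchanged while its transfer size matches the target.
    overhead = len(b"<!--") + len(b"-->")
    n = target - len(html) - overhead
    if n < 0:
        raise ValueError("target too small for comment padding")
    filler = secrets.token_hex((n + 1) // 2)[:n].encode()
    return html + b"<!--" + filler + b"-->"

def morphed_size(M):
    # Total bytes sent for the morphed page: always the sum of all target sizes.
    return sum(size for _, size, _ in M)
```

Because every target size ends up either on a real object or on a dummy, the observable total is fixed by T alone, not by the page.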

SLIDE 38

Possible Deployment

[Diagram: Client 1, Client 2, … → Tor → directory with pre-morphed webpages]

Every client gets the same page, differently morphed

SLIDE 39

Lightweight application-Layer Masquerading Add-on (LLaMA)

  • Obscures the order and timing of the requests the client sends
  • Adds a random delay to every request
    − the delays can range from zero to half of the page load time

SLIDE 40

Advantages

  • An application layer defence does not require a change of the source code of the Tor protocol
  • The padding is added directly to the objects of the web service
    − the padding is not distinguishable from real traffic

SLIDE 41

Bridges

[Diagram: the Client reaches Tor through a Bridge while address blocking cuts off the public Tor network; the Bridge registers with BridgeDB / the bridge authority]

  • Descriptor: address, port number, …
  • The client obtains the bridge descriptor via e-mail

SLIDE 42

Pluggable Transports

Pluggable Transports transform the Tor traffic to look like other traffic. Examples:

  • obfs4: adds an additional layer of encryption to obscure the traffic
  • fte (Format-Transforming Encryption): obscures the Tor traffic to look like HTTP traffic
  • meek: redirects the connection to an intermediate HTTPS server (Amazon cloud, the Microsoft Azure cloud) and from there to the actual bridge

SLIDE 43

Issues of the Tor network

  • Public bridges often do not offer Pluggable Transports support, and some bridges offer outdated transports
  • Default bridges hard-coded in the Tor Browser Bundle are commonly used

SLIDE 44

References

  • G. Cherubin, J. Hayes, and M. Juarez. Website fingerprinting defenses at the application layer. Proceedings on Privacy Enhancing Technologies, 2017(2), April 2017.
  • R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium, August 2004.
  • S. Matic, C. Troncoso, and J. Caballero. Dissecting Tor bridges: a security evaluation of their private and public infrastructures. In Proceedings of the Network and Distributed Security Symposium - NDSS '17. Internet Society, February 2017.
  • S. E. Oh, S. Li, and N. Hopper. Fingerprinting past the front page: Identifying keywords in search engine queries over Tor. Proceedings on Privacy Enhancing Technologies, 2017(4), October 2017.
  • A. Panchenko, A. Mitseva, M. Henze, F. Lanze, K. Wehrle, and T. Engel. Analysis of fingerprinting techniques for Tor hidden services. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2017), November 2017.
  • Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. RAPTOR: Routing attacks on privacy in Tor. In Proceedings of the 24th USENIX Security Symposium, August 2015.
  • BridgeDB. https://bridges.torproject.org/options. Accessed: 15.03.2018.
  • Top changes in Tor since the 2004 design paper (part 1). https://blog.torproject.org/top-changes-tor-2004-design-paper-part-1. Accessed: 16.03.2018.
  • Tor at the heart: Bridges and pluggable transports. https://blog.torproject.org/tor-heart-bridges-and-pluggable-transports. Accessed: 15.03.2018.
  • Tor: Onion service protocol. https://www.torproject.org/docs/onion-services.html.en. Accessed: 16.03.2018.