The Tor Project



SLIDE 1

The Tor Project

Our mission is to advance human rights and freedoms by creating and deploying free and open privacy and anonymity technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

SLIDE 3

  • Online Anonymity
    – Open Source
    – Open Network
  • Community of researchers, developers, users and relay operators.
  • U.S. 501(c)(3) non-profit organization

SLIDE 4

Estimated 2,000,000+ daily Tor users

SLIDE 5

Threat model: what can the attacker do?

Diagram: Alice, Anonymity network, Bob. Attacker labels: watch Alice! watch (or be!) Bob! Control part of the network!

SLIDE 6

Anonymity isn't encryption: Encryption just protects contents.

Diagram: Alice, Bob, attacker. Labels: “Hi, Bob!”, “Hi, Bob!”, <gibberish>

SLIDE 7

Privacy by promise, privacy by design

“You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”

SLIDE 8

Anonymity serves different interests for different user groups.

Anonymity

Private citizens “It's privacy!”

SLIDE 9

Anonymity serves different interests for different user groups.

Anonymity

Private citizens Businesses “It's network security!” “It's privacy!”

SLIDE 10

Anonymity serves different interests for different user groups.

Anonymity

Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!”

SLIDE 11

Anonymity serves different interests for different user groups.

Anonymity

Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!” Human rights activists “It's reachability!”

SLIDE 12

Current situation: Bad people on the Internet are doing fine

Trojans Viruses Exploits Phishing Spam Botnets Zombies Espionage DDoS Extortion

SLIDE 13

The simplest designs use a single relay to hide connections.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3, “X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X”

(example: some commercial proxy providers)

SLIDE 14

But a single relay (or eavesdropper!) is a single point of failure.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3, “X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X”

SLIDE 15

... or a single point of bypass.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Irrelevant Relay E(Bob3, “X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X”

Timing analysis bridges all connections through relay ⇒ An attractive fat target

SLIDE 16

So, add multiple relays so that no single one can betray Alice.

Bob Alice R1 R2 R3 R4 R5

SLIDE 17

Alice makes a session key with R1 ... and then tunnels to R2 ... and to R3

Bob Alice R1 R2 R3 R4 R5 Bob2

SLIDE 19

Tor's safety comes from diversity

  • #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time)
  • #2: Diversity of users and reasons to use it. 50000 users in Iran means almost all of them are normal citizens.

SLIDE 21

Orbot

SLIDE 22

Tails LiveCD

SLIDE 25

Pluggable transports

SLIDE 26

Pluggable transports

  • Flashproxy (Stanford), websocket
  • FTEProxy (Portland St), http via regex
  • Stegotorus (SRI/CMU), http
  • Skypemorph (Waterloo), Skype video
  • uProxy (Google), webrtc
  • Lantern (BNS), social network based
  • ScrambleSuit (Karlstad), obfs-based
  • Telex (Michigan/Waterloo), traffic divert

SLIDE 27

Onion Service

SLIDE 28

Hidden Services

  • The “.onion” addresses
    – 16 characters long (base32)
    – E.g.: nzh3fv6jc6jskki3.onion
  • Client and Server hide their location
  • Can be used for various kinds of TCP traffic
  • Everything stays inside the Tor network

SLIDE 35

Onion Service Properties

  • Self authenticated (self-verifying?)
  • End-to-end encrypted
  • NAT punching
  • Limited surface area

SLIDE 36

Takeaways

More variation in onion services than people think. Still a tiny fraction of overall Tor traffic.

Upcoming technical work to make them harder / better / stronger / faster. Please deploy an onion address for your website/service

SLIDE 37

Current Security Problems

  • Onion identity keys are too short!
  • You can choose relay identity keys to target a particular onion service
  • You can run relays to harvest onion addresses
  • Sybil attacks remain an issue for Tor in general
  • Guard discovery attack (proposal 247)
  • Website fingerprinting for onion services?

SLIDE 38

HS Directory

Hashring diagram labels: Desc ID_rep0 with HSDir_n, HSDir_n+1, HSDir_n+2; Desc ID_rep1 with HSDir_n, HSDir_n+1, HSDir_n+2

Desc ID = H(onion-address | H(time-period | descriptor-cookie | replica))

SLIDE 39

HSDir Predictability

Desc ID = H(onion-address | H(time-period | descriptor-cookie | replica))

Diagram label on the formula: Invariant

Timeline labels: 11:00 UTC, 11:00 UTC +24, 11:00 UTC +48, ...; time-period span; DescID k1, DescID k2

SLIDE 40

Shared Randomness

Proposal 250

Desc ID = H(onion-address | H(time-period | random-value | descriptor-cookie | replica))

Invariant

longclaw urras Faravahar moria1 dannenberg tor26 maatuska gabelmoo dizum

random-value

(new every 24h)

SLIDE 41

Shared-Random-Value phases

Timeline diagram, with 00:00 UTC and 12:00 UTC marks repeating. Labels: Commit1, Reveal1, Agree1, Commit2, Reveal2, Agree0, SRV0, SRV1
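
The Desc ID formulas from the HSDir Predictability and Shared Randomness slides, together with the commit / reveal / agree phases, as an added Python sketch (not Tor's code and not part of the slides). SHA-1 for H, the plain 24h period index, the byte encodings and the simplified commit-reveal construction are assumptions made for illustration.

```python
import hashlib
import hmac

DAY = 24 * 60 * 60

def H(*parts: bytes) -> bytes:
    # The slides only write H(); SHA-1 here is an assumption for illustration.
    return hashlib.sha1(b"".join(parts)).digest()

def desc_id(onion: str, when: int, replica: int,
            cookie: bytes = b"", random_value: bytes = b"") -> str:
    """Desc ID = H(onion-address | H(time-period | [random-value |] descriptor-cookie | replica))."""
    period = (when // DAY).to_bytes(4, "big")   # simplified 24h time-period index
    inner = H(period, random_value, cookie, bytes([replica]))
    return H(onion.encode(), inner).hex()

def commit(reveal: bytes) -> bytes:
    # Commit phase: publish only a hash of the secret value.
    return hashlib.sha256(reveal).digest()

def shared_random_value(commits: dict, reveals: dict) -> bytes:
    """Agree phase: hash together every reveal that matches its earlier commit."""
    h = hashlib.sha256()
    for name in sorted(commits):
        reveal = reveals.get(name)
        if reveal is None or not hmac.compare_digest(commit(reveal), commits[name]):
            continue   # missing or altered reveal: that authority contributes nothing
        h.update(name.encode() + reveal)
    return h.digest()

# Constructed sample data: address from the slides, made-up clock and secrets.
ONION = "nzh3fv6jc6jskki3.onion"
NOW = 1_450_000_000
REVEALS = {"moria1": b"r-moria1", "tor26": b"r-tor26", "dizum": b"r-dizum"}
COMMITS = {name: commit(r) for name, r in REVEALS.items()}

if __name__ == "__main__":
    # Without random-value every input is public, so future IDs are computable today.
    for day in range(3):
        print("no SRV  day+%d" % day, desc_id(ONION, NOW + day * DAY, 0))
    srv = shared_random_value(COMMITS, REVEALS)
    # With random-value, a later period's ID needs a value that does not exist yet.
    print("with SRV today ", desc_id(ONION, NOW, 0, random_value=srv))
```

Because the commits are published before any reveal, an authority cannot pick its contribution after seeing the others; a reveal that does not match its commit is simply left out.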

SLIDE 42

Guidelines for doing your Tor research safely/ethically

  • Try to attack only yourself / your own traffic
  • Only collect data that is acceptable to make public
  • Don't collect data you don't need (minimization)
  • Limit the granularity of data (e.g. add noise)
  • Describe benefits and risks, and explain why benefits outweigh risks
  • Consider auxiliary data when assessing the risks
  • Use a Test network whenever possible

SLIDE 43

Tricky Edge Cases

Onion address harvesting

  • Get them by googling for .onion? Ok.
  • Get them by being Verisign and looking at the root nameservers? Hm. Ok?
  • Get them by being Comcast and looking at your DNS logs? Hm. Ok?
  • Get them by running a Tor relay, getting the HSDir flag, and logging what you see? Hm. Not Ok.

SLIDE 46

Better Crypto

SLIDE 47

Bigger Onion Address

From 16 characters:

nzh3fv6jc6jskki3.onion

... to 52 characters:

a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rfgdw9jmntwkdsd.onion

(ed25519 public key base32 encoded)

SLIDE 48

Rendezvous Single Onion Services (RSOS)

Rendezvous Point

Proposal 260

SLIDE 49

Single Onion Services (SOS)

The circuit is extended to the service. No Introduction nor Rendezvous.

Proposal 252

SLIDE 50

OnionBalance

  • TSoP

https://onionbalance.readthedocs.org

SLIDE 51

Load Balancing

Hidden Service

Introduction Rendezvous

HS1 HS2 HS3 HS4

Proposal 255

...

SLIDE 53

“Still the King of high secure, low latency Internet Anonymity”

Contenders for the throne:

  • None