T h e T o r P r o j e c t Our mission is to advance - PowerPoint PPT Presentation

T h e T o r P r o j e c t Our mission is to advance human rights and freedoms by creating and deploying free and open privacy and anonymity technologies, supporting their unrestricted availability and use, and furthering their scientifjc and popular understanding. 1

2

● O n l i n e A n o n y mi t y – O p e n S o u r c e – O p e n N e t w o r k ● C o mmu n i t y o f r e s e a r c h e r s , d e v e l o p e r s , u s e r s a n d r e l a y o p e r a t o r s . ● U . S . 5 0 1 ( c ) ( 3 ) n o n - p r o fj t o r g a n i z a t i o n

Estimated 2,000,000+ daily Tor users 4

Threat model: what can the attacker do? Alice Anonymity network Bob watch Alice! watch (or be!) Bob! Control part of the network! 5

Anonymity isn't encryption: Encryption just protects contents. “Hi, Bob!” “Hi, Bob!” <gibberish> Alice attacker Bob 6

Privacy by promise, privacy by design “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?” 7

Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!” 8

Anonymity serves different interests for different user groups. Businesses Anonymity “It's network security!” Private citizens “It's privacy!” 9

Anonymity serves different interests for different user groups. “It's traffic-analysis resistance!” Businesses Anonymity Governments “It's network security!” Private citizens “It's privacy!” 10

Anonymity serves different interests for different user groups. “It's reachability!” Human rights “It's traffic-analysis activists resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 11

Current situation: Bad people on the Internet are doing fine Trojans Viruses Exploits Botnets Zombies Espionage Phishing DDoS Spam Extortion 12

The simplest designs use a single relay to hide connections. Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 (example: some commercial proxy providers) 13

But a single relay (or eavesdropper!) is a single point of failure. Bob1 Alice1 E(Bob3,“X”) “Y” Evil Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 14

... or a single point of bypass. Bob1 Alice1 E(Bob3,“X”) “Y” Irrelevant Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 Timing analysis bridges all connections ⇒ An attractive fat target through relay 15

So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R3 R5 R4 R2 16

Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Bob Alice R1 R3 Bob2 R5 R4 R2 17

18

Tor's safety comes from diversity ● #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time) ● #2: Diversity of users and reasons to use it. 50000 users in Iran means almost all of them are normal citizens. 19

20

Orbot 21

Tails LiveCD 22

23

24

Pluggable transports 25

Pluggable transports ● Flashproxy (Stanford), websocket ● FTEProxy (Portland St), http via regex ● Stegotorus (SRI/CMU), http ● Skypemorph (Waterloo), Skype video ● uProxy (Google), webrtc ● Lantern (BNS), social network based ● ScrambleSuit (Karlstad), obfs-based ● Telex (Michigan/Waterloo), traffic divert 26

O n i o n S e r v i c e 27

H i d d e n S e r v i c e s ● T h e “ . o n i o n ” a d d r e s s e s – 1 6 c h a r a c t e r s l o n g ( b a s e 3 2 ) – E . g : n z h 3 f v 6 j c 6 j s k k i 3 . o n i o n ● C l i e n t a n d S e r v e r h i d e t h e i r l o c a t i o n ● C a n b e u s e d f o r v a r i o u s k i n d s o f T C P t r a ffjc ● E v e r y t h i n g s t a y s i n s i d e t h e T o r n e t w o r k 28

29

30

31

32

33

34

O n i o n S e r v i c e P r o p e r t i e s ● S e l f a u t h e n t i c a t e d ( s e l f - v e r i f y i n g ? ) ● E n d - t o - e n d e n c r y p t e d ● N A T p u n c h i n g ● L i mi t e d s u r f a c e a r e a

T a k e a w a y s More variation in onion services than people think. Still a tiny fraction of overall T or traffjc. Upcoming technical work to make them harder / better / stronger / faster . Please deploy an onion address for your website/service

C u r r e n t S e c u r i t y P r o b l e m s ● O n i o n i d e n t i t y k e y s a r e t o o s h o r t ! ● Y o u c a n c h o o s e r e l a y i d e n t i t y k e y s t o t a r g e t a p a r t i c u l a r o n i o n s e r v i c e ● Y o u c a n r u n r e l a y s t o h a r v e s t o n i o n a d d r e s s e s ● S y b i l a t t a c k s r e ma i n a n i s s u e f o r T o r i n g e n e r a l ● G u a r d d i s c o v e r y a t t a c k ( p r o p o s a l 2 4 7 ) ● We b s i t e fj n g e r p r i n t i n g f o r o n i o n s e r v i c e s ?

H S D i r e c t o r y Desc ID = H(onion-address | H(time-period | descriptor-cookie | replica)) Desc ID rep1 HSDir n HSDir n+1 HSDir n+2 Hashring HSDir n+2 HSDir n+1 HSDir n Desc ID rep0

H S D i r P r e d i c t i b i l i t y Desc ID = H(onion-address | H( time-period | descriptor-cookie | replica)) Invariant time-period span 11:00 UTC 11:00 UTC 11:00 UTC +48 +24 DescID k 2 ... DescID k 1

S h a r e d R a n d o m n e s s Proposal 250 Desc ID = H(onion-address | H( time-period | random-value | descriptor-cookie | replica)) Invariant gabelmoo longclaw urras Faravahar moria1 dannenberg tor26 maatuska dizum random-value (new every 24h)

S h a r e d - R a n d o m - V a l u e p h a s e s SRV0 SRV1 00:00 UTC 12:00 UTC 00:00 UTC 00:00 UTC 12:00 UTC Agree0 Commit1 Reveal1 Agree1 ... Reveal2 Commit2

G u i d e l i n e s f o r d o i n g y o u r T o r r e s e a r c h s a f e l y / e t h i c a l l y ● T r y t o a t t a c k o n l y y o u r s e l f / y o u r o w n t r a ffjc ● O n l y c o l l e c t d a t a t h a t i s t o ma k e p u b l i c a c c e p t a b l e ● D o n ' t c o l l e c t d a t a y o u d o n ' t n e e d ( mi n i mi z a t i o n ) ● L i mi t t h e g r a n u l a r i t y o f d a t a ( e . g . a d d n o i s e ) ● D e s c r i b e b e n e fj t s a n d r i s k s , a n d e x p l a i n w h y b e n e fj t s o u t w e i g h r i s k s ● C o n s i d e r a u x i l i a r y d a t a w h e n a s s e s s i n g t h e r i s k s ● U s e a T e s t n e t w o r k w h e n e v e r p o s s i b l e

T r i c k y E d g e C a s e s O n i o n a d d r e s s h a r v e s t i n g ● G e t t h e m b y g o o g l i n g f o r . o n i o n ? O k . ● G e t t h e m b y b e i n g V e r i s i g n a n d l o o k i n g a t t h e r o o t n a me s e r v e r s ? H m. O k ? ● G e t t h e m b y b e i n g C o mc a s t a n d l o o k i n g a t y o u r D N S l o g s ? H m. O k ? ● G e t t h e m b y r u n n i n g a T o r r e l a y , g e t t i n g t h e H S D i r fm a g , a n d l o g g i n g w h a t y o u s e e ? H m. N o t O k .

B e t t e r C r y p t o

B i g g e r O n i o n A d d r e s s From 16 characters: nzh3fv6jc6jskki3.onion ... to 52 characters: a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rfgdw9jmntwkdsd.onion (ed25519 public key base32 encoded)

R e n d e z v o u s S i n g l e O n i o n S e r v i c e s ( R S O S ) Proposal 260 Rendezvous Point

S i n g l e O n i o n S e r v i c e s ( S O S ) Proposal 252 The circuit is extended to the service. No Introduction nor Rendezvous.