tor and un provable privacy
play

Tor and (un)provable privacy Roger Dingledine The Tor Project - PowerPoint PPT Presentation

Feb 18, 2023 •133 likes •663 views

Tor and (un)provable privacy Roger Dingledine The Tor Project https://torproject.org/ 1 Today's plan 0) Crash course on Tor 1) Anonymity attacks 2) Blocking-resistance 2 What is Tor? Online anonymity 1) open source software, 2)

  1. Tor and (un)provable privacy Roger Dingledine The Tor Project https://torproject.org/ 1

  2. Today's plan ● 0) Crash course on Tor ● 1) Anonymity attacks ● 2) Blocking-resistance 2

  3. What is Tor? Online anonymity 1) open source software, 2) network, 3) protocol Community of researchers, developers, users, and relay operators Funding from US DoD, Electronic Frontier Foundation, Voice of America, Google, NLnet, Human Rights Watch, NSF, US State Dept, SIDA, ... 3

  4. The Tor Project, Inc. U.S. 501(c)(3) non-profit organization dedicated to the research and development of tools for online anonymity and privacy 4

  5. Estimated ~400,000? daily Tor users 5

  6. Threat model: what can the attacker do? Alice Anonymity network Bob watch Alice! watch (or be!) Bob! Control part of the network! 6

  7. Anonymity isn't encryption: Encryption just protects contents. “Hi, Bob!” “Hi, Bob!” <gibberish> Alice attacker Bob 7

  8. Anonymity isn't just wishful thinking... “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?” 8

  9. Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!” 9

  10. Anonymity serves different interests for different user groups. Businesses Anonymity “It's network security!” Private citizens “It's privacy!” 10

  11. Anonymity serves different interests for different user groups. “It's traffic-analysis resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 11

  12. Anonymity serves different interests for different user groups. “It's reachability!” Human rights “It's traffic-analysis activists resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 12

  13. The simplest designs use a single relay to hide connections. Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 (example: some commercial proxy providers) 13

  14. But a single relay (or eavesdropper!) is a single point of failure. Bob1 Alice1 E(Bob3,“X”) “Y” Evil Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 14

  15. ... or a single point of bypass. Bob1 Alice1 E(Bob3,“X”) “Y” Irrelevant Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 Timing analysis bridges all connections ⇒ An attractive fat target through relay 15

  16. So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R3 R5 R4 R2 16

  17. A corrupt first hop can tell that Alice is talking, but not to whom. Bob Alice R1 R3 R5 R4 R2 17

  18. A corrupt final hop can tell that somebody is talking to Bob, but not who. Bob Alice R1 R3 R5 R4 R2 18

  19. Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Bob Alice R1 R3 Bob2 R5 R4 R2 19

  20. 20

  21. 21

  22. Today's plan ● 0) Crash course on Tor ● 1) Anonymity attacks ● 2) Blocking-resistance 22

  23. Operational attacks ● You need to use https – correctly. ● Don't use Flash. ● Who runs the relays? ● What local traces does Tor leave on the system? ● ...Different talk. 23

  24. Traffic confirmation ● If you can see the flow into Tor and the flow out of Tor, simple math lets you correlate them. ● Feamster's AS-level attack (2004), Edman's followup (2009), Murdoch's sampled traffic analysis attack (2007). 24

  25. Countermeasures? ● Defensive dropping (2004)? Adaptive padding (2006)? ● Traffic morphing (2009), Johnson (2010) ● Tagging attack, traffic watermarking 25

  26. Congestion attacks (1) ● Murdoch-Danezis attack (2005) sent constant traffic through every relay, and when Alice made her connection, looked for a traffic bump in three relays. ● Couldn't identify Alice – just the relays she picked. 26

  27. Congestion attacks (2) ● Hopper et al (2007) extended this to (maybe) locate Alice based on latency. ● Chakravarty et al (2008) extended this to (maybe) locate Alice via bandwidth tests. ● Evans et al (2009) showed the original attack doesn't work anymore (too many relays, too much noise) – but “infinite length circuit” makes it work again? 27

  28. Throughput fingerprinting ● Mittal et al, CCS 2011 ● Build a test path through the network. See if you picked the same bottleneck node as Alice picked. 28

  29. Anonymity / load balancing ● Give more load to fast relays, but less anonymity ● Client-side network observations, like circuit-build-timeout or congestion- aware path selection 29

  30. Bandwidth measurement ● Bauer et al (WPES 2009) ● Clients used the bandwidth as reported by the relay ● So you could sign up tiny relays, claim huge bandwidth, and get lots of traffic ● Fix is active measurement. (Centralized vs distributed?) 30

  31. Tor gives three anonymity properties ● #1 : A local network attacker can't learn, or influence, your destination. ● #2 : No single router can link you to your destination. ● #3 : The destination, or somebody watching it, can't learn your location. 31

  32. Tor's safety comes from diversity ● #1: Diversity of relays. The more relays we have and the more diverse they, the fewer attackers are in a position to do traffic confirmation. ● #2: Diversity of users and reasons to use it. 60000 users in Iran means almost all of them are normal citizens. 32

  33. Long-term passive attacks ● Matt Wright's predecessor attack ● Overlier and Syverson, Oakland 2006 ● The more circuits you make, the more likely one of them is bad ● The fix: guard relays ● But: guard churn so old guards don't accrue too many users 33

  34. Website fingerprinting ● If you can see an SSL-encrypted link, you can guess what web page is inside it based on size. ● Does this attack work on Tor? Open- world vs closed-world analysis. ● Considering multiple pages (e.g. via hidden Markov models) would probably make the attack even more effective. 34

  35. Denial of service as denial of anonymity ● Borisov et al, CCS 2007 ● If you can't win against a circuit, kill it and see if you win the next one ● Guard relays also a good answer here. 35

  36. Epistemic attacks on route selection ● Danezis/Syverson (PET 2008) ● If the list of relays gets big enough, we'd be tempted to give people random subsets of the relay list ● But, partitioning attacks ● Anonymous lookup? DHT? PIR? 36

  37. Profiling at exit relays ● Tor reuses the same circuit for 10 minutes before rotating to a new one. ● (It used to be 30 seconds, but that put too much CPU load on the relays.) ● If one of your connections identifies you, then the rest lose too. ● What's the right algorithm for allocating connections to circuits safely? 37

  38. Declining to extend ● Tor's directory system prevents an attacker from spoofing the whole Tor network. ● But your first hop can still say “sorry, that relay isn't up. Try again.” ● Or your local network can restrict connections so you only reach relays they like. 38

  39. Attacks on Tor ● Pretty much any Tor bug seems to turn into an anonymity attack. ● Many of the hard research problems are attacks against all low-latency anonymity systems. Tor is still the best that we know of – other than not communicating. ● People find things because of the openness and thoroughness of our design, spec, and code. We'd love to hear from you. 39

  40. Today's plan ● 0) Crash course on Tor ● 1) Anonymity attacks ● 2) Blocking-resistance 40

  41. Attackers can block users from connecting to the Tor network 1) By blocking the directory authorities 2) By blocking all the relay IP addresses in the directory, or the addresses of other Tor services 3) By filtering based on Tor's network fingerprint 4) By preventing users from finding the Tor software (usually by blocking website) 41

  42. Relay versus Discovery There are two pieces to all these “proxying” schemes: a relay component: building circuits, sending traffic over them, getting the crypto right a discovery component: learning what relays are available 42

  43. The basic Tor design uses a simple centralized directory protocol. cache S1 Trusted directory Alice S2 Alice downloads consensus and Trusted directory cache descriptors from anywhere Authorities S3 publish a consensus Servers publish list of all descriptors self-signed descriptors. 43

  44. Alice Alice Alice Blocked Alice Alice User R3 Alice Blocked R4 Bob User Alice Alice R2 Blocked User Alice R1 Alice Blocked Alice User Alice Blocked Alice User Alice Alice 44

  45. How do you find a bridge? 1) https://bridges.torproject.org/ will tell you a few based on time and your IP address 2) Mail bridges@torproject.org from a gmail address and we'll send you a few 3) I mail some to a friend in Shanghai who distributes them via his social network 4) You can set up your own private bridge and tell your target users directly 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira, Ben Smyth, Bogdan Warinschi September 2, 2011 ESORICS 2011 Adapting Helios for Provable Ballot Privacy 1 / 26 Helios Helios is a web-based voting

629 views • 40 slides
Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr egoire, Santiago Zanella-B eguelin 2012.07.10 Provable Privacy Workshop 2012 Privacy for Statistical Databases Privacy for Statistical Databases

721 views • 23 slides
Privacy Preservation through Secure Multi-party Computation: Towards Implementation Paolo

Privacy Preservation through Secure Multi-party Computation: Towards Implementation Paolo

Privacy Preservation through Secure Multi-party Computation: Towards Implementation Paolo Palmieri , Olivier Pereira UCL Crypto Group Universit e Catholique de Louvain (Belgium) Provable Privacy Workshop July 2012 UCL Crypto Group

660 views • 34 slides
Constant-Size Commitments to Polynomials and Their Applications Ian Goldberg Cryptography,

Constant-Size Commitments to Polynomials and Their Applications Ian Goldberg Cryptography,

Constant-Size Commitments to Polynomials and Their Applications Ian Goldberg Cryptography, Security, and Privacy Research Lab University of Waterloo ECRYPT II Provable Privacy Workshop 10 July 2012 Coauthors Aniket Kate (Max Planck

1.4k views • 78 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Wide Strong Private RF IDentification based on Zero-Knowledge Roel Peeters and Jens Hermans

Wide Strong Private RF IDentification based on Zero-Knowledge Roel Peeters and Jens Hermans

Wide Strong Private RF IDentification based on Zero-Knowledge Roel Peeters and Jens Hermans Provable Privacy Workshop, 10 July 2012 RFID Privacy Wig model #4456 (cheap polyester) Replacement hip medical part #459382 Das Kapital and

501 views • 25 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
The Cloud Computations on Encrypted Data and Privacy David Pointcheval CNRS - ENS - INRIA 11th

The Cloud Computations on Encrypted Data and Privacy David Pointcheval CNRS - ENS - INRIA 11th

The Cloud Computations on Encrypted Data and Privacy David Pointcheval CNRS - ENS - INRIA 11th International Conference on Provable Security Xian, China - October 23rd, 2017 David Pointcheval Introduction 2 / 26 Anything from Anywhere

103 views • 7 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Freenet Project: Leap over Censorship The technical part of the solution for freedom of the press

Freenet Project: Leap over Censorship The technical part of the solution for freedom of the press

Freenet Project: Leap over Censorship The technical part of the solution for freedom of the press in the internet Arne Babenhauserheide | 25. September 2014 www.freenetproject.org Freenet Project Outline Why? 1 About 2 3 Applications

701 views • 56 slides
Gregory W. Wornell Dept. Electrical Engineering and Computer Science Massachusetts Institute of

Gregory W. Wornell Dept. Electrical Engineering and Computer Science Massachusetts Institute of

Gregory W. Wornell Dept. Electrical Engineering and Computer Science Massachusetts Institute of Technology June 16, 2010 WITHITS Session International Symposium on Information Theory How can radio-control of torpedoes be made jam-resistant?

432 views • 11 slides
ISE331: Snowden Attack 1 Ou Outline of f Topics Covered Snowdens background and how he

ISE331: Snowden Attack 1 Ou Outline of f Topics Covered Snowdens background and how he

ISE331: Snowden Attack 1 Ou Outline of f Topics Covered Snowdens background and how he got to the position of being able to leak confidential information from the CIA How Snowden planned and performed the attack The method used

264 views • 24 slides
Resist and Keep Safe Online: From Digital Harassment to Harm Reduction Hosted by: Progressive

Resist and Keep Safe Online: From Digital Harassment to Harm Reduction Hosted by: Progressive

Resist and Keep Safe Online: From Digital Harassment to Harm Reduction Hosted by: Progressive Technology Project &amp; May First / People Link How to Ask a Question Please hold all questions until after presentations are done. Click Here Type

663 views • 38 slides
Applied Information Theory Daniel Bosk Department of Information and Communication Systems, Mid

Applied Information Theory Daniel Bosk Department of Information and Communication Systems, Mid

Introduction Shannon entropy Applications References Applied Information Theory Daniel Bosk Department of Information and Communication Systems, Mid Sweden University, Sundsvall. 14th March 2019 1 Introduction Shannon entropy

775 views • 59 slides
Credential Access with Hashcat Dawid Czagan SECURITY INSTRUCTOR @dawidczagan Creator: Jens

Credential Access with Hashcat Dawid Czagan SECURITY INSTRUCTOR @dawidczagan Creator: Jens

Credential Access with Hashcat Dawid Czagan SECURITY INSTRUCTOR @dawidczagan Creator: Jens Steube Hashcat is the no. 1 offline password cracker. It supports different password cracking techniques and many hash algorithms. What's more it

894 views • 19 slides
Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/

Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/

Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/ 1 Today's plan 0) Crash course on Tor 1) History of Tor censorship attempts 2) Attacks on low-latency anonymity 3) Tor performance

1.36k views • 101 slides
Solar Finance Breakfast Briefing Steven M. Kaplan Anjali Garg Nadav Klugman Partner Associate

Solar Finance Breakfast Briefing Steven M. Kaplan Anjali Garg Nadav Klugman Partner Associate

Solar Finance Breakfast Briefing Steven M. Kaplan Anjali Garg Nadav Klugman Partner Associate Partner 202.263.3005 202.263.3419 312.701.8433 skaplan@mayerbrown.com agarg@mayerbrown.com nklugman@mayerbrown.com April 19, 2017 Roadmap

475 views • 35 slides

More recommend