Tor Anonymity Network & Traffic Analysis
Tor AnonymityNetwork & TrafficAnalysisPresented by Peter Likarish
This is NOT the presenter’s original work. This talk reviews:Tor: The SecondGeneration OnionRouterDingledine, Mathewson, SyversonProceedings of USENIX Security ‘04Available at: ings/sec04/tech/full papers/dingledine/dingledine.pdf!
What is Tor? Sender/Responder anonymity network Circuit-based overlay network Low-latency 2nd gen aims: Perfect forward secrecy, congestioncontrol, directory servers, integritychecking, location hidden servers.
Overlay Networks computer link
Overlay Networks Overlay (Tor) nodes link
Overlay Networks Tor node secure link
Tor TerminologyDirectory ServerOnion ProxyInitiatorAttackerIntroduction Onion RouterpointRendezvous PointResponder
Basic Tor ideas Each OR maintains TLS connection with theother ORs OPs get directory of ORs from TrustedDirectory Server OP builds circuit of ORs. Default length: 3ORs.
Tor Threat Model What type of adversary does Tor attemptto protect users against? Typical threat: Global Passive Adversary Tor’s threat: Partial-view passive adversary
Partial-View Adversary Goal: Identify Initiator and Responder Can observe a portion of entire traffic Can generate, modify and delete traffic Can operate Onion routers (ORs) orcompromise a % of ORs
Threat ModelControversy Weaker adversary, truly guaranteeanonymity? Is this adversary realistic and dangerous? Does it matter?
1st Goal: InitiatorAnonymity Initiator wants to contact Responder(website, etc) without Responder or anyattacker knowing their identity.
Building a Circuit 1. I Gets list of ORs fromDirectory Server2. I Randomly selects anOR (entry point)3. I Randomly selects anOR, extends circuit4. I Randomly selects afinal OR, (exit point)5. I Contacts RIRExternal attacker
Circuit Details Tor uses SOCKS proxy Creating & extending circuit requires PublicKey Crypto Communicating over circuit DiffieHelman (symmetric crypto) Can multiplex TCP connections overcircuit, amortize cost of Public Key Crypto Rotate circuit to prevent linkability
Circuit Details Cont’dFigure 1 from Dingledine et al.
Cells: Transport over Circuits 512 bytes Header: Circuit ID Command Create, extend, destroy circuit relay data, relay begin, relay teardown Payload: encrypted payload
Onion Rk,3}ORk,2OR2{payload}ORk,3OR3payloadORk,i Ephemeral DH key for circuit
Malicious Onion RoutersIn general, circuitsare secure if thereis one nonmalicious OR inthe circuitIR
Malicious Entry/Exit PointsIf entry/exit pointscollude, they knowthat I and R are using ITor. Can conducttiming analysis to tryand link I/RA colluding cliqueof size m canobserve (m/N)2of the trafficR
“Leaky-pipe” CircuitsIR1R2Multiple possible exit points from circuit
2nd Goal: ResponderAnonymity Also known as Location Hidden Servers High-level view: Responders publish Introduction Points(IPs) Users contact IPs and select RendezvousPoint (RP) User and Responder establish circuitthrough RP
2nd Goal: ResponderAnonymityRPIPIP
What Tor is/does Stream integrity checking (TLS) Forward Secrecy after circuit demolished, trafficunreadable Rate limiting/fairness Application transparent
What Tor isn’t/doesn’t Steganographic Does not conceal who is connected Prevent end-to-end timing attacks Do protocol normalization. No app-levelanonymization (cookies/http info)
This is NOT the presenter’s original work. This talk reviews:Low-Cost TrafficAnalysis of TorMurdoch and DanezisIEEE Symp. on Security and Privacy ‘05Available at: s/abs all.jsp?arnumber 1425067!
Goal Show that even within Tor’s limited threatmodel, traffic analysis/timing attacks arepossible. Intuition: Use the anonymity network as anoracle to infer network load. Assume encrypted tunnels effectively hidebit patterns.
How: Covert SideChannels Covert side-channels Extra sources of information, does not“break” security used in algorithm. In this case, timing attack
Idea behind attack Use the timing signature of an anonymousstream to track the stream through Tor. Because Tor is low-latency, it does notengage in traffic-shaping or “mixing” (reordering packets from different streams). Streams pass through Tor more or lessunaltered.
Incoming streamsMultiplexed over circuitXXXXXXXXXXXXXXXXXXXXXX
Why it works Tor nodes select which cell to route usinga round robin of all streams rather thanexplicit mixing. Key: Load on a Tor node affects the latencyof all connection streams through thenode. Compare change in latencies to knowntraffic patterns
Attack Set-up1. MaliciousOR joins TorOR1.networkWewant to2. Attacker3. Userobservewho2.controls/IDestcorrupts aI establishesis talking to3.linkwith(dotted server thatcorrupthiddenTor usersservercircuit)talk to4. Dest returnstraffic to I5. OR sends probe traffic to eachaccording to legitimate OR, if latency is correlated withselectedsignal, I is using that routerpattern
Details Signal bursty Corrupt server transmits for 10-25 sec Corrupt server is quiet for 30-75 Corrupt OR measures latency of probetraffic. If it is monitoring an OR throughwhich stream passes, latency shouldincrease in correlation with victim signal.
Measuring Correlation S(t) Indicator variable. 1 if corrupt server is submitting, 0otherwise. L’(t) normalized latency at time t Normalized by median latency
Experimental evaluation Tested 13 Tor nodes (out of 50 available)11 of 13 cases: correctly identified case in whichnode was carrying victim traffic compared tostream flowing through other nodesSuggest increasing time of test to improveresults.Also tested for FPs: no ‘echoes’ of stream atother nodes
Good correlation
No echoes
Bad Correlation
Results for 13 nodes
Analysis of Attack What is the actual reduction in security? Is it doable? Are there countermeasures?
stream to track the stream through Tor. ! Because Tor is low-latency, it does not engage in traffic-shaping or “mixing” (re-ordering packe
A separate privacy principle dealing with consent? 686 20. Anonymity and Pseudonymity 689 Introduction 689 Expanding the anonymity principle 690 Application of the 'Anonymity and Pseudonymity' principle 696 Guidance on the 'Anonymity and Pseudonymity' principle 706 Summary of 'Anonymity and Pseudonymity' principle 708 21.
Oct 10, 2013 · Anonymity and encryption are not new phenomena: anonymity has long facilitated the expression of controversial ideas and enabled dissent in many countries of the world; the use of ciphers and codes to protect the privacy of communications has The protection of anonymity
anonymity unless accompanying policies are respected. The k-anonymity protection model is important because it forms the basis on which the real-world systems known as Datafly, µ-Argus and k-Similar provide guarantees of privacy protection. Keywords: data anonymity, data privacy,
actor or actress, or the local chief of police?” A.“Like everyone else, public figures should have the protection of anonymity to the extent that they desire it.” (“Understanding Anonymity,” p. 9) Q. “I saw an ad in the paper for an A.A. group. It t
Traf-Sys' people counting software provides near real-time access to reliable and accurate pedestrian traffic data via an intuitive online platform. Through a single, easy-to-use interface, clients can access traffic data on any computer with a network connection. Traf-Sys can also host the data from your retail traffic counters and
Tor On Maemo And The Nokia N900 Orbot: Tor On Android Mobile Tor: Tor On The iPhone. Mobile Phones (In)Security. Mobile Phones Growth Computational power High speed data networks “Real” operating system. Phones Are Personal Raise hand who
P-47 Understanding Anonymity “Anonymity is the spiritual foundation of all our traditions, ever reminding us to place principles before personalities.” P-47_Understanding_Anonymity.indd 2 6/17/19 11:23 AM
1 P a g e An Idiot's Guide to Lust Epidemic by cooperlee77 This guide follows the Normal version but {Hard} options are included. Maps are included and pictures of locations can be found at the end of this
