The Second-Generation Onion Router - PowerPoint PPT Presentation

About This Presentation
Title:

The Second-Generation Onion Router

Description:

Leaky-pipe circuit topology. Tor initiators can direct traffic to nodes partway down circuit ... Leaky Pipe Circuits. The leaky pipe circuit topology allows ... – PowerPoint PPT presentation

Number of Views:896
Avg rating:3.0/5.0
Slides: 49
Provided by: Neta175
Category:

less

Transcript and Presenter's Notes

Title: The Second-Generation Onion Router


1
The Second-Generation Onion Router
  • R. Dingledine, N. Mathewson, P. Syverson
  • Presented By
  • Enrico Chandler
  • Maryam Jafari-Lafti

2
Presentation Outline
  • What is anonymity?
  • Modern Anonymity Systems
  • The original Onion Routing
  • Tors goals and improvements
  • Tor implementation
  • Threat Model
  • Tor in the wild
  • Future directions
  • Conclusions

3
What is Anonymity?
  • Anonymity can be defined as maintaining
    (real-world) identifying information about a
    transaction and/or the communicating parties
    hidden
  • Why do we need anonymity?
  • Protecting sensitive activities, censorship
    resistant publishing, protecting against
    profiling, whistleblowing, etc.
  • Common types of anonymity sender anonymity,
    receiver anonymity, unlinkability of the sender
    and receiver, unlinkability of transactions
  • Various levels of anonymity (application and/or
    network layer)

4
Anonymity or Pseudonymity?
  • Anonymity vs. Pseudonymity
  • Full anonymity conflicts with accountability
  • Pseudonymity allows for authentication and
    establishment of trust
  • Actions could be linked back to a pseudonym
    (virtual identity) but most often not to the
    real-world identity

5
Modern Anonymity Systems
  • Date back to Chaums Mix-Net design
  • Suggested hiding correspondence between sender
    and receiver by wrapping messages in layers of
    public key encryption
  • These messages would traverse a series of mixes
    en route to the receiver
  • Mixes decrypt, delay, and re-order messages
    before passing them onward

6
Basic Mix-Net Concept
Server 2
Server 1
Server 3
Ciphertext EPK1EPK2EPK3m
7
Relay Based Systems
  • High Latency
  • Babel, Mixmaster, Mixminion
  • Maximizes anonymity and the cost of large
    latencies
  • Networks resist strong global adversaries
  • Introduces too much lag for some TCP applications
  • Low Latency
  • Tor, Anonymizer, Pipenet
  • Attempt to anonymize interactive traffic which
    contain more packets that are time dependent
  • Handles a variety of bidirectional protocols
  • Time dependency of communications is a design
    concern

8
The Original Onion Routing
  • Distributed overlay network to anonymize
    TCP-based applications
  • Client-side Onion Proxy (OP) chooses circuit of
    onion routers
  • An Onion Router (OR) is a server which receives
    messages from end nodes, batches and reorders
    them, and forwards them towards the destination
  • Messages are broken into fixed size cells and
    packaged into a data object called the onion
    via successive layers of encryption
  • As the onion traverses the circuit, the
    encryption layers are peeled off and the
    message is passed down to the next OR in the
    circuit

9
The Original Onion Routing
10
Onion Routing Deployment
  • Deployed briefly
  • Fragile proof of concept on a single machine
  • Processed connections from over 60,000 IPs
  • Many critical design and deployment issues never
    resolved
  • Tor incorporates improvements over old onion
    routing

11
Tor Design Goals Non-Goals
  • Goals
  • Deployability
  • Usability
  • Flexibility
  • Simple Design
  • Non-Goals
  • Not peer-to-peer
  • Not secure against end-to-end attacks
  • No protocol normalization
  • Not designed to prevent traffic confirmation
    attacks
  • Design is aimed to prevent traffic analysis
    attacks

12
Deployment Usability
  • Deployment
  • Must be deployed and used in the real world
  • Not expensive to run
  • Not place a heavy burden on operators
  • Must not be difficult or expensive to implement
  • Cant require non-anonymous parties to run
    software
  • Usability
  • Hard to use system equal fewer users which
    provides less anonymity
  • Should not require to modify familiar
    applications
  • Easily implementable on all platforms

13
Flexibility and Simple Design
  • Must be flexible to serve as a test bed for
    future research
  • Design and security parameter must be well
    understood
  • Aim to deploy a simple and stable system that
    integrates the best accepted approaches to
    protecting anonymity

14
Tor Improvements
  • Perfect forward secrecy
  • Separation of protocol cleaning from anonymity
  • Many TCP streams can share one circuit
  • Leaky-pipe circuit topology
  • Congestion control
  • Directory servers
  • Variable exit policies
  • End-to-end integrity checking
  • Rendezvous points and hidden services

15
Improvements
  • Perfect forward secrecy
  • Original routing allowed recording of traffic
  • Tor uses incremental or telescoping path-building
    design
  • Onion replay detection is no longer necessary
  • Protocol cleaning from anonymity
  • Original routing required separate application
    proxy
  • Tor uses standard SOCKS proxy

16
Improvements
  • Many TCP streams
  • Original routing built separate circuits
  • Multiple key operations
  • Threats to anonymity
  • Tor multiplexes multiple TCP streams
  • Leaky-pipe circuit topology
  • Tor initiators can direct traffic to nodes
    partway down circuit
  • This can possibly frustrate traffic shape and
    volume based on observing the end of circuit

17
Improvements
  • Congestion control
  • Earlier anonymity designs do not address
  • Tor decentralizes congestion control with
    end-to-end ACKs
  • This maintain anonymity while allowing edge nodes
    to detect congestion or flooding
  • Directory servers
  • Original routing planned to flood state
    information through the network
  • Tor uses trusted nodes that act as directory
    servers to provide network state

18
Improvements
  • Variable exit policies
  • Tor provides a mechanism for nodes to advertise
    host and ports to which it will connect
  • End-to-end integrity checking
  • Original routing did no integrity checking
  • Tor verifies data integrity before it leaves the
    network

19
Improvements
  • Rendezvous points and hidden services
  • Original routing provided long lived reply onions
  • Did not provide forward security
  • Became useless if any node went down or rotated
    its key
  • Tor clients negotiate rendezvous points to
    connect to hidden servers
  • No reply onions are required

20
Tors Design
OR 1
OR 3
OR 2
OP
Server
Circuit
21
Onion Routers Proxies
  • Onion routers connect to destinations and relay
    user data
  • Onion router keys
  • Identity key long-term, signs TLS certificates,
    OR router descriptors, and directories if
    applicable
  • Onion key Used with circuit establishment
    requests
  • TLS key short-term, link level between ORs
  • Client-side OP is responsible for
  • Fetching OR directories
  • Establishing circuits
  • Handling connections from applications

22
Circuits Streams
  • Circuits Streams
  • A circuit is a set of intermediaries (ORs) for
    traffic indirection
  • One circuit for multiple TCP streams
  • Periodic background circuit set-up and expiration
  • Circuits built in increments (one hop at a time)
  • Question What are the pros and cons of several
    cryptographic layers?

23
Cells
  • Control cells
  • Always interpreted, contains circID
  • Possible commands are padding, create, destroy
  • Relay cells
  • Include additional header, used to control
    various aspects of stream set-up and data
    transmission
  • Possible commands are relay data, relay begin,
    relay end, relay teardown, relay connected, relay
    extend extended, relay truncate truncated,
    relay sendme, and relay drop

24
Opening Closing Circuits
  • Circuits are built preemptively and periodically
    to avoid delays and limit linkability
  • Circuits are build incrementally, negotiating a
    symmetric key with each OR in the circuit one hop
    at a time
  • Circuits can be closed incrementally by sending a
    relay truncate cell to a single OR and having it
    pass forward a relay destroy cell
  • Truncated circuits can be re-extended
  • Question How can the circuit building/closing
    processes be exploited by malicious ORs?
  • Question How long should circuits be? Fixed
    length or dynamic length?

25
Opening Closing a Circuit
Alice builds a two-hop circuit
Alice
OR 1
OR 2
Relay c1Truncate
Relay c2Destroy
Relay c1Truncated
Alice truncates its circuit to include only OR 1
26
Leaky Pipe Circuits
  • The leaky pipe circuit topology allows client
    streams to exit at different ORs on a single
    circuit
  • The client may select different exit points based
    on their exit policies or to reduce linkability

OR 1
OR 3 (exit)
OR 2 (exit)
OP
Server
Server
27
Opening and Closing Streams
  • Given that the OP has a set of open circuits and
    it receives an application request for a TCP
    connection
  • The OP chooses the newest open circuit (or
    creates a new one)
  • It chooses an appropriate OR on the selected
    circuit as the exit point
  • It opens a stream by sending a relay begin cell
    to the exit node using a new streamID
  • The exit node sends back a relay connected cell
    once it connects to the destination host
  • The OP notifies the application of the connection
    and begins accepting data on the applications
    TCP stream
  • The OP packages the data and sends it using relay
    data cells
  • Closing streams
  • The exit node sends a relay end cell towards the
    OP
  • Each OR in the circuit responds with its own
    relay end cell

28
Opening and Closing Streams
Alice opens a stream and begins fetching a web
page
Relay c1 End
Relay c2End
(TCP Close)
Relay c2End
Relay c1 End
Alice closes the stream
29
Integrity Checking
  • Traffic could be compromised if only encryption
    is used
  • Adversary could guess encrypted content and alter
    it to achieve desired effect
  • Per-hop integrity checking
  • Check integrity of relay cells using hashes or an
    authenticating cipher at every hop
  • Drawbacks of per-hop integrity checking
  • The approach imposes message-expansion overhead
  • ORs would not be able to produce suitable hashes
    for intermediate hops
  • Provides no additional information to the
    attacker since end-to-end timing attacks are
    possible

30
Tors Integrity Checking
  • Tors integrity checking approach
  • Check integrity at the edges of each stream
  • Initial SHA-1 digest set at the time of key
    negotiation as a derivative of negotiated key
  • Digest added incrementally to all relay cells
    exchanged
  • First 4 bytes of current digest added to each
    cell
  • Digest is encrypted as a part of the relay header

31
Rate Limiting Fairness
  • Volunteers are more willing to run services that
    can limit their bandwidth usage
  • Limit number of incoming bytes not to overwhelm
    volunteer ORs
  • Preferential treatment of interactive streams
  • Preferential treatment presents a possible
    end-to-end attack

32
Congestion Control
  • Needed in addition to bandwidth rate limiting to
    prevent circuit congestion
  • Additional to TCP congestion control
  • Two-fold congestion control circuit-level
    throttling stream-level throttling
  • Throttling uses two windows
  • Packaging tracks number of cells packaged by the
    OR and directed towards the OP
  • Delivery tracks number of cells OR is willing to
    deliver outside the network
  • Each window is initialized to maximum allowable
    value (e.g. 1000)
  • When a certain block of cells (e.g. 100) is
    packaged or delivered, the window size is
    decremented
  • The OR sends a relay sendme cell towards the
    clients OP
  • The receiving OR increments its window size by
    the block size (100 in this case)

33
Congestion Control
w window size
34
Rendezvous Points Hidden Services
  • Rendezvous points are a building block for
    location-hidden services which aim to achieve
    responder anonymity
  • They allow clients to connect to service
    providers without revealing the latters IP
    addresses
  • Goals
  • Access control
  • Robustness
  • Smear-resistance
  • Application-transparency

35
Rendezvous Points Hidden Services
  • Providing location-hidden services is achieved
    by
  • The server advertises a set of ORs as
    introduction points (IP)
  • The client chooses an OR as a rendezvous point
    (RP) and builds a circuit to it
  • The client contacts one of service providers
    introduction points and informs it of its RP
  • If the service provider wants to respond to the
    client, it builds a circuit to the clients RP
  • The RP connects the clients circuit to the
    service providers circuit
  • The client send an relay begin cell to the
    service provider over the established circuit
  • The communication resumes as before

36
Distributed Hashing Concept (e.g. Chord)
  • Keys assigned to nodes with consistent hashing
  • SHA-1 is used as the base hash function
  • Consistent hashing has desirable load balancing
    properties
  • Question What is used as the indexing criteria
    for hidden services?

37
Requesting Service
Lookup Service
Bob IP1 IP2 IP3
IP1
RP
Bobs OP
Alices OP
IP2
IP3
1 Request Bobs information 2 Bobs
information 3 Build a circuit to RP 4 Contact
Bobs introduction point to request service 5
Relay Alices service request to Bob 6 Bob build
a circuit to Alices RP
38
Exit Policies Abuse
  • Anonymity permits abusers to hide the origins of
    their activity
  • Attackers can implicate exit nodes for their
    abuse
  • When a systems public image suffers, it can
    reduce the number and diversity of the systems
    users ? in this case, the anonymity group
  • Tor allows each OR to specify an exit policy that
    describes to which external addresses and ports
    it will connect
  • Open exit nodes will connect to anywhere
  • Middleman nodes only relay traffic to other Tor
    nodes
  • Private exit nodes only connect to a local host
    or network
  • Restricted exit nodes prevent access to
    abuse-prone addresses and services

39
Exit Policies Abuse
  • Additional mechanisms
  • Port restriction
  • Use proxies to clean outgoing traffic
  • Rewrite outgoing traffic to indicate that it
    passes through an anonymizing network
  • Question Can static exit policies introduce
    potential for exploitation?

40
Directory Servers
  • Directories in Tor are a small group of
    redundant, well-known onion routers to track
    changes in network topology and node state
  • Each directory acts as an HTTP server, clients
    fetch network info
  • ORs post signed statements to the directories
  • Directories must be synchronized
  • Tor assumes that a threshold of participants
    agree on the set of directory servers, with human
    administrators resolving problems when consensus
    cannot be reached
  • Question Why use directories instead of flooding
    or gossiping updates?

41
Passive Attacks
  • Observing user traffic patterns
  • Observing user content
  • Option distinguishability
  • End-to-end timing correlation
  • End-to-end size correlation
  • Website fingerprinting

42
Active Attacks
  • Compromise keys
  • Iterated compromise
  • Run a recipient
  • Run an OR
  • DoS non-observed nodes
  • Run a hostile OR
  • Replace contents of unauthenticated protocols
  • Replay attacks
  • Smear attacks
  • Distribute hostile code

43
Directory Attacks
  • Destroy directory servers
  • Subvert a directory server
  • Subvert a majority of directory servers
  • Encourage directory server dissent
  • Trick the directory servers into listing a
    hostile OR
  • Convince the directories that a malfunctioning OR
    is working

44
Attacks Against Rendezvous Points
  • Make many introduction requests
  • Attack an introduction point
  • Compromise an introduction point
  • Compromise a rendezvous point

45
Tor in the Wild
  • As of Mid-May 2004
  • 32 nodes (more joining each week)
  • Each nodes has at least 768Kb/768Kb connection
  • Several companies have taken use of Tor
  • Processed 800,000 relay cells per week
  • All of CPU time in AES
  • Current latency (network latency, end to end
    congestion control)

46
Tor in the Wild
  • As of Jan. 2006 Tor developers are looking for
    more sponsors
  • As of Feb. 2006 Tor has grown to hundreds of
    thousands of users
  • Pushing for more users to run servers to expand
    the Tor network
  • Looking for help to improve the system and fix
    some critical bugs

47
Future Directions
  • Scalability
  • Bandwidth classes
  • Incentives
  • Cover traffic
  • Caching at exit nodes
  • Better directory distribution
  • Wider-scale deployment

48
Conclusions
  • When designing anonymity preserving systems, the
    main challenge is striking a balance between
    scalability, decentralization, and privacy
  • Tor adds several enhancements to the original
    Onion Routing system, but there are still many
    open issues, vulnerabilities, and areas of future
    work
  • More information is needed about the selection of
    volunteer ORs and circuit establishment
Write a Comment
User Comments (0)
About PowerShow.com