
Anonymous networks and timing attacks: Tor

Introduction | Tor | Tarzan and MorphMix | Low-cost attack | Low-cost attack on Tarzan and Morphmix | Principles of building secure systems (conclusion)

I present to you the second part of the translation of the remarkable article "Principles of building anonymizing systems with low latency opposing timing attacks". This chapter is devoted entirely to Tor, currently the most popular anonymizing network.

Do take the time to read the introduction.



Tor


Tor, the second generation of Onion Routing, is a low-latency* anonymous communication system based on chains of relay nodes. It is an improved version of Onion Routing. Onion Routing (OR) is an anonymous communication system for tasks such as browsing the Internet, instant messaging and SSH. To avoid the drawbacks and limitations of OR, the Tor developers added several new features. Here are some of them: perfect forward secrecy, congestion control, directory services, integrity checking, configurable exit policies, rendezvous points, and hidden services. Some things were removed: mixing* and the equalization of flows by traffic volume 6.

There are three main actors in Tor: the Tor client, the Tor servers (nodes) and the recipient of the stream. Logically, the Tor client is a sender who wants to contact the recipient anonymously. In OR it was called the Onion Proxy. Tor servers are relay nodes (Onion Routers in OR). They pass streams on to the next nodes, following the instructions of the Tor client. As in OR, the last node in the chain before the recipient is called the exit node. The recipient does not have to be part of the Tor network. The exit node acts as the link between the open world (the recipients) and the Tor network.

As in OR, the Tor client chooses which Tor servers to include in the chain (a path in Tor is called a chain, or circuit). In OR, one chain can be used for only one TCP connection; Tor allows many TCP connections to share one chain. Chains are built in advance. The main function of the Tor client is to define a chain and establish shared keys between the client and every intermediate node. The keys are needed later, when the client starts sending network packets to the recipient and receiving them back. In Tor, the length of the chain is fixed at 3 nodes.

When a client wants to send data to a recipient anonymously, for example when a user opens a web site, the packet stream is divided into segments of a fixed size: 512 bytes. Then, using the previously established shared session keys, the segments are wrapped in layers of encryption, one layer for each relay node (Tor server). This is done in such a way that when a Tor server removes its layer, it learns only the preceding node and the next node in the chain. Unlike OR, which provides for mixing, the Tor packets entering a node (the 512-byte ones) are simply queued, processed and sent on in "first in, first out" order.
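The layering and first-in-first-out forwarding described above, as an added example that is not code from the original article or from the Tor project. It assumes a toy SHA-256 counter-mode cipher as a stand-in for the real one, a constructed cell layout (2-byte length plus padding), and hypothetical names (`send_through_chain`, `KEYS`, `MESSAGE`).

```python
import hashlib
from collections import deque

CELL = 512  # fixed segment size given in the text

def keystream_xor(key, seq, data):
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's cipher."""
    stream = b"".join(
        hashlib.sha256(key + seq.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def to_cells(payload):
    """Split a byte stream into 512-byte cells: 2-byte length + zero-padded data."""
    body = CELL - 2
    return [len(payload[i:i + body]).to_bytes(2, "big")
            + payload[i:i + body].ljust(body, b"\0")
            for i in range(0, len(payload), body)]

def from_cells(cells):
    return b"".join(c[2:2 + int.from_bytes(c[:2], "big")] for c in cells)

def client_wrap(cell, hop_keys, seq):
    """Add one layer per node; the exit node's layer goes on first (innermost)."""
    for key in reversed(hop_keys):
        cell = keystream_xor(key, seq, cell)
    return cell

def relay(queue_in, key):
    """One node: take cells in arrival order, strip its own layer, forward."""
    queue_out = deque()
    while queue_in:
        seq, cell = queue_in.popleft()  # first in, first out; no mixing
        # seq stands in for the cipher counter state each node keeps per chain
        queue_out.append((seq, keystream_xor(key, seq, cell)))
    return queue_out

def send_through_chain(payload, hop_keys):
    """Return (payload recovered after the exit node, what each link carried)."""
    link = deque((seq, client_wrap(c, hop_keys, seq))
                 for seq, c in enumerate(to_cells(payload)))
    views = [[c for _, c in link]]
    for key in hop_keys:
        link = relay(link, key)
        views.append([c for _, c in link])
    return from_cells(views[-1]), views

# Constructed sample data: three per-node session keys and a small request stream.
KEYS = [hashlib.sha256(b"constructed key %d" % i).digest() for i in range(3)]
MESSAGE = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n" * 20
```

Every link carries cells of identical size and different content, but their order and number are unchanged from node to node, which is the property the timing attacks discussed later rely on.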


Figure 1. Tor Architecture

Tor Threat Model


The attacker's goal is to identify both the sender and the recipient. Like all other real-world low-latency anonymizing networks, Tor cannot protect against a global observer. However, it successfully resists an attacker who:

Traffic-based attacks can be divided into two categories: traffic confirmation attacks and traffic analysis attacks. Within each category, attacks are divided into active and passive.

Traffic confirmation attacks are attacks in which the attacker already has an assumption about a connection between the sender and the recipient and tests this guess using the traffic pattern*. Suppose the attacker suspects that Alice is talking to Bob and wants to make sure of it. As an example of a passive attack, consider a situation where an attacker

If the attacker acts more actively, and does not only observe but also introduces distinctive features into the traffic, marking it (for example, by creating artificial delays or otherwise changing its characteristics), then this is an example of an active attack.

Traffic analysis attacks are attacks in which the attacker determines which network nodes' traffic is worth looking at and then tries to apply traffic confirmation attacks to it. 7 For example, a passive attacker can monitor the edges of the network and try to find the relationship between incoming and outgoing flows, basing the guesses on the entry and exit times of packets or on their sizes. Or the attacker can act more actively and impose characteristics on a stream to make it easier to identify at the exit from the network.
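How much of a flow's timing pattern survives a first-in-first-out node, compared with a link padded to a constant rate with empty packets (the measure Tor dropped, see note 6), as an added example that is not from the original article. All flows are constructed and simulated in memory; the second sender "Carol", the 50 ms delay, the 500 ms window and every function name are assumptions.

```python
WINDOW_MS, DURATION_MS, TICK_MS = 500, 10_000, 10

def bursts(spec):
    """Constructed flow: (start_ms, n_cells) bursts, one cell every 10 ms."""
    return [start + TICK_MS * i for start, n in spec for i in range(n)]

def fifo_relay(arrivals, delay_ms=50):
    """Node without mixing or padding: each cell leaves after a fixed delay."""
    return [t + delay_ms for t in arrivals]

def padded_relay(arrivals):
    """Constant-rate link: every tick sends a queued cell or an empty dummy."""
    queue, out, dummies = sorted(arrivals), [], 0
    for tick in range(0, DURATION_MS, TICK_MS):
        if queue and queue[0] <= tick:
            queue.pop(0)          # a real cell fills this slot
        else:
            dummies += 1          # nothing queued: send an empty cell
        out.append(tick)          # on the wire both look the same
    return out, dummies

def counts(times):
    """Cells seen in each observation window."""
    c = [0] * (DURATION_MS // WINDOW_MS)
    for t in times:
        if 0 <= t < DURATION_MS:
            c[t // WINDOW_MS] += 1
    return c

def pearson(x, y):
    """Correlation of two count series; 0.0 when one of them never varies."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

# Constructed sample flows entering the network.
ALICE = bursts([(0, 20), (1300, 5), (2100, 35), (4600, 12), (7200, 28), (8000, 8)])
CAROL = bursts([(600, 15), (3200, 30), (5500, 10), (6100, 25), (9000, 18)])

def experiment():
    exit_fifo = fifo_relay(ALICE)
    exit_padded, dummies = padded_relay(ALICE)
    return {
        "fifo_same_flow": pearson(counts(ALICE), counts(exit_fifo)),
        "fifo_other_flow": pearson(counts(CAROL), counts(exit_fifo)),
        "padded_same_flow": pearson(counts(ALICE), counts(exit_padded)),
        "dummy_cells": dummies,
    }
```

With these inputs the padded link hides the pattern completely, at the cost of 892 empty cells for 108 real ones, which illustrates the bandwidth trade-off behind leaving padding out of a low-latency design.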

Tor and traffic analysis attacks


The Tor developers decided not to spend their effort on traffic confirmation attacks and focused only on traffic analysis attacks. Because the global observer is not part of the Tor threat model, some traffic analysis attacks may be ignored. More information about how Tor resists traffic analysis attacks can be found in Dingledine and Mathewson (Dingledine et al. 2004). Other attacks that are beyond the scope of this article, for example attacks on directory services and rendezvous points, are also considered in (Dingledine et al. 2004).



Translator's Note

6 Equalizing flows by traffic volume.

For example, a user created five sharp bursts of traffic per second. So that this stream does not stand out by its load, traffic made of empty packets is mixed into the other streams.


7 Traffic confirmation attacks are a special case of traffic analysis attacks.


* See "Anonymous Low-latency Communication System", "Traffic Blending" and "Traffic Pattern" in the introduction.

Source: https://habr.com/ru/post/114974/

