MIT course "Computer Systems Security". Lecture 19: "Anonymous Networks", part 1 (lecture by a creator of the Tor network)
Massachusetts Institute of Technology. Lecture course 6.858, "Computer Systems Security". Nickolai Zeldovich, James Mickens. 2014
Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.
Nikolai Zeldovich: Great, guys, let's start! Today we will talk about Tor. Here we have one of the authors of the article you read today, Nick Mathewson. He is also one of the main developers of Tor and is going to tell you in detail about this system.
Nick Mathewson: I could start by saying "please raise your hands if you haven't read the lecture article," but that doesn't work, because you're ashamed to admit that you haven't read it. Therefore, I will ask in another way: think about the date of your birth. If the last digit of your date of birth is odd, or if you have not read the article, please raise your hand. Well, almost half the audience. I believe that most of you still read the article.
So, means of communication that maintain our confidentiality allow us to communicate more honestly in order to gather better information about the world, because, due to justified or unjustified social or other consequences, we are otherwise less relaxed in communication.
This leads us to Tor, which is an anonymity network. Together with friends and colleagues, I have been working on this network for the last 10 years. We have a group of volunteers who have provided and managed more than 6,000 working servers to support Tor. At first, they were our friends, whom Roger Dingledine and I knew from our studies at MIT.
After that, we advertised our network, and more people started running servers. Tor is now run by non-profit organizations, private individuals, some university teams, perhaps some of the people here, and, no doubt, some very dubious individuals. Today we have about 6,000 nodes that serve from hundreds of thousands to hundreds of millions of users, depending on how you count. It is difficult to count all the users because they are anonymous, so you must use statistical methods to estimate. Our traffic is about terabytes per second.
Many people need anonymity for their usual work, and not everyone who needs anonymity thinks of it as anonymity. Some people say that they do not need anonymity, and they freely identify themselves.
But there is a widespread understanding that confidentiality is necessary or useful. And when ordinary people use anonymity, they tend to do it because they want privacy in search results or privacy in conducting online research. They want to be able to engage in local politics without offending local politicians, and so on. Researchers often use anonymization tools to avoid collecting data biased by geolocation, because it may be useful to them to develop certain versions of some things.
Companies use anonymity technology to protect sensitive data. For example, if I can track all the movements of a group of employees of a large Internet company, just by watching how they visit their web server from different places around the world, or how different companies around the world visit it, then I can find out a lot about who they work with. Companies prefer to keep such information secret. Companies also use anonymity technology to conduct research.
So, one major manufacturer of routers, I don't know if it exists now, regularly sent out completely different versions of the technical specifications of its products to the IP addresses associated with its competitors, in order to complicate their reverse engineering. Competitors discovered this with the help of our network and said to this manufacturer: "Hey, wait a minute, we got a completely different specification when we went through Tor than the one we received directly from you!"
Law enforcement agencies also need anonymity technologies so as not to alert suspects to their observation. You do not want the local police station's IP address to show up in the web logs of the suspect's computer. As I already said, ordinary people need anonymity to avoid harassment due to online activity when learning about very sensitive things.
If you live in a country with uncertain health legislation, then you don't want your diseases to be made public, or others to find out about some of your unsafe hobbies. Many criminals also use anonymity technology. This is not their only option, but if you are ready to buy time on a botnet, then you can buy pretty good privacy that is inaccessible to people who consider the botnet something immoral.
Tor, like anonymity tools in general, is not the only multi-purpose privacy technology. Let's see ... the average graduate age is 20 years. Since you were born, have you ever talked about the crypto wars? No!
Meanwhile, during the 1990s in the United States, the question of how legitimate the civil use of cryptography was, and to what extent we allow its export in public applications, was left hanging. This issue was resolved only in the late 90s to early 2000s. And although there are still some debates about anonymity technology, this is nothing more than a debate. And I think they will end the same way, with recognition of the legality of anonymity.
So on the board you see a summary of my talk. I have given you a little introduction; then we will discuss what anonymity technically means and talk a little about the motivation for using it.
After that, I'm going to take you step by step along a path, at the beginning of which is the idea that we need some anonymity, and at the end of which is what the Tor project should look like according to this idea. I will also mention some of the branch points along this path, by which you can be "brought" to other projects. I also intend to dwell on some interesting questions that you all sent in as your homework for this lecture.
I'll tell you a little about how node discovery works; this is an important topic. After that, I will hold a vote on which of the additional topics mentioned here should be covered.
I think we call them supplementary because they follow the basic material of the lecture, and I cannot cover them all, but these are really cool topics.
I will mention some of the Tor-related systems whose design you should read about if this topic interests you and you want to know more about it.
I will talk about the future work that we want to do with Tor, and I hope that we will sometime have time for this. And if after all this we have time to answer your questions, then I will answer them all. I hope that I will not need to take an extra hour of lecture time. My colleague David is sitting there in the audience; he will "hang out" among you during the lecture and talk to anyone who wants to talk on the subject.
So, anonymity. What do we mean when we talk about anonymity? There are many informal concepts that are used in informal discussions, on forums, on the Internet, and so on. Some people believe that anonymity simply means "I will not put my name on this." Some people believe that anonymity is when "no one can prove that it is me, even if they strongly suspect it."
We mean a number of concepts expressing the ability of an attacker to associate a user with any actions on the network. These concepts come from the terminology of Pfitzmann and Hansen's article; you will find a link to it in freehaven.net/anonbib/, a bibliography of anonymity which I help maintain.
This bibliography includes most of the good work in this area. We need to bring it up to date, to 2014, but even in its current form it is a rather useful resource.
Therefore, when I say "anonymity", I mean the following. Alice is engaged in some kind of activity. Suppose Alice is buying new socks. And here we have some kind of attacker; let's call her Eve. Eve can tell that Alice is doing something. Preventing this is not what we mean by anonymity; that is called unobservability. Perhaps Eve can also tell that someone is buying socks. Again, this is not what we mean by anonymity. But we hope that Eve will not be able to tell that Alice is the person who buys new socks.
At the same time, we mean that, at the category level, Eve not only cannot prove with mathematical precision that it is Alice who buys socks, but she also cannot assume that Alice buys socks with any more likelihood than any random person. I would also like Eve, watching Alice's activities, to be able to conclude only that Alice sometimes buys socks, even if Eve finds out about Alice's particular activity of buying socks.
There are other concepts related to ensuring anonymity. One of them is unlinkability, or the absence of direct links. Unlinkability is like Alice's temporary profile. For example, Alice writes under the pseudonym "Bob" in a political blog, which could ruin her career if her superiors learned about it. So she writes as Bob. Unlinkability, then, is the inability of Eve to associate Alice with a specific user profile, in this case with the user profile named Bob.
The final concept is unobservability, where some systems try to make it impossible even to say that Alice is on the Internet, that Alice is connecting to something on the network, and that she is showing network activity.
These systems are quite difficult to build; later I will tell you a little about how useful they are. The ability to hide the fact that Alice uses the anonymity system, rather than the fact that she is on the Internet, can be useful in this area. This is more achievable than absolute concealment of the fact that Alice is on the Internet.
Why did I start working on this in the first place? Well, partly due to an "engineering itch." This is a cool problem, this is an interesting problem, and no one had yet worked on it. In addition, my friend Roger received a contract to complete a stalled research project that was supposed to be finished before the grant expired. He was so good at this job that I said, "Hey, I will join this business too." After some time, we formed a non-profit organization and released our open source project. From the point of view of deeper motivations, I think that mankind has many problems that can be solved only through better and more focused communication, freer self-expression and greater freedom of thought. And I do not know how to solve these problems. The only thing I can do is try to prevent the infringement of freedom of communication, thought and conversation.
Student: I know there are many good reasons to use Tor. Please do not take this as criticism, but I am curious how you feel about criminal activity.
Nick Mathewson: What is my opinion on criminal activity? Some laws are good, some are bad. My lawyer would tell me never to advise anyone to break the law. My goal was not to create an opportunity for a criminal to act against most laws, with which I agree. But where criticism of the government is illegal, I am for that kind of criminal activity. So in this case, we can assume that I support such criminal activities.
My position on the use of an anonymous network for criminal activity is that if the existing laws are fair, I would prefer that people do not violate them. In addition, I think that any computer security system that is not used by criminals is a very bad computer security system.
I think that if we prohibit security that works for criminals, we will be driven into the area of completely unsafe systems. This is my opinion, although I am more a programmer than a philosopher. Therefore, I will give very banal answers to philosophical questions and questions of a legal nature. In addition, I am not a lawyer and I cannot give a legal assessment of this problem, so do not take my statements as legal advice.
Nevertheless, many of the research problems which I will talk about are far from being resolved. So why do we continue to research in the same direction? One of the reasons is that we considered it impossible to advance in anonymity research without the existence of the necessary test platform. This view has been fully confirmed, since Tor has become a research platform for working with low-latency anonymity systems and has been of great assistance in this area.
But even now, 10 years later, many major problems are still unresolved. So if we had waited 10 years to fix everything, we would have waited in vain. We expected the existence of such an anonymity system to bring long-term results to the world. That is, it is very easy to argue that what does not exist should be prohibited. Arguments against civilian use of cryptography were much easier to make in 1990 than in our time, because at that time there was practically no reliable encryption for civilian use. Opponents of civilian cryptography at that time could argue that if you made anything stronger than DES legal, civilization would collapse, criminals would never be caught, and organized crime would prevail in everything.
But in 2000 you could not have argued that the consequences of the spread of cryptography would be a disaster for society, because by that time civilian cryptography already existed, and it turned out that this was not the end of the world. In addition, in 2000 it would have been much more difficult to advocate for the prohibition of cryptography, because the majority of voters favored its use.
So if someone in 1985 had said "let's ban strong cryptography," it could be assumed that banks need it, so an exception could be made for the banking sector. But besides the banks, in the public, civilian sphere of activity there was no one who had an acute need for encryption of information.
But if someone in 2000 had demanded a prohibition on strong encryption systems, it would have struck at every Internet company, and everyone who runs https pages would have started screaming and waving their hands.
Therefore, at present, a ban on strong cryptography is practically not feasible, although people occasionally return to this idea. But again, I am not a philosopher or a political analyst of this movement.
Some ask me: what is your threat model? It's good to think in terms of threat models, but, unfortunately, our threat model is rather strange. We did not start with consideration of the requirements for opposing an adversary, but with the requirements for usability. We ourselves decided that the first requirement for our product was that it should be useful for browsing web pages and for interactive protocols, and within that constraint we intended to ensure maximum security. So our threat model will look rather strange if you try to write into it what an attacker can do, under what circumstances and how.