ppt(tor) - SysSec (System Security) Lab

Anonymous routing and mix nets (Tor)
Yongdae Kim
A significant fraction of these slides are borrowed from CS155 at Stanford

Anonymous web browsing
 Why?
1. Discuss health issues or financial matters anonymously
2. Bypass Internet censorship in parts of the world
3. Conceal interaction with gambling sites
4. Law enforcement
 Two goals:
▹ Hide user identity from target web site: (1), (4)
▹ Hide browsing pattern from employer or ISP: (2), (3)

Current state of the world I
 ISPs tracking customer browsing habits:
▹ Sell information to advertisers
▹ Embed targeted ads in web pages (1.3%)
» Example: MetroFi (free wireless) [Web Tripwires: Reis et al. 2008]
 Several technologies used for tracking at ISP:
▹ NebuAd, Phorm, Front Porch
▹ Bring together advertisers, publishers, and ISPs
» At ISP: inject targeted ads into non-SSL pages
 Tracking technologies at enterprise networks:

Current state of the world II
 EU directive 2006/24/EC: 3 year data retention
▹ For ALL traffic, requires EU ISPs to record:
» Sufficient information to identify endpoints (both legal entities and natural persons)
» Session duration
» … but not session contents
▹ Make available to law enforcement
» … but penalties for transfer or other access to data
 For info on US privacy on the net:
▹ “Privacy on the Line” by W. Diffie and S.

Part 1: network-layer privacy
Goals:
▹ Hide user’s IP address from target web site
▹ Hide browsing destinations from network

1st attempt: anonymizing proxy
[Diagram: User1, User2, User3 → anonymizer.com → Web1, Web2, Web3; each request is sent as HTTPS://anonymizer.com?URL=target]

Anonymizing proxy: security
 Monitoring ONE link: eavesdropper gets nothing
 Monitoring TWO links:
▹ Eavesdropper can do traffic analysis
▹ More difficult if lots of traffic through proxy
 Trust:
▹ Proxy is a single point of failure
▹ Can be corrupt or subpoenaed
» Example: The Church of Scientology vs. anon.penet.fi
 Protocol issues:
▹ Long-lived cookies make connections to site

How proxy works
 Proxy rewrites all links in response from web site
▹ Updated links point to anonymizer.com
» Ensures all subsequent clicks are anonymized
 Proxy rewrites/removes cookies and some HTTP headers
 Proxy IP address:
▹ If a single address, could be blocked by site or ISP
▹ anonymizer.com consists of >20,000 addresses
» Globally distributed, registered to multiple domains
» Note: Chinese firewall blocks ALL anonymizer.com addresses

2nd attempt: MIX nets
Goal: no single point of failure

MIX nets [Chaum’81]
[Diagram: routers R1 … R6 and destination srvr; the packet travels R2 → R3 → R6 → srvr]
 Every router has public/private key pair
▹ Sender knows all public keys
 To send packet:
▹ Pick random route: R2 → R3 → R6 → srvr
▹ Onion packet: E_pk2( R3, E_pk3( R6, E_pk6( srvr, msg ) ) )

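The onion construction above, as an added example that is not part of the original slides: a symmetric encrypt-then-MAC stands in for each router's public-key encryption E_pk, the route R2 → R3 → R6 → srvr is the one on the slide, and the per-router keys are constructed. It shows that each router learns only its predecessor and successor, that packet length does not depend on the message, and that a tampered layer is rejected.

```python
import hashlib, hmac, os

HOP = 8       # fixed-width next-hop field inside every layer
MAX_MSG = 64  # every message is padded to this length (slide: pad all to max len)

def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Symmetric encrypt-then-MAC, standing in for the router's public-key
    # encryption E_pk on the slide (constructed for this example).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(route, dest, msg, keys):
    # Route [R2, R3, R6] gives E_k2(R3, E_k3(R6, E_k6(srvr, msg))), built inside-out.
    payload = len(msg).to_bytes(2, "big") + msg.ljust(MAX_MSG, b"\0")
    hops = route + [dest]
    for i in reversed(range(len(route))):
        payload = seal(keys[route[i]], hops[i + 1].encode().ljust(HOP, b"\0") + payload)
    return payload

def peel(router, blob, keys):
    # A router strips exactly one layer and learns only who to forward to.
    plain = unseal(keys[router], blob)
    return plain[:HOP].rstrip(b"\0").decode(), plain[HOP:]

def route_onion(route, dest, msg, keys):
    # Simulate the traversal and record each router's (predecessor, successor) view.
    blob, prev, view = build_onion(route, dest, msg, keys), "sender", {}
    for r in route:
        nxt, blob = peel(r, blob, keys)
        view[r] = (prev, nxt)
        prev = r
    n = int.from_bytes(blob[:2], "big")
    return view, blob[2:2 + n]  # the message srvr finally receives

def make_keys(routers):
    # Constructed per-router keys for the demo; a real mix net uses each router's key pair.
    return {r: hashlib.sha256(r.encode()).digest() for r in routers}
```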
Eavesdropper’s view at a single MIX
[Diagram: user1, user2, user3 send into router Ri, which outputs a shuffled batch]
 Eavesdropper observes incoming and outgoing traffic
 Crypto prevents linking input/output pairs
▹ Assuming enough packets in incoming batch
▹ If variable length packets then must pad all to max len

Performance
[Diagram: R2 → R3 → R6 → srvr]
 Main benefit:
▹ Privacy as long as at least one honest router on path
 Problems:
▹ High latency (lots of public key ops)
» Inappropriate for interactive sessions
» May be OK for email (e.g. Babel system)
▹ No forward security

3rd attempt: Tor
MIX circuit-based method
Goals: privacy as long as one honest router on path, and reasonable performance

The Tor design
 Trusted directory contains list of Tor routers
 User’s machine preemptively creates a circuit
▹ Used for many TCP streams
▹ New circuit is created once a minute
[Diagram: a circuit through routers R1 … R6 to srvr1 and srvr2; one minute later a new circuit is used]

Creating circuits
[Diagram: User — TLS encrypted — R1 — TLS encrypted — R2]
User → R1: Create C1 (D-H key exchange) ⇒ User and R1 share K1
User → R1: Relay C1 {Extend R2}; R1 → R2: Extend R2 (D-H key exchange) ⇒ User and R2 share K2

Once circuit is created
[Diagram: User holds K1, K2, K3, K4; R1 holds K1, R2 holds K2, R3 holds K3, R4 holds K4]
 User has shared key with each router in circuit
 Routers only know ID of successor and

Sending Data
[Diagram: User and R1 share K1; User and R2 share K2]
User → R1: Relay C1 {Begin site:80}; R1 → R2: Relay C2 {Begin site:80}; R2 ↔ site: TCP handshake
User → R1: Relay C1 {data HTTP GET}; R1 → R2: Relay C2 {data HTTP GET}; R2 → site: HTTP GET
site → R2: resp; R2 → R1: Relay C2 {data resp}; R1 → User: Relay C1 {data resp}

Complete View
[Diagram: the full Tor exchange from the preceding slides]

Properties
 Performance:
▹ Fast connection time: circuit is preestablished
▹ Traffic encrypted with AES: no pub-key on traffic
 Tor crypto:
▹ Provides end-to-end integrity for traffic
▹ Forward secrecy via TLS
 Downside:
▹ Routers must maintain state per circuit
▹ Each router can link multiple streams via CircuitID

Privoxy
 Tor only provides network level privacy
▹ No application-level privacy
» e.g. mail progs add “From: email-addr” to outgoing mail
 Privoxy:
▹ Web proxy for browser-level privacy
▹ Removes/modifies cookies
▹ Other web page filtering

Anonymity attacks: watermarking
[Diagram: R1 → R2 → R3]
 Goal: R1 and R3 want to test if user is communicating with server
 Basic idea:
▹ R1 and R3 share sequence: 1, 2, … , n ∈ {-10,…,10}
▹ R1: introduce inter-packet delay to packets leaving R1 and bound for R2. Packet i delayed by i (ms)
▹ Detect signal at R3

Anonymity attacks: congestion
[Diagram: R1 → R2 → R3, with R8 sending probe traffic to R1]
 Main idea: R8 can send Tor traffic to R1 and measure load on R1
 Exploit: malicious server wants to identify user
▹ Server sends burst of packets to user every 10 seconds
▹ R8 identifies when bursts are received at R1
▹ Follow packets from R to discover user’s ID

Tor: hidden services (server-side)
HiddenServiceID.onion, e.g. facebookcorewwwi.onion
(1) Hidden service ID (HID): Base32_encode(first 10 bytes of SHA-1(new 1024-bit RSA public key))
(2) Randomly select 3 Tor relays and use them as introduction points
[Diagram: Alice (Tor client); Bob (xyz.onion, Tor hidden service via onion proxy); introduction points IP1, IP2, IP3 inside the Tor network]
https://www.torproject.org/docs/hidden-services.html.en

Tor: hidden services (server-side)
Steps 3 and 4 are done hourly!
(3) Obtain the consensus list of hidden service directories (HSDirs) from the directory authorities.
(4) Generate the service descriptor
Hidden Service Descriptor: [Descriptor ID + its public key + Introduction Points (IPs)] signed by its private key
(5) Upload the generated service descriptor to the corresponding HSDirs (to a set of 6 HSDirs via a 3-hop circuit)
Details are explained on the next slide
[Diagram: Alice (Tor client); Bob (Tor hidden service); HSDir=1 relays; introduction points IP1, IP2, IP3 inside the Tor network]
https://www.torproject.org/docs/hidden-services.html.en & Donncha O’Cearbhaill’s blog post (Trawling Tor Hidden Service)

Tor: hidden services (server-side)
HS descriptor ID (fingerprint) computation:
hs-descriptor-id = SHA1( permanent-id || SHA1( time-period || replica ) )
Permanent-id: first 80 bits (10 bytes) of SHA1(public key)
Time period: (current-time + permanent-id-byte * 86400 / 256) / 86400
Permanent-id-byte: first unsigned byte of perm-id
Replica: which set of HSDirs
Example) facebookcorewwwi.onion
descriptor-id =
SHA1( facebookcorewwwi || SHA1(16583 || 0))
SHA1( facebookcorewwwi || SHA1(16583 || 1))
replica 0: ys5pml4c6txpw5hnq5v4zn2htytfejf2
replica 1: fq7r4ki5uwcxdxibdl7b7ndvf2mvw2k2

A simple Distributed Hash Table (DHT)
Upload the service descriptor to the 3 HSDir Tor relays closest to the descriptor ID position (one position per replica)!

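The descriptor-ID computation from the previous slide and the HSDir placement rule from this one, as an added example that is not part of the original slides. It follows the slide's formula with the byte encoding rend-spec v2 uses (4-byte big-endian time period, 1-byte replica, no descriptor cookie), derives the permanent-id from the onion name as a client does, and picks the responsible HSDirs from a constructed list of relay fingerprints; the time period 16583 used on the slide corresponds to `now = 16583 * 86400`, so the two descriptor IDs it lists can be compared with the output.

```python
import base64
import hashlib

DAY = 86400  # length of a v2 time period (descriptor validity), in seconds

def permanent_id(onion_name):
    # Client side: the 16-char onion name is the base32 of the 10-byte permanent-id.
    return base64.b32decode(onion_name.upper())

def time_period(now, permanent_id_byte):
    # Slide: (current-time + permanent-id-byte * 86400 / 256) / 86400, in integer arithmetic.
    return (now + permanent_id_byte * DAY // 256) // DAY

def descriptor_id_bytes(onion_name, now, replica):
    # hs-descriptor-id = SHA1( permanent-id || SHA1( time-period || replica ) )
    # Encoding as in rend-spec v2: 4-byte big-endian time period, 1-byte replica,
    # no descriptor cookie (public hidden service).
    pid = permanent_id(onion_name)
    tp = time_period(now, pid[0]).to_bytes(4, "big")
    return hashlib.sha1(pid + hashlib.sha1(tp + bytes([replica])).digest()).digest()

def descriptor_id(onion_name, now, replica):
    # The 32-char lowercase base32 form shown on the slide.
    return base64.b32encode(descriptor_id_bytes(onion_name, now, replica)).decode().lower()

def responsible_hsdirs(desc_id, hsdir_fingerprints_hex, n=3):
    # DHT slide: the n HSDirs whose identity fingerprints come right after the
    # descriptor ID on the ring (compared as bytes), wrapping around at the top.
    ring = sorted(bytes.fromhex(fp) for fp in hsdir_fingerprints_hex)
    after = [fp for fp in ring if fp > desc_id]
    return [fp.hex() for fp in (after + ring)[:n]]

def hsdirs_for_service(onion_name, now, hsdir_fingerprints_hex):
    # Both replicas: the 2 x 3 = 6 HSDirs the slide uploads to.
    return {r: responsible_hsdirs(descriptor_id_bytes(onion_name, now, r), hsdir_fingerprints_hex)
            for r in (0, 1)}
```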
Tor: hidden services (client-side)
(1) Compute the hs-descriptor-id of xyz.onion and, in the same way as described on the previous slide, identify the HSDirs that store that service's descriptor
(2) Download the service descriptor of xyz.onion from those HSDirs and obtain the hidden service's public key and introduction points (IPs)
[Diagram: Alice (Tor client) wants to "Go to xyz.onion"; HSDir=1 relays holding the descriptor DB; introduction points IP1, IP2, IP3; Bob (xyz.onion, Tor hidden service) inside the Tor network]
Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful

Tor: hidden services (client-side)
(3) Generate a one-time secret (cookie)
(4) Select an arbitrary Tor relay and use it as the rendezvous point (by sending it the cookie)
(5) After building a Tor circuit to that rendezvous point,
(6) create an introduce message (cookie & address of the RP) and send it to the introduction points (IPs)
(7) The IP delivers the message to Bob
[Diagram: Alice (Tor client) wants to "Go to xyz.onion"; rendezvous point (RP) holding the cookie; introduce msg. via IP1, IP2, IP3 to Bob (xyz.onion, Tor hidden service) inside the Tor network]
Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful

Tor: hidden services (client-side)
(6) Bob decrypts the introduce message using his own public key and obtains the address of the rendezvous point (RP) and the cookie
(7) Bob builds a Tor circuit to the RP, connects, and sends a rendezvous message (including the cookie)
(8) After authentication, the RP simply relays the messages between Alice and Bob (end-to-end encrypted)
[Diagram: Alice (Tor client) wants to "Go to xyz.onion"; Alice and Bob (xyz.onion, Tor hidden service) both connected to the rendezvous point (RP) holding the cookie; introduction points IP1, IP2, IP3 inside the Tor network]
Filippo Valsorda and George Tankersley – Non-Hidden Hidden Services Considered Harmful