cryptographic challenges in and around tor
play

Cryptographic Challenges in and around Tor Nick Mathewson The Tor - PowerPoint PPT Presentation

Jan 20, 2024 •268 likes •601 views

Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013 Summary Very quick Tor overview Tor's cryptography, and how it's evolving Various opportunities for more Tor crypto work Disclaimer: This is

  1. Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013

  2. Summary ● Very quick Tor overview ● Tor's cryptography, and how it's evolving ● Various opportunities for more Tor crypto work Disclaimer: This is not exhaustive; these are only our most interesting crypto needs, not all of them; these are not our most urgent needs in general.

  3. Part 1: Tor overview

  4. Ordinarily, traffic analysis and censorship are easy. User Server Server Server User Server Server User +

  5. Ordinarily, traffic analysis and censorship are easy. User Server Server Server k n i L l i v User Server E Evil User Server Evil ISP

  6. Tor makes traffic analysis and censorship harder... User Server Server Server Tor Network User Server (abstract) Server User

  7. ...by using a network of relays to anonymize traffic. Tor User Server Server Server Tor Relay Exit Tor Relay Tor User Server Relay Tor Relay Tor Tor Server User Exit Relay (Use non-public entry relays to resist censorship.)

  8. (But an end-to-end traffic correlation attack still works.) User Server Server Server X xx Tor Network User Server (abstract) X xx Server User

  9. Tor is the largest deployed network of its kind ● 3000 relays ● 1000 public bridges ● > 2 GiB/sec ● > 500,000 users each day (estimated) – (With a pretty broad diversity of interest)

  10. Part 2: Tor could use better crypto

  11. Tor uses TLS for its link protocol... Tor TLS User Relay Tor Tor TLS Relay Relay

  12. … with all the problems that entails. ● Easy to detect TLS variants based on: – Cipher choice – Certificate structure – List of extensions ● More secure: less common. Can't use any unpopular TLS feature. (Did you know I have an effective veto over any new TLS features?)

  13. Maybe other link protocols are better for anticensorship? Tor User Relay Plugin Plugin There are a number of these “Pluggable Transports” in development, but we need even more. Even weak stego can help . ...Do we still need “normal-looking” TLS?

  14. Tor needs a one-way-authenticated handshake to build circuits Relay Relay User A B E(PK_A, g^x1) H 1 ( g ^ x 1 y 1 ) g ^ y 1 , (Now have K1= KDF(g^xy) +

  15. Tor needs a one-way-authenticated key exchange to build circuits Relay Relay User A B Enc(PK_A, g^x1) H 1 ( g ^ x 1 y 1 ) g ^ y 1 , (Now have K1= KDF(g^x1y1) E_K1(Enc(PK_B,g^x2)) Enc(PK_B,g^x2) g^y2, H1(g^x2y2) E_K1(g^y2, H1(g^x2y2)) (Now have K2= KDF(g^x2y2)

  16. We're replacing this protocol... ● Original protocol (“TAP”) did hybrid encryption with RSA,DH-1024, badly. [Goldberg 2006] ● Replacement (“ntor”) does approximately C->S: g^x S->C: g^y, H1(inp=H( g^x g^y g^xb g^xy ...)) K = KDF(H2(inp)) [Goldberg, Stebila, Ustaoglu 2011] (We're using DJB's curve25519 for DH group)

  17. ...and might replace it again ● Alternative (“ace”) does approximately: C->S: g^x1, g^x2 S->C: g^y K = KDF(g^[bx1 + yx2]) [Backes, Kate, Mohammedi 2012] ● Best choices will depend on implementation tweaks. ● Can you do better?

  18. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (503) (4) +

  19. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) +

  20. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Payload Zeros (2) Bad “MAC” (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) To handle a cell: ● Remove a layer of encryption. ● If Zeros == 0, and “MAC” = H(Key3_M, Previous cells | Payload): + This cells is for us! ● Else, relay the cell

  21. We should replace our old relay cell protocol... ● Used for symmetric crypto once we have shared keys. Zeros Bad “MAC” Payload (4) AES_CTR(Key1) AES_CTR(Key2) AES_CTR(Key3) But this is malleable!

  22. Hang on, does it matter that it's malleable? User M Evil Altered M' Tor Altered M'' Tor Relay Relay Exit ● Honest exit (probably) rejects M'' ● Evil exit detects tag, but could just as easily do traffic correlation, for same result at less risk of detection. ● So, don't worry? (Dingledine, Mathewson, Syverson 2004) +

  23. Hang on, does it matter that it's malleable? User M Evil Altered M' Tor Altered M'' Tor Relay Relay Exit ● Honest exit (probably) rejects M'' ● Evil exit detects tag, but could just as easily ///////////////////// do traffic correlation, for same result //////////////////////// at less risk of detection. ● Actually, it's not so clear-cut.

  24. We could use an encrypt-and-mac structure ENC(Payload,K1) MAC1 MAC3 ENC(... , K2) ENC(... , K3) +

  25. We could use an encrypt-and-mac structure ENC(Payload,K1) MAC1 MAC3 ENC(... , K2) ENC(... , K3) But that requires one MAC per hop, and leaks path length.

  26. A chained wide-block cipher seems like a much better idea! Zeros Payload WideBlock(Key1) WideBlock(Key2) WideBlock(Key3) +

  27. A chained wide-block cipher seems like a much better idea! Zeros Payload WideBlock(Key1) WideBlock(Key2) WideBlock(Key3) Any attempt to change the block renders the whole circuit unrecoverable.

  28. What wide-block cipher to use? ● Not enough time to discuss all of them (LIONESS, CMC, XCB, HCTR, XTS, XEX, HCH, TET) ● Needs to be fast, proven, secure, easy-to- implement, non-patent-encumbered, side- channel-free,... ● One promising approach in progress by Bernstein, Sarkar, and Nandi – HFFH Feistel structure, fast, not yet finished. ● Other ideas?

  29. Tor gets blocked too much. ● Some services mistake Tor for abuse ● Some services use IP blocking as a proxy for people-blocking, and can't not block Tor. (Wikipedia edits, some IRC nets.) Can we do better?

  30. Provide a way for users to make themselves blockable. ● Slightly expensive pseudonyms? – (Expensive how? SA model?) ● Anonymous blacklistable credentials? (Nymble, BNymble, BLACR, VERBS, Jack...) – Time to try this out in the wild? – What will we learn about their usability? Are they right?

  31. There are more crypto issues in Tor ● Directory protocol ● Hidden service protocol ● Better DOS resistance ● SHA1, RSA1024 for node identity

  32. Questions? ● See https://www.torproject.org/ for links to documentation, specifications, and more info about various Tor issues. ● See http://freehaven.net/anonbib/ for an incomplete but nonetheless useful anonymity bibliography. ● Grab me during a break for non-crypto Tor questions

Recommend

S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with

S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with Payment-Channel Networks Pedro Moreno-Sanchez RWC20 New York, Jan 10 th 2020 @pedrorechez Scalability

1.27k views • 84 slides
Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew

Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew

Blockchain and Distributed Ledger Technologies: Opportunities, Challenges and Future Work Andrew Regenscheid Cryptographic Technology Group Cryptographic Technology Group Mission: Research, develop, engineer, and standardize cryptographic

321 views • 28 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May 27 th , 2008 A cryptographic hash function produces cryptographic checksums or fingerprints cryptographic checksums or fingerprints Fast

716 views • 25 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010

1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010

1 Cryptographic Elections: Challenges and Opportunities Alon Rosen IDC Herzliya June 9, 2010 2 Thanks Ben Adida (Harvard University) Yuval Kedem (Gallileo) David Movshovitz (IDC Herzlyia) Shimon Schocken (IDC Herzlyia)

1.83k views • 148 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803 It is also important that a receiver is assured Computer and Network Security that the data it receives has come from the sender and has not been

617 views • 5 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Cryptography This course provides an overview of basic modern cryptographic techniques and covers

Cryptography This course provides an overview of basic modern cryptographic techniques and covers

What is this course about? Aims Cryptography This course provides an overview of basic modern cryptographic techniques and covers essential concepts that users of cryptographic standards need to understand to achieve their intended security

855 views • 58 slides
Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL Research University, Paris, France ECRYPT-NET Summer School, Crete, Greece 12 th October 2017 R azvan Ros ie Key-Robustness for Cryptographic

949 views • 48 slides
Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
outline development of cryptographic algorithms for a real life application introduction

outline development of cryptographic algorithms for a real life application introduction

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems Henri Gilbert Orange Labs {firstname.lastname@orange-ftgroup.com} research & development outline development of cryptographic algorithms for a real life

486 views • 12 slides
COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

A Framework for Cryptographic Problems from Linear Algebra Carl Bootland , Wouter Castryck, Alan Szepieniec and Frederik Vercauteren Dept. of Electrical Engineering, COSIC KU Leuven COSIC A Framework for Cryptographic Problems from Linear

731 views • 48 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
Everything you need to know about Cryptography (unless youre a mathematician) Dont try

Everything you need to know about Cryptography (unless youre a mathematician) Dont try

Everything you need to know about Cryptography (unless youre a mathematician) Dont try this at home. Get an expert. Basic Cryptographic Tools Seriously though. Bad crypto ruins lives. Basic Cryptographic Tools Cryptographic Hash

177 views • 17 slides
Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020 What is Formal Verification? Using software tools in order to obtain guarantees on the security of cryptographic components.

319 views • 21 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides

More recommend