iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Lab 9 – 16ss 1 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 2 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 3 / 38
Anonymity Anonymity set: set of people indistinguishable to the adversary ◮ size ◮ diversity This is not enough! 4 / 38
Separation of network identity and routing is the service provided by onion routing. 5 / 38
Overlay network 6 / 38
Overlay network 6 / 38
Onion skins server guard middle exit Circuits: nested encrypted connections via three relays 7 / 38
Design goals ◮ anonymous routing non-goals are, e.g. ◮ anonymity ◮ global passive adversary ◮ end to end correlation attacker power ◮ limited active and passive network attacks ◮ compromised relays 8 / 38
Attacker model 9 / 38
Attacker model 9 / 38
Attacker model 9 / 38
◮ you are anonymous to the service you visit ◮ your network does not see which services you visit 10 / 38
Tor Tor is an implementation of onion routing. ◮ censorship circumvention ◮ open design process ◮ low latency anonymity system Software ◮ tor ◮ obfsproxy ◮ Tor Browser ◮ . . . lots of ecosystem around it 11 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 12 / 38
Components onion router ◮ identity key ◮ relays traffic directory authority ◮ authority identity key ◮ manage list of onion routers ◮ agree on unified network view with other DAs onion proxy ◮ build circuit consisting of onion routers ◮ ingest application traffic 13 / 38
Relationships DA DA DA OR OP OR OP OR OR 14 / 38
Relationships DA DA DA OR OP OR OP OR OR 14 / 38
Directory authority directory authority 0 addr, port, pub key hourly vote addr, port, pub key other directory authorities . . . ◮ authority identity key ◮ authority signing key 15 / 38
Descriptor ◮ nickname ◮ IP, port ◮ identity key (long-term KSK) ◮ signing key (medium-term) ◮ onion key ◮ published date ◮ version ◮ lots of other info, e.g. bandwidth ◮ signature Right now there is a transition from RSA 1024 to ED25519 with cross signatures. 16 / 38
Joining the network onion router ◮ upload descriptor ◮ retrieve consensus DA functionality check DA voting onion proxy ◮ retrieve consensus ◮ build circuits 17 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 18 / 38
Overview stream relay circuit extend OR1 OR2 OR3 TLS + link protocol 19 / 38
Overview ◮ OR connections protected with combined TLS and cell protocol handshake ◮ all Tor communication in cells inside TLS ◮ authenticated ECDH handshakes (ntor) to build circuits ◮ “onion skin” layered encryption on the relay subprotocol cells 20 / 38
Cells circuit id command length payload 4 octets 1 octet 2 octets may be padded ◮ VERSIONS: version negotiation ◮ CERTS: certificates ◮ CREATE2: ntor handshake DH ◮ CREATED2: ntor handshake DH, authenticator ◮ RELAY: subprotocol (data) ◮ DESTROY: reason for tearing down circuit ◮ and many more This is the version 4 link protocol. Most cells have fixed size 514 octets. 21 / 38
Relay subprotocol relay cmd recognized stream id digest length payload 1 octet 2 octets 2 octets 4 octets 2 octets padded ◮ RELAY_EXTEND2 (control): CREATE2 ◮ RELAY_EXTENDED2 (control): CREATED2 ◮ RELAY_RESOLVE: very simple DNS query ◮ RELAY_RESOLVED: DNS response ◮ RELAY_BEGIN: address, port ◮ RELAY_CONNECTED: address, port ◮ RELAY_DATA: original TCP SDU ◮ RELAY_END: termination reason ◮ and many more This is where the encryption happens. 22 / 38
Link handshake OR1 OR2 TLS VERSION T I N F O R T S , N E O N , C E V E R S I authenticate using TLS info N E T I N F O ◮ version 3 handshake flow ◮ TLS connection reused for all circuits between OR1 and OR2 23 / 38
Circuit setup ◮ extend circuits by one hop at at time ◮ connect a stream to a TCP/IP destination ◮ then: relay cells with application content Spare circuits are created ahead of time. 24 / 38
Relay protocol: circuit extension OP guard middle CREATE2 CREATED2 EXTEND2(CREATE2) C R E A T E 2 2 A T E D C R E EXTENDED2(CREATED2) 25 / 38
ntor handshake ◮ one-way authenticated DH key agreement ◮ no signatures or RSA involved ◮ two DH operations ◮ forward security ◮ responder authenticated ◮ initiator anonymous ◮ security proofs for: key agreement, authentication, anonymity 26 / 38
ntor (simplified) 1. Bob: ( b , B ) ← GenDH () 2. Alice learns authentic ID B , B . 3. ( x , X ) ← GenDH () ID B , X ( y , Y ) ← GenDH () dh := yX || bX ( sk ′ , sk ) := H ( dh || ID B || X || Y ) t B := Mac sk ′ ( ID B || X || Y ) t B Y , dh := xY || xB ( sk ′ , sk ) := H ( dh || ID B || X || Y ) Vrfy sk ′ ( t B , ( ID B || X || Y )) 27 / 38
Processing of a relay cell cid cmd [encrypted] OR2: Dec k 2 ( · ) recog ? → pass along circuit = 0 OR3: Dec k 3 ( · ) recog ? = 0 Vrfy k ( MAC , cell ) cid cmd cmd recog sid digest len payload 28 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 29 / 38
sslstrip exit server 30 / 38
Correlation server 31 / 38
Correlation server → guard nodes 31 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 32 / 38
Censorship circumvention Bridges ◮ “secret” relays ◮ “pluggable transports” as obfuscation layer 33 / 38
Onion services ◮ location hidden services / responder anonymity ◮ service offering without disclosing network identity ◮ name/URL: hash of public key ◮ authenticating URL: tunnel TCP connections to an OR currently not all properties secure 34 / 38
Circuit setup (conceptual) DHT OP RP IP OS IP IP 35 / 38
Circuit setup (conceptual) DHT descriptor: IPs, k pub OP RP IP OS IP IP 35 / 38
Circuit setup (conceptual) DHT OP RP IP OS IP IP 35 / 38
Circuit setup (conceptual) DHT OP RP IP OS RP IP IP 35 / 38
Circuit setup (conceptual) DHT OP RP IP OS IP IP 35 / 38
Use cases ◮ responder authentication ◮ break out of NAT ◮ hide server location Example ◮ Facebook social network: https://facebookcorewwwi.onion ◮ DuckDuckGo search engine: http://3g2upl4pq6kufc4m.onion ◮ Debian GNU/Linux operating system mirror: http://vwakviie2ienjx6t.onion ◮ Ricochet messenger Always offer additionally to TLS. 36 / 38
Outline Introduction Trust architecture Protocols Attacks Further topics Announcements 37 / 38
Announcements ◮ tentative dates for oral attestations: July 15-22 ◮ lecture recordings with two audio tracks ◮ additional radio NICs 38 / 38
Recommend
More recommend