BRKSEC-2011.Pdf

#CLUS About Garlic and Onions A little journey…

Tobias Mayer, Technical Solutions Architect BRKSEC-2011

#CLUS Me…

CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & TLS Security tmayer{at}cisco.com Writing stuff at “blogs.cisco.com”

• How Tor works • Introduction to Onion Routing • Obfuscation within Tor

• Domain Fronting

• Detect Tor

• I2P – Invisible Internet Project • Introduction to Garlic Routing

• Conclusion

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session How 1 Find this session in the Cisco Events App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot#BRKSEC-2011 by the speaker until June 18, 2018.

Hide me from Government! Hide me from ISP! Hide me from tracking!

Bypass Corporate Bypass Country Access Hidden policies restrictions (Videos…) Services

Tracking does not require a “Name” Tracking is done by examining parameters your browser reveals https://panopticlick.eff.org

Traffic to external Proxy detected

Combine VPN Service with Proxies Provides additional anonymization Layer You have to have trust in the VPN Provider that they do not log… 

https://thatoneprivacysite.net/vpn-section/

• Statement from “Hide- my-Ass”

• “If you do illegal things, we cooperate with Law Enforcement”

• They track the User…

• Chrome Browser leaking real IP because of DNS Prefetching • Despite using a VPN Service…

Open source SW / public design specs Data is constantly encrypted at multiple layers Sent through multiple routers. Each router decrypts the outer layer and finds routing instructions Sends the data to the next router Result is a completely encrypted path using random routers

• The Tor network consists of relays

• Relays are just nodes where the Tor software is installed

• They build encrypted connections to other relays, forming an overlay network

• Everyone can run a Tor relay and contribute to the network…

• Goal: Provide anonymity and access to censored and/or hidden resources

• Special browser based on mozilla firefox to establish a circuit through the Tor network

• Can connect directly or through proxies

• Often used in combination with VPNs

OR2

OR3 PK OR1

PK OR2

PK OR3

Tor Client selects 3 random Routers out of all Tor Relays and get their public keys

OR2

OR3 PK OR1

PK OR2

PK OR3

Tor Client sends DH Handshake to OR1, encrypted with public key of OR1, called “relay_create”

OR2

OR3 PK OR1 SK1

PK OR2

PK OR3

OR1 completes handshake, symmetric key is created

OR2

OR3 PK OR1 SK1

PK OR2

PK OR3

Tor Client sends “relay_extend” to OR1, requesting to extend the circuit to OR2. Keyshare for OR2 is protected by the public key of OR2

OR2

OR3 PK OR1 SK1

PK OR2 SK2

PK OR3

OR1 send “relay_create” to OR2, OR2 responds and circuit with symmetric key is created to OR2

OR2

OR3 PK OR1 SK1

PK OR2 SK2

PK OR3 SK3

“relay_extend” to OR3, create a circuit

OR2

OR3 PK OR1 SK1

PK OR2 SK2

PK OR3 SK3

Web Request follow the circuits

Every hour all Authorities calculate a common status document called the “consensus”

Very trusted servers that hold the list of all active Tor relays Tor client comes with this predefined list and the corresponding public keys Every hour they agree on the most recent list of relays (“voting”) They create a document called “consensus”. Each DirAuth publishes and signs its own relay list to all other DirAuth Tor client downloads the consenus at first start Client receives consenus plus hashes of the consenus of all other authorities. Will only trust the consensus if more than half of the hashes match. Tor relays can be “Directory caches” where clients can get an updated version of the consensus without the directory authorities

Flags

OR2

OR3

“torrc” = config file

Also use IPv6 relays

Define Geolocation of your ExitNodes

ExitNode from Germany

ClientOnly 1 #never, ever act as an exitNode ExcludeNodes #avoid the nodes / countries listed StrictNodes #if set to 1, Tor will strictly avoid #ExcludeNodes settings EnforceDistinctSubnets #Don‘t select two nodes that are close FascistFirewall 1 #only 80/443 entry & exit nodes EntryNodes # only use those entry node ExitNodes # only use those exit nodes ExcludeExitNodes

DNS Server OR2

OR3

Tor Exit Relay is responsible for the DNS Resolution

• ISP Resolver • Traversing the least amount of AS • Own Resolver • QNAME Minimization

Bridges are relays that are not announced in the directory servers You can request bridges but will not get the full list 3 bridges are provided

Fingerprint

IP & Port

#CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 Hidden Websites - ”.onion” links FIRST 80 bits of the SHA1 of the 1024 bit Public Key http://xmh57jrzrnw6insl.onion/

• Tor Mailbox http://torbox3uiot6wchz.onion/

• Torch http://xmh57jrzrnw6insl.onion/

• The Hidden Wiki http://zqktlwi4fecvo6ri.onion/wiki/Main_Page

• Imperial Library of Trantor http://xfmro77i3lixucja.onion/

• DuckDuckGoGo https://3g2upl4pq6kufc4m.onion/

• The Federalist Paper (Onion v3 Service) http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/

Onion server

Introduction point

Rendezvous point Directory server

Client

Setup hidden service (create public and private key) and create a circuit to chosen Introduction point(s)

IP, Pk Onion server

Introduction point (IP)

Rendezvous point Directory server

Client Publish hidden service in six of the directory servers. The servers are calculated based on a function including the consensus status document and the “.onion” address. Repeat once a day (different HSDirs…)

Onion server

Introduction point

Rendezvous point Directory server

Client

Client asks one of the directory server for the hidden service. Client gets the public key and the Introduction Points for that service.

Onion server

Introduction point

Rendezvous point Directory server

Client

Client selects a random relay node as a rendezvous point

Onion server

Introduction point

message Rendezvous point Directory server secret

Client Client contacts the introduction point, requesting to forward the information about the rendezvous point to the hidden server. Message includes a one- time secret

message secret Onion server

Introduction point

Rendezvous point Directory server

Client

IP contacts the hidden server, telling him about the RP

Onion server secret

Introduction point

Rendezvous point Directory server

Client

Server builds a circuit to the RP, providing the one-time secret from the client

Onion server

Introduction point

Rendezvous point Directory server

3 relays from client, 3 relays from server Client

Client communicates to the hidden server via the rendezvous point

SearX with v3 .onion address (52 characters vs. 16 characters) http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/

a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519) b) Improved directory protocol leaking less to directory servers. c) Improved directory protocol with smaller surface for targeted attacks. d) Better onion address security against impersonation.e) e) More extensible introduction/rendezvous protocol.f) f) A cleaner and more modular code base

loopback Client App PT Client (Socks)

Obfuscated traffic

loopback Server App PT Client (Socks)

• Obfs2 • Use a additional encryption layer to obfuscate. Key is exchanged in cleartext.

• Obfs3 • Negotiation of a DH Key for obfuscation. Not resistant for active probing.

• Obfs4 • Authenticate with a pre-shared key, distributed out-of-band. Resistant against active probing. Obfuscate with DHE.

• Meek • Obfuscate in http and TLS, leveraging domain fronting

#CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 61 Domain Fronting Domain Fronting – the concept https://www.bamsoftware.com/papers/fronting/ Using different domain names at different levels Leveraging the fact that CDN Network can forward requests that are not in their own domain DNS TLS A www.google.com SNI: www.google.com

HTTP ….. Host: www.evilrats.com

Hidden domain Front Domain

• https://arstechnica.com/information-technology/2018/05/amazon- blocks-domain-fronting-threatens-to-shut-down-signals-account/

• Reason: • Signal IM uses Domain Fronting…. • Certain countries blocking Signal because they can’t stop it…. • Hard times for people in severely restrictive countries…

• Broker Access via different methods • Domain- fronted • DNS over HTTPS 

First relay, located in russia

SNI Name not really matching the website

CN Name different from SNI String

Issuer, yet another generated domain

Port 9001

Generated strings for common name

Self-signed….

This is another proof that Tor does not really care about the content of the TLS certificates 

• SNI String , CN-Name and Issuer are just generated strings…

• Certificates are self-signed

• Purpose of certificates is simply to provide a common method to exchange the keys using the TLS Protocol

• Tor client and relays do not care much about the certificate values

Categories “Pass Through” will still check for certificate errors! Invalid certificate or expired certificate on the server will fail the “Pass through”

Custom URLs (best used for making an exception for decryption) “Pass Through” will bypass all certificate check -> true Pass Through “Decrypt” -> certificates will be checked and the user will get a prompt (“untrusted CA”) Custom categories take precedence over predefined categories!

Default Values provide a good balance between Security and User Experience Remember: EUN in case of a “Drop” requires “Decryption for EUN”! “Drop” : log the certificate error in the access log, decrypt and display EUN “Decrypt” : log the certificate error in the access log, decrypt with a purposely “invalid” certificate and let the client decide if he accepts the connection. “Monitor” : don’t do anything, it’s all on the client to decide…

1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 85.31.186.98 UAG: - REF: - AUTH: 0 DNS: 0 REP: 925 SFBR: 0 CFBWR: 1176

1513893461.688 76177 192.168.178.55 NONE/504 0 CONNECT tunnel://192.99.11.54:443/ "tmayer@TOBYLAB" DIRECT/192.99.11.54 - OTHER-NONE- ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 192.99.11.54 UAG: - REF: - AUTH: 0 DNS: 0 REP: 1076 SFBR: 0 CFBWR: 0

1513893461.688 76178 192.168.178.55 NONE/504 0 CONNECT tunnel://154.35.22.9:443/ "tmayer@TOBYLAB" DIRECT/154.35.22.9 - OTHER-NONE- ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 154.35.22.9 UAG: - REF: - AUTH: 0 DNS: 0 REP: 729 SFBR: 0 CFBWR: 0

1513893471.762 86252 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.26:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.26 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 85.31.186.26 UAG: - REF: - AUTH: 0 DNS: 0 REP: 729 SFBR: 0 CFBWR: 1176

1513893509.387 584 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://193.23.244.244:443/ "tmayer@TOBYLAB" DIRECT/193.23.244.244 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 193.23.244.244 UAG: - REF: - AUTH: 0 DNS: 0 REP: 106 SFBR: 0 CFBWR: 138

1513893509.479 766 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.96.180.29:443/ "tmayer@TOBYLAB" DIRECT/185.96.180.29 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 185.96.180.29 UAG: - REF: - AUTH: 0 DNS: 0 REP: 195 SFBR: 0 CFBWR: 227 1513893509.761 68 192.168.178.55 NONE/504 0 CONNECT tunnel://37.187.7.74:443/ "tmayer@TOBYLAB" DIRECT/37.187.7.74 - DECRYPT_WBRS_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 37.187.7.74 UAG: - REF: - AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0

1515881089.066 605 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://149.56.233.142:443/ "tmayer@TOBYLAB" DIRECT/149.56.233.142 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7- DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 149.56.233.142 UAG: - REF: - AUTH: 0 DNS: 0 REP: 31 SFBR: 0 CFBWR: 136

1515881089.815 356 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://89.163.224.250:443/ "tmayer@TOBYLAB" DIRECT/89.163.224.250 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7- DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 89.163.224.250 UAG: - REF: - AUTH: 0 DNS: 0 REP: 22 SFBR: 0 CFBWR: 46

1515881090.876 419 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.125.33.58:443/ "tmayer@TOBYLAB" DIRECT/185.125.33.58 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7- DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE - AUTHM: BASIC DestIP: 185.125.33.58 UAG: - REF: - AUTH: 0 DNS: 0 REP: 21 SFBR: 0 CFBWR: 78

• Activate HTTPS Proxy

• Tune WSA to handle crypto errors in the log

• Block category “Anonymizers and Filters” • Will not block all connections, but some

• Check logs for a combination of • Reputation blocks and Category blocks • Errors on hostname mismatch • Errors on unrecognized root • Connections to IP • Connections to non-web ports

Block

Self- signed Certificate Certificate Errors Errors

..and some are not

Detecting Tor as Application

obfs4 obfuscated traffic Tor relay No App Detected tcp/80

As users go through a web proxy, access logs are generated

Cisco Cognitive Threat Analytics (CTA) Time | IP | URL | User Agent | … 2:45 | 54.62.37.10 | www.google.com | Mozilla (… 2:45 | 68.62.37.10 | www.yahoo.com | Mozilla (… 2:45 | 22.62.37.10 | www.cnn.com | Chrome (… Proxy 2:45 | 59.62.37.10 | www.seznam.com | Mozilla (… HTTP/HTTPS Headers (meta data) HTTP/HTTPS

• Stealthwatch downloads Tor directory list of entry and exit nodes every hour

• CTA downloads the Tor directory list every hour

• CTA analyzes connections on a global basis and tries to identify potential Tor relays • Analyzing certificate details from the TLS Handshake (via Stealthwatch ETA netflow) • Correlating requests globally • Detection of new relays can come in retrospectively • No complete list of discovered gateways is being kept or exported

Obvious search for the Tor browser EXE

Deeper Analysis of the connections being made

• Packet-switched anonymous network layer (ard. 70K users)

• Distributed Network database of routers (no Directory Servers)

• Provides anonymous web browsing, chat, email, IM, file sharing, …

• Opensource

• Built as its own hidden network, not as an anonymization tool

• Using UDP for transport

• Java based

• Every routers has one or more inbound and outbound tunnels

• Lifetime of 10 min

• Routers are both relays and nodes • Relay: forward other message to other routers • Nodes: sending or receiving messages for themselves

• Inbound tunnels require port forwarding for optimizing throughput • Cumbersome to use within corporate networks (but not impossible ;) )

NetDB 3 Alice: 1,2 4 Simon: 3,4 InboundTunnels Bob: 5,6 1 Simon 2

Alice 5 6 Outbound Tunnels Bob

• Super-Peers (aka floodfill peers) hold a network database (distributed hashtable)

• This contains two informations : “routerInfo” and “leaseSets”

• routerInfo – stores information on specific I2P routers and how to contact them (public key, identifier, contact information)

• leaseSets – stores information on a offered service (i.e. I2P websites, email servers, etc.); entry point of a specific tunnel

• Initial set of active peers is loaded from some public sources • Hardcoded into the software

• Every router collects a local statistic of other active peers

• When a router is successfully selected for establishing a tunnel, key exchange is happening

• Each message sent can be sent through any other router

• Several different messages can be sent within one encrypted packet

• Similar to Garlic that can hold several cloves Many cloves inside the “head”

Garlic Cloves

Alice Peter Jan

NetDB

Build tunnel Build tunnel

Alice Peter Jan

NetDB

CONNECT Tunnel

Alice Peter Jan Clara Simon Bob

NetDB

Garlic

Outbound Tunnel Inbound Tunnel

Alice Peter Jan Harry Eve Clara Simon Bob

Tunnel Encryption: AES Transport Encryption: DH + AES

Garlic Encryption: El Gamal + AES

All nodes act as a router

Point your browser to your local I2P router

Accessing hidden websites within the I2P network I2P is mainly about hidden websites, NOT so much about reaching the cleartext internet

#CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 106 I2P Can be defined on ANY Port! I2P recommends to poke a hole in your firewall for incoming traffic udp/23852 tcp/23852 Will dramatically improve performance

Lot of requests for udp/23852…(but remember, port defineable…)

Classified as P2P File Traffic

I2P is java based….

• https://www.cdc.informatik.tu- darmstadt.de/fileadmin/user_upload/Group_CDC/Documents/Lehre /SS13/Seminar/CPS/cps2014_submission_4.pdf

• https://geti2p.net/en/docs/how/tech-intro

• http://hor6372x6soyyts2.onion/mirrors/HiddenWikiClean/A_Radical' s_Introduction_to_Anonymity.html#Weaknesses

• Blocking Tor completely is very hard, but a check on TLS certificate errors can provide some decent blocking & visibility for enterprises

• Combination of netflow analysis, anomaly detection & certificate checking on the gateways is probably your best bet • Leveraging Stealthwatch with CTA and ETA • Combine it with AMP for Endpoints for further analysis and visibility

• Other Tools like I2P exist, but purpose is to exchange information, not so much for anonymizing your browsing • I2P optimizing performance over special ports that need to be open • No support over web proxies • Port-forwarding on firewalls is recommended -> cumbersome to use within corporate environments

Hide me from Government! Hide me from ISP! Hide me from tracking!

Bypass Corporate Bypass Country Access Hidden policies restrictions Services

Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

#CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 115 Continue Demos in Walk-in Meet the Related your the Cisco self-paced engineer sessions education campus labs 1:1 meetings

#CLUS #CLUS