Basic Course on Onion Routing Paul Syverson a U.S. Naval Research Laboratory f [email protected] p SAC Summer School Mount Allison University Aug 10, 2015 Course Outline ● Lecture 1: Basics and Formalization • Usage examples, basic notions of traffic-secure communications, mixes and onion routers • Onion routing design basics: circuit construction protocols, network discovery • Formalization and analysis, possibilistic and probabilistic definitions of anonymity ● Lecture 2: Security for the real world • Simple demo of obtaining/using Tor • Security of obtain/using Tor • Adding network link awareness • Importance of modeling users • Importance of realistic and practical • Adversary models Security definitions 2 3 4 5 6 7 How do we know I’m installing Tor? ● Known cases of bogus sites offering not-Tor ● HTTPS isn’t enough here – Browser-recognized authorities have issued bogus certificates for torproject.org 8 9 10 11 How do we know I’m installing Tor? ● Known cases of bogus sites offering not-Tor ● HTTPS isn’t enough here – Browser-recognized authorities have issued bogus certificates for torproject.org 12 How do we know the Tor from the Tor Project Inc. is OK? ● It’s baked into our approach to offering onion routing to the public R1 Alice R5 Bob R3 R4 R2 13 How do we know the Tor from the Tor Project Inc. is OK? ● It’s baked into our approach to offering onion routing to the public Alice Bob 14 How do we know the Tor from the Tor Project Inc. is OK? ● It’s baked into our approach to offering onion routing to the public • Carry traffic for a diverse user population - not just Navy or U.S. govt. - cannot have single point of failure/trust for any type of user • Diversely managed infrastructure • Open source 15 How do we know the Tor from the Tor Project Inc. is OK? ● Design, Specifications, and Software amongst most scrutinized on the planet ● Can download (signed) source code and build the binaries yourself. 16 How do we know the Tor from the Tor Project Inc. is OK? ● Design, Specifications, and Software amongst most scrutinized on the planet ● Can download (signed) source code and build the binaries yourself. But we’re not done yet! 17 How do we know the Tor from the Tor Project Inc. is OK? ● “Reflections on Trusting Trust” Thompson, Turing award lecture, 1984 ● Problem: Creation of signed Tor binaries might have been attacked: compiler, libraries, etc. 18 How do we know the Tor from the Tor Project Inc. is OK? ● “Reflections on Trusting Trust” Thompson, Turing award lecture, 1984 ● Problem: Creation of signed Tor binaries might have been attacked: compiler, libraries, etc. ● Why should you care if you verify source and compile yourself on a trusted system? 19 How do we know the Tor from the Tor Project Inc. is OK? ● Most users will be running TPI compiled binaries ● It would be good to protect them. ● What if you’re purely self-interested? 20 How do we know the Tor from the Tor Project Inc. is OK? ● Most users will be running TPI compiled binaries ● It would be good to protect them ● What if you’re purely self-interested? ● Relatively small handful of users with self- compiled Tor will stick out significantly ● Many relay operators may also run TPI compiled code 21 How do we know the Tor from the Tor Project Inc. is OK? ● “Reflections on Trusting Trust” Thompson, Turing award lecture, 1984 ● Problem: Creation of signed Tor binaries might have been attacked: compiler, libraries, etc. ● Solution: Deterministic builds – Packages identical across software, hardware platforms – Distributes the trust in Tor binaries – Available for Tor Browser Bundle since 2013 22 23 24 25 26 27 28 29 End: obtaining/using Tor ● Lecture 2: Security for the real world • Simple demo of obtaining/using Tor • Security of obtain/using Tor • Adding network link awareness • Importance of modeling users • Importance of realistic and practical • Adversary models Security definitions 30 Adversary observing all traffic entering and leaving network breaks onion routing ● “Towards an Analysis of Onion Routing Security” Syverson et al. PETS 2000 ● Presented and analyzed adversary model assumed in prior onion routing work – Network of n onion routers, c compromised onion routers – Security approx. c2 / n2 Alice Bob R3 R4 31 R2 Adversary observing all traffic entering and leaving network? ● “Location diversity in anonymity networks” Feamster-Dingledine. WPES 2004 ● Adversaries live on network links as well as onion routers R1 Alice R5 Bob R3 R4 32 R2 Onion Routers (Tor Relays) overlay underlying Internet R1 R5 R3 R4 R2 33 Adversaries can live on network links to/from onion routers too R1 R5 R3 R4 R2 34 Adversaries can live on network links to/from onion routers too R1 Alice R5 R3 R4 R2 35 Link Adversary AS8 AS6 AS6 AS7 AS1 AS2 AS3 AS4 AS5 1. Autonomous Systems (ASes) 36 Adversary observing all traffic entering and leaving network breaks onion routing • Recall Onion Routing security approach: Large, Diverse Network so adversary has to expend much resources in many places R1 Alice R5 Bob R3 R4 37 R2 Adversaries can live on network links to/ from onion routers too ● “Location diversity in anonymity networks” Feamster-Dingledine. WPES 2004 ● Model adversaries at Autonomous Systems (ASes) – Path Independence: No AS on both client and destination end of circuit R1 Alice R5 Bob R3 R4 38 R2 Adversaries can live on network links to/ from onion routers too ● “Location diversity in anonymity networks” Feamster-Dingledine. WPES 2004 ● Model adversaries at Autonomous Systems (ASes) – Path Independence: No AS is on both client and destination end of circuit ● How bad is it? ● What can we do? 39 First pass look at link attacks ● “AS-awareness in Tor Path Selection” Edman-Syverson. CCS 2009 ● Background ● AS Path Inference ● Analysis of Tor network growth ● Tor AS statistics ● Proposed path selection heuristics 40 AS Path Inference ● Tries to predict route packets will take on the Internet ● We do not have access to routing tables for the entire Internet ● We cannot traceroute from arbitrary hosts ● AS relationships are not often publicized for contractual reasons 41 AS Path Inference Deriving AS Paths from Known Paths (Qiu & Gao 2006) AS 2 1 1 1 AS 4 2 AS 5 AS 1 1 AS 3 {1,2,3}, {2,4,5} and {3,4,5} are known paths {1,2,4,5} is a derived path (must satisfy valley-free property) 42 AS Path Inference ● Used input routing tables from multiple Internet vantage points – OIX, Equinix, PAIX, KIXP, LINX, DIXIE – 1.47 GB, 15.7 million paths, 29,000 ASes, 132,000 edges ● Implementation – Implemented in C – Used Gao’s (2000) algorithm for relationship inference – Modified slightly for better parallelization – All experiments done on a commodity Dell workstation 43 First pass look at link attacks ● Background ● AS Path Inference ● Analysis of Tor network growth ● Tor AS statistics ● Proposed path selection heuristics ● Conclusions & future work 44 Tor Grows Up June 2004 (33 relays) September 2008 (1239–1303 relays) Sender 2914 11643 12182 15130 15169 26101 2914 11643 12182 15130 15169 26101 209 0.49 0.45 0.40 0.39 0.19 0.30 0.17 0.26 0.19 0.51 0.23 0.25 1668 0.39 0.24 0.30 0.30 0.19 0.32 0.18 0.23 0.20 0.25 0.13 0.16 4355 0.38 0.27 0.28 0.27 0.43 0.51 0.13 0.29 0.12 0.20 0.19 0.14 6079 0.62 0.45 0.48 0.24 0.43 0.71 0.12 0.30 0.15 0.22 0.20 0.17 18566 0.39 0.42 0.41 0.32 0.56 0.73 0.18 0.36 0.20 0.31 0.20 0.16 22773 0.56 0.35 0.37 0.21 0.34 0.54 0.21 0.14 0.20 0.20 0.17 0.19 22909 0.21 0.24 0.26 0.22 0.22 0.37 0.19 0.30 0.24 0.25 0.21 0.19 23504 0.39 0.29 0.37 0.33 0.42 0.54 0.49 0.22 0.23 0.19 0.16 0.12 Table 2: Location independence comparison between the Tor network in June 2004 versus an average of three days in● September Used 2008. 3 separate Despite over 1,000 Tor new consensus relays being added snapshots to the network, the from mean probability of asingleASobservingbothendsofacircuitineithertheforward or reverse direction only decreased from 37.74% toSeptember 21.86%. 2008 ● that serversMean operated at Tieroverall 1 ISPs have probability greater bandwidth offer an the forwardAS-level and reverse observer paths between senders and entry available todecreased them than nodes operated from by users37.74% on, say, a tonodes, 21.86% and exit nodes and destinations, resulting in a total of consumer broadband connection. Thus, it is not unreason- 60,000 AS paths to infer. The following are the aggregated able to expect nodes in Tier 1 ISPs to be used more fre- results over all three snapshots: quently● than ≈ if12.5% all nodes were AS chosen pairs uniformly were at random, worse off than before which may in turn actually help increase Tor’s location di- Forward Reverse Total versity. Uniform 12.79% 13.23% 20.49% 45 Distinct /16 Subnets. An easy attack on the Tor net- Weighted (Tor) 10.92% 11.14% 17.81% work would be for an adversary to simply run two relays on the same machine or network. Eventually a client will pick The first row of the above table gives the probability of the attacker’s nodes for their entry and exit nodes, poten- an AS observing both ends of a connection for a uniformly tially allowing the adversary to correlate the sender with her random node selection.