CPSC 257: Information Security in the Real World

Ewa Syta
April 21, 2016

Outline
1 Anonymous Communication
2 Attacks on Anonymity

Anonymous Communication

Properties of Tor
No individual relay ever knows the complete path.
• The random path packets take is extended one hop at a time, and each relay along the way knows only the previous and the next relay.
Neither an eavesdropper nor a compromised relay can link the connection's source and destination.
However, Tor cannot (and does not attempt to) protect the traffic entering and exiting the network. Nor does it protect users from "giving away" their identity.

How Tor works?
[Figures. Source: Tor Overview]

Tor User Statistics
[Figure] "Mevade botnet responsible for the spike in Tor traffic", Pierluigi Paganini, September 8, 2013

Tor Relay Statistics
[Figure]

Visualization of Tor traffic
https://torflow.uncharted.software/

Benefits of Tor
https://www.eff.org/pages/tor-and-https

Tor Hidden Services
Source: TOR Hidden Service Protocol
Tor also offers protection to servers offering various services (websites, instant messaging) by hiding their location.
• Servers are configured to receive inbound connections through Tor only.
• Servers do not have to reveal their IP address.
• Servers are accessible only through a .onion address.
• Tor understands .onion addresses and can properly route data to and from hidden services.

Step 1: Service Setup
Bob chooses some relays, asks them to be his introduction points (IPs), and tells them his new public key.

Step 2: Hidden Service Descriptor
The hidden service descriptor (HSD) contains the public key and a summary of IPs, and is signed by Bob. DB returns an HSD for a specific XYZ.onion.

Step 3: Client Setup
Alice gets Bob's HSD, chooses a rendezvous point (RP) and gives it a one-time "rendezvous cookie" to authenticate Bob.

Step 4: Client Introduction
Alice encrypts an introduction message with Bob's key; it includes her RP, Bob's cookie, and her half of the DH handshake. She then asks Bob's IP to deliver it to him.

Step 5: Server Response
Bob decrypts Alice's message and creates a circuit to the RP. He sends the cookie and completes the DH handshake. The RP notifies Alice.

Step 6: Connection Established
Alice and Bob have an end-to-end encrypted 6-hop circuit.

Attacks on Anonymity

Limitations of existing schemes
There is a whole array of attacks on anonymity, ranging from exploiting flaws of the anonymous system and leveraging network-level information to exploiting vulnerabilities of the client-side machines.

Method            Weakness
Mix Nets, Tor     (Active) traffic analysis attacks
DC Nets           Anonymous DoS attacks

Understanding the Adversary
Many attacks assume a powerful adversary who can see large chunks of the network at the same time or can obtain large amounts of traffic data.
Q: Is the existence of a global adversary a reasonable assumption?
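Returning to the hidden-service rendezvous (Steps 3 to 6 above): the following is an added example, not part of the lecture slides or of Tor's code, that models how the one-time cookie lets the RP join the two circuits and how both sides end with the same DH-derived key. The names `RendezvousPoint` and `run_exchange`, the toy DH group, and the in-memory "mailbox" standing in for a circuit are assumptions; encryption to Bob's public key and the introduction point relay are omitted.

```python
import hashlib
import secrets

P = 2**127 - 1  # toy prime modulus for illustration only; not a safe DH group
G = 3

class RendezvousPoint:
    """Relay that joins two circuits when the same one-time cookie is presented."""
    def __init__(self):
        self.waiting = {}  # cookie -> mailbox standing in for Alice's circuit

    def establish(self, cookie, alice_mailbox):       # Step 3
        self.waiting[cookie] = alice_mailbox

    def join(self, cookie, payload):                  # Step 5
        mailbox = self.waiting.pop(cookie, None)      # pop: the cookie is single-use
        if mailbox is None:
            return False                              # unknown or already used cookie
        mailbox.append(payload)                       # "RP notifies Alice"
        return True

def session_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).hexdigest()

def run_exchange(rp, forged_cookie=None):
    # Step 3: Alice picks the RP and hands it a fresh rendezvous cookie.
    cookie = secrets.token_bytes(20)
    alice_mailbox = []
    rp.establish(cookie, alice_mailbox)
    # Step 4: introduction message (sent encrypted to Bob via his IP in Tor).
    x = secrets.randbelow(P - 2) + 1
    intro = {"rp": rp, "cookie": cookie, "dh_pub": pow(G, x, P)}
    # Step 5: Bob connects to the RP, presents the cookie, completes DH.
    y = secrets.randbelow(P - 2) + 1
    bob_key = session_key(pow(intro["dh_pub"], y, P))
    joined = intro["rp"].join(forged_cookie or intro["cookie"], pow(G, y, P))
    # Step 6: Alice derives the key only if the RP actually joined the circuits.
    alice_key = session_key(pow(alice_mailbox[0], x, P)) if joined else None
    return joined, alice_key, bob_key

if __name__ == "__main__":
    ok, a, b = run_exchange(RendezvousPoint())
    print("joined:", ok, "keys match:", a == b)
```

The RP only ever sees the cookie and Bob's DH public value, so it can connect the two circuits without learning the session key or either party's address.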
PRISM [1]
Perhaps the most infamous, but not the most comprehensive, NSA mass surveillance program, established in 2007.
Geared towards collecting the Internet data stored by nine major companies: Facebook, Google, Yahoo, Microsoft, PalTalk, Skype, YouTube, Apple, and AOL.
The program operates through a secretive judiciary body called the Foreign Intelligence Surveillance Court.
[1] The definitive guide to NSA spy programs, Joe Kloc, August 14, 2013

XKEYSCORE [1]
NSA's "widest-reaching" program.
• It collects nearly everything a typical user does on the Internet, including the content of emails and chats, visible in real time.
• It builds a searchable database of both metadata and communications content collected from around the world.
• Metadata is stored for 30 days, while the content is stored for as little as a day.
• According to a leaked NSA slide, the XKEYSCORE database held 41 billion Internet records over a 30-day period.

XKEYSCORE: Search Capabilities [4]
Queries using "strong selectors" (e-mail addresses) or "soft selectors" (keywords).
• Users of Tor and people who search for privacy-enhancing software. [2]
• Extremists aka the readers of Linux Journal. [3]
[2] NSA targets the privacy-conscious, J. Appelbaum, July 3, 2014
[3] NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance, Kyle Rankin, July 3, 2014
[4] XKEYSCORE Rules

Where is X-KEYSCORE? [5]
Approximately 150 sites and over 700 servers.
[5] XKEYSCORE: NSA's Google for the World's Private Communications, The Intercept, M. Marquis-Boire, G. Greenwald, and M. Lee, July 1, 2015

Practical Evidence of Traffic Hijacking [7][8][9]
Researchers from network intelligence firm Dyn Research observed numerous live Man-In-the-Middle (MITM) hijacks last year.
• Events lasted from minutes to days by attackers from various countries.
• Traffic improperly redirected by exploiting implicit trust placed in BGP (border gateway protocol). [6]
• Huge chunks of Internet traffic of financial institutions, government agencies, and network service providers have repeatedly been diverted.
[6] Protocol to exchange routing and reachability information between autonomous systems (AS)
[7] The New Threat: Targeted Internet Traffic Misdirection, Jim Cowie, Renesys, November 19, 2013
[8] Repeated attacks hijack huge chunks of Internet traffic, researchers warn, Dan Goodin, November 20, 2013
[9] Strange snafu hijacks UK nuke maker's traffic, routes it through Ukraine, Dan Goodin, March 13, 2015

Traffic Analysis Attack
Traffic analysis [10] is the process of analyzing patterns in communication in order to learn some information, frequently the sender's identity.
• Passive traffic analysis - an adversary monitors the frequency, timing and other properties of communications.
• Active traffic analysis - an adversary affects the communications by performing DoS attacks on chosen nodes, overloading the network on certain links, etc.
[10] Sometimes the term is used to describe an adversary simply analyzing one's network activities.

Traffic Analysis
[Figures]
It is very difficult to protect against traffic analysis given a powerful adversary.
All communication links must appear identical.
• Everyone transmits at the same rate.
• Very inefficient.

Aqua [11]
Aqua is an alternative high-bandwidth anonymity system that resists traffic analysis.
• Architecture similar to Tor: the core consists of Aqua servers that clients connect to.
• Traffic entering and exiting an Aqua network is made indistinguishable through a combination of chaffing and delayed flow start-up.
• Traffic from a set of k clients looks indistinguishable, and consequently so do the clients themselves.
[11] Towards Efficient Traffic-analysis Resistant Anonymity Networks, S. Le Blond et al., ACM SIGCOMM 2013

Intersection Attack
An intersection attack is a type of traffic analysis attack that focuses on the relation between the online availability of users and certain actions.
• Assume that a series of anonymous blog posts consistently appears every Monday around 10am.
• Then, the set of users who have been online each time a post appears contains the blog owner, as opposed to the much bigger set of users who have been online when some posts appeared.
• An adversary can take snapshots of users available during specific times and intersect them.
[Figures]

Petraeus-Broadwell Debacle [12]
Jill Kelly complains about receiving a series of anonymous stalking emails which seem to involve Gen. Petraeus (CIA Director).
Mrs. Broadwell was identified as the sender of the emails by comparing times when emails were sent, locations where the emails were sent from, and the lists of all people who were at those locations.
The investigation reveals an extramarital affair between Gen. Petraeus and Mrs. Broadwell.
[12] Online PrivacySurveillance and Security Lessons From the Petraeus Scandal, C. Soghoian, November 13, 2012

Catching the High Country Bandits [13]
Two men known as "the High Country Bandits" robbed 16 banks.
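The snapshot intersection from the Intersection Attack slide above, as an added example (not from the lecture) that measures how quickly a user's anonymity set shrinks and how a group of users with identical availability puts a floor under it. The population size, the online probability, the seed, and all function names are constructed assumptions; `always_online` models a set of users whose presence is indistinguishable at every observed event.

```python
import random

def intersect_snapshots(snapshots):
    """Intersect per-event sets of online users; return (candidates, sizes)."""
    candidates, sizes = None, []
    for online in snapshots:
        candidates = set(online) if candidates is None else candidates & online
        sizes.append(len(candidates))   # anonymity-set size after this event
    return candidates, sizes

def simulate(n_users=1000, p_online=0.3, rounds=12, always_online=1, seed=257):
    """Constructed population. Users 0..always_online-1 are online at every
    event (user 0 is the author); the rest are online with prob. p_online."""
    rng = random.Random(seed)
    snapshots = []
    for _ in range(rounds):
        online = set(range(always_online))
        online |= {u for u in range(always_online, n_users)
                   if rng.random() < p_online}
        snapshots.append(online)
    return snapshots

def rounds_until_unique(sizes):
    """First round at which a single candidate remains, or None if never."""
    return next((i for i, s in enumerate(sizes, 1) if s == 1), None)

if __name__ == "__main__":
    for k in (1, 50):
        _, sizes = intersect_snapshots(simulate(always_online=k))
        print(f"always_online={k}: sizes={sizes} "
              f"unique_at={rounds_until_unique(sizes)}")
```

With one always-online user the candidate set collapses within a handful of events, while with 50 such users it can never drop below 50, which is the effect the k-client indistinguishability in Aqua aims for.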
