PhD-FSTC-2015-31 The Faculty of Sciences, Technology and Communication DISSERTATION Presented on 12/06/2015 in Luxembourg to obtain the degree of DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE by Ivan Pustogarov Born on 4 February 1986 in Moscow (Russia) Deanonymisation techniques for Tor and Bitcoin Dissertation defense committee: Dr. Alex Biryukov, dissertation supervisor Professor, Université du Luxembourg Dr. Aaron Johnson, Computer Scientist, U.S. Naval Research Laboratory, U.S. Dr. Jean-Sébastien Coron, Chairman Assistant Professor, Université du Luxembourg Dr. Thorsten Holz, Professor, Ruhr-University Bochum, Germany Dr. Ralf-Philipp Weinmann, Vice Chairman Director, Comsecuris, Germany ii iii Abstract This thesis is devoted to low-resource off-path deanonymisation techniques for two popular systems, Tor and Bitcoin. Tor is a software and an anonymity network which in order to confuse an observer encrypts and re-routes traffic over random pathways through several relays before it reaches the destination. Bitcoin is a distributed payment system in which payers and payees can hide their identities behind pseudonyms (public keys) of their choice. The estimated number of daily Tor users is 2,000,000 which makes it arguable the most used anonymity network. Bitcoin is the most popular cryptocurrency with market capitalization about 3.5 billion USD. In the first part of the thesis we study the Tor network. At the beginning we show how to remotely find out which Tor relays are connected. This effectively allows for an attacker to reduce Tor users’ anonymity by ruling out impossible paths in the network. Later we analyze the security of Tor Hidden Services. We look at them from different attack perspectives and provide a systematic picture of what information can be obtained with very inexpensive means. We expose flaws both in the design and implementation of Tor Hidden Services that allow an attacker to measure the popularity of arbitrary hidden services, efficiently collect hidden service descriptors (and thus get a global picture of all hidden services in Tor), take down hidden services and deanonymize hidden services. In the second part we study Bitcoin anonymity. We describe a generic method to deanonymize a significant fraction of Bitcoin users and correlate their pseudonyms with their public IP addresses. We discover that using Bitcoin through Tor not only provides limited level of anonymity but also exposes the user to man-in-the middle attacks in which an attacker controls which Bitcoin blocks and transactions the user is aware of. We show how to fingerprint Bitcoin users by setting an “address cookie” on their computers. This can be used to correlate the same user across different sessions, even if he uses Tor, hidden-services or multiple proxies. Finally, we describe a new anonymous decentralized micropayments scheme in which clients do not pay services with electronic cash directly but submit proof of work shares which the services can resubmit to a crypto-currency mining pool. Services credit users with tickets that can later be used to purchases enhanced services. iv To my parents. vii Acknowledgements It is a pleasure for me to thank all people from whom I received support and en- couragement over the past four years. I am deeply grateful to my adviser Prof. Alex Biryukov for his wisdom, patience, and guidance. I would like to express my sincere gratitude to Dr. Aaron Johnson and Dr. Thorsten Holz for agreeing to serve as jury members, and to A.-Prof. Jean-Sébastien Coron for charing the jury. I am grateful to my co-authors and friends: Ralf-Philipp Weinmann and Dmitry Khovratovich. It was really great to work with you. I very much appreciate the help of LACS secretaries Fabienne Schmitz and Isabelle Schroeder with administrative matters. Finally I would like to express my gratitude to the University of Luxembourg for outstanding research conditions. Ivan Pustogarov, May 2015 viii Contents 1 Introduction 1 1.1 Foreword . .1 1.2 Historical overview . .2 1.2.1 Anonymous communications . .3 1.2.2 Cryptocurrencies: from blind signatures to Bitcoin . .6 1.2.3 Examples of centralized anonymous digital currencies. .7 1.2.4 The synergy: Silkroad marketplace . .8 1.3 Thesis structure . .9 1.4 Remarks on methodology . 10 1.5 Ethical considerations . 10 2 Tor and Bitcoin 11 2.1 Tor anonymity network . 11 2.1.1 Architecture . 11 2.1.2 Tor Circuits . 13 2.1.3 Hidden services . 16 2.2 Bitcoin . 19 2.2.1 Architecture . 19 2.2.2 Transactions and Blockchain . 20 2.2.3 Bitcoin P2P network . 22 2.2.4 Mining-pools and altcoins . 26 2.2.5 Bitcoin Testnet . 27 3 Deanonymizing Tor Connections Using Topology Leaks 29 3.1 Revealing Tor connectivity dynamics . 30 3.1.1 Canonical Connectivity Scanning . 30 3.1.2 Connectivity probing via timing attacks . 31 3.2 Attacking Tor using connectivity dynamics . 32 3.2.1 Tracing long-lived streams . 32 3.2.2 Differential scan attack . 35 3.3 Analysis of the attacks . 38 3.3.1 Long-lived connections . 38 3.3.2 Differential scanning attack . 42 3.4 Potential countermeasures and conclusion . 43 x Contents 4 Anonymity Analysis of Tor Hidden Services 45 4.1 Shadowing . 46 4.2 Bandwidth inflation . 46 4.3 Catching and tracking hidden service descriptors . 47 4.3.1 Examples of hidden services analyzed . 47 4.3.2 Controlling hidden service directories . 48 4.3.3 Efficient harvesting of Tor HS descriptors . 50 4.3.4 Experimental results . 52 4.3.5 The Influence of Shadow Relays on the Flag Assignment . 53 4.4 Content and popularity analysis . 54 4.4.1 Port scanning hidden services . 54 4.4.2 Content analysis . 55 4.4.3 Popularity measurement . 57 4.5 Opportunistic deanonymisation of hidden services . 59 4.5.1 Unencrypted descriptors . 60 4.5.2 Encrypted descriptors . 61 4.5.3 Success rate and pricing for targeted deanonymizations . 62 4.5.4 Tracking clients . 62 4.6 Revealing Guard nodes of hidden services . 63 4.6.1 Unencrypted descriptors . 64 4.6.2 Encrypted descriptors . 65 4.7 Potential countermeasures . 70 5 Anonymity Analysis of Bitcoin P2P Network 71 5.1 Deanonymization of client in Bitcoin P2P network . 72 5.1.1 Learning entry nodes . 72 5.1.2 Deanonymizing clients . 73 5.1.3 Experimental results . 77 5.1.4 Analysis . 78 5.1.5 Countermeasures . 87 5.2 Bitcoin over Tor . 87 5.2.1 Disconnecting from Tor . 87 5.2.2 Getting in the middle . 88 5.2.3 Attack vectors . 90 5.2.4 Analysis . 91 5.2.5 Countermeasures . 96 5.3 User fingerprinting . 97 5.3.1 Setting cookie . 97 5.3.2 Extracting cookie . 98 5.3.3 Low-resource Sybil attacks on Bitcoin . 98 5.3.4 Attack vectors . 99 5.3.5 Analysis. Stability of Cookie . 100 5.3.6 Countermeasures . 102 Contents xi 6 Proof-of-Work as Anonymous Micropayment 103 6.1 Proof-of-Work as payment for service . 103 6.1.1 Design goals . 103 6.1.2 System design . 104 6.2 Analysis . 108 6.2.1 Profitability . 108 6.2.2 Anonymity . 112 Bibliography 113 Publications 118 xii Contents List of Tables 4.1 Popularity of the discovered botnet . 50 4.2 Popularity of Silk Road and DuckDuckGo . 50 4.3 HTTP and HTTPS access . 56 4.4 Ranking of most popular hidden services, February 2013 . 58 5.1 Probability that L entry nodes (out of 8) appear in the top-10 of those that forward the transaction to adversary’s client. 83 5.2 Complementary Cumulative distribution function for addresses times- tamps, November 2014 . 101 5.3 Address cookie decay rate (example) . 102 6.1 Proof-of-work algorithms and corresponding crypto-currencies . 109 6.2 Hash rates of the proof-of-work algorithms on Intel Core i7-2760QM 110 xiv List of Tables List of Figures 2.1 Tor anonymity network . 12 2.2 Layered encryption . 13 2.3 Circuit creation. First step . 13 2.4 Circuit creation. Second step . 14 2.5 Circuits and streams multiplexing . 14 2.6 Tor hidden services architecture . 17 2.7 Tor hidden services fingerprints circular list . 19 2.8 How Bitcoin works . 20 2.9 Bitcoin blockchain . 21 2.10 Bitcoin P2P network . 22 2.11 Trickling of ADDR messages . 25 3.1 Tor circuit setup . 31 3.2 One-hop attack against long-lived connections . 33 3.3 Differential scanning attack . 33 3.4 Decay rate of Persistent connections . 35 3.5 Persistent connections decay rate for a random router . 35 3.6 Circuit duration probability density function between two high band- width routers . 39 3.7 Circuit duration distribution function between two high bandwidth routers . 39 3.8 Circuit duration probability density function between a high band- width and non-high-bandwidth routers . 39 3.9 Circuit duration distribution function between a high bandwidth and non-high-bandwidth routers . 39 3.10 Circuit arrival rate for an active high bandwidth router . 40 3.11 Probability for a node to be chosen as a guard and a middle node . 40 3.12 Connection duration distribution . 42 3.13 Tor bandwidth distribution and share of immortal connections . 42 3.14 Signal and Noise for differential scan . 43 4.1 Distances between HS directories fingerprints, log10 scale . 49 4.2 Hidden service descriptor request rate during one day (Summer 2012) 50 4.3 Increase in.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages135 Page
-
File Size-