Tor: The Second-Generation Onion Router

Provided by: ericr4

1
Tor: The Second-Generation Onion Router
  • Presented by Eric Rozner
  • R. Dingledine, N. Mathewson, P. Syverson

2
Roadmap
  • Intro
  • Design Goals/Assumptions
  • Tor Design
  • Attacks
  • Tor in the Wild
  • Conclusions

3
Introduction
  • Circuit-based, low-latency anonymous
    communication service
  • Onion Routing: a distributed overlay network
    designed to anonymize TCP-based applications
  • Tor provides benefits over previous onion routing
    protocols

4
Benefits
  • Perfect forward secrecy
  • Telescoping path-building design, keys refreshed
  • Better deployability
  • SOCKS
  • No mixing, padding, or traffic shaping
  • Many TCP streams can share one circuit
  • Less overhead
  • Leaky-pipe circuit topology
  • Traffic can depart anywhere in circuit, traffic
    shaping and volume attacks become harder

5
Benefits Continued
  • Congestion Control
  • Directory servers
  • No more flooding state through network
  • Variable exit policies
  • Different users comfortable with different levels
    of involvement
  • End-to-end integrity checking
  • Rendezvous points and hidden services

6
Design Goals
  • Deployability
  • Usability
  • Flexibility
  • Test-bed for future research
  • Simple Design (well-understood, provable)
  • All in an effort to increase participation

7
Assumptions
  • Adversary doesn't have global view of network
  • Adversary can't observe both ends of
    communication
  • If timing and volume patterns of traffic are
    distinct, a passive listener can infer Alice is
    talking to Bob
  • Rather than focusing on these traffic
    confirmation attacks, we aim to prevent traffic
    analysis attacks, where the adversary uses
    traffic patterns to learn which points in the
    network he should attack.

8
Tor Design
  • Overlay of onion routers used to route
    traffic
  • Onion Routers (OR) route traffic through the
    overlay
  • Maintains long-term identity key
  • Short-term onion key
  • Onion Proxy (OP) on the client multiplexes TCP
    connections across circuits in the overlay
  • Creates cells for communication over circuits

9
Tor in a nutshell

10
Nutshell

11
Nutshell

12
Cells
  • Control Cells
  • Create and destroy a circuit
  • Relay Cells
  • Carry end-to-end stream data
  • Control stream, data, open/close stream, extend
    circuits, etc.

13
Circuit construction
  • Constructed incrementally
  • OP negotiates a symmetric key with each OR on the
    circuit, one hop at a time
  • ORs only know previous and next hop
  • Authentication, forward secrecy, key freshness

14
Example
  • Encryption using Onion keys

15
Relay Cells
  • Sending to an OR: Alice assigns a digest, then
    iteratively encrypts the cell payload with the
    symmetric key of each hop up to that OR
  • ORs decrypt payload and either forward or
    process (if digest succeeds)
  • Leaky pipe
  • OR's reply: encrypts cell with session key and
    sends it back toward Alice along the circuit.
    Subsequent ORs add further layers of encryption.
  • OP at Alice will unwrap each level of encryption

16
Integrity Checking
  • At each end-point of circuit
  • SHA-1 digest is derived from the key that Alice
    negotiates with each new hop
  • Only those two know it
  • Prevents an adversary from modifying data
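
The relay-cell handling and integrity check from the two slides above, as an added example that is not code from the presentation or from Tor. It assumes a SHA-256 counter-mode keystream as a stand-in for the real cipher, a simplified per-cell digest, and constructed hop keys; the function names are hypothetical.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode, XORed over the data.
    The keystream restarts for every cell here; a real cipher must not reuse it."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def digest(key: bytes, body: bytes) -> bytes:
    """4-byte SHA-1 tag seeded from the key Alice shares with exactly one hop."""
    return hashlib.sha1(b"digest" + key + body).digest()[:4]

def wrap(hop_keys, target, body):
    """Alice: tag the cell for hop `target`, then encrypt once per hop up to it."""
    cell = digest(hop_keys[target], body) + body
    for key in reversed(hop_keys[: target + 1]):
        cell = keystream_xor(key, cell)
    return cell

def relay(hop_keys, cell):
    """Walk the circuit: each OR strips one layer, then checks the digest.
    Returns (hop_index, body) for the OR that recognizes the cell, else (None, None)."""
    for hop, key in enumerate(hop_keys):
        cell = keystream_xor(key, cell)
        tag, body = cell[:4], cell[4:]
        if hmac.compare_digest(tag, digest(key, body)):
            return hop, body      # digest verifies: this OR processes the cell
    return None, None             # nobody recognized it: the circuit is torn down

# Constructed per-hop keys standing in for the negotiated session keys.
KEYS = [hashlib.sha256(b"constructed hop %d" % i).digest() for i in range(3)]

if __name__ == "__main__":
    print(relay(KEYS, wrap(KEYS, 2, b"to the exit")))    # recognized at the last hop
    print(relay(KEYS, wrap(KEYS, 1, b"leaky pipe")))     # recognized mid-circuit
    tampered = bytearray(wrap(KEYS, 2, b"to the exit"))
    tampered[-1] ^= 0x01                                 # one bit flipped in transit
    print(relay(KEYS, bytes(tampered)))                  # no hop accepts it
```

Because only Alice and the addressed hop hold the digest seed, an intermediate OR that alters the ciphertext cannot produce a cell that any later hop will accept.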

17
Rate limiting
  • Tor uses a token bucket approach to enforce a
    long-term average of incoming bytes
  • Volunteers don't have to give up all their
    bandwidth to run Tor

18
Congestion Control
  • Circuit-level throttling
  • Packaging window: how many cells the OR can
    package back to OP
  • Delivery window: how many data cells can be
    forwarded to outside of network
  • Stream-level throttling
  • Similar to above, end-to-end
  • Both rely on an acknowledgement scheme to move
    the window
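
Circuit-level throttling as a small simulation, added here as an example and not taken from the presentation or from Tor's code. The window size of 1000 cells and the acknowledgement ("sendme") every 100 cells are the values given in the Tor design paper, not on the slide; acknowledgements are modeled as arriving instantly, and `simulate` is a hypothetical name.

```python
CIRC_WINDOW_START = 1000  # assumed initial window, value from the Tor design paper
SENDME_EVERY = 100        # assumed cells acknowledged by one circuit-level sendme

def simulate(total_cells, receiver_acks=True, drain_per_tick=50):
    """Push total_cells down one circuit direction.
    Returns (delivered, max_in_flight, stalled)."""
    package_window = CIRC_WINDOW_START   # sender: cells it may still package
    deliver_window = CIRC_WINDOW_START   # receiver: cells it is still willing to deliver
    sent = delivered = in_flight = max_in_flight = 0
    while delivered < total_cells:
        # Sender packages cells until its packaging window closes.
        while sent < total_cells and package_window > 0:
            sent += 1
            in_flight += 1
            package_window -= 1
        max_in_flight = max(max_in_flight, in_flight)
        if in_flight == 0:
            return delivered, max_in_flight, True   # window closed, no ack coming
        # Receiver delivers a batch and acknowledges every SENDME_EVERY cells.
        for _ in range(min(drain_per_tick, in_flight)):
            in_flight -= 1
            delivered += 1
            deliver_window -= 1
            if receiver_acks and deliver_window <= CIRC_WINDOW_START - SENDME_EVERY:
                deliver_window += SENDME_EVERY   # receiver reopens its own window
                package_window += SENDME_EVERY   # sendme reopens the sender's window
    return delivered, max_in_flight, False
```

With acknowledgements flowing, the sender never has more than one window of cells outstanding; without them it stops after the first 1000 cells, which bounds how much data a stuck or unresponsive endpoint can make the circuit buffer.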

19
Rendezvous Points and Hidden Services
  • Allows some user to provide a service anonymously
  • Both end-points remain anonymous
  • Both parties connect via a third party, the
    rendezvous point

20
Hidden Services

21
Hidden Services

22
User Participation
  • Exit policies
  • Open exit
  • Middleman exit
  • Private exit
  • Restricted exit
  • Abuse of open exit nodes a problem

23
Directory Servers
  • Maintain state about whole network (doesn't
    scale)
  • New nodes manually approved by system
    administrators
  • Need to be trusted
  • A compromised server breaks Tor

24
Attacks
  • Passive attacks
  • Probably not hard to tell a node is running Tor
  • Active attacks
  • DDoS, running an onion proxy, router
  • Directory attacks
  • Destroy or subvert directory servers
  • Rendezvous points
  • Attack RP or introduction points

25
DOS
  • DOS against introduction points
  • DOS against a circuit
  • Circuit failure breaks all streams passing
    through that circuit

26
Tor in the Wild
  • 32 nodes
  • Small, can still experiment and change
  • Lookup of cnn.com (normally 0.3 sec)
  • Median 2.8 sec, 90% finished in 5.3 sec
  • Will have to ensure scalability

27
Conclusions
  • A lot of future work needed
  • Still a lot of open questions
  • Routing questions
  • Padding needed?
  • Too brittle?