inside your onion

José-Paul Dominguez – timide
concat [first :: String, “.”, last :: String, “@e.ujf-grenoble.fr”]

securimag

March 10, 2016


Briefly

“The Second-Generation Onion Router” paper by Roger Dingledine, Nick Mathewson, Paul Syverson

Usenix Security 2004, awarded at Usenix Security 2014

Key actors

Figure: Roger Dingledine (image: Wikipedia / Tobias Klenze / CC-BY-SA 3.0)

Figure: Jacob Appelbaum (image: Wikipedia / Tobias Klenze / CC-BY-SA 3.0)

Many others:

- Nick Mathewson
- Paul Syverson
- https://www.torproject.org/about/corepeople.html

Basically

- anonymity system
- decentralized
- free in code, free to use

“Features”

- user anonymization
- hidden services

Anonymous? You don’t say.

At least improve your privacy and security on the Internet:

- hide you behind a node which will execute requests for you
- hide you from this very node
- without being in control of these

Using one node:

Client <-> Proxy <-> Server

          Client  message  Proxy  Server
Client      ✓        ✓       ✓      ✓
Proxy       ✓        ✓       ✓      ✓
Server      ✗        ✓       ✓      ✓


Let’s see with 2 nodes

Client <-> R1 <-> R2 <-> Server

          Client  message  R1  R2  Server
Client      –        ✓     ✓   ✓     ✓
R1          ✓        ✗     –   ✓     ✗
R2          ✗        ✓     ✓   –     ✓
Server      ✗        ✓     ✗   ✓     –

This pattern becomes interesting, but what if an entity is in control of R1 and/or R2?


Key exchange and layered encryption

Client <-> R1 <-> R2 <-> R3 <-> Server

Client <-> R1   key exchange: K1
Client <-> R2   key exchange: K2
Client <-> R3   key exchange: K3

Client -> R1    E_K1(E_K2(E_K3(request)))
R1 -> R2        E_K2(E_K3(request))
R2 -> R3        E_K3(request)
R3 -> Server    request
Server -> R3    response
R3 -> R2        E_K3(response)
R2 -> R1        E_K2(E_K3(response))
R1 -> Client    E_K1(E_K2(E_K3(response)))
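The exchange on this slide as runnable Python, an added example that is not part of the original slides: the client agrees on K1, K2 and K3 with the three relays, wraps the request in three layers, and each relay removes exactly one. The Diffie-Hellman parameters and the SHA-256 keystream are stand-ins chosen to stay within the standard library, and all function names (`run_circuit`, `layer`, ...) are hypothetical.

```python
import hashlib
import secrets

P = 2**255 - 19  # toy Diffie-Hellman modulus (prime); assumption, not a vetted group
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def layer(key, data, direction):
    # Stand-in stream cipher: XOR with a SHA-256 counter keystream.
    # Applying it twice with the same key and direction removes the layer.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + direction + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def run_circuit(request, server):
    client_keys, relay_keys = [], []
    for _ in range(3):  # one key exchange per relay: K1, K2, K3
        c_priv, c_pub = dh_keypair()
        r_priv, r_pub = dh_keypair()
        client_keys.append(derive_key(c_priv, r_pub))
        relay_keys.append(derive_key(r_priv, c_pub))
    cell = request
    for key in reversed(client_keys):  # E_K1(E_K2(E_K3(request)))
        cell = layer(key, cell, b"fwd")
    on_wire = [cell]  # Client->R1, then R1->R2, R2->R3, R3->Server
    for key in relay_keys:  # each relay peels exactly one layer
        cell = layer(key, cell, b"fwd")
        on_wire.append(cell)
    reply = server(cell)
    for key in reversed(relay_keys):  # R3, R2, R1 each add a layer
        reply = layer(key, reply, b"bwd")
    to_client = reply
    for key in client_keys:  # client removes K1, K2, K3
        reply = layer(key, reply, b"bwd")
    return on_wire, to_client, reply

if __name__ == "__main__":
    wire, _, answer = run_circuit(b"GET / HTTP/1.0\r\n\r\n", lambda req: b"200 OK")
    print([w.hex() for w in wire], answer)
```

Only the last entry of `on_wire` (R3 to Server) equals the plaintext request; the three earlier hops each carry a different ciphertext.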


Network overview


Terminology

- R1: entry relay / guard node
- R2: relay
- R3: exit relay
- (R1, R2, R3): path
- family: common organization, group

How the hell find a path?

Directory Authorities:

- hardcoded
  - currently 10 DA hardcoded
  - defined in src/or/config.c (https://gitweb.torproject.org/tor.git/tree/src/or/config.c): static const char *default_authorities[]
- maintain a list of running relays
- publish a consensus once per hour containing Tor relays
- assign flags to relays (https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt)
  - Running
  - position: {Guard, Exit, BadExit}
  - etc.
- client path: entry guard, relay and exit node of different families
  - kept while TCP stream is up: avoid profiling
  - reuse path for new TCP streams for 10 minutes
  - build another one in case of circuit failure
  - Guard flag given by DAs
  - election based on different properties: bandwidth, uptime, total time etc.
  - no longer a middle relay
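The path rules listed on this slide, applied to a small relay list (an added example, not code from the slides or from Tor): only Running relays are used, the entry needs the Guard flag, the exit needs Exit without BadExit, Guard relays are not used as middle relays, and the three hops come from different families. The relay records are constructed sample data, `select_path` and `candidates` are hypothetical names, and the uniform random choice is a simplifying assumption.

```python
import random

# Constructed relay list in the spirit of a consensus; nicknames, flags and
# family labels are sample values, not real relays.
RELAYS = [
    {"nick": "alpha",   "flags": {"Running", "Guard"},           "family": "org-a"},
    {"nick": "bravo",   "flags": {"Running", "Guard", "Exit"},   "family": "org-b"},
    {"nick": "charlie", "flags": {"Running"},                    "family": "org-a"},
    {"nick": "delta",   "flags": {"Running"},                    "family": "org-c"},
    {"nick": "echo",    "flags": {"Running", "Exit"},            "family": "org-c"},
    {"nick": "foxtrot", "flags": {"Running", "Exit", "BadExit"}, "family": "org-d"},
    {"nick": "golf",    "flags": {"Guard", "Exit"},              "family": "org-e"},  # not Running
]

def candidates(relays, need, forbid=frozenset(), used_families=()):
    """Running relays that carry every flag in `need`, none in `forbid`, and a new family."""
    return [r for r in relays
            if "Running" in r["flags"] and need <= r["flags"]
            and not (forbid & r["flags"]) and r["family"] not in used_families]

def select_path(relays, rng=random):
    """Pick (guard, middle, exit) from three different families, or None if impossible."""
    exits = candidates(relays, {"Exit"}, forbid={"BadExit"})
    rng.shuffle(exits)
    for exit_ in exits:
        guards = candidates(relays, {"Guard"}, used_families={exit_["family"]})
        rng.shuffle(guards)
        for guard in guards:
            fams = {exit_["family"], guard["family"]}
            middles = candidates(relays, set(), forbid={"Guard"}, used_families=fams)
            if middles:
                return guard, rng.choice(middles), exit_
    return None
```

When every relay belongs to one family, `select_path` returns `None` instead of building a path a single operator could observe end to end.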

Tor bridges and pluggable transports

- can be used when relays or DAs are censored
- basically encapsulate Tor protocol between client and first hop
- FTE(-IPv6), SSH, meek etc.
- publicly distributed bridges
- secret bridges
- very easy to set up

DNS leaks

- applications try to resolve hostnames
- client IP and requested service leakage
- SOCKS4, SOCKS5 use IP addresses
- SOCKS4a uses hostnames

Solutions:

- resolve manually using tor-resolve
- “use remote DNS”
- use a wrapper
- use a Transparent Proxy
- use an Isolating Proxy
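The SOCKS4 versus SOCKS4a difference from this slide at the byte level, as an added example that is not part of the original slides: a request builder and a classifier that tells whether the application already resolved the name itself or handed the hostname to the proxy. It covers SOCKS4 and SOCKS4a only; `socks4_connect` and `classify` are hypothetical names and the destinations in the test data are constructed.

```python
import ipaddress
import struct

def socks4_connect(host, port, userid=b""):
    """Build a CONNECT request: plain SOCKS4 for an IPv4 literal, SOCKS4a otherwise."""
    try:
        dst_ip, tail = ipaddress.IPv4Address(host).packed, b""
    except ipaddress.AddressValueError:
        # SOCKS4a: invalid address 0.0.0.x (x != 0), hostname appended after the user id
        dst_ip, tail = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    return struct.pack(">BBH", 4, 1, port) + dst_ip + userid + b"\x00" + tail

def classify(request):
    """Return (variant, destination, port) for a SOCKS4/SOCKS4a CONNECT request.

    'socks4'  -> the application resolved the name itself (possible DNS leak)
    'socks4a' -> the hostname travels to the proxy, which resolves it
    """
    if len(request) < 9:
        raise ValueError("request too short")
    version, command, port = struct.unpack(">BBH", request[:4])
    if version != 4 or command != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst_ip = request[4:8]
    userid, sep, rest = request[8:].partition(b"\x00")
    if not sep:
        raise ValueError("user id is not NUL-terminated")
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep or not hostname:
            raise ValueError("SOCKS4a hostname missing or unterminated")
        return "socks4a", hostname.decode("ascii"), port
    return "socks4", str(ipaddress.IPv4Address(dst_ip)), port
```

A `socks4` result for a destination the user typed as a hostname means the lookup happened outside the proxy, which is the leak the slide describes.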


Hidden services

- services accessible via a .onion URL
- Let’s Encrypt is trying to provide VALID certs for .onions
- Facebook now has a hidden service
- .onion hostname = hash of hidden service public key

Rendezvous points


Tools

- torify
- Tor Browser Bundle
- Tor Messenger
- Ricochet
- Orbot

Security concerns

- Tor does not protect against traffic analysis
- correlations may be found
- “Using BGP to Compromise Tor” paper


’kthx

References

- Tor 2004 paper: https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf
- Tor’s protocol specifications: https://gitweb.torproject.org/torspec.git/tree/