a first go at section 7

svn:r736
Roger Dingledine 2003-11-03 14:27:00 +00:00
parent 1c493d4893
commit a3a01e85aa

@ -1300,158 +1300,153 @@ design withstands them.
\subsubsection*{Passive attacks} \subsubsection*{Passive attacks}
\begin{tightlist} \begin{tightlist}
\item \emph{Observing user traffic patterns.} Observations of connection \item \emph{Observing user traffic patterns.} Observations of connection
between an end user and a first onion router will not reveal to whom between a user and her first onion router will not reveal to whom
the user is connecting or what information is being sent. It will the user is connecting or what information is being sent. It will
reveal patterns of user traffic (both sent and received). Simple reveal patterns of user traffic (both sent and received). Simple
profiling of user connection patterns is not generally possible, profiling of user connection patterns is not generally possible,
however, because multiple application connections (streams) may be however, because multiple application streams may be operating
operating simultaneously or in series over a single circuit. Thus, simultaneously or in series over a single circuit. Thus, further
further processing is necessary to try to discern even these usage processing is necessary to discern even these usage patterns.
patterns.
\item \emph{Observing user content.} At the user end, content is \item \emph{Observing user content.} At the user end, content is
encrypted; however, connections from the network to arbitrary encrypted; however, connections from the network to arbitrary
websites may not be. Further, a responding website may itself be websites may not be. Further, a responding website may itself be
considered an adversary. Filtering content is not a primary goal of hostile. Filtering content is not a primary goal of
Onion Routing; nonetheless, Tor can directly make use of Privoxy and Onion Routing; nonetheless, Tor can directly make use of Privoxy and
related filtering services via SOCKS and thus anonymize their related filtering services to anonymize application data streams.
application data streams.
\item \emph{Option distinguishability.} Configuration options can be a \item \emph{Option distinguishability.} Configuration options can be a
source of distinguishable patterns. In general there is economic source of distinguishable patterns. In general there is economic
incentive to allow preferential services \cite{econymics}, and some incentive to allow preferential services \cite{econymics}, and some
degree of configuration choice can be a factor in attracting many users degree of configuration choice can attract users, which
to provide anonymity. So far, however, we have provide anonymity. So far, however, we have
not found a compelling use case in Tor for any client-configurable not found a compelling use case in Tor for any client-configurable
options. Thus, clients are currently distinguishable only by their options. Thus, clients are currently distinguishable only by their
behavior. behavior.
%Actually, circuitrebuildperiod is such an option. -RD %XXX Actually, circuitrebuildperiod is such an option. -RD
\item \emph{End-to-end Timing correlation.} Tor only minimally hides \item \emph{End-to-end Timing correlation.} Tor only minimally hides
end-to-end timing correlations. If an attacker can watch patterns of end-to-end timing correlations. An attacker watching patterns of
traffic at the initiator end and the responder end, then he will be traffic at the initiator and the responder will be
able to confirm the correspondence with high probability. The able to confirm the correspondence with high probability. The
greatest protection currently against such confirmation is if the greatest protection currently against such confirmation is to hide
connection between the onion proxy and the first Tor node is hidden, the connection between the onion proxy and the first Tor node,
possibly because it is local or behind a firewall. This approach either because it is local or behind a firewall. This approach
requires an observer to separate traffic originating the onion requires an observer to separate traffic originating at the onion
router from traffic passes through it. We still do not, however, router from traffic passes through it; but because we do not mix
predict this approach to be a large problem for an attacker who can or pad, this does not provide much defense.
observe traffic at both ends of an application connection.
\item \emph{End-to-end Size correlation.} Simple packet counting \item \emph{End-to-end Size correlation.} Simple packet counting
without timing consideration will also be effective in confirming without timing consideration will also be effective in confirming
endpoints of a connection through Onion Routing; although slightly endpoints of a stream. However, even without padding, we have some
less so. This is because, even without padding, the leaky pipe limited protection: the leaky pipe topology means different numbers
topology means different numbers of packets may enter one end of a of packets may enter one end of a circuit than exit at the other.
circuit than exit at the other.
\item \emph{Website fingerprinting.} All the above passive \item \emph{Website fingerprinting.} All the above passive
attacks that are at all effective are traffic confirmation attacks. attacks that are at all effective are traffic confirmation attacks.
This puts them outside our general design goals. There is also This puts them outside our general design goals. There is also
a passive traffic analysis attack that is potentially effective. a passive traffic analysis attack that is potentially effective.
Instead of searching exit connections for timing and volume Rather than searching exit connections for timing and volume
correlations it is possible to build up a database of correlations, the adversary may build up a database of
``fingerprints'' containing file sizes and access patterns for many ``fingerprints'' containing file sizes and access patterns for many
interesting websites. If one now wants to interesting websites. He can confirm a user's connection to a given
monitor the activity of a user, it may be possible to confirm a site simply by consulting the database. This attack has
connection to a site simply by consulting the database. This attack has been shown to be effective against SafeWeb \cite{hintz-pet02}. But
been shown to be effective against SafeWeb \cite{hintz-pet02}. Onion Tor is not as vulnerable as SafeWeb to this attack: there is the
Routing is not as vulnerable as SafeWeb to this attack: There is the
possibility that multiple streams are exiting the circuit at possibility that multiple streams are exiting the circuit at
different places concurrently. Also, fingerprinting will be limited to different places concurrently. Also, fingerprinting will be limited to
the granularity of cells, currently 256 bytes. Larger cell sizes the granularity of cells, currently 256 bytes. Other defenses include
and/or minimal padding schemes that group websites into large sets larger cell sizes and/or minimal padding schemes that group websites
are possible responses. But this remains an open problem. Link into large sets. But this remains an open problem. Link
padding or long-range dummies may also make fingerprints harder to padding or long-range dummies may also make fingerprints harder to
detect. (Note that detect.\footnote{Note that
such fingerprinting should not be confused with the latency attacks such fingerprinting should not be confused with the latency attacks
of \cite{back01}. Those require a fingerprint of the latencies of of \cite{back01}. Those require a fingerprint of the latencies of
all circuits through the network, combined with those from the all circuits through the network, combined with those from the
network edges to the targeted user and the responder website. While network edges to the targeted user and the responder website. While
these are in principal feasible and surprises are always possible, these are in principal feasible and surprises are always possible,
these constitute a much more complicated attack, and there is no these constitute a much more complicated attack, and there is no
current evidence of their practicality.) current evidence of their practicality.}
\item \emph{Content analysis.} Tor explicitly provides no content %\item \emph{Content analysis.} Tor explicitly provides no content
rewriting for any protocol at a higher level than TCP. When % rewriting for any protocol at a higher level than TCP. When
protocol cleaners are available, however (as Privoxy is for HTTP), % protocol cleaners are available, however (as Privoxy is for HTTP),
Tor can integrate them in order to address these attacks. % Tor can integrate them to address these attacks.
\end{tightlist} \end{tightlist}
\subsubsection*{Active attacks} \subsubsection*{Active attacks}
\begin{tightlist} \begin{tightlist}
\item \emph{Key compromise.} We consider the impact of a compromise \item \emph{Compromise keys.}
for each type of key in turn, from the shortest- to the If a TLS session key is compromised, an attacker
longest-lived. If a circuit session key is compromised, the
attacker can unwrap a single layer of encryption from the relay
cells traveling along that circuit. (Only nodes on the circuit can
see these cells.) If a TLS session key is compromised, an attacker
can view all the cells on TLS connection until the key is can view all the cells on TLS connection until the key is
renegotiated. (These cells are themselves encrypted.) If a TLS renegotiated. (These cells are themselves encrypted.) If a TLS
private key is compromised, the attacker can fool others into private key is compromised, the attacker can fool others into
thinking that he is the affected OR, but still cannot accept any thinking that he is the affected OR, but still cannot accept any
connections. If an onion private key is compromised, the attacker connections. \\
If a circuit session key is compromised, the
attacker can unwrap a single layer of encryption from the relay
cells traveling along that circuit. (Only nodes on the circuit can
see these cells.) If an onion private key is compromised, the attacker
can impersonate the OR in circuits, but only if the attacker has can impersonate the OR in circuits, but only if the attacker has
also compromised the OR's TLS private key, or is running the also compromised the OR's TLS private key, or is running the
previous OR in the circuit. (This compromise affects newly created previous OR in the circuit. (This compromise affects newly created
circuits, but because of perfect forward secrecy, the attacker circuits, but because of perfect forward secrecy, the attacker
cannot hijack old circuits without compromising their session keys.) cannot hijack old circuits without compromising their session keys.)
In any case, an attacker can only take advantage of a compromise in In any case, periodic key rotation limits the window of opportunity
these mid-term private keys until they expire. Only by for compromising these keys. \\
Only by
compromising a node's identity key can an attacker replace that compromising a node's identity key can an attacker replace that
node indefinitely, by sending new forged mid-term keys to the node indefinitely, by sending new forged descriptors to the
directories. Finally, an attacker who can compromise a directory servers. Finally, an attacker who can compromise a
\emph{directory's} identity key can influence every client's view directory server's identity key can influence every client's view
of the network---but only to the degree made possible by gaining a of the network---but only to the degree made possible by gaining a
vote with the rest of the the directory servers. vote with the rest of the the directory servers.
\item \emph{Iterated compromise.} A roving adversary who can \item \emph{Iterated compromise.} A roving adversary who can
compromise ORs (by system intrusion, legal coersion, or extralegal compromise ORs (by system intrusion, legal coersion, or extralegal
coersion) could march down length of a circuit compromising the coersion) could march down the circuit compromising the
nodes until he reaches the end. Unless the adversary can complete nodes until he reaches the end. Unless the adversary can complete
this attack within the lifetime of the circuit, however, the ORs this attack within the lifetime of the circuit, however, the ORs
will have discarded the necessary information before the attack can will have discarded the necessary information before the attack can
be completed. (Thanks to the perfect forward secrecy of session be completed. (Thanks to the perfect forward secrecy of session
keys, the attacker cannot cannot force nodes to decrypt recorded keys, the attacker cannot force nodes to decrypt recorded
traffic once the circuits have been closed.) Additionally, building traffic once the circuits have been closed.) Additionally, building
circuits that cross jurisdictions can make legal coercion circuits that cross jurisdictions can make legal coercion
harder---this phenomenon is commonly called ``jurisdictional harder---this phenomenon is commonly called ``jurisdictional
arbitrage.'' The Java Anon Proxy project recently experienced this arbitrage.'' The Java Anon Proxy project recently experienced the
issue, when need for this approach, when
the German government successfully ordered them to add a backdoor to the German government successfully ordered them to add a backdoor to
all of their nodes \cite{jap-backdoor}. all of their nodes \cite{jap-backdoor}.
\item \emph{Run a recipient.} By running a Web server, an adversary \item \emph{Run a recipient.} By running a Web server, an adversary
trivially learns the timing patterns of those connecting to it, and trivially learns the timing patterns of users connecting to it, and
can introduce arbitrary patterns in its responses. This can greatly can introduce arbitrary patterns in its responses. This can greatly
facilitate end-to-end attacks: If the adversary can induce certain facilitate end-to-end attacks: If the adversary can induce certain
users to connect to connect to his webserver (perhaps by providing users to connect to his webserver (perhaps by advertising
content targeted at those users), she now holds one end of their content targeted at those users), she now holds one end of their
connection. Additonally, here is a danger that the application connection. Additionally, there is a danger that the application
protocols and associated programs can be induced to reveal protocols and associated programs can be induced to reveal
information about the initiator. This is not directly in Onion information about the initiator. Tor does not aim to solve this problem;
Routing's protection area, so we are dependent on Privoxy and we depend on Privoxy and similar protocol cleaners.
similar protocol cleaners to solve the problem.
\item \emph{Run an onion proxy.} It is expected that end users will \item \emph{Run an onion proxy.} It is expected that end users will
nearly always run their own local onion proxy. However, in some nearly always run their own local onion proxy. However, in some
settings, it may be necessary for the proxy to run settings, it may be necessary for the proxy to run
remotely---typically, in an institutional setting where it was remotely---typically, in an institutional setting which wants
necessary to monitor the activity of those connecting to the proxy. to monitor the activity of those connecting to the proxy.
The drawback, of course, is that if the onion proxy is compromised, Compromising an onion proxy means compromising all future connections
then all future connections through it are completely compromised. through it.
\item \emph{DoS non-observed nodes.} An observer who can observe some \item \emph{DoS non-observed nodes.} An observer who can observe some
of the Tor network can increase the value of this traffic analysis of the Tor network can increase the value of this traffic analysis
if it can attack non-observed nodes to shut them down, reduce by attacking non-observed nodes to shut them down, reduce
their reliability, or persuade users that they are not trustworthy. their reliability, or persuade users that they are not trustworthy.
The best defense here is robustness. The best defense here is robustness.
\item \emph{Run a hostile node.} In addition to the abilties of a \item \emph{Run a hostile node.} In addition to the abilities of a
local observer, an isolated hostile node can create circuits through local observer, an isolated hostile node can create circuits through
itself, or alter traffic patterns, in order to affect traffic at itself, or alter traffic patterns, to affect traffic at
other nodes. Its ability to directly DoS a neighbor is now limited other nodes. Its ability to directly DoS a neighbor is now limited
by bandwidth throttling. Nonetheless, in order to compromise the by bandwidth throttling. Nonetheless, in order to compromise the
anonymity of the endpoints of a circuit by its observations, a anonymity of the endpoints of a circuit by its observations, a
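
Review bot: In the rewritten \emph{Compromise keys} item, the sentence announcing the order ("from the shortest- to the longest-lived") is removed and the TLS session key case now comes before the circuit session key case, so the item no longer follows any stated order, and "these keys" in the new "periodic key rotation limits the window of opportunity for compromising these keys" has lost its referent (the old text said "these mid-term private keys"). Either restore an explicit ordering or name the keys that rotate, and replace the two forced \\ breaks with separate sentences or sub-items. Minor leftovers on the new side: "traffic passes through it" (passing), "coersion", "in principal", "the the directory servers", and the his/she switch in \emph{Run a recipient}.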
@ -1461,13 +1456,14 @@ design withstands them.
\item \emph{Run multiple hostile nodes.} If an adversary is able to \item \emph{Run multiple hostile nodes.} If an adversary is able to
run multiple ORs, and is able to persuade the directory servers run multiple ORs, and is able to persuade the directory servers
that those ORs are trustworthy and independant, then occasionally that those ORs are trustworthy and independant, then occasionally
some user will choose one of those ORs for the start and another of some user will choose one of those ORs for the start and another
those ORs as the end of a circuit. When this happens, the user's as the end of a circuit. When this happens, the user's
anonymity is compromised for those circuits. If an adversary can anonymity is compromised for those streams. If an adversary can
control $m$ out of $N$ nodes, he should be able to correlate at most control $m$ out of $N$ nodes, he should be able to correlate at most
$\frac{m}{N}$ of the traffic in this way---although an adersary $\frac{m}{N}$ of the traffic in this way---although an adversary
% XXX Isn't this (m/N)^2 ? -RD
could possibly attract a disproportionately large amount of traffic could possibly attract a disproportionately large amount of traffic
by running an exit node with an unusually permisssive exit policy. by running an exit node with an unusually permissive exit policy.
\item \emph{Compromise entire path.} Anyone compromising both \item \emph{Compromise entire path.} Anyone compromising both
endpoints of a circuit can confirm this with high probability. If endpoints of a circuit can confirm this with high probability. If
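
Review bot: The added comment "% XXX Isn't this (m/N)^2 ? -RD" leaves the bound in this sentence unresolved. The item describes a user picking one adversary OR as the start and another as the end of a circuit, which needs both picks to land on the adversary's nodes, so "at most $\frac{m}{N}$" is at best a loose bound. Settle the figure, or state the node-selection assumption it rests on, rather than shipping the XXX. The line "trustworthy and independant" is also still misspelled on both sides.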
@ -1485,18 +1481,20 @@ design withstands them.
circuits that converge at a single onion router to circuits that converge at a single onion router to
overwhelm its network connection, its ability to process new overwhelm its network connection, its ability to process new
circuits, or both. circuits, or both.
% We aim to address something like this attack with our congestion
% control algorithm.
\item \emph{Introduce timing into messages.} This is simply a stronger \item \emph{Introduce timing into messages.} This is simply a stronger
version of passive timing attacks already discussed above. version of passive timing attacks already discussed above.
\item \emph{Tagging attacks.} A hostile node could try to ``tag'' a \item \emph{Tagging attacks.} A hostile node could ``tag'' a
cell by altering it. This would render it unreadable, but if the cell by altering it. This would render it unreadable, but if the
connection is, for example, an unencrypted request to a Web site, stream is, for example, an unencrypted request to a Web site,
the garbled content coming out at the appropriate time could confirm the garbled content coming out at the appropriate time could confirm
the association. However, integrity checks on cells prevent the association. However, integrity checks on cells prevent
this attack from succeeding. this attack.
\item \emph{Replace contents of unauthenticated protocols.} When a \item \emph{Replace contents of unauthenticated protocols.} When
relaying an unauthenticated protocol like HTTP, a hostile exit node relaying an unauthenticated protocol like HTTP, a hostile exit node
can impersonate the target server. Thus, whenever possible, clients can impersonate the target server. Thus, whenever possible, clients
should prefer protocols with end-to-end authentication. should prefer protocols with end-to-end authentication.
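
Review bot: The two comment lines added after "circuits, or both." state a defense ("We aim to address something like this attack with our congestion control algorithm") that never reaches the reader because it is commented out. If the paper stands behind the claim, put it in the item text with a reference to the congestion control section; if not, drop it so the item does not quietly depend on an unstated mitigation.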
@ -1519,7 +1517,7 @@ design withstands them.
their connections---or worse, trick ORs into running weakened their connections---or worse, trick ORs into running weakened
software that provided users with less anonymity. We address this software that provided users with less anonymity. We address this
problem (but do not solve it completely) by signing all Tor releases problem (but do not solve it completely) by signing all Tor releases
with an official public key, and including an entry the directory with an official public key, and including an entry in the directory
describing which versions are currently believed to be secure. To describing which versions are currently believed to be secure. To
prevent an attacker from subverting the official release itself prevent an attacker from subverting the official release itself
(through threats, bribery, or insider attacks), we provide all (through threats, bribery, or insider attacks), we provide all
@ -1530,14 +1528,15 @@ design withstands them.
\subsubsection*{Directory attacks} \subsubsection*{Directory attacks}
\begin{tightlist} \begin{tightlist}
\item \emph{Destroy directory servers.} If a single directory \item \emph{Destroy directory servers.} If a few directory
server drops out of operation, the others still arrive at a final servers drop out of operation, the others still arrive at a final
directory. So long as any directory servers remain in operation, directory. So long as any directory servers remain in operation,
they will still broadcast their views of the network and generate a they will still broadcast their views of the network and generate a
consensus directory. (If more than half are destroyed, this consensus directory. (If more than half are destroyed, this
directory will not, however, have enough signatures for clients to directory will not, however, have enough signatures for clients to
use it automatically; human intervention will be necessary for use it automatically; human intervention will be necessary for
clients to decide whether to trust the resulting directory.) clients to decide whether to trust the resulting directory, or continue
to use the old valid one.)
\item \emph{Subvert a directory server.} By taking over a directory \item \emph{Subvert a directory server.} By taking over a directory
server, an attacker can influence (but not control) the final server, an attacker can influence (but not control) the final
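
Review bot: In \emph{Destroy directory servers}, the new "If a few directory servers drop out of operation" is looser than the threshold in the parenthetical ("If more than half are destroyed"). Word the first sentence against the same threshold, for example "fewer than half", so the two agree on when a signed consensus is still produced. The added "or continue to use the old valid one" would also benefit from saying how long an old directory remains acceptable.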
@ -1609,14 +1608,13 @@ design withstands them.
\end{tightlist} \end{tightlist}
\Section{Open Questions in Low-latency Anonymity} \Section{Open Questions in Low-latency Anonymity}
\label{sec:maintaining-anonymity} \label{sec:maintaining-anonymity}
% There must be a better intro than this! -NM % There must be a better intro than this! -NM
In addition to the open problems discussed in In addition to the open problems discussed in
Section~\ref{subsec:non-goals}, many other questions remain to be Section~\ref{subsec:non-goals}, many other questions remain to be
solved by future research before we can be truly confident that we solved by future research before we can be confident that we
have built a secure low-latency anonymity service. have built a secure low-latency anonymity service.
Many of these open issues are questions of balance. For example, Many of these open issues are questions of balance. For example,
@ -1826,6 +1824,8 @@ issues remaining to be ironed out. In particular:
may need to move to a solution in which clients only receive may need to move to a solution in which clients only receive
incremental updates to directory state, or where directories are incremental updates to directory state, or where directories are
cached at the ORs to avoid high loads on the directory servers. cached at the ORs to avoid high loads on the directory servers.
% XXX this is a design paper, not an implementation paper. the design
% says that they're already cached at the ORs. Agree/disagree?
\item \emph{Implementing location-hidden servers:} While \item \emph{Implementing location-hidden servers:} While
Section~\ref{sec:rendezvous} describes a design for rendezvous Section~\ref{sec:rendezvous} describes a design for rendezvous
points and location-hidden servers, these feature has not yet been points and location-hidden servers, these feature has not yet been
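
Review bot: The added "% XXX this is a design paper, not an implementation paper" comment says the design already caches directories at the ORs, while the item text directly above still lists "directories are cached at the ORs" as something the project "may need to move to". One of the two is wrong; decide which and fix the item text instead of leaving the disagreement in a comment. The context line "these feature has not yet been" also needs "this feature".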