mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2025-02-23 14:40:51 +01:00
formatting changes, no edits
svn:r743
This commit is contained in:
Roger Dingledine
parent
2595770c1f
commit
7234c8393f
1 changed files with 322 additions and 331 deletions
|
|
@ -1388,324 +1388,311 @@ Below we summarize a variety of attacks, and discuss how well our
|
||||||
design withstands them.
|
design withstands them.
|
||||||
|
|
||||||
\subsubsection*{Passive attacks}
|
\subsubsection*{Passive attacks}
|
||||||
\begin{tightlist}
|
|
||||||
\item \emph{Observing user traffic patterns.} Observations of connection
|
|
||||||
between a user and her first onion router will not reveal to whom
|
|
||||||
the user is connecting or what information is being sent. It will
|
|
||||||
reveal patterns of user traffic (both sent and received). Simple
|
|
||||||
profiling of user connection patterns is not generally possible,
|
|
||||||
however, because multiple application streams may be operating
|
|
||||||
simultaneously or in series over a single circuit. Thus, further
|
|
||||||
processing is necessary to discern even these usage patterns.
|
|
||||||
|
|
||||||
\item \emph{Observing user content.} At the user end, content is
|
|
||||||
encrypted; however, connections from the network to arbitrary
|
|
||||||
websites may not be. Further, a responding website may itself be
|
|
||||||
hostile. Filtering content is not a primary goal of
|
|
||||||
Onion Routing; nonetheless, Tor can directly make use of Privoxy and
|
|
||||||
related filtering services to anonymize application data streams.
|
|
||||||
|
|
||||||
\item \emph{Option distinguishability.} Configuration options can be a
|
\emph{Observing user traffic patterns.} Observations of connection
|
||||||
source of distinguishable patterns. In general there is economic
|
between a user and her first onion router will not reveal to whom
|
||||||
incentive to allow preferential services \cite{econymics}, and some
|
the user is connecting or what information is being sent. It will
|
||||||
degree of configuration choice can attract users, which
|
reveal patterns of user traffic (both sent and received). Simple
|
||||||
provide anonymity. So far, however, we have
|
profiling of user connection patterns is not generally possible,
|
||||||
not found a compelling use case in Tor for any client-configurable
|
however, because multiple application streams may be operating
|
||||||
options. Thus, clients are currently distinguishable only by their
|
simultaneously or in series over a single circuit. Thus, further
|
||||||
behavior.
|
processing is necessary to discern even these usage patterns.
|
||||||
|
|
||||||
|
\emph{Observing user content.} At the user end, content is
|
||||||
|
encrypted; however, connections from the network to arbitrary
|
||||||
|
websites may not be. Further, a responding website may itself be
|
||||||
|
hostile. Filtering content is not a primary goal of
|
||||||
|
Onion Routing; nonetheless, Tor can directly make use of Privoxy and
|
||||||
|
related filtering services to anonymize application data streams.
|
||||||
|
|
||||||
|
\emph{Option distinguishability.} Configuration options can be a
|
||||||
|
source of distinguishable patterns. In general there is economic
|
||||||
|
incentive to allow preferential services \cite{econymics}, and some
|
||||||
|
degree of configuration choice can attract users, which
|
||||||
|
provide anonymity. So far, however, we have
|
||||||
|
not found a compelling use case in Tor for any client-configurable
|
||||||
|
options. Thus, clients are currently distinguishable only by their
|
||||||
|
behavior.
|
||||||
%XXX Actually, circuitrebuildperiod is such an option. -RD
|
%XXX Actually, circuitrebuildperiod is such an option. -RD
|
||||||
|
|
||||||
\item \emph{End-to-end Timing correlation.} Tor only minimally hides
|
\emph{End-to-end Timing correlation.} Tor only minimally hides
|
||||||
end-to-end timing correlations. An attacker watching patterns of
|
end-to-end timing correlations. An attacker watching patterns of
|
||||||
traffic at the initiator and the responder will be
|
traffic at the initiator and the responder will be
|
||||||
able to confirm the correspondence with high probability. The
|
able to confirm the correspondence with high probability. The
|
||||||
greatest protection currently available against such confirmation is to hide
|
greatest protection currently available against such confirmation is to hide
|
||||||
the connection between the onion proxy and the first Tor node,
|
the connection between the onion proxy and the first Tor node,
|
||||||
by running the onion proxy locally or
|
by running the onion proxy locally or
|
||||||
behind a firewall. This approach
|
behind a firewall. This approach
|
||||||
requires an observer to separate traffic originating at the onion
|
requires an observer to separate traffic originating at the onion
|
||||||
router from traffic passing through it; but because we do not mix
|
router from traffic passing through it; but because we do not mix
|
||||||
or pad, this does not provide much defense.
|
or pad, this does not provide much defense.
|
||||||
|
|
||||||
\item \emph{End-to-end Size correlation.} Simple packet counting
|
\emph{End-to-end Size correlation.} Simple packet counting
|
||||||
without timing correlation will also be effective in confirming
|
without timing correlation will also be effective in confirming
|
||||||
endpoints of a stream. However, even without padding, we have some
|
endpoints of a stream. However, even without padding, we have some
|
||||||
limited protection: the leaky pipe topology means different numbers
|
limited protection: the leaky pipe topology means different numbers
|
||||||
of packets may enter one end of a circuit than exit at the other.
|
of packets may enter one end of a circuit than exit at the other.
|
||||||
|
|
||||||
\item \emph{Website fingerprinting.} All the above passive
|
\emph{Website fingerprinting.} All the above passive
|
||||||
attacks that are at all effective are traffic confirmation attacks.
|
attacks that are at all effective are traffic confirmation attacks.
|
||||||
This puts them outside our general design goals. There is also
|
This puts them outside our general design goals. There is also
|
||||||
a passive traffic analysis attack that is potentially effective.
|
a passive traffic analysis attack that is potentially effective.
|
||||||
Rather than searching exit connections for timing and volume
|
Rather than searching exit connections for timing and volume
|
||||||
correlations, the adversary may build up a database of
|
correlations, the adversary may build up a database of
|
||||||
``fingerprints'' containing file sizes and access patterns for many
|
``fingerprints'' containing file sizes and access patterns for many
|
||||||
interesting websites. He can confirm a user's connection to a given
|
interesting websites. He can confirm a user's connection to a given
|
||||||
site simply by consulting the database. This attack has
|
site simply by consulting the database. This attack has
|
||||||
been shown to be effective against SafeWeb \cite{hintz-pet02}. But
|
been shown to be effective against SafeWeb \cite{hintz-pet02}. But
|
||||||
Tor is not as vulnerable as SafeWeb to this attack: there is the
|
Tor is not as vulnerable as SafeWeb to this attack: there is the
|
||||||
possibility that multiple streams are exiting the circuit at
|
possibility that multiple streams are exiting the circuit at
|
||||||
different places concurrently. Also, fingerprinting will be limited to
|
different places concurrently. Also, fingerprinting will be limited to
|
||||||
the granularity of cells, currently 256 bytes. Other defenses include
|
the granularity of cells, currently 256 bytes. Other defenses include
|
||||||
larger cell sizes and/or minimal padding schemes that group websites
|
larger cell sizes and/or minimal padding schemes that group websites
|
||||||
into large sets. But this remains an open problem. Link
|
into large sets. But this remains an open problem. Link
|
||||||
padding or long-range dummies may also make fingerprints harder to
|
padding or long-range dummies may also make fingerprints harder to
|
||||||
detect.\footnote{Note that
|
detect.\footnote{Note that
|
||||||
such fingerprinting should not be confused with the latency attacks
|
such fingerprinting should not be confused with the latency attacks
|
||||||
of \cite{back01}. Those require a fingerprint of the latencies of
|
of \cite{back01}. Those require a fingerprint of the latencies of
|
||||||
all circuits through the network, combined with those from the
|
all circuits through the network, combined with those from the
|
||||||
network edges to the targeted user and the responder website. While
|
network edges to the targeted user and the responder website. While
|
||||||
these are in principal feasible and surprises are always possible,
|
these are in principal feasible and surprises are always possible,
|
||||||
these constitute a much more complicated attack, and there is no
|
these constitute a much more complicated attack, and there is no
|
||||||
current evidence of their practicality.}
|
current evidence of their practicality.}
|
||||||
|
|
||||||
%\item \emph{Content analysis.} Tor explicitly provides no content
|
|
||||||
% rewriting for any protocol at a higher level than TCP. When
|
|
||||||
% protocol cleaners are available, however (as Privoxy is for HTTP),
|
|
||||||
% Tor can integrate them to address these attacks.
|
|
||||||
|
|
||||||
\end{tightlist}
|
|
||||||
|
|
||||||
\subsubsection*{Active attacks}
|
\subsubsection*{Active attacks}
|
||||||
\begin{tightlist}
|
|
||||||
\item \emph{Compromise keys.}
|
|
||||||
If a TLS session key is compromised, an attacker
|
|
||||||
can view all the cells on TLS connection until the key is
|
|
||||||
renegotiated. (These cells are themselves encrypted.) If a TLS
|
|
||||||
private key is compromised, the attacker can fool others into
|
|
||||||
thinking that he is the affected OR, but still cannot accept any
|
|
||||||
connections. \\
|
|
||||||
If a circuit session key is compromised, the
|
|
||||||
attacker can unwrap a single layer of encryption from the relay
|
|
||||||
cells traveling along that circuit. (Only nodes on the circuit can
|
|
||||||
see these cells.) If an onion private key is compromised, the attacker
|
|
||||||
can impersonate the OR in circuits, but only if the attacker has
|
|
||||||
also compromised the OR's TLS private key, or is running the
|
|
||||||
previous OR in the circuit. (This compromise affects newly created
|
|
||||||
circuits, but because of perfect forward secrecy, the attacker
|
|
||||||
cannot hijack old circuits without compromising their session keys.)
|
|
||||||
In any case, periodic key rotation limits the window of opportunity
|
|
||||||
for compromising these keys. \\
|
|
||||||
Only by
|
|
||||||
compromising a node's identity key can an attacker replace that
|
|
||||||
node indefinitely, by sending new forged descriptors to the
|
|
||||||
directory servers. Finally, an attacker who can compromise a
|
|
||||||
directory server's identity key can influence every client's view
|
|
||||||
of the network---but only to the degree made possible by gaining a
|
|
||||||
vote with the rest of the the directory servers.
|
|
||||||
|
|
||||||
\item \emph{Iterated compromise.} A roving adversary who can
|
\emph{Compromise keys.}
|
||||||
compromise ORs (by system intrusion, legal coersion, or extralegal
|
If a TLS session key is compromised, an attacker
|
||||||
coersion) could march down the circuit compromising the
|
can view all the cells on TLS connection until the key is
|
||||||
nodes until he reaches the end. Unless the adversary can complete
|
renegotiated. (These cells are themselves encrypted.) If a TLS
|
||||||
this attack within the lifetime of the circuit, however, the ORs
|
private key is compromised, the attacker can fool others into
|
||||||
will have discarded the necessary information before the attack can
|
thinking that he is the affected OR, but still cannot accept any
|
||||||
be completed. (Thanks to the perfect forward secrecy of session
|
connections. \\
|
||||||
keys, the attacker cannot force nodes to decrypt recorded
|
If a circuit session key is compromised, the
|
||||||
traffic once the circuits have been closed.) Additionally, building
|
attacker can unwrap a single layer of encryption from the relay
|
||||||
circuits that cross jurisdictions can make legal coercion
|
cells traveling along that circuit. (Only nodes on the circuit can
|
||||||
harder---this phenomenon is commonly called ``jurisdictional
|
see these cells.) If an onion private key is compromised, the attacker
|
||||||
arbitrage.'' The Java Anon Proxy project recently experienced the
|
can impersonate the OR in circuits, but only if the attacker has
|
||||||
need for this approach, when
|
also compromised the OR's TLS private key, or is running the
|
||||||
the German government successfully ordered them to add a backdoor to
|
previous OR in the circuit. (This compromise affects newly created
|
||||||
all of their nodes \cite{jap-backdoor}.
|
circuits, but because of perfect forward secrecy, the attacker
|
||||||
|
cannot hijack old circuits without compromising their session keys.)
|
||||||
\item \emph{Run a recipient.} By running a Web server, an adversary
|
In any case, periodic key rotation limits the window of opportunity
|
||||||
trivially learns the timing patterns of users connecting to it, and
|
for compromising these keys. \\
|
||||||
can introduce arbitrary patterns in its responses. This can greatly
|
Only by
|
||||||
facilitate end-to-end attacks: If the adversary can induce certain
|
compromising a node's identity key can an attacker replace that
|
||||||
users to connect to his webserver (perhaps by advertising
|
node indefinitely, by sending new forged descriptors to the
|
||||||
content targeted at those users), she now holds one end of their
|
directory servers. Finally, an attacker who can compromise a
|
||||||
connection. Additionally, there is a danger that the application
|
directory server's identity key can influence every client's view
|
||||||
protocols and associated programs can be induced to reveal
|
of the network---but only to the degree made possible by gaining a
|
||||||
information about the initiator. Tor does not aim to solve this problem;
|
vote with the rest of the the directory servers.
|
||||||
we depend on Privoxy and similar protocol cleaners.
|
|
||||||
|
|
||||||
\item \emph{Run an onion proxy.} It is expected that end users will
|
|
||||||
nearly always run their own local onion proxy. However, in some
|
|
||||||
settings, it may be necessary for the proxy to run
|
|
||||||
remotely---typically, in an institutional setting which wants
|
|
||||||
to monitor the activity of those connecting to the proxy.
|
|
||||||
Compromising an onion proxy means compromising all future connections
|
|
||||||
through it.
|
|
||||||
|
|
||||||
\item \emph{DoS non-observed nodes.} An observer who can observe some
|
\emph{Iterated compromise.} A roving adversary who can
|
||||||
of the Tor network can increase the value of this traffic analysis
|
compromise ORs (by system intrusion, legal coersion, or extralegal
|
||||||
by attacking non-observed nodes to shut them down, reduce
|
coersion) could march down the circuit compromising the
|
||||||
their reliability, or persuade users that they are not trustworthy.
|
nodes until he reaches the end. Unless the adversary can complete
|
||||||
The best defense here is robustness.
|
this attack within the lifetime of the circuit, however, the ORs
|
||||||
|
will have discarded the necessary information before the attack can
|
||||||
\item \emph{Run a hostile node.} In addition to the abilities of a
|
be completed. (Thanks to the perfect forward secrecy of session
|
||||||
local observer, an isolated hostile node can create circuits through
|
keys, the attacker cannot force nodes to decrypt recorded
|
||||||
itself, or alter traffic patterns, to affect traffic at
|
traffic once the circuits have been closed.) Additionally, building
|
||||||
other nodes. Its ability to directly DoS a neighbor is now limited
|
circuits that cross jurisdictions can make legal coercion
|
||||||
by bandwidth throttling. Nonetheless, in order to compromise the
|
harder---this phenomenon is commonly called ``jurisdictional
|
||||||
anonymity of the endpoints of a circuit by its observations, a
|
arbitrage.'' The Java Anon Proxy project recently experienced the
|
||||||
hostile node must be immediately adjacent to that endpoint.
|
need for this approach, when
|
||||||
|
the German government successfully ordered them to add a backdoor to
|
||||||
\item \emph{Run multiple hostile nodes.} If an adversary is able to
|
all of their nodes \cite{jap-backdoor}.
|
||||||
run multiple ORs, and is able to persuade the directory servers
|
|
||||||
that those ORs are trustworthy and independant, then occasionally
|
|
||||||
some user will choose one of those ORs for the start and another
|
|
||||||
as the end of a circuit. When this happens, the user's
|
|
||||||
anonymity is compromised for those streams. If an adversary can
|
|
||||||
control $m$ out of $N$ nodes, he should be able to correlate at most
|
|
||||||
$\left(\frac{m}{N}\right)^2$ of the traffic in this way---although an
|
|
||||||
adversary
|
|
||||||
could possibly attract a disproportionately large amount of traffic
|
|
||||||
by running an exit node with an unusually permissive exit policy.
|
|
||||||
|
|
||||||
\item \emph{Compromise entire path.} Anyone compromising both
|
\emph{Run a recipient.} By running a Web server, an adversary
|
||||||
endpoints of a circuit can confirm this with high probability. If
|
trivially learns the timing patterns of users connecting to it, and
|
||||||
the entire path is compromised, this becomes a certainty; however,
|
can introduce arbitrary patterns in its responses. This can greatly
|
||||||
the added benefit to the adversary of such an attack is small in
|
facilitate end-to-end attacks: If the adversary can induce certain
|
||||||
relation to the difficulty.
|
users to connect to his webserver (perhaps by advertising
|
||||||
|
content targeted at those users), she now holds one end of their
|
||||||
|
connection. Additionally, there is a danger that the application
|
||||||
|
protocols and associated programs can be induced to reveal
|
||||||
|
information about the initiator. Tor does not aim to solve this problem;
|
||||||
|
we depend on Privoxy and similar protocol cleaners.
|
||||||
|
|
||||||
\item \emph{Run a hostile directory server.} Directory servers control
|
\emph{Run an onion proxy.} It is expected that end users will
|
||||||
admission to the network. However, because the network directory
|
nearly always run their own local onion proxy. However, in some
|
||||||
must be signed by a majority of servers, the threat of a single
|
settings, it may be necessary for the proxy to run
|
||||||
hostile server is minimized.
|
remotely---typically, in an institutional setting which wants
|
||||||
|
to monitor the activity of those connecting to the proxy.
|
||||||
|
Compromising an onion proxy means compromising all future connections
|
||||||
|
through it.
|
||||||
|
|
||||||
|
\emph{DoS non-observed nodes.} An observer who can observe some
|
||||||
|
of the Tor network can increase the value of this traffic analysis
|
||||||
|
by attacking non-observed nodes to shut them down, reduce
|
||||||
|
their reliability, or persuade users that they are not trustworthy.
|
||||||
|
The best defense here is robustness.
|
||||||
|
|
||||||
\item \emph{Selectively DoS a Tor node.} As noted, neighbors are
|
\emph{Run a hostile node.} In addition to the abilities of a
|
||||||
bandwidth limited; however, it is possible to open up sufficient
|
local observer, an isolated hostile node can create circuits through
|
||||||
circuits that converge at a single onion router to
|
itself, or alter traffic patterns, to affect traffic at
|
||||||
overwhelm its network connection, its ability to process new
|
other nodes. Its ability to directly DoS a neighbor is now limited
|
||||||
circuits, or both.
|
by bandwidth throttling. Nonetheless, in order to compromise the
|
||||||
|
anonymity of the endpoints of a circuit by its observations, a
|
||||||
|
hostile node must be immediately adjacent to that endpoint.
|
||||||
|
|
||||||
|
\emph{Run multiple hostile nodes.} If an adversary is able to
|
||||||
|
run multiple ORs, and is able to persuade the directory servers
|
||||||
|
that those ORs are trustworthy and independant, then occasionally
|
||||||
|
some user will choose one of those ORs for the start and another
|
||||||
|
as the end of a circuit. When this happens, the user's
|
||||||
|
anonymity is compromised for those streams. If an adversary can
|
||||||
|
control $m$ out of $N$ nodes, he should be able to correlate at most
|
||||||
|
$\left(\frac{m}{N}\right)^2$ of the traffic in this way---although an
|
||||||
|
adversary
|
||||||
|
could possibly attract a disproportionately large amount of traffic
|
||||||
|
by running an exit node with an unusually permissive exit policy.
|
||||||
|
|
||||||
|
\emph{Compromise entire path.} Anyone compromising both
|
||||||
|
endpoints of a circuit can confirm this with high probability. If
|
||||||
|
the entire path is compromised, this becomes a certainty; however,
|
||||||
|
the added benefit to the adversary of such an attack is small in
|
||||||
|
relation to the difficulty.
|
||||||
|
|
||||||
|
\emph{Run a hostile directory server.} Directory servers control
|
||||||
|
admission to the network. However, because the network directory
|
||||||
|
must be signed by a majority of servers, the threat of a single
|
||||||
|
hostile server is minimized.
|
||||||
|
|
||||||
|
\emph{Selectively DoS a Tor node.} As noted, neighbors are
|
||||||
|
bandwidth limited; however, it is possible to open up sufficient
|
||||||
|
circuits that converge at a single onion router to
|
||||||
|
overwhelm its network connection, its ability to process new
|
||||||
|
circuits, or both.
|
||||||
% We aim to address something like this attack with our congestion
|
% We aim to address something like this attack with our congestion
|
||||||
% control algorithm.
|
% control algorithm.
|
||||||
|
|
||||||
\item \emph{Introduce timing into messages.} This is simply a stronger
|
\emph{Introduce timing into messages.} This is simply a stronger
|
||||||
version of passive timing attacks already discussed above.
|
version of passive timing attacks already discussed above.
|
||||||
|
|
||||||
\item \emph{Tagging attacks.} A hostile node could ``tag'' a
|
\emph{Tagging attacks.} A hostile node could ``tag'' a
|
||||||
cell by altering it. This would render it unreadable, but if the
|
cell by altering it. This would render it unreadable, but if the
|
||||||
stream is, for example, an unencrypted request to a Web site,
|
stream is, for example, an unencrypted request to a Web site,
|
||||||
the garbled content coming out at the appropriate time could confirm
|
the garbled content coming out at the appropriate time could confirm
|
||||||
the association. However, integrity checks on cells prevent
|
the association. However, integrity checks on cells prevent
|
||||||
this attack.
|
this attack.
|
||||||
|
|
||||||
\item \emph{Replace contents of unauthenticated protocols.} When
|
\emph{Replace contents of unauthenticated protocols.} When
|
||||||
relaying an unauthenticated protocol like HTTP, a hostile exit node
|
relaying an unauthenticated protocol like HTTP, a hostile exit node
|
||||||
can impersonate the target server. Thus, whenever possible, clients
|
can impersonate the target server. Thus, whenever possible, clients
|
||||||
should prefer protocols with end-to-end authentication.
|
should prefer protocols with end-to-end authentication.
|
||||||
|
|
||||||
\item \emph{Replay attacks.} Some anonymity protocols are vulnerable
|
\emph{Replay attacks.} Some anonymity protocols are vulnerable
|
||||||
to replay attacks. Tor is not; replaying one side of a handshake
|
to replay attacks. Tor is not; replaying one side of a handshake
|
||||||
will result in a different negotiated session key, and so the rest
|
will result in a different negotiated session key, and so the rest
|
||||||
of the recorded session can't be used.
|
of the recorded session can't be used.
|
||||||
% ``NonSSL Anonymizer''?
|
|
||||||
|
|
||||||
\item \emph{Smear attacks.} An attacker could use the Tor network to
|
\emph{Smear attacks.} An attacker could use the Tor network to
|
||||||
engage in socially dissapproved acts, so as to try to bring the
|
engage in socially dissapproved acts, so as to try to bring the
|
||||||
entire network into disrepute and get its operators to shut it down.
|
entire network into disrepute and get its operators to shut it down.
|
||||||
Exit policies can help reduce the possibilities for abuse, but
|
Exit policies can help reduce the possibilities for abuse, but
|
||||||
ultimately, the network will require volunteers who can tolerate
|
ultimately, the network will require volunteers who can tolerate
|
||||||
some political heat.
|
some political heat.
|
||||||
|
|
||||||
\item \emph{Distribute hostile code.} An attacker could trick users
|
\emph{Distribute hostile code.} An attacker could trick users
|
||||||
into running subverted Tor software that did not, in fact, anonymize
|
into running subverted Tor software that did not, in fact, anonymize
|
||||||
their connections---or worse, trick ORs into running weakened
|
their connections---or worse, trick ORs into running weakened
|
||||||
software that provided users with less anonymity. We address this
|
software that provided users with less anonymity. We address this
|
||||||
problem (but do not solve it completely) by signing all Tor releases
|
problem (but do not solve it completely) by signing all Tor releases
|
||||||
with an official public key, and including an entry in the directory
|
with an official public key, and including an entry in the directory
|
||||||
describing which versions are currently believed to be secure. To
|
describing which versions are currently believed to be secure. To
|
||||||
prevent an attacker from subverting the official release itself
|
prevent an attacker from subverting the official release itself
|
||||||
(through threats, bribery, or insider attacks), we provide all
|
(through threats, bribery, or insider attacks), we provide all
|
||||||
releases in source code form, encourage source audits, and
|
releases in source code form, encourage source audits, and
|
||||||
frequently warn our users never to trust any software (even from
|
frequently warn our users never to trust any software (even from
|
||||||
us!) that comes without source.
|
us!) that comes without source.
|
||||||
\end{tightlist}
|
|
||||||
|
|
||||||
\subsubsection*{Directory attacks}
|
\subsubsection*{Directory attacks}
|
||||||
\begin{tightlist}
|
|
||||||
\item \emph{Destroy directory servers.} If a few directory
|
|
||||||
servers drop out of operation, the others still arrive at a final
|
|
||||||
directory. So long as any directory servers remain in operation,
|
|
||||||
they will still broadcast their views of the network and generate a
|
|
||||||
consensus directory. (If more than half are destroyed, this
|
|
||||||
directory will not, however, have enough signatures for clients to
|
|
||||||
use it automatically; human intervention will be necessary for
|
|
||||||
clients to decide whether to trust the resulting directory, or continue
|
|
||||||
to use the old valid one.)
|
|
||||||
|
|
||||||
\item \emph{Subvert a directory server.} By taking over a directory
|
\emph{Destroy directory servers.} If a few directory
|
||||||
server, an attacker can influence (but not control) the final
|
servers drop out of operation, the others still arrive at a final
|
||||||
directory. Since ORs are included or excluded by majority vote,
|
directory. So long as any directory servers remain in operation,
|
||||||
the corrupt directory can at worst cast a tie-breaking vote to
|
they will still broadcast their views of the network and generate a
|
||||||
decide whether to include marginal ORs. How often such marginal
|
consensus directory. (If more than half are destroyed, this
|
||||||
cases will occur in practice, however, remains to be seen.
|
directory will not, however, have enough signatures for clients to
|
||||||
|
use it automatically; human intervention will be necessary for
|
||||||
|
clients to decide whether to trust the resulting directory, or continue
|
||||||
|
to use the old valid one.)
|
||||||
|
|
||||||
\item \emph{Subvert a majority of directory servers.} If the
|
\emph{Subvert a directory server.} By taking over a directory
|
||||||
adversary controls more than half of the directory servers, he can
|
server, an attacker can influence (but not control) the final
|
||||||
decide on a final directory, and thus can include as many
|
directory. Since ORs are included or excluded by majority vote,
|
||||||
compromised ORs in the final directory as he wishes. Other than
|
the corrupt directory can at worst cast a tie-breaking vote to
|
||||||
trying to ensure that directory server operators are truly
|
decide whether to include marginal ORs. How often such marginal
|
||||||
independent and resistant to attack, Tor does not address this
|
cases will occur in practice, however, remains to be seen.
|
||||||
possibility.
|
|
||||||
|
|
||||||
\item \emph{Encourage directory server dissent.} The directory
|
\emph{Subvert a majority of directory servers.} If the
|
||||||
agreement protocol requires that directory server operators agree on
|
adversary controls more than half of the directory servers, he can
|
||||||
the list of directory servers. An adversary who can persuade some
|
decide on a final directory, and thus can include as many
|
||||||
of the directory server operators to distrust one another could
|
compromised ORs in the final directory as he wishes. Other than
|
||||||
split the quorum into mutually hostile camps, thus partitioning
|
trying to ensure that directory server operators are truly
|
||||||
users based on which directory they used. Tor does not address
|
independent and resistant to attack, Tor does not address this
|
||||||
this attack.
|
possibility.
|
||||||
|
|
||||||
\item \emph{Trick the directory servers into listing a hostile OR.}
|
\emph{Encourage directory server dissent.} The directory
|
||||||
Our threat model explicitly assumes directory server operators will
|
agreement protocol requires that directory server operators agree on
|
||||||
be able to filter out most hostile ORs. If this is not true, an
|
the list of directory servers. An adversary who can persuade some
|
||||||
attacker can flood the directory with compromised servers.
|
of the directory server operators to distrust one another could
|
||||||
|
split the quorum into mutually hostile camps, thus partitioning
|
||||||
|
users based on which directory they used. Tor does not address
|
||||||
|
this attack.
|
||||||
|
|
||||||
\item \emph{Convince the directories that a malfunctioning OR is
|
\emph{Trick the directory servers into listing a hostile OR.}
|
||||||
working.} In the current Tor implementation, directory servers
|
Our threat model explicitly assumes directory server operators will
|
||||||
assume that if they can start a TLS connection to an an OR, that OR
|
be able to filter out most hostile ORs. If this is not true, an
|
||||||
must be running correctly. It would be easy for a hostile OR to
|
attacker can flood the directory with compromised servers.
|
||||||
subvert this test by only accepting TLS connections from ORs, and
|
|
||||||
ignoring all cells. Thus, directory servers must actively test ORs
|
\emph{Convince the directories that a malfunctioning OR is
|
||||||
by building circuits and streams as appropriate. The benefits and
|
working.} In the current Tor implementation, directory servers
|
||||||
hazards of a similar approach are discussed in \cite{mix-acc}.
|
assume that if they can start a TLS connection to an an OR, that OR
|
||||||
|
must be running correctly. It would be easy for a hostile OR to
|
||||||
|
subvert this test by only accepting TLS connections from ORs, and
|
||||||
|
ignoring all cells. Thus, directory servers must actively test ORs
|
||||||
|
by building circuits and streams as appropriate. The benefits and
|
||||||
|
hazards of a similar approach are discussed in \cite{mix-acc}.
|
||||||
|
|
||||||
\end{tightlist}
|
|
||||||
|
|
||||||
\subsubsection*{Attacks against rendezvous points}
|
\subsubsection*{Attacks against rendezvous points}
|
||||||
\begin{tightlist}
|
|
||||||
\item \emph{Make many introduction requests.} An attacker could
|
\emph{Make many introduction requests.} An attacker could
|
||||||
attempt to deny Bob service by flooding his Introduction Point with
|
attempt to deny Bob service by flooding his Introduction Point with
|
||||||
requests. Because the introduction point can block requests that
|
requests. Because the introduction point can block requests that
|
||||||
lack authentication tokens, however, Bob can restrict the volume of
|
lack authentication tokens, however, Bob can restrict the volume of
|
||||||
requests he receives, or require a certain amount of computation for
|
requests he receives, or require a certain amount of computation for
|
||||||
every request he receives.
|
every request he receives.
|
||||||
|
|
||||||
\item \emph{Attack an introduction point.} An attacker could try to
|
\emph{Attack an introduction point.} An attacker could try to
|
||||||
disrupt a location-hidden service by disabling its introduction
|
disrupt a location-hidden service by disabling its introduction
|
||||||
point. But because a service's identity is attached to its public
|
point. But because a service's identity is attached to its public
|
||||||
key, not its introduction point, the service can simply re-advertise
|
key, not its introduction point, the service can simply re-advertise
|
||||||
itself at a different introduction point.
|
itself at a different introduction point.
|
||||||
|
|
||||||
\item \emph{Attack multiple introduction points.} If an attacker is
|
|
||||||
able to disable all of the introduction points for a given service,
|
|
||||||
he can block access to the service. However, re-advertisement of
|
|
||||||
introduction points can still be done secretly so that only
|
|
||||||
high-priority clients know the address of the service's introduction
|
|
||||||
points. These selective secret authorizations can also be issued
|
|
||||||
during normal operation. Thus an attacker must disable
|
|
||||||
all possible introduction points.
|
|
||||||
|
|
||||||
\item \emph{Compromise an introduction point.} If an attacker controls
|
\emph{Attack multiple introduction points.} If an attacker is
|
||||||
an introduction point for a service, it can flood the service with
|
able to disable all of the introduction points for a given service,
|
||||||
introduction requests, or prevent valid introduction requests from
|
he can block access to the service. However, re-advertisement of
|
||||||
reaching the hidden server. The server will notice a flooding
|
introduction points can still be done secretly so that only
|
||||||
attempt if it receives many introduction requests. To notice
|
high-priority clients know the address of the service's introduction
|
||||||
blocking of valid requests, however, the hidden server should
|
points. These selective secret authorizations can also be issued
|
||||||
periodically test the introduction point by sending its introduction
|
during normal operation. Thus an attacker must disable
|
||||||
requests, and making sure it receives them.
|
all possible introduction points.
|
||||||
|
|
||||||
\item \emph{Compromise a rendezvous point.} Controlling a rendezvous
|
\emph{Compromise an introduction point.} If an attacker controls
|
||||||
point gains an attacker no more than controlling any other OR along
|
an introduction point for a service, it can flood the service with
|
||||||
a circuit, since all data passing along the rendezvous is protected
|
introduction requests, or prevent valid introduction requests from
|
||||||
by the session key shared by the client and server.
|
reaching the hidden server. The server will notice a flooding
|
||||||
|
attempt if it receives many introduction requests. To notice
|
||||||
|
blocking of valid requests, however, the hidden server should
|
||||||
|
periodically test the introduction point by sending its introduction
|
||||||
|
requests, and making sure it receives them.
|
||||||
|
|
||||||
\end{tightlist}
|
\emph{Compromise a rendezvous point.} Controlling a rendezvous
|
||||||
|
point gains an attacker no more than controlling any other OR along
|
||||||
|
a circuit, since all data passing along the rendezvous is protected
|
||||||
|
by the session key shared by the client and server.
|
||||||
|
|
||||||
\Section{Open Questions in Low-latency Anonymity}
|
\Section{Open Questions in Low-latency Anonymity}
|
||||||
\label{sec:maintaining-anonymity}
|
\label{sec:maintaining-anonymity}
|
||||||
|
|
@ -1901,57 +1888,61 @@ issues remaining to be ironed out. In particular:
|
||||||
% Many of these (Scalability, cover traffic, morphmix)
|
% Many of these (Scalability, cover traffic, morphmix)
|
||||||
% are duplicates from open problems.
|
% are duplicates from open problems.
|
||||||
%
|
%
|
||||||
\begin{tightlist}
|
|
||||||
\item \emph{Scalability:} Tor's emphasis on design simplicity and
|
\emph{Scalability:} Tor's emphasis on design simplicity and
|
||||||
deployability has led us to adopt a clique topology, a
|
deployability has led us to adopt a clique topology, a
|
||||||
semi-centralized model for directories and trusts, and a
|
semi-centralized model for directories and trusts, and a
|
||||||
full-network-visibility model for client knowledge. None of these
|
full-network-visibility model for client knowledge. None of these
|
||||||
properties will scale to more than a few hundred servers, at most.
|
properties will scale to more than a few hundred servers, at most.
|
||||||
Promising approaches to better scalability exist (see
|
Promising approaches to better scalability exist (see
|
||||||
Section~\ref{sec:maintaining-anonymity}), but more deployment
|
Section~\ref{sec:maintaining-anonymity}), but more deployment
|
||||||
experience would be helpful in learning the relative importance of
|
experience would be helpful in learning the relative importance of
|
||||||
these bottlenecks.
|
these bottlenecks.
|
||||||
\item \emph{Cover traffic:} Currently we avoid cover traffic because
|
|
||||||
of its clear costs in performance and bandwidth, and because its
|
\emph{Cover traffic:} Currently we avoid cover traffic because
|
||||||
security benefits are not well understood. With more research
|
of its clear costs in performance and bandwidth, and because its
|
||||||
\cite{SS03,defensive-dropping}, the price/value ratio may change,
|
security benefits are not well understood. With more research
|
||||||
both for link-level cover traffic and also long-range cover traffic.
|
\cite{SS03,defensive-dropping}, the price/value ratio may change,
|
||||||
\item \emph{Better directory distribution:} Even with the threshold
|
both for link-level cover traffic and also long-range cover traffic.
|
||||||
directory agreement algorithm described in Section~\ref{subsec:dirservers},
|
|
||||||
the directory servers are still trust bottlenecks. We must find more
|
\emph{Better directory distribution:} Even with the threshold
|
||||||
decentralized yet practical ways to distribute up-to-date snapshots of
|
directory agreement algorithm described in Section~\ref{subsec:dirservers},
|
||||||
network status without introducing new attacks. Also, directory
|
the directory servers are still trust bottlenecks. We must find more
|
||||||
retrieval presents a scaling problem, since clients currently
|
decentralized yet practical ways to distribute up-to-date snapshots of
|
||||||
download a description of the entire network state every 15
|
network status without introducing new attacks. Also, directory
|
||||||
minutes. As the state grows larger and clients more numerous, we
|
retrieval presents a scaling problem, since clients currently
|
||||||
may need to move to a solution in which clients only receive
|
download a description of the entire network state every 15
|
||||||
incremental updates to directory state, or where directories are
|
minutes. As the state grows larger and clients more numerous, we
|
||||||
cached at the ORs to avoid high loads on the directory servers.
|
may need to move to a solution in which clients only receive
|
||||||
|
incremental updates to directory state, or where directories are
|
||||||
|
cached at the ORs to avoid high loads on the directory servers.
|
||||||
% XXX this is a design paper, not an implementation paper. the design
|
% XXX this is a design paper, not an implementation paper. the design
|
||||||
% says that they're already cached at the ORs. Agree/disagree?
|
% says that they're already cached at the ORs. Agree/disagree?
|
||||||
% XXX Agree. -NM
|
% XXX Agree. -NM
|
||||||
\item \emph{Implementing location-hidden servers:} While
|
|
||||||
Section~\ref{sec:rendezvous} describes a design for rendezvous
|
\emph{Implementing location-hidden servers:} While
|
||||||
points and location-hidden servers, these features have not yet been
|
Section~\ref{sec:rendezvous} describes a design for rendezvous
|
||||||
implemented. While doing so we are likely to encounter additional
|
points and location-hidden servers, these features have not yet been
|
||||||
issues that must be resolved, both in terms of usability and anonymity.
|
implemented. While doing so we are likely to encounter additional
|
||||||
\item \emph{Further specification review:} Although we have a public,
|
issues that must be resolved, both in terms of usability and anonymity.
|
||||||
byte-level specification for the Tor protocols, this protocol has
|
|
||||||
not received extensive external review. We hope that as Tor
|
\emph{Further specification review:} Although we have a public,
|
||||||
becomes more widely deployed, more people will become interested in
|
byte-level specification for the Tor protocols, this protocol has
|
||||||
examining our specification.
|
not received extensive external review. We hope that as Tor
|
||||||
\item \emph{Wider-scale deployment:} The original goal of Tor was to
|
becomes more widely deployed, more people will become interested in
|
||||||
gain experience in deploying an anonymizing overlay network, and
|
examining our specification.
|
||||||
learn from having actual users. We are now at the point in design
|
|
||||||
and development where we can start deploying a wider network. Once
|
\emph{Wider-scale deployment:} The original goal of Tor was to
|
||||||
we have many actual users, we will doubtlessly be better
|
gain experience in deploying an anonymizing overlay network, and
|
||||||
able to evaluate some of our design decisions, including our
|
learn from having actual users. We are now at the point in design
|
||||||
robustness/latency trade-offs, our performance trade-offs (including
|
and development where we can start deploying a wider network. Once
|
||||||
cell size), our abuse-prevention mechanisms, and
|
we have many actual users, we will doubtlessly be better
|
||||||
our overall usability.
|
able to evaluate some of our design decisions, including our
|
||||||
|
robustness/latency trade-offs, our performance trade-offs (including
|
||||||
|
cell size), our abuse-prevention mechanisms, and
|
||||||
|
our overall usability.
|
||||||
% XXX large and small cells on same network.
|
% XXX large and small cells on same network.
|
||||||
% XXX work with morphmix spec
|
% XXX work with morphmix spec
|
||||||
\end{tightlist}
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue