Silk Road forums
Discussion => Security => Topic started by: kmfkewm on February 06, 2013, 09:46 am
-
C = compromised node
g = good node
x = either/or
any single circuit is good so long as it is not
C <-> x <-> C
Tor client keeps half a dozen to a dozen or so circuits open
C <-> g <-> g
g <-> C <-> g
g <-> g <-> C
g <-> g <-> g
g <-> C <-> g
g <-> g <-> C
by default the currently active circuit changes approximately once every ten minutes, other circuits are kept open to avoid delay of circuit construction when switching active circuit
none of the open circuits presented are bad as none fall into the
C <-> x <-> C
pattern
on exit Tor client sends close circuit packet down all circuits from entry to exit, informing nodes to shut down the open circuit
assume active circuit is
client <-> g <-> g <-> C <-> destination
C can see client destination but not the client as entry and middle are good
on shut down packet is sent down all circuits, including
Client -> C -> g -> g -> Nil
Client -> g -> C -> g -> Nil
Client -> g -> g -> C (<->) Destination server
timing attack on circuit shut down packet can probably be used to link traffic across multiple circuits, thus deanonymizing client traffic that exited from
g <-> g <-> C, even though none of the individual circuits are compromised circuits.
-
essentially what this means is that when you exit Tor, it is probably not correct to look at individual circuits, but rather positions across circuits. Imagine that each attacker controlled node is a 1 and each good node is a 0. Normally any circuit other than 1x1 means that you are fine, but when you close out of Tor it is like each of the positions on each of the circuits bitwise or with the nodes on your other open circuits at the same position.
001
000
100
000
000
001
|=____
101 == compromised (exit traffic from circuits in pattern xx1 is linkable to you)
this attack can also be used to break circuit isolation. Assume all letters are good nodes other than A which is attacker controlled node.
BCA
DEA
FGA
now you should already know that the controller of node A is capable of determining all of your exit traffic, but they can not trace you as the middle and entry nodes are good. However it is generally thought that the controller of node A is incapable of determining that traffic from node E C and G originates from the same entity, and thus there is per circuit traffic isolation. Well, on exit timing attack of circuit shut down packet probably can be used to link all three circuits together, and thus link all exit traffic from these circuits together to the same entity, breaking circuit exit traffic isolation.
-
Nice kmf, always good to read your technical posts.
I am a little confused though. In the next scheme :
"
001
000
100
000
000
001
|=____
101 == compromised (exit traffic from circuits in pattern xx1 is linkable to you)"
One of those compromised nodes will know it's an exit node, but the other one how does he know he's an entry node and not a middle node? As far as I know a relay has no knowledge if you originated the data or you just passed them to him, right?
Did you put 2 compromised entry nodes for that reason, to narrow it down?
Also does this apply to both clearnet and hidden service traffic?
Thanks
-
Nice kmf, always good to read your technical posts.
I am a little confused though. In the next scheme :
"
001
000
100
000
000
001
|=____
101 == compromised (exit traffic from circuits in pattern xx1 is linkable to you)"
One of those compromised nodes will know it's an exit node, but the other one how does he know he's an entry node and not a middle node? As far as I know a relay has no knowledge if you originated the data or you just passed them to him, right?
Did you put 2 compromised entry nodes for that reason, to narrow it down?
Also does this apply to both clearnet and hidden service traffic?
Thanks
Middle nodes know they are not exit nodes, that leaves them as either middle or entry nodes. Middle nodes only get connections from Tor relays and bridges, Entry nodes only get incoming connections from clients. A node operator who knows they are not an exit node could get connections from Tor relays, clients or bridges. If they are getting a connection from a Tor relay they know they are a middle node. If they get a connection that isn't from a Tor relay it could be from a client or a bridge. They can try to use the connecting party as a bridge to confirm if it is one, if the connecting party acts as a bridge then they know they are a middle node and if it doesn't then they know they are an entry node.
Or they could just count the number of extend cells they have forwarded on. If they forwarded two extend cells they are an entry, if one they are a middle node.
I am not sure if it applies to hidden service connections, I don't know if circuit shut down cells will end up being forwarded all the way up to the hidden services entry node or if they will stop at the clients exit node. If they are forwarded all the way to the hidden services entry nodes then it would work against hidden services as well.
C = client
H = Hidden Service
M = Malicious Node
G = Good Node
(open unused circuit)
Client <-> CM <-> CG <-> CG
(active circuit to hidden service)
Client <-> CG <-> CG <-> CG <-> HG <-> HG <-> HM <-> Hidden Service
if the circuit tear down cell goes all the way out to HM, which it PROBABLY does actually since hidden services make a new circuit per client and there would be no point in keeping the hidden services circuit up after the clients circuit is torn down (but I am not positive I will look into it more), then if the client exits Tor while the connection to the hidden service is still active, the attacker who owns CM and HM will see a shut down circuit packet at CM and then shortly after they will see a shut down packet at HM. All the current research I have read points to a single packet being enough to utilize a timing attack, and thus I believe that this attacker could probably link the client to the hidden services IP address. Of course the attacker in this scenario will need to additionally identify the hidden services IP address, but as they are one of its entry guards they could just send the .onion address of interest a watermarked stream and wait to see if they observe themselves relaying that stream back to the hidden service they are an entry guard for.
-
Middle nodes know they are not exit nodes, that leaves them as either middle or entry nodes. Middle nodes only get connections from Tor relays and bridges, Entry nodes only get incoming connections from clients. A node operator who knows they are not an exit node could get connections from Tor relays, clients or bridges. If they are getting a connection from a Tor relay they know they are a middle node. If they get a connection that isn't from a Tor relay it could be from a client or a bridge. They can try to use the connecting party as a bridge to confirm if it is one, if the connecting party acts as a bridge then they know they are a middle node and if it doesn't then they know they are an entry node.
I knew I was missing something, I get it now. Interesting thoughts.
Like most threats it comes down to how many compromised nodes there are in the network and the possibility to use some of them.
Is there a board where people discuss such threats with the developers?
-
problem is that it is much more likely that two of your open circuits will fall into patterns
GGC and CGG
than it is that an individual circuit will fall into pattern
CGC
Tor devs are aware of this attack, they are going to research it further. One possible solution is to apply the circuit construction rules to ALL circuits rather than to individual circuits. Already you cannot use the same node at two positions on two different circuits, or two nodes from the same family on the same circuit for that matter. That said there are no rules regarding node selection across multiple circuits, and it is not rare to find that you have open circuits in the following pattern:
GFG
GGF
or even more worrying,
FGG
GFG
GGF
Where F == a node that is either the same node, or from the same family of nodes.
-
Interesting attack.
Clients send most of their circuits through high bandwidth nodes, which maintain hundreds to thousands of simultaneous connections. So, what is the circuit close frequency on those nodes? If it is at least once per second, then a timing attack probably would not be effective. This also requires that your entry guard is pwned, and you cycle through them very slowly.
-
Interesting attack.
Clients send most of their circuits through high bandwidth nodes, which maintain hundreds to thousands of simultaneous connections. So, what is the circuit close frequency on those nodes? If it is at least once per second, then a timing attack probably would not be effective. This also requires that your entry guard is pwned, and you cycle through them very slowly.
It doesn't require your entry guard to be pwnt for an attacker to enumerate your entry guards, although it does require a pwnt entry guard for it to be used to link a client to their destination. As far as I am aware, the current research shows that a single packet is enough to link two parts of an observed stream together. There are millions of packets going across the Tor network at any given time but this does not prevent an attacker who can see only two packets from linking them together. For this reason I highly doubt that noise of other users exiting Tor will be enough to protect from this attack. Also it doesn't require compromised entry or middle node if it is used to compromise circuit isolation for exit traffic linking.
-
It doesn't require your entry guard to be pwnt for an attacker to enumerate your entry guards, although it does require a pwnt entry guard for it to be used to link a client to their destination.
Right, that's the main thing to worry about.
How about this as a mitigation strategy: never close your client with circuits open to sensitive web sites. After you are done browsing sensitive web sites, do some mundane browsing for 15 minutes, then close your client. The attacker may be able to identity you, but you will be uninteresting.
-
It does not matter if the circuit is still active , only that it is still open. So not closing out of Tor until the circuit used to exit to a sensitive site is no longer active will not help. Although perhaps you could manually close such circuits, surf for fifteen minutes, and then exit Tor.
-
What does this mean for the future of sr. Can this be fixed
-
What does this mean for the future of sr. Can this be fixed
Not much and yes.
-
Don't close the circuits, just pull the Ethernet cable when your done surfing controversial web sites.