Tor: Is it for You?
Author: 1746
Submitted: 13-Jul-2005 07:09:29
Imported From: zZine (original author: 1746)
Who needs privacy? Essentially, everyone does, and Tor is the way to do it. Let's examine what Tor is, what it does, and how it does it.
Introduction
Individuals need privacy for:
* Web browsing -- both from the remote website (so it can't track and sell your behavior), and similarly from your local ISP.
* Avoiding monitoring activities: if a local government doesn't approve of its citizens visiting certain websites, they may monitor the sites and put readers on a list of suspicious persons.
* Circumvention of local censorship: connecting to resources (news sites, instant messaging, etc.) that are restricted from your ISP/school/company/government.
* Socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.
Journalists and NGOs need safety for:
* Dissidents and whistleblowers to communicate more safely.
* Censorship-resistant publication, such as making news events available and accessing sites not permitted in some countries.
* Private, secure communication, such as filing reports.
Companies need business security for:
* Competitive analysis: browse the competition's website safely.
* Protecting collaborations of sensitive business units or partners.
* Protecting procurement suppliers or patterns.
* Putting the "P" back in "VPN": traditional VPNs reveal the exact amount and frequency of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research groups are communicating with your company's patent lawyers?
* Allowing workers to check back with the home website while they're in a foreign country without notifying everybody nearby that they're working with your organization.
Governments need traffic-analysis-resistant communication for:
* Open source intelligence gathering (hiding individual analysts is not enough -- the organization itself may be sensitive).
* Depth of defense on open and classified networks -- networks with a million users (even if they're all cleared) can't be made safe just by hardening them to external threat.
* Dynamic and semi-trusted international coalitions: the network can be shared without revealing the existence or amount of communication between all parties.
* Networks partially under known hostile control: to block communications, the enemy must take down the whole network.
* Politically sensitive negotiations.
* Road warriors.
* Protecting procurement patterns.
* Anonymous tips.
Law enforcement needs safety for:
* Allowing anonymous tips or crime reporting.
* Allowing agents to observe websites without notifying them that they're being observed (or, more broadly, without having it be an official visit from law enforcement).
* Surveillance and honeypots (sting operations).
Does the idea of sharing a network with all of these groups bother you? It shouldn't -- you need them for your security. (Extract from )
The Threat Model
First we build a threat model. Dealing with a global passive adversary that can monitor end-to-end is beyond the scope of this article: if the attacker can monitor end-to-end, they can confirm your traffic with a little work, although strong encryption can delay analysis of content. Essentially, you are compromised.
Our threat model is an attacker who may use traffic analysis to confirm who you are and who you are "talking" to. In this instance we assume an adversary who can observe some fraction of network traffic, and who can generate, modify, delete, or delay traffic.
Observing user traffic patterns: observing a user's connection will not reveal their destination or data, but it will reveal traffic patterns (both sent and received). Profiling via user connection patterns requires further processing, because multiple application streams may be operating simultaneously or in series over a single circuit.
Observing user content: while content may be encrypted, connections to responders may not be. Indeed, the responding website itself may be hostile and may attempt to analyse a connection request for identifying information including user's IP and any other information it can glean.
Briefly stated, we may need to be able to:
1. Secure the content from analysis
2. Secure the path from content interception
3. Secure the path from traffic analysis
4. Secure the path from traffic confirmation
To secure our content, there are any number of readily available freeware applications to filter content and anonymize the user's data stream, such as PGP encryption, Privoxy, Proxomitron, and any effective cookie management system. The user's individual needs should dictate their choice of applications. While most are user friendly, some have steep learning curves.
To secure our path, an oft-used solution is to filter content and use a one hop proxy that strips the origin before resending in order to hide the user's IP and obscure the path. However, it's vulnerable to backdoors, any serious traffic analysis and confirmation that can monitor ingoing and outgoing traffic, and moreover, users must trust the proxy. If the proxy is compromised, so are the users, and they may not be aware of it. Typically, finding this type of proxy server is difficult and often results in users placing their security in unknown hands.
An Alternative to the "One Hop Proxy": Tor
Tor research and development grew out of the Onion Project and has been funded by ONR and DARPA for use in securing government communications, and by the Electronic Frontier Foundation for use in maintaining civil liberties for ordinary citizens online. The Tor protocol is one of the leading choices for the anonymizing layer in the European Union's PRIME directive to help maintain privacy in Europe. The AN.ON project in Germany has integrated an independent implementation of the Tor protocol into their popular Java Anon Proxy anonymizing client.
Tor is a low latency anonymity design, which means it's fast enough for a variety of protocols, so the average net user can use most applications with only a small loss of speed. It uses SOCKS, and relies on having an application level proxy that can be configured to use it, such as Privoxy. Any number of filters can be added by the user in this way.
Users have reported using the Tor network for web browsing, FTP, IRC, AIM, SSH, and recipient-anonymous email via rendezvous points. It also provides location-hidden services; one user has anonymously set up a Wiki as a hidden service, where other users anonymously publish the addresses of their hidden services.
Tor provides perfect forward privacy: users can connect to Internet sites without revealing either their logical or physical locations to those sites or to any observers.
Tor servers can support authorized users without giving an effective vector for physical or online attackers, and can provide these protections even when a portion of its infrastructure is compromised. To connect to a remote server via Tor, the client software learns a signed list of Tor nodes from one of several central directory servers, and incrementally creates a private pathway, or circuit, of encrypted connections through authenticated Tor nodes on the network, negotiating a separate set of encryption keys for each hop along the circuit. The circuit is extended one node at a time, and each node along the way knows only the nodes immediately previous and following in the circuit, so no individual Tor node knows the complete path that each fixed-sized data packet (or cell) will take. Thus, neither an eavesdropper nor a compromised node can see both the connection's source and destination. Later requests use a new circuit, to complicate long-term linkability between different actions by a single user.
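The circuit mechanics described above, as an added toy model that is not the Tor project's code: three relays each hold one symmetric key for the circuit and know only their neighbours, the client wraps a fixed-size cell in one layer per hop, and the exit recognizes the cell because only it sees the inner digest match. The HMAC-based keystream and the random per-hop keys stand in for Tor's real AES-CTR cells and Diffie-Hellman handshake, and the relay names and HTTP payload are constructed.

```python
import hashlib
import hmac
import os

CELL_SIZE = 512   # Tor cells are fixed-size (512 bytes in the 2005 design)
TAG_LEN = 4       # digest inside the innermost layer; only the exit sees it match

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for Tor's per-hop AES-CTR: HMAC-SHA256 counter keystream XORed over data."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

class Relay:
    def __init__(self, name: str):
        self.name, self.circuits, self.seen = name, {}, []
    def attach(self, circ_id: int, key: bytes, next_relay):
        """Set at circuit extension: this hop learns its own key and its neighbour only."""
        self.circuits[circ_id] = (key, next_relay)
    def handle(self, circ_id: int, prev: str, cell: bytes) -> bytes:
        key, nxt = self.circuits[circ_id]
        self.seen.append((prev, nxt.name if nxt else None))  # all this hop can observe
        inner = stream_xor(key, cell)                          # peel exactly one layer
        tag, body = inner[:TAG_LEN], inner[TAG_LEN:]
        if hmac.compare_digest(tag, hashlib.sha256(body).digest()[:TAG_LEN]):
            n = int.from_bytes(body[:2], "big")   # digest matches: we are the exit hop
            return body[2:2 + n]
        return nxt.handle(circ_id, self.name, inner)  # still encrypted for a later hop

class Client:
    def __init__(self, path):
        self.path, self.circ_id, self.keys = path, 1, []
        for i, relay in enumerate(path):   # extend the circuit one hop at a time
            key = os.urandom(32)           # stand-in for the per-hop DH key negotiation
            relay.attach(self.circ_id, key, path[i + 1] if i + 1 < len(path) else None)
            self.keys.append(key)
    def send(self, payload: bytes) -> bytes:
        body = len(payload).to_bytes(2, "big") + payload
        body += b"\0" * (CELL_SIZE - TAG_LEN - len(body))       # pad to the fixed cell size
        cell = hashlib.sha256(body).digest()[:TAG_LEN] + body
        for key in reversed(self.keys):   # exit layer innermost, guard layer outermost
            cell = stream_xor(key, cell)
        return self.path[0].handle(self.circ_id, "client", cell)

def run_demo():
    """Constructed 3-hop circuit; returns the exit's view of the payload and each hop's view."""
    guard, middle, exit_ = Relay("guard"), Relay("middle"), Relay("exit")
    got = Client([guard, middle, exit_]).send(b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    return got, guard.seen, middle.seen, exit_.seen
```

Inspecting `seen` after `run_demo()` shows the point of the design: the guard sees the client but never the payload or destination, and the exit sees the payload but only the middle relay as its peer.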
Tor also helps servers hide their locations while providing services such as web publishing or instant messaging. Using rendezvous points, other Tor users can connect to these authenticated hidden services, neither one learning the other's network identity.
Tor attempts to anonymize the transport layer, not the application layer. This approach is useful for applications such as SSH where authenticated communication is desired. However, when anonymity from those with whom we communicate is desired, application protocols that include personally identifying information need additional application-level scrubbing proxies, such as Privoxy for HTTP.
Furthermore, Tor does not relay arbitrary IP packets; it only anonymizes TCP streams and DNS requests. Most node operators do not want to allow arbitrary TCP traffic. To address this, Tor provides exit policies so each exit node can block the IP addresses and ports it is unwilling to allow. Tor nodes advertise their exit policies to the directory servers, so that clients can tell which nodes will support their connections.
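An added example (not Tor's own code) of how a client can use advertised exit policies to pick nodes for a given destination and port: rules are matched in order and the first match wins. The directory entries and addresses are constructed; the CIDR and port-range syntax follows Tor's configuration documentation rather than this article, and a default of accept when no rule matches is an assumption, which is why each sample policy ends with an explicit catch-all rule.

```python
import ipaddress

class ExitRule:
    """One exit-policy line such as 'reject 10.0.0.0/8:*' or 'accept *:80-443'."""
    def __init__(self, line: str):
        action, _, target = line.strip().partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"bad action in exit policy line: {line!r}")
        self.accept = action == "accept"
        addr, _, ports = target.rpartition(":")       # rpartition keeps IPv6 colons intact
        self.net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            self.lo, self.hi = 1, 65535
        else:
            lo, _, hi = ports.partition("-")
            self.lo, self.hi = int(lo), int(hi or lo)

    def matches(self, ip: str, port: int) -> bool:
        in_net = self.net is None or ipaddress.ip_address(ip) in self.net
        return in_net and self.lo <= port <= self.hi

class ExitPolicy:
    def __init__(self, text: str):
        self.rules = [ExitRule(l) for l in text.splitlines() if l.strip()]

    def allows(self, ip: str, port: int) -> bool:
        # First matching rule decides. Assumed default when nothing matches: accept,
        # so a policy should end with an explicit 'reject *:*' or 'accept *:*'.
        for rule in self.rules:
            if rule.matches(ip, port):
                return rule.accept
        return True

def usable_exits(directory: dict, ip: str, port: int) -> list:
    """Client-side selection: keep only nodes whose advertised policy admits the stream."""
    return sorted(name for name, pol in directory.items() if pol.allows(ip, port))

# Constructed sample directory entries (not real Tor nodes); names are placeholders.
DIRECTORY = {
    "relayA": ExitPolicy("reject *:25\naccept *:80\naccept *:443\nreject *:*"),  # web-only exit
    "relayB": ExitPolicy("reject 10.0.0.0/8:*\nreject *:25\naccept *:*"),       # open exit, no SMTP
    "relayC": ExitPolicy("reject *:*"),                                          # middle-only node
}
```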
As of January 2005, the Tor network had grown to around a hundred nodes on four continents, with a total capacity exceeding 1Gbit/s. The network is now sufficiently diverse for further development and testing and encourages new nodes to join. If you have any bandwidth to spare please consider becoming a Tor node.
Distributed Trust
In practice, Tor's threat model is based on dispersal and diversity. The defense lies in having a diverse enough set of nodes to prevent most real-world adversaries from being in the right places to attack users by distributing each transaction over several nodes in the network. This distributed trust approach means the Tor network can be safely operated and used by a wide variety of mutually distrustful users, providing sustainability and security.
No organization can achieve this security on its own. If a single corporation or government agency were to build a private network to protect its operations, any connections entering or leaving that network would be obviously linkable to the controlling organization. The members and operations of that agency would be easier, not harder, to distinguish. Instead, to protect Tor networks from traffic analysis, they collaboratively blend the traffic from many organizations and private citizens, so that an eavesdropper can't tell which users are which, and who is looking for what information.
The Tor network has a broad range of users, including ordinary citizens concerned about their privacy, corporations who don't want to reveal information to their competitors, and law enforcement and government intelligence agencies who need to do operations on the Internet without being noticed. If most participating providers are reliable, Tor tolerates some hostile infiltration of the network. For maximum protection, the Tor design includes an enclave approach that lets data be encrypted (and authenticated) end-to-end, so high-sensitivity users can be sure it hasn't been read or modified. This even works for Internet services that don't have built-in encryption and authentication, such as unencrypted HTTP or chat, and it requires no modification of those services.
The Tor client and server software is free and available for a variety of platforms. If this sounds like a good solution to your privacy concerns, I suggest visiting the Tor site at http://tor.eff.org/index.html. They provide an in-depth look at a number of things I have only briefly touched upon, such as vulnerability assessment, methods of encryption and the direction of future development.
Sources:
http://tor.eff.org/cvs/tor/doc/design-paper/challenges.pdf
http://tor.eff.org/cvs/tor/doc/tor-doc.html
1746
This article was originally published by CyberArmy.net in the CyberArmy Library.