aboutsummaryrefslogtreecommitdiff
path: root/doc/design-paper
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2006-11-20 13:00:16 +0000
committerRoger Dingledine <arma@torproject.org>2006-11-20 13:00:16 +0000
commit6120cb7d6427b1f2022a76d0b0f434dfd73a0b1f (patch)
treeb6ffd9b8993f05527d5183a1814448bb020a067a /doc/design-paper
parenta0ac8e03e4e12f01fb340223682cc5abdee3e2dc (diff)
downloadtor-6120cb7d6427b1f2022a76d0b0f434dfd73a0b1f.tar.gz
tor-6120cb7d6427b1f2022a76d0b0f434dfd73a0b1f.zip
fixes based on early feedback from the blocking paper
svn:r8968
Diffstat (limited to 'doc/design-paper')
-rw-r--r--doc/design-paper/blocking.pdfbin198914 -> 199671 bytes
-rw-r--r--doc/design-paper/blocking.tex49
-rw-r--r--doc/design-paper/tor-design.bib2
3 files changed, 29 insertions, 22 deletions
diff --git a/doc/design-paper/blocking.pdf b/doc/design-paper/blocking.pdf
index 7a24fbbc34..e5d38e4d75 100644
--- a/doc/design-paper/blocking.pdf
+++ b/doc/design-paper/blocking.pdf
Binary files differ
diff --git a/doc/design-paper/blocking.tex b/doc/design-paper/blocking.tex
index 208e7d816f..a6da81b959 100644
--- a/doc/design-paper/blocking.tex
+++ b/doc/design-paper/blocking.tex
@@ -5,7 +5,7 @@
\usepackage{epsfig}
\setlength{\textwidth}{6.0in}
-\setlength{\textheight}{8.4in}
+\setlength{\textheight}{8.5in}
\setlength{\topmargin}{.5cm}
\setlength{\oddsidemargin}{1cm}
\setlength{\evensidemargin}{1cm}
@@ -80,7 +80,7 @@ network from China each day.
The current Tor design is easy to block if the attacker controls Alice's
connection to the Tor network---by blocking the directory authorities,
by blocking all the server IP addresses in the directory, or by filtering
-based on the signature of the Tor TLS handshake. Here we describe an
+based on the fingerprint of the Tor TLS handshake. Here we describe an
extended design that builds upon the current Tor network to provide an
anonymizing
network that resists censorship as well as anonymity-breaking attacks.
@@ -125,7 +125,7 @@ understanding of the current situation around the world.
In the traditional security style, we aim to defeat a strong
attacker---if we can defend against this attacker, we inherit protection
against weaker attackers as well. After all, we want a general design
-that will work for citizens of China, Iran, Thailand, and other censored
+that will work for citizens of China, Thailand, and other censored
countries; for
whistleblowers in firewalled corporate networks; and for people in
unanticipated oppressive situations. In fact, by designing with
@@ -498,7 +498,9 @@ these proxies is questionable: it's widely believed that most of them
don't realize what they're offering, and probably wouldn't allow it if
they realized. Third, in many cases the connection to the proxy is
unencrypted, so firewalls that filter based on keywords in IP packets
-will not be hindered. And last, many users are suspicious that some
+will not be hindered. Fourth, in many countries (including China), the
+firewall authorities hunt for open proxies as well, to preemptively
+block them. And last, many users are suspicious that some
open proxies are a little \emph{too} convenient: are they run by the
adversary, in which case they get to monitor all the user's requests
just as single-hop proxies can?
@@ -562,7 +564,9 @@ Murdoch and Watson discovered that rather than blocking all packets in a TCP
streams once a forbidden word was noticed, the firewall was simply forging
RST packets to make the communicating parties believe that the connection was
closed~\cite{clayton:pet2006}. They proposed altering operating systems
-to ignore forged RST packets.
+to ignore forged RST packets. This approach might work in some cases, but
+in practice it appears that many firewalls start filtering by IP address
+once a sufficient number of RST packets have been sent.
Other packet-level responses to filtering include splitting
sensitive words across multiple TCP packets, so that the censors'
@@ -646,7 +650,7 @@ to get more relay addresses, and to distribute them to users differently.
%We need to address three problems:
%- adapting the relay component of Tor so it resists blocking better.
%- Discovery.
-%- Tor's network signature.
+%- Tor's network fingerprint.
%Here we describe the new pieces we need to add to the current Tor design.
@@ -770,8 +774,8 @@ out too much.
-\section{Hiding Tor's network signatures}
-\label{sec:network-signature}
+\section{Hiding Tor's network fingerprint}
+\label{sec:network-fingerprint}
\label{subsec:enclave-dirs}
Currently, Tor uses two protocols for its network communications. The
@@ -789,7 +793,8 @@ directory cache for an up-to-date copy of its server descriptor, and
learn its current circuit keys, its ORPort, and so on.
However, connecting directly to the directory cache involves a plaintext
-HTTP request. A censor could create a network signature for the request
+HTTP request. A censor could create a network fingerprint (known as a
+\emph{signature} in the intrusion detection field) for the request
and/or its response, thus preventing these connections. To resolve this
vulnerability, we've modified the Tor protocol so that users can connect
to the directory cache via the main Tor port---they establish a TLS
@@ -856,7 +861,7 @@ differently from, say, instant messaging.
% by Marc Liberatore and Brian Neil Levine (CCS 2006)
% They substantially flesh out the numbers for the web fingerprinting
% attack. -PS
-% Yes, but I meant detecting the signature of Tor traffic itself, not
+% Yes, but I meant detecting the fingerprint of Tor traffic itself, not
% learning what websites we're going to. I wouldn't be surprised to
% learn that these are related problems, but it's not obvious to me. -RD
@@ -1323,7 +1328,7 @@ but we should keep both sides of the issue in mind.
Tor encrypts traffic on the local network, and it obscures the eventual
destination of the communication, but it doesn't do much to obscure the
traffic volume. In particular, a user publishing a home video will have a
-different network signature than a user reading an online news article.
+different network fingerprint than a user reading an online news article.
Based on our assumption in Section~\ref{sec:adversary} that users who
publish material are in more danger, should we work to improve Tor's
security in this situation?
@@ -1334,7 +1339,7 @@ are known where the adversary observes the origin and the
destination of traffic and confirms that they are part of the
same communication~\cite{danezis:pet2004,e2e-traffic}. Related are
\emph{website fingerprinting attacks}, where the adversary downloads
-a few hundred popular websites, makes a set of "signatures" for each
+a few hundred popular websites, makes a set of "fingerprints" for each
site, and then observes the target Tor client's traffic to look for
a match~\cite{pet05-bissias,defensive-dropping}. But can we do better
against a limited adversary who just does coarse-grained sweeps looking
@@ -1545,7 +1550,7 @@ related attacks.) It would be nice to slow down this attack. It would
be even nicer to make it hard to learn whether we're a bridge without
first knowing some secret. We call this general property \emph{scanning
resistance}, and it goes along with normalizing Tor's TLS handshake and
-network signature.
+network fingerprint.
We could provide a password to the blocked user, and she (or her Tor
client) provides a nonced hash of this password when she connects. We'd
@@ -1555,13 +1560,13 @@ present the password until we've finished the TLS handshake, else it
would look unusual. If Alice can authenticate the bridge before she
tries to send her password, we can resist an adversary who pretends
to be the bridge and launches a man-in-the-middle attack to learn the
-password. But even if she can't, we resist against widespread scanning.
+password. But even if she can't, we still resist against widespread
+scanning.
-Another approach would be some kind of ID-based knocking protocol,
-where the bridge only answers after some predefined set of connections
-or interactions. The bridge could even act like an unconfigured HTTPS
-server (``welcome to the default Apache page'') if accessed without the
-correct authorization.
+How should the bridge behave if accessed without the correct
+authorization? Perhaps it should act like an unconfigured HTTPS server
+(``welcome to the default Apache page''), or maybe it should mirror
+and act like common websites, or websites randomly chosen from Google.
We might assume that the attacker can recognize HTTPS connections that
use self-signed certificates. (This process would be resource-intensive
@@ -1665,7 +1670,9 @@ website and leave mirrors and the network itself untouched.
Falling back on word-of-mouth is always a good last resort, but we should
also take steps to make sure it's relatively easy for users to get a copy,
such as publicizing the mirrors more and making copies available through
-other media.
+other media. We might also mirror the latest version of the software on
+each bridge, so users who hear about an honest bridge can get a good
+copy.
See Section~\ref{subsec:first-bridge} for more discussion.
\section{Future designs}
@@ -1699,7 +1706,7 @@ and they would be a fine target to take down the network.
\label{sec:conclusion}
Technical solutions won't solve the whole censorship problem. After all,
-the firewalls in places like China and Iran are \emph{socially} very
+the firewalls in places like China are \emph{socially} very
successful, even if technologies and tricks exist to get around them.
However, having a strong technical solution is still necessary as one
important piece of the puzzle.
diff --git a/doc/design-paper/tor-design.bib b/doc/design-paper/tor-design.bib
index b5a8dfb83b..cb8282c19b 100644
--- a/doc/design-paper/tor-design.bib
+++ b/doc/design-paper/tor-design.bib
@@ -1330,7 +1330,7 @@ Stefan Katzenbeisser and Fernando P\'{e}rez-Gonz\'{a}lez},
@InProceedings{chaum-blind,
author = {David Chaum},
title = {Blind Signatures for Untraceable Payments},
- booktitle = {Advances in Cryptology:Proceedings of Crypto 82},
+ booktitle = {Advances in Cryptology: Proceedings of Crypto 82},
pages = {199--203},
year = 1983,
editor = {D. Chaum and R.L. Rivest and A.T. Sherman},