0 valutazioniIl 0% ha trovato utile questo documento (0 voti)
35 visualizzazioni5 pagine
TOR-The Onion Router, is a low-latency anonymouscommunication
overlay network, based on Onion Routing. Tor
aims to resist observers and insiders by distributing each
transaction over several nodes in the network. To prevent the
traffic analysis attack, Tor packs application data into equalsized
cells. In masquerading attack, at the malicious exit onion
router, the attacker can embed a secret signal generated using
KBRP. The embedded signal will be carried along with the target
traffic and arrive at the malicious entry onion router. Then, an
accomplice of the attacker at the malicious entry onion router
will detect the embedded signal based on the received cells and
confirm the communication relationship among users.
TOR-The Onion Router, is a low-latency anonymouscommunication
overlay network, based on Onion Routing. Tor
aims to resist observers and insiders by distributing each
transaction over several nodes in the network. To prevent the
traffic analysis attack, Tor packs application data into equalsized
cells. In masquerading attack, at the malicious exit onion
router, the attacker can embed a secret signal generated using
KBRP. The embedded signal will be carried along with the target
traffic and arrive at the malicious entry onion router. Then, an
accomplice of the attacker at the malicious entry onion router
will detect the embedded signal based on the received cells and
confirm the communication relationship among users.
TOR-The Onion Router, is a low-latency anonymouscommunication
overlay network, based on Onion Routing. Tor
aims to resist observers and insiders by distributing each
transaction over several nodes in the network. To prevent the
traffic analysis attack, Tor packs application data into equalsized
cells. In masquerading attack, at the malicious exit onion
router, the attacker can embed a secret signal generated using
KBRP. The embedded signal will be carried along with the target
traffic and arrive at the malicious entry onion router. Then, an
accomplice of the attacker at the malicious entry onion router
will detect the embedded signal based on the received cells and
confirm the communication relationship among users.
Masquerading Attack To Break Tors Anonymity Deepa S.V, M.Tech Computer Science and Engg. Calicut University,Kerala,India.
AbstractTOR-The Onion Router, is a low-latency anonymous- communication overlay network, based on Onion Routing. Tor aims to resist observers and insiders by distributing each transaction over several nodes in the network. To prevent the traffic analysis attack, Tor packs application data into equal- sized cells. In masquerading attack, at the malicious exit onion router, the attacker can embed a secret signal generated using KBRP. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users.
Keywords Tor, Anonymity. I. INTRODUCTION There has been extensive research work done on attacks degrading anonymous communication through Tor. Most existing approaches are based on traffic analysis [1]. These traffic analysis attacks can be categorized into two groups: passive traffic analysis and active watermarking techniques. Passive traffic analysis technique will record the traffic passively and identify the correlation between senders outbound traffic and receivers inbound traffic based on statistical measures. This type of technique requires a relatively long period of traffic observation for a reasonable detection rate. Active watermarking technique can reduce attack lasting time, improve attack success rate and has recently received more attention. The idea is to actively introduce special signals (or marks) into the senders outbound traffic with the intention of recognizing the embedded signal at the receivers inbound traffic. However, in order to accurately confirm the anonymous communication relationship of users, the flow-marking scheme needs to embed a signal modulated by a relatively long length of PN code, and also the signal is embedded into the traffic flow rate variation. Their approach records the traffic timing of the incoming flows and correlates them with the outgoing flows. II. BACKGROUND This section first present Tor network components and then review the existing cell counting based attack against Tor.
A. Components of Tor network Tor is a real-world, circuit-based low-latency anonymous communication network. It is an open source project and provides anonymity service for TCP applications[1]. As shown in Figure 1, it has the following four basic components. Alice (i.e. Client) runs a local software called onion proxy(OP) to anonymize the client data into Tor. Bob (i.e. Server) runs TCP applications such as a web service and anonymously communicates with Alice over Tor. Onion routers (OR) are special proxies that relay the application data between Alice and Bob. By default, client uses three ORs to relay their data. Denote these three ORs as entry router (OR1), middle router (OR2) and exit router (OR3), respectively. In Tor, Transport Layer Security (TLS) connections are used for the overlay link encryption between two onion routers. The application data is packed into equal-sized cells (512 bytes as shown in Figure 2) transmitted through TLS connections. Directory servers hold onion router information such as public keys for onion routers. Directory authorities hold authoritative information on onion routers and directory caches the downloaded directory information of onion routers from authorities. Figure 2 illustrates Tors cell format. Figure 2 illustrates Tors cell format. All cells have a three bytes header, which is not encrypted so that the intermediate onion router can see this header. The other 509 bytes are encrypted in the onion-like fashion. There are two types of cells: control cell shown in Figure 2(a) and relay cell shown in Figure 2(b).
B. Selecting a Path and Creating a Circuit In order to anonymously communicate with applications, i.e., browsing a web server, a client uses a way of source routing and chooses a series of onion routers from the locally cached directory, downloaded from the directory caches. We denote the series of onion routers as the path through Tor. The number of onion routers is referred to as the path length. We use the default path length of 3 as an example in Figure 1 to illustrate how the path is chosen. The client first chooses an appropriate exit onion router OR3, which should have an exit policy supporting the relay of the TCP stream from the sender. Then, the client chooses an appropriate entry onion router OR1 and a middle onion router OR2. International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013
Once the path is chosen, the client initiates the procedure of creating a circuit over the path incrementally, one hop at a time. Figure 3 illustrates the procedure of creating a circuit when the path has a default length of 3. Tor uses TLS/SSLv3 for link authentication and encryption In Figure 3, OP first sets up a TLS connection with OR1 using the TLS protocol. Then, tunneling through this connection, OP sends a CELL CREATE cell and uses the Diffie-Hellman (DH) handshake protocol to negotiate a base key with OR, which responds with a CELL CREATED cell. From this base key material, a forward symmetric key and a backward symmetric key are produced. In this way, a one-hop circuit C1 is created.
Fig. 1. Tor Network
To extend the circuit one hop further, the OP sends to OR1 a RELAY COMMAND EXTEND cell, specifying the address of the next onion router, i.e., OR2 in Figure 3. This RELAY COMMAND EXTEND cell is encrypted by AES in the counter mode (AES-CTR) with kf1. Once OR1 receives this cell, it decrypts the cell and negotiates secret keys with OR2 using the DH handshake protocol. Therefore, a second segment C2 of the 2-hop circuit is created. OR1 sends OP a RELAY COMMAND EXTENDED cell, which holds information for OP generating the shared secret keys: forward key and backward key, with OR2. This RELAY COMMAND EXTENDED cell is encrypted by AES-CTR with key. OP will decrypt the RELAYCOMMAND EXTENDED cell and use the information to create the corresponding keys. Encryption of later cells by these secret keys uses AES-CTR as well.
Fig. 1 Cell format
In summary, OP negotiates secret keys with the three onion routers one by one and consequently creates a circuit along the path3. With the exception that the connection from the exit onion router to the server is not link encrypted, other connections along the path are all protected by TLS within Tor. That is, cells encrypted in the onion-like fashion are protected by link encryption. In the description above, we simply use a circuit of path length 3 as an example and a circuit of path length greater than 3 can be set up in a similar manner. C. Transmitting Tcp Streams To transmit data to Bob, Alices application (such as web browser) first contacts the OP, which is implemented as a SOCKS proxy locally. The OP learns the destination IP address and port. OP sends a RELAY COMMAND BEGIN cell to the exit onion router OR3, and the cell is encrypted as {{{Begin < IP,Port >}kf3 }kf2 }kf1 , where the subscript refers to the key used for encryption of one onion skin. The three layers of onion skin are removed one by one each time the cell traverses an onion router through the circuit. When Alices application finishes the data transmission, the connection from Alices application to the OP will be released. As shown in Figure 4, after 5 bytes of data Hello in a RELAY COMMAND DATA cell is transmitted, Alices application releases the connection to OP.
Fig. 3. Tor Circuit Creation When OR3 removes the last onion skin by decryption, it recognizes that the request intends to open a TCP stream to a port at the destination IP, which belongs to Bob. Therefore, OR3 acts as a proxy, sets up a TCP connection with Bob, and sends a RELAY COMMAND CONNECTED cell back to Alices OP. The OP then accepts data from Alices application, packs it into relay cells with the Relay Command of RELAY COMMAND DATA and transmits it to Bob through the circuit. The whole process is transparent to Alice, who only needs to configure the application to use the OP. OP then sends a RELAY COMMAND END cell to OR3 and OR3 finally releases the connection to Bob. In this way, the circuit of path over Tor will be released completely. III. BASIC IDEA OF MASQUERADING ATTACK An attacker at the exit onion router first selects the target traffic flow between Alice and Bob. The attacker then selects a random signal (e.g., a sequence of binary bits), chooses an International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013
appropriate time, and changes the cell count of target traffic based on the selected random signal. In this way, the attacker is able to embed a signal into the target traffic from Bob. The signal will be carried along with the target traffic to the entry onion router connecting to Alice. An accomplice of the attacker at the entry onion router will record the variation of the received cells and recognize the embedded signal. If the same pattern of the signal is recognized, the attacker confirms the communication relationship between Alice and Bob.
Fig. 4. TCP Connection Creation and Data Transmission on Tor 1.Selecting the Target: At a malicious exit onion router connected to the server Bob, the attacker will log the information, including server Bobs host IP address and port used for a given circuit, as well as the circuit ID. The attacker uses CELL_RELAY_DATA cells since those cells transmit the data stream. According to the description of Tor the attacker is able to obtain the first cell backward to the client, which is a CELL_CREATED cell and is used to negotiate a symmetric key with the middle onion router. The second cell backward to the client will be a CELL_RELAY_CONNECTED cell. All sequential cells will be CELL_RELAY_DATA cell, and the attacker starts the encoding process shown in Step 2. 2.Encoding the Signal: The CELL_RELAY_DATA cells will be waiting in the circuit queue of the onion router until the write event is called. Then, the cells in the circuit queue are all flushed into the output buffer. Hence, the attacker can benefit from this and manipulate the number of cells flushed to the output buffer all together. In this way, the attacker can embed a secret signal (a sequence of binary bits, i.e., 10101) into the variation of the cell count during a short period in the target traffic. Particularly, in order to encode bit 1, the attacker flushes three cells from the circuit queue. In order to encode bit 0, the attacker flushes only one cell from the circuit queue. In order to accurately manipulate the number of the cells to be flushed, the attacker needs to count the number of cells in the circuit queue. Once the number of the cells is adequate (i.e,, three cells for encoding 1 bit of the signal, and one cell for 0 bit of the signal), the attacker calls the circuit write event promptly and all the cells are flushed to the output buffer immediately. Unfortunately, due to the network congestion and delay, the cells may be combined or separated at the middle onion routers, or the network link between the onion routers. 3.Recording Packets: After the signal is embedded in the target traffic in Step 2, it will be transmitted to the entry onion router along with the target traffic. An accomplice of the attacker at the entry onion router will record the received cells and related information, including Alices host IP address and port used for a given circuit, as well as the circuit ID. Since the signal is embedded in the variation of the cell count for CELL_RELAY_DATA cells, an accomplice of the attacker at the entry onion router needs to determine whether the received cells are CELL_RELAY_DATA cells. This can be done through a way similar to the one in Step 1.We know that the first two cells that arrive at the entry onion router are CELL_RELAY_EXTENDED cells, and the third one is a CELL_RELAY_CONNECTED cell. After these three cells, all cells are a CELL_RELAY_DATA cell. Therefore, starting from this point, the attacker records the cells arriving at the circuit queue. 4: Recognizing the Embedded Signal: With recorded cells, the attacker enters the phase of recognizing the embedded signal. Once the original signal is identified, the entry onion router knows Alices host IP address, and the exit onion router knows Bobs host IP address of the TCP stream. Therefore, the attacker can link the communication relationship between Alice and Bob. As mentioned earlier, when the signal is transmitted through Tor, it will be distorted because of network delay and congestion. For example, when the chunks of three cells for encoding bit 1 arrive at the middle onion router, the first cell will be flushed to the output buffer promptly if there is no data in the output buffer. The subsequent two cells are queued in the circuit queue. When the write event is called, the first cell is sent to the network, while the subsequent two cells are flushed into the output buffer. Therefore, the chunks of the three cells for carrying bit 1 may be split into two portions. The first portion contains the first cell, and the second portion contains the second and third cell together. Therefore, attention must be paid to take these into account to recognize a signal bit. Due to the network congestion and delay, the cells may be combined or separated at the middle onion routers, or the network link between the onion routers . All these facts cause a distorted version of the originally embedded signal to be received at the entry onion router.
Fig 5 Masquerading attack IV. KEY BASED RANDOM PERMUTATION (KBRP) A permutation, also called an "arrangement number" or "order," is a rearrangement of the elements of an ordered list S into a one-to-one correspondence with S itself. The International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013
number of permutations on a set of n elements is given by n! (n factorial). A list of length n an be tested to see if it is a permutation of 1, ..., n using the command PermutationQ[list] in the Mathematica add-on package DiscreteMath`Combinatorica[3]. A random permutation is a permutation containing a fixed number n of a random selection from a given set of elements. There are two main algorithms for constructing random permutations. The first constructs a vector of random real numbers and uses them as keys to records containing the integers 1 to n. The second starts with an arbitrary permutation and then exchanges the ith element with a randomly selected one from the first i elements for i =1, ..., n[6,9]. Schemes for generating permutations and for numbering permutation have been developed over the years[10-12]. Campbell[7] gave a simple numbering scheme for calculating the permutation. Hussain[4] gave a method for generating permutation from string of bits. Key Based Random Permutation (KBRP) is a method that can generate one permutation of size n out of n! permutations. This permutation is generated from certain key (alphanumeric string) by considering all the elements of this given key in the generation process. The permutation is stored in one-dimensional array of size equal to the permutation size (N). The process involves three consecutive steps: init(), eliminate(), and fill(). First step, init(), is to initialize array of size n with elements from the given key, by taking the ASCII code of each element in the key and storing them in the array consecutively. To complete all elements of the array, we add elements to the array by adding two consecutive values of the array until all the elements of the array are set to values. Finally, all values are set to the range 1 to N by applying the mode operation. The second step, eliminate(), is to get rid of repeated values by replacing them with value of zero and keep only one value out of these repeated values. Last step, fill(), is to replace all zero values with nonzero values in the range 1 to N which are not exist in the array. The resulted array now represents the permutation.
Step1: init() Initialization step can be shown as follows: Let K: key (string of alphanumeric) of size S P: array holds permutation with values 1 to N N: array size A[i] =K[i] for i=1 to S P[i] =P[i] +P[i+1] for i=1 to S-1 P[S] =A[1] While (S <N) j =S+1 For( i =1 to S-1 ) For( k =i to S-1 && j _ N ) P[i] =P[i] +P[k+1] j++ P[i] =P[i] MOD N for i =1 to N Step2: eliminate() In this step, array P contains N values. Repetition for some values maybe exists; therefore, the repeated values are examined and replaced with zero. Only one value out of the repeated values is kept in P. now P has only distinct values in the range 1 to N and some zero values are appeared in P. Missing values in the range 1 to N that are not exist in P will be substituted by the zero elements. This process is shown in the following algorithm: Let L: left of array P R: right of array P For all values where L <R P[i] =0 if P[L] =P[i] for i =L+1 to R P[j] =0 if P[R] =P[j] for j =R-1 to L+1 Increment L by 1 Decrement R by 1 Step3: fill() The final step, fill(), is to replace any zero value in P by a value in the range 1 to N which is not exist in P. All zero values will be replaced through a sequence of one value from the left side of P and one value from the right side of P and repeating this sequence until all zero values are gone. The resulted array now contains all distinct values in the range 1 to N which represents the permutation stored in P. This process is shown in the following algorithm: Let A: array contains missing values in P m: number of missing values in A i =0 while ( i <m ) j =N while( P[i] !=0 && j >0 ) decrement j if( j >0 ) P[j] =A[i] increment i k =1 while( P[k] !=0 && k _ N ) increment k if( k <=N ) P[k] =A[i] increment i A. An illustrative example To illustrate the three steps of the process of KBRP, let us take the following example: KEY: computer Permutation size: 12 step1, fill() works as follows: array P holds first the ASCII code of the input
Then values will be changed to the following
Finally, P will hold the following values
International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013
In step2, the repeated values are examined and replaced with zero and this is done by the function eliminate(). Now P looks like
Finally, the function fill() replaces all zero values with the missing values in P in order to get the final permutation P.
Application: Permutation is used for encryption. Shiho and Serge[5] stated that block cipher can be considered as an instance of a random permutation over a message block space. In block cipher, permutation is used to rearrange a message block. This permutation needs to be random and secret. I have built the method KBRP that provides randomness and secrecy. Randomness is available since producing the permutation is completely depending on the secret key and each key generate one permutation for a given permutation size. Secrecy of permutation is comprised in the generating way. Permutation is used in block cipher as a mapping function that maps the elements of a message block in its original position into a new position. For example, a permutation, P, of size 4 has four elements P[1], P[2], P[3], and P[4] whose vales are 3,4,1, and 2 respectively. Any message block M of size 4 can be rearranged according to the permutation P. this mapping is shown in Fig. 6.
Fig. 6: Mapping message M with permutation P Mapping reflects the relation between original position and destination position of the message block. This relation should be weak for the reason of the difficulty of knowing or guessing the mapping (permutation). For this reason, I propose a test for the generated permutation and the sequence set one to block size (original positions of message block). This test is the correlation coefficient test (r), whose accepted values are |r| <0.5; otherwise, the permutation can be easily changed by making a one right shift and then compute new correlation. Right shift continues until we get the proper correlation value. Fig. 7 shows the mapping for the permutation generated in our illustrative example, P, and then we make one right shift to get a new permutation, P1. These permutations are
Correlations for P and P1 are 0.587413 and 0.20979 respectively.
Fig. 7: Mapping two permutations into original position V.CONCLUSION This paper introduced a masquerading attack against Tor. This attack is difficult to detect and is able to quickly and accurately confirm the anonymous communication relationship among users on Tor. An attacker at the malicious exit onion router slightly manipulates the transmission of cells from a target TCP stream and embeds a secret signal (a series of binary bits) into the cell counter variation of the TCP stream. An accomplice of the attacker at the entry onion router recognizes the embedded signal. Due to Tors fundamental design, defending against this attack remains a very challenging task that we will investigate in our future research. REFERENCES [1] L. Overlier and P. Syverson, Locating hidden servers, in Proceedings of the IEEE Security and Privacy Symposium (S&P), May 2006. [2] R.Dingledine and N. Mathewson, Tor protocol specification,http://tor.eff.org/svn/trunk/doc/spec/tor-spec.txt, 2008. [3] http://mathworld.wolfram.com [4] Hussain, S., 1998. Dynamic generation of permutation froma string of bits. Proc. SCCA'98, Applied Science University, J ordan, 21-22: 158- 160.
[5] R. Dingledine, N. Mathewson, and P. Syverson, Tor: Anonymity online, 2008 [Online]. Available: http://tor.eff.org/index.html.en [6] Z. Ling, J . Luo, W. Yu, X. Fu, D. Xuan, and W. J ia, A new cell counter based attack against tor, in Proceedings of 16th ACM Conference on Computer and Communications Security (CCS), November 2009. [7] William, C., 2004. Indexing permutation. Comput, J ., 19: 296-300.