International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1722

Masquerading Attack To Break Tors Anonymity
Deepa S.V,
M.Tech Computer Science and Engg.
Calicut University,Kerala,India.


AbstractTOR-The Onion Router, is a low-latency anonymous-
communication overlay network, based on Onion Routing. Tor
aims to resist observers and insiders by distributing each
transaction over several nodes in the network. To prevent the
traffic analysis attack, Tor packs application data into equal-
sized cells. In masquerading attack, at the malicious exit onion
router, the attacker can embed a secret signal generated using
KBRP. The embedded signal will be carried along with the target
traffic and arrive at the malicious entry onion router. Then, an
accomplice of the attacker at the malicious entry onion router
will detect the embedded signal based on the received cells and
confirm the communication relationship among users.


Keywords Tor, Anonymity.
I. INTRODUCTION
There has been extensive research work done on attacks
degrading anonymous communication through Tor. Most
existing approaches are based on traffic analysis [1]. These
traffic analysis attacks can be categorized into two groups:
passive traffic analysis and active watermarking techniques.
Passive traffic analysis technique will record the traffic
passively and identify the correlation between senders
outbound traffic and receivers inbound traffic based on
statistical measures. This type of technique requires a
relatively long period of traffic observation for a reasonable
detection rate. Active watermarking technique can reduce
attack lasting time, improve attack success rate and has
recently received more attention. The idea is to actively
introduce special signals (or marks) into the senders
outbound traffic with the intention of recognizing the
embedded signal at the receivers inbound traffic. However, in
order to accurately confirm the anonymous communication
relationship of users, the flow-marking scheme needs to
embed a signal modulated by a relatively long length of PN
code, and also the signal is embedded into the traffic flow
rate variation. Their approach records the traffic timing of the
incoming flows and correlates them with the outgoing flows.
II. BACKGROUND
This section first present Tor network components
and then review the existing cell counting based attack against
Tor.

A. Components of Tor network
Tor is a real-world, circuit-based low-latency anonymous
communication network. It is an open source project and
provides anonymity service for TCP applications[1]. As
shown in Figure 1, it has the following four basic components.
Alice (i.e. Client) runs a local software called onion
proxy(OP) to anonymize the client data into Tor.
Bob (i.e. Server) runs TCP applications such as a web
service and anonymously communicates with Alice
over Tor.
Onion routers (OR) are special proxies that relay the
application data between Alice and Bob. By default,
client uses three ORs to relay their data. Denote these
three ORs as entry router (OR1), middle router (OR2)
and exit router (OR3), respectively. In Tor, Transport
Layer Security (TLS) connections are used for the
overlay link encryption between two onion routers. The
application data is packed into equal-sized cells (512
bytes as shown in Figure 2) transmitted through TLS
connections.
Directory servers hold onion router information such as
public keys for onion routers. Directory authorities hold
authoritative information on onion routers and directory
caches the downloaded directory information of onion
routers from authorities.
Figure 2 illustrates Tors cell format. Figure 2 illustrates
Tors cell format. All cells have a three bytes header, which is
not encrypted so that the intermediate onion router can see this
header. The other 509 bytes are encrypted in the onion-like
fashion. There are two types of cells: control cell shown in
Figure 2(a) and relay cell shown in Figure 2(b).

B. Selecting a Path and Creating a Circuit
In order to anonymously communicate with applications,
i.e., browsing a web server, a client uses a way of source
routing and chooses a series of onion routers from the locally
cached directory, downloaded from the directory caches. We
denote the series of onion routers as the path through Tor. The
number of onion routers is referred to as the path length. We
use the default path length of 3 as an example in Figure 1 to
illustrate how the path is chosen. The client first chooses an
appropriate exit onion router OR3, which should have an exit
policy supporting the relay of the TCP stream from the sender.
Then, the client chooses an appropriate entry onion router
OR1 and a middle onion router OR2.
International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1723

Once the path is chosen, the client initiates the procedure
of creating a circuit over the path incrementally, one hop at a
time. Figure 3 illustrates the procedure of creating a circuit
when the path has a default length of 3. Tor uses TLS/SSLv3
for link authentication and encryption In Figure 3, OP first
sets up a TLS connection with OR1 using the TLS protocol.
Then, tunneling through this connection, OP sends a CELL
CREATE cell and uses the Diffie-Hellman (DH) handshake
protocol to negotiate a base key with OR, which responds with
a CELL CREATED cell. From this base key material, a
forward symmetric key and a backward symmetric key are
produced. In this way, a one-hop circuit C1 is created.


Fig. 1. Tor Network

To extend the circuit one hop further, the OP sends to OR1
a RELAY COMMAND EXTEND cell, specifying the address
of the next onion router, i.e., OR2 in Figure 3. This RELAY
COMMAND EXTEND cell is encrypted by AES in the counter
mode (AES-CTR) with kf1. Once OR1 receives this cell, it
decrypts the cell and negotiates secret keys with OR2 using
the DH handshake protocol. Therefore, a second segment C2
of the 2-hop circuit is created. OR1 sends OP a RELAY
COMMAND EXTENDED cell, which holds information for
OP generating the shared secret keys: forward key and
backward key, with OR2. This RELAY COMMAND
EXTENDED cell is encrypted by AES-CTR with key. OP will
decrypt the RELAYCOMMAND EXTENDED cell and use the
information to create the corresponding keys. Encryption of
later cells by these secret keys uses AES-CTR as well.

Fig. 1 Cell format

In summary, OP negotiates secret keys with the three
onion routers one by one and consequently creates a circuit
along the path3. With the exception that the connection from
the exit onion router to the server is not link encrypted, other
connections along the path are all protected by TLS within
Tor. That is, cells encrypted in the onion-like fashion are
protected by link encryption. In the description above, we
simply use a circuit of path length 3 as an example and a
circuit of path length greater than 3 can be set up in a similar
manner.
C. Transmitting Tcp Streams
To transmit data to Bob, Alices application (such as web
browser) first contacts the OP, which is implemented as a
SOCKS proxy locally. The OP learns the destination IP
address and port. OP sends a RELAY COMMAND BEGIN cell
to the exit onion router OR3, and the cell is encrypted as
{{{Begin < IP,Port >}kf3 }kf2 }kf1 , where the subscript refers
to the key used for encryption of one onion skin. The three
layers of onion skin are removed one by one each time the cell
traverses an onion router through the circuit. When Alices
application finishes the data transmission, the connection from
Alices application to the OP will be released. As shown in
Figure 4, after 5 bytes of data Hello in a RELAY
COMMAND DATA cell is transmitted, Alices application
releases the connection to OP.

Fig. 3. Tor Circuit Creation
When OR3 removes the last onion skin by decryption, it
recognizes that the request intends to open a TCP stream to a
port at the destination IP, which belongs to Bob. Therefore,
OR3 acts as a proxy, sets up a TCP connection with Bob, and
sends a RELAY COMMAND CONNECTED cell back to
Alices OP. The OP then accepts data from Alices
application, packs it into relay cells with the Relay Command
of RELAY COMMAND DATA and transmits it to Bob through
the circuit. The whole process is transparent to Alice, who
only needs to configure the application to use the OP. OP then
sends a RELAY COMMAND END cell to OR3 and OR3 finally
releases the connection to Bob. In this way, the circuit of path
over Tor will be released completely.
III. BASIC IDEA OF MASQUERADING ATTACK
An attacker at the exit onion router first selects the target
traffic flow between Alice and Bob. The attacker then selects
a random signal (e.g., a sequence of binary bits), chooses an
International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1724

appropriate time, and changes the cell count of target traffic
based on the selected random signal. In this way, the attacker
is able to embed a signal into the target traffic from Bob. The
signal will be carried along with the target traffic to the entry
onion router connecting to Alice. An accomplice of the
attacker at the entry onion router will record the variation of
the received cells and recognize the embedded signal. If the
same pattern of the signal is recognized, the attacker confirms
the communication relationship between Alice and Bob.

Fig. 4. TCP Connection Creation and Data Transmission on Tor
1.Selecting the Target: At a malicious exit onion router
connected to the server Bob, the attacker will log the
information, including server Bobs host IP address and port
used for a given circuit, as well as the circuit ID. The attacker
uses CELL_RELAY_DATA cells since those cells transmit the
data stream. According to the description of Tor the attacker is
able to obtain the first cell backward to the client, which is a
CELL_CREATED cell and is used to negotiate a symmetric
key with the middle onion router. The second cell backward to
the client will be a CELL_RELAY_CONNECTED cell. All
sequential cells will be CELL_RELAY_DATA cell, and the
attacker starts the encoding process shown in Step 2.
2.Encoding the Signal: The CELL_RELAY_DATA cells will
be waiting in the circuit queue of the onion router until the
write event is called. Then, the cells in the circuit queue are all
flushed into the output buffer. Hence, the attacker can benefit
from this and manipulate the number of cells flushed to the
output buffer all together. In this way, the attacker can embed
a secret signal (a sequence of binary bits, i.e., 10101) into
the variation of the cell count during a short period in the
target traffic. Particularly, in order to encode bit 1, the
attacker flushes three cells from the circuit queue. In order to
encode bit 0, the attacker flushes only one cell from the
circuit queue. In order to accurately manipulate the number of
the cells to be flushed, the attacker needs to count the number
of cells in the circuit queue. Once the number of the cells is
adequate (i.e,, three cells for encoding 1 bit of the signal,
and one cell for 0 bit of the signal), the attacker calls the
circuit write event promptly and all the cells are flushed to the
output buffer immediately. Unfortunately, due to the network
congestion and delay, the cells may be combined or separated
at the middle onion routers, or the network link between the
onion routers.
3.Recording Packets: After the signal is embedded in the
target traffic in Step 2, it will be transmitted to the entry onion
router along with the target traffic. An accomplice of the
attacker at the entry onion router will record the received cells
and related information, including Alices host IP address and
port used for a given circuit, as well as the circuit ID. Since
the signal is embedded in the variation of the cell count for
CELL_RELAY_DATA cells, an accomplice of the attacker at
the entry onion router needs to determine whether the received
cells are CELL_RELAY_DATA cells. This can be done
through a way similar to the one in Step 1.We know that the
first two cells that arrive at the entry onion router are
CELL_RELAY_EXTENDED cells, and the third one is a
CELL_RELAY_CONNECTED cell. After these three cells, all
cells are a CELL_RELAY_DATA cell. Therefore, starting from
this point, the attacker records the cells arriving at the circuit
queue.
4: Recognizing the Embedded Signal: With recorded cells,
the attacker enters the phase of recognizing the embedded
signal. Once the original signal is identified, the entry onion
router knows Alices host IP address, and the exit onion router
knows Bobs host IP address of the TCP stream. Therefore,
the attacker can link the communication relationship between
Alice and Bob. As mentioned earlier, when the signal is
transmitted through Tor, it will be distorted because of
network delay and congestion. For example, when the chunks
of three cells for encoding bit 1 arrive at the middle onion
router, the first cell will be flushed to the output buffer
promptly if there is no data in the output buffer. The
subsequent two cells are queued in the circuit queue. When
the write event is called, the first cell is sent to the network,
while the subsequent two cells are flushed into the output
buffer. Therefore, the chunks of the three cells for carrying bit
1 may be split into two portions. The first portion contains
the first cell, and the second portion contains the second and
third cell together. Therefore, attention must be paid to take
these into account to recognize a signal bit. Due to the
network congestion and delay, the cells may be combined or
separated at the middle onion routers, or the network link
between the onion routers . All these facts cause a distorted
version of the originally embedded signal to be received at the
entry onion router.

Fig 5 Masquerading attack
IV. KEY BASED RANDOM PERMUTATION (KBRP)
A permutation, also called an "arrangement number"
or "order," is a rearrangement of the elements of an ordered
list S into a one-to-one correspondence with S itself. The
International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1725

number of permutations on a set of n elements is given by n!
(n factorial). A list of length n an be tested to see if it is a
permutation of 1, ..., n using the command PermutationQ[list]
in the Mathematica add-on package
DiscreteMath`Combinatorica[3]. A random permutation is a
permutation containing a fixed number n of a random
selection from a given set of elements. There are two main
algorithms for constructing random permutations. The first
constructs a vector of random real numbers and uses them as
keys to records containing the integers 1 to n. The second
starts with an arbitrary permutation and then exchanges the ith
element with a randomly selected one from the first i elements
for i =1, ..., n[6,9]. Schemes for generating permutations and
for numbering permutation have been developed over the
years[10-12]. Campbell[7] gave a simple numbering scheme
for calculating the permutation. Hussain[4] gave a method for
generating permutation from string of bits.
Key Based Random Permutation (KBRP) is a
method that can generate one permutation of size n out of n!
permutations. This permutation is generated from certain key
(alphanumeric string) by considering all the elements of this
given key in the generation process. The permutation is stored
in one-dimensional array of size equal to the permutation size
(N). The process involves three consecutive steps: init(),
eliminate(), and fill(). First step, init(), is to initialize array of
size n with elements from the given key, by taking the ASCII
code of each element in the key and storing them in the array
consecutively. To complete all elements of the array, we add
elements to the array by adding two consecutive values of the
array until all the elements of the array are set to values.
Finally, all values are set to the range 1 to N by applying the
mode operation. The second step, eliminate(), is to get rid of
repeated values by replacing them with value of zero and keep
only one value out of these repeated values. Last step, fill(), is
to replace all zero values with nonzero values in the range 1 to
N which are not exist in the array. The resulted array now
represents the permutation.

Step1: init()
Initialization step can be shown as follows:
Let
K: key (string of alphanumeric) of size S
P: array holds permutation with values 1 to N
N: array size
A[i] =K[i] for i=1 to S
P[i] =P[i] +P[i+1] for i=1 to S-1
P[S] =A[1]
While (S <N)
j =S+1
For( i =1 to S-1 )
For( k =i to S-1 && j _ N )
P[i] =P[i] +P[k+1]
j++
P[i] =P[i] MOD N for i =1 to N
Step2: eliminate()
In this step, array P contains N values. Repetition for
some values maybe exists; therefore, the repeated values are
examined and replaced with zero. Only one value out of the
repeated values is kept in P. now P has only distinct values in
the range 1 to N and some zero values are appeared in P.
Missing values in the range 1 to N that are not exist in P will
be substituted by the zero elements. This process is shown in
the following algorithm:
Let
L: left of array P
R: right of array P
For all values where L <R
P[i] =0 if P[L] =P[i] for i =L+1 to R
P[j] =0 if P[R] =P[j] for j =R-1 to L+1
Increment L by 1
Decrement R by 1
Step3: fill()
The final step, fill(), is to replace any zero value in P
by a value in the range 1 to N which is not exist in P. All zero
values will be replaced through a sequence of one value from
the left side of P and one value from the right side of P and
repeating this sequence until all zero values are gone. The
resulted array now contains all distinct values in the range 1 to
N which represents the permutation stored in P. This process
is shown in the following algorithm:
Let
A: array contains missing values in P
m: number of missing values in A
i =0
while ( i <m )
j =N
while( P[i] !=0 && j >0 )
decrement j
if( j >0 )
P[j] =A[i]
increment i
k =1
while( P[k] !=0 && k _ N )
increment k
if( k <=N )
P[k] =A[i]
increment i
A. An illustrative example
To illustrate the three steps of the process of KBRP,
let us take the following example:
KEY: computer
Permutation size: 12
step1, fill() works as follows: array P holds first the ASCII
code of the input

Then values will be changed to the following

Finally, P will hold the following values

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 6June 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 1726

In step2, the repeated values are examined and replaced with
zero and this is done by the function eliminate(). Now P looks
like

Finally, the function fill() replaces all zero values with the missing
values in P in order to get the final permutation P.

Application: Permutation is used for encryption.
Shiho and Serge[5] stated that block cipher can be considered
as an instance of a random permutation over a message block
space. In block cipher, permutation is used to rearrange a
message block. This permutation needs to be random and
secret. I have built the method KBRP that provides
randomness and secrecy. Randomness is available since
producing the permutation is completely depending on the
secret key and each key generate one permutation for a given
permutation size. Secrecy of permutation is comprised in the
generating way. Permutation is used in block cipher as a
mapping function that maps the elements of a message block
in its original position into a new position. For example, a
permutation, P, of size 4 has four elements P[1], P[2], P[3],
and P[4] whose vales are 3,4,1, and 2 respectively. Any
message block M of size 4 can be rearranged according to the
permutation P. this mapping is shown in Fig. 6.

Fig. 6: Mapping message M with permutation P
Mapping reflects the relation between original
position and destination position of the message block. This
relation should be weak for the reason of the difficulty of
knowing or guessing the mapping (permutation). For this
reason, I propose a test for the generated permutation and the
sequence set one to block size (original positions of message
block). This test is the correlation coefficient test (r), whose
accepted values are |r| <0.5; otherwise, the permutation can
be easily changed by making a one right shift and then
compute new correlation. Right shift continues until we get
the proper correlation value. Fig. 7 shows the mapping for the
permutation generated in our illustrative example, P, and then
we make one right shift to get a new permutation, P1. These
permutations are

Correlations for P and P1 are 0.587413 and 0.20979
respectively.

Fig. 7: Mapping two permutations into original position
V.CONCLUSION
This paper introduced a masquerading attack against
Tor. This attack is difficult to detect and is able to quickly and
accurately confirm the anonymous communication
relationship among users on Tor. An attacker at the malicious
exit onion router slightly manipulates the transmission of cells
from a target TCP stream and embeds a secret signal (a series
of binary bits) into the cell counter variation of the TCP
stream. An accomplice of the attacker at the entry onion router
recognizes the embedded signal. Due to Tors fundamental
design, defending against this attack remains a very
challenging task that we will investigate in our future research.
REFERENCES
[1] L. Overlier and P. Syverson, Locating hidden servers, in
Proceedings of the IEEE Security and Privacy Symposium (S&P), May
2006.
[2] R.Dingledine and N. Mathewson, Tor protocol
specification,http://tor.eff.org/svn/trunk/doc/spec/tor-spec.txt, 2008.
[3] http://mathworld.wolfram.com
[4] Hussain, S., 1998. Dynamic generation of permutation froma string
of bits. Proc. SCCA'98, Applied Science University, J ordan, 21-22: 158-
160.

[5] R. Dingledine, N. Mathewson, and P. Syverson, Tor: Anonymity
online, 2008 [Online]. Available: http://tor.eff.org/index.html.en
[6] Z. Ling, J . Luo, W. Yu, X. Fu, D. Xuan, and W. J ia, A new cell counter
based attack against tor, in Proceedings of 16th ACM Conference on
Computer and Communications Security (CCS), November 2009.
[7] William, C., 2004. Indexing permutation. Comput,
J ., 19: 296-300.