112-bring-back-pathlencoinweight.txt 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165
  1. Filename: 112-bring-back-pathlencoinweight.txt
  2. Title: Bring Back Pathlen Coin Weight
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Mike Perry
  6. Created:
  7. Status: Superseded
  8. Superseded-By: 115
  9. Overview:
  10. The idea is that users should be able to choose a weight which
  11. probabilistically chooses their path lengths to be 2 or 3 hops. This
  12. weight will essentially be a biased coin that indicates an
  13. additional hop (beyond 2) with probability P. The user should be
  14. allowed to choose 0 for this weight to always get 2 hops and 1 to
  15. always get 3.
  16. This value should be modifiable from the controller, and should be
  17. available from Vidalia.
  18. Motivation:
  19. The Tor network is slow and overloaded. Increasingly often I hear
  20. stories about friends and friends of friends who are behind firewalls,
  21. annoying censorware, or under surveillance that interferes with their
  22. productivity and Internet usage, or chills their speech. These people
  23. know about Tor, but they choose to put up with the censorship because
  24. Tor is too slow to be usable for them. In fact, to download a fresh,
  25. complete copy of levine-timing.pdf for the Anonymity Implications
  26. section of this proposal over Tor took me 3 tries.
  27. There are many ways to improve the speed problem, and of course we
  28. should and will implement as many as we can. Johannes's GSoC project
  29. and my reputation system are longer term, higher-effort things that
  30. will still provide benefit independent of this proposal.
  31. However, reducing the path length to 2 for those who do not need the
  32. (questionable) extra anonymity 3 hops provide not only improves
  33. their Tor experience but also reduces their load on the Tor network by
  34. 33%, and can be done in less than 10 lines of code. That's not just
  35. Win-Win, it's Win-Win-Win.
  36. Furthermore, when blocking resistance measures insert an extra relay
  37. hop into the equation, 4 hops will certainly be completely unusable
  38. for these users, especially since it will be considerably more
  39. difficult to balance the load across a dark relay net than balancing
  40. the load on Tor itself (which today is still not without its flaws).
  41. Anonymity Implications:
  42. It has long been established that timing attacks against mixed
  43. networks are extremely effective, and that regardless of path
  44. length, if the adversary has compromised your first and last
  45. hop of your path, you can assume they have compromised your
  46. identity for that connection.
  47. In [1], it is demonstrated that for all but the slowest, lossiest
  48. networks, error rates for false positives and false negatives were
  49. very near zero. Only for constant streams of traffic over slow and
  50. (more importantly) extremely lossy network links did the error rate
  51. hit 20%. For loss rates typical to the Internet, even the error rate
  52. for slow nodes with constant traffic streams was 13%.
  53. When you take into account that most Tor streams are not constant,
  54. but probably much more like their "HomeIP" dataset, which consists
  55. mostly of web traffic that exists over finite intervals at specific
  56. times, error rates drop to fractions of 1%, even for the "worst"
  57. network nodes.
  58. Therefore, the user has little benefit from the extra hop, assuming
  59. the adversary does timing correlation on their nodes. The real
  60. protection is the probability of getting both the first and last hop,
  61. and this is constant whether the client chooses 2 hops, 3 hops, or 42.
  62. Partitioning attacks form another concern. Since Tor uses telescoping
  63. to build circuits, it is possible to tell a user is constructing only
  64. two hop paths at the entry node. It is questionable if this data is
  65. actually worth anything though, especially if the majority of users
  66. have easy access to this option, and do actually choose their path
  67. lengths semi-randomly.
  68. Nick has postulated that exits may also be able to tell that you are
  69. using only 2 hops by the amount of time between sending their
  70. RELAY_CONNECTED cell and the first bit of RELAY_DATA traffic they
  71. see from the OP. I doubt that they will be able to make much use
  72. of this timing pattern, since it will likely vary widely depending
  73. upon the type of node selected for that first hop, and the user's
  74. connection rate to that first hop. It is also questionable if this
  75. data is worth anything, especially if many users are using this
  76. option (and I imagine many will).
  77. Perhaps most seriously, two hop paths do allow malicious guards
  78. to easily fail circuits if they do not extend to their colluding peers
  79. for the exit hop. Since guards can detect the number of hops in a
  80. path, they could always fail the 3 hop circuits and focus on
  81. selectively failing the two hop ones until a peer was chosen.
  82. I believe currently guards are rotated if circuits fail, which does
  83. provide some protection, but this could be changed so that an entry
  84. guard is completely abandoned after a certain ratio of extend or
  85. general circuit failures with respect to non-failed circuits. This
  86. could possibly be gamed to increase guard turnover, but such a game
  87. would be much more noticeable than an individual guard failing circuits,
  88. though, since it would affect all clients, not just those who chose
  89. a particular guard.
  90. Why not fix Pathlen=2?:
  91. The main reason I am not advocating that we always use 2 hops is that
  92. in some situations, timing correlation evidence by itself may not be
  93. considered as solid and convincing as an actual, uninterrupted, fully
  94. traced path. Are these timing attacks as effective on a real network
  95. as they are in simulation? Would an extralegal adversary or authoritarian
  96. government even care? In the face of these situation-dependent unknowns,
  97. it should be up to the user to decide if this is a concern for them or not.
  98. It should probably also be noted that even a false positive
  99. rate of 1% for a 200k concurrent-user network could mean that for a
  100. given node, a given stream could be confused with something like 10
  101. users, assuming ~200 nodes carry most of the traffic (ie 1000 users
  102. each). Though of course to really know for sure, someone needs to do
  103. an attack on a real network, unfortunately.
  104. Implementation:
  105. new_route_len() can be modified directly with a check of the
  106. PathlenCoinWeight option (converted to percent) and a call to
  107. crypto_rand_int(0,100) for the weighted coin.
  108. The entry_guard_t structure could have num_circ_failed and
  109. num_circ_succeeded members such that if it exceeds N% circuit
  110. extend failure rate to a second hop, it is removed from the entry list.
  111. N should be sufficiently high to avoid churn from normal Tor circuit
  112. failure as determined by TorFlow scans.
  113. The Vidalia option should be presented as a boolean, to minimize confusion
  114. for the user. Something like a radiobutton with:
  115. * "I use Tor for Censorship Resistance, not Anonymity. Speed is more
  116. important to me than Anonymity."
  117. * "I use Tor for Anonymity. I need extra protection at the cost of speed."
  118. and then some explanation in the help for exactly what this means, and
  119. the risks involved with eliminating the adversary's need for timing attacks
  120. wrt to false positives, etc.
  121. Migration:
  122. Phase one: Experiment with the proper ratio of circuit failures
  123. used to expire garbage or malicious guards via TorFlow.
  124. Phase two: Re-enable config and modify new_route_len() to add an
  125. extra hop if coin comes up "heads".
  126. Phase three: Make radiobutton in Vidalia, along with help entry
  127. that explains in layman's terms the risks involved.
  128. [1] http://www.cs.umass.edu/~mwright/papers/levine-timing.pdf