blocking.tex 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354
  1. \documentclass{llncs}
  2. \usepackage{url}
  3. \usepackage{amsmath}
  4. \usepackage{epsfig}
  5. %\setlength{\textwidth}{5.9in}
  6. %\setlength{\textheight}{8.4in}
  7. %\setlength{\topmargin}{.5cm}
  8. %\setlength{\oddsidemargin}{1cm}
  9. %\setlength{\evensidemargin}{1cm}
  10. \newenvironment{tightlist}{\begin{list}{$\bullet$}{
  11. \setlength{\itemsep}{0mm}
  12. \setlength{\parsep}{0mm}
  13. % \setlength{\labelsep}{0mm}
  14. % \setlength{\labelwidth}{0mm}
  15. % \setlength{\topsep}{0mm}
  16. }}{\end{list}}
  17. \begin{document}
  18. \title{Design of a blocking-resistant anonymity system}
  19. \author{}
  20. \maketitle
  21. \pagestyle{plain}
  22. \begin{abstract}
  23. Websites around the world are increasingly being blocked by
  24. government-level firewalls. Many people use anonymizing networks like
  25. Tor to contact sites without letting an attacker trace their activities,
  26. and as an added benefit they are no longer affected by local censorship.
  27. But if the attacker simply denies access to the Tor network itself,
  28. blocked users can no longer benefit from the security Tor offers.
  29. Here we describe a design that uses the current Tor network as a
  30. building block to provide an anonymizing network that resists blocking
  31. by government-level attackers.
  32. \end{abstract}
  33. \section{Introduction and Goals}
  34. Websites like Wikipedia and Blogspot are increasingly being blocked by
  35. government-level firewalls around the world.
  36. China is the third largest user base for Tor clients~\cite{geoip-tor}.
  37. Many people already want it, and the current Tor design is easy to block
  38. (by blocking the directory authorities, by blocking all the server
  39. IP addresses, or by filtering the signature of the Tor TLS handshake).
  40. Now that we've got an overlay network, we're most of the way there in
  41. terms of building a blocking-resistant tool.
  42. And it improves the anonymity that Tor can provide to add more different
  43. classes of users and goals to the Tor network.
  44. \subsection{A single system that works for multiple blocked domains}
  45. We want this to work for people in China, people in Iran, people in
  46. Thailand, people in firewalled corporate networks, etc. The blocking
  47. censor will be at different stages of the arms race in different places;
  48. and likely the list of blocked addresses will be different in each
  49. location too.
  50. \section{Adversary assumptions}
  51. \label{sec:adversary}
  52. Three main network attacks by censors currently:
  53. \begin{tightlist}
  54. \item Block destination by string matches in TCP packets.
  55. \item Block destination by IP address.
  56. \item Intercept DNS requests.
  57. \end{tightlist}
  58. Assume the network firewall has very limited CPU~\cite{clayton06}.
  59. Assume that readers of blocked content will not be punished much
  60. (relative to writers).
  61. Assume that while various different adversaries can coordinate and share
  62. notes, there will be a significant time lag between one attacker learning
  63. how to overcome a facet of our design and other attackers picking it up.
  64. \section{Related schemes}
  65. \subsection{public single-hop proxies}
  66. \subsection{personal single-hop proxies}
  67. Easier to deploy; might not require client-side software.
  68. \subsection{break your sensitive strings into multiple tcp packets}
  69. \subsection{steganography}
  70. % \subsection{}
  71. \section{Useful building blocks}
  72. \subsection{Tor}
  73. Anonymizing networks such as
  74. Tor~\cite{tor-design}
  75. aim to hide not only what is being said, but also who is
  76. communicating with whom, which users are using which websites, and so on.
  77. These systems have a broad range of users, including ordinary citizens
  78. who want to avoid being profiled for targeted advertisements, corporations
  79. who don't want to reveal information to their competitors, and law
  80. enforcement and government intelligence agencies who need
  81. to do operations on the Internet without being noticed.
  82. Tor provides three security properties:
  83. \begin{tightlist}
  84. \item A local observer can't learn, or influence, your destination.
  85. \item The destination, or somebody watching the destination, can't learn
  86. your location.
  87. \item No single piece of the infrastructure can link you to your
  88. destination.
  89. \end{tightlist}
  90. We care most clearly about property number 1. But when the arms race
  91. progresses, property 2 will become important -- so the blocking adversary
  92. can't learn user+destination just by volunteering a relay. It's not so
  93. clear to see that property 3 is important, but consider websites and
  94. services that are pressured into treating clients from certain network
  95. locations differently.
  96. Other benefits:
  97. \begin{tightlist}
  98. \item Separates the role of relay from the role of exit node.
  99. \item (Re)builds circuits automatically in the background, based on
  100. whichever paths work.
  101. \end{tightlist}
  102. \subsection{Tor circuits}
  103. can build arbitrary overlay paths given a set of descriptors~\cite{blossom}
  104. \subsection{Tor directory servers}
  105. \subsection{Tor user base}
  106. \section{The Design, version one}
  107. \subsection{Bridge relays}
  108. Some Tor users on the free side of the network will opt to become
  109. bridge relays. They will relay a bit of traffic and won't need to allow
  110. exits. They sign up on the bridge directory authorities, below.
  111. ...need to outline instructions for a Tor config that will publish
  112. to an alternate directory authority, and for controller commands
  113. that will do this cleanly.
  114. \subsection{The bridge directory authority (BDA)}
  115. They aggregate server descriptors just like the main authorities, and
  116. answer all queries as usual, except they don't publish network statuses.
  117. So once you know a bridge relay's key, you can get the most recent
  118. server descriptor for it.
  119. XXX need to figure out how to fetch some server statuses from the BDA
  120. without fetching all statuses. A new URL to fetch I presume?
  121. \subsection{Blocked users}
  122. If a blocked user has a server descriptor for one working bridge relay,
  123. then he can make secure connections to the BDA to update his knowledge
  124. about other bridge
  125. relays, and he can make secure connections to the main Tor network
  126. and directory servers to build circuits and connect to the rest of
  127. the Internet.
  128. So now we've reduced the problem from how to circumvent the firewall
  129. for all transactions (and how to know that the pages you get have not
  130. been modified by the local attacker) to how to learn about a working
  131. bridge relay.
  132. The simplest format for communicating information about a bridge relay
  133. is as an IP address and port for its directory cache. From there, the
  134. user can ask the directory cache for an up-to-date copy of that bridge
  135. relay's server descriptor, including its current circuit keys, the port
  136. it uses for Tor connections, and so on.
  137. However, connecting directly to the directory cache involves a plaintext
  138. http request, so the censor could create a firewall signature for the
  139. request and/or its response, thus preventing these connections. If that
  140. happens, the first fix is to use SSL -- not for authentication, but
  141. just for encryption so requests look different every time.
  142. There's another possible attack here: since we only learn an IP address
  143. and port, a local attacker could intercept our directory request and
  144. give us some other server descriptor. But notice that we don't need
  145. strong authentication for the bridge relay. Since the Tor client will
  146. ship with trusted keys for the bridge directory authority and the Tor
  147. network directory authorities, the user can decide if the bridge relays
  148. are lying to him or not.
  149. Once the Tor client has fetched the server descriptor at least once,
  150. it should remember the identity key fingerprint for that bridge relay.
  151. If the bridge relay moves to a new IP address, the client can then
  152. use the bridge directory authority to look up a fresh server descriptor
  153. using this fingerprint.
  154. another option is to conclude
  155. that it will be better to tunnel through a Tor circuit when fetching them.
  156. The following section describes ways to bootstrap knowledge of your first
  157. bridge relay, and ways to maintain connectivity once you know a few
  158. bridge relays.
  159. \section{Discovering and maintaining working bridge relays}
  160. \subsection{Initial network discovery}
  161. We make the assumption that the firewall is not perfect. People can
  162. get around it through the usual means, or they know a friend who can.
  163. If they can't get around it at all, then we can't help them -- they
  164. should go meet more people.
  165. Thus they can reach the BDA. From here we either assume a social
  166. network or other mechanism for learning IP:dirport or key fingerprints
  167. as above, or we assume an account server that allows us to limit the
  168. number of new bridge relays an external attacker can discover.
  169. \section{The Design, version two}
  170. \item A blinded token, which can be exchanged at the BDA (assuming you
  171. can reach it) for a new IP:dirport or server descriptor.
  172. \subsection{The account server}
  173. Users can establish reputations, perhaps based on social network
  174. connectivity, perhaps based on not getting their bridge relays blocked,
  175. \section{Other issues}
  176. \subsection{How many bridge relays should you know about?}
  177. If they're ordinary Tor users on cable modem or DSL, many of them will
  178. disappear periodically. How many bridge relays should a blockee know
  179. about before he's likely to have at least one up at any given point?
  180. The related question is: if the bridge relays change IP addresses
  181. periodically, how often does the blockee need to "check in" in order
  182. to keep from being cut out of the loop?
  183. \subsection{How do we know if a bridge relay has been blocked?}
  184. We need some mechanism for testing reachability from inside the
  185. blocked area. The easiest answer is for certain users inside
  186. the area to sign up as testing relays, and then we can route through
  187. them and see if it works.
  188. First problem is that different network areas block different net masks,
  189. and it will likely be hard to know which users are in which areas. So
  190. if a bridge relay isn't reachable, is that because of a network block
  191. somewhere, because of a problem at the bridge relay, or just a temporary
  192. outage?
  193. Second problem is that if we pick random users to test random relays, the
  194. adversary should sign up users on the inside, and enumerate the relays
  195. we test. But it seems dangerous to just let people come forward and
  196. declare that things are blocked for them, since they could be tricking
  197. us. (This matters even moreso if our reputation system above relies on
  198. whether things get blocked to punish or reward.)
  199. \subsection{Tunneling directory lookups through Tor}
  200. All you need to do is bootstrap, and then you can use
  201. your Tor connection to maintain your Tor connection,
  202. including doing secure directory fetches.
  203. \subsection{Predictable SSL ports}
  204. We should encourage most servers to listen on port 443, which is
  205. where SSL normally listens.
  206. Is that all it will take, or should we set things up so some fraction
  207. of them pick random ports? I can see that both helping and hurting.
  208. \subsection{Predictable TLS handshakes}
  209. Right now Tor has some predictable strings in its TLS handshakes.
  210. These can be removed; but should they be replaced with nothing, or
  211. should we try to emulate some popular browser? In any case our
  212. protocol demands a pair of certs on both sides -- how much will this
  213. make Tor handshakes stand out?
  214. \section{Anonymity issues from becoming a bridge relay}
  215. You can actually harm your anonymity by relaying traffic in Tor. This is
  216. the same issue that ordinary Tor servers face. On the other hand, it
  217. provides improved anonymity against some attacks too:
  218. \begin{verbatim}
  219. http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerAnonymity
  220. \end{verbatim}
  221. \subsection{Cablemodem users don't provide important websites}
  222. ...so our adversary could just block all DSL and cablemodem networks,
  223. and for the most part only our bridge relays would be affected.
  224. The first answer is to aim to get volunteers both from traditionally
  225. ``consumer'' networks and also from traditionally ``producer'' networks.
  226. The second answer (not so good) would be to encourage more use of consumer
  227. networks for popular and useful websites.
  228. \section{Future designs}
  229. \subsection{Bridges inside the blocked network too}
  230. Assuming actually crossing the firewall is the risky part of the
  231. operation, can we have some bridge relays inside the blocked area too,
  232. and more established users can use them as relays so they don't need to
  233. communicate over the firewall directly at all? A simple example here is
  234. to make new blocked users into internal bridges also -- so they sign up
  235. on the BDA as part of doing their query, and we give out their addresses
  236. rather than (or along with) the external bridge addresses. This design
  237. is a lot trickier because it brings in the complexity of whether the
  238. internal bridges will remain available, can maintain reachability with
  239. the outside world, etc.
  240. Hidden services as bridges.
  241. %\bibliographystyle{plain} \bibliography{tor-design}
  242. \end{document}
  243. % need a way for users to get tor itself. (discuss trust chain.)