blocking.tex 10.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294
  1. \documentclass{llncs}
  2. \usepackage{url}
  3. \usepackage{amsmath}
  4. \usepackage{epsfig}
  5. %\setlength{\textwidth}{5.9in}
  6. %\setlength{\textheight}{8.4in}
  7. %\setlength{\topmargin}{.5cm}
  8. %\setlength{\oddsidemargin}{1cm}
  9. %\setlength{\evensidemargin}{1cm}
  10. \newenvironment{tightlist}{\begin{list}{$\bullet$}{
  11. \setlength{\itemsep}{0mm}
  12. \setlength{\parsep}{0mm}
  13. % \setlength{\labelsep}{0mm}
  14. % \setlength{\labelwidth}{0mm}
  15. % \setlength{\topsep}{0mm}
  16. }}{\end{list}}
  17. \begin{document}
  18. \title{Design of a blocking-resistant anonymity system}
  19. \author{}
  20. \maketitle
  21. \pagestyle{plain}
  22. \begin{abstract}
  23. ...
  24. \end{abstract}
  25. \section{Introduction and Goals}
  26. Websites like Wikipedia and Blogspot are increasingly being blocked by
  27. government-level firewalls around the world.
  28. China is the third largest user base for Tor clients~\cite{geoip-tor}.
  29. Many people already want it, and the current Tor design is easy to block
  30. (by blocking the directory authorities, by blocking all the server
  31. IP addresses, or by filtering the signature of the Tor TLS handshake).
  32. Now that we've got an overlay network, we're most of the way there in
  33. terms of building a blocking-resistant tool.
  34. And it improves the anonymity that Tor can provide to add more different
  35. classes of users and goals to the Tor network.
  36. \subsection{A single system that works for multiple blocked domains}
  37. We want this to work for people in China, people in Iran, people in
  38. Thailand, people in firewalled corporate networks, etc. The blocking
  39. censor will be at different stages of the arms race in different places;
  40. and likely the list of blocked addresses will be different in each
  41. location too.
  42. \section{Adversary assumptions}
  43. \label{sec:adversary}
  44. Three main network attacks currently:
  45. \begin{tightlist}
  46. \item Block destination by string matches in TCP packets.
  47. \item Block destination by IP address.
  48. \item Intercept DNS requests.
  49. \end{tightlist}
  50. Assume the network firewall has very limited CPU [clayton06] %~\cite{clayton06}.
  51. Assume that readers of blocked content will not be punished much
  52. (relative to writers).
  53. \section{Related schemes}
  54. \subsection{public single-hop proxies}
  55. \subsection{personal single-hop proxies}
  56. Easier to deploy; might not require client-side software.
  57. \subsection{break your sensitive strings into multiple tcp packets}
  58. \subsection{steganography}
  59. % \subsection{}
  60. \section{Useful building blocks}
  61. \subsection{Tor}
  62. Tor provides three security properties:
  63. \begin{tightlist}
  64. \item A local observer can't learn, or influence, your destination.
  65. \item The destination, or somebody watching the destination, can't learn
  66. your location.
  67. \item No single piece of the infrastructure can link you to your
  68. destination.
  69. \end{tightlist}
  70. We care most clearly about property number 1. But when the arms race
  71. progresses, property 2 will become important -- so the blocking adversary
  72. can't learn user+destination just by volunteering a relay. It's not so
  73. clear to see that property 3 is important, but consider websites and
  74. services that are pressured into treating clients from certain network
  75. locations differently.
  76. Other benefits:
  77. \begin{tightlist}
  78. \item Separates the role of relay from the role of exit node.
  79. \item (Re)builds circuits automatically in the background, based on
  80. whichever paths work.
  81. \end{tightlist}
  82. \subsection{Tor circuits}
  83. can build arbitrary overlay paths given a set of descriptors [blossom] %~\cite{blossom}
  84. \subsection{Tor directory servers}
  85. \subsection{Tor user base}
  86. \section{The Design}
  87. \subsection{Bridge relays}
  88. Some Tor users on the free side of the network will opt to become bridge
  89. relays. They will relay a bit of traffic and don't allow exits. They
  90. sign up on the bridge directory authorities, below.
  91. ...need to outline instructions for a Tor config that will publish
  92. to an alternate directory authority, and for controller commands
  93. that will do this cleanly.
  94. \subsection{The bridge directory authority (BDA)}
  95. They aggregate server descriptors just like the main authorities, and
  96. answer all queries as usual, except they don't publish network statuses.
  97. So once you know a bridge relay's key, you can get the most recent
  98. server descriptor for it.
  99. XXX need to figure out how to fetch some statuses from the BDA without
  100. fetching all statuses. A new URL to fetch I presume?
  101. \subsection{Blocked users}
  102. If a blocked user knows about a working bridge relay, then he can make
  103. secure connections to the BDA to update his knowledge about bridge
  104. relays, and he can make secure connections to the main Tor network
  105. and directory servers to build circuits and connect to the rest of
  106. the Internet.
  107. So now we've reduced the problem from how to circumvent the firewall
  108. for all transactions (and how to know that the pages you get are the
  109. real ones) to how to learn about a working bridge relay. They can
  110. be distributed in three ways:
  111. \begin{tightlist}
  112. \item IP:dirport, so the user can connect directly to the bridge
  113. relay, learn the associated
  114. server descriptor, and start building circuits. This is great, but what if
  115. the firewall creates signatures for plaintext http requests for server
  116. descriptors, to block them? One option is a workaround that changes the
  117. appearance of the plaintext at each step (I can imagine a simple scheme
  118. where we send a 16 byte key, and then encrypt the rest of the stream with
  119. that key -- it doesn't provide actual confidentiality, but it's hard to
  120. recognize that it's a Tor connection); another option is to conclude that
  121. it will be better to tunnel through a Tor circuit when fetching them.
  122. \item Key fingerprint, which lets you lookup the most recent server
  123. descriptor at the BDA (assuming you can reach it).
  124. \item A blinded token, which can be exchanged at the BDA (assuming you
  125. can reach it) for a new IP:dirport or server descriptor.
  126. \end{tightlist}
  127. See the following section for ways to bootstrap knowledge of your first
  128. bridge relay, and ways to maintain connectivity once you know a few
  129. bridge relays.
  130. \section{Discovering and maintaining working bridge relays}
  131. \subsection{Initial network discovery}
  132. We make the assumption that the firewall is not perfect. People can
  133. get around it through the usual means, or they know a friend who can.
  134. If they can't get around it at all, then we can't help them -- they
  135. should go meet more people.
  136. Thus they can reach the BDA. From here we either assume a social
  137. network or other mechanism for learning IP:dirport or key fingerprints
  138. as above, or we assume an account server that allows us to limit the
  139. number of new bridge relays an external attacker can discover.
  140. \subsection{The account server}
  141. Users can establish reputations, perhaps based on social network
  142. connectivity, perhaps based on not getting their bridge relays blocked,
  143. \section{Other issues}
  144. \subsection{How many bridge relays should you know about?}
  145. If they're ordinary Tor users on cable modem or DSL, many of them will
  146. disappear periodically. How many bridge relays should a blockee know
  147. about before he's likely to have at least one up at any given point?
  148. The related question is: if the bridge relays change IP addresses
  149. periodically, how often does the blockee need to "check in" in order
  150. to keep from being cut out of the loop?
  151. \subsection{How do we know if a bridge relay has been blocked?}
  152. We need some mechanism for testing reachability from inside the
  153. blocked area. The easiest answer is for certain users inside
  154. the area to sign up as testing relays, and then we can route through
  155. them and see if it works.
  156. First problem is that different network areas block different net masks,
  157. and it will likely be hard to know which users are in which areas. So
  158. if a bridge relay isn't reachable, is that because of a network block
  159. somewhere, because of a problem at the bridge relay, or just a temporary
  160. outage?
  161. Second problem is that if we pick random users to test random relays, the
  162. adversary should sign up users on the inside, and enumerate the relays
  163. we test. But it seems dangerous to just let people come forward and
  164. declare that things are blocked for them, since they could be tricking
  165. us. (This matters even moreso if our reputation system above relies on
  166. whether things get blocked to punish or reward.)
  167. \subsection{Tunneling directory lookups through Tor}
  168. All you need to do is bootstrap, and then you can use
  169. your Tor connection to maintain your Tor connection,
  170. including doing secure directory fetches.
  171. \subsection{Predictable SSL ports}
  172. We should encourage most servers to listen on port 443, which is
  173. where SSL normally listens.
  174. Is that all it will take, or should we set things up so some fraction
  175. of them pick random ports? I can see that both helping and hurting.
  176. \subsection{Predictable TLS handshakes}
  177. Right now Tor has some predictable strings in its TLS handshakes.
  178. These can be removed; but should they be replaced with nothing, or
  179. should we try to emulate some popular browser? In any case our
  180. protocol demands a pair of certs on both sides -- how much will this
  181. make Tor handshakes stand out?
  182. \section{Anonymity issues from becoming a bridge relay}
  183. You can actually harm your anonymity by relaying traffic in Tor. This is
  184. the same issue that ordinary Tor servers face. On the other hand, it
  185. provides improved anonymity against some attacks too:
  186. \begin{verbatim}
  187. http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerAnonymity
  188. \end{verbatim}
  189. \section{Future designs}
  190. \subsection{Bridges inside the blocked network too}
  191. Assuming actually crossing the firewall is the risky part of the
  192. operation, can we have some bridge relays inside the blocked area too,
  193. and more established users can use them as relays so they don't need to
  194. communicate over the firewall directly at all? A simple example here is
  195. to make new blocked users into internal bridges also -- so they sign up
  196. on the BDA as part of doing their query, and we give out their addresses
  197. rather than (or along with) the external bridge addresses. This design
  198. is a lot trickier because it brings in the complexity of whether the
  199. internal bridges will remain available, can maintain reachability with
  200. the outside world, etc.
  201. Hidden services as bridges.
  202. %\bibliographystyle{plain} \bibliography{tor-design}
  203. \end{document}