A potential technique to deanonymise users of the … potential technique to deanonymise users of the TOR network OPC-MCR, ... TOR uses a rate-limitin store-and-forwarg d

UK TOP SECRET STRAP1 COMINT

A potential technique to deanonymise users of the TOR network

OPC-MCR, GCHQ

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

© Crown Copyright. All rights reserved.


Outline • TOR and the need for deanonymisation • Data transformation • Scoring • Results • Current status • Software

I G C H Q ^

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on|



What is TOR? • "The Onion Router" • Hides source of traffic by passing encrypted

versions of your internet traffic between multiple TOR routers

• Notation: - "Client" - the initiator of communication - "Guard node" - the TOR router the client contacts - "Exit node" - the TOR router that relays your traffic to

the final destination (with no extra encryption so this link can be exploited by SIGINT system)

G C H Q^^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ


Onion Router

Onion Router

Onion Router

Onion Router

Client

Server


What is TOR? Guard Node

/ Onion \ T Router /

Exit Node

G C H Q^^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ or|



Who uses TOR? • TOR was created by the US government and is

now maintained by the Electronic Frontier Foundation (EFF)

• EFF will tell you there are many pseudo-legitimate uses for TOR

• We're interested as bad people use TOR, in particular: - Terrorists - Paedophiles

I G C H Q ^

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ or



Aim • Find client IP address associated with TOR

exit node traffic • Attack based on externals - specifically packet

timings - Strong crypt is being used

I G C H Q ^




Aim • We'll make our task easier by assuming we own

the exit node being used - Allows us to see all the traffic associated with a TOR

circuit - Demultiplex traffic by (unknown) user

F ^ ^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

I G C H Q ^ © Crown Copyright. All rights reserved.


Side note: Circuit tracing • One suggestion was to track packets through each

hop in the TOR network • We experimented with spotting all links in circuits

created by GCHQ • Visibility was too low to be a sensible approach

- 13 out of 8294 potential inter-TOR-router links were seen

• We will directly correlate: - exit node traffic, and - traffic between client and guard node

I G C H Q ^




Own

IGCHQ^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on|



Test data collection • Used the standard "TOR button" web-browser

package to access TOR • Made minor changes to ensure we could collect exit

node traffic 1. "News": Search for news, visit news websites 2. "TOR": Browse the TOR website and then use a privacy

checking website Split into 2a and 2b as TOR changed circuit mid-way through

1. "Download": visit to SlashDot followed by downloading a large PDF file.

2. "Forum": Search on Google followed by browsing a PC technical help forum.




Flattening of timing patterns ^ ^ ^ ^ • ( I C T R - N E ) observed that TOR can flatten out timing patterns TOR uses a rate-limiting store-and-forward procedure at each TOR router Graph shows bytes of exit node traffic in green and client traffic in red whilst downloading a 1MB file (figure from

- 5 Q Q 0 0

— 2 5 0 Q Q

T Os

T 5 0 ; 1 0 0 s 1 5 D S 2 0 0 s

F ^ ^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under ^ ^ other UK information legislation. Refer disclosure requests to GCHQ on

I G C H Q ^ © Crown Copyright. All rights reserved.


Cumulative packet counts Our new insight is to use cumulative packet counts Hope packets are approximately preserved - Approximate as TOR

repacketises data See strong correlation

Exit Guard

l r

StoC

T 1 1 1 1 1 1 5 : 4 6 1 5 : 4 8 1 5 : 5 0 1 5 : 5 2 1 5 : 5 4 1 5 : 5 6 1 5 : 4 6 1 5 : 4 8 1 5 : 5 0 1 5 : 5 2 1 5 : 5 4 1 5 : 5 6

1 6 : 2 2 1 6 : 2 4 1 6 : 2 6 16:28 15:22

Time (hh:mm) 15:24

1 r 16:26 16:2B

G C H Q^^ o i This information is exempt from disclosure under the Freedom of Inforn other UK information legislation. Refer disclosure requests to GCHQ or



Scoring: basic idea An idea of - Bin time into intervals - For each interval get a pair (E,, G,)

• Cumulative exit node packets upto time i • Cumulative guard node packets upto time i

- Measure the correlation between these pairs We use Is time-windows - Easy for the SIGI NT system - Seems to work

G C H Q^^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on|



Scoring: refinements • We also expect counts to be similar

- Fit a linear model . Gi = a+pE i

- Only accept sessions where V 2 < ¡ 5 < 2

I G C H Q ^




Scoring: refinements • There may be an unknown time-offset

- Traffic takes time to relay through the TOR network - SIGINT clocks may not be synchronised - We slide the traces against each other and find the best

match - Truncate to exit node trace (we know that it is a

complete TOR circuit)

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

G C H Q ^ ^ © Crown Copyright. All rights reserved.


Self-comparison beta

We show how the score behaviour as a function of time slide See high correlation (pink) at small time offset Also generally see (3 (blue) in a sensible range

2.0

1.5

1.0

0 ,5

2 .0

1.5

1.0 -

0.5

0.0

2.0 -

1.5

1.0

0 .5 H

0.0

r~2

-500 500

CtoS 1 StoC 1

CtoS 2a StoC 2a

1 \ il 1 1 ft CtoS 2 b StoC 2b

\ \ CtoS 3 StoC 3

\

CtoS 4 StoC 4

X \ -500 500

Time offset / s

IGCHQ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under

^ other UK information legislation. Refer disclosure requests to GCHQ on

Crown Copyright. All rights reserved.


False positives • Want an algorithm with very low false positive rate • Used 2 hours of (timestamp, source IP, destination

IP) tuples captured from 4 10G internet bearers • Filtered to tuples between a guard node and a non-

TOR node • Allow time to arbitrarily slide +/- 2 hours

- In real redeployment one would restrict this slide • Allow us to plot ROC curves for the technique

I G C H Q ^



UK TOP SECRET STRAF

False positives Linear - log ROC curve plot Server-to-client good - We miss the very short "2a"

session with no false-positives - Threshold r2=0.998

• High as comparing increasing functions

Client-to-server direction -many false positives - There's less structure in data as

less data flows in this direction when web-browsing

Server to client

« £

-i—' v> o CL <D

OO Ö

CO o

CN Ö o Ö n

1 e - 0 6

I I 1e-04 1e-02

False positive rate

Client to server

1e+00

jD œ

I ¡7) O CL

où Ó (O ö ö

(M Ö O ö

IGCHQ̂ This information is exempt from disclosure under the Freedom of Infoi other UK information legislation. Refer disclosure requests to GCHQ c


1e-06 1e-04 1e-02

False positive rate

1e+00


A larger experiment • We want to find some false hits to understand worst

case accuracy for the server-to-client direction • Let's open the aperture very wide

- 2027 bearer hours of logs with any time slide - Filter to all traffic involving a TOR node

• Not just likely guard-to-client traffic as before

• We find some false hits (540) but rate is assessed to be low enough.

• 92% of false hits are against the big download session which has little structure




The next step • We are collecting the required logs of packet

times with TOR guard nodes in SIGINT • GTE / JTRIG have adapted some TOR exit nodes

we own to collect the required exit node data - We are keen to engage with others with exit nodes too

• Then run the attack - Expect to basically work - Some extra work might be required to only allow

queries on sessions with enough structure • Need the bulk data first to progress this question

This information is exempt from disclosure under the Freedom of lnformatiorW\ç^OO(^JTçhT^^ other UK information legislation. Refer disclosure requests to GCHQ

IGCHQ^ © Crown Copyright. All rights reserved.


R package An R packaae can be downloaded from

Includes algorithm and the collected web-browsing data Recommend R packages for sharing analytics, can contain: - R / C / Fortran code - Example data - Runnable examples and documentation - Unit tests

G C H Q^^ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on|



Conclusion • Have shown a potential externals-based

deanonymisation attack for TOR - Requires SIGINT collection of guard-to-client packet

times - Requires TOR collection from exit nodes we own

• Hope to get this running live at GCHQ soon

• Full paper and software available from

IGCHQ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on |





Documents

A potential technique to deanonymise users of the … potential technique to deanonymise users of the TOR network OPC-MCR, ... TOR uses a rate-limitin store-and-forwarg d