The Onion Router (TOR)

High Speed Onion Router at the Network Layer (HORNET)CS898AB Privacy Enhancing TechnologiesDr. Murtaza JadliwalaPresented ByAhmed Abdelaziz1

1SummaryHornet DefinitionWhy use Hornet?How can Hornet accomplish High Speed?Problem DefinitionDesired PropertiesOverviewSender anonymitySender anonymity illustrationSender-receiver anonymitySender-receiver anonymity illustrationTOR Browser Demo

2What is HORNET ?A system the enables high-speed end-to-end anonymous channel by leveraging next-generation network architecture.Next Generation network (NGN): is a set of key architectural changes in access networks and telecommunication core. The key idea is that one network transports all information and services (voice, data, video). Convergence.

3Distributed Networkingis adistributedcomputingnetworksystem, said to be "distributed" when the computer programming and the data to be worked on are spread out over more than one computer.3Why HORNET?Recent revelations about global-scale pervasive surveillance programs have demonstrated that privacy of Internet users worldwide is at risk. To protect against these threats, several anonymous systems developed:

Mix networks: Provide high-latency asynchronous messaging.

Onion Routing Networks (TOR): Balance between security and performancelow-latency anonymous communications.Suitable for typical internet activities. Requires per connection state to be maintained by intermediate nodesLimited number of concurrent anonymous connections that can take place simultaneously.

Need for an anonymous system that can scale across the internet and is robust.

4Distributed Networkingis adistributedcomputingnetworksystem, said to be "distributed" when the computer programming and the data to be worked on are spread out over more than one computer.4How can HORNET do it?Offers Payload protection by defaultHighly efficient as it can use short paths offered by underlying network architectures, rather than long paths due to global redirectionInstead of keeping state at each relay node, connection state (e.g. onion layer decryption key, route information) is carried within packet headers, allowing intermediate nodes to quickly forward traffic with per-packet state lookup.55Problem DefinitionAnonymity: against adversaries with mass surveillance capabilities.

relationship anonymity: An adversary observing traffic traversing the network should be unable to link (at large scale) pairs of communications hosts.

Sender anonymity: Anonymity is guaranteed for the source, but the destinations location is public.

Sender-receiver anonymity: Anonymity guarantee is extended to the destination (e.g. hidden services)

6Desired PropertiesHORNET is designed to achieve the following security and anonymity properties:Path information integrity and secrecy: an adversary can not modify a packet header to alter the path with out detection, nor he can learn a nodes forwarding information or a position

No packet correlation: An adversary that can eavesdrop on multiple links in the network cannot correlate packets on those links by observing bit patterns in the header or payload. This should hold regardless if whether the observed traffic belongs to the same packet at different parts of the network or correspond to different packets from a single session.7Desired Properties (cont.)No session linkage: An adversary can not link packets from different session even from the same source and destination

Payload secrecy and end-to-end integrity: An adversary can not learn any information from the data payload except for its length and timing among sequence of packets.8HORNET OVERVIEWThe basic design objectives for HORNET are scalability and efficiency.

To enable Internet-scale anonymous communications:Intermediate nodes must avoid keeping per-session state (e.g. cryptographic keys, and routing information).Instead Session state is offloaded to end hostsEnd hosts embed that information into the packets The intermediate nodes then can extract the state.

9HORNET OVERVIEW (cont.)First challenge presented:Nodes need to prevent their off loaded state from leaking information (e.g. Keys)Each HORNET node maintains a local secret to encrypt the offloaded per-session state.

The encrypted state is called Forwarding Segment (FS)

The FS allows its creating node to dynamically retrieve the embedded information (i.e. next hop, shared key, session expiration time), while hiding this information from unauthorized 3rd parties

10Sender AnonymityAnonymous sessions between the source and a destination requires:The source to establish state between itself and every node on the pathThe state will be carried is subsequent data packetsIntermediate nodes will be able to retrieve their corresponding state and forward the packet to the next hop.

11Sender Anonymity (cont.)Setup Phase: To establish an anonymous session between a source S and a public destination D, S uses a single round of Sphinx (secure mix protocol)The round consists of two Sphinx packets (one for the forward path and one for the backward path)Each Sphinx packets will anonymously establish shared symmetric keys between S and every node on that pathThe modified Sphinx protocol anonymously collects the FSes for each and protects their integrity and secrecySphinx is not suitable for data transmission due to its expensive per-hop asymmetric cryptographic operations. Only used for setup phase.

12Sender Anonymity (cont.)Data transmission Phase: Having collected FSes The source constructs a forward AHDR and a backward AHDR for the forward and backward paths.AHDR carry the FSes which contains all state necessary for nodes to process and forward packets to the next hop.The source onion encrypts the data payload using sessions shared symmetric keys, and prepends the AHDR Each node then retrieves its FS from the AHDR, onion-decrypts the packet and forwards it to the next hop, until it reaches the destinationThe destination uses the backward AHDR (received in the first data packet) to send data back to S, with the only difference that the payload is encrypted along the way instead of decrypted.1314SenderSReceiverRN1N2N3FS-1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2

N1FS Payload

Setup PacketMAC-1MAC-2MAC-315SenderSReceiverRN1N2N3FS-1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2

N1FS Payload

Setup PacketMAC-1MAC-2MAC-316SenderSReceiverRN1N2N3FS-1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2

N1FS Payload

Setup PacketMAC-1MAC-2MAC-3

K117SenderSReceiverRN1N2N3FS-1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2FS Payload

Setup PacketMAC-1MAC-2MAC-3

K1

K1FS Payload

18SenderSReceiverRN1N2N3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2Setup PacketMAC-1MAC-2MAC-3

K1

K1

K1FS-1FS-2FS-3FS-119SenderSReceiverRN1N2N3MAC-1

K1

K1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2FS Payload

Setup PacketMAC-2MAC-3

K1FS-120SenderSReceiverRN1N2N3MAC-1

K1

K1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3

N2FS Payload

Setup PacketMAC-2MAC-3

K1FS-121SenderSReceiverRN1N2N3MAC-1

K1

K1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3FS Payload

Setup PacketMAC-2MAC-3

K1

K2

K2FS-122SenderSReceiverRN1N2N3MAC-1

K1

K1FS-2FS-3Sphinx Payload

Sphinx Header

typehopsEXP

N3FS Payload

Setup PacketMAC-2MAC-3

K1

K2

K2

K2FS-1FS-223SenderSReceiverRN1N2N3MAC-1

K1

K1FS-3

K2

K2Sphinx Payload

Sphinx Header

typehopsEXP

N3FS Payload

Setup PacketMAC-3

K1

K2FS-1FS-2MAC-224SenderSReceiverRN1N2N3MAC-1

K1

K1FS-3

K2

K2MAC-2Sphinx Payload

Sphinx Header

typehopsEXP

N3FS Payload

Setup PacketMAC-3

K1

K2FS-1FS-225SenderSReceiverRN1N2N3MAC-1

K1

K1

K2

K2MAC-2Sphinx Payload

Sphinx Header

typehopsEXPFS Payload

Setup PacketMAC-3

K1

K2FS-1FS-2

K3

K3FS-3FS-326SenderSReceiverRN1N2N3MAC-1

K1

K1

K2

K2MAC-2

K3

K3Sphinx Payload

Sphinx Header

typehopsEXPFS Payload

Setup Packet

K1

K2FS-1FS-2FS-3

K3Sphinx Payload

Sphinx Header

typehopsEXPFS Payload

Setup Packet

K1

K2FS-1FS-2FS-3

K327SenderSReceiverRN1N2N3MAC-1

K1

K1

K2

K2MAC-2

K3

K3Sphinx Payload

Sphinx Header

typehopsEXPFS Payload

Setup Packet Back

K1

K2FS-1FS-2FS-3

K328SenderSReceiverRN1N2N3MAC-1

K1

K1

K2

K2MAC-2

K3

K3Sphinx Payload

Sphinx Header

typehopsEXPFS Payload

Setup Packet Back

K1

K2FS-1FS-2FS-3

K3FS-1FS-2FS-3Sender-Receiver Anonymity (cont.)Where neither S nor D knows the others location (e.g., a hidden service) Since S doesnt know Ds location and vice versa, S cannot retrieve a path to D, which will prohibit the establishment of a state between S and DPublic rendezvous point (RP) to forward traffic between S and D RP must maintain per-session state between S and DIncreases ComplexityBounds the number of receivers Introduces a state exhaustion denial-of-service attack vector29Sender-Receiver Anonymity (cont.)Nested AHDRs:No state to be kept at the RPA forward AHDR from S to the RP will include the AHDR from the RP to DA backward AHDR from D to the RP will include the AHDR from the RP back to SD selects a public rendezvous point R and completes a HORNET session setup between D and R.D publishes AHDRRD , which will not leak any information about D and only allows to send data to D via R within a specific time windowS retrieved AHDRRD then established a HORNET session between S and RS constructs a nested AHDR with AHDRRD inside AHDRSR R will retrieve AHDRRD from AHDRSR and forward the packet to DS also includes AHDRRS in the data payload of the first data packet to D, allowing D to create a return path to S3031SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRD32SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRD33SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDAHDRRD34SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRSRAHDRRD35SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRSRAHDRRDAHDRRD36SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRD37SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRD38SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRD39SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRD40SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRD41SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRDAHDRRSAHDRRS42SenderSReceiverDHORNET PROTOCOLPublic DirectoryRendezvous RHORNETAHDRRDAHDRRDHORNETAHDRRDAHDRSRAHDRRDAHDRRSAHDRRSAHDRRS43

Questions?44