NSA can decrypt Tor Traffic?

Discussion in 'privacy technology' started by Shark_M, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Shark_M

    Shark_M Registered Member

    Joined:
    Feb 23, 2007
    Posts:
    7
    Hi,
    The weak link in Tor is the encryption. Tor needs to use multi-layer encryption to encrypt its traffic.

    The One Time Pad, should be used in conjunction with RSA and other 3 layered systems

    They should also allow the use to give us some kind of control on what tor servers to connect to per country.

    So I want to be able to tell Tor Client to connect only to tor servers in those specific countries and not to randomly select from the entire globe.

    This is to prevent Malicious tor end nodes.

    What do you think? How do I give feedback to Tor's devs.
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    " NSA can decrypt Tor Traffic"?

    But why in the world would they want to devote the kind of time and resources to decrypt Tor?.... unless a person is a terrorist.......in which case I hope they do. They are the greatest threat to freedom of speech known to mankind. Religious Fundamentalism (of any kind) is a disease.
     
  3. Shark_M

    Shark_M Registered Member

    Joined:
    Feb 23, 2007
    Posts:
    7
    Your reasons are wrong.

    Not everyone who uses Tor is bad. NSA can decrypt SSL. This makes Tor useless.

    People who use tor are not all as you say.

    Secondly, what do terrorists have to do with Tor?

    The topic of this Thread is about a vulnerability to Tor's cryptosystem. The purpose of cryptography is to scramble the messages. If by your argument then Tor itself should not exist. o_O
     
  4. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    This question was answered before, right here:

    ISP question - regarding anonymous browser

    Some posts from the creator of XeroBank browser made in 2006. It was called Torpark browser at that time. I saved them from his own personal board, which now doesn't exist anymore (it was removed):

    Now, the explanation about what Torpark/Xerobank does exactly from another user:

    Steve Topletz, the creator of Torpark/XeroBank browser also replied on the same thread:

    I only disagree with his first statement when he says that "the data about what websites you visit never resides with your ISP". Data retention is not something unusual. We must assume that all ISPs out there are saving and retaining all kinds of information about us, because privacy is something not respected these days.
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I know that not everyone who uses tor is bad. I use it sometimes. But the NSA was brought up. That is why I mentioned that the only reason that they (NSA) would go to the trouble of decrypting something is if they suspected someone of being a terrorist. What other reason could you think of? o_O For downloading Britney Spears? I think not.

    You have misinterpreted what I was saying completely.

    The topic or title of this thread is specifically "NSA can decrypt Tor Traffic"? So who else besides the NSA has the super computers and knowledge of how to decrypt tor? o_O

    So you are saying that the only need for tor is so the NSA can decrypt it to catch terrorists? Otherwise it is of no use? I certainly did not say that. Or even imply it.
     
  6. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    They can?

    I won't claim to be an expert on Tor; in fact, I don't keep up with much of the analysis related to it. But, if encryption is its weakest link, then that could imply that the rest must be built like a tank. Needless to say, cryptography is rarely ever the weakest link; it's usually the strongest. In that case, they must be doing something horribly wrong with the cryptography or something amazingly right with the rest of the protocol. Are you saying that it's weak from an implementation standpoint or a cryptographic one? What do you mean by multi-layer?

    I don't really like that idea. By suggesting the use of a one-time-pad, this probably means that you're wanting information-theoretic security. While it achieves unconditionally secure confidentiality, it's lousy at providing integrity; to be more exact, it provides absolutely none.

    Fortunately, we can build an unconditionally-secure MAC from a 2-universal hash, to give us unconditionally secure integrity, against adversaries with unbounded computing power. I suggest taking a look at this link. It should give you a thorough treatment of the subject.

    Honestly, I'd stick to conventional cryptographic primitives, but if you're going to go the route of a one-time-pad, make sure you do it right. If you're not preserving integrity, you're out of luck; the one-time-pad can't save you here. Oh, and again, what are these "multi-layer," "3 layered systems" you speak of? I can't think of any good reason why you'd not just use something like the AES.

    They can? I would rather see folks using protocols we've studied extensively, like SSL/TLS, rather than attempting to roll their own ad hoc design. It seems quite sufficient to me, and I'm sure you'll find much of the cryptographic community to be under the same impression.

    Actually, there are many, often more important, purposes for using cryptography. Encryption alone is almost never sufficient - not even for a one-time-pad.
     
    Last edited: Dec 30, 2007
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I think you've misunderstood. If you are browsing the web with Tor and using a program like xB Browser to make sure the DNSing goes through the onion network, then your ISP never gets to see what websites you visit, and does not have that data to store.
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    As per Justin, encryption is very secure if you use a mainstream algorithm and it is implemented properly.

    One of the reasons why stream ciphers came into being is the difficulty of implementing the one time pad. One time pads are of academic value and just aren't practical.

    Well the problem is religious fundamentalism not crypto.

    How do you know? :p

    I also have some doubts about Steve Topletz's comments on the NSA. Modern cryptography was designed with governments in mind. Is it really just a matter of a few days to brute force 128bit keys?
     
  9. controler

    controler Guest

    I used TOR years ago but haven't for some time now.

    Does this new Xerobank have more layers of encryption?

    I refer back to Jim Verard's post.

    Steve states it has 3 layers of encryption.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Tor has attackers in mind who have less power than a government intelligence agency. Intel agencies can do massive traffic analysis, they don't need to break the crypto to find out who/where you are. Not to mention a large amount of the tor nodes are operated by governments, imho. With today's processing power, over 128 bit is overkill.

    Otherwise, yes, 128 bit is fine. XeroBank uses a 2048-bit DH key exchange so you can verify we are who we say we are, and we verify you are the account holder, then a 192/256-bit AES crypto stream routed through xerobank. I'll have to check and make sure of the strength on the stream, but it certainly defeats sub gov intel agencies capabilities to crack... except for maybe the owners of the storm worm botnet (>1m computers).

    And I'm sure you are aware that each bit of crypto in the same algo is another order of magnitude as difficult to crack. So the difference between 128 -> 192 is huge, as is the jump to 256 bits. 3 layers of 128 bit AES doesn't come close. Just for a really unscientific sake of argument, that would be the generic equivalent of ~130bit AES (no such, and probably isn't even right).

    So yes, there is a funny tipping point: Anyone who has the processing power to crack aes128 probably also has the network power to break anonymity systems by traffic analysis.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It serves no purpose to make such an unsubstantiated statement about "all ISPs."

    This topic came up last year on another forum and I contacted my ISP (local here in my community). He replied that the only information about users he retains is that which was submitted upon signing up for the service.

    At the end of each day, he deletes all user surfing data from the server.


    ----
    rich
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I don't understand how they could tell who someone is or where they live by analyzing traffic coming from Tor. If tor does not even know your IP address at the exit point, how could analyzing traffic do so?
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX

    Actually, we don't do any logging at all of our users. In our new system, we won't even be able to tell who owns what account.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Because the ISP can see *who* your computer is talking to, and intelligence agencies have the internet tapped. They can see you visit website x, talking through tor node 3, talking through tor node 2, talking through tor node 1, talking to your computer. They can see who is talking to whom, and depending on your computer sending requests that get relayed through the network, they can follow the string right back to you because they are capable of observing the whole internet.
     
  15. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    It's sufficient, really.

    I tend to agree that 128-bit security is sufficient. Most of the time I see anything above that, it's either a marketing ploy, or, more reasonably, a certification requirement. However, when I say I think 128-bit security is sufficient, I mean just that: 128-bit security. It's often easier to realize this through 256-bit keys, since key material has the nasty habit of leaking in real-world products.

    Just as I mentioned here, I'm not one for speculation, especially when it's unfounded, as this appears to be. It's best not to worry consumers with things like this, because it leads them to assume that what cryptographers call "sufficient," is not. Paranoia ensues and there are numerous companies and snake-oil peddlers that prey on this. If your system falls apart, the last reason for it doing so will be because you used the AES with a 192-bit or 256-bit key.

    On a side note, you mention how you do key exchange and how you handle the confidentiality part of data exchange, but what do you do for the integrity part of data exchange? A MAC? Is all of this handled with SSL/TLS?
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes, it is TLS, executed with OpenVPN core. And your remark on a scheme being broken is poignant, a system isn't going to be compromised because the cypher strength was 192-bit vs. 256-bit, as that isn't the weak point.

    The specifics are that it uses blowfish and aes128cbc but you can change the cipher to 192 or 256 and the server will accept it. I will check to see if there is an HMAC, I'm no openvpn master, but looking at the default config I don't see a tls-auth directive.

    Here is the pertinent info:

    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    tls-client
    ca certauth.crt
    cert cert.crt
    key keyfile.key
    dh dh2048.pem

    cipher BF-CBC
    cipher AES-256-CBC

    ns-cert-type server
    comp-lzo
    verb 3
     
    Last edited: Dec 30, 2007
  17. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Use a MAC.

    Be sure to use authentication; it's almost never enough to use encryption alone. Being able to manipulate data is often far worse than being able to divulge it. Furthermore, confidentiality can even be lost by a lack of integrity. Given that, it's best to always use a MAC, when you can.
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I thought the XeroBank browser and the Vidalia bundle with privoxy prevented the ISP from knowing what websites you visit. I know that they can see that you connect to a Tor server, but I thought that it was impossible to see where it leaves Tor and where it goes from there.
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Use a MAC.

    The official response back from the CSO was "TLS-auth is nice if you have clients that you trust. XB does not have explicit trust in clients, so there is no help or harm in our implementation."
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    It prevents your ISP from knowing what website YOU visit, but they know you are talking to Tor node 1. Tor node 1's ISP knows he is talking to Tor node 2 and so on. If all ISPs collude, or simply an intelligence agency can monitor all the ISPs, they can perform traffic analysis.
     
  21. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Any good reasons?

    So, it's worth the trouble to preserve confidentiality, but not integrity? In other words, adversaries aren't allowed to divulge information, but they are allowed to manipulate it; is that right? Allowing the latter can lead to the allowance of the former, if you're not careful. Is there a good reason why you don't use a MAC?
     
  22. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Wow. I did not know that this was possible. But is this some kind of far fetched scenario that would be used under extreme circumstances......like for terrorists or something? It seems awfully involved and complicated a technique to employ just for some minor legal violation, like downloading music. I mean there are all kinds of internet scams that no one seems to be able to track or resolve. Identity theft seems to be rampant and I have NEVER heard of any of these thieves being tracked this way. Could traffic analysis be done with XeroBank? And if so, who would be capable of this and for what reasons would they go to such trouble?
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It already does - the connection from your PC to the first Tor node has 3 layers of 128-bit AES encryption. The first layer is decrypted by node 1 before it sends the data onto node 2 (meaning it now has 2 layers) and node 2 will decrypt another layer before sending it onto node 3. Node 3 decrypts the last layer and sends the cleartext traffic to the final destination. This is detailed in the Tor Overview.

    While One Time Pads (OTPs) are the only encryption method mathematically proven to be uncrackable, they are (as mentioned above) impractical for almost all situations. The reason is that the cipher key ends up the same size as the encrypted data (i.e. 100MB of data requires a 100MB key) and you have to send this key using a method that cannot be intercepted by an attacker.

    Due to this, the only situation where OTPs would make sense is with secure communications channels that can only be used intermittently (e.g. a diplomatic pouch to an embassy). In such a case, OTPs could be sent for later use on encrypting otherwise insecure communications.

    Being able to select the country for the exit node is on one To Do list (but not the "main To Do"). However if you are concerned about government monitoring, then the best option is to select nodes from around the globe - multiple countries means multiple jurisdictions making both legal (and extra-legal) tracking harder to arrange.

    Nothing mentioned above would prevent end-node operators from monitoring or attempting to alter traffic. End-node web (http) traffic cannot be encrypted simply because the final destination would not be able to understand it. The best defence is to use encrypted traffic where possible (e.g. https on websites that offer it) and to employ rigorous filtering on other traffic to ensure that you don't fall foul of malicious code (using a non-IE browser is a good idea too).

    Also, since cookie data can be monitored by a malicious node operator, be aware that they could use it to impersonate you on sites relying on cookies only for authentication (including forums like this one). This risk however exists whether or not you use an anonymity service.

    You could switch to an anonymiser like XeroBank or JAP that only allows "trusted" operators to run nodes, but then you have fewer nodes which can be more easily blocked by sites wishing to prevent anonymous connections. This also involves more work to run a node which in turn tends to mean a commercial service (and then you have to ensure that the method of payment used is not one that can be traced back to you).

    Even with these systems though, exit traffic could be monitored or manipulated by anyone with access to the network connection between the exit node and the website you visit so you can only reduce this risk, not eliminate it.

    Curiosity about how security works is great, but there is plenty of documentation available on Tor (including the Tor Wiki) and its design philosophy which can answer most questions. Anyone using Tor should take the time to review these in order to learn its strengths and weaknesses.

    The Tor project does have a contact page and several mailing lists. Doubtless a quick Google search could turn up more information.

    It would be far easier to use traffic analysis to link cleartext exit-node traffic to a source than to brute-force the encryption used. However, that does not necessarily make it easy.

    With anonymity services that use just a single server to relay traffic (that's everything bar Tor, XeroBank and JAP, though with JAP you have to change from the default Dresden-Dresden mix), anyone with access to the network that the server is on can attempt traffic analysis. For multiple relay systems like Tor and XeroBank, an attacker would need access to the network connections of every server involved (and with Tor changing connections every 10 minutes, and XeroBank presumably doing the same, they would need access to every server used by a particular user).

    Now Tor uses 3 relays while XeroBank uses 2 so it may be tempting to think that Tor would be a tougher target for traffic analysis. However another factor is how many traffic streams each server is handling. If you have a server with thousands of connections, it will be far harder to link incoming and outgoing traffic than one with just a few, but only a small number of Tor nodes offer the bandwidth to support large numbers of connections (the entry level for a Tor node is 20KB/s which realistically isn't going to handle more than 4 or 5 connections at dialup speeds). However you are likely to be using one of the larger Tor nodes somewhere along the way and Tor can share/reuse circuits (meaning that a connection may contain more than one user's traffic - this presumably applies to XeroBank also) so overall Tor and XeroBank are likely to be similar in terms of traffic analysis difficulty.

    It's rather difficult to perform an "online scam" without having a website. Tor doesn't offer website hosting and while it does offer "hidden services" these can only be viewed by other Tor users, making their value to fraudsters (who generally need to target the greatest number of poorly-informed users) next to zero. Most scammers either use "tolerant" ISPs that turn a blind eye to complaints or hijacked PCs for hosting their sites.

    In Tor's case, nodes have a private key for authentication but the exit node cleartext traffic can be manipulated. There's no way to provide integrity (or confidentiality) over what an existing website or protocol will allow.
     
    Last edited: Jan 2, 2008
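An added illustration, not from this thread and not Tor's or XeroBank's own code, of the three-layer wrapping Paranoid2000 describes (node 1 peels the outer layer, the exit node sees cleartext) combined with the per-layer MAC Justin Troutman asks for. It substitutes an HMAC-SHA256 counter-mode keystream from the Python standard library for the AES-128 layers so it runs without extra packages, and every key is a constructed test value.

```python
"""Model of onion-layered encryption with an integrity tag on every layer.

Not Tor's actual cell format: the keystream below is an HMAC-SHA256
counter-mode stand-in for AES-128, and keys are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_layer(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC one hop's layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor(payload, keystream(enc_key, nonce, len(payload)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_layer(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed at this hop")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def build_onion(message: bytes, hop_keys: list) -> bytes:
    """Client side: wrap for the exit node first, so node 1's layer ends up outermost."""
    blob = message
    for enc_key, mac_key in reversed(hop_keys):
        blob = wrap_layer(enc_key, mac_key, blob)
    return blob


def after_hops(onion: bytes, hop_keys: list, hops: int) -> bytes:
    """What the data looks like after the first `hops` nodes each removed one layer."""
    blob = onion
    for enc_key, mac_key in hop_keys[:hops]:
        blob = unwrap_layer(enc_key, mac_key, blob)
    return blob


def tamper_detected(onion: bytes, hop_keys: list) -> bool:
    """Flip one ciphertext bit in transit to node 1; its MAC check must reject it."""
    damaged = bytearray(onion)
    damaged[NONCE_LEN + 4] ^= 0x01
    try:
        after_hops(bytes(damaged), hop_keys, 1)
        return False
    except ValueError:
        return True
```

With a plain stream cipher and no tag, the same bit flip would silently flip the corresponding plaintext bit at the next hop, which is the malleability the MAC discussion in this thread is about.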
  24. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Cheers.

    Right. I was aware of the situation with what happens between the exit node and target server, but I was concerned about the links between the intermediate nodes. Section 4.4 of their design paper answered my questions. Cheers!
     
    Last edited: Jan 2, 2008
  25. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I did not realize that you could choose the path that tor takes when you use it. That sounds complicated.
     