Measuring and Monitoring the Tor Network: Privacy Risks and Transparency Challenges
This content delves into the complexities of measuring and monitoring the Tor network, highlighting the inherent privacy risks and transparency challenges involved. It discusses issues such as deanonymization, storing sensitive data at relays, and the potential for leaks and compromises. The importance of balancing network privacy with the need for transparency is emphasized throughout the discussion.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Measuring and Monitoring the Tor Network Aaron Johnson August 19th, 2018 Encryption and Surveillance Workshop
References and Acknowledgements Understanding Tor Usage with Privacy-Preserving Measurement Akshaya Mani (Georgetown University), T Wilson-Brown (UNSW Canberra Cyber, University of New South Wales), Rob Jansen (U.S. Naval Research Laboratory) Aaron Johnson (U.S. Naval Research Laboratory) Micah Sherr (Georgetown University), To appear in the 2018 Internet Measurement Conference. Tunable Transparency: Secure Computation in the Tor Network Ryan Wails (U.S. Naval Research Laboratory) Aaron Johnson (U.S. Naval Research Laboratory) Daniel Starin (George Mason University, Vencore Labs) Arkady Yerukhimovich (MIT Lincoln Laboratory) S. Dov Gordon (George Mason University) In preparation (draft available). 2
Tor Background Users Destinations Tor is a popular system for anonymous, censorship-resistant Internet communication. 4
Tor Background: Onion Routing Users Relays Destinations Circuit Stream 5
Tor Background: Onion Routing Users Relays Onion Services (e.g. nytimes3xbfgragh.onion) Circuit Stream 6
Tor Background: Who Uses Tor Over 6000 relays in over 75 countries Over 2,000,000 daily users 100Gbps aggregate traffic 7
Tor Measurement and Monitoring Do network privacy and transparency conflict? 8
Tor Measurement and Monitoring Privacy risks of measuring Tor Deanonymizing individual connections Storing sensitive data at relays risks leaks from compromise Revealing interesting users (e.g. from censored locations) Revealing private onion services 10
Tor Measurement and Monitoring Problems without some transparency Level of anonymity unknown Network subject to silent attack and abuse Network can be covertly used for attack and abuse Network management and improvement difficult 11
Tor Measurement https://metrics.torproject.org Some current Tor measurements Data How measured Relay bandwidth capacity Self, BW Authorities Relay used bandwidth Per relay Total daily users Per relay Privacy techniques Test measurements Report every 4 hrs Inferred from consensus downloads Report every 24 hrs, round, opt-in Differential privacy, round Report every 24 hrs, opt-in Users per country Per relay # onion services Exit traffic per port Per relay Per relay 12
Tor Measurement https://metrics.torproject.org Some current Tor measurements Data How measured Relay bandwidth capacity Self, BW Authorities Relay used bandwidth Per relay Total daily users Per relay Privacy techniques Test measurements Report every 4 hrs Inferred from consensus downloads Report every 24 hrs, round, opt-in Differential privacy, round Report every 24 hrs, opt-in Users per country Per relay # onion services Exit traffic per port Per relay Per relay Inaccurate 13
Tor Measurement https://metrics.torproject.org Some current Tor measurements Data How measured Relay bandwidth capacity Self, BW Authorities Relay used bandwidth Per relay Total daily users Per relay Privacy techniques Test measurements Report every 4 hrs Inferred from consensus downloads Report every 24 hrs, round, opt-in Differential privacy, round Report every 24 hrs, opt-in Users per country Per relay # onion services Exit traffic per port Per relay Per relay Unsafe 14
Tor Measurement https://metrics.torproject.org Some current Tor measurements Data How measured Relay bandwidth capacity Self, BW Authorities Relay used bandwidth Per relay Total daily users Per relay Privacy techniques Test measurements Report every 4 hrs Inferred from consensus downloads Report every 24 hrs, round, opt-in Differential privacy, round Report every 24 hrs, opt-in Users per country Per relay # onion services Exit traffic per port Per relay Per relay Incomplete 15
Secure Aggregation n Data Collectors (DCs) / Relays x2 x3 x1 Output is noisy aggregate, hiding the inputs xi. Data Aggregators (DAs) m Data Collection: 1. DCs store data obliviously during measurement period. 2. DCs secret-share inputs to DAs at end of measurement period. 3. DAs run protocol to aggregate and add differentially-private noise. Developed two systems: PrivCount: Computes sums PSC: Computes private set-union cardinality Tolerate m-1 malicious DAs Transitioning PrivCount into Tor: Proposal 288 17
Tor Measurement Study Performed Tor measurements Exit, entries, and onion-service statistics 24-hour measurements January May 2018 Ran 16 Tor relays 1.5% total exit, 1.2% guard, 2.8% onion lookup Canada, France, US Used PrivCount and PSC 3 Data Aggregators (DAs) 3 DA operators Located in US and Australia 18
Tor Measurement Study: Exit Statistics Tor Web connections to popular domains (Alexa top 1M) 19
Tor Measurement Study: Entry and Onion Services Daily client activity (95% CI inferred network-wide) Unique client IPs: 6.61 11.2 million Promiscuous clients: 14,400 21,500 Daily onion-service activity (95% CI inferred network-wide) 1,350 1,740 lookups/second 1,192 1,620 failed lookups/s ~93% failure rate 20
Secure Multiparty Computation Flexible transparency with MPC Robust statistics to limit effect of malicious Improved client-size estimation Measure abuse of and with Tor Botnets on onion services Denial-of-service attacks Hacking attempts (e.g. vulnerability scanning) Site scraping 22
Secure Multiparty Computation n Data Collectors (DCs) / Relays x2 x3 x1 Output is some function f(x1,x2,x3), hiding the inputs xi. Computation Parties (CPs) m Data Collection: 1. DCs store data obliviously during measurement period. 2. DCs secret-share inputs to CPs at end of measurement period. 3. CPs run protocol to compute some function f on the inputs. Tor MPC design TinyOT (Burra et al. 2015) for offline/online Boolean-circuit evaluation. Secure against malicious, dishonest majority. 23
Secure Multiparty Computation TinyOT performance estimates 7,000 Data Collectors 5 Computation Parties 40-bit statistical security Count Distinct Median Offline communication 12.7 GB 31.43 GB Offline time (1Gbps BW) 1.69 minutes 4.19 minutes Offline throughput 852/day 344/day Online time (200ms RTT) 5 minutes 2 seconds 32-bit median values, count-distinct error 5.8% (LogLog) 24
Conclusions Tor is developing privacy-focused mechanisms for measurement and monitoring. Flexible transparency mechanisms raise new issues If Tor can reveal information, will it become obligated to do so? Where should the line between transparency and privacy be drawn? What governance mechanisms can handle making these decisions? Other systems may face similar measurement questions Privacy-enhanced cryptocurrencies (Zcash, Monero) Privacy-enhanced cloud services 25