Anonymous networks and timing attacks: low-cost attack on Tarzan and Morphmix
- Transfer
Introduction | Tor | Tarzan and MorphMix | Low Cost Attack | Low Cost Attack on Tarzan and Morphmix | Principles of building secure systems (conclusion)
To test on Tarzan and MorphMix we took the same attack model that was used in Tor. An attacker needs two things: a malicious node and a malicious server. The sender will act as a malicious node in both networks (Tarzan and MorphMix). In Tarzan terminology, it is called the Tarzan client, in MorphMix it is the initiating node.
Next, the malicious host should receive a list of all other hosts on the network. Then, he establishes a connection with each of them and monitors delays that occur in the connections. Observation should be conducted for some time. Throughout the entire monitoring period, the malicious server does not stop sending its traffic to the system. At the end of the observation period, the results of delay measurements in each connection are used to estimate the traffic volumes of the respective nodes. Then, node loads are compared with server traffic. If matches are detected, then the node enters the anonymizing chain. After comparing for all nodes, you can identify the entire chain.
Thus, for a successful attack, the following conditions must be met:
Tor is susceptible to attack because its architecture meets these requirements. First, the Tor developers removed the mixing operations and the covering traffic, so the temporal characteristics of the streams are preserved throughout the chain. This was confirmed by experiments (Murdoch & Danezis 2005). Secondly, Tor provides a directory service with which the Tor client can get a list of all nodes (Tor servers) in the network. Thirdly, nothing prevents the Tor client from establishing a connection with all Tor servers.
Check if the above conditions are met in Tarzan.
There are two main differences between Tarzan and Tor that affect network delays. Firstly, Tor processes queues in round-robin fashion mode. Secondly, in Tor there is no mixing and cover traffic. At Tarzan, things are different. Tarzan provides a simulator mechanism. Due to which the activity of outgoing links from the node is comparable to the activity of incoming ones. If any connection is not active enough, Tarzan adds fake traffic. In addition, before sending, the Tarzan node performs some mixing operations on all outgoing streams.
Thus, the question is whether the simulator mechanism can destroy the timing characteristics of the transmitted streams. The only way to check is to conduct an experiment similar to that which was arranged in Tor. Unfortunately, we do not have a test bench for the simulator mechanism. Let us leave this question open and assume that timing characteristics are not destroyed. Thus, we still believe that the attack on Tor is effective for Tarzan.
To search for other network nodes, the Tarzan node uses a gossip-protocol-based mechanism. Those. each Tarzan node can theoretically receive information about all other network nodes. But the task can be difficult to accomplish due to the fact that Tarzan is a peer-to-peer network and the number of nodes can be very large and constantly changing. Thus, it seems doubtful that a malicious node will be able to evaluate the delays of all other network nodes. However, since There is a theoretical possibility, we assume that the condition is satisfied.
If, after receiving a list of all other network nodes, the malicious node has the opportunity to establish a direct connection with each of them, then the third condition is fulfilled. Unlike Tor, Tarzan allows you to transfer traffic only through facial expressions. Thus, if the node is not among the facial expressions of the malicious node, then the malicious node will not be able to establish a direct connection with it. If the connection requires intermediaries, then the malicious node cannot correctly measure the delays. Because measurements may depend on delays created by intermediate nodes. Thus, everything looks so that the low-cost attack is not applicable to Tarzan. However, this is not so. Tarzan has PNAT - the last node in the tunnel through which the connection goes into the outside world. Unlike other intermediate nodes in the tunnel, when the choice of each next node is limited by the list of facial expressions, any network node can be assigned as a PNAT. Thus, a malicious node has the ability to establish a direct connection without intermediaries with any node - the facial expression mechanism does not solve the problem.
Summarize. The low cost attack is applicable to Tarzan, as the facial expression mechanism does not destroy the timing characteristics of flows, and PNAT can be selected from among all network nodes, and not just from facial expressions.
The main difference between MorphMox and Tor is the network architecture and how the selection of the transfer nodes of the tunnel and the output node occurs. MorphMix follows the peer-to-peer architecture, while Tor uses dedicated servers as the transfer nodes. In Tor, the Tor client independently selects all nodes to organize an anonymous tunnel. In MorphMix, all intermediate nodes are involved in the tunnel formation. Tor has an exit node, but MorphMix doesn't. We will test the applicability of a low-cost attack on MorphMix using the same three criteria.
Once the tunnel is established, the MorphMix and Tor nodes work the same. Both have no covering traffic. Thus, in this section, the attack can be applied to MorphMix.
To operate the network, each MorphMix node may not know all the other nodes. It is enough that every node knows its neighbors. When a node wants to create a tunnel, it sequentially requests each next MorphMix node a list of recommended nodes, from which the next tunnel node will be selected. This mechanism allows you to create anonymous tunnels without having a list of all network nodes.
The point is this. To carry out an attack, a malicious node needs to get a list of all network nodes. This is not a trivial task, because information about other nodes can only be obtained using the tunnel creation mechanism. A successful attack requires a more efficient search engine — otherwise, defining a list of all network nodes is very expensive. Those. “Low cost" attack becomes "expensive". In addition, by the time the list is built, it is likely to be out of date, as The composition of the peer-to-peer network is very unstable. In addition, since MorphMix nodes do not know all the other network nodes, there is no guarantee that communication can be established between all nodes (whether it is direct or not). Thus, the attack is not feasible.
There are no connection restrictions in MorpMix. Those. each node can establish a direct connection to any other node.
In short, the described attack is not applicable to MorpMix, because the malicious host cannot get a list of all other hosts on the network.
To test on Tarzan and MorphMix we took the same attack model that was used in Tor. An attacker needs two things: a malicious node and a malicious server. The sender will act as a malicious node in both networks (Tarzan and MorphMix). In Tarzan terminology, it is called the Tarzan client, in MorphMix it is the initiating node.
Next, the malicious host should receive a list of all other hosts on the network. Then, he establishes a connection with each of them and monitors delays that occur in the connections. Observation should be conducted for some time. Throughout the entire monitoring period, the malicious server does not stop sending its traffic to the system. At the end of the observation period, the results of delay measurements in each connection are used to estimate the traffic volumes of the respective nodes. Then, node loads are compared with server traffic. If matches are detected, then the node enters the anonymizing chain. After comparing for all nodes, you can identify the entire chain.
Thus, for a successful attack, the following conditions must be met:
- The delays observed by the malicious node really should reflect the load of other nodes.
- The malicious node must be able to obtain information about all other network nodes.
- The malicious node must be able to establish a direct connection to all other nodes.
Tor is susceptible to attack because its architecture meets these requirements. First, the Tor developers removed the mixing operations and the covering traffic, so the temporal characteristics of the streams are preserved throughout the chain. This was confirmed by experiments (Murdoch & Danezis 2005). Secondly, Tor provides a directory service with which the Tor client can get a list of all nodes (Tor servers) in the network. Thirdly, nothing prevents the Tor client from establishing a connection with all Tor servers.
Low Cost Attack in Tarzan
Check if the above conditions are met in Tarzan.
Delays
There are two main differences between Tarzan and Tor that affect network delays. Firstly, Tor processes queues in round-robin fashion mode. Secondly, in Tor there is no mixing and cover traffic. At Tarzan, things are different. Tarzan provides a simulator mechanism. Due to which the activity of outgoing links from the node is comparable to the activity of incoming ones. If any connection is not active enough, Tarzan adds fake traffic. In addition, before sending, the Tarzan node performs some mixing operations on all outgoing streams.
Thus, the question is whether the simulator mechanism can destroy the timing characteristics of the transmitted streams. The only way to check is to conduct an experiment similar to that which was arranged in Tor. Unfortunately, we do not have a test bench for the simulator mechanism. Let us leave this question open and assume that timing characteristics are not destroyed. Thus, we still believe that the attack on Tor is effective for Tarzan.
The ability to get information about all network nodes
To search for other network nodes, the Tarzan node uses a gossip-protocol-based mechanism. Those. each Tarzan node can theoretically receive information about all other network nodes. But the task can be difficult to accomplish due to the fact that Tarzan is a peer-to-peer network and the number of nodes can be very large and constantly changing. Thus, it seems doubtful that a malicious node will be able to evaluate the delays of all other network nodes. However, since There is a theoretical possibility, we assume that the condition is satisfied.
The ability to establish a direct connection to other network nodes
If, after receiving a list of all other network nodes, the malicious node has the opportunity to establish a direct connection with each of them, then the third condition is fulfilled. Unlike Tor, Tarzan allows you to transfer traffic only through facial expressions. Thus, if the node is not among the facial expressions of the malicious node, then the malicious node will not be able to establish a direct connection with it. If the connection requires intermediaries, then the malicious node cannot correctly measure the delays. Because measurements may depend on delays created by intermediate nodes. Thus, everything looks so that the low-cost attack is not applicable to Tarzan. However, this is not so. Tarzan has PNAT - the last node in the tunnel through which the connection goes into the outside world. Unlike other intermediate nodes in the tunnel, when the choice of each next node is limited by the list of facial expressions, any network node can be assigned as a PNAT. Thus, a malicious node has the ability to establish a direct connection without intermediaries with any node - the facial expression mechanism does not solve the problem.
Summarize. The low cost attack is applicable to Tarzan, as the facial expression mechanism does not destroy the timing characteristics of flows, and PNAT can be selected from among all network nodes, and not just from facial expressions.
Low Cost Attack in MorphMix
The main difference between MorphMox and Tor is the network architecture and how the selection of the transfer nodes of the tunnel and the output node occurs. MorphMix follows the peer-to-peer architecture, while Tor uses dedicated servers as the transfer nodes. In Tor, the Tor client independently selects all nodes to organize an anonymous tunnel. In MorphMix, all intermediate nodes are involved in the tunnel formation. Tor has an exit node, but MorphMix doesn't. We will test the applicability of a low-cost attack on MorphMix using the same three criteria.
Delays
Once the tunnel is established, the MorphMix and Tor nodes work the same. Both have no covering traffic. Thus, in this section, the attack can be applied to MorphMix.
The ability to get information about all network nodes
To operate the network, each MorphMix node may not know all the other nodes. It is enough that every node knows its neighbors. When a node wants to create a tunnel, it sequentially requests each next MorphMix node a list of recommended nodes, from which the next tunnel node will be selected. This mechanism allows you to create anonymous tunnels without having a list of all network nodes.
The point is this. To carry out an attack, a malicious node needs to get a list of all network nodes. This is not a trivial task, because information about other nodes can only be obtained using the tunnel creation mechanism. A successful attack requires a more efficient search engine — otherwise, defining a list of all network nodes is very expensive. Those. “Low cost" attack becomes "expensive". In addition, by the time the list is built, it is likely to be out of date, as The composition of the peer-to-peer network is very unstable. In addition, since MorphMix nodes do not know all the other network nodes, there is no guarantee that communication can be established between all nodes (whether it is direct or not). Thus, the attack is not feasible.
The ability to establish a direct connection to other network nodes
There are no connection restrictions in MorpMix. Those. each node can establish a direct connection to any other node.
In short, the described attack is not applicable to MorpMix, because the malicious host cannot get a list of all other hosts on the network.