[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Compromised entry guards rejecting safe circuits (was Re: OSI 1-3 attack on Tor? in it.wikipedia)



Roger Dingledine wrote:
> (I changed the thread's Subject, since "Anon Mus"'s attack is not the
> same as the attack described on it.wikipedia.)
>
>   

Here's the original quote text translation of the article in 
it.wikipedia from the starting thread to which I replied.

quote: "Tor works on assuming IP protocol's integrity. An ISP, however,

can work on a lower OSI level to divert an user's Tor traffic to a 
separate, fake server. ATM switching or MPLS labeling can be used to 
selectively deviate an user's Tor traffic towards a third-party 
controlled Tor network. Therefore, IP address and key exchange with an 
unknown peer do not ensure that an user has not connected to a rogue
node."

I think this compares well with most of the aspects of the "scenario" I

described in my reply, albeit I added the necessary "pass through" 
component out to the real tor network to make it work.

[The "ATM switching or MPLS labeling" is just the lower-layer network 
protocol/method, many IP networks operate over these, its common place,

so don't be confused by that.]


> On Fri, Feb 15, 2008 at 12:42:59PM -0800, Anon Mus wrote:
>   
>> F. Fox wrote:
>>     
>>> Anon Mus wrote:
>>>       
>>>> 3. Attacker has a list of known public/private key pairs. These
are
>>>> generated over the years by government security service
supercomputers
>>>> and their own secure network computers (around the world). Such
lists
>>>> are
>>>> regularly swapped between 'friendly' countries and are fro sale on
the
>>>> black market. Given any tor nodes public key, the attacker looks
up
>>>> that
>>>> key in the list and it returns the tor nodes genuine private key,
where
>>>> it
>>>> has it in its list. (Interesting note: here you have to imagine
that
>>>> there is software of out there, like the tor network itself, which
>>>> could
>>>> be used for generating and acquiring billions of key pairs a year
over
>>>> millions of networked computers world wide. You only need to store
the
>>>> key pairs such networked software generates after they have
finished
>>>> with them.)
>>>>         
>>> Umm... unless you're talking about lists of *compromised* keys
(i.e.,
>>> stolen, like via malware), then this is pure FUD. Trying to figure
out
>>> the private key by other means, is pretty infeasible.
>>>       
>
> I agree with others here that this particular item from Anon Mus is
> bogus. The math simply doesn't work this way: 1024 bits is really
big,
> and enumerating and storing products of 512ish-bit primes is going to
> fill up your disk way before you have a non-trivial fraction of them.
>
>   

Take a look at figure 1 in here... 
http://home.zonnet.nl/galien8/prime/prime.html now reframe the graph 
there in 512bit primes and extrapolate the graph. The US NSA has many 
floors of high density storage archives. Like a supermassive automated 
DVD changer.

>> I must say, I feel that 3 very deliberate and clumbsy attempts have
>> been 
>> to shoot down such a VERY obvious and sound scenario.
>>
>> Why so?
>>     
>
> Probably the reason they all misinterpreted your attack is the thread
> you posted it in (which describes a similar-sounding attack that *is*
> bogus), plus the above "A.3" which sounds like it's straight out of
some
> conspiracy theory.
>   
Theory???

Facts:::

Connection machines: http://en.wikipedia.org/wiki/Connection_Machine
CM5: http://en.wikipedia.org/wiki/FROSTBURG
Also at connection machines at US edu's

Univ. Penn http://www.ese.upenn.edu/facilities.html
Univ. Maryland
http://www.ece.umd.edu/Academic/Grad/Gen_info/ginfodoc.html
Univ. Florida http://www.cise.ufl.edu/~jnw/IA/ia-software.html
Univ. Florida A&M http://www.oakridge.doe.gov/diversity/florida.html



Now THIS is what I call a conspiracy theory ( :D ):::

A fully global networked array of prime number testers, prime numbers 
being the underlying basis for your public key encryption technology.

1 million decimal digit long primes achieved, the search for 10 million

digit primes underway.

http://en.wikipedia.org/wiki/Great_Internet_Mersenne_Prime_Search

http://mersenne.org/primenet/

" The virtual machine's sustained throughput 
<http://mersenne.org/ips/stats.html>* is currently *29479 billion 
floating point operations per second* (gigaflops), or 2448.9 CPU years 
(Pentium 90Mhz) computing time per day. For the testing of Mersenne 
numbers, this is equivalent to 1052 Cray T916 supercomputers"

Take a look at just which org is offering the $100,000 prize !!! (In
the 
para. headed by "*v22.12 Mersenne Research Software Released")*

http://mersenne.org/ips/index.html#contest

This project went live in 1997 and the CM5 ( 
http://en.wikipedia.org/wiki/FROSTBURG ) was phased out in 1999 .. you 
decide.

Makes 512 bit prime location and storage look like a walk in the park.

> Now that we've cleared that up (if we have), let me rephrase your
attack
> and we can see if it makes sense to more people here.
>
> Imagine an adversary who can observe any connection attempt from
Alice
> and fail any of them that he wants. Imagine this adversary also runs,
say,
> 10% of the Tor network, including some guard nodes and some exit
nodes.
>
> Alice starts up, learns about the Tor network, picks her entry
guards, and
> tries to connect to some. Our adversary keeps tricking her into
thinking
> she picked bad nodes, until she picks an adversary-controlled entry
guard.
> Then he lets all connections to that entry guard succeed, but when
Alice
> picks a second hop that isn't adversary-controlled, he claims that
next
> hop is down. Until eventually he picks an adversary-controlled second
> hop. Repeat for the exit node.
>
> Ignoring bandwidth weightings, exit policies, etc, Alice would need
to
> try (.1*.1)^-1 = an estimated 100 circuits before she makes three bad
> hops (assuming she's already happened across the bad entry guard).
For
> a more reasonable 1% of the network being bad, that changes to 10000
> circuit rebuilds.
>
> See http://freehaven.net/anonbib/#ccs07-doa for a related paper here.
>
> Mike Perry also brought up an attack like this when he was working on
> SoaT. Alas (or perhaps fortunately), he's been working on
Torbutton-dev
> lately instead. The number of competent anonymity programmers and
> designers in the world is still woefully small.
>
> Note that to make this attack work, you really do need to be able to
> reject any connection from Alice that you want. Otherwise, if she
picks
> some bad guards and some good guards, she'll switch to using her good
> guards as soon as the bad guards demonstrate themselves to be flaky.
And
> if you're in that powerful a position for Alice, I'm not too worried
> about this attack; or to say it differently, I worry a lot about
other
> attacks too, and I'm not sure I can help Alice much.
>
> --Roger
>
>
>
>   

Well at least this is (now - hopefully) accepted as at least possible 
(previously pooped on from many directions well before I dropped my 
"cents" into the discussion)...

IMHO

If the attacker has 50 to 150 major tor nodes (as the NSA has) directly

under its control and has the private keys to a further 10% of the tor 
servers. Then most client users are definitely not going to notice that

they are being routed in this manner. (my apologies to US citizens -
NSA 
is just an example).

Would circuits be made to the real tor network? ..

most certainly yes, 100 or so...
and also to 100 or so simulated tor servers..
and perhaps even non-functional circuit builds (e.g. "closed
connection" 
types). to other real tor nodes.


-K-





      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping