Counter Galois Onion: Improved encryption for Tor circuit traffic

(blog.torproject.org)

104 points by wrayjustin73 days ago

5 comments

amelius65 days ago
> Of course, we need to make sure that the data isn't modified on the way from the client.Why is this necessary if every layer of the onion is a trustable encrypted link?
- MzxgckZtNqX5i65 days ago
 Relays can be malicious and try to tamper with the data. Think of Tor relay encryption like Signal's E2E encryption, where the relays are analogous to Signal's servers. You want to ensure they can neither see what you sent (confidentiality) nor modify it without detection (integrity).
 - amelius65 days ago
 Yes, but if it's all encrypted tunnels inside encrypted tunnels (recursively), then those relays can't really see the data, right?
 - MzxgckZtNqX5i65 days ago
 That is correct. But, (in general) encryption does not necessarily guarantees integrity of the data. In other words, a plaintext can be encrypted, the ciphertext given to another party, and they can tamper with the ciphertext in a way that produces predictable changes in the message obtained by decrypting the tampered ciphertext.
 - amelius65 days ago
 Ok, but if I run (say) HTTPS over the innermost tunnel, then I suppose that HTTPS will take care of any discrepancies.
 costco65 days ago
 The malleability of the ciphertext matters because it enables certain circuit tagging attacks as the article explains. It means that the exit relay could confirm you are using a guard relay also controlled by them and thus discover your origin IP address.There are many reasons that these cryptographic tagging attacks are a lot worse than just the timing correlation attacks that are possible if you control the guard and exit of a client: <a href="https://archive.torproject.org/websites/lists.torproject.org/pipermail/tor-dev/2012-March/003347.html" rel="nofollow">https://archive.torproject.org/websites/lists.torproject.org...</a>
 MzxgckZtNqX5i65 days ago
 You can indeed use HTTPS with the end server (e.g., accessing Wikipedia). This correctly hides the traffic content from all relays.To reach this point, though, you first need to set up the Tor circuit itself. This is done in a 'telescopic' fashion: the user connects via TLS to the first relay, then sends a message to extend the circuit to a second relay, then to the third (and usually last) relay. Finally, to open Wikipedia, you send a layered encrypted message to the last relay. All this data is link-protected by TLS on the wire, but protected by Tor's relay encryption mechanism while being processed by the nodes.
4728284773 days ago
Cool! Congrats! Awesome work.Small typo: “observing predicatable changes“
- sevg65 days ago
 I think you’re getting downvoted because you’re reporting the typo in an odd and likely unproductive place.I’m not sure what you expect HN readers to do about the typo. There is a comment section on the blog itself :)
 - gus_massa65 days ago
 It's not unusual that the author (or someone of the team) see the trafic peak an appears in HN to reply the questions.
 - sevg65 days ago
 Sure, that happens.But instead of just reporting it directly, we instead get this unsubstantive comment (“Cool! Great! Btw you spelled a word wrong.”). Essentially just noise, nothing that provokes curiosity or interesting discussion.
blocchainz72 days ago
[dead]
greekrich9266 days ago
Is it quantum-proof?
- vscode-rest66 days ago
  Quantum isn’t the problem. Majority-internet telemetry is.
- ekjhgkejhgk65 days ago
  Is it alien-proof?
  - JoachimS65 days ago
    All information is translated to Finnish at ingress, so yes.
m00dy65 days ago
hey guys, anyone believes Tor still can provide anonymity to users ? just trying to ask politely.
- dannyobrien65 days ago
 broadly yes, but the real question is: what's your threat model? <a href="https://ssd.eff.org/glossary/threat-model" rel="nofollow">https://ssd.eff.org/glossary/threat-model</a>
 - m00dy65 days ago
 I mean definitely state level actor, for example, let's say you can access all data centers in EU as most tor nodes are located in EU.
 - jeroenhd65 days ago
 There are countermeasures you can take against timing attacks, pattern analysis, and other capabilities an attacker may have if they control many relays. If you're trying to exfiltrate military secrets to the Russians, you can probably do it, but you'll have to be extremely careful. Your behaviour is as important as the network you use to communicate over, if not more important.There is no single state actor that has access to all data centers in the EU, though. For some countries, there's barely a state actor that can access all data centers within a single country.There is no tool that will let you become immune against a theoretical hyper powerful super government that controls all data centers, just by clicking a button. There never will be.
 - edgineer65 days ago
 There's some neat math that shows how one could send (radio) signals which are undetectable to an observer. Last I read, the research was in specific, purely theoretical scenarios but the idea is that you could send bit impulses which stay within the noise floor. Transmit with a power less than R^2 (in discrete time and ignoring triangulation and you have to pre-coordinate the timing of the transmissions with your partner via pre-shared one time pad and use plenty of error correction) the enemy observer cannot prove that someone is sending signals at all.Maybe no such techniques could ever apply to the internet, but I'm not sure it's proven impossible. You would need a well defined threat model but if you can show that your enemy is working with noisy data and strictly in the digital space, I don't see why statistical de-anonymization couldn't be foiled.
- ongy65 days ago
 Low stakes (IP violations etc.): absolutelyHigh stakes (military / nation state scale): no
- lurker_jMckQT9965 days ago
 hey, would you mind elaborating (with sources)?
- jstanley65 days ago
 This FUD comes up whenever Tor is mentioned on Hacker News. The answer is: let's say you think Tor isn't 100% flawless. What are you going to do? Not use Tor? It's better than any other option.
 - impossiblefork65 days ago
 What you'd do is that you'd write a distributed remailer where fixed-size messages are sent on fixed timeslots, possibly with some noise in when it's transmitted, with a message always being sent on its timeslot, even if a dummy message must be sent.I've been writing a system like this in Erlang, intended to be short enough that you can take a picture of the source code and then type it in by hand in a reasonable amount of time, as a sort of protest against Chat Control. I'm not sure I'm going to release it-- after all, they haven't passed it yet, and there are all sorts of problems that this thing could needlessly accelerate, but I've started fiddling with it more intensively recently.
 - 4728284765 days ago
 You may be interested in Katzenpost and the research behind it: <a href="https://katzenpost.network/" rel="nofollow">https://katzenpost.network/</a>
 - impossiblefork65 days ago
 Ah. It actually looks very sensible. I knew things like that existed, but didn't know they had dummy messages.I guess my approach is more P2P, more simplicity, shortness and clarity focused, as well as perhaps emphasizing general networking less-- I sacrifice more, I'm fine with 3-6 second delays on all messages, for example. I guess I also emphasize scale in that I intend to have 10,000+ connection open simultaneously on every peer, and because of this you don't even always need the retransmission aspect, since the person you want to talk to might be in the group of 10,000 that you send a message to every second.So in my thing the mixing is less important and the retransmission aspect is only needed when the network grows so big that you, when you connect don't happen to randomly end up directly peering with the person you want to talk to.
 - zmgsabst65 days ago
 Don’t things like Freenet do similar?Except that every user is also a node, thereby mixing their personal traffic into a share of network traffic. Or so I understand it.
 - impossiblefork65 days ago
 I'm not sure. Freenet actually stores information, this is pure communication system. I don't think it uses dummy messages.My target size is also <500 lines, and I think <200 is feasible, whereas Freenet is apparently 192,000 lines.
 - jeroenhd65 days ago
 While there aren't as many services available, there are alternatives to Tor. Veilid on the protocol level seems to be quite promising, and I2P and other networks also provide some Tor-like features.If you're trying to browse the web then you won't find many alternatives, but if you're looking to avoid the authorities doing some data exchange, you have options.
 - matheusmoreira65 days ago
 The better option is to use Tor while being aware of its caveats and limitations. Don't be lulled into a false sense of security.
 - bigyabai64 days ago
 It's not FUD at all. I think you would be utterly shocked how many active alternatives exist, and how small Tor is compared to it's reputation.