leaving timing channel fingerprints in hidden service log ... · second-generation onion routing...
TRANSCRIPT
![Page 1: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/1.jpg)
DIGITAL FORENSIC RESEARCH CONFERENCE
Leaving Timing Channel Fingerprints in
Hidden Service Log Files
By
Bilal Shebaro, Fernando Perez-Gonzalez and Jedidiah R. Crandall
Presented At
The Digital Forensic Research Conference
DFRWS 2010 USA Portland, OR (Aug 2nd - 4th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http:/dfrws.org
![Page 2: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/2.jpg)
![Page 3: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/3.jpg)
• Someone serving illegal content using Tor hidden service
• This physical machine is confiscated
• Our job is to prove that this machine is in fact the machine that had been hosting the illegal content
• We’ll be fingerprinting its log file: leaving an identifiable fingerprint in this log file as a timing channel that can be recovered
![Page 4: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/4.jpg)
• Basic Idea • Requirements • Tor Network • Tor Hidden Services • Webserver Traffic Analysis • Tor Network Relay • Our Fingerprinting Algorithm • Results • Discussion and Future Work
![Page 5: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/5.jpg)
• Tor hidden web server (apache) • Tor client • ECC: Reed Solomon Error Correction Code
![Page 6: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/6.jpg)
Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson
and Paul Syverson Specifically designed for low-latency anonymous
Internet communications
Running since October 2003 100 nodes on four continents, thousands of
users “Easy-to-use” client proxy
Freely available, can use it for anonymous browsing
![Page 7: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/7.jpg)
Client proxy establish a symmetric session key and circuit with Onion Router #1
![Page 8: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/8.jpg)
Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2 Tunnel through Onion Router #1
![Page 9: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/9.jpg)
Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3 Tunnel through Onion Routers #1 and #2
![Page 10: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/10.jpg)
![Page 11: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/11.jpg)
What about Hidden Service’s public and private keys???
![Page 12: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/12.jpg)
• Our fingerprinting timestamps look exactly the same as those normal requests
• We don’t want to make it look suspicious • Some portions of the log file were deleted • False positive fingerprints may exist (solved
by repeating our algorithm more than once as well as using RS-ecc)
• We are not claiming our method is impossible to detect, especially if the host knows our approach
![Page 13: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/13.jpg)
• Our fingerprinting timestamps look exactly the same as those normal requests
• We don’t want to make it look suspicious • Some portions of the log file were deleted. • False positive fingerprints may exist
(solved by repeating our algorithm more than once as well as using RS-ecc)
![Page 14: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/14.jpg)
![Page 15: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/15.jpg)
![Page 16: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/16.jpg)
![Page 17: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/17.jpg)
![Page 18: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/18.jpg)
Choices made:
- Add 35 additional requests per min.
- Cut-off value = 40
![Page 19: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/19.jpg)
RS encoder
RS decoder
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 20: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/20.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 21: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/21.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 22: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/22.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 23: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/23.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 24: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/24.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 25: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/25.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 26: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/26.jpg)
RS encoder
RS decoder
36 bit
36 bit
60 bit
60 bit
![Page 27: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/27.jpg)
• RS will produce a 60 bit codeword
• Each bit is given 60 sec
• If that bit is 0 then do nothing
• If that bit is 1 then do additional 35 requests to the hidden service
• Recover a 60 bit codeword from the log file (by comparing each minute to the cut-off value: 40 requests in our case)
![Page 28: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/28.jpg)
Cut-off Bit flip
![Page 29: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/29.jpg)
![Page 30: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/30.jpg)
![Page 31: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/31.jpg)
• Robust technique for leaving timing channel fingerprints in hidden service log files
• Ability to recover a 36-bit fingerprint with a 60-minute fingerprinting process
• Tradeoff in terms of how long it takes to leave a fingerprint vs. how much traffic must be added per minute
• We are not breaking the anonymity of Tor, our assumptions doesn’t break in to Tor’s main goal
![Page 32: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/32.jpg)
• Explore the tradeoffs in a stronger threat model
• Faster fingerprinting with less requests or additional timestamps
• Modeling the probability distribution of the network delays
• Time domain analysis of the gathered data will provide useful elements for the design of channel coding mechanisms
![Page 33: Leaving Timing Channel Fingerprints in Hidden Service Log ... · Second-generation onion routing network Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f03b78d7e708231d40a6c8a/html5/thumbnails/33.jpg)
• NSF #0905201 • UNM CS support
– George Kelbley – Jeff Bowles
• Tor Project People