UK TOP SECRET COMINT

Slide 1: Tor Hidden Services - How Hidden is Hidden?
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on [...].

Slide 2: What is Tor?
- Tor is an implementation of 2nd generation onion routing
  - Originally sponsored by the US Naval Research Laboratory
  - Later became an Electronic Frontier Foundation project
- Helps to prevent network traffic analysis / surveillance
- Open network with over 2000 nodes
- Anonymity tool
  - Uses multiple layers of [encryption]
  - Multi-hop proxy
Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on [...]. Contains Intellectual Property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation but GCHQ permission must be obtained for dissemination outside the [...].

Slide 3: What I have done on Tor
- General Tor research
- HOMING TROLL: bridge discovery capability
- Hidden Services
- Helped with a few deanonymisation techniques
- Worked with JTRIG, MCR (Maths research)
- Provided support to OP SUPERIORITY

Slide 4
[Diagram slide; no legible text.]

Slide 5
[Diagram of a Tor circuit; the only legible label is "Middle Node".]

Slide 6: What is it used for?
The Good
- People living in oppressive countries circumvent firewalls
- Access to free media instead of state propaganda
- People can say what they want without it being linked to them
The Bad
- Bot herders use Tor to give instructions to their bots
- Allows paedophiles to access content without linking themselves to it
- State actors can launch attacks without being attributable
- Anonymous, LU[...]

Slide 7: What do we see?
- Any traffic between the client and Tor is heavily [encrypted]
- We can only really see traffic from an exit node to a website
  - But we don't know where this traffic originated from
- Still could link up aliases though
  - Somebody could still visit a dodgy forum and log in with [...]
  - Send an email using a known target email address
- As long as they don't use SSL, at least there is some intelligence

Slide 8: Hidden Services
- Hides the IP address of a web service
- Protects content providers by anonymously hosting content
  - Publication of undesirable content
- Both client and server are anonymous to an observer and to each other
[Diagram: "Normal Tor" (User -> Tor -> Website, last hop in clear text) versus "Hidden" (User -> Tor -> Hidden Service).]

Slide 9: So what do we see now?
- Not [a lot]
- All Hidden Service traffic is heavily [encrypted]
- Most we can gather is that one Tor node talks to an[other]
- Hiding in the crowd at its best

Slide 10: What's this .onion business?
- TLD Tor uses to initiate a connection to a hidden service
- Example onion domain: 16 characters in base32 (a few characters are actually missing from it): oqznfi3td06nwg3f.onion
- Tor uses something similar to DNS to resolve an onion
- Onion domains resolve to 3 "IP addresses" called Introduction Points (IPTs)
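An added worked example (this editor's Python, not material from the GCHQ deck) that makes the .onion slide concrete. A v2 onion name is the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, base32-encoded and lower-cased; 80 bits is exactly 16 base32 symbols, and the base32 alphabet (a-z, 2-7) is the reason "a few characters are missing": 0, 1, 8 and 9 can never appear. Because a v2 descriptor carries that public key, this is also the computation a directory relay can perform on every descriptor it receives, which is the "collect onion domains if we acted as a [HSDir]" point made later in the deck. The key bytes below are a constructed placeholder, not a real key. Fed the address exactly as transcribed on slide 10, the validator rejects it for the digit 0, which no genuine address can contain (so the transcription has almost certainly mangled an "o").

```python
# Added example (editor's code, not from the GCHQ deck): the shape of a
# v2 .onion name and how it is derived from a hidden service's public key.
# Facts used (Tor rend-spec v2): address = lowercase base32 of the first
# 80 bits of SHA-1(DER-encoded RSA public key), followed by ".onion".
import base64
import hashlib
import re

# RFC 4648 base32 alphabet: a-z and 2-7.  Digits 0, 1, 8, 9 never appear,
# which is what the slide means by "a few characters are missing".
BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")
V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def permanent_id(public_key_der: bytes) -> bytes:
    """Tor's 'permanent-id': first 80 bits (10 bytes) of SHA-1 over the DER key."""
    return hashlib.sha1(public_key_der).digest()[:10]


def onion_address(public_key_der: bytes) -> str:
    """Derive the 16-character v2 .onion name for a DER-encoded public key."""
    encoded = base64.b32encode(permanent_id(public_key_der)).decode("ascii")
    # 10 bytes = 80 bits = 16 base32 symbols exactly, so there is never '=' padding.
    assert "=" not in encoded and len(encoded) == 16
    return encoded.lower() + ".onion"


def is_valid_v2_onion(name: str) -> bool:
    """Syntactic check only: 16 base32 characters followed by '.onion'."""
    return V2_ONION_RE.match(name.strip().lower()) is not None


def illegal_characters(name: str) -> set:
    """Characters in the label that cannot occur in a base32 .onion name."""
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return {c for c in label if c not in BASE32_ALPHABET}


# Constructed placeholder standing in for a DER-encoded RSA public key.
# It is NOT a real key; any byte string yields a syntactically valid address.
FAKE_KEY_DER = bytes(range(140))

if __name__ == "__main__":
    print(onion_address(FAKE_KEY_DER))
    transcribed = "oqznfi3td06nwg3f.onion"  # as it appears in the OCR of slide 10
    print(is_valid_v2_onion(transcribed), illegal_characters(transcribed))
```

The validator is purely syntactic: it tells you whether a string could be a v2 address, not whether any service ever published it.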
Slide 11: Pieces of the Jig-Saw
- The actual Hidden Service (HS): where the service actually originates from
- User: the user who wishes to access the Hidden Service
- Hidden Service Directory (HSDir): a directory server that holds information on a Hidden Service
- Introduction Point (IPT): the Hidden Service's front door relay
- Rendezvous Point (RP): the client's front door relay

Slides 12-19: Fitting it together
(Eight slides that build up the same diagram one step at a time.)
1. HS selects random IPTs
2. HS uploads descriptor to [HSDir]
3. Client finds out about HS
4. Client requests descriptor from [HSDir]
5. Client selects a random RP
6. Client contacts one IPT
7. HS replies to RP
8. RP relays between client and HS
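An added worked example (this editor's Python, not from the GCHQ deck) of the mechanism behind steps 2 and 4 above: neither the HS nor the client is told which directory relays to use. Both compute a 20-byte descriptor-id from the service's permanent-id, the current daily time period and a replica number, and then take the three HSDir relays whose identity fingerprints follow that id on a SHA-1 hash ring. With two replicas that is up to six relays per service per day, which is why the deck's later remark that taking one directory down still leaves many is correct, and why the set rotates daily. The formulas are Tor's rend-spec v2; the relay fingerprints and key bytes are constructed stand-ins, not real relays or keys.

```python
# Added example (editor's code, not from the GCHQ deck): how the HS (step 2)
# and the client (step 4) independently locate the directory relays that
# hold a v2 hidden-service descriptor.  Facts used (Tor rend-spec v2):
#   permanent-id   = SHA-1(DER public key)[:10]
#   time-period    = (now + permanent-id[0] * 86400 / 256) / 86400
#   secret-id-part = SHA-1(time-period (4 bytes BE) | descriptor-cookie | replica (1 byte))
#   descriptor-id  = SHA-1(permanent-id | secret-id-part)
# Each of the two replicas is stored on the 3 HSDirs whose identity
# fingerprints are at or after the descriptor-id on the SHA-1 hash ring.
import hashlib
import struct
from typing import List

HSDIR_SPREAD = 3     # consecutive HSDirs holding each replica
HSDIR_REPLICAS = 2   # replica numbers 0 and 1


def permanent_id(public_key_der: bytes) -> bytes:
    """First 80 bits of SHA-1 over the DER-encoded public key."""
    return hashlib.sha1(public_key_der).digest()[:10]


def time_period(now: int, perm_id: bytes) -> int:
    """Daily period, offset by the first id byte so services do not all rotate at 00:00 UTC."""
    return (now + perm_id[0] * 86400 // 256) // 86400


def descriptor_id(perm_id: bytes, now: int, replica: int, cookie: bytes = b"") -> bytes:
    """20-byte ring position of one replica of the descriptor for the current period."""
    secret_id_part = hashlib.sha1(
        struct.pack(">I", time_period(now, perm_id)) + cookie + bytes([replica])
    ).digest()
    return hashlib.sha1(perm_id + secret_id_part).digest()


def responsible_hsdirs(desc_id: bytes, hsdir_fingerprints: List[bytes]) -> List[bytes]:
    """The HSDIR_SPREAD relays at or after desc_id on the ring, wrapping past the end."""
    ring = sorted(hsdir_fingerprints)
    start = next((i for i, fp in enumerate(ring) if fp >= desc_id), 0)
    return [ring[(start + k) % len(ring)] for k in range(min(HSDIR_SPREAD, len(ring)))]


def all_responsible_hsdirs(public_key_der: bytes, now: int, hsdir_fingerprints: List[bytes]) -> List[bytes]:
    """Both replicas together: where the HS uploads and where a client asks (6 relays)."""
    perm = permanent_id(public_key_der)
    out: List[bytes] = []
    for replica in range(HSDIR_REPLICAS):
        out.extend(responsible_hsdirs(descriptor_id(perm, now, replica), hsdir_fingerprints))
    return out


# Constructed stand-ins: 40 fake HSDir fingerprints and a fake key (NOT real relays or keys).
FAKE_HSDIRS = [hashlib.sha1(f"hsdir-{i}".encode()).digest() for i in range(40)]
FAKE_KEY_DER = bytes(range(140))

if __name__ == "__main__":
    now = 1_300_000_000
    for fp in all_responsible_hsdirs(FAKE_KEY_DER, now, FAKE_HSDIRS):
        print(fp.hex())
    # Recomputing with now + 86400 lands in the next period and gives new ids.
    print(descriptor_id(permanent_id(FAKE_KEY_DER), now + 86400, 0).hex())
```

Because the descriptor-id depends only on public inputs plus the time, anyone who knows the onion name can predict which relays will be asked for its descriptor in a given period; the descriptor-cookie (empty here) is the optional secret that blocks that prediction for authenticated services.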
Slide 20: Possible Exploits
- Rendezvous Point (RP)
  - What if we owned the [RP]?
  - Traffic still [encrypted], although only a single layer of [encryption]
  - Still only content: don't know who the user is or where the HS is located
  - Clients randomly select their RP, so unlikely to be picked anyway
- Hidden Service Directory
  - If we take a [HSDir] down there are still many left
  - Could potentially collect onion domains if we acted as a [HSDir]
  - No real way to distinguish between a Tor user accessing the web [...]

Slide 21: Possible Exploits (cont.)
- Introduction Points (IPT)
  - All Hidden Service IPTs are listed on its descriptor (the thing that's stored on a [HSDir])
  - Potential for an attack on IPTs to stop them accepting connections for the HS
    - This could be done using a Coil Attack
  - Doesn't stop a HS selecting another set of IPTs
  - HS can [...] their IPTs in their descriptor but not [...]

Slide 22: Possible Exploits (cont.)
- Hidden Service (HS)
  - What about exploiting the HS directly?
  - Potential to identify the IP addresses of hidden services
    - But can't really say which one
  - Identified a beaconing pattern from HS
    - Dependent on collection posture
    - Great for PRESTON

Slide 23: Idle Client Beacons
[Plot of connection activity over time for an idle Tor client; no legible axis labels.]

Slide 24: Idle HS Beacons
[Plot of connection activity over time for an idle hidden service; the only legible axis ticks are "200m" and "400m".]

Slide 25: Summary
- Tor helps people become anonymous
- Very naughty people use Tor
- Hidden Services hide the fact web content even exists
- Near impossible to figure out who is talking to who
- It's complicated
- Some areas for further research a[...]
- Until [...]
- Doesn't stop us from using them
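Returning to the idle-beacon slides: the deck says a beaconing pattern from hidden services was identified, but neither the period nor the axis units of the plots are legible. What follows is an added example (this editor's Python, not from the GCHQ deck) of the generic periodicity test a detection engineer would run over the connection times of a single host to decide whether it beacons: a beacon shows near-constant gaps between events, while human-driven traffic is bursty. All timestamps are constructed and in seconds; the 600-second interval is an arbitrary illustration, not a claim about Tor.

```python
# Added example (editor's code, not from the GCHQ deck): a periodicity test
# over per-host connection timestamps.  Beacons have near-constant
# inter-arrival gaps; interactive traffic does not.  Timestamps are constructed.
import statistics
from typing import Dict, List, Optional


def inter_arrival(times: List[float]) -> List[float]:
    """Gaps between consecutive events, in the units of the input."""
    ordered = sorted(times)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]


def beacon_period(times: List[float], max_cv: float = 0.15, min_events: int = 6) -> Optional[float]:
    """Estimated period if the gaps are regular enough to be a beacon, else None.

    Regularity is the coefficient of variation (population stdev / mean) of the
    inter-arrival gaps; a beacon with a little jitter sits well under 0.15,
    and too few events means no verdict at all.
    """
    if len(times) < min_events:
        return None
    gaps = inter_arrival(times)
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:          # all events at the same instant: nothing periodic
        return None
    cv = statistics.pstdev(gaps) / mean_gap
    return mean_gap if cv <= max_cv else None


def classify_hosts(observations: Dict[str, List[float]]) -> Dict[str, Optional[float]]:
    """Map host -> estimated beacon period (or None) for a dict of host -> timestamps."""
    return {host: beacon_period(ts) for host, ts in observations.items()}


# Constructed timestamps (seconds).  "relay-a" connects every ~600 s with a
# few seconds of jitter; "relay-b" shows bursty, human-like activity.
JITTER = [0, 3, -2, 5, -4, 1, 2, -3, 4, 0, -1, 2]
OBSERVED = {
    "relay-a": [i * 600 + j for i, j in enumerate(JITTER)],
    "relay-b": [0, 7, 9, 30, 180, 186, 900, 905, 4000, 4010, 4011, 9000],
}

if __name__ == "__main__":
    for host, period in classify_hosts(OBSERVED).items():
        print(host, "beacon every %.0f s" % period if period else "no regular beacon")
```

In practice the threshold and minimum event count are tuned per data source, and a real pipeline would also fold in the size of each connection, since a keep-alive beacon is small as well as regular.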
Slide 26
[Blank slide; classification marking and footer only.]

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000. Fax: 202 994-7005. nsarchiv@gwu.edu