tor hidden services...jan 26, 2015 · - th usee whr o wishes to access the hidde servicn e hidden...

Tor Hidden Services How Hidden is 'Hidden'?

- ICTR Network Expl

© This information is exempt under the Freedom of Information Act 2000 {FOIA) and may be exempt under other UK n information legislation. Refer any FOIA queries to GCHQ on

UK TOP SECRET STRAP1 COMINT

• Tor is an implementation of 2nd generation onion routing

• Originally sponsored by the US Naval Research Laboratory

• Later became an Electronic Frontier Foundation project

• Helps to prevent network traffic analysis & surveillance

• Open network with over 2000 nodes

• Anonymity tool

• Uses multiple layers of encryption

• Multi-hop proxy © Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act

2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 2 throughout the recipient organisation, b i ^^C l j tg jP^^ j s r ^o r ; must ̂ f j f f c ^ ^ j f l f t f l v j f f dissemination outside the


• General Tor research

• HOMING TROLL

- Bridge discovery capability

• Hidden Services

• Helped with a few deanonymisation techniques

• Worked with JTRIG & MCR (Maths & Crypt research)

• Provided support to OP SUPERIORITY

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exerrmtion under other UK information leaislation. Refer disclosure requests to GCHQ on


m TOR

Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemntion under other UK information leoislation. Refer disclosure requests to GCHQ on


is ah

Ltn

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act S ^ ^ B 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 5 throughout the recipient organisation, b i ^ ^ C l j t g j P ^ ^ j s r ^ o r ; must ̂ fjffc^^jflftflvjff dissemination outside the


• The Good - People living in oppressive countries (circumvent firewalls)

- Access to free media instead of state propaganda

- People can say what they want without it being linked to their public profile

• The Bad - Bot herders use Tor to give instructions to their bots

- Allows paedophiles access content without linking themselves to it

- State actors can launch attacks without being attributable

- "Anonymous" & LULZSec

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated throughout the recipient organisation, b i^^Cygpagç^s.^or ; m u s t ^ ^ t ^ t j ^ i ^ ^ r dissemination outside the


• Any traffic between the client & tor is heavily encrypted.

• We can only really see traffic from an exit node to a website - But we don't know where this traffic originated from

• Still could link up aliases though ^ ^ ^ m - 'Somebody' could still visit a dodgy forum and log in with an alias, or even

send an email using a known target email address (Assuming they don't use SSL). ^ ^ ^ ^ ^ ^ ^

• Phew... at least there is some intelligence gain.... Right?


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated throughout the recipient organisation, b i ^ ^ c y g p a f j ^ ^ o r ; m u s t ^ ^ t ^ t j ^ i ^ ^ r dissemination outside the


. Hides the IP address of a web service

. Protects content providers by anonymously hosting content

. Publication of undesirable content

. Both client and server are anonymous to an observer and to each other

User

Normal Tor

Clear text

Hidden Services Website User Website

Encrypted

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated g throughout the recipient organisation, bi^^Cljtgjpermis^'or; must j ^ j ^ t ^ t j ^ i ^ ^ r dissemination outside the

olluë O rti-rt-i rt ic-irt n


• Not much...

• All Hidden Service traffic is heavily encrypted.

• Most we can gather is that one Tor node talks to another (IP level)

• Hiding in the crowd at its best!


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 9 throughout the recipient organisation, b i ^^C l j tg jP^^ j s r ^o r ; must f̂jffĉ ĵflftflvjff dissemination outside the

• What's this .onion business? - TLD Tor uses to initiate a connection to a hidden service

• Example onion domain w - 16 characters in base32 (few characters are actually missing)

- oqznfi3tdo6nwg3f.onion

• DNS? ^ ^ ^ L - Tor uses something similar to DNS to resolve an onion domain

- Onion domains 'resolve' to 3+ IP addresses called Introduction Points (IPT)


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated throughout the recipient organisation, b i^^Cygpagç^s.^or ; m u s t ^ ^ t ^ t j ^ i ^ ^ r dissemination outside the


Pieces of the Jig-Saw

The actual Hidden Service (HS) - Where the service actually originates from

User

- The user who wishes to access the Hidden Service

Hidden Service Directory (HSDir) - A directory server that hold information on a Hidden Service

Introduction Point (IPT) j - Hidden Service's 'front door' / relay

Rendezvous Point (RP) - Client's 'front door' / relay

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act S p & t l 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 11 throughout the recipient organisation, bi^^CljtgjP^^jsr^or; must ^fjffc^^jflftflvjff dissemination outside the


1. HS selects random IPTs

2. HS uploads descriptor to HSDir

3. Client finds out about HS

4. Client requests descriptor from HSDir

5. Client selects a random RP

6. Client contacts one IPT

7. HS replies to RP

8. RP relays between client and HS


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 12 t h r o u g h o u t the recipient organisation, b i^^Cl j tg jP^^ js r^or ; must ^fjffc^^jflftflvjff dissemination outside the








7. HS replies to RP


HSDir IPT

t HS


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 13 t h r o u g h o u t the recipient organisation, b i ^^C l j tg jP^^ js r^or ; must ^fjffc^^jflftflvjff dissemination outside the


Fitting it together




Client

^ n j ^ g r




7. HS replies to RP


HSDir IPT

HS


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 14 t h r o u g h o u t t h e recipient organisation, b i ^^C l j tg jP^^ js r^or ; must ^ f j f fc^^ j f l f t f lv j f f dissemination outside the


Fitting it together




Client




7. HS replies to RP


IPT

HS


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 15 t h r o u g h o u t t h e recipient organisation, bi^^CljtgjP^^jsr^or; must ^fjffc^^jflftflvjff dissemination outside the


Fitting it together







7. HS replies to RP

Client

l 3 l

IPT


HS

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act S j O 2000 and may be subject to exemDtion under other UK information leaislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 16 t h r o u g h o u t t h e recipient organisation, b i ^ ^C l j t g jP^^ j s r ^o r ; must ^fjffc^^jflftflvjff dissemination outside the


Fitting it together







7. HS replies to RP


Client

« H P

IPT RP

HS

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to e X P m n 1 " i n n I i n r l p r nfhpr UK infnrmatinn Ipriklatinn Rpfpr riidrlosure requests to GCHQ on

I Contains Intellectual Property ownea ana/or managea oy uwnersnip uui-ig. i ne material may be disseminated

Slide 17 t h r o u 9 h o u t t h e recipient organisation, bi^^C^@|perm:5'-/on m u s ^ ^ t ^ t j ^ ^ l ^ r dissemination outside the


Fitting it together

1. HS selects random I PTs






7. HS replies to RP


HSDir

Client

• H I

IPT

HS

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemDtion under other UK information leaislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 18 t h r o u g h o u t the recipient organisation, b i ^ ^ C l j t g j P ^ ^ j s r ^ o r ; must ̂ fjffc^^jflftflvjff dissemination outside the








7. HS replies to RP


Clien

HSDir IPT RP

HS


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 19 t h r o u 9 h o u t ^ e recipient organisation, bi|tj£0|l@|paj;|3{s^on must dissemination outside the

omanicatinri


Rendezvous Point (RP) - What if we owned the RP?

- Traffic still encrypted, although only a single layer of encryption

- Still only content, don't know who the user is or where the HS is located

- Clients randomly select their RP so unlikely to be picked anyway

Hidden Service Directory (HSDir) - If we take a HSDir down, there are still many left

- Could potentially collect onion domains if we acted as a HSDir

Client ^ - No real way to distinguish between a Tor user accessing the web or a HS


Contains Intellectual Property ownea ana/or managea Dy uwnersnip


• Introduction Points (IPT) - All Hidden Service IPTs are listed on its descriptor (the thing that's stored

on a HSDir)

- Potential for an attack on IPTs to stop them accepting connections for the HS

- This could be done using a 'Coil Attack'

- Doesn't stop a HS selecting another set of IPTs

- HS can encrypt their IPTs in their descriptor (but not many do)


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated throughout the recipient organisation, b i ^ ^ c y g p a f j ^ ^ o r ; m u s t ^ ^ t ^ t j ^ i ^ ^ r dissemination outside the


Hidden Service (HS) - What about exploiting the HS directly?

- Potential to identify the IP addresses hidden services • But cant really say which one

- Identified a beaconing pattern from HS

- Dependant on collection posture

- Great for PRESTON

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act fë* 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 22 throughout the recipient organisation, b i ^ ^ C l j t g j P ^ ^ j s r ^ o r ; must ̂ f j f f c ^ ^ j f l f t f l v j f f dissemination outside the


© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exprnntïnn unrlpr nthpr I IK infnrmat-inn Ipnklatinn Rpfpr disclosure requests to GCHQ on


IMWJititi É É M H

0

0


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 24 throughout the recipient organisation, bi^£0|fg|paf;£9(Sjvori must l ^ j ^ t ^ t j ^ i ^ ^ r dissemination outside the


Tor helps people become anonymous

Very naughty people use Tor

Hidden Services hide the fact web content even exits!

Near impossible to figure out who is talking to who

Its complicated

Some areas for further research

Until then... Doesn't stop us from using them

) Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on

Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 25 throughout the recipient organisation, b i^^Cl j tg jP^^ js r^or ; must ^fj f fc^^jf l f t f lvjff dissemination outside the


Questions?


Contains Intellectual Property owned and/or managed by Ownership GCHQ. The material may be disseminated Slide 26 t h r o u g h o u t t h e recipient organisation, b i ^^C l j tg jP^^ j s r ^o r ; must ^fjffc^^jflftflvjff dissemination outside the

tor hidden services...jan 26, 2015 · - th usee whr o wishes to access the hidde servicn e hidden...

Documents