commit 1dd430acb841b2f64ffbad9c1ff9aed655572379 Author: Steven Murdoch Steven.Murdoch@cl.cam.ac.uk Date: Mon Nov 5 18:12:26 2012 +0000
Updates to Introduction --- tor-design-2012.tex | 100 ++++++++++++++++++++++++++++++++++++-------------- 1 files changed, 72 insertions(+), 28 deletions(-)
diff --git a/tor-design-2012.tex b/tor-design-2012.tex index 1b74b5e..da7c70b 100644 --- a/tor-design-2012.tex +++ b/tor-design-2012.tex @@ -145,10 +145,10 @@ proxy'' for each supported application protocol---most of which were never written, so many applications were never supported. Tor uses the standard and near-ubiquitous SOCKS~\cite{socks4} proxy interface, allowing us to support most TCP-based programs -without modification. Tor now relies on the filtering features -of privacy-enhancing application-level proxies such as -Privoxy~\cite{privoxy}, without trying to duplicate those -features itself. +without modification. For the protocol cleaning of HTTP and +HTTPS, Tor relies on Torbutton~\cite{torbutton} (a Firefox +add-on) and modifications made to the version of Firefox +delivered to users as part of the Tor Browser Bundle.
\textbf{No mixing, padding, or traffic shaping (yet):} Onion Routing originally called for batching and reordering cells as @@ -177,7 +177,9 @@ every request, and also presented a threat to anonymity from building so many circuits; see Section~\ref{sec:maintaining-anonymity}. Tor multiplexes multiple TCP streams along each circuit to improve efficiency -and anonymity. +and anonymity, but allows the user to control which streams may +share a circuit with which other streams to prevent unintended +linking of pseudonyms.
\textbf{Leaky-pipe circuit topology:} Through in-band signaling within the circuit, Tor initiators can direct traffic to nodes @@ -200,16 +202,19 @@ until the congestion subsides. % We've been working on this some; we have found that our current approach % doesn't work so well. -NM
-\textbf{Directory servers:} The earlier Onion Routing design +\textbf{Directory authorities:} The earlier Onion Routing design planned to flood state information through the network---an approach that can be unreliable and complex. Tor takes a simplified view toward distributing this information. Certain -more trusted nodes act as \emph{directory servers}: they provide -signed directories describing known routers and their current -state. Users periodically download them via HTTP. +more trusted nodes act as \emph{directory authorities}: they +provide signed directories describing known routers and their +current state. Users periodically download them directly from +the authorities or from a mirror, via HTTP tunelled over a Tor +circuit. % The above paragraph is almost right. But the more trusted nodes are called % ``authorities'' and we use http-over-tor to fetch stuff. There's a layer % of caches too. -NM +% Believed done - SJM
\textbf{Variable exit policies:} Tor provides a consistent mechanism for each node to advertise a policy describing the @@ -255,6 +260,29 @@ network stands at 32 nodes spread over two continents. % The above figure is wrong; the above paragraph doesn't summarize our status % well -NM
+\textbf{Censorship resistance:} A growing number of Tor users +require not only anonymous communications but also censorship +resistance. Tor circumvents attempts to block access to the +network by allowing users to access the network via a ``bridge'' +-- a special purpose Tor node which does not appear in the +directory and whose IP address is only known by a small number +of individuals to reduce the chance of it being blocked by IP +address. The Tor protocol has also been designed to be similar +to HTTPS such that blocking Tor, without blocking HTTPS, is made +more difficult. + +\textbf{Modular architecture:} The Tor program is only one part +of an effective anonymous communication system and Tor provides +functionality to integrate with other components to fulfil a +wide variety of user requirements. The graphical user interface +is a separate program (Vidalia, in the Tor Browser Bundle, but +alternatives exist) which communicates with Tor via a local +socket -- the ``control port''. Special-purpose controllers have +also been developed by researchers to analyse Tor and prototype +modifications. Additional resistance against protocol +fingerprinting, for the purposes of censorship resistance, may +be provided by an external ``pluggable transport'' obfuscator. + We review previous work in Section~\ref{sec:related-work}, describe our goals and assumptions in Section~\ref{sec:assumptions}, and then address the above list @@ -485,6 +513,15 @@ that integrates the best accepted approaches to protecting anonymity.\ % Do we keep the above? -NM
+\textbf{Resistant to censorship:} Many users will be using an +anonymous communication system because they are accessing +websites which may be frowned upon by their country, and so are +blocked. Consequently countries may choose to block access to +the Tor network in order to meet their goal of blocking access +to the sites in question. Tor should therefore be resistant to +censorship, both blocking by IP address and blocking as a result +of protocol fingerprinting. + \noindent{\large\bf Non-goals}\label{subsec:non-goals}\ In favoring simple, deployable designs, we have explicitly deferred several possible goals, either because they are solved @@ -505,19 +542,22 @@ Section~\ref{sec:maintaining-anonymity} for more discussion. \textbf{No protocol normalization:} Tor does not provide \emph{protocol normalization} like Privoxy or the Anonymizer. If senders want anonymity from responders while using complex and -variable protocols like HTTP, Tor must be layered with a -filtering proxy such as Privoxy to hide differences between -clients, and expunge protocol features that leak identity. Note -that by this separation Tor can also provide services that are -anonymous to the network yet authenticated to the responder, -like SSH. Similarly, Tor does not integrate tunneling for -non-stream-based protocols like UDP; this must be provided by an -external service if appropriate. +variable protocols like HTTP or HTTPS, Tor must be layered with a +specialized web browser to hide differences between clients, and +expunge protocol features that leak identity. Note that by this +separation Tor can also provide services that are anonymous to +the network yet authenticated to the responder, like SSH. +Similarly, Tor does not integrate tunneling for non-stream-based +protocols like UDP; this must be provided by an external service +if appropriate. % Filtering proxies: no! Specialized browsers: yes! -NM +% Believed done -SJM
-\textbf{Not steganographic:} Tor does not try to conceal who is -connected to the network. +%\textbf{Not steganographic:} Tor does not try to conceal who is +%connected to the network. % This is no longer a goal. -NM +% In fact it is contradictory to ``Resistant to censorship''. +% Removed -SJM
\subsection{Threat Model} \label{subsec:threat-model} @@ -579,15 +619,17 @@ well the Tor design defends against each of these attacks. The Tor network is an overlay network; each onion router (OR) runs as a normal user-level process without any special privileges. Each onion router maintains a TLS~\cite{TLS} -connection to every other onion router. Each user runs local -software called an onion proxy (OP) to fetch directories, -establish circuits across the network, and handle connections -from user applications. These onion proxies accept TCP streams -and multiplex them across the circuits. The onion router on the -other side of the circuit connects to the requested destinations -and relays data. -% Is our topology actually clique any longer? -NM -% Perhaps mention that the OR and the OP are the same software. -NM +connection to onion routers to which it has been recently +communicating with. Each user runs local software called an +onion proxy (OP) to fetch directories, establish circuits across +the network, and handle connections from user applications. +These onion proxies accept TCP streams and multiplex them across +the circuits. The onion router on the other side of the circuit +connects to the requested destinations and relays data. +% Is our topology actually clique any longer? -NM Perhaps +% I've changed this to indicate the fact that unused links are +% timed out -SJM +% mention that the OR and the OP are the same software. -NM
Each onion router maintains a long-term identity key and a short-term onion key. The identity key is used to sign TLS @@ -2053,3 +2095,5 @@ overall usability. % 'Substitute ``Damn'' every time you're inclined to write ``very;'' your % editor will delete it and the writing will be just as it should be.' % -- Mark Twain + +% vim:tw=64:ruler