[tor-dev] Defending against guard discovery attacks by pinning middle nodes

Mike Perry mikeperry at torproject.org
Tue Nov 11 23:25:17 UTC 2014

A. Johnson:
> >> The idea would be that Guard_3 would rotate on the order of hours,
> >> Guard_2 would come from a set that is rotated on the order of days
> >> (based on the expected duration for the adversary to become
> >> Guard_3), and Guard_1 would rotate on the order of months (based on
> >> the expected duration for the adversary to become Guard_2).
> > 
> > Why set guard 2 to expire in days? If that is less than surveillance
> > speed, then once the adversary had guard 3, it’s game over.
> Sorry, I should have stated this more clearly as "If that is greater
> than the time needed for surveillance”. And I can imagine rotating
> guard 2 faster than guard 1 for performance reasons (faster rotation
> more quickly takes advantage of new capacity in the network). But the
> only reason that I can see treating guard 2 differently than guard 1
> is that you judge the “cost" of the attack starting from guard 2 to be
> higher, thus compensating for the increase in attack speed. That is,
> if guard 2 rotates to a malicious relay, the adversary still has to
> identify and then do a targeted compromised of guard 1, while if a
> malicious relay is selected as guard 1, then the target HS can be
> relatively easily observed directly. Such an argument is hard to
> evaluate carefully, because the costs in terms of added technical and
> legal complexity are hard to estimate. For example, at what point is
> it “cheaper" to run more malicious nodes and/or wait longer in hopes
> of obtaining guard 1 than to try and identify guard 2 but then have to
> perform surveillance on an identified guard 1?

Well, based on your analysis, I was actually proposing a hybrid scheme
somewhere between "virtual circuits" (which win out for load balancing)
and "two layers of single guards" (which may win out for security, but
only if you make certain assumptions about how the adversary can
compromise nodes). Going back to my diagram:

HS -> Guard_1 -> Guard_2 -> Guard_3 -> RP.

The idea is that Guard_1 is a single node that you choose and keep for
O(6 months, or as long as possible), but Guard_2 actually comes from a
set of 3-6 or so nodes that you keep for O(weeks), and Guard_3 you
rotate something like O(hours).

The reason they then are "treated differently" in terms of rotation
lifespan is that this hybrid scheme naturally exposes you to more of the
network in a given time period in the Guard_2 position, and even more in
the Guard_3 position. So these two positions would have shorter
durations for a given probability of compromise (by selecting a
malicious node), simply because they rotate faster.

In other words, these timespans are based entirely on compromise
probabilities over many rotation periods, and have less to do with
how long it takes to compromise a node once you discover it.

The hope behind my reasoning is that if it is incredibly likely for you
to rotate your guard(s) before they are discovered, guard discovery
attacks lose their value.

OTOH, perhaps I am reasoning about this wrong, and it is operationally
better to stick with a guard node in the second position for as long as
you stick with your first guard. In my mind, having identical rotation
periods is only better if you subscribe to the theory that compromising
a node is a noisy process, and unlikely to succeed in repeated
succession. In which case, you probably just want a static route of
exactly three (and only three) guard nodes, fixed for the lifetime of
your HS. At least, if you want the most security in this threat model.

Does this make sense?
> So I would argue to protect guard 2 as much as guard 1, and then look
> for other, better understood, methods to improve performance. Some fun
> methods that come to mind are (i) carefully choosing number of primary
> and secondary guards and (ii) trying to reduce the HS path length, and
> (iii) allowing HSes to pay for improved performance (yes, I haven’t
> given up on this idea, haha). Exposing to the HS operator the options
> controlling the security/performance tradeoff may also be a good
> option.

Do you subscribe to the "it's cumbersome and noisy to compromise a node
(and therefore you should sit on your routes as long as possible until
they break)" threat model, or the "it's likely quiet and/or quick (and
therefore all we can do is try to improve the statistics to reduce the
likelihood of compromise early in the rotation period)" threat model? Or
is there an additional threat model/goal we should be aiming to satisfy

It sounds like you subscribe to the first "it's cumbersome to compromise
a node, so keep a fixed route" threat model and goal, right? Would it
make you more nervous if the exit was also fixed? If so, why? If not,
why not?

If we agree that is the best threat model (and I'm not fully convinced
yet, but I could be), then it does sound like we're arriving at three or
four different path selection algorithms that are successively worse for
security under this threat model, but better for performance (three
layer guards, two layer guards, variable position sets+lifespans, and
virtual circuits).

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141111/3b7d40c0/attachment.sig>

More information about the tor-dev mailing list