System time in anonymity oriented LiveCDs
Hi list,

One issue for anonymity-oriented LiveCDs (such as T(A)ILS[1] and Liberté Linux[2]) is the system time. Tor requires a reasonably correct system time, otherwise no circuits will be opened. This is a major problem for these LiveCDs since they generally route all traffic through Tor transparently (using netfilter/iptables and the like) so no Tor circuits implies no network access for the user.

The obvious fix might seem to be to run something like NTP before Tor starts, but since NTP isn't authenticated at the moment[3] an adversary could intercept the NTP sync and force a crafted time on the user which later can be used to fingerprint the user if s/he uses some protocol/application which leaks system time. Hence NTP is out of the question.

Liberté Linux has a novel solution to this problem[4] -- it sets the system time according to the Tor consensus' valid-after/until values, which essentially removes Tor's time skew check. We T(A)ILS developers are tempted to implement the same solution, but first we'd like to ask here if this is safe, or if it opens up for any unexpected type of attacks or problems.

If anyone has a completely different solution for the system time issue we're very interested in hearing that out as well.

Cheers!

[1] https://amnesia.boum.org
[2] http://dee.su/liberte
[3] Public key authentication is in the works, supposedly, but we need a working solution _now_.
[4] https://liberte.svn.sourceforge.net/svnroot/liberte/trunk/liberte/src/root/bin/tor-date
Re: System time in anonymity oriented LiveCDs
Hi,

What about this http://www.eecis.udel.edu/~mills/ntp/html/autokey.html?

-- 
I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.

*** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: System time in anonymity oriented LiveCDs
Without understanding details of the tor design, did you mention that tor knows the "real" time? So why don't you let tor set the right time. There could be a torrc setting like "when connecting to tor set system time according to what tor says". This would require running tor as root, not as unprivileged user, but this is a Live system, so this might be no problem(?).

Would this be a nice tor extension to help the LiveCD users?

Kind Regards
Thomas

On Monday 03 January 2011, anonym wrote:
> Hi list,
>
> One issue for anonymity-oriented LiveCDs (such as T(A)ILS[1] and Liberté Linux[2]) is the system time. Tor requires a reasonably correct system time, otherwise no circuits will be opened. This is a major problem for these LiveCDs since they generally route all traffic through Tor transparently (using netfilter/iptables and the like) so no Tor circuits implies no network access for the user.
>
> The obvious fix might seem to be to run something like NTP before Tor starts, but since NTP isn't authenticated at the moment[3] an adversary could intercept the NTP sync and force a crafted time on the user which later can be used to fingerprint the user if s/he uses some protocol/application which leaks system time. Hence NTP is out of the question.
>
> Liberté Linux has a novel solution to this problem[4] -- it sets the system time according to the Tor consensus' valid-after/until values, which essentially removes Tor's time skew check. We T(A)ILS developers are tempted to implement the same solution, but first we'd like to ask here if this is safe, or if it opens up for any unexpected type of attacks or problems.
>
> If anyone has a completely different solution for the system time issue we're very interested in hearing that out as well.
>
> Cheers!
Re: System time in anonymity oriented LiveCDs
thomas.hluch...@netcologne.de wrote:
> Without understanding details of the tor design, did you mention that tor knows the "real" time? So why don't you let tor set the right time. There could be a torrc setting like "when connecting to tor set system time according to what tor says". This would require running tor as root, not as unprivileged user, but this is a Live system, so this might be no problem(?).
>
> Would this be a nice tor extension to help the LiveCD users?

Presumably some people will be running live CDs (or USBs) on systems where they don't have the necessary privilege to set the system time. To address these situations, what might be more useful is to be able to tell Tor to offset the system clock by a given amount to get the "real time". Possibly in connection with this there could be a setting which would cause Tor to automatically determine this offset at initialization.

Cheers,
Jim
Re: System time in anonymity oriented LiveCDs
Jim wrote:
> thomas.hluch...@netcologne.de wrote:
>> Without understanding details of the tor design, did you mention that tor knows the "real" time? So why don't you let tor set the right time. There could be a torrc setting like "when connecting to tor set system time according to what tor says". This would require running tor as root, not as unprivileged user, but this is a Live system, so this might be no problem(?).
>>
>> Would this be a nice tor extension to help the LiveCD users?
>
> Presumably some people will be running live CDs (or USBs) on systems where they don't have the necessary privilege to set the system time. To address these situations, what might be more useful is to be able to tell Tor to offset the system clock by a given amount to get the "real time". Possibly in connection with this there could be a setting which would cause Tor to automatically determine this offset at initialization.

Oops. Sorry about responding to my own post, but I just realized that the lack of permission problem I mentioned would pertain to running something like a Tor bundle from a USB stick on a public computer rather than running a Live CD/USB. But I still think my proposal might be useful for that situation.

Jim
Re: System time in anonymity oriented LiveCDs
Hi,

Jordi Espasa Clofent wrote (03 Jan 2011 16:48:10 GMT) :
> What about this http://www.eecis.udel.edu/~mills/ntp/html/autokey.html?

After reading this page quite quickly, it seems to me this NTP autokey feature is a way to secure exchanges between a given NTP server you manage and some clients you provide SSL client certs with. Although this seems to be working for authenticating the NTP server, this also has the severe drawback (in the Live system context this discussion arises from) of:

- forcing the Live system's authors, or someone else, to run a dedicated NTP server
- allowing a "local" attacker (say, an ISP) to very easily fingerprint this Live system's users based on the fact they send NTP (+autokey) requests to this special NTP server.

Am I mistaken?

Bye,
-- 
intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc | If you must label the absolute, use its proper name: Temporary.
Re: System time in anonymity oriented LiveCDs
Hi,

thomas.hluch...@netcologne.de wrote (03 Jan 2011 16:56:19 GMT) :
> Without understanding details of the tor design, did you mention that tor knows the "real" time?
> So why don't you let tor set the right time.

This is exactly what Liberte Linux does, and what we (T(A)ILS developers) are considering doing. We are asking here about possible security / anonymity issues that could be caused by doing this: Tor indeed distributes an approximation of the current time to the Tor users, but this is rather a side effect than an advertised feature, and this is thus probably not meant to be relied on. That's why we are asking the Tor designers / experts / developers if it sounds reasonable to rely on this distributed time to set the system clock within bounds that will allow the Tor client (Tor proxy, in Tor design's words) to work.

Bye,
-- 
intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc | The impossible just takes a bit longer.
Re: System time in anonymity oriented LiveCDs
On Mon, Jan 03, 2011 at 04:06:44PM +0100, anonym wrote:
> One issue for anonymity-oriented LiveCDs (such as T(A)ILS[1] and Liberté Linux[2]) is the system time. Tor requires a reasonably correct system time, otherwise no circuits will be opened. This is a major problem for these LiveCDs since they generally route all traffic through Tor transparently (using netfilter/iptables and the like) so no Tor circuits implies no network access for the user.
>
> Liberté Linux has a novel solution to this problem[4] -- it sets the system time according to the Tor consensus' valid-after/until values, which essentially removes Tor's time skew check. We T(A)ILS developers are tempted to implement the same solution, but first we'd like to ask here if this is safe, or if it opens up for any unexpected type of attacks or problems.

Whether this is a good idea depends on where you got the consensus. If you connect to a Tor directory mirror and it hands you a consensus from last month, and you set your clock based on it, then you've opened yourself up to exactly the attack that Tor is trying to defend against.

If your Tor fetches its consensus from a directory authority, you're in better shape, insofar as the directory authorities are probably not your adversaries. Relays do these directory fetches in the clear, though, due to an earlier bug: https://trac.torproject.org/projects/tor/ticket/827 so we're back to the authentication and integrity question there. Clients set up a TLS connection first and tunnel their directory fetches over it, so they're in slightly better shape. Do your LiveCD users always have both ORPort set to 0?

The better answer is for Tor clients to read the time out of the NETINFO cells that are part of the v2 connection handshake we added in Tor 0.2.0.x. See section 4.2 of tor-spec.txt: https://git.torproject.org/tor/doc/spec/tor-spec.txt

Using the data in NETINFO cells has been sitting on the todo list for a while: https://git.torproject.org/tor/doc/spec/proposals/149-using-netinfo-data.txt but nobody's moved it forward. Perhaps somebody wants to pick this up and do it? :)

Also, ideally you want to get an opinion from more than one directory authority. One design that I could imagine would be to, if we find a directory mirror or entry guard whose time disagrees with us, connect to a directory authority to get a stronger opinion. If the directory authority also disagrees, connect to a threshold of directory authorities and then memorize our relative clock skew based on the majority vote.

Potential complications include "what threshold should you require" and "what if you can't reach the directory authorities directly because you're in a censored area". Maybe in the latter case you should just believe your bridge's clock, because it's the one giving you the directory information anyway -- depends if the user wants her Tor to fail open (reachability) or fail closed (safety).

--Roger
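The two clock strategies discussed in this thread, Liberté's "set the clock from the consensus' valid-after/valid-until window" and Roger's "memorize the skew by majority vote over several peers' NETINFO timestamps", as an added Python example that is not code from T(A)ILS, Liberté Linux or Tor. The consensus header line names are the real dir-spec ones, but the dates, the peer timestamps, the choice of the window's midpoint and the 5-minute agreement tolerance are all constructed assumptions of this example.

```python
"""Added example (not T(A)ILS, Liberté or Tor code) of the two clock strategies
discussed in the thread:

  1. Liberté-style: derive a usable clock from the valid-after / valid-until
     window of a network-status consensus. Picking the midpoint of the window is
     this example's choice, not necessarily what Liberté's tor-date script does.
  2. Roger's proposal: estimate the local clock skew from the timestamps several
     peers report in their NETINFO cells and accept it only if a threshold of
     peers agree (majority vote), so a single lying peer cannot set our clock.

Neither step can tell a replayed, stale consensus from a fresh one on its own;
that is exactly why the vote needs more than one independent source.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed fragment of a consensus header (only the lines this example needs;
# the line names are real, the timestamps are made up).
SAMPLE_CONSENSUS = """network-status-version 3
vote-status consensus
valid-after 2011-01-03 15:00:00
fresh-until 2011-01-03 16:00:00
valid-until 2011-01-03 18:00:00
"""

_TS_LINE = re.compile(
    r"^(valid-after|fresh-until|valid-until) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$",
    re.MULTILINE)


def at(y, m, d, h=0, mi=0, s=0):
    """Helper: build an aware UTC datetime (consensus times are UTC)."""
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)


def parse_validity(consensus_text):
    """Return (valid_after, fresh_until, valid_until) as aware UTC datetimes,
    refusing a header that is incomplete or whose window is not in order."""
    found = {}
    for key, stamp in _TS_LINE.findall(consensus_text):
        found[key] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    missing = {"valid-after", "fresh-until", "valid-until"} - set(found)
    if missing:
        raise ValueError("consensus header missing: " + ", ".join(sorted(missing)))
    va, fu, vu = found["valid-after"], found["fresh-until"], found["valid-until"]
    if not va < fu < vu:
        raise ValueError("consensus validity window is not ordered")
    return va, fu, vu


def clock_status(consensus_text, local_now):
    """Where the local clock sits relative to the consensus window:
    'behind' (before valid-after), 'ahead' (after valid-until) or 'ok'."""
    va, _fu, vu = parse_validity(consensus_text)
    if local_now < va:
        return "behind"
    if local_now > vu:
        return "ahead"
    return "ok"


def time_from_consensus(consensus_text, local_now):
    """Liberté-style fix: if the local clock is outside the window, return the
    midpoint of the window as the time to set; otherwise keep the local clock."""
    va, _fu, vu = parse_validity(consensus_text)
    if va <= local_now <= vu:
        return local_now
    return va + (vu - va) / 2


def skew_by_majority(peer_times, local_now, threshold, tolerance=timedelta(minutes=5)):
    """Roger's proposal as a function: each peer's NETINFO timestamp gives one
    estimate of our skew (peer_time - local_now). Return the median estimate if
    at least `threshold` peers agree with it within `tolerance`, else None
    (fail closed: leave the clock alone on a split vote)."""
    if len(peer_times) < threshold:
        return None
    offsets = sorted(t - local_now for t in peer_times)
    n = len(offsets)
    mid = offsets[n // 2] if n % 2 else (offsets[n // 2 - 1] + offsets[n // 2]) / 2
    agreeing = [o for o in offsets if abs(o - mid) <= tolerance]
    return mid if len(agreeing) >= threshold else None


if __name__ == "__main__":
    stale_rtc = at(2010, 1, 1)  # constructed: a LiveCD booted on a box with a stale RTC
    print(clock_status(SAMPLE_CONSENSUS, stale_rtc))          # behind
    print(time_from_consensus(SAMPLE_CONSENSUS, stale_rtc))   # 2011-01-03 16:30:00+00:00
    now = at(2011, 1, 3, 16, 0, 0)
    # Three honest peers a few seconds off, one peer reporting a time 28 hours back.
    peers = [at(2011, 1, 3, 16, 0, 10), at(2011, 1, 3, 16, 0, 5),
             at(2011, 1, 3, 15, 59, 58), at(2011, 1, 2, 12, 0, 0)]
    print(skew_by_majority(peers, now, threshold=3))           # 0:00:01.500000
```

The vote fails closed on purpose: with `threshold=4` the same four peers return `None`, because the outlier does not agree with the median, and the clock is left untouched rather than trusting a minority.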
Re: System time in anonymity oriented LiveCDs
On Mon, Jan 03, 2011 at 04:06:44PM +0100, anonym wrote:
> Hi list,
>
> Liberté Linux has a novel solution to this problem[4] -- it sets the system time according to the Tor consensus' valid-after/until values, which essentially removes Tor's time skew check. We T(A)ILS developers are tempted to implement the same solution, but first we'd like to ask here if this is safe, or if it opens up for any unexpected type of attacks or problems.
>
> If anyone has a completely different solution for the system time issue we're very interested in hearing that out as well.
>
> Cheers!
>
> [1] https://amnesia.boum.org

The latest T(A)ILS is using HTP instead of NTP: https://amnesia.boum.org/contribute/design/HTP/

(I hesitated to post this but it doesn't seem to have come up here so far even though people linked to the T(A)ILS site.)
Re: System time in anonymity oriented LiveCDs
13/01/11 04:28, Roger Dingledine:
> If your Tor fetches its consensus from a directory authority, you're in better shape, insofar as the directory authorities are probably not your adversaries.

But if we'd force this, we'd be distinguishable from other Tor clients to some extent, I suppose.

> Relays do these directory fetches in the clear, though, due to an earlier bug: https://trac.torproject.org/projects/tor/ticket/827 so we're back to the authentication and integrity question there. Clients set up a TLS connection first and tunnel their directory fetches over it, so they're in slightly better shape. Do your LiveCD users always have both ORPort set to 0?

Yes, ORPort is set to 0 per default. However, a user could easily become an OR by fiddling around in Vidalia.

> The better answer is for Tor clients to read the time out of the NETINFO cells that are part of the v2 connection handshake we added in Tor 0.2.0.x. See section 4.2 of tor-spec.txt: https://git.torproject.org/tor/doc/spec/tor-spec.txt

You mean that we should read this value when our Tor client makes its very first try to establish a connection to a directory server/mirror? How is this any safer than checking the consensus' valid-after/until values? The mirror we connect to could be compromised, and send us an appropriate timestamp and then replay any old consensus.

> Using the data in NETINFO cells has been sitting on the todo list for a while: https://git.torproject.org/tor/doc/spec/proposals/149-using-netinfo-data.txt but nobody's moved it forward. Perhaps somebody wants to pick this up and do it? :)

I'm not sure I understand this proposition (alternatively I don't understand NETINFO cells). It says we don't want to simply trust the NETINFO cell timestamp and IP address blindly, but instead we want some sort of majority "vote" based on the NETINFO cell values of several nodes. I can understand how that makes sense for the timestamp, but the IP address? My understanding is that when a node sends a NETINFO cell, its IP address value should be the sending node's real IP address. Hence, how can looking at other nodes' NETINFO cells help validate the IP address? They should all be pair-wise different.

> Also, ideally you want to get an opinion from more than one directory authority. One design that I could imagine would be to, if we find a directory mirror or entry guard whose time disagrees with us, connect to a directory authority to get a stronger opinion. If the directory authority also disagrees, connect to a threshold of directory authorities and then memorize our relative clock skew based on the majority vote.

How do you propose we'd do this? Remember: we have no directory information when we want to set the time, and the time needs to be set before we get the consensus (otherwise we cannot trust it). Is this a catch-22?