Hello list,
here is the vanguard proposal that supersedes proposal 247.
It specifies the newest vanguard design which we've been working on:
https://github.com/mikeperry-tor/vanguards
FWIW, the above project is still in experimental state and we are
expecting to launch it officially in the short term future. Until then,
feel free to experiment with it if you feel like it.
Check out the proposal and code and let us know if you have any
questions or feedback!
Thanks!
---
Filename: 292-mesh-vanguards.txt
Title: Mesh-based vanguards
Authors: George Kadianakis and Mike Perry
Created: 2018-05-08
Status: Open
Supersedes: 247
0. Motivation
A guard discovery attack allows attackers to determine the guard
node of a Tor client. The hidden service rendezvous protocol
provides an attack vector for a guard discovery attack since anyone
can force an HS to construct a 3-hop circuit to a relay (#9001).
Following the guard discovery attack with a compromise and/or
coercion of the guard node can lead to the deanonymization of a
hidden service.
1. Overview
This document tries to make the above guard discovery + compromise
attack harder to launch. It introduces a configuration
option which makes the hidden service also pin the second and third
hops of its circuits for a longer duration.
With this new path selection, we force the adversary to perform a
Sybil attack and two compromise attacks before succeeding. This is
an improvement over the current state where the Sybil attack is
trivial to pull off, and only a single compromise attack is required.
With this new path selection, an attacker is forced to do a one or
more node compromise attacks before learning the guard node of a hidden
service. This increases the uncertainty of the attacker, since
compromise attacks are costly and potentially detectable, so an
attacker will have to think twice before beginning a chain of node
compromise attacks that they might not be able to complete.
1.1. Tor integration
The mechanisms introduced in this proposal are currently implemented
partially in Tor and partially through an external Python script:
https://github.com/mikeperry-tor/vanguards
The Python script uses the new Tor configuration options HSLayer2Nodes and
HSLayer3Nodes to be able to select nodes for the guard layers. The Python
script is tasked with maintaining and rotating the guard nodes as needed
based on the lifetimes described in this proposal.
In the future, we are aiming to include the whole functionality into Tor,
with no need for external scripts.
1.2. Visuals
Here is how a hidden service rendezvous circuit currently looks like:
-> middle_1 -> middle_A
-> middle_2 -> middle_B
-> middle_3 -> middle_C
-> middle_4 -> middle_D
HS -> guard -> middle_5 -> middle_E
-> middle_6 -> middle_F
-> middle_7 -> middle_G
-> middle_8 -> middle_H
-> ...-> ...
-> middle_n -> middle_n
this proposal pins the two middle positions into a much more
restricted sets, as follows:
-> guard_2A
-> guard_3A
-> guard_1A -> guard_2B -> guard_3B
HS -> guard_3C
-> guard_1B -> guard_2C -> guard_3D
-> guard_3E
-> guard_2D -> guard_3F
Additionally, to avoid linkability, we insert an extra middle node
after the third layer guard for client side intro and hsdir circuits,
and service-side rendezvous circuits. This means that the set of
paths for Client (C) and Service (S) side look like this:
C - G - L2 - L3 - R
S - G - L2 - L3 - HSDIR
S - G - L2 - L3 - I
C - G - L2 - L3 - M - I
C - G - L2 - L3 - M - HSDIR
S - G - L2 - L3 - M - R
1.3. Threat model, Assumptions, and Goals
Consider an adversary with the following powers:
- Can launch a Sybil guard discovery attack against any node of a
rendezvous circuit. The slower the rotation period of the node,
the longer the attack takes. Similarly, the higher the percentage
of the network is compromised, the faster the attack runs.
- Can compromise any node on the network, but this compromise takes
time and potentially even coercive action, and also carries risk
of discovery.
We also make the following assumptions about the types of attacks:
1. A Sybil attack is observable by both people monitoring the network
for large numbers of new nodes, as well as vigilant hidden service
operators. It will require either large amounts of traffic sent
towards the hidden service, multiple test circuits, or both.
2. A Sybil attack against the second or first layer Guards will be
more noisy than a Sybil