Experiment: How to disguise the use of Tor to bypass blocks


Internet censorship is becoming an increasingly important problem around the world. This leads to an intensified "arms race" - government agencies and private corporations in different countries seek to block various content and struggle with means to bypass such restrictions, while developers and researchers strive to create effective tools to combat censorship.

Researchers from Carnegie Mellon University, Stanford University and SRI International conducted an experiment in which they developed a special service for masking the use of Tor, one of the most popular tools for bypassing blocks. Here is an account of the work done by the researchers.

Tor against blocking

Tor provides user anonymity by using special relays, that is, intermediate servers between the user and the site they need. Usually there are several relays between the user and the site, each of which can decrypt only a small part of the transmitted packet: exactly enough to learn the next hop in the chain and forward the packet there. As a result, even if a relay controlled by attackers or censors is added to the chain, they cannot learn both the source and the destination of the traffic.

As an anti-censorship tool, Tor works well, but censors still have the ability to block it entirely. Iran and China have run successful blocking campaigns: they were able to identify Tor traffic by inspecting TLS handshakes and other distinguishing characteristics of Tor.

Subsequently, the developers managed to adapt the system to bypass these blocks. The censors responded by blocking HTTPS connections to numerous sites, including Tor. The project developers then created the obfsproxy program, which additionally encrypts traffic. This arms race continues to this day.

Initial data of the experiment

The researchers decided to develop a tool that would mask the use of Tor to make it possible to use it even in regions where the system is completely blocked.

As initial assumptions, the researchers put forward the following:

  • The censor controls an isolated internal network segment that connects to the external, uncensored Internet.
  • The blocking authorities control the entire network infrastructure within the censored network segment, but not the software on end-user computers.
  • The censor seeks to prevent users from accessing material that is undesirable from its point of view; it is assumed that all such material is located on servers outside the controlled network segment.
  • The routers on the perimeter of this segment analyze the unencrypted data of all packets in order to block unwanted content and prevent the corresponding packets from crossing the perimeter.
  • All Tor relays are located outside the perimeter.

How it works

To mask the use of Tor, the researchers created the StegoTorus tool. Its main goal is to improve Tor's ability to resist automated protocol analysis. The tool sits between the client and the first relay in the chain and uses its own encryption protocol together with steganography modules to make Tor traffic difficult to identify.

In the first step, a module called the chopper comes into play: it converts the traffic into a sequence of blocks of varying lengths, which are then sent on out of order.


Data is encrypted using AES in GCM mode. The block header contains a 32-bit sequence number, two length fields (d and p) that indicate the amount of data and padding, a special field F, and a 56-bit check field whose value must be zero. The minimum block length is 32 bytes and the maximum is 2^17 + 32 bytes. The length is controlled by the steganography modules.
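As an added illustration (not the researchers' code), the following Python sketch frames a byte stream into chopper-style blocks with the header described above, delivers them out of order, validates the zero check field on receipt and restores the original order. The widths of d, p and F (16, 16 and 8 bits, giving a 16-byte header), the use of the sequence number as a plain block counter and the random length choice are assumptions made here; the AES-GCM encryption of the real protocol is omitted, and only its 16-byte tag is accounted for in the size arithmetic.

```python
import random
import struct

# Assumed header layout: seq (32-bit), d (16-bit), p (16-bit), F (8-bit),
# check (56-bit, must be zero). Total 16 bytes, exactly one AES block.
HDR = struct.Struct(">IHHB7s")
HDR_LEN = HDR.size          # 16
TAG_LEN = 16                # AES-GCM tag appended to a real block
CHECK = b"\x00" * 7         # 56-bit check field: any other value means garbage

def pack_block(seq, data, pad, flags=0):
    """Frame one plaintext block: header + data + padding (tag not shown)."""
    if len(data) > 0xFFFF or len(pad) > 0xFFFF:
        raise ValueError("d and p are 16-bit fields in this sketch")
    return HDR.pack(seq, len(data), len(pad), flags, CHECK) + data + pad

def unpack_block(block):
    """Parse a block; refuse it unless the 56-bit check field is all zero."""
    seq, d, p, flags, check = HDR.unpack(block[:HDR_LEN])
    if check != CHECK:
        raise ValueError("nonzero check field: not a valid block")
    if len(block) != HDR_LEN + d + p:
        raise ValueError("length fields do not match block size")
    return seq, flags, block[HDR_LEN:HDR_LEN + d]

def is_valid_block(block):
    """True if the block parses and passes the check-field test."""
    try:
        unpack_block(block)
        return True
    except (ValueError, struct.error):
        return False

def chop(stream, seed=None, max_len=500):
    """Split a stream into variable-length blocks and shuffle them for sending.
    Lengths here are random; in StegoTorus the steganography module picks them."""
    rng = random.Random(seed)
    blocks, seq, pos = [], 0, 0
    while pos < len(stream):
        n = rng.randint(1, max_len)
        pad = b"\x00" * rng.randint(0, 16)
        blocks.append(pack_block(seq, stream[pos:pos + n], pad))
        seq, pos = seq + 1, pos + n
    rng.shuffle(blocks)
    return blocks

def reassemble(blocks):
    """Receiver side: validate every block, then restore order by seq."""
    parts = {seq: data for seq, _f, data in map(unpack_block, blocks)}
    return b"".join(parts[k] for k in sorted(parts))
```

Minimum block size follows directly from the layout: an empty header-only block plus the tag is 16 + 16 = 32 bytes, matching the figure in the text.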

When a connection is established, the first few bytes of information are a handshake message, with which the server understands whether it is dealing with an existing or a new connection. If the connection belongs to a new link, then the server replies with a handshake, and each of the participants in the exchange extracts session keys from it. In addition, the system implements a rekeying mechanism - it is similar to session key allocation, but blocks are used instead of handshake messages. This mechanism changes the sequence number but does not change the link ID.

After both participants in the data exchange have sent and received a fin block, the link is closed. To protect against replay attacks and delayed block delivery, both participants must remember the link ID for some time after closing.

The built-in steganography module hides Tor traffic inside a p2p protocol resembling the one Skype uses for encrypted VoIP calls. The HTTP steganography module simulates unencrypted HTTP traffic, mimicking a real user with an ordinary browser.

Attack resistance

In order to test how much the proposed method improves the efficiency of Tor, the researchers developed two types of attacks.

The first is to separate Tor streams from other TCP streams based on the fundamental characteristics of the Tor protocol; this is the method used by the Chinese government's blocking system. The second attack examines streams already known to be Tor in order to extract information about which sites the user has visited.

The researchers confirmed the effectiveness of the first type of attack against "vanilla Tor": for this they collected traces of visits to the Alexa.com top 10 sites, twenty times each, through regular Tor, obfsproxy and StegoTorus with the HTTP steganography module. As a reference for comparison, the CAIDA dataset of port 80 traffic was used, since almost all of these are HTTP connections.

The experiment showed that plain Tor is quite easy to detect. The Tor protocol is too distinctive and has a number of characteristics that are easy to pick out; for example, its TCP connections last 20-30 seconds. The obfsproxy tool does little to hide these telltale signs either. StegoTorus, in turn, generates traffic that is much closer to the CAIDA reference.


For the visited-sites attack, the researchers compared the likelihood of such data being disclosed for "vanilla Tor" and for their StegoTorus solution, using AUC (Area Under Curve) as the metric. The analysis showed that with regular Tor and no additional protection, the probability of disclosing which sites were visited is significantly higher.


Conclusion

The history of the confrontation between governments that censor the Internet and the developers of circumvention systems suggests that only comprehensive protection measures can be effective. Using a single tool cannot guarantee access to the needed data, nor that the fact of bypassing the block will remain unknown to the censors.

Therefore, when using any tools for ensuring privacy and access to content, it is important not to forget that there are no ideal solutions, and, if possible, to combine different methods to achieve the greatest efficiency.


Source: habr.com
