[tor-dev] The limits of timing obfuscation in obfs4

[David Fifield]

Web page with graphics: https://people.torproject.org/~dcf/obfs4-timing/

I was experimenting with ways to better obfuscate the timing signature
of Tor-in-obfs4, while staying compatible with the obfs4 specification.
I tried to make a constant bitrate mode that sends 500 bytes every
100 ms, in which the size and timing of obfs4 packets is independent of
the TLS packets underneath. It turns out that obfs4 mostly makes this
possible, with one exception: a gap in the client traffic while the
client waits for the server's handshake response, during which time the
client cannot send anything because it doesn't yet know the shared key.

Currently, the implementation of obfs4 sends data only when the
underlying process (i.e., tor) has something to send. When tor is quiet,
obfs4 is quiet; and when tor wants to send a packet, obfs4 sends a
packet without delay. obfs4 does add a random amount of padding to its
packets, which slightly alters the packet size signature but not the
timing signature. Even the modes that add short interpacket delays
(iat-mode=1 and iat-mode=2) only really have an effect on bulk
upload/download—they don't have much of an effect on the initial
handshake. See the first three rows of the attached graphic—the timing
of the first dozen or so packets hardly varies across the three modes.

This design, where obfs4 only sends packets when driven by tor, is an
implementation choice and isn't inherent in the protocol. obfs4's
framing structure [spec §5] allows for frames that contain only padding:

++--++--+++
|  2 bytes   | 16 bytes | 1 byte |   2 bytes| (optional) | 
(optional) |
| Frame len. |   Tag|  Type  | Payload len. |  Payload   |  Padding 
  |

++--++--+++
 \_ Obfs.  _/ \___ NaCl secretbox (Poly1305/XSalsa20) 
___/
obfs4 could send padding frames (at whatever size and rate) during the
times when tor is quiet. The current implementation, in pseudocode,
works like this (transports/obfs4/obfs4.go obfs4Conn.Write):
on recv(data) from tor:
send(frame(data))
If it instead worked like this, then obfs4 could choose its own packet
scheduling, independent of tor's:
on recv(data) from tor:
enqueue data on send_buffer

func give_me_a_frame(): # never blocks
if send_buffer is not empty:
dequeue data from send buffer
return frame(data)
else:
return frame(padding)

in a separate thread:
buf = []
while true:
while length(buf) < 500:
buf = buf + give_me_a_frame()
chunk = buf[:500]
buf = buf[500:]
send(chunk)
sleep(100 ms)
The key idea is that give_me_a_frame never blocks: if it doesn't have
any application data immediately available, it returns a padding frame
instead. The independent sending thread calls give_me_a_frame as often
as necessary and obeys its own schedule. Note also that the boundaries
of chunks sent by the sending thread are independent of frame
boundaries. Yawning points me to this code in basket2 that uses the same
idea of independently sending padding according to a schedule:
https://git.schwanenlied.me/yawning/basket2/src/72f203e133c90a26f68f0cd33b0ce90ec6a6b76c/padding_tamaraw.go

I attach a proof-of-concept patch for obfs4proxy that makes it operate
in a constant bitrate mode. You can see its timing signature in the
fourth row of the attached graphic. With this proof of concept, I'm not
trying to claim that a constant bitrate is good for performance or for
censorship resistance. It's just an example of shaping obfs4's traffic
pattern in a way that is independent of the underlying stream. The fifth
row of the graphic shows a more complicated sine wave pattern—it could
be anything.

You will however notice an oddity in the fourth and fifth rows of the
graphic, a gap in the stream of client packets. This is what I alluded
to in the first paragraph, where after the client has sent its client
handshake but before it has received the server handshake, the client
doesn't yet know the shared key. Because every frame sent after the
handshake needs to begin with a tag that depends on the shared key, the
client cannot send anything, not even padding, until it receives the
server's reponse. During this time, the give_me_a_frame function has no
choice but to block.

k = ephemeral key
p = random amount of padding
m = MAC signifying end of padding
a = authentication tag
d = data frames
The obfs4 client handshake looks like this [spec §4]:
k | p | m
The server doesn't reply until it has verified the client's MAC, which
p

Re: [tor-dev] .onion name resolution with Blockstack

[Jude Nelson]

> In case you missed it, you could test this implementation with
> https://github.com/meejah/torns -- which functions similarly to the Stem
> / OnionNS thing but speaks to the actual plugins uning the Prop279
> protocol over stdin/out.

I saw that :)  We'll be using that as the reference test harness.

Best,
Jude

On Sun, Jun 11, 2017 at 2:31 PM, meejah  wrote:

> Jude Nelson  writes:
>
> > We plan to add support to the stdin/stdout protocol in Prop279 as
> > well.
>
> Neat!
>
> In case you missed it, you could test this implementation with
> https://github.com/meejah/torns -- which functions similarly to the Stem
> / OnionNS thing but speaks to the actual plugins uning the Prop279
> protocol over stdin/out.
>
> --
> meejah
> ___
> tor-dev mailing list
> tor-dev@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>



-- 

*JUDE NELSON*   *ENGINEERING PARTNER  @BlockstackLabs*
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] Open topics of prop247: Defending Against Guard Discovery Attacks using Vanguards

[Jaskaran Singh]

Hi George,

On Wednesday 17 May 2017 05:21 PM, George Kadianakis wrote:
> 1.1. Visuals
>
>  Here is how a hidden service rendezvous circuit currently looks like:
>
> -> middle_1 -> middle_A
> -> middle_2 -> middle_B
> -> middle_3 -> middle_C
> -> middle_4 -> middle_D
>   HS -> guard   -> middle_5 -> middle_E -> Rendezvous Point
> -> middle_6 -> middle_F
> -> middle_7 -> middle_G
> -> middle_8 -> middle_H
> ->   ...->  ...
> -> middle_n -> middle_n
>
>  this proposal pins the two middles nodes to a much more restricted
>  set, as follows:
>
>  -> guard_3A_A
> -> guard_2_A -> guard_3A_B
>  -> guard_3A_C -> Rendezvous Point
>   HS -> guard_1
>  -> guard_3B_D
> -> guard_2_B -> guard_3B_E
>  -> guard_3B_F -> Rendezvous Point
>
>
>  Note that the third level guards are partitioned into buckets such that
>  they are only used with one specific second-level guard. In this way,
>  we ensure that even if an adversary is able to execute a Sybil attack
>  against the third layer, they only get to learn one of the second layer
>  Guards, and not all of them. This prevents the adversary from gaining
>  the ability to take their pick of the weakest of the second-level
>  guards for further attack.

I think this scheme works like if there are x number of third level
guards, then they are divided into buckets of x/k number of guards each,
where k is the number of second level guards. Now, I feel that dividing
guards into buckets is a little pointless. Suppose we have 1000 possible
third level guards, and 500 possible second level guards. We have to
select 4 third level guards for each bucket, and 2 second level guard
for each hidden service. Now even in this case the adversary has to do
as much effort as before. What if the guards are divided into buckets,
at least now the possible pool of third level guards in which the sybil
attack is to be conducted get reduced. So the 1000 third level guards
get divided into pool of 500 each. Hence easier to accomplish that
attack, but for that the adversary has to allocate 2x resources if she
wants to take advantage of that. So net result is zero.

I haven't had my coffee, so please correct me if I'm wrong somewhere :)

Regards,
-- 
Jaskaran Veer Singh (jvsg)
jvsg1303 at gmail dot com
PGP 2814 3FB7 A32D 429B 092E 27F0 8AA3 C532 9E1A 6AD8

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] .onion name resolution with Blockstack

[meejah]

Jude Nelson  writes:

> We plan to add support to the stdin/stdout protocol in Prop279 as
> well.

Neat!

In case you missed it, you could test this implementation with
https://github.com/meejah/torns -- which functions similarly to the Stem
/ OnionNS thing but speaks to the actual plugins uning the Prop279
protocol over stdin/out.

-- 
meejah
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev