Tor: How it works to keep you safe online. PhutureCon 2014
1. How it works to keep you safe online
Phuturecon 2014
IceQUICK
ParkBenchIndustries.com
2. Who am I
Former USAF NOC admin (Active Duty and Contractor)
Windows/Solaris/Linux admin
IT process architect (ITIL)
Not a developer (Tor is written in C)
Tor Experience
User for 10+ years
Relay node admin for ~3 years
3. This presentation
Combined from a variety of sources
No tricks, vulnerabilities, hacks
Not ‘breaking news’
Why I trust the network
Why you should contribute
4. What is Tor?
Network of virtual tunnels
Privately Browse Internet
FREE!
Used by…
Journalists
Activists
Censorship-circumventing citizens
Military intel analysts
Law enforcement
Whistleblowers
Bloggers
Privacy-conscious users
http://www.torproject.org/
5. Tor History
~1995 - Naval Research Lab as “Onion Routing”
2002 - Converted to TOR “The Onion Router”
Code open-sourced
2006 – Tor Project Formed
501(c)(3) research-educational non-profit
Today: 60%+ of funding still from US Government
10. Life of a session
Client to Node 1 (Guard)
Perform DH Key Exchange
Acquire PFS Session Key
Use Node 1 (Guard) to repeat process to Node 2 (Relay)
Use Node 2 (Relay) to repeat process to Node 3 (Exit)
Use Node 3 to contact internet resource
Create new path every 10 minutes
Will route existing TCP sessions through existing paths
Repeat…
11. DH Key Exchange
Key Exchange
Client gets the node’s public key from directory
Client sends the first half of DH handshake encrypted with node’s public key
Node receives, decrypts it, using its private key
Node has first half (client’s) of two-way DH handshake
Node completes second half of the handshake, creating session key
Hashes the resulting session key and signs it with its private key
Node sends to client – both parties now have the session key
Verify Session Key
Client believes session key came from the router
Client decrypts session key using router's public key
Will only work if session key was signed with the router's private key
12. Uses
Web Browsing
DNS
Most services using TCP
Chat, Mail, etc.
Hidden Services
E.g. http://j8hlg2sh2hoasdh8.onion/
13. What can you do?
Run a Relay
Exit node or not
Home cable modem
VPS
Tor Cloud – Amazon
Help Develop
C, C++, Python, Java
OnionTip.com
BTC to node operators
Defend its use
Start
Router 1 (aka Guard)
DH Exchange
client gets the first onion router's public key
sends the first half of this Diffie-Hellman handshake encrypted under that first router's public key
So the first router receives that. It decrypts it, using its private key.
And then it has the first half of this two-way handshake.
It finishes the handshake, sends back the second half of the handshake to the client, and hashes the resulting session key and signs it with it
So when it finishes the handshake, now it has the session key.
Session Key for first link
Once the client receives that second half of the handshake, the client also will have the matching session key for the encryption.
To prove that the onion router also has it, the onion router hashes that key and then signs it with its private key
Verify Session Key
So the client now receives that, which it believes came from the onion router it is trying to establish a connection to. It decrypts that using that router's public key, which will only work if it was signed with the router's private key. That finishes the handshake: it establishes the secret pseudorandom session key they will use to communicate from then on, and the client is able to verify that both sides hold the same session key by decrypting the hash of the key.
The client has now established the first link securely and with authentication of the onion router.
Second Node (aka Relay)
Pick second node from directory
Repeat steps, but sending all communication through Node 1/Guard
Third Node (aka Exit)
Pick third node from directory
Repeat steps, but sending all communication through Node 2/Relay, via Node 1/Guard
Destination Service
D
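The per-hop handshake on the "DH Key Exchange" slide and the telescoping build on the "Life of a session" slide, as an added example that is not part of the original talk or of Tor's own code. It uses a constructed toy DH group and a toy SHA-256 keystream cipher; the onion-key encryption of the client's half and the router's signature over the key hash are assumed out of scope, so the node proves possession of the session key with a plain hash that the client recomputes.

```python
import hashlib, hmac, secrets

# Toy DH group, constructed for readability. Real Tor's TAP handshake used a
# 1024-bit MODP group; modern circuits use the ntor (curve25519) handshake.
P, G = 2**127 - 1, 3
H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def stream_xor(key, data):
    # Toy keystream cipher (SHA-256 in counter mode); real Tor uses AES-CTR.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = H(key, off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class Node:
    def __init__(self, name):
        self.name, self.key = name, None
    def handshake(self, client_pub):
        # Second half of the DH handshake: pick y, derive K, return g^y and H(K).
        # The slide's RSA signing of that hash is omitted in this example.
        y, g_y = dh_keypair()
        self.key = H(pow(client_pub, y, P).to_bytes(16, "big"))
        return g_y, H(b"proof", self.key)

def build_circuit(nodes):
    # One handshake per hop (guard, relay, exit); client recomputes H(K) to verify.
    keys = []
    for node in nodes:
        x, g_x = dh_keypair()
        g_y, proof = node.handshake(g_x)
        key = H(pow(g_y, x, P).to_bytes(16, "big"))
        if not hmac.compare_digest(proof, H(b"proof", key)):
            raise ValueError(f"{node.name}: session-key proof mismatch")
        keys.append(key)
    return keys

def relay_request(nodes, payload):
    # Wrap exit layer first, guard last; each hop strips one layer; return per-hop views.
    cell = payload
    for key in reversed(build_circuit(nodes)):
        cell = stream_xor(key, cell)
    views = []
    for node in nodes:
        views.append(cell := stream_xor(node.key, cell))
    return views
```

Only the exit's view equals the original payload; the guard and relay each see one fewer layer of ciphertext, which is what keeps any single node from linking the client to the destination.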