Until 2012 the intelligence agencies had failed to de-anonymize the Tor network

Pierluigi Paganini December 30, 2014

A new collection of documents leaked by Snowden and disclosed by Der Spiegel reveals the difficulty intelligence agencies had in de-anonymizing Tor users

A new collection of NSA documents leaked by Edward Snowden was published online over the weekend: the German news magazine Der Spiegel released a dump of PDF files detailing how the intelligence agencies of the Five Eyes alliance (USA, UK, Australia, Canada and New Zealand) attack popular anonymizing technologies.


The documents cover the period from 2010 to 2012 and offer an interesting view of the activities run by the intelligence services of the five countries to break strong encryption online and de-anonymize users.

As you know, I am very interested in the efforts of the NSA and its allies to de-anonymize Tor users, and among the files I found a document dated June 2011 that analyzes a technique to track them.

“A potential technique to deanonymise users of the TOR network”.

The 18-page document, classified "UK TOP SECRET STRAP1 COMINT", describes a traffic-timing technique that GCHQ had tested for de-anonymizing Tor users:

“We have shown a technique that can deanonymise TOR web-browsing given packet times between the client and guard node and packet times from the exit node filtered to a single circuit. The false positive rate looks low enough to suggest this technique should be carried forward.

The required data is not collected at present. For this technique to work the following additional data feeds will be required:

  • Second-accurate packet logging at TOR exit nodes we control with packets labelled by a unique circuit identifier.
  • Second-accurate packet logging of sessions between TOR clients and TOR guard nodes. This data could be obtained by SIGINT [signals intelligence] or by running guard nodes. The SIGINT solution would require an up-to-date feed of TOR “consensus” documents; TOR IP addresses could then be extracted from the “consensus” documents for filtering by the SIGINT system.

At the time of writing JTRIG [Joint Threat Research Intelligence Group] are investigating the collection of the exit node data and ICTR-FSP are trialling a feed of guard node data from research bearers.”

The document also explains why British intelligence could not yet track a circuit through the Tor network in practice: the required data (second-accurate, circuit-labelled packet logs at exit nodes and packet logs of the client-to-guard hop) was not being collected, and the technique still needed test sessions on live traffic to confirm that its false-positive rate was really as low as the research suggested. The researchers compared two different sources of data:

  • Timing of the sessions between Tor clients and guard nodes, obtained either by SIGINT collection or by running guard nodes.
  • Timing of the traffic leaving Tor exit nodes run by JTRIG, filtered down to a single circuit.
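The attack the document sketches is an end-to-end traffic confirmation: an observer who sees the packet timing on a client's hop to its guard node and the timing of a single circuit at an exit node it controls can correlate the two series and, if one client stands out, name the user behind the circuit. The block below is an added illustration of that correlation step, written for this article; it is not GCHQ's code, and the client and circuit labels, the per-second packet counts and the threshold values are all constructed for the example. It goes slightly beyond the text by showing the false-positive control the document worries about: a circuit is reported as unmatched unless one client both clears an absolute correlation threshold and leads the runner-up by a margin.

```python
"""Timing correlation of the kind the GCHQ note describes, on constructed
data: per-second packet counts on the client<->guard hop are matched against
per-second packet counts of individual exit-node circuits."""
import math

# Constructed per-second packet counts {second: packets}; all labels are hypothetical.
# Guard side: one series per client seen talking to a guard node (SIGINT or own guard).
GUARD_SERIES = {
    "client_A": {0: 3, 1: 1, 4: 2, 7: 4, 9: 1},                     # bursty web browsing
    "client_B": {t: (2 if t % 3 == 2 else 1) for t in range(13)},  # near-constant stream
    "client_C": {2: 2, 6: 3, 10: 2},
}
# Exit side: one series per circuit id, as an exit node the observer controls can log.
EXIT_SERIES = {
    "circuit_1": {1: 3, 2: 1, 5: 2, 8: 4, 10: 1},                       # client_A, delayed 1 s
    "circuit_2": {t + 1: (2 if t % 3 == 2 else 1) for t in range(12)},  # client_B, delayed 1 s
    "circuit_3": {3: 4, 11: 1},                  # a client that no monitored guard saw
}


def to_vector(counts, start, end):
    """Dense per-second vector over [start, end], zero where nothing was logged."""
    return [counts.get(t, 0) for t in range(start, end + 1)]


def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if sa == 0 or sb == 0:
        return 0.0
    return cov / (sa * sb)


def best_lag(client_vec, exit_vec, max_lag):
    """Exit traffic trails the client by network latency: try lags 0..max_lag
    seconds and return (best r, lag)."""
    best = (-1.0, 0)
    n = len(client_vec)
    for lag in range(max_lag + 1):
        r = pearson(client_vec[:n - lag], exit_vec[lag:])
        if r > best[0]:
            best = (r, lag)
    return best


def correlate(guard_series, exit_series, threshold=0.8, margin=0.2, max_lag=2):
    """For each exit circuit, name the guard-side client whose timing matches it.
    A match needs r >= threshold AND a lead of >= margin over the runner-up, so a
    circuit that resembles several clients is reported as unmatched rather than
    pinned on the wrong user (the false-positive control)."""
    seconds = [t for s in list(guard_series.values()) + list(exit_series.values()) for t in s]
    start, end = min(seconds), max(seconds)
    results = {}
    for circuit, ecounts in exit_series.items():
        evec = to_vector(ecounts, start, end)
        scored = sorted(
            ((*best_lag(to_vector(g, start, end), evec, max_lag), client)
             for client, g in guard_series.items()),
            reverse=True,
        )
        r, lag, client = scored[0]
        runner_up = scored[1][0] if len(scored) > 1 else -1.0
        matched = r >= threshold and r - runner_up >= margin
        results[circuit] = {"client": client if matched else None,
                            "r": round(r, 3), "lag": lag}
    return results


if __name__ == "__main__":
    for circuit, hit in correlate(GUARD_SERIES, EXIT_SERIES).items():
        print(circuit, hit)
```

With the constructed data, circuit_1 and circuit_2 are attributed to client_A and client_B at a one-second lag, while circuit_3, whose client never passed a monitored guard, stays unmatched because its best score (against client_C) is well under the threshold. Real traffic is noisier than these vectors, which is exactly why the document asks for more test sessions before trusting the false-positive rate.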

The archive also includes a set of GCHQ slides with the results of a feasibility study on attacking the Tor network.

The documents reveal the great effort the agencies spent on breaking online encryption; in particular, they tried to compromise protocols like PGP, used to secure email, the AES standard, and OTR (Off-the-Record Messaging), which provides encryption for instant messaging.

The documents indicate that PGP remained secure, whereas SSH had been successfully attacked: a slide reveals the existence of a database of obtained SSH keys and passwords.

As for instant messaging, the agencies consider OTR secure, so they opted instead to look for bugs in the client software used by their targets.

VPN and SSL traffic could be decrypted if the agencies were able to compromise one of the communicating endpoints and steal the shared secret keys and passwords.

“For VPN this would involve, say, hacking into a victim’s router or PC, or slapping a court order on a company’s sysadmin, while SSL private keys can easily be swiped by asking the CA root to hand it over,” states a blog post published by The Register.

I suggest you have a look at the documents; below is the complete list of those related to the analysis of the de-anonymization techniques used by the agencies.

Pierluigi Paganini

(Security Affairs –  Tor network, Intelligence)
