Title: Tor: Overview of Existing Techniques

Release Date: 2014-12-28

Document Date: 2012-01-01

Description: This undated GCHQ presentation indicates the agency’s Tor research efforts as of 2012: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TOP SECRET STRAP1

Tor: Overview of Existing Techniques

(15 minutes)

TOP SECRET STRAP 1

C! X R «two

THIS INCDRHftTION IS EXEMPT UNDER THE FREEDOM QC I hJTOR M ATIG
R FTF n -SV “Q A Q U ERIES Tj GCIIQ n N

CONTAINS iMTELLfCTJAL

The material may be disseminated throughout the recipient organisation, but GCHQ permission m

^Information legislation.

IUBT BE OBTAINED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

^GCHQ^

Previous Work/Current Techniques

ICTR-related techniques
. Identification of events by content
. Tor node dictionary generation - available from web site
. HOMING TROLL - Bridge discovery prototype that feeds dictionary
. Statistical deanonymisation research (MCR)

. NEWTONS CRADLE (JTRIG)

. TRIBAL CARNEM (with CT)

. EPIC FAIL (CT)

. Bulk traffic logging

. QUICK ANT - Low latency deanonymisation. Prototype under evaluation.
. Introducing timing patterns - report available
. Hidden service investigation - report available
. Shaping research - some initial experiments.

. Some extraction of hidden service domain names from passive events.

. Tor implementation analysis (contract task)

Also some work (through contract) on Freenet.

TOP SECRET STRAP 1

fin X R

This information is exempt under the Freedom or Information Act 2000 [FIJIA) and may be exempt under other uk information legislation.

Contains Intellectual Property" owned and/or managed by GCWp.

The MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT ORB ANISATIGN, BUT GCHQ PERMISSION MUST BE BBTAINiED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

^GCHQ^

ICTR-NE Goals for 2012/13

Our plans at present are:

• Tor deanonymisation - collaboration with MCR and JTRIG

• Tor shaping - with JTRIG

• Contract: next stage of Tor Implementation Analysis

• ICTR-CISA: record hidden service hostnames (*.onion) in NATURAL SELECTION.

... so REMATION II fits in well.

Any questions?

TOP SECRET STRAP 1

fit! X R

THIS INFORMATION is EXEMRT UNDER the FREEDOM of lNFORMATIOfr^AC^200|^FaiA^^^MAJMB^EXEMF^UMDE^OTHEj^^ONFORM^IO^^£GISLATiON.

Contains Intellectual Property owned and/or managed by GCHp.

The MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT El RG ANISATIGIM, BUT GCHQ PERMISSION MUST BE OBTAINiED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

^GCHQ^

Reference: Ideas (2011)

• Maintain knowledge of Tor network - Pullthrough from NE?

• Log Tor events into HAKIM for target discovery - TR-FSP

• Build tool to implement low latency attack? - ICTR

• Collecting traffic at exit nodes to feed passive SIGINT - JTRIG

• Testing of MCR passive deanonymisation technique. - MCR/JTRIG/ICTR

• Active injection and detection of timing patterns (probably following test of MCR technique) -
ICTR/JTRIG/MCR

• Herding of targets through our exit nodes (THEMP) - ICTR/JTRIG

• Bulk logging of hidden service onion addresses (possibly only those hosting web sites) - experiment carried
out by ICTR

• Characterisation of hidden web servers by passive analysis - ICTR?

• Characterisation of hidden web servers by web crawling - ICTR?

• Identification of IP addresses hosting hidden services - ICTR?

• Ongoing use/maintenance of TRIBAL CARNEM - CT

• Find TDIs that appear on Tor and non-tor IP addresses (EPIC FAIL) - CT

• Understanding Tor circuit creation and destruction - ICTR contract

• Understanding future developments in Tor - ICTR contract?

• Spotting private Tor networks - ICTR?

• TorChat investigation? - ICTR?

own X R «two

Ji '

TOP SECRET STRAP 1

This information is exempt under the Freedom of Information Act 2QDO CFOIA) and may be exempt under other UK information legislation.

Contains Intellectual Property owned and/or managed by ECHQ.

The material may be disseminated throughout the recipient organisatigim, but GCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

Reference: Data Sources

Tor node consensus (obtained by Tor client)
UNCLASSIFIED

Information on Tor Bridges - CONFIDENTIAL
Collection from exit nodes - SECRET

Passive intercept (SECRET/TOP SECRET)

- SSL events in cloud(s)

- Tor packet logging (ICTR system)

- Content exiting Tor network

TOP SECRET STRAP 1

This information 13 exempt under the Freedom or Information act 2000 cfqiA) and may 6e exempt under other UK information legislation.

REFER ANY FD! A QUERIES TO ECHO ON I
Contain a I htellectual Pt

MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT DRG ANISATIGIM, BUT GCHQ PERMISSION MUST BE OBTAINiED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh