This article presents the results of an experimental study of the properties of the SSL/TLS certificates used by the Tor anonymous network, from which it is concluded that they have several features that distinguish them from other SSL/TLS certificates. At present, the scientific literature and the documentation of the U.S. National Security Agency and the U.K. Government Communications Headquarters devoted to identifying Tor network traffic indicate two features of its SSL/TLS certificates: the name of the certificate subject, and the port over which the certificate is transmitted and the network connection is made. The results of the experimental study allow the authors to state with a high degree of probability that Tor network certificates can be identified in the data stream between a client and a server of that network by their size, which lies between 400 and 600 bytes. The list of features of Tor network certificates is intended for developing software, or add-ons to existing software, used to block Internet users' access to Darknet resources or to limit the use of the Tor anonymity service. Based on the distinguishing features of Tor network certificates, an algorithm is proposed for blocking Internet access for users of the Tor Bundle.
The suppression of illegal activity by Internet users is one of the pressing problems of ensuring information security in the Russian Federation. Suppressing the activity of persons who commit unlawful acts using digital technologies, in particular with the help of the Tor anonymous network, is one of the tasks of the federal law enforcement agencies responsible for information security. The difficulty of detecting and identifying the use of the Tor software complex in data transmission networks is due to a whole series of measures taken by its developers to mask the complex's data flow, among them the use of modern algorithms for encrypting data packets. The aim of the work is to create and describe a set of features of the establishment of an https connection by the Tor software complex under TLS encryption with protocol version 1.3. The tasks of the work are the preparation and analysis of traffic captures of the Tor software complex and, on the basis of the data obtained, the creation of a set of features of the establishment of a connection between a client and a server of the anonymous network. In analysing the data flow of the anonymous network, the stage of establishing a connection between the client and the entry server of the Tor node chain, the so-called "TLS handshake", was studied. It should be noted that this work supplements previous studies on the analysis of TLS encryption in the part concerning the TLS v1.3 encryption protocol, in use since 2018, describing its features as part of the mechanism by which the Tor software complex implements anonymisation. The authors propose using the sizes of the "TLS handshake" packets as the main features carrying identifying information about the establishment of an anonymous connection between a client and a Tor network node. The study was carried out with financial support from the Ministry of Science and Higher Education of Russia (IB grant) within the framework of scientific project No. 23/2020.
Keywords: Tor software complex; data obfuscation; TLS handshake; TLS v1.3 encryption protocol; lawful blocking of access.
V.V. Lapshichyov, O.B. Makarevich. SET OF DISTINCTIVE FEATURES OF TLS V1.3 HTTPS-CONNECTION ESTABLISHING BY TOR SOFTWARE COMPLEX
This paper presents the results of the authors' research aimed at developing a method for detecting and identifying the use of the Tor Bundle in data transmission networks, in particular on the Internet. Based on the characteristics identified, an algorithm has been developed that allows lawful blocking of users' access to the global network through this popular anonymizer. The subject of the study was the SSL/TLS encryption certificate that the Tor network server transmits to the Tor Bundle user and that contains the set of data needed to identify it during the TLS handshake. In the course of studying the certificates' properties, several distinguishing features were identified, namely: the subject and issuer names of the certificate, which are random strings of letters and digits; the port used when connecting to the anonymous network; and the certificate size. Based on these data, a method is proposed that allows the provider's server to block a connection during which a certificate with these characteristics is transmitted.
Purpose of the study: to develop a method that allows detecting and identifying Tor network packets, including obfuscated packets, on the network user's local machine with the Wireshark sniffer, using its filter syntax and the features of Tor network packets characteristic of the TLS v1.2 and v1.3 encryption versions; and to study whether the SSL Bump attack (decrypting https traffic on a virtual server using self-signed X.509 certificates) can be used to overcome the obfuscation of Tor network packets. Method: software analysis of transmitted network packets; decomposition of the contents of data packets by their size and by the encryption protocol they belong to; a comparative method applied to different versions of the encryption protocol and to different resources; and synthesis of filtering rules in the analyzer's syntax. Results: an applied method was developed that allows detecting and identifying Tor network packets, including obfuscated packets, on the network user's local machine with the Wireshark sniffer, using filtering rules based on the features of TLS v1.2 and v1.3 encryption packets; and data were obtained showing that the SSL Bump attack cannot be used to overcome the obfuscation of the Tor network.
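As an added worked example, not code from the papers abstracted above, the following Python script applies the certificate-level features from the abstracts (a certificate size between 400 and 600 bytes; subject and issuer names that are random strings of letters and digits) and the handshake-record-size feature from the TLS v1.3 abstract to a TLS Certificate handshake record, and emits the equivalent Wireshark display filter. The records it analyses are constructed inside the script, not captured Tor traffic; the CN pattern (`www.<random>.com` or `.net`, modelled on the names Tor generates for its link certificates) and the Wireshark field names (`tls.handshake.type`, `tls.handshake.certificate_length`, as in current Wireshark releases) are assumptions of the example. One caveat a practitioner should keep in mind: in TLS 1.3 the Certificate message is encrypted, so only record lengths, not the parsed certificate fields, are observable on the wire, which is why the script also reports raw record sizes.

```python
import re
import struct

TLS_HANDSHAKE, HS_CERTIFICATE = 0x16, 0x0B
CN_OID = b"\x55\x04\x03"    # 2.5.4.3 id-at-commonName
SIZE_RANGE = (400, 600)    # certificate size range reported in the abstract
# Assumption: Tor-style generated CNs look like "www.<random>.com" or ".net".
TOR_CN_RE = re.compile(r"^www\.[a-z0-9]{4,}\.(com|net)$")

def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    k = 1 if n < 0x100 else 2
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_children(buf):
    """Yield (tag, value) for each TLV in a concatenation of DER TLVs."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: the next (n & 0x7F) bytes hold it
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def common_names(cert):
    """Every commonName in the certificate (issuer and subject included)."""
    found = []
    def walk(buf):
        for tag, val in der_children(buf):
            # descend into SEQUENCE / SET only; an AttributeTypeAndValue is
            # a SEQUENCE of exactly (OID, value)
            kids = list(der_children(val)) if tag in (0x30, 0x31) else []
            if len(kids) == 2 and kids[0] == (0x06, CN_OID):
                found.append(kids[1][1].decode("ascii", "replace"))
            elif kids:
                walk(val)
    walk(cert)
    return found

def certificates_from_record(record):
    """DER certs from a cleartext (TLS 1.2) Certificate record; TLS 1.3 encrypts it."""
    ctype, _ver, rlen = struct.unpack(">BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != TLS_HANDSHAKE or hs[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    end, i, certs = 3 + int.from_bytes(body[:3], "big"), 3, []
    while i < end:
        n = int.from_bytes(body[i:i + 3], "big")
        certs.append(body[i + 3:i + 3 + n])
        i += 3 + n
    return certs

def record_sizes(stream):
    """Length of each TLS record in a stream (boundaries stay visible in TLS 1.3)."""
    sizes, i = [], 0
    while i + 5 <= len(stream):
        n = struct.unpack(">BHH", stream[i:i + 5])[2]
        sizes.append(5 + n)
        i += 5 + n
    return sizes

def tor_features(cert):
    """Apply the size and name heuristics to one DER certificate."""
    cns = common_names(cert)
    size_ok = SIZE_RANGE[0] <= len(cert) <= SIZE_RANGE[1]
    cn_ok = bool(cns) and all(TOR_CN_RE.match(c) for c in cns)
    return {"size": len(cert), "common_names": cns, "size_matches": size_ok,
            "names_match": cn_ok, "likely_tor": size_ok and cn_ok}

def wireshark_filter(lo=SIZE_RANGE[0], hi=SIZE_RANGE[1]):
    """Same size test as a display filter (field names assumed: current Wireshark)."""
    return (f"tls.handshake.type == {HS_CERTIFICATE} && tls.handshake.certificate_length"
            f" >= {lo} && tls.handshake.certificate_length <= {hi}")

# Constructed samples (not captured traffic): a one-RDN Name, a padded stand-in
# certificate, and the TLS 1.2 record that would carry it.
def name(cn):
    atv = der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def fake_cert(issuer_cn, subject_cn, total):  # exactly `total` bytes for total >= 300
    core = name(issuer_cn) + name(subject_cn)
    return der(0x30, der(0x30, core + der(0x04, b"\x00" * (total - len(core) - 12))))

def certificate_record(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    hs = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs

TOR_LIKE = certificate_record([fake_cert("www.a8b2c9d.net", "www.k3j9x2q1m.com", 450)])
ORDINARY = certificate_record([fake_cert("Example Root CA", "example.com", 1100)])

if __name__ == "__main__":
    for rec in (TOR_LIKE, ORDINARY):
        print([tor_features(c) for c in certificates_from_record(rec)])
    print(record_sizes(TOR_LIKE + ORDINARY), wireshark_filter())
```

The size test alone is weak on its own (many small self-signed certificates fall in the same range), so the script only flags a certificate when the name heuristic agrees as well; on real traffic the port feature from the abstracts would be a third input, taken from the TCP header rather than from the TLS record.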