Research Reveals Anonymity Networks

By Dave Nixon

Anonymity systems intended to permit users to carry out actions on the Internet without identifying themselves can frequently be cracked with a small piece of unconventional thinking, according to a Cambridge researcher.

In a recently published PhD thesis, Stephen Murdoch, a researcher in the University of Cambridge’s Security Group, outlined a number of different anonymity-cracking techniques.

The methods intend on removing the cover provided by anonymity systems such as Tor, which can be used by genuine users looking for identity protection, as well as by criminals covering their tracks.

Murdoch has tested his techniques on every occasion possible, and his results illustrate that even purportedly infallible techniques can frequently be overcome by exploiting real-world flaws in the systems.

One technique investigated in the paper, called indirect traffic analysis, relies on investigating the actions of an anonymous user, through which the user’s intent and often their identity can be inferred, according to Murdoch.

A case in point, if an attacker is capable of adjusting certain characteristics of an anonymised data stream coming through an anonymisation network such as Tor, the attacker can frequently determine the first Tor node connected to by the client, Murdoch said.

“This reduces the anonymity provided to that of a single-hop proxy, and then mundane legal mechanisms might be used to discover the initiator,” Murdoch wrote.

In trialling with such methods on Tor, Murdoch said he was able to de-anonymise 11 out of the 13 Tor nodes tested.

One of the more idiosyncratic techniques scrutinized in the paper explores the correlation between processor load and the conduct of the system’s clock crystal - its “clock skew.” Since the processor is enduring a greater load, it is emanating more heat, which subsequently affects the temperature of the clock crystal.

The link has been observed since the early 1990s in the security community, but Murdoch’s improvement is to intentionally provoke a pattern of processor load in an anonymous service, and use the ensuing clock skew data to establish the identity of the service.

“Such an attack could be deployed in practice by an attacker using one machine to access the hidden service, varying traffic over time to cause the server to heat up or cool down,” Murdoch wrote.

“Simultaneously, he probes all candidate machines for timestamps. From these the attacker infers clock skew estimates and when a correlation between the skew and the induced load pattern is found, the hidden service is de-anonymised,” he wrote.

Such an assault is not likely to be the best way to de-anonymise users of anonymity networks, Murdoch conceded, but he anticipates interest in and use of such techniques to develop.

“As systems become hardened against more conventional attacks, this attack could become a plausible threat,” he wrote.