Research unmasks anonymity networks


By Matthew Broersma
01 February 2008

Anonymity systems designed to allow users to carry out actions on the 
Internet without identifying themselves can often be cracked with a bit 
of unorthodox thinking, according to a Cambridge researcher.

Stephen Murdoch, a researcher in the University of Cambridge's Security 
Group, outlined a number of different anonymity-cracking techniques in a 
recently published PhD thesis [1].

The techniques aim at removing the cloak provided by anonymity systems 
such as Tor, which can be used by legitimate users looking to protect 
their identities, as well as by criminals covering their tracks.

Murdoch has tested his techniques whenever possible, and his results 
show that even supposedly infallible techniques can often be defeated by 
exploiting real-world weaknesses in the systems.

One technique explored in the paper, called indirect traffic analysis, 
relies on examining the actions of an anonymous user, through which the 
user's intent and often their identity can be inferred, according to 

For example, if an attacker is able to modify certain characteristics of 
an anonymised data stream coming through an anonymisation network such 
as Tor, the attacker can often discover the first Tor node connected to 
by the client, Murdoch said.

"This reduces the anonymity provided to that of a single-hop proxy, and 
then mundane legal mechanisms might be used to discover the initiator," 
Murdoch wrote.

In experimenting with such techniques on Tor, Murdoch said he was able 
to de-anonymise 11 out of the 13 Tor nodes tested.

One of the more outré techniques examined in the paper explores the link 
between processor load and the behaviour of the system's clock crystal - 
its "clock skew." The link exists because a processor under greater load 
emits more heat, which in turn affects the temperature of the clock 
crystal.

The link has been examined since the early 1990s in the security 
community, but Murdoch's innovation is to deliberately induce a pattern 
of processor load in an anonymous service, and use the resulting clock 
skew data to determine the identity of the service.

"Such an attack could be deployed in practice by an attacker using one 
machine to access the hidden service, varying traffic over time to cause 
the server to heat up or cool down," Murdoch wrote.

"Simultaneously, he probes all candidate machines for timestamps. From 
these the attacker infers clock skew estimates and when a correlation 
between the skew and the induced load pattern is found, the hidden 
service is de-anonymised," he wrote.

Such an attack is unlikely to be the fastest way to de-anonymise users 
of anonymity networks, Murdoch conceded, but he expects interest in and 
use of such techniques to grow.

"As systems become hardened against more conventional attacks, this 
attack could become a plausible threat," he wrote.

