SET OF DISTINCTIVE FEATURES OF TLS V1.3 HTTPS-CONNECTION ESTABLISHING BY TOR SOFTWARE COMPLEX
Abstract
Suppressing the illegal activity of Internet users is one of the pressing information-security problems in the Russian Federation. Suppressing the activity of persons who commit unlawful acts using digital technologies, in particular the Tor anonymity network, is among the tasks of the federal law-enforcement agencies responsible for information security. Detecting and identifying the use of the Tor software package in data-transmission networks is difficult because its developers have taken a number of measures to mask the package's data flow, including the use of modern encryption algorithms for data packets. The aim of this work is to build and describe a set of attributes of an HTTPS connection established by the Tor software package when the data are encrypted with TLS protocol version 1.3. The tasks of the work are the preparation and analysis of traffic captures of the Tor software package and, on the basis of the data obtained, the construction of a set of features of connection establishment between a client and a server of the anonymity network. In the analysis of the anonymity network's data flow, the stage at which the client establishes a connection with the entry server of the Tor node chain, the so-called "TLS handshake", was investigated. It should be noted that this work complements previous studies on the analysis of TLS encryption with respect to the TLS v1.3 protocol, in use since 2018, by describing its features as part of the anonymization mechanism implemented by the Tor software package. The authors propose using the sizes of the "TLS handshake" packets as the main features carrying identifying information about the establishment of an anonymous connection between the client and a Tor network node. The reported study was funded by the Russian Ministry of Science (information security), project number 23/2020.
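The abstract's central idea is that, once TLS 1.3 is in use, almost everything after the ServerHello is encrypted, so the observable signal of a handshake is the sequence of TLS record sizes rather than the contents of certificates or extensions. The following Python is an added example, not code from the paper or from the Tor project: it parses the TLS record layer of one direction of a reassembled TCP stream and returns the per-record size sequence that such a feature set would be built from. The sample byte strings are constructed inline to exercise the parser; they are not captured Tor traffic, and the `EXAMPLE_PROFILE` values are placeholders, since the paper's own size set is not reproduced here.

```python
"""Extract TLS record-size features from one direction of a TLS 1.3 handshake.

Added example (not from the paper). Input is the reassembled TCP payload of one
direction (client->server or server->client). Only the record layer is parsed:
content type, legacy version, length, and, for plaintext handshake records, the
handshake message type. In TLS 1.3 everything after ServerHello travels as
application_data records (content type 0x17), so only their lengths are visible.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

CONTENT_CCS = 0x14        # change_cipher_spec (middlebox-compat dummy in TLS 1.3)
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
CONTENT_APPDATA = 0x17
MAX_RECORD_BODY = 2**14 + 256   # TLSCiphertext length limit (RFC 8446 s.5.2)

HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello"}


@dataclass
class TlsRecord:
    content_type: int
    version: int          # legacy_record_version; 0x0303 on TLS 1.3 records
    length: int           # body length from the 5-byte record header
    handshake_type: Optional[int]   # only set for plaintext handshake records


def parse_records(stream: bytes) -> List[TlsRecord]:
    """Walk the record layer and return every record in order.

    A handshake message split across several records is not reassembled;
    each record is reported as it appears on the wire, which is what a
    size-based feature needs anyway.
    """
    records: List[TlsRecord] = []
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in (CONTENT_CCS, CONTENT_ALERT, CONTENT_HANDSHAKE, CONTENT_APPDATA):
            raise ValueError(f"unknown content type 0x{ctype:02x} at offset {off}")
        if length > MAX_RECORD_BODY:
            raise ValueError(f"record length {length} exceeds TLS limit at offset {off}")
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {off}")
        hs_type = body[0] if ctype == CONTENT_HANDSHAKE and length >= 4 else None
        records.append(TlsRecord(ctype, ver, length, hs_type))
        off += 5 + length
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing bytes after last record")
    return records


def record_size_features(stream: bytes, max_records: int = 6) -> List[int]:
    """Record-length sequence of the first few records: the size-based feature vector."""
    return [r.length for r in parse_records(stream)[:max_records]]


def matches_profile(features: List[int], profile: List[int], tolerance: int = 0) -> bool:
    """Compare a feature vector with a reference profile, allowing +/- tolerance per record.

    The profile would come from measured handshakes; EXAMPLE_PROFILE below is a
    placeholder, not a value taken from the paper.
    """
    if len(features) < len(profile):
        return False
    return all(abs(f - p) <= tolerance for f, p in zip(features, profile))


# --- constructed sample data (not captured Tor traffic) ---------------------
def _record(ctype: int, version: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


def _handshake(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# ClientHello: record version 0x0301 is what TLS 1.3 clients commonly send first.
SAMPLE_CLIENT = _record(CONTENT_HANDSHAKE, 0x0301, _handshake(1, bytes(250)))
# ServerHello, compat CCS, then two encrypted records (EncryptedExtensions..Finished).
SAMPLE_SERVER = (
    _record(CONTENT_HANDSHAKE, 0x0303, _handshake(2, bytes(90)))
    + _record(CONTENT_CCS, 0x0303, b"\x01")
    + _record(CONTENT_APPDATA, 0x0303, bytes(1200))
    + _record(CONTENT_APPDATA, 0x0303, bytes(60))
)
EXAMPLE_PROFILE = [94, 1, 1200, 60]   # placeholder reference sizes for the server side

if __name__ == "__main__":
    for name, stream in (("client", SAMPLE_CLIENT), ("server", SAMPLE_SERVER)):
        recs = parse_records(stream)
        print(name, [(HANDSHAKE_NAMES.get(r.handshake_type, hex(r.content_type)), r.length)
                     for r in recs])
    print("server matches placeholder profile:",
          matches_profile(record_size_features(SAMPLE_SERVER), EXAMPLE_PROFILE, tolerance=8))
```

Feeding the parser a real capture requires the TCP payload to be reassembled per direction first (for example the stream exported by a packet analyser); handing it raw segments will trip the truncation and trailing-bytes checks, which is intentional, since a size feature built from partial records is meaningless. Because record lengths depend on padding and on the server's certificate chain, any reference profile needs a tolerance and periodic re-measurement rather than exact equality.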