Tor, anonymity: http://css.csail.mit.edu/6.858/2012/lec/l16-tor.txt

  Goals:
    Hide visited websites from ISP
    Hide visitors from website

  Onion routing:
    pick N (usually 3) random ORs (onion routers)
    connect to first OR, build tunnel
    ask first OR to connect to second OR
    perform key exchange with second OR through first OR
    now first OR can't see traffic between you and second OR
    repeat

  Exit nodes: proxies between the WWW and the Tor network

  Directory: list of nodes
    multiple directory services to distribute trust

  Hidden services:
    identity determined by public key
    service registers itself at several introduction points
    publishes introduction points
    clients pick a rendezvous point
    through introduction point, both client and service meet at rendezvous point

  Issues:
    Fingerprinting (panopticlick - TBB tries to have uniform fingerprint)
    Browser exploits
    Timing attacks (global passive adversary)
    Malicious exit nodes (no SSL)

BitLocker: http://css.csail.mit.edu/6.858/2013/lec/l18-bitlocker.txt

  1. The TPM, used to protect master key to harddisk
    Threat model: stolen laptop with a somewhat bad user password
    Need to store key securely => use TPM
    TPM measures boot: first BIOS, then BIOS measures BitLocker loader, then run loader
    Only after this exact sequence of measurements will TPM reveal key
    Measuring works by extending TPM registers:
      PCR_i' = Hash(PCR_i, measurement)

  2. How to use a block cipher on a harddisk
    AES operates on 128 bit blocks
    Disk exposes sectors as atomic write blocks (512 bytes)
    AES needs an IV and does not provide authentication
    No space on disk because of sector alignment
    Solution:
      determine IV from sector number + master secret
      use AES-CBC + diffuser to encrypt an entire block
    AES-CBC: C_i = E_k(P_i XOR C_{i-1})
    Without diffuser, can change C_{i-1} to flip bits in C_i
    Diffuser provides block-level authentication by shuffling P_i

  3. Old quiz question:
    Can we break BitLocker if the TPM's hash function is bad (chosen-prefix collision)?
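
The extend rule and the "exact sequence of measurements" point from part 1 of the BitLocker notes, as an added example that is not part of the original lecture notes. It is a toy model under stated assumptions: SHA-256 stands in for the TPM's hash, each measurement is the hash of the component, and ToyTPM, the component names and the key are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 digest length; a PCR is all zeros after platform reset

def pcr_extend(pcr, component):
    """PCR' = Hash(PCR || measurement), with measurement = Hash(component)."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(chain):
    """Replay a boot sequence from reset and return the final PCR value."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr

class ToyTPM:
    """Hypothetical model: the sealed key is released for one exact PCR value."""
    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._sealed = None  # (expected_pcr, key) once seal() has run

    def extend(self, component):
        # There is no "set PCR" operation: software can only extend.
        self.pcr = pcr_extend(self.pcr, component)

    def seal(self, key, expected_pcr):
        self._sealed = (expected_pcr, key)

    def unseal(self):
        if self._sealed is None:
            return None
        expected_pcr, key = self._sealed
        return key if hmac.compare_digest(self.pcr, expected_pcr) else None

def boot_and_unseal(tpm, chain):
    """Reset the platform, measure each stage in order, then ask for the key."""
    tpm.pcr = bytes(PCR_SIZE)
    for component in chain:
        tpm.extend(component)
    return tpm.unseal()

# Constructed sample data standing in for firmware images and the disk key.
BIOS, LOADER, PATCHED = b"bios-v1", b"bitlocker-loader-v1", b"patched-loader"
MASTER_KEY = bytes(range(32))

tpm = ToyTPM()
tpm.seal(MASTER_KEY, measure_boot([BIOS, LOADER]))
```

A modified loader, a swapped order, or an extra stage each leave the PCR at a different value, so unseal returns None until the platform resets and replays the expected chain.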