Jump to: navigation, search

Template:Persistent Tor Entry Guards Introduction

What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.

Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.

Mitigating this threat requires consideration of the Tor network topology. Suppose the attacker controls, or can observe, C relays from a pool of N total relays. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)2. For most users, profiling is as hazardous as being traced all the time. Simply put, users want to repeat activities without the attacker noticing, but being noticed once by the attacker is as detrimental as being noticed more frequently. Mathematically speaking, choosing many random entry and exit points to the network prevents the user from escaping profiling by this kind of attacker with end-to-end capabilities.

The solution to this problem is "entry guards". Each Tor client selects a few relays at random to use as entry points, and only uses those relays for the first hop. If those relays are not controlled or observed, the attacker can't use end-to-end techniques and the user is secure. If those relays are observed or controlled by the attacker, then they see a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, entry guards increase the user's chance of avoiding profiling (on the order of (n-c)/n), compared to the former case.

You can read more at An Analysis of the Degradation of Anonymous Protocols, Defending Anonymous Communication Against Passive Logging Attacks, and especially Locating Hidden Servers.

Restricting entry nodes may also help to defend against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. [1] However, this feature won't become really useful until Tor moves to a "directory guard" design as well.

Source and License, see footnote: [2]

Persistent Tor entry guards are beneficial for security and used by Tor, Whonix, Tor Browser Bundle (TBB) and other software. The number of entry guards has changed in recent Tor releases: [3] [4]

  • Before v2.9: Tor selects three random guard nodes and rotates them every 2-3 months.
  • v2.9: Tor selects a solitary guard node and rotates it every 9-10 months. [5]
  • v3.0+: Tor selects three guard nodes, but defers to a primary guard wherever possible. Guards have a primary lifetime of 120 days. [6]

The guard relays picked by the Tor client can lead to fingerprinting of Tor use across different physical locations and access points. In some corner cases like the example described below, this may cause a user to be deanonymized. The risk of this attack is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.

Consider the following scenario. A user runs Tor from their home address, but soon attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired. The fact that the Tor client is using the same entry guard normally correlated with the user's home address is problematic. Network adversaries have a high certainty that the "anonymous" posts from the city location are related to the same person who connected to that specific guard relay from their home. The relative uncommonness of Tor usage exacerbates the problem of potential deanonymization.

This adversary technique is similar to tracking users via MAC addresses. Therefore, for users facing this threat in their personal circumstances, MAC address randomization is also recommended.

Forum discussion:

  1. Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
  2. Source:
    torproject.org What are Entry Guards? (w)
    license (w):
    Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  3. https://gitweb.torproject.org/torspec.git/tree/proposals/236-single-guard-node.txt
  4. https://gitweb.torproject.org/torspec.git/tree/proposals/271-another-guard-selection.txt
  5. If the guard node ever becomes unusable, Tor picks a new guard rather than replacing it, and adds it to the end of the list.
  6. Non-primary guards are also selected under various circumstances.