Template:Persistent Tor Entry Guards Introduction

A checked version of this page, approved on 21 July 2022, was based on this revision.

What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.

Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.

Mitigating this threat requires consideration of the Tor network topology. Suppose the attacker controls, or can observe, C relays from a pool of N total relays. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)². For most users, profiling is as hazardous as being traced all the time. Simply put, users want to repeat activities without the attacker noticing, but being noticed once by the attacker is as detrimental as being noticed more frequently. [...]

The solution to this problem is "entry guards". Each Tor client selects a few relays at random to use as entry points, and only uses those relays for the first hop. If those relays are not controlled or observed, the attacker can't use end-to-end techniques and the user is secure. If those relays are observed or controlled by the attacker, then they see a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, entry guards increase the user's chance of avoiding profiling (on the order of (n-c)/n), compared to the former case.

Restricting entry nodes may also help to defend against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. ^[1] However, this feature won't become really useful until Tor moves to a "directory guard" design as well.

Source and License, see footnote: ^[2]

Many well known enhanced anonymity designs such as Tor, Whonix and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user. ^[3]

Note: Guard fingerprinting techniques are similar to methods that track users via MAC addresses. If this is a realistic threat, then MAC address randomization is also recommended.

In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days. ^[4] ^[5] ^[6]

Warning: In some situations it is safer to not use the usual guard relay!

Guard Fingerprinting Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Template%3APersistent_Tor_Entry_Guards_Introduction?direction=prev&oldid=60691#Guard_Fingerprinting Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Template%3APersistent_Tor_Entry_Guards_Introduction#Guard_Fingerprinting|Guard Fingerprinting]]
Copy as Wikitext Click = Copy Copied to clipboard! [Guard Fingerprinting](https://www.kicksecure.com/wiki/Template%3APersistent_Tor_Entry_Guards_Introduction?direction=prev&oldid=60691#Guard_Fingerprinting)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Guard Fingerprinting](https://www.kicksecure.com/wiki/Template%3APersistent_Tor_Entry_Guards_Introduction?direction=prev&oldid=60691#Guard_Fingerprinting)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Template%3APersistent_Tor_Entry_Guards_Introduction?direction=prev&oldid=60691#Guard_Fingerprinting]Guard Fingerprinting[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards ^[7] and de-anonymize a user. For instance:

The same entry guards are used across various physical locations and access points.
The same entry guards are used after permanently moving to a different physical location.

For details on how this is possible, press Expand on the right.

There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:

Clone Kicksecure (kicksecure) with New Entry Guards.
Regenerate the Tor State File after Saving the Current Tor State.
Configure Tor to use Alternating Bridges.
If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

Forum discussion:
https://forums.whonix.org/t/persistent-tor-entry-guard-relays-can-make-you-trackable-across-different-physical-locations/2090

↑ Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
↑ Source:
torproject.org What are Entry Guards?
license:
Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
↑ The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
↑ Prop 291 indicates a 3.5 month guard rotation.
↑ The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
↑ https://github.com/torproject/torspec/blob/master/proposals/291-two-guard-nodes.txt
↑ The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.
↑ https://metrics.torproject.org/relayflags.html

[1] Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.

[2] Source:
torproject.org What are Entry Guards?
license:
Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.

[3] The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.

[4] Prop 291 indicates a 3.5 month guard rotation.

[5] The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.

[6] ttps://github.com/torproject/torspec/blob/master/proposals/291-two-guard-nodes.txt

[7] The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.

[8] ttps://metrics.torproject.org/relayflags.html

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

Template:Persistent Tor Entry Guards Introduction

Navigation menu

Search