anonymous routing and mix nets (Tor) Yongdae Kim

Transcription

1 anonymous routing and mix nets (Tor) Yongdae Kim Significant fraction of these slides are borrowed from CS155 at Stanford 1

2 q Why? Anonymous web browsing 1. Discuss health issues or financial matters anonymously 2. Bypass Internet censorship in parts of the world 3. Conceal interaction with gambling sites 4. Law enforcement q Two goals: Hide user identity from target web site: (1), (4) Hide browsing pattern from employer or ISP: (2), (3) q Stronger goal: mutual anonymity (e.g. r ers) 2

3 Current state of the world I q ISPs tracking customer browsing habits: Sell information to advertisers Embed targeted ads in web pages (1.3%)» Example: MetroFi (free wireless) [Web Tripwires: Reis et al. 2008] q Several technologies used for tracking at ISP: NebuAd, Phorm, Front Porch Bring together advertisers, publishers, and ISPs» At ISP: inject targeted ads into non-ssl pages q Tracking technologies at enterprise networks: Vontu (symantec), Tablus (RSA), Vericept 3

4 Current state of the world II q EU directive 2006/24/EC: 3 year data retention For ALL traffic, requires EU ISPs to record:» Sufficient information to identify endpoints (both legal entities and natural persons)» Session duration but not session contents Make available to law enforcement» but penalties for transfer or other access to data q For info on US privacy on the net: privacy on the line by W. Diffie and S. Landau 4

5 Part 1: network-layer privacy Goals: Hide user s IP address from target web site Hide browsing destinations from network

6 1 st attempt: anonymizing proxy anonymizer.com? URL=target User 1 Web 1 User 2 anonymizer.com Web 2 User 3 Web 3 6

7 Anonymizing proxy: security q Monitoring ONE link: eavesdropper gets nothing q Monitoring TWO links: Eavesdropper can do traffic analysis More difficult if lots of traffic through proxy q Trust: proxy is a single point of failure Can be corrupt or subpoenaed» Example: The Church of Scientology vs. anon.penet.fi q Protocol issues: Long-lived cookies make connections to site linkable 7

8 How proxy works q Proxy rewrites all links in response from web site Updated links point to anonymizer.com» Ensures all subsequent clicks are anonymized q Proxy rewrites/removes cookies and some HTTP headers q Proxy IP address: if a single address, could be blocked by site or ISP anonymizer.com consists of >20,000 addresses» Globally distributed, registered to multiple domains» Note: chinese firewall blocks ALL anonymizer.com addresses q Other issues: attacks (click fraud) through proxy 8

9 2 nd Attempt: MIX nets Goal: no single point of failure

10 MIX nets [Chaum 81] R 1 R 3 R 5 R 2 R 6 R 4 srvr q Every router has Sender knows all public keys q To send packet: Pick random route: Onion packet: public/private key pair E pk2 ( R 3, E pk3 ( R 6, R2 R3 R6 srvr E pk6 ( srvr, msg) 10

11 Eavesdropper s view at a single MIX user 1 R i batch user 2 user 3 q Eavesdropper observes incoming and outgoing traffic q Crypto prevents linking input/output pairs Assuming enough packets in incoming batch If variable length packets then must pad all to max len q Note: router is stateless 11

12 q Main benefit: Performance Privacy as long as at least one honest router on path R 2 R 3 R 6 srvr q Problems: High latency (lots of public key ops)» Inappropriate for interactive sessions» May be OK for (e.g. Babel system) No forward security 12

13 3 rd Attempt: Tor MIX circuit-based method Goals: privacy as long as one honest router on path, and reasonable performance

14 The Tor design q Trusted directory contains list of Tor routers q User s machine preemptively creates a circuit Used for many TCP streams New circuit is created once a minute R 1 R 3 R 5 stream 1 srvr 1 R 2 R 4 R 6 stream 2 14 one minute later srvr 2

15 Creating circuits TLS encrypted TLS encrypted R 1 R 2 Create C 1 D-H key exchange K 1 K 1 Relay C 1 Extend R 2 Extend R 2 D-H key exchange K 2 K 2 15

16 Once circuit is created K 1, K 2, K 3, K 4 K 1 R 1 R 2 K 2 K 3 R 3 R 4 K 4 q User has shared key with each router in circuit q Routers only know ID of successor and predecessor 16

17 Sending Data R 1 R 2 K 1 K 2 Relay C 1 Begin site:80 Relay C 2 Begin site:80 TCP handshake Relay C 1 data HTTP GET Relay C 2 data HTTP GET HTTP GET Relay C 1 data resp Relay C 2 data resp resp 17

18 18 Complete View

19 q Performance: Properties Fast connection time: circuit is pre-established Traffic encrypted with AES: no pub-key on traffic q Tor crypto: provides end-to-end integrity for traffic Forward secrecy via TLS q Downside: Routers must maintain state per circuit Each router can link multiple streams via CircuitID» all steams in one minute interval share same CircuitID 19

20 Privoxy q Tor only provides network level privacy No application-level privacy» e.g. mail progs add From: -addr to outgoing mail q Privoxy: Web proxy for browser-level privacy Removes/modifies cookies Other web page filtering 20

21 Anonymity attacks: watermarking R 1 R 2 R 3 q Goal: R 1 and R 3 want to test if user is communicating with server q Basic idea: R 1 and R 3 share sequence: Δ 1, Δ 2,, Δ n {-10,,10} R 1 : introduce inter-packet delay to packets leaving R 1 and bound for R 2. Packet i delayed by Δ i (ms) Detect signal at R 3 21

22 Anonymity attacks: congestion R 1 R 2 R 3 R 8 q Main idea: R 8 can send Tor traffic to R 1 and measure load on R 1 q Exploit: malicious server wants to identify user Server sends burst of packets to user every 10 seconds R 8 identifies when bursts are received at R 1 Follow packets from R 1 to discover user s ID 22