communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Transcription

1 Introduction to anonymous communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.Leuven) 1

2 a few words on the scope of the talk New field, in development Give an idea on the problems, concepts and solutions for anonymous communications Claudia Diaz (K.U.Leuven) 2

3 Outline Anonymity: motivation and concept Anonymity Metrics Mixes Attacks Conclusions and Open Questions Claudia Diaz (K.U.Leuven) 3

4 Motivation for Anonymity I have nothing to hide [Solove] Privacy and Surveillance [The Economist, Oct 2007] Anonymity is a security property Data Protection: minimization E-Voting E-Health, Help Lines Political l speech without t fear or retaliation ti Censorship resistance Individual but also Military/Gov/Business security More generally: informational self-determination Being in control, balance of power Claudia Diaz (K.U.Leuven) 4

5 Anonymity Data and Communication Layers App App Com Com IP Alice Bob Claudia Diaz (K.U.Leuven) 5

6 Classical Security Model Alice Bob Eve Passive / Active Claudia Diaz (K.U.Leuven) 6

7 Anonymity Concept and Model Set of Alices Set of Bobs Claudia Diaz (K.U.Leuven) 7

8 Anonymity Adversary Recipient? Third Parties? Passive/Active Partial/Global Internal/External Claudia Diaz (K.U.Leuven) 8

9 Anonymity Adversary The adversary will: Try to find who is sending messages to whom. Observe All links (Global Passive Adversary) Some links Modify, delay, delete or inject messages. Control some nodes in the network. The adversary'ss limitations Cannot break cryptographic primitives. Cannot see inside nodes he does not control. Claudia Diaz (K.U.Leuven) 9

10 Soft privacy enhancing technologies Hard privacy Focus on data minimization Adversarial data holder / service provider Soft privacy Policies, access control, liability, right to correct information Adversary: 3 rd parties, corrupt insider in honest SP, errors BUT user has already lost control of her data Claudia Diaz (K.U.Leuven) (Slide taken from G. Danezis) 10

11 Other privacy-enhancing technologies Anonymous credentials / e-cash / ZK protocols Steganography g / covert communication Censorship resistance techniques Anonymous publication Private information retrieval (PIR) Private search K-anonymity Location privacy Claudia Diaz (K.U.Leuven) 11

12 Related Work - Timeline Chaumian DC-Nets ISDN Mix OR S-G Mix Mix, Crow wds Definit tions Source: Freehaven Anonymity Bibliography Claudia Diaz (K.U.Leuven) 12

13 Outline Anonymity: motivation and concept Anonymity Metrics Mixes Attacks Contributions and Open Questions Claudia Diaz (K.U.Leuven) 13

14 Abstract Model for Anonymity Claudia Diaz (K.U.Leuven) 14

15 Definition [PfiHan2000] First clear definition of anonymity (2000) Anonymity is the state t of being not identifiable within a set of subjects, the anonymity set. The anonymity set is the set of all possible subjects who might cause an action or be addressed. Claudia Diaz (K.U.Leuven) 15

16 Entropy Measure of the amount of information required on average to describe the random variable Measure of the uncertainty of a random variable Increases with N and with uniformity of distribution N H = log2 i= 1 ( ) p i p Distribution with entropy H equivalent to uniform distribution with 2 H subjects i Claudia Diaz (K.U.Leuven) 16

17 Example: Crowds (Reiter&Rubin) Alice N=7 C=2 p f Bob p C + 1 = 1 p f N C 1 N p i = pf N, i = C + 2KN Claudia Diaz (K.U.Leuven) 17

18 Anonymity of Crowds ) ( log 1 ) 1) ( ( log 1) ( 2 2 f f N N C N p C N f N N N C N p N H + = Claudia Diaz (K.U.Leuven) 18 1) ( f p N C N pf N N

19 Entropy-Based Anonymity Metrics Effective Anonymity Set Size [SD02] Entropy is the metric Undetermined number of users Open systems or not enough info on users available Degree of Anonymity Normalized entropy Systems with known set of users Tradeoff Anonymity/Scalability Claudia Diaz (K.U.Leuven) 19

20 Outline Anonymity: motivation and concept Anonymity Metrics Mixes Attacks Contributions and Open Questions Claudia Diaz (K.U.Leuven) 20

21 Concept of Mix MIX Router that hides correspondence between inputs and outputs????? Claudia Diaz (K.U.Leuven) 21

22 Functionality of Mixes Mixes modify The appearance of messages Encryption / Decryption Sender Mix 1 : {Mix 2, {Rec, msg} K Mix 2 } K Mix 1 Padding / Compression Substitution of information (e.g., IP) The flow of messages Reordering Delaying - Real-time requirements! Dummy traffic - Cost of traffic! Claudia Diaz (K.U.Leuven) 22

23 Pool Mixes Based on the mix proposed by Chaum in 1981: 1. Collect N inputs 2. Shuffle Round 3. Flush (Forward) Pool selection algorithm No pool / Static pool / Dynamic pool Influences the performance and anonymity y provided by the mix Generalized Mix Model: easy framework to analyze pool mixes Flushing condition Time / Threshold Deterministic / Random Claudia Diaz (K.U.Leuven) 23

24 Stop-and-Go Mix Proposed by Kesdogan in 1998 Reordering strategy based on delaying M/M/ Delays generated by the user from an Exponential distribution Timestamping to prevent active attacks Trusted Time Service Anonymity estimates based on the assumption of Poisson incoming traffic Claudia Diaz (K.U.Leuven) 24

25 Deployed systems I Anon.penet.fi (Helsingius 1993) Simple proxy, substituted headers Kept table of correspondences nym- Brought down by legal attack in 1996 Type I Cypherpunk r ers (Hughes, Finney1996) No tables (routing info in msgs themselves), PGP encryption (no attacks based on content) attacks based on size are possible Chains of mixes (distribution of trust) Reusable reply blocks (source of insecurity) Claudia Diaz (K.U.Leuven) 25

26 Deployed systems II Mixmaster (Cottrell, evolving since 1995) Fixed size (padding / dividing large messages) Integrity protection measures to prevent tagging attacks Multiple paths for better reliability No replies Mixminion (Danezis, 2003) SURBs (Single-Use Reply Blocks) Packet format: detection of tagging attacks (all-ornothing) Forward security: trail of keys, updated with one-way functions Claudia Diaz (K.U.Leuven) 26

27 Low-latency applications Onion Routing, ISDN, Web Mixes, Tor, JAP P2P: Crowds, P5 (broadcast), Herbivore (DC- nets) Delaying not an option http traffic: difficult to conceal traffic pattern Vulnerable to strong adversaries (entry+exit) Fingerprinting i attacks Internet exchanges Claudia Diaz (K.U.Leuven) 27

28 Mix Networks Mixes are combined in networks in order to Distribute trust Improve availability Cascade Fully connected network Restricted route network Claudia Diaz (K.U.Leuven) 28

29 Dummy Traffic Fake messages introduced to confuse the attacker Undistinguishable from real messages Very useful in low traffic conditions Dummies improve the anonymity by making more difficult the traffic analysis Claudia Diaz (K.U.Leuven) 29

30 Outline Anonymity: motivation and concept Anonymity Metrics Mixes Attacks Contributions and Open Questions Claudia Diaz (K.U.Leuven) 30

31 Attacks on (high-latency) mix-based systems Passive attacks Long-term intersection attacks (statistical disclosure) Persistent communication patterns Extract social network information Active attacks N-1 attacks Tagging DoS Claudia Diaz (K.U.Leuven) 31

32 Long-Term Intersection Attacks (1) Assumptions Alice has persistent communication relationships (other users modeled as sending uniformly at random) Combine many observations (who receives when Alice sends) Disclosure attack (Kesdogan) Computationally ti intensive i (NP-complete) Exact attack Only threshold mixes Sensitive to deviations of user behavioral model Hitting set attack (Kesdogan) More efficient (heuristics) Claudia Diaz (K.U.Leuven) 32

33 Long-Term Intersection Attacks (2) Statistical disclosure attack (Danezis, Serjantov) Much more efficient Not exact Extensions (Dingledine and Mathewson) Pool mixes Sender-generated dummy traffic Non-uniform sending patterns Two-Sided SDA (Diaz, Danezis, Troncoso) Extract information from replies Receiver-bound cover traffic (Mallesh, Wright) Claudia Diaz (K.U.Leuven) 33

34 N-1 Attack on Chaumian Mix Delay Unknown message Attacker message Target message N N N Claudia Diaz (K.U.Leuven) 34

35 N-1 attack on pool mix: Emptying Phase Claudia Diaz (K.U.Leuven) 35

36 N-1 Attack on pool mixes: Flushing Phase Claudia Diaz (K.U.Leuven) 36

37 Counter measures to N-1 attacks Tickets Timestamps Binomial mixes + dummy traffic RGB dummies Claudia Diaz (K.U.Leuven) 37

38 Conclusions Anonymity is an area of research getting increasing attention ti High-latency applications ( ): Well established primitive Tradeoffs cost/anonymity Problems with persistent user behavior Low-latency applications Insecure towards strong adversaries Anonymous communications are fragile If you want to propose a new system: Check the literature Check known attacks Claudia Diaz (K.U.Leuven) 38

39 (Some) Open Questions Real user behavioral models Apply anonymity metrics to mix networks Which are the best topologies? Find Optimal Mixing Strategies Find Optimal Dummy Strategies Solutions for Low-Latency Anonymous Communication? Claudia Diaz (K.U.Leuven) 39