Anonymity. Assumption: If we know IP address, we know identity

Similar documents
Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Anonymous communications: Crowds and Tor

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

2 ND GENERATION ONION ROUTER

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

0x1A Great Papers in Computer Security

A SIMPLE INTRODUCTION TO TOR

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Analysing Onion Routing Bachelor-Thesis

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

CS526: Information security

Protocols for Anonymous Communication

ENEE 459-C Computer Security. Security protocols

ENEE 459-C Computer Security. Security protocols (continued)

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

Anonymity Analysis of TOR in Omnet++

CS 134 Winter Privacy and Anonymity

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Computer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017

Private Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes

Tor: An Anonymizing Overlay Network for TCP

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

CS Paul Krzyzanowski

CE Advanced Network Security Anonymity II

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

anonymous routing and mix nets (Tor) Yongdae Kim

Tor: The Second-Generation Onion Router

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Privacy defense on the Internet. Csaba Kiraly

L13. Reviews. Rocky K. C. Chang, April 10, 2015

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Security. Communication security. System Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

(2½ hours) Total Marks: 75

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Computer Networks. Wenzhong Li. Nanjing University

UNIT - IV Cryptographic Hash Function 31.1

Encryption. INST 346, Section 0201 April 3, 2018

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis

Achieving Privacy in Mesh Networks

Anonymity With Tor. The Onion Router. July 5, It s a series of tubes. Ted Stevens. Technische Universität München

Cryptanalysis of a fair anonymity for the tor network

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

ANONYMOUS CONNECTIONS AND ONION ROUTING

Anonymous Connections and Onion Routing


CS 161 Computer Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

Computers and Security

Network Security Chapter 8

2.1 Basic Cryptography Concepts

Please ensure answers are neat and legible. Illegible answers may be given no points.

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

A New Replay Attack Against Anonymous Communication Networks

Introduction to Computer Security

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Chapter 4: Securing TCP connections

Privacy Enhancing Technologies CSE 701 Fall 2017

A Report on Modified Onion Routing and its Proof of Concept

Onion services. Philipp Winter Nov 30, 2015

PROTECTING CONVERSATIONS

CS232. Lecture 21: Anonymous Communications

Introduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?

Key Establishment and Authentication Protocols EECE 412

CS6740: Network security

Distributed Systems. Lecture 14: Security. Distributed Systems 1

ANET: An Anonymous Networking Protocol

Distributed Systems. Lecture 14: Security. 5 March,

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CSC 774 Network Security

CNT Computer and Network Security: Privacy/Anonymity

Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks

Password. authentication through passwords

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Anonymous Communications

CSE 127: Computer Security Cryptography. Kirill Levchenko

The New Cell-Counting-Based Against Anonymous Proxy

Exercises with solutions, Set 3

Crypto Background & Concepts SGX Software Attestation

Onion Routing. 1) Introduction. 2) Operations. by Harikrishnan S (M.Tech CSE) Ramji Nagariya (M.S CSE), Sai Sambhu J (M.Tech CSE).

IP address. When you connect to another computer you send it your IP address.

2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w

Privacy and Anonymity in the Internet

David Wetherall, with some slides from Radia Perlman s security lectures.

Network Security. Chapter 8. MYcsvtu Notes.

CS Computer Networks 1: Authentication

Kurose & Ross, Chapters (5 th ed.)

Pluggable Transports Roadmap

Cryptography (Overview)

Session key establishment protocols

Transcription:

03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We do not assume that the ISP will keep our identity secret In any case, we are not anonymous to the ISP Assumption: If we know address, we know identity EITN40 - Advanced Web Security EITN40 - Advanced Web Security Pros Discussion of sensitive and personal issues Information searches Freedom of speech in intolerant environments Polls/Surveys Counceling for drug or alcohol abuse Criminal victims Snitches and rats Cons Accusations Propaganda Spreading of copyright protected material Other illegal acts We just focus on the technology You can only be anonymous within a set of other users More people using the system more anonymity is possible Anonymity set The set of people in which you are anonymous Large set can provide higher anonymity than small EITN40 - Advanced Web Security 3 EITN40 - Advanced Web Security 4

03--4 Two main categories High-latency designs There is a significant delay between sending and receiving a message Chaum mixes master Babel minion Low-latency designs Aims at minimizing the time between sending and receiving a message Tor TARZAN Java anon proxy Freedom An adversary that can observe every node in the network A very strong adversary Typically Low-latency designs cannot protect against the GPA High-latency designs aims at protecting against the GPA EITN40 - Advanced Web Security 5 EITN40 - Advanced Web Security 6 First anonymity system: D Chaum, 98 Allowed anonymous encrypted email (hiding the address of the sender) Uses public key cryptography Based on a Sender Sender Sender m Cryptographic operations Reordering of items Addressee Addressee Addressee m Security assumption It is not possible to find the correspondence between plaintext and ciphertext Power of adversary Anyone can learn origin and destination of any and all messages in the underlying communication system Anyone may inject, modify or remove messages EITN40 - Advanced Web Security 7 EITN40 - Advanced Web Security 8

03--4 Purpose: Hide the correspondence between input and output items Computer that process each item Can perform cryptographic operations Reorders incoming items High latency many inputs must be collected before output is produced to avoid timing attacks Make sure no item is processed more than once Otherwise sender can be identified If one item is duplicated at both input and output we know the correspondence between that sender and addressee Sender Sender Sender m Sender Sender Sender m Sender sent message to Addressee! Duplicate message deleted by Addressee Addressee Addressee m Addressee Addressee Addressee m EITN40 - Advanced Web Security 9 EITN40 - Advanced Web Security 0 Prepare a message M to send to A: Add randomness R 0 to message in order to avoid simple guessing attacks Encrypt message using A s public key 3 Add address of receiver together with randomness R 4 Encrypt with public key of Process data in Decrypt data using private key of Remove R 3 Identify receiver A and forward encrypted message to A Read message at Receiver Decrypt message with receiver s private key Allow addressee to return message to sender without revealing return address Include untraceable return address A x Return address used by addressee K x - Temporary public key used by addressee R - Random string also used as key by Message returned to sender and processed by EITN40 - Advanced Web Security EITN40 - Advanced Web Security 3

03--4 Use cascade of n mixes only one needs to be honest Prepare message for n es Message exiting first Message exiting last Untracable return address prepared as Returned together with message Output of first mix Output of last Sender x Addressee y Sender x Addressee y First Last Last First EITN40 - Advanced Web Security 3 EITN40 - Advanced Web Security 4 Message size Problem: If the size of the messages are different then it is easy to correlate inputs and outputs Solution: Pad all packets to the same size Replay attack Problem: Replaying an old message will send it to the same place as before Solution: Save a fingerprint of ALL messages, or use time stamps N attack Problem: If an adversary controls all messages going into the except the target message, then it is easy to see where the target message is going Solution: Make sure all packets come from different senders (Will at least make this attack more difficult) Generic attack, works even when es are perfect Assumption Adversary can observe all messages entering and leaving the network Adversary has good chance of guessing when a message entering the network is likely to leave Assume messages can be linked to same sender Mailing list or forum pseudonym Consequtive messages in conversation Store a list of possible senders at time i, i+,i+, Intersect lists right sender will be left in list Problem: The anonymity set is different in each time instance EITN40 - Advanced Web Security 5 EITN40 - Advanced Web Security 6 4

03--4 Remove linkability Sometimes difficult or impossible Send dummy traffic from as many users as possible Will increase the anonymity sets Not possible with offline users Kedogan, Agrawal and Penz, 00 Generic attack, similar to the intersection attack Assume all senders are different Alice has m communication partners, reveal these! N users of system S R b senders S (One or more) R n receivers n b S b- R n- S b R n EITN40 - Advanced Web Security 7 EITN40 - Advanced Web Security 8 Learning phase Attacker records all receivers used when Alice is sender at time t in set R t This is done until we have m mutually disjoint sets R,R m Now we know that each set includes a communication partner of Alice Excluding phase Take new set R If Then replace by Decrease set size until all m sets contain only one recipient these m recipients are Alice s communication partners Conclusion: A is insecure if EITN40 - Advanced Web Security 9 EITN40 - Advanced Web Security 0 5

03--4 High-latency design might be ok for email For interactive use such as HTTP, low latency is required Basically a set of real-time Chaum es One is not enough in real-time since timing attacks will be easy Anonymity set is necessarily small On the other hand, real-time allows for eg, HTTP based traffic, voice over, etc Improving protection Many es Large volumes of traffic Synthetic traffic All packets arriving within some small fixed time interval is mixed EITN40 - Advanced Web Security EITN40 - Advanced Web Security Dingledine, Mathewson and Syverson, 004 Originally sponsored by US Naval Research Laboratory Now funded by Tor Project, a non-profit organization Low latency appropriate for real-time traffic like HTTP Because of the low latency requirement we do not want each to decrypt the message using a private key Symmetric cryptography is much faster User connects to remote server through several onion routers Each (blue) link is encrypted with TLS User shares short term symmetric key with each router Each router has public/private key pairs Encrypted link Unencrypted link EITN40 - Advanced Web Security 3 EITN40 - Advanced Web Security 4 6

03--4 Each cell is 5 bytes Two types of cells Control cells always interpreted by receiving node Padding Create, Created Destroy Relay cells Interpreted by last cell, relayed by other cells Relay begin Relay data Relay extend Bytes 509 CircID CMD DATA Bytes 4 498 CircID CMD Relay CMD Recognized StreamID Digest Length DATA CircID Hold a -byte ID for the connection to the next router CMD command to determine what to do Recognized used to know if packet should be relayed or interpreted StreamID ID for this stream Digest Integrity check Length bytes in DATA that is real data Control cell Relay cell EITN40 - Advanced Web Security 5 EITN40 - Advanced Web Security 6 Diffie-Hellman key exchange Alice OR Contact second node through first node Alice OR OR Unilateral entity authentication Alice knows she is handshaking with OR, but OR does not know who is opening the circuit Unilateral key authentication Alice knows that only OR knows the shared key K K() Public key encryption (asymm) K{} Secret key encryption (symm) EITN40 - Advanced Web Security 7 OR keeps track of mapping between ID and ID Alice do not need any info about ID K() Public key encryption (asymm) K{} Secret key encryption (symm) EITN40 - Advanced Web Security 8 7

03--4 OR only knows about node before and after ID is used to identify where to send packets Table is kept to identify where incoming packets are going User changes to new circuit periodically (about once a minute) Setup requires public key operations Takes time Users construct circuits preemtively Alice OR OR Website 8 bit AES in counter mode is used K() Public key encryption (asymm) K{} Secret key encryption (symm) EITN40 - Advanced Web Security 9 EITN40 - Advanced Web Security 30 4 498 CircID CMD Relay CMD Recognized StreamID Digest Length DATA Control cells are always interpreted Relay cells are interpreted by exit node Recognized field set to zero and digest calculated with SHA- by initiator before encrypted with K n,,k,k After decryption at OR i these 6 bytes are checked If OK, then interpret, otherwise relay Probablity of failure: -48 Leaky pipe circuit Allow exit at different ORs in same circuit Tor does not claim to protect against A Global Passive Adversary someone who can observe all network links Traffic confirmation attacks Almost no mixing because of real time Is the Global Passive Adversary realistic? Maybe not, but an attacker does not really have to observe everything A real world observer can instead be adaptive select where to observe based on prior information Users running their own router has higher anonymity Relay cell EITN40 - Advanced Web Security 3 EITN40 - Advanced Web Security 3 8

03--4 If private key of a router is compromised, the session key can still not be derived Property of Diffie-Hellman Key exchange Anonymous services (hidden services), eg, anonymous webserver How can we provide a service through a web server without revealing our? Tor Implication: If encrypted traffic is recorded, and session keys are destroyed, it can never be decrypted even if long-term keys are stolen Compare to the case when the client eg, generates a session key and encrypts it with router s public key no perfect forward secrecy EITN40 - Advanced Web Security 33 Alice User Bob Service provider EITN40 - Advanced Web Security 34 Bob initializes service Bobs service identified by his public key Bobs chooses a set of introduction points () Bob builds circuit to each introduction point Public key can be found at A, B, C, is written in database DB Alice wants to use Bobs service Alice finds s to Bob in database Alice chooses OR as rendezvous point (RP) and connects to it Alice connects to one of Bobs s and tells it about her RP Introduction point forwards message to Bob and Bob can connect to the RP chosen by Alice DB Tor Circuits Bob User Service provider Alice Alice User 3 RP 5 4 Tor Circuits Bob Service provider EITN40 - Advanced Web Security 35 EITN40 - Advanced Web Security 36 9

03--4 Tor does not provide end-to-end encryption Owner of exit node decrypts traffic and forwards it in plain text Identifying information in data stream can still reveal your identity If you log in to an email account If you pay with your credit card If you send instant messages Sept 007, 00 email accounts from embassies and government agencies posted on internet Tor exit node was used to capture the info Probable chain of events: Stolen accounts Use Tor to hide who you are End node sees the traffic EITN40 - Advanced Web Security 37 0

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback