Protocols for Anonymous Communication

Similar documents
0x1A Great Papers in Computer Security

CS 134 Winter Privacy and Anonymity

ENEE 459-C Computer Security. Security protocols (continued)

ENEE 459-C Computer Security. Security protocols

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

A SIMPLE INTRODUCTION TO TOR

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Tor: An Anonymizing Overlay Network for TCP

CS526: Information security

CE Advanced Network Security Anonymity II

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

CS232. Lecture 21: Anonymous Communications

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Tor Hidden Services. Roger Dingledine Free Haven Project Electronic Frontier Foundation.

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

Anonymity. Assumption: If we know IP address, we know identity

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Anonymity and Privacy

2 ND GENERATION ONION ROUTER

Anonymity. With material from: Dave Levin and Michelle Mazurek

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Anonymity Analysis of TOR in Omnet++

Anonymous communications: Crowds and Tor

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Privacy Enhancing Technologies CSE 701 Fall 2017

Computer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017

Private Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes

CPSC 467b: Cryptography and Computer Security

Security and Anonymity

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Introduction to Cybersecurity Digital Signatures

How Alice and Bob meet if they don t like onions

Anonymity With material from: Dave Levin

Anonymous Connections and Onion Routing

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

CS Paul Krzyzanowski

Onion services. Philipp Winter Nov 30, 2015

ANONYMOUS CONNECTIONS AND ONION ROUTING

Introduction to Computer Security

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

CNT Computer and Network Security: Privacy/Anonymity

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 23

Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981

ANET: An Anonymous Networking Protocol

DISSENT: Accountable, Anonymous Communication

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

anonymous routing and mix nets (Tor) Yongdae Kim

Onion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J

Anonymity on the Internet. Cunsheng Ding HKUST Hong Kong

Analysing Onion Routing Bachelor-Thesis

Solution of Exercise Sheet 10

Addressing Privacy: Matching User Requirements with Implementation Techniques

Tor. Tor Anonymity Network. Tor Basics. Tor Basics. Free software that helps people surf on the Web anonymously and dodge censorship.

Privacy defense on the Internet. Csaba Kiraly

Rendezvous Tunnel for Anonymous Publishing

Anonymous Communications

The New Cell-Counting-Based Against Anonymous Proxy

CS6740: Network security

Defining Anonymity in Networked Communication, version 1

What's the buzz about HORNET?

Achieving Privacy in Mesh Networks

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

CSC Network Security

Peer-to-Peer Systems and Security

Herbivore: An Anonymous Information Sharing System

Low Latency Anonymity with Mix Rings

The Loopix Anonymity System

Anonymity. MPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security. Anonymity: particular case of Privacy

IP Security IK2218/EP2120

Peer-to-Peer Networks 14 Security. Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg

Anonymity With Tor. The Onion Router. July 5, It s a series of tubes. Ted Stevens. Technische Universität München

Dissent: Accountable Anonymous Group Communication

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Privacy SPRING 2018: GANG WANG

Design and Analysis of Efficient Anonymous Communication Protocols

Anonymous Communication and Internet Freedom

Public-Key Infrastructure NETS E2008

Challenges in Mobile Ad Hoc Network

Social Networking for Anonymous Communication Systems: A Survey

Anonymous Communication and Internet Freedom

Cryptanalysis of a fair anonymity for the tor network

Port-Scanning Resistance in Tor Anonymity Network. Presented By: Shane Pope Dec 04, 2009

Tor: Online anonymity, privacy, and security.

Introduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?

Anonymous communication with on-line and off-line onion encoding

Payload analysis of anonymous communication system with host-based rerouting mechanism

Unit 8 Review. Secure your network! CS144, Stanford University

A Quantitative Analysis of Anonymous Communications

IP address. When you connect to another computer you send it your IP address.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Scalable overlay Networks

20th ICCRTS. Implementing Covert Communication Networks on Gunther-Hartnell Clique Graph Topologies

Transcription:

18734: Foundations of Privacy Protocols for Anonymous Communication Anupam Datta CMU Fall 2016

Privacy on Public Networks } Internet is designed as a public network } Machines on your LAN may see your traffic, network routers see all traffic that passes through them } Routing information is public } IP packet headers identify source and destination } Even a passive observer can easily figure out who is talking to whom } Encryption does not hide identities } Encryption hides payload, but not routing information } Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP addresses of IPSec gateways

Applications of Anonymity (I) } Privacy } Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists } Untraceable electronic mail } Corporate whistle-blowers } Political dissidents } Socially sensitive communications (online AA meeting) } Confidential business negotiations } Law enforcement and intelligence } Sting operations and honeypots } Secret communications on a public network

Applications of Anonymity (II) } Digital cash } Electronic currency with properties of paper money (online purchases unlinkable to buyer s identity) } Anonymous electronic voting } Censorship-resistant publishing

What is Anonymity? } Anonymity is the state of being not identifiable within a set of subjects } You cannot be anonymous by yourself! } Hide your activities among others similar activities } Unlinkability of action and identity } For example, sender and his email are no more related after observing communication than they were before } Unobservability (hard to achieve) } Any item of interest (message, event, action) is indistinguishable from any other item of interest

Attacks on Anonymity } Passive traffic analysis } Infer from network traffic who is talking to whom } To hide your traffic, must carry other people s traffic! } Active traffic analysis } Inject packets or put a timing signature on packet flow } Compromise of network nodes } Attacker may compromise some routers } It is not obvious which nodes have been compromised } Attacker may be passively logging traffic } Better not to trust any individual router } Assume that some fraction of routers is good, don t know which

Outline } Protocols for anonymous communication } High-latency } Chaum Mixes as a building block, onion routing } Low-latency } Optimized Onion Routing and Tor } Dining Cryptographers

Chaum s Mix } Early proposal for anonymous email } David Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, February 1981. } Public key crypto + trusted re-mailer (Mix) } Untrusted communication medium } Public keys used as persistent pseudonyms Before spam, people thought anonymous email was a good idea J } Modern anonymity systems use Mix as the basic building block

Basic Mix Design B A C {r 1,{r 0,M} pk(b),b} pk(mix) {r 0,M} pk(b),b {r 5,M } pk(b),b E {r 2,{r 3,M } pk(e),e} pk(mix) D {r 4,{r 5,M } pk(b),b} pk(mix) Mix {r 3,M } pk(e),e Adversary knows all senders and all receivers, but cannot link a sent message with a received message

Anonymous Return Addresses M includes {K 1,A} pk(mix), K 2 where K 2 is a fresh public key {r 1,{r 0,M} pk(b),b} pk(mix) {r 0,M} pk(b),b MIX B A A,{{r 2,M } K 2 } K1 Response MIX {K 1,A} pk(mix), {r 2,M } K 2 Secrecy without authentication (good for an online confession service J )

Mix Cascade } Messages are sent through a sequence of mixes } Can also form an arbitrary network of mixes ( mixnet ) } Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymity } Pad and buffer traffic to foil correlation attacks

Idea: Randomized Routing } Hide message source by routing it randomly } Popular technique: Crowds, Freenet, Onion routing } Routers don t know for sure if the apparent source of a message is the true sender or another router

Onion Routing [Reed, Syverson, Goldschlag 97] Alice R R R 4 R 3 R 1 R R 2 R R Bob R } Sender chooses a random sequence of routers } Some routers are honest, some controlled by attacker } Sender controls the length of the path

Route Establishment Alice R 2 R R 4 Bob 3 R 1 {M} pk(b) {B,{ }} pk(r 4) {R {R 2,{ 3,{ {R 4, } } pk(r 3) } }} pk(r 2) }} pk(r 1) Routing info for each link encrypted with router s public key Each router learns only the identity of the next router

Disadvantages of Basic Mixnets/Onion Routing } Public-key encryption and decryption at each mix/router are computationally expensive } Basic mixnets have high latency } Ok for email, not Ok for anonymous Web browsing } Challenge: low-latency anonymity network

Outline } Protocols for anonymous communication } High-latency } Chaum Mixes as a building block } Low-latency } Onion Routing and Tor } Dining Cryptographers

Tor } Second-generation onion routing network } http://tor.eff.org } Developed by Roger Dingledine, Nick Mathewson and Paul Syverson } Specifically designed for low-latency anonymous Internet communications } Running since October 2003 } 100 nodes on four continents, thousands of users } Easy-to-use client proxy } Freely available, can use it for anonymous browsing

Tor Circuit Setup } Client proxy establishes symmetric session keys with onion routers

Tor Circuit Setup (details) Alice R 2 R R 4 Bob 3 R 1 {M} pk(b) {B,k 4 } pk(r {R 4,k 3 } 4),{ } k 4 pk(r 3),{ } k 3 {R 3,k 2 } pk(r {R 2,k 1 } 2),{ } k 2 pk(r 1),{ } k 1 Routing info for each link encrypted with router s public key Each router learns only the identity of the next router and symmetric key with source

Using a Tor Circuit } Client applications connect and communicate over the established Tor circuit } Note onion now uses only symmetric keys for routers

Using a Tor Circuit(details) Alice R 2 R R 4 Bob 3 R 1 {M} pk(b) {B,{ }} k 4 {R {R 2,{ 3,{ {R 4, } k 3 }} k 2 }} k 1 Note onion now uses only symmetric keys for routers

Tor Management Issues } Many applications can share one circuit } Multiple TCP streams over one anonymous connection } Tor router doesn t need root privileges } Encourages people to set up their own routers } More participants = better anonymity for everyone } Directory servers } Maintain lists of active onion routers, their locations, current public keys, etc. } Control how new routers join the network } Sybil attack : attacker creates a large number of routers } Directory servers keys ship with Tor code

Deployed Anonymity Systems } Free Haven project has an excellent bibliography on anonymity } Linked from the reference section of course website } Tor (http://tor.eff.org) } Overlay circuit-based anonymity network } Best for low-latency applications such as anonymous Web browsing } Mixminion (http://www.mixminion.net) } Network of mixes } Best for high-latency applications such as anonymous email

Outline } Protocols for anonymous communication } High-latency } Chaum Mixes as a building block } Low-latency } Onion Routing and Tor } Dining Cryptographers

Dining Cryptographers } Clever idea how to make a message public in a perfectly untraceable manner } David Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology, 1988.

Three-Person DC Protocol Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous. 1. Each diner flips a coin and shows it to his left neighbor. } Every diner will see two coins: his own and his right neighbor s 2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite). 3. Odd number of same NSA is paying; even number of same one of them is paying } But a non-payer cannot tell which of the other two is paying!

Non-Payer s View: Same Coins same different same different?? payer payer Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Non-Payer s View: Different Coins same same same same?? payer payer Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Superposed Sending } This idea generalizes to any group of size N } For each bit of the message, every user generates 1 random bit and sends it to 1 neighbor } Every user learns 2 bits (his own and his neighbor s) } Each user announces own bit XOR neighbor s bit } Sender announces own bit XOR neighbor s bit XOR message bit } XOR of all announcements = message bit } Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once

DC-Based Anonymity is Impractical } Requires secure pairwise channels between group members } Otherwise, random bits cannot be shared } Requires massive communication overhead and large amounts of randomness } DC-net (a group of dining cryptographers) is robust even if some members collude } Guarantees perfect anonymity for the other members

Thanks! Questions } Acknowledgement: This lecture uses a number of slides provided by Vitaly Shmatikov

Location Hidden Servers } Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it } Accessible from anywhere } Resistant to censorship } Can survive full-blown DoS attack } Resistant to physical attack } Can t find the physical server!

Creating a Location Hidden Server Client obtains service descriptor and intro point address from directory Server creates onion routes to introduction points Server gives intro points descriptors and addresses to service lookup directory

Using a Location Hidden Server Client creates onion route to a rendezvous point Rendezvous point mates the circuits from client & server If server chooses to talk to client, connect to rendezvous point Client sends address of the rendezvous point and any authorization, if needed, to server through intro point

A simple idea: Basic Anonymizing Proxy } Channels appear to come from proxy, not true originator } Appropriate for Web connections etc.: SSL, TLS (Lower cost symmetric encryption) } Example: The Anonymizer } Simple, focuses lots of traffic for more anonymity } Main disadvantage: Single point of failure, compromise, attack

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback