Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Similar documents
Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

Network Security: Denial of Service (DoS), Anonymity. Tuomas Aura

0x1A Great Papers in Computer Security

Protocols for Anonymous Communication

A SIMPLE INTRODUCTION TO TOR

CS526: Information security

ENEE 459-C Computer Security. Security protocols (continued)

ENEE 459-C Computer Security. Security protocols

Anonymity. Assumption: If we know IP address, we know identity

CS 134 Winter Privacy and Anonymity

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Anonymous communications: Crowds and Tor

Tor: An Anonymizing Overlay Network for TCP

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Metrics for Security and Performance in Low-Latency Anonymity Systems

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

2 ND GENERATION ONION ROUTER

Computer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017

Private Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

How Alice and Bob meet if they don t like onions

anonymous routing and mix nets (Tor) Yongdae Kim

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis

CS Paul Krzyzanowski

The Loopix Anonymity System

CSE484 Final Study Guide

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Anonymity on the Internet. Cunsheng Ding HKUST Hong Kong

Anonymous communications and systems

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

CS Final Exam

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 494/594 Computer and Network Security

CE Advanced Network Security Anonymity II

Privacy defense on the Internet. Csaba Kiraly

FBI Tor Overview. Andrew Lewman January 17, 2012

Privacy and Anonymity in the Internet

CS6740: Network security

Anonymous Communications

Onion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J

Analysing Onion Routing Bachelor-Thesis

Anonymity and Privacy

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

Introduction to Cybersecurity Digital Signatures

VPN Overview. VPN Types

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

A Report on Modified Onion Routing and its Proof of Concept

ANET: An Anonymous Networking Protocol

Karaoke. Distributed Private Messaging Immune to Passive Traffic Analysis. David Lazar, Yossi Gilad, Nickolai Zeldovich

APNIC elearning: Cryptography Basics

Computer Networks. Wenzhong Li. Nanjing University

Encryption. INST 346, Section 0201 April 3, 2018

Summary on Crypto Primitives and Protocols

CSE 127: Computer Security Cryptography. Kirill Levchenko

Crypto Background & Concepts SGX Software Attestation

Anonymity. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Introduction to Computer Security

Pluggable Transports Roadmap

Introduction and Overview. Why CSCI 454/554?

Dissent: Accountable Anonymous Group Communication

Key Establishment and Authentication Protocols EECE 412

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Achieving Privacy in Mesh Networks

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Auth. Key Exchange. Dan Boneh

Network Security Chapter 8

CPSC 467b: Cryptography and Computer Security

Low-Cost Traffic Analysis of Tor

CNT Computer and Network Security: Privacy/Anonymity

CS232. Lecture 21: Anonymous Communications

CS Computer Networks 1: Authentication

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

Port-Scanning Resistance in Tor Anonymity Network. Presented By: Shane Pope Dec 04, 2009

Challenges in building overlay networks: a case study of Tor. Steven Murdoch Principal Research Fellow University College London

Privacy Enhancing Technologies CSE 701 Fall 2017

CS 356 Internet Security Protocols. Fall 2013

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Lecture 1 Applied Cryptography (Part 1)

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Introducing SOR: SSH-based Onion Routing

Anonymity in P2P Systems

Anonymity Analysis of TOR in Omnet++

Introduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Network Security: Threats and goals. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Anonymous Communication and Internet Freedom

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Strongly Anonymous Communications in Mobile Ad Hoc Networks

Anonymous Communication and Internet Freedom

CIS 4360 Secure Computer Systems Applied Cryptography

(2½ hours) Total Marks: 75

Transcription:

Network Security: Anonymity Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010

Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor 2

Anonymity and privacy 3

Anonymity terminology Identity, identifier Anonymity they don t know who you are Unlinkability they cannot link two events or actions (e.g. messages) with each other Pseudonymity intentionally allow linking of some events to each other E.g. sessions, payment and service access Authentication strong verification of identity Weak identifier not usable for strong authentication but may compromise privacy E.g. nickname, IP address, SSID, service usage profile Authorization verification of access rights Does not always imply authentication (remember SPKI) 4

Anonymity in communications Anonymity towards communication peers Sender anonymity receiver does not know who and where sent the message Receiver anonymity can send a message to a recipient without knowing who and where they are Third-party anonymity an outside observer cannot know who is talking to whom Unobservability an outside observer cannot tell whether communication takes place or not Strength depends on the capabilities of the adversary Anonymity towards access network Access network does not know who is roaming there Relate concept: location privacy 5

Privacy Control over personal information Emphasized in Europe Gathering, disclosure and false representation of facts about one s personal life Right to be left alone Emphasized in America Avoiding spam, control, discrimination, censorship Anonymity is a tool for achieving privacy Blending into the crowd 6

Identity protection in key exchange Identity protection against passive observers achieved by encrypting the authentication with a Diffie-Hellman key or a secret send with public-key encryption Identity protection of one party against active attackers achieved by authenticating the other party first Recall these protocols: PGP TLS/SSL, EAP-TLS IKEv2 Kerberos WPA2 Lower-layer identifiers (MAC and IP address) can still leak identity Traffic analysis can still be used to profile the node 7

Who is the adversary? Discussion: who could violate your privacy and anonymity? Global attacker, your government e.g. total information awareness, retention of traffic data Servers across the Internet, colluding commercial interests e.g. web cookies, trackers, advertisers Criminals e.g. identity theft Employer People close to you e.g. stalkers, co-workers, neighbors, family members 8

Randomized identifiers Replace permanent identifiers with random pseudonyms Especially important below the encryption layer Random interface id in IPv6 address [RFC 4941] Random MAC addresses suggested Need to consider weak identifiers (i.e. implicit identifiers), too E.g., IPID, TCP sequence number 9

Strong anonymity? Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication Even the strongest mechanisms have serious weaknesses Need to trust many others to be honest Services operated by volunteers and activists Side-channel attacks Anonymity tends to degrade over time for persistent communication 10

High-latency anonymous routing

Mix (1) A E B E Mix (F,M 1 ) E Mix (H,M 2 ) Mix M 1 M 2 F C E Mix (G,M 3 ) M 3 G E Mix (E,M 4 ) M 4 D H Mix is an anonymity service [Chaum 1981] Attacker sees both sent and received messages but cannot link them to each other sender anonymity, third-party anonymity against a global observer The mix receives encrypted messages (e.g. email), decrypts them, and forwards to recipients 12

Mix (2) A E B E Mix (F,M 1 ) E Mix (H,M 2 ) Mix M 1 M 2 F C E Mix (G,M 3 ) M 3 G E Mix (E,M 4 ) M 4 D H Attacker can see the input and output of the mix Attacker cannot see how messages are shuffled in the mix Anonymity set = all nodes that could have sent (or could be recipients of) a particular message 13

Mix (3) A E B E Mix (F,M 1 ) E Mix (H,M 2 ) Mix M 1 M 2 F C E Mix (G,M 3 ) M 3 G E Mix (E,M 4 ) M 4 D Two security requirements: Bitwise unlinkability of input and output messages cryptographic property, must resist active attacks Resistance to traffic analysis add delay or inject dummy messages Not just basic encryption! Resist adaptive chosen-ciphertext attacks (IND-CCA2 i.e. NM-CCA2) Replay prevention and integrity check needed at the mix Examples of design mistakes: No freshness check at mix No random initialization vector for encryption No padding to hide message length Malleable encryption, e.g. stream cipher, or no integrity check FIFO order of delivering messages H 14

Mixing in practice Threshold mix wait to receive k messages before delivering Anonymity set size k Pool mix mix always buffers k messages, sends one when it receives one Both strategies add delay high latency Not all senders and receivers are always active In a closed system, injecting cover traffic can fix this; in the Internet, not Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections Attacker can observe beginning and end of connections Attacker can observe requests and response pairs statistical attacks 15

16 Who sends to whom? D C B A E F G H D C B A E F G H D C B A E F G H D C B A E F G H D C B A E F G H D C B A E F G H D C B A E F G H Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 D C B A E F G H D C B A E F G H Round 8 Round 9 Threshold mix with threshold 3

Anonymity metrics Size of the anonymity set: k-anonymity Suitable for one round of threshold mixing Problems with k-anonymity: Multiple rounds statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is high Pool mix k = Entropy: E = Σ i=1 n (p i log 2 p i ) Measures the amount of missing in information in bits: how much does the attacker not know Can measure entropy of the sender, recipient identity etc. Problems with measuring anonymity: Anonymity of individual messages vs. anonymity in a system Depends on the attacker s capabilities and background information Anonymity usually degrades over time as attacker collects more statistics 17

The mix must be honest Trusting the mix Example: anonymous remailers for email anon.penet.fi 1993 96 Route packets through multiple mixes to avoid single point of failure Attacker must compromise all mixes on the route Compromising almost all mixes may reduce the size of the anonymity set 18

Mix network (1) 19

Mix network (2) Mix network is just a distributed implementation of mix 20

Mix networks Mix cascade all messages from all senders are routed through the same sequence of mixes Good anonymity, poor load balancing, poor reliability Free routing each message is routed independently via multiple mixes Other policies between these two extremes But remember that the choice of mixes could be a weak identifier Onion encryption: Alice M1: E M1 (M2,E M2 (M3,E M3 (Bob,M))) M1 M2: E M2 (M3,E M3 (Bob,M)) M2 M3: E M3 (Bob,M) M3 Bob: M Encryption at every layer must provide bitwise unlinkability detect replays and check integrity in free routing, must keep message length constant Re-encryption mix special crypto that keeps the message length constant with multiple layers of encryption 21

Sybil attack Attack against open systems which anyone can join Mixes tend to be run by volunteers Attacker creates a large number of seemingly independent nodes, e.g. 50% off all nodes some routes will go through only attacker s nodes Defence: increase the cost of joining the network: Human verification that each mix is operated by a different person or organization The IP address of each mix must be in a new domain Require good reputation of some kind that takes time and effort to establish Select mixes in a route to be at diverse locations Sybil attacks are a danger to most P2P systems, not just anonymous routing E.g. reputation systems, content distribution 22

(n-1) attack Other attacks Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get though easy to trace because all other packets are the attacker s Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection Statistical attacks Attacker may accumulate statistics about the communication over time and reconstruct the senderreceiver pairs based on its knowledge of common traffic patterns 23

Receiver anonymity Alice distributes a reply onion: E M3 (M2,k3,E M2 (M1,k2,E M1 (Alice,k1,E Alice (K)))) Messages from Bob to Alice: Bob M3: E M3 (M2,k3,E M2 (M1,k2,E M1 (Alice,k1,E Alice (K)))), M M3 M2: E M2 (M1,k2,E M1 (Alice,k1,E Alice (K))), E k3 (M) M2 M1: E M1 (Alice,k1,E Alice (K)), E k2 (E k3 (M)) M1 Alice: E Alice (K), E k1 (E k2 (E k3 (M))) Alice can be memoryless: ki = h(k, i) 24

25 Low-latency anonymous routing

Tor 2nd generation onion router Mix networks are ok for email but too slow for interactive use like web browsing New compromise between efficiency and anonymity: No mixing at the onion routers All packets in a session, in both directions, go through the same routers Short route, always three onion routers Tunnels based on symmetric cryptography No cover traffic Protects against local observers at any part of the path, but vulnerable to a global attacker More realistic attacker model: can control some nodes, can sniff some links, not everything SOCKS interface at clients works for any TCP connection 26

Tunnels in Tor [Danezis] Alice OR 1 OR 2 OR 3 Bob Authenticated DH Alice OR 1 K 1 Encrypted with K 1 K 1 Authenticated DH, Alice OR 2 Alice not authenticated, only the ORs K 1,K 2 K 2 Encrypted with K 1, K 2 Authenticated DH, Alice OR 3 K 1,K 2,K 3 K 3 Encrypted with K 1, K 2, K 3 TCP connection Alice Bob Last link unencrypted 27

Tunnels in Tor [Danezis] Alice OR 1 OR 2 OR 3 Bob Authenticated DH Alice OR 1 K 1 K 1 Alice not authenticated, only the ORs Encrypted with K 1 Authenticated DH, Alice OR 2 K 1,K 2 K 2 Encrypted with K 1, K 2 Authenticated DH, Alice OR 3 K 1,K 2,K 3 Encrypted with K 1, K 2, K 3 K 3 Additionally, linkwise TLS connections: Alice OR 1 OR 2 OR 3 TCP connection Alice Bob Last link unencrypted 28

Tor limitations (1) Identifying packet streams is very easy Passive fingerprinting by packet size, timing Active traffic shaping (stream watermarking) Anonymity compromised if attacker can see or control the first and last link Includes attackers who own the first and last OR longer routes do not help If c is the fraction of compromised ORs, probability of compromise is c 2 Why three routers, not two? Out of habit? Attacker in control of 1st or last router cannot immediately go and compromise the other when there is a middle router 29

Tor limitations (2) Client must know the addresses and public keys of all onion routers If client only knows a small subset of routers, it will always choose all three routers from this subset implicit identifier E.g. client knows 10 out of 1000 routers = 1% Attacker in control of the last router can narrow down the client identity to (0.01) 2 = 0.01% of all clients Attacker in control of two last routers can narrow the client identity down to (0.01) 3 = 0.0001% of all clients Blacklisting of entry or exit nodes 30

Applications of anonymous routing Censorship resistance, freedom or speech Protection against discrimination, e.g. geographic access control or price differentiation Business intelligence, police investigation, political and military intelligence Whistle blowing, crime reporting Electronic voting Crime, forbidden and immoral activities? 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback