Herbivore: An Anonymous Information Sharing System

Similar documents
Protocols for Anonymous Communication

P 5 : A Protocol for Scalable Anonymous Communications

CPSC 467b: Cryptography and Computer Security

CNT Computer and Network Security: Privacy/Anonymity

Practical Anonymity for the Masses with MorphMix

Anonymous communications: Crowds and Tor

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

ENEE 459-C Computer Security. Security protocols

ENEE 459-C Computer Security. Security protocols (continued)

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Anonymity. Christian Grothoff.

Efficiency of large-scale DC-networks

CS526: Information security

CS 134 Winter Privacy and Anonymity

The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla

Security and Anonymity

Anonymity. With material from: Dave Levin and Michelle Mazurek

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

CE Advanced Network Security Anonymity II

0x1A Great Papers in Computer Security

A SIMPLE INTRODUCTION TO TOR

Dissent: Accountable Anonymous Group Communication

Scalable overlay Networks

Strongly Anonymous Communications in Mobile Ad Hoc Networks

2 ND GENERATION ONION ROUTER

Anonymity With material from: Dave Levin

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Data and Computer Communications

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

DISSENT: Accountable, Anonymous Communication

Detecting Sybil Nodes in Wireless Networks. *: SIS Dept., UNC Charlotte **: ECE Dept., WPI

Peer-to-peer systems and overlay networks

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Tor: An Anonymizing Overlay Network for TCP

Introduction to Peer-to-Peer Systems

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

Overlay and P2P Networks. Unstructured networks: Freenet. Dr. Samu Varjonen

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

P2PNS: A Secure Distributed Name Service for P2PSIP

A k-anonymous Communication Protocol for Overlay Networks

Achieving Privacy in Mesh Networks

Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981

Peer-to-Peer Systems. Network Science: Introduction. P2P History: P2P History: 1999 today

Computer Network Fundamentals Spring Week 3 MAC Layer Andreas Terzis

CS232. Lecture 21: Anonymous Communications

Anonymity. Assumption: If we know IP address, we know identity

Lecture 6: Overlay Networks. CS 598: Advanced Internetworking Matthew Caesar February 15, 2011

Atom. Horizontally Scaling Strong Anonymity. Albert Kwon Henry Corrigan-Gibbs 10/30/17, SOSP 17

Privacy at the communication layer

GNUnet Distributed Data Storage

Objectives. Hexadecimal Numbering and Addressing. Ethernet / IEEE LAN Technology. Ethernet

Privacy defense on the Internet. Csaba Kiraly

Dissent in Numbers: Making Strong Anonymity Scale

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Anonymity and Privacy

Low-Cost Traffic Analysis of Tor

Anonymity With Tor. The Onion Router. July 5, It s a series of tubes. Ted Stevens. Technische Universität München

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis

Secure Algorithms and Data Structures for Massive Networks

Design and Analysis of Efficient Anonymous Communication Protocols

Anonymity on the Internet. Cunsheng Ding HKUST Hong Kong

Multicast EECS 122: Lecture 16

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Peer-to-Peer Networks 14 Security. Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg

Outline. Traffic multipliers. DoS against network links. Smurf broadcast ping. Distributed DoS

What's the buzz about HORNET?

Selected Questions. Exam 2 Fall 2006

Towards Efficient Traffic-analysis Resistant Anonymity Networks

: A Protocol for Scalable Anonymous Communication

DISTRIBUTED HASH TABLE PROTOCOL DETECTION IN WIRELESS SENSOR NETWORKS

Randomization. Randomization used in many protocols We ll study examples:

Randomization used in many protocols We ll study examples: Ethernet multiple access protocol Router (de)synchronization Switch scheduling

ECSE-4670: Computer Communication Networks (CCN) Informal Quiz 3

CS 123: Lecture 12, LANs, and Ethernet. George Varghese. October 24, 2006

How Alice and Bob meet if they don t like onions

EE122: Multicast. Kevin Lai October 7, 2002

Interface The exit interface a packet will take when destined for a specific network.

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

EE122: Multicast. Internet Radio. Multicast Service Model 1. Motivation

Content Overlays. Nick Feamster CS 7260 March 12, 2007

RMIT University. Data Communication and Net-Centric Computing COSC 1111/2061/1110. Lecture 8. Medium Access Control Methods & LAN

Robust TCP Stream Reassembly In the Presence of Adversaries

Peer to Peer Networks

CS555: Distributed Systems [Fall 2017] Dept. Of Computer Science, Colorado State University

High Level View. EE 122: Ethernet and Random Access protocols. Medium Access Protocols

Review. Error Detection: CRC Multiple access protocols. LAN addresses and ARP Ethernet. Slotted ALOHA CSMA/CD

CSC 4900 Computer Networks: Link Layer (2)

Switching & ARP Week 3

Design and Implementation of Privacy-Preserving Surveillance. Aaron Segal

1 Introduction. Albert Kwon*, David Lazar, Srinivas Devadas, and Bryan Ford Riffle. An Efficient Communication System With Strong Anonymity

Reminder: Datalink Functions Computer Networking. Datalink Architectures

20-CS Cyber Defense Overview Fall, Network Basics

DC Networks The Protocol. Immanuel Scholz

EE 122: Ethernet and

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Wireless Security Security problems in Wireless Networks

Transcription:

Herbivore: An Anonymous Information Sharing System Emin Gün Sirer August 25, 2006

Need Anonymity Online Current networking protocols expose the identity of communication endpoints Anyone with access to backbone Internet traffic can determine communication patterns Internet Encryption helps conceal content, but not identity Constitutes a military vulnerability Easy to determine C&C centers Opportunities for industrial espionage

Goals Anonymity Broadcast Networks DC-Nets Scale Source Rewriting Performance

Commander Source Rewriting Packets sent through an intermediary to mask Attack at dawn Silo origin E.g. MIXes, Crowds, Onion Routing, Tarzan, AP3B Long paths and time delays make it difficult to trace back Practical, implemented High latency A powerful adversary, through observations,

Broadcast Networks Every node sends to every other node all the time E.g. P5 Strong anonymity: cannot tell who or when Must constantly send at peak bandwidth Low throughput High network load Never implemented

Herbivore Overview Herbivore builds on dining cryptographer networks (DC-Nets) Elegant scheme for anonymous communication [Chaum 1981] Strong anonymity guarantee Even an adversary that has tapped the entire network and observed every packet cannot determine packet origin Herbivore makes DC-Nets practical Efficient and scalable, with the same strong anonymity guarantee

DC-Net Operation AB BC Pb = AB BC m Pa = AB AC AC Pc = BC AC Every pair of participants tosses a coin in secret Every participant reports the XOR of all their coins and messages XORing all reported values reveals message XOR of all messages if more than one transmitter

DC-Net Example AB = 0 Pa = 0 AC = 0 Pa Pb Pc = (AB AC) (AB BC m) (BC AC) = AB AB AC AC BC BC m = m BC = 1 0 0 1 = 1 m = 1 Pb = 0 m = 0 Pb = 1 Pc = 1 0 1 1 = 0

DC-Net Properties Why does it work? All nodes participate in the computation of the packet All nodes equally culpable Information theoretic guarantee Shared anonymous broadcast channel Like Ethernet, but virtual As described so far, it is not a practical system Lacks protocol, scale and performance

Herbivore DC-Net Protocol Use PRNG instead of coins Derive stream of coin tosses efficiently Fully-connected key graph Every pair has a unique key, no weak points Communication occurs in rounds, of three phases Reservation Transmission Voting

Herbivore Reservation Phase Goal: anonymously acquire exclusive access to the channel Divide time into transmission slots A node with a message to send selects a transmission slot, i, at random broadcasts a bit vector, with 0 s everywhere and a 1 for the ith bit everyone receives XOR of all reservations transmits in reserved slot, if succeeded Collisions trigger Ethernet-like backoff A: 00001000 B: 00010000 C: 00000010 --------------- 00011010

Herbivore Transmission Phase A node transmits its message in the slot it has reserved Unreserved slots are skipped Collisions may occur during the transmission phase If an odd number of nodes select the same slot, or if there is a malicious node Every packet carries data and hash Provides collision detection & ensures packet integrity Multiple rounds in parallel

Herbivore Voting Phase Goal: signal to other nodes that a node is in the middle of a long transaction Delay departure until transaction is completed, if possible Herbivore voting is bandwidth efficient (2 bytes) Special case for anonymous 1-bit voting

Herbivore Overlay Topology Chaumian DC-Nets use a Fully-Connected Graph O(1) latency, O(N 2 ) load E Pe Pd C Pc Pb B D Pa A

Herbivore Overlay Topology Chaumian DC-Nets use a Fully-Connected Graph O(1) latency, O(N 2 ) load Or Ring O(N) latency, O(N) load E Pe D Pc Pd C Pb Pa A B

Herbivore Overlay Topology Chaumian DC-Nets use a Fully-Connected Graph O(1) latency, O(N 2 ) load Or Ring O(N) latency, O(N) load Me Herbivore uses a Star topology Pd D m m Pa C Pc E All nodes send their packets to a center node in each round Center duties rotate deterministically at each round O(1) latency, O(N) load A m Pb m B

Herbivore Protocol Efficiency Topology Low latency, low load overlay organization Reservation We derive and use optimal vector size Transmission We run multiple transmission rounds concurrently Voting We extend system lifetime with efficient 1-bit voting

Herbivore Scale Traditional DC-Nets do not scale Protocol is too heavy-weight for use at planetary scale Divide and conquer! Self-organize the network into cliques of k-nodes Use the relatively heavy-weight protocol in small cliques Decouple protocol cost from system size

Use Pastry to map nodes to clique Herbivore Clique Management Use a P2P overlay to organize N participants into cliques of minimum size k Clique size ranges from k to 3k, for k = 20 or so Every node solves a crypto-puzzle to obtain a node-id and join the system Puzzle solution randomizes entry into cliques Nodes demonstrate solution of the puzzle to each preexisting clique member No central authority is involved

Herbivore Cliques A clique of more than 3k nodes is split into 2 cliques When nodes depart and clique size drops below k, the nodes depart and join closest existing cliques

Interclique Operation Within a clique, all communication is anonymous Uses the Herbivore DC-Net protocol Between cliques, packets are forwarded via randomly selected proxies Interfacing with the outside world also occurs through randomly selected proxies

DC-Net Filesharing Naïve solution is simple Every node has a list of files it offers for downloads Queries are broadcast from clique to clique Files are transferred back if query hit Naïve solution is open to intersection attacks RIAA queries for Metallica, examines clique membership of all cliques that respond, takes the intersection over time Whoever remains is guilty of placing Metallica songs online

Herbivore Filesharing Batch download system with a simple user interface List of files to publish List of files to acquire Every node has two file stores A-list: files available to others but not yet disseminated to anyone B-list: LRU cache of files recently sent in response to queries

Herbivore Filesharing When a query arrives for a file held in the A or B-list, the node responds with the file If on A-list, the file is transferred to the B-list When a file is overheard on the broadcast channel, it is placed on the B-list Hence, all nodes in the clique have state identical to the originator Can be done probabilistically, with p < 0.5 No way to determine the originator, despite use of small anonymization groups! Can search or sue everyone in the clique (not under US law) Published files may get dropped for lack of interest

Herbivore Status Implemented the system Anonymous filesharing, instant messaging and web browsing YIM-like interface for FS and IM + web proxy ~27,000 lines of code Deployed on Planetlab The system is practical First known deployment of DC-Nets Scales well, efficient protocol

Herbivore Bandwidth Bandwidth (Kb/s) 250 200 150 100 50 Herbivore Bandwidth 1 sender 2 senders 3 senders 4 senders 0 10 15 20 25 30 35 40 Clique Size

Herbivore Latency Latency (s) 1.1 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 Series1 Series2 Series3 Series4 Herbivore Latency 10 15 20 25 30 35 40 Clique Size

Summary Herbivore provides strong anonymity, scalability and performance DC-Nets are practical! Enables participants to share information anonymously, even in the presence of omnipotent adversaries

Further Information E. Gün Sirer egs@cs.cornell.edu http://www.cs.cornell.edu/people/egs/herbivore/

Attacks and Defenses Sybil: use cryptopuzzles Jamming: use commitment and trap Intersection: use A and B-lists Statistical: DC-Nets Sloth: accrues strikes Center: accrues a fractional strike Eclipse: check adjacent clique members on clique creation Abuse: selective revocation with secret sharing

Anonymity and Abuse What if someone uses the system to perform nefarious activities? E.g. plot a terrorist attack Serious problem But not new, police have mechanisms for tracking down criminals with similar anonymous channels in the real world Technical solution Share secret keys using (n, k)-secret sharing Revoke anonymity when k out of n participants agree

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback