ANET: An Anonymous Networking Protocol

Similar documents
0x1A Great Papers in Computer Security

ANONYMOUS CONNECTIONS AND ONION ROUTING

Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981

Peer-to-Peer Networks 14 Security. Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg

ENEE 459-C Computer Security. Security protocols

Protocols for Anonymous Communication

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

ENEE 459-C Computer Security. Security protocols (continued)

Security. Communication security. System Security

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

Anonymity. Assumption: If we know IP address, we know identity

Towards measuring anonymity

CS 134 Winter Privacy and Anonymity

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

8. Network Layer Contents

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Challenges in Mobile Ad Hoc Network

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

FTP. FTP offers many facilities :

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Firewalls, Tunnels, and Network Intrusion Detection

2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w

CS 161 Computer Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Onion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J

CPSC 467: Cryptography and Computer Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Privacy defense on the Internet. Csaba Kiraly

Overview. SSL Cryptography Overview CHAPTER 1

Anonymity and Privacy

Encryption. INST 346, Section 0201 April 3, 2018

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Receiver Anonymity via Incomparable Public Keys

Simulation on Agent-based Onion Routing Network *

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Crowds Anonymous Web Transactions. Why anonymity?

Smart Cards in Hostile Environments

Outline More Security Protocols CS 239 Computer Security February 6, 2006

CPSC 467b: Cryptography and Computer Security

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

PROTECTING CONVERSATIONS

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Cryptography and Network Security

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

A Report on Modified Onion Routing and its Proof of Concept

VAST: Versatile Anonymous System for Web Users

Analyzing the Dual-Path Peer-to-Peer Anonymous Approach

Network Security and Cryptography. 2 September Marking Scheme

David Wetherall, with some slides from Radia Perlman s security lectures.

NETWORK SECURITY & CRYPTOGRAPHY

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

A Scheme for Route Optimization in Mobile IP without. Compromising Location Privacy. Yang-hua Chu, Jun Gao and Sanjay Rao

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

CS519: Computer Networks. Lecture 2: Feb 2, 2004 IP (Internet Protocol)

Cryptographic Checksums

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

IPSec. Overview. Overview. Levente Buttyán

Analysing Onion Routing Bachelor-Thesis

(2½ hours) Total Marks: 75

Cryptography (Overview)

Lecture 1: Perfect Security

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Analysis of an Anonymity Network for Web Browsing

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Lecture 1 Applied Cryptography (Part 1)

MIX Network for Location Privacy First Draft

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CS408 Cryptography & Internet Security

Anonymous communications: Crowds and Tor

CS526: Information security

RTP. Prof. C. Noronha RTP. Real-Time Transport Protocol RFC 1889

UNIT - IV Cryptographic Hash Function 31.1

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Outline More Security Protocols CS 239 Computer Security February 4, 2004

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

A SIMPLE INTRODUCTION TO TOR

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

An Efficient PGP Keyserver without Prior Context

Chapter 8 Web Security

CSE 127: Computer Security Cryptography. Kirill Levchenko

Payload analysis of anonymous communication system with host-based rerouting mechanism

Kurose & Ross, Chapters (5 th ed.)

Lecture 18 - Chosen Ciphertext Security

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Virtual Private Network

Secure Networking with NAT Traversal for Enhanced Mobility

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Nigori: Storing Secrets in the Cloud. Ben Laurie

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

WHITE PAPER. Authentication and Encryption Design

On the Internet, nobody knows you re a dog.

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

CSC 6575: Internet Security Fall 2017

Computers and Security

Transcription:

ANET: An Anonymous Networking Protocol Casey Marshall csm@soe.ucsc.edu May 31, 2005 Abstract This paper presents a simple, anonymizing network protocol. Its primary goal is to provide untraceability of connections between two parties, by routing messages securely through a loosely organized, untrusted peerto-peer network. This paper is primarily a companion to the reference implementation of this protocol, as freely redistributable Java source, and is intended to fulfill the project requirements for CMPS 223: Advanced Computer Security, at the University of California, Santa Cruz. 1 Introduction and Related Work ANET is a simple, anonymizing, general-purpose network protocol. It uses a distributed, ad-hoc peer-to-peer network to route messages between peers. The protocol is message-based, and does not guarantee that messages will arrive in the order they are sent, if at all in which regard it is similar in intended usage to UDP. As such, it only requires the most basic underlying transmission method, such as UDP or TCP (TCP can be used, even though it does not preserve message boundaries, because the protocol itself will preserve those boundaries). The class of anonymity we aim for here is sender-recipient anonymity, where the mere fact that two peers are in communication is hidden from the rest of the group, and from outside observers. ANET is not intended to be a bulk data transfer protocol, as it is far too inefficient. It is, instead, meant to preserve as much anonymity as possible in the face of collaborating peers. Mixes [2] is perhaps the oldest notion of anonymous communication using public-key cryptography, and a number of modern protocols can be thought of as descendants of this. Onion routing [5] is an example: it gets its name from the layers of encryption applied to messages when they are routed, and how a layer is removed on every hop. These protocols aim to establish sender anonymity, where the server has no information about who is making the request. Crowds [4] is possibly the protocol that most resembles the present one; crowds relies on the same assumptions as ANET for its security that two peers can create a private channel between them by becoming lost in the noise 1

of a crowd: here, a network of peers. Crowds is interesting because it has amongst its design goals reasonable performance for web transactions. Six/Four [3] is another anonymizing, general-purpose network protocol, whose primary goal is to use such a network to provide citizens of states (China being the typical example) access to information that the local censorship policy would normally prevent access to. Notable features of six/four is its attempts at masking the existence of the network, by making nodes appear to be web servers using the HTTPS protocol; the primary disadvantage of six/four is its reliance on trusted peers, which make the system much more vulnerable to attack and censorship than it could otherwise be. 2 Informal Description of the Protocol Each peer is identified by a triplet in the system: a public RSA key, an internet address (in this version, an IPv4 address and a port number), and a 16-byte identifier. Each message is encoded in a packet, which has the following structure: uint16 byte[16] byte[16] uint16 byte[n] time-to-live last-hop nonce payload-length (n) payload The general algorithm each peer uses when receiving a packet is: AnetReceive() 1 while true 2 do (packet, source-address) ReadDatagram() 3 if packet. ttl > 0 4 then packet. ttl packet. ttl 1 5 next-hop = {Peers {packet. last-hop} {source-address}} R 6 packet. last-hop source-address 7 SendDatagram(next-hop, packet) 8 MaybeDecrypt(packet. payload) 9 MaybeAssymmetricDecrypt(packet. payload) That is, whenever a packet is received, it is immediately forwarded to another random peer if the time-to-live field is nonzero; the packet will never be forwarded to either the previous peer, or the next-to-last peer. After the packet is forwarded, if its connection ID is that of the currently active connection, the payload is processed with the symmetric encryption and MAC key of the session; otherwise, an attempt is made to decrypt the payload with the private 2

RSA key. If the packet is a connection-request message, then the payload will have the following form, encrypted with the destination peer s public key: {N, A, B, pre-master-secret} P KB (1) N is the nonce in the enclosing packet, and A and B are the identifiers of the connector and connectee. Nothing else but the presence of a payload encrypted with the receiving peer s public key signifies a connection request. This payload establishes a connection between source-peer and dest-peer. Additionally, the payload for such messages will be padded with a random amount of random data (up to the limit of a packet size), to foil observations on the length of the packet in determining a connection request. Since the ciphertext in RSA is always based on the size of the key, the boundary between encrypted message and padding is implicit. If dest-peer accepts the connection, it generates four keys like so: K 0 SHA-256(pre-master-secret) K 1 SHA-256(K 0 ) K 2 SHA-256(K 1 ) K 3 SHA-256(K 2 ) And sends a reply message, encrypted with the public key of the source peer (N is again the nonce from the enclosing packet): {N, A, B} P KA (2) Otherwise, the payload is encrypted and authenticated with two of these four keys (the first two keys comprise the connecting peer s encryption and MAC keys; the last two the accepting peer s encryption and MAC keys). The payload will have the following format: C = AES-CTR(nonce, M, K E ) payload = {C, HMAC-SHA-256(C, K M )} Sending a packet to a peer, given the payload as constructed above, is a straightforward process: AnetSend(payload) 1 packet.payload payload 2 packet.ttl {512... 1024} R 3 last-hop {Peers} R 4 next-hop {Peers {last-hop}} R 5 SendDatagram(packet) 3

3 Security Analysis The goal of this protocol is to allow two peers to establish a secure connection with one another, without exposing to any of the other peers nor an outside observer the fact that these two peers are communicating with one another. We believe that we are on solid cryptographic ground here, except in proving the identity of the connecting peer. A further refinement to the protocol would be to introduce a digital signature created by the connecting peer in the connection attempt. However, our more immediate goal is to guarantee that the presence of a connection between two peers cannot be determined by other observers, within the network or without. Specific features of this protocol that try to provide this are: The random initial time-to-live. This is intended to make tracing the path of a packet back to its true source infeasible. Given that each path is between 512 and 1024 hops, and n peers in the network, the number of possible paths is 1024 i=512 (n 3) i We substract three because a peer never forwards a packet to itself, to the peer that immediately sent the packet, or to the peer two hops ago. This is not a computationally complex number, but still guarantees that it is not possible to say, within a reasonable degree, that two nodes were in communication. The policy of always forwarding messages to a new random peer, regardless of whether or not it has reached its destination already. This should help foil observational attacks where a packet is seen to be sent to a peer, but not forwarded because it was the final destination. The lack of identifying values sent in the clear. One thing we are sure we cannot accomplish with this (or indeed, perhaps any) protocol is perfect anonymity if a certain percentage of the peers in the network are corrupt that is, if a certain number of peers are collaborating to trace the communication of messages, they can trace messages between two peers with certainty. Reiter and Rubin are aware of this [4], and make the argument that within a certain limit, their protocol still achieves an adequate level of anonymity. Wright et al argue [6] that outside of these assumptions, attacks exist that can still undermine the anonymity of a number of protocols, typically with approximately polynomial complexity. What the present protocol aims to provide, through its complete rejection of path re-use, and using a completely random path for every message, is resistance to such analysis. 4

As Reiter and Rubin point out, a local eavesdropper that is, someone able to monitor all communications going into and out of a peer will be able to tell, with certainty, when a peer initiates a connection. ANET too is vulnerable to such observations, because even though most attributes of the packet sent are random, it is simple to observe that no packet with those attributes was received by a peer, but one was emitted. This attack could be foiled as well, if peers periodically, but at random intervals, send out dummy packets whose only purpose is to bounce around until they expire. 3.1 Trust We have not defined any notion of trust in this protocol. Our presumption in this initial version is that trust is established among the peers before they begin using the protocol that is, that each peer has the public keys of all the other peers, and that each peer has assigned a trust label to peers that he has confirmed the trust of. Thus, we follow roughly the PGP trust model, as peers must establish trust through different channels. 4 Reliability One possible cause for concern in this protocol is the definite possibility of messages being dropped as their time-to-live drops to zero. Aside from performance impact, this should not preclude the general use of this protocol. Given the rather large time-to-live range, most packets should reach their destination if the peer network is not overly large. We know that the probability of a packet reaching its destination after at most l hops through a network of n peers is: l ( 1 Pr(A l B) = 1 1 ) i 1 n 3 n 3 i=1 Which leads to a high likelihood that a packet will reach its destination before the packet is dropped (for example, given a network of 50 peers, the probability that the packet will reach its destination in at most 512 hops is greater than 99.9%). A definite problem with the current protocol is that duplicate packets are possible, as a packet might be forwarded to the same peer (who is also the recipient) more than once. This suggests that the time-to-live range should be chosen with care, and chosen to suit the number of peers. 5 Implementation and Conclusion We have presented a very simple protocol that we believe achieves anonymous connections between two peers with a high tolerance for collaborating peers in the network, with a low probability of packet loss, but at the expense of performance. 5

A better revision to the two-phase key exchange would be to adopt the model of OpenPGP [1] so that messages will be encrypted and authenticated on a per-peer basis, though using a symmetric key for an extended session is advantageous. The focus in this paper was on the routing layer, and it should be a simple task to adapt a scheme for privacy and authenticity to this routing layer. A basic implementation of this protocol is being written in Java. Unfortunately, at the time of this writing, it is still incomplete. The basic routing layer is in place, but it doesn t use the cryptographic operations described above. 6 Future Work An elegant alternative to the stateless random forwarding presented above would be a stateful forwarding that ensured that each packet would be sent to each peer exactly once. On receipt, each peer would insert its own identifier into a randomly-ordered set (each peer could even shuffle this set before sending it again), then forward the packet to a randomly-selected peer from that set. This solves many problems in ANET, namely that packets might arrive more than once, or not at all. Such a scheme requires a tightly-knit group of peers (adding or removing peers would not be trivial) but such a protocol does have some interesting properties, and is worthy of further study. References [1] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer. RFC 2440: OpenPGP Message Format. http://www.ietf.org/rfc/rfc2440.txt, 1998. [2] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonymns. Communications of the ACM, 24(2):84 88, 1981. [3] The Hacktivismo Group. The Six/Four System. http://www.hacktivismo. com/projects/. [4] Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for Web transactions. ACM Transactions on Information and System Security, 1(1):66 92, 1998. [5] P. F. Syverson, D. M. Goldschlag, and M. G. Reed. Anonymous connections and onion routing. In IEEE Symposium on Security and Privacy, pages 44 54, Oakland, California, 4 7 1997. [6] M. Wright, M. Adler, B. Levine, and C. Shields. An analysis of the degradation of anonymous protocols, 2001. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback