Anonymity without Sacrificing Performance
Enhanced Nymble System with Distributed Architecture
CS 858 Project Presentation
Omid Ardakanian* Nam Pham*
*David R. Cheriton School of Computer Science, University of Waterloo
Outline
• Introduction
• Review of Nymble
• New goals
• Ring Signature for dummies!
• Proposed Solution
  • Distributed Pseudonym Manager
  • Distributed Nymble Manager
• Analysis
• Future Work
• Summary
Nymble Weaknesses
• Collusion between NM and PM
  • De-anonymizes the network
  • Reveals user behavior
• TTPs are a single point of failure
• Scalability problem
Related Work
• BLacklistable Anonymous Credential (BLAC)
  • Pros: Eliminates the reliance on TTPs
  • Cons: Suffers from a severe bottleneck on the Service Provider side
• PEREA
  • Pros: Computation is linear in the size of the blacklist
  • Cons: Performance is still a problem
New goals
• Maintaining security properties of original Nymble Design
  • Mis-authentication resistance
  • Blacklistability
  • Anonymity and Non-frameability
• Enhancements
  • Unconditional Anonymity
  • Scalability & Robustness
Proposed Solutions
• Consists of two main parts:
  • Distributing Pseudonym Manager
  • Distributing Nymble Manager
Ring Signature
• By Rivest, Shamir and Tauman
• A group member can sign a message on behalf of the group without revealing her identity.
• Ring signature is created on demand!
• No setup procedure or agreement
Distributing Pseudonym Manager
• Previously
• Motivation
  If a pseudonym can represent an IP, why don’t we use it recursively?
[Diagram labels: IP address, PM, pnym, User]
Round 1
• Alice
  • Chooses a random index i
  • Connects to PM_i directly with her IP_A
  • Requests a pseudonym for the next round
[Diagram labels: IP_A, PM_i, PM_1, PM_2, PM_n, Alice]
Round 1 (cont’d)
• PM_i
  • Generates a codename for Alice
  • Signs using a ring signature scheme
  • Informs all other PMs “IP_A has been issued a pseudonym in round 1”
[Diagram labels: IP_A, PM_j, PM_1, PM_2, PM_n, Alice]
Round 1 (cont’d)
• PM_i
  • Waits for Acknowledgements from other PMs
  • Sends ‘codename’ back to Alice
[Diagram labels: Ack, IP_A, Codename + Ack, PM_i, PM_1, PM_2, PM_n, Alice]
Round 2
• Alice
  • Chooses another random index j
  • Connects to PM_j anonymously using Tor
  • Requests a pseudonym to connect to NM
[Diagram labels: codename, PM_j, PM_1, PM_2, PM_n, Somebody]
Round 2 (cont’d)
• PM_j
  • Verifies the validity of <codename, signature>
  • Creates a pnym for that ‘somebody’
  • Signs pnym using a ring signature scheme
  • Informs all other PMs: “The guy with ‘codename’ has been issued a pseudonym in round 2”
[Diagram labels: codename, PM_j, PM_1, PM_2, PM_n, Somebody]
Round 2 (cont’d)
• PM_j
  • Waits for Acknowledgement from other PMs
  • Sends <pnym, signature> back to the user
[Diagram labels: Ack, pnym, PM_j, PM_1, PM_2, PM_n, Somebody]
Aspects of DPM
• Alice’s IP address is protected by one more security level
• It’s not feasible for Alice to obtain more than one pseudonym with her IP
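An added sketch of the two-round issuance described above (not code from the presentation): a PM refuses a second codename for the same IP in round 1 and a second pnym for the same codename in round 2, and each token carries a ring signature that verifies against the whole PM ring without showing which PM signed. Assumptions: a Schnorr-style (Abe-Ohkubo-Suzuki) ring signature stands in for the Rivest-Shamir-Tauman scheme the slides cite, the group is toy-size, a shared set stands in for the inform/acknowledge messages, and `PMNetwork`, `round1`, `round2` and the `codename:`/`pnym:` prefixes are hypothetical names.

```python
import hashlib, secrets

# Toy group (assumption, not production-size): modulus 2^127-1, exponents mod P-1.
P, G, N = 2**127 - 1, 3, 2**127 - 2

def H(msg, point):
    digest = hashlib.sha256(msg + point.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N

def ring_sign(msg, ring, signer, x):
    """Close the hash ring with the one private key x the signer holds."""
    n, k = len(ring), secrets.randbelow(N - 1) + 1
    e, s = [0] * n, [0] * n
    i = (signer + 1) % n
    e[i] = H(msg, pow(G, k, P))
    while i != signer:                      # simulate every other ring member
        s[i] = secrets.randbelow(N)
        e[(i + 1) % n] = H(msg, pow(G, s[i], P) * pow(ring[i], e[i], P) % P)
        i = (i + 1) % n
    s[signer] = (k - x * e[signer]) % N     # the only step that needs a private key
    return e[0], s

def ring_verify(msg, ring, sig):
    e0, s = sig
    e = e0
    for y, si in zip(ring, s):              # walk the ring once, in public-key order
        e = H(msg, pow(G, si, P) * pow(y, e, P) % P)
    return e == e0 and len(s) == len(ring)

class PMNetwork:   # hypothetical model: inform/ack is a ledger all PMs share
    def __init__(self, n):
        self.secret = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
        self.ring = [pow(G, x, P) for x in self.secret]
        self.issued = set()                 # (round, subject) pairs already served

    def _issue(self, pm, rnd, subject, label):
        if (rnd, subject) in self.issued:
            return None                     # refuse a second token in this round
        self.issued.add((rnd, subject))     # stands for inform + acknowledgements
        token = label + secrets.token_hex(8).encode()
        return token, ring_sign(token, self.ring, pm, self.secret[pm])

    def round1(self, pm, ip):               # direct connection: the PM sees the IP
        return self._issue(pm, 1, ip.encode(), b"codename:")

    def round2(self, pm, codename, sig):    # anonymous connection: PM sees a codename
        if not (codename.startswith(b"codename:") and ring_verify(codename, self.ring, sig)):
            return None
        return self._issue(pm, 2, codename, b"pnym:")
```

The signature returned by `round1` or `round2` has the same shape whichever PM index produced it, which is why the round-2 PM can validate a codename without learning which PM saw the user's IP.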
Distributing NM
[Diagram labels: PM_i, PM_j, Pseudonym acquisition, Codename acquisition, NM, NymbleTicket acquisition]
Distributing NM
[Diagram labels: Service Provider, Server Authentication]
Distributing NM
[Diagram labels: Service Provider, Linking Token Extraction, NM’, NM]
Distributing NM (cont’d)
• Seed: H_{khk_N}(pnym, sid, w)
• How should we generate the seed?
  • S1: Ask another NM to create the hash of the server id with its own key
    • Seed will not be unique
  • S2: Ask another NM to create the hash of the server id with the shared key
    • Vulnerable to a brute-force attack
Analysis
• Our Solution:
  • Provides collusion prevention without eliminating TTPs
  • No proof generation and proof verification needed
  • Better performance than BLAC and PEREA
  • Decreases the number of required signatures
  • Eliminates unnecessary key sharing
  • Makes use of an efficient ring signature scheme with efficient size
Future Work
• Dynamic Forgiveness
• Multiple Rounds for Pseudonym Registration
• Optimal Ring Signature
• Experimental Analysis
Summary
• We introduced an anonymous blocking system based on Nymble
  • Using a distributed TTP architecture
  • With a collusion-resistance feature
  • With lower computation cost
  • With increased usability