BianFu: Providing Guaranteed Anonymity Using Token Ring Routing. Matt Spear David Evans
信息論匿名 XìnXī Lùn NìMíng (Information Theoretical Anonymity)
• Provides a method that defines anonymity concretely using entropy methods from information theory (IT).
• Defines nodes as one of:
  • Senders: the nodes who send or have the ability to send messages
  • Receivers: the nodes who receive the messages (passive, or active if they reply)
  • Mixes: take a message as input and output a message that cannot be correlated with the original message
信息論匿名 XìnXī Lùn NìMíng (Information Theoretical Anonymity)
• Defines attackers as:
  • Internal/External: an internal attacker controls the actions of one or more nodes; an external attacker can only compromise communication channels
  • Passive/Active: a passive attacker can only listen to messages and cannot modify, add, or remove them; otherwise he is active
  • Local/Global: a global attacker has access to all channels of the network; local attackers have access to part of the network
信息論匿名 XìnXī Lùn NìMíng (Information Theoretical Anonymity)
• Degree of Anonymity:
  • Let , i.e. the probability that node i sent the message.
  • Define the entropy associated with the set.
  • Define the maximum anonymity as
  • The degree of anonymity is then
    Trivially for one user d 0, and for perfect anonymity d lg(N)
人群 RénQún (Crowds)
• System to give anonymity by being “a member of a crowd”
• The message is forwarded through random nodes
• On receiving a message, a node forwards it to the destination with probability (1 – pf) and to another node with probability pf
• Attacker is assumed to be Internal/Passive/Local
• Assume N nodes and C corrupt nodes (C < N - 2)
人群 RénQún (Crowds)
[Figure: eight nodes, (0) to (7), arranged in a circle]
• Node 0 ((0)) sends a message to (blue):
  • (0) chooses randomly a node to forward to (3).
  • (3) flips its biased coin and forwards to (7)
  • (7) flips its biased coin and forwards to (5)
  • (5) flips its biased coin and forwards to (blue)
人群 RénQún (Crowds)
• The maximum anonymity is: HM = lg(N - C)
• Probability assigned to predecessor of first node in C is:
• Probability to other nodes not in C is:
• Therefore H(X) is:
• d maximally equals 1 iff the message passes through no nodes in C; otherwise it depends on C, N and pf. See [2] for graphs.
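The entropy-based degree of anonymity and its Crowds instance, as an added Python example that is not part of the original slides. The two Crowds probabilities are missing from the slide text, so the code uses the expressions given in Diaz et al. [2], with d normalised as H(X)/H_M; the function names are chosen here.

```python
import math

def entropy(probs):
    """Shannon entropy H(X), in bits, of the attacker's distribution over senders."""
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probs if p > 0)

def degree_of_anonymity(probs):
    """d = H(X) / H_M, where H_M = lg(number of candidate senders)."""
    if len(probs) < 2:
        return 0.0          # a single candidate sender has no anonymity
    return entropy(probs) / math.log2(len(probs))

def crowds_distribution(n, c, pf):
    """Attacker's view once a corrupt node sees the message (per Diaz et al. [2]).

    The predecessor of the first corrupt node gets 1 - pf*(N-C-1)/N and
    each of the other N-C-1 honest nodes gets pf/N.
    """
    if not 1 <= c < n - 2:
        raise ValueError("need 1 <= C < N - 2")
    if not 0.0 < pf < 1.0:
        raise ValueError("pf must lie strictly between 0 and 1")
    honest = n - c
    p_pred = 1 - pf * (honest - 1) / n
    return [p_pred] + [pf / n] * (honest - 1)

def crowds_degree(n, c, pf):
    """Degree of anonymity of Crowds for N nodes, C corrupt nodes, forward prob. pf."""
    return degree_of_anonymity(crowds_distribution(n, c, pf))

if __name__ == "__main__":
    # Constructed sample: N = 10, varying C and pf.
    for c in (1, 3, 5):
        print(c, [round(crowds_degree(10, c, pf), 3) for pf in (0.5, 0.75, 0.9)])
```

The predecessor always carries more probability than any other honest node, so d stays below 1 whenever a corrupt node is on the path, and it falls as C grows or pf shrinks.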
進餐譯解密碼者 JìnCān YìJiěMìMǎZhě (Dining Cryptographers)
• A method to guarantee sender and receiver anonymity
• Kind of like the Dining Philosophers: given N cryptographers sitting at a table, one wishes to pay without revealing who is paying, against any attacker
• Is impractical, as the number of bits required to send a single bit anonymously grows linearly with N
進餐譯解密碼者 JìnCān YìJiěMìMǎZhě (Dining Cryptographers)
• 3 Player DC description:
  • Each node chooses a random bit and reveals it securely to his left neighbor (so that no others see the bit)
  • Each diner announces the XOR of their bits
  • The diner that is paying lies and announces the XNOR of the bits
  • Nobody can tell who is paying, only that one of the two others is paying
進餐譯解密碼者 JìnCān YìJiěMìMǎZhě (Dining Cryptographers)
[Figure: the diners and the bits they exchange and announce; the last two builds mark one diner as “Payer”]
• From FBI’s View:
  • FBI reveals 1 to Jefferson
  • FBI sees 1 from Washington
  • FBI cannot tell who is lying without seeing shared secret coin flip
進餐譯解密碼者 JìnCān YìJiěMìMǎZhě (Dining Cryptographers)
• Generalizable to N diners
• Problems:
  • Requires pairwise secure channels between all users
  • Requires many messages to be exchanged
  • Requires secure RNG for the bits
• The degree of anonymity is trivially 1 as long as C < N - 2
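One round of the protocol described above, generalised from 3 to N diners on a ring, as an added Python example that is not part of the original slides. The function names and the index convention (diner i reveals its bit to diner i+1) are assumptions made here; `possible_payers` enumerates every coin assignment that one diner cannot see and lists the payers that remain consistent with what it observed.

```python
import secrets
from itertools import product

def dc_round(n, payer, coins):
    """Announcements for one round. coins[i] is diner i's secret bit, which it
    also reveals to its left neighbour (i + 1) % n. payer is an index or None."""
    ann = []
    for i in range(n):
        bit = coins[i] ^ coins[(i - 1) % n]   # XOR of own bit and the bit received
        if i == payer:
            bit ^= 1                          # the payer lies (announces the XNOR)
        ann.append(bit)
    return ann

def someone_paid(ann):
    """Each coin appears in exactly two announcements, so the coins cancel and
    the XOR of all announcements is 1 iff exactly one diner lied."""
    parity = 0
    for bit in ann:
        parity ^= bit
    return parity == 1

def possible_payers(n, ann, observer, coins):
    """Diners the observer cannot rule out, given all announcements and the two
    coins it holds: its own and the one revealed to it by its neighbour."""
    prev = (observer - 1) % n
    known = {observer: coins[observer], prev: coins[prev]}
    unknown = [i for i in range(n) if i not in known]
    suspects = set()
    for guess in product((0, 1), repeat=len(unknown)):
        trial = {**known, **dict(zip(unknown, guess))}
        world = [trial[i] for i in range(n)]
        for p in range(n):
            if p != observer and dc_round(n, p, world) == ann:
                suspects.add(p)
    return sorted(suspects)

if __name__ == "__main__":
    n = 3
    coins = [secrets.randbits(1) for _ in range(n)]   # constructed sample round
    ann = dc_round(n, payer=1, coins=coins)
    print(ann, someone_paid(ann), possible_payers(n, ann, 0, coins))
```

For three diners the observer at index 0 always ends up with both other diners as suspects, which is the slide's "only that one of the two others is paying".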
令牌环 Lìng Pái Huán (Token Ring)
[Figure: eight nodes, (0) to (7), arranged in a ring]
• r tokens exist on a ring
• A node can add a message to a token iff it is empty
• The tokens are passed from (0) → … → (7) → (0)
• Advantages: a global attacker cannot tell the initiator of a message; all nodes do the same amount of work
单蝙蝠 Dān BiānFú (Single BianFu)
• Arrange nodes into a token ring such that each node has a symmetric key (SK) with its predecessor and successor and knows all other nodes’ public key (PK).
• To send a message, a node encrypts the message with the receiver’s PK and adds it to the token.
• Each node decrypts the token and determines if there is a message (if it is addressed to them)
• As all messages are encrypted, and an encryption looks like a random string, no node can tell if there is a message unless it is addressed to them
单蝙蝠 Dān BiānFú (Single BianFu)
[Figure: eight nodes, (0) to (7), arranged in a ring; the token is labelled “Random” at first, then E2(M), then M at (2)]
• (0) Sends a message to (2):
  • (0) Creates message E2(M)
  • (0) Adds message E1(E2(M)) to token
  • (1) Sees E2(M) and has no messages so forwards the token (E2(E2(M)))
  • (2) Sees E2(M) and tries its PK and sees M but has no idea who sent it.
单蝙蝠 Dān BiānFú (Single BianFu)
• A global passive eavesdropper cannot tell whether there is a message and therefore cannot tell who initiated a message, i.e. d HM 1
• A local passive eavesdropper has no knowledge of who initiated a message, as it is equally likely to have come from any node (pi = 1/N); again d = 1
• A global internal attacker has the same knowledge as a local passive eavesdropper.
• Simple concept yielding perfect anonymity
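A single-ring pass in code, as an added Python example that is not from the original slides or the authors' implementation. It assumes a 64-byte token and replaces the receiver's PK encryption with a toy keyed cipher built from SHA-256 and HMAC (demo only); the per-hop SK layer between neighbours is left out. It shows the two properties the slides rely on: a filled token has the same size and shape as an empty, random one, and only the addressee's trial decryption succeeds.

```python
import hashlib, hmac, os

SLOT, NONCE, TAG = 64, 16, 16          # token layout in bytes (assumed values)
BODY = SLOT - NONCE - TAG - 1          # usable message bytes per token

def _stream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode (demo only, not a vetted cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Stand-in for E_dest(M): returns exactly SLOT bytes, nonce | ct | tag."""
    if len(msg) > BODY:
        raise ValueError("message does not fit in one token")
    plain = bytes([len(msg)]) + msg.ljust(BODY, b"\0")
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key + b"enc", nonce, len(plain))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()[:TAG]
    return nonce + ct + tag

def try_open(key, slot):
    """Trial decryption: the message if the token is addressed to key, else None."""
    nonce, ct, tag = slot[:NONCE], slot[NONCE:-TAG], slot[-TAG:]
    want = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, want):
        return None                    # random filler or someone else's message
    plain = bytes(a ^ b for a, b in zip(ct, _stream(key + b"enc", nonce, len(ct))))
    return plain[1:1 + plain[0]]

def run_ring(n, sender=None, dest=None, msg=b""):
    """Pass one token once around an n-node ring; return (token, deliveries)."""
    keys = [os.urandom(32) for _ in range(n)]   # one key per node (PK stand-in)
    token = os.urandom(SLOT)           # an empty token is just random bytes
    if sender is not None:
        token = seal(keys[dest], msg)  # same length as an empty token
    start = sender or 0
    deliveries = {}
    for hop in range(1, n):            # every other node trial-decrypts, then forwards
        node = (start + hop) % n
        found = try_open(keys[node], token)
        if found is not None:
            deliveries[node] = found
    return token, deliveries
```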
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
• Problems with simple 单蝙蝠:
  • Collisions grow exponentially with N: (1 - p_addMsg)^(N/2)
  • Adding a mechanism to support replies requires either sacrificing Sender anonymity against the receiver or generating a random SK (latter is not a big problem)
  • Delay grows linearly with N (i.e. the average length is N/2 and for large N this is impractical)
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
• Keep the individual rings small by having multiple rings that are a small fixed size (X nodes/ring)
• Disable collisions by reserving a bucket for each node in the token (sender-segregated), i.e. [(0),(1),…,(X)]
• Arrange each node to belong to k of these rings
• All nodes know the PK of all other nodes and the shortest path to any node, and share an SK with the nodes in their ring
• Each ring has r tokens
• Connecting nodes relay messages between rings
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
• To send a message, a node encrypts, with the SK, the destination ring of the final node together with the PK-encrypted message: Ei(a,Ed(M)).
• Nodes receiving a message containing a forward address look up the path to the destination and forward the message, encrypting it with SK if needed
• The receiver will have no knowledge of the sender if the path length (L) is greater than or equal to 2
• SK for small rings is preferable due to the high cost of PK operations
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
• To allow the receiver to reply to the sender, the sender simply includes a one-time-use SK: EDest(Rid,SKInit,Dest,M)
• The sender must be sure to use the same ring id for each message to the receiver, otherwise it will decrease its entropy (anonymity)
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
[Figure: nodes (0) to (8) arranged in two rings, A and B; the token shown in ring A carries E4(B,E5(A,SK5,2,M)) and the token shown in ring B carries E5(A,SK5,2,M)]
• (1) wishes to send a message to (5):
  • (1) Creates a message E4(B,E5(A,SK5,1,M))
  • (1) Adds it to the token and forwards it
  • (2) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares
  • (2) Forwards the token
  • (3) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares
  • (3) Forwards the token
  • (4) Sees there is a “route” message and forwards it to ring B (as B is the destination, (4) doesn’t encrypt with SK)
  • (4) Adds the message to the token for B
  • (4) Forwards the token
  • (5) Receives the token and checks for messages using its PK
  • (5) Receives M, the initiating ring id, and the SK it shares with (2), without knowing whom it shares it with
倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)
• d = 1 if C < k (X - 1), otherwise d = 0!
• Say (i) receives the token from (i-1) and (i) somehow knows there is a message (he can be in communication with the final recipient). As (i-1) belongs to k rings, (i-1) could be forwarding a message from any of the k rings that it belongs to. Each node, as in 单蝙蝠, has a probability of 1/(N-C), as it is impossible for any node other than (i-1) to know whether (i-1) is forwarding a message or initiating his own.
締結 DìJié (Conclusion)
• 蝙蝠 has the benefits of DC-Net (i.e. guaranteed perfect anonymity) with a much lower cost of operation
• Has the same requirement as in Crowds that the “route” should be constant (i.e. the ring id the node uses for its messages should be constant)
• Am working on a network simulator to provide some test data
问题吗 (Questions?)
References
[1] Andrei Serjantov, George Danezis. Towards an Information Theoretic Metric for Anonymity.
[2] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity.
[3] Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for Web transactions.
[4] David Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability.