Building a Peer-to-Peer Anonymizing Network Layer
Michael J. Freedman
NYU Dept of Computer Science
mfreed@cs.nyu.edu
Public Design Workshop, September 13, 2002
http://pdos.lcs.mit.edu/tarzan/
The Grail of Anonymization
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
• Nobody knows who user is
Should we offer anonymity?

                                        Actions of user seeking anonymity
                                        Legal           Illegal
Method of observing     Legal           Yes             No (?)
user's identity         Illegal         Definitely!     ???
Our Vision for Anonymization
• Thousands of nodes participate
• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer
• All applications can use: IP layer
Alternative 1: Proxy Approach
[Figure: User → Proxy (e.g., Anonymizer.com) → destination]
• Intermediate node to proxy traffic
• Completely trust the proxy
Realistic Threat Model
• Corrupt proxy(s)
  • Adversary runs proxy(s)
  • Adversary targets proxy(s) and compromises, possibly adaptively
• Network links observed
  • Limited, localized network sniffing
  • Wide-spread (even global) eavesdropping
  • e.g., Carnivore, Chinese firewall, ISP search warrants
Failures of Proxy Approach
[Figure: User → Proxy → CNN, with CNN blocking connections from the proxy]
• Proxy reveals identity
• Traffic analysis is easy
• Adversary blocks access to proxy (DoS)
Alternative 2: Centralized Mixnet
[Figure: User → Relay → Relay → Relay → destination]
• MIX encoding creates encrypted tunnel of relays
• Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
• Cover traffic among relays hides data traffic
Examples: Onion Routing, Freedom (small-scale, static network)
Failures of Centralized Mixnet
[Figure: User → core relays → destination, with blocked and targeted relays marked]
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
• Cover traffic doesn't protect edges (n²)
Tarzan: Me Relay, You Relay
• Thousands of nodes participate
• Build tunnel over pseudorandom set of nodes
• Cover traffic covers edges
Compare Crowds: small-scale, not self-organizing, not a mixnet, no cover
Benefits of Peer-to-Peer Design
• CNN cannot block everybody
• Adversary cannot target everybody
• Global eavesdropping gains little info
• No network edge to analyze:
  • First hop does not know he's first
Managing Peers
• Requires a mechanism that
  • Discovers peers
  • Scalable
  • Robust against adversaries
Adversaries Can Join System
• Adversary can join more than once
  • Stop it from spoofing addresses outside of control?
  • Contact peers directly to
    • Validate IP address
    • Learn public key
Adversaries Can Join System
• Adversary can join more than once
  • Can control many addresses on each subnet!
  • Randomly select nodes by subnet "domain", not IP address
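The point of selecting by subnet "domain" is that an adversary who fills one subnet with addresses should not gain a proportional share of selections. The following added example (not code from the talk or from Tarzan) makes that concrete: it groups a constructed peer list by domain, picks a domain first and a peer inside it second, and computes how much of the selection probability an adversary captures under each rule. The /16 domain granularity, the function names and the sample addresses are assumptions for this example; the slide only states that selection is by subnet domain rather than by IP address.

```python
import ipaddress
import random
from collections import defaultdict
from fractions import Fraction


def domain(ip: str, prefix: int = 16) -> str:
    """Subnet 'domain' of an address. The /16 width is an assumption for this
    example; the slide only says selection is by domain, not by IP address."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def group_by_domain(peers):
    """Map each domain to the list of validated peer addresses inside it."""
    groups = defaultdict(list)
    for ip in peers:
        groups[domain(ip)].append(ip)
    return groups


def select_peer(peers, rng=random):
    """Domain-first selection: pick a domain uniformly, then a peer inside it."""
    groups = group_by_domain(peers)
    chosen = rng.choice(sorted(groups))
    return rng.choice(sorted(groups[chosen]))


def selection_share(peers, adversary):
    """Probability that a single selection lands on an adversary-controlled address.

    Returns (by_address, by_domain): the naive uniform choice over addresses
    versus the domain-first rule. Exact fractions, so the comparison is auditable."""
    adversary = set(adversary)
    by_address = Fraction(sum(ip in adversary for ip in peers), len(peers))
    groups = group_by_domain(peers)
    by_domain = Fraction(0)
    for members in groups.values():
        hostile = sum(ip in adversary for ip in members)
        by_domain += Fraction(1, len(groups)) * Fraction(hostile, len(members))
    return by_address, by_domain


# Constructed sample: three honest peers in three different /16s, and one
# adversary holding 100 addresses inside a single /24 (hence one /16 domain).
HONEST = ["10.1.0.5", "10.2.0.9", "10.3.0.7"]
ADVERSARY = [f"10.9.4.{i}" for i in range(1, 101)]
ALL_PEERS = HONEST + ADVERSARY

if __name__ == "__main__":
    by_address, by_domain = selection_share(ALL_PEERS, ADVERSARY)
    print(f"adversary share by address: {by_address}  by domain: {by_domain}")
    print("one domain-first pick:", select_peer(ALL_PEERS, random.Random(0)))
```

With 100 hostile addresses in one domain and 3 honest peers elsewhere, uniform selection over addresses hands the adversary about 97% of picks, while domain-first selection caps it at one quarter, the share of domains it actually occupies. The adversary can only grow its share by spreading across more domains, which is the cost the design wants to impose.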
Tarzan: Joining the System
1. Contacts known peers to learn neighbor lists
2. Validates each peer by directly pinging
Tarzan: Discovering Peers
3. Nodes pair-wise choose (verifiable) mimics
4. Mimics begin passing cover traffic
Tarzan: Discovering Peers
5. Building tunnel: iteratively selects peers and builds tunnel from among last hop's mimics
Tarzan: Building Tunnel
[Figure: User (real IP address) → tunnel → PNAT; tunnel private address mapped to public alias address]
5. Building tunnel:
  • Public-key encrypts tunnel info during setup
  • Maps flowid → session key, next-hop IP addr
Tarzan: Tunneling Data Traffic
[Figure: APP on User → IP layer → tunnel relays → destination, and back]
6. Reroutes packets over this tunnel
  • Diverts packets to tunnel source router
  • NATs to private address space 192.168.x.x
  • Layer encrypts packet
  • Encapsulates in UDP and forwards packet
  • Each relay strips off encryption, forwards to next hop
  • NATs again to public alias address
  • Reads IP headers and sends accordingly
  • Response repeats process in reverse
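Steps 5 and 6 together describe a layered-encryption tunnel: each relay holds a flowid → (session key, next hop) record, the user wraps a packet in one layer per hop, each relay strips its layer and forwards, the exit sees the plain packet, and the response is wrapped hop by hop on the way back. The following added example (not the talk's or Tarzan's code) simulates that data path in memory with three relays. It assumes the public-key setup exchange has already happened (the record is stored directly), uses an HMAC-SHA256 keystream XOR as a stand-in for a real cipher, and ignores the UDP encapsulation and NAT steps; the class and function names are invented for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

EXIT = "exit"      # marker for the last hop, which would NAT to its public alias and send on
FWD, BACK = 0, 1   # direction labels so the two directions never share keystream


def layer(key: bytes, flowid: int, direction: int, data: bytes) -> bytes:
    """Toy XOR stream cipher: keystream = HMAC-SHA256(key, flowid||direction||counter).
    Constructed for this example as a stand-in for a real cipher; applying it twice
    with the same key and labels removes the layer again."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        msg = struct.pack(">QBQ", flowid, direction, counter)
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    name: str
    table: dict = field(default_factory=dict)   # flowid -> (session key, next-hop name)

    def setup(self, flowid, session_key, next_hop):
        # In Tarzan this record arrives public-key encrypted to the relay during
        # tunnel setup; here that exchange is assumed done and the result stored.
        self.table[flowid] = (session_key, next_hop)

    def forward(self, flowid, data):
        key, next_hop = self.table[flowid]
        return next_hop, layer(key, flowid, FWD, data)   # strip this relay's layer

    def backward(self, flowid, data):
        key, _ = self.table[flowid]
        return layer(key, flowid, BACK, data)            # add this relay's layer on the way back


class Client:
    def __init__(self, hops):
        self.hops = hops
        self.flowid = int.from_bytes(os.urandom(4), "big")
        self.keys = [os.urandom(32) for _ in hops]       # one session key per hop
        for i, (relay, key) in enumerate(zip(hops, self.keys)):
            next_hop = hops[i + 1].name if i + 1 < len(hops) else EXIT
            relay.setup(self.flowid, key, next_hop)

    def wrap(self, packet):
        data = packet
        for key in reversed(self.keys):   # innermost layer belongs to the last hop
            data = layer(key, self.flowid, FWD, data)
        return data

    def unwrap(self, data):
        for key in self.keys:             # first hop's layer is outermost on the return path
            data = layer(key, self.flowid, BACK, data)
        return data


def run_tunnel(hops, packet, reply):
    """Push `packet` through the tunnel and `reply` back. Returns what the exit saw,
    what the client recovered, and the bytes visible on each inter-relay link."""
    by_name = {r.name: r for r in hops}
    client = Client(hops)
    links = []
    data = client.wrap(packet)
    relay = hops[0]
    while True:
        next_hop, data = relay.forward(client.flowid, data)
        if next_hop == EXIT:
            break
        links.append(data)                # an eavesdropper on this link sees only ciphertext
        relay = by_name[next_hop]
    exit_view = data                      # the plain packet the exit would NAT and send
    data = reply
    for relay in reversed(hops):          # response repeats the process in reverse
        data = relay.backward(client.flowid, data)
    return exit_view, client.unwrap(data), links


if __name__ == "__main__":
    hops = [Relay("A"), Relay("B"), Relay("C")]
    exit_view, got, links = run_tunnel(hops, b"GET / HTTP/1.0", b"HTTP/1.0 200 OK")
    print(exit_view, got, [l.hex()[:8] for l in links])
```

Two properties of the slides are visible in the output: no intermediate link carries the plaintext packet, and each relay's table lets it route on flowid alone without knowing which hop it is in the tunnel, which is what makes the first hop unable to tell that it is first.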
Tarzan: Tunneling Data Traffic
[Figure: Oblivious User → tunnel → tunnel → Server]
• Transparently supports anonymous servers
• Can build double-blinded channels
Summary
• Gain anonymity:
  • Peer-to-peer: scalable, decentralized, secure
  • Cover traffic over mimics
  • Transparent IP-layer anonymization
• Towards a critical mass of users
More information: http://pdos.lcs.mit.edu/tarzan/