1 / 83

Modeling and Analysis of Anonymous-Communication Systems

This paper explores the concept of anonymity in communication, discusses different anonymity systems, and presents the theory and practice of Onion Routing. It provides a comprehensive analysis of mix networks and their provable anonymity.

clarkt
Download Presentation

Modeling and Analysis of Anonymous-Communication Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum http://www.cs.yale.edu/homes/jf WITS’08; Princeton NJ; June 18, 2008 Acknowledgement: Aaron Johnson

  2. Outline • Anonymity: What and why • Examples of anonymity systems • Theory: Definition and proof • Practice: Onion Routing • Theory meets practice

  3. Anonymity: What and Why • The adversary cannot tell who is communicating with whom. Not the same as confidentiality (and hence not solved by encryption). • Pro: Facilitates communication by whistle blowers, political dissidents, members of 12-step programs, etc. • Con: Inhibits accountability

  4. Outline • Anonymity: What and why • Examples of anonymity systems • Theory: Definition and proof • Practice: Onion Routing • Theory meets practice

  5. Anonymity Systems • Remailers / Mix Networks • anon.penet.fi • MixMaster • Mixminion • Low-latency communication • Anonymous proxies, anonymizer.net • Freedom • Tor • JAP • Data Publishing • FreeNet

  6. Mix Networks • First outlined by Chaum in 1981 • Provide anonymous communication • High latency • Message-based (“message-oriented”) • One-way or two-way

  7. Mix Networks Users Mixes Destinations

  8. Adversary Mix Networks Users Mixes Destinations

  9. Adversary Mix Networks Users Mixes Destinations Protocol

  10. Adversary Mix Networks u d M1 M2 M3 Users Mixes Destinations Protocol • User selects a sequence of mixes and a destination.

  11. Adversary Mix Networks u d M1 M2 M3 Users Mixes Destinations Protocol • User selects a sequence of mixes and a destination. • Onion-encrypt the message.

  12. Adversary Mix Networks u d M1 M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  13. Adversary Mix Networks {{{,d}M3,M3}M2,M2}M1 u d M1 M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  14. Adversary Mix Networks {{{,d}M3,M3}M2,M2}M1 u d M1 M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Send the message, removing a layer of encryption at each mix. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  15. Adversary Mix Networks {{,d}M3,M3}M2 u d M1 M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Send the message, removing a layer of encryption at each mix. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  16. Adversary Mix Networks u d M1 {,d}M3 M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Send the message, removing a layer of encryption at each mix. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  17. Adversary Mix Networks u d M1  M2 M3 Users Mixes Destinations Protocol Onion Encrypt • User selects a sequence of mixes and a destination. • Onion-encrypt the message. • Send the message, removing a layer of encryption at each mix. • Proceed in reverse order of the user’s path. • Encrypt (message, next hop) with the public key of the mix.

  18. Adversary Mix Networks u d Users Mixes Destinations • Anonymity? • No one mix knows both source and destination.

  19. Adversary Mix Networks u d v f Users Mixes Destinations • Anonymity? • No one mix knows both source and destination. • Adversary cannot follow multiple messages through the same mix.

  20. Adversary Mix Networks u d v e w f Users Mixes Destinations • Anonymity? • No one mix knows both source and destination. • Adversary cannot follow multiple messages through the same mix. • More users provides more anonymity.

  21. Outline • Anonymity: What and why • Examples of anonymity systems • Theory: Definition and proof • Practice: Onion Routing • Theory meets practice

  22. Provable Anonymity in Mix Networks Setting • N users • Passive, local adversary • Adversary observes some of the mixes and the links. • Fraction f of links are not observed by adversary. • Users and mixes are roughly synchronized. • Users choose mixes uniformly at random.

  23. Provable Anonymity in Mix Networks Definition • Users should be unlinkable to their destinations. • Let  be a random permutation that maps users to destinations. • Let C be the traffic matrix observed by the adversary during the protocol. Cei = # of messages on link e in round i 1 2 3 4 5 e1 1 0 0 1 1 e2 0 1 1 0 0

  24. Provable Anonymity in Mix Networks Information-theory background • Use information theory to quantify information gain from observing C. • H(X) = x -Pr[X=x] log(Pr[X=x]) is the entropy of r.v. X • I(X : Y) is the mutual information between X and Y. • I(X : Y) = H(X) – H(X | Y) = x,y -Pr[X=xY=y] log(Pr[X=xY=y])

  25. Provable Anonymity in Synchronous Protocols Definition: The protocol is (N)-unlinkable if I(C : )  (N). Definition: An (N)-unlinkable protocol is efficient if: 1. It takes T(N) = O(polylog(N/(N))) rounds. 2. It uses O(NT(N)) messages. Theorem (Berman, Fiat, and Ta-Shma, 2004): The basic mixnet protocol is (N)-unlinkable and efficient whenT(N) = (log(N) log2(N/(N))).

  26. Outline • Anonymity: What and why • Examples of anonymity systems • Theory: Definition and proof • Practice: Onion Routing • Theory meets practice

  27. Onion Routing [GRS’96] • Practical design with low latency and overhead • Connection-oriented, two-way communication • Open source implementation (http://tor.eff.org) • Over 1000 volunteer routers • Estimated 200,000 users

  28. How Onion Routing Works 1 2 u d 3 5 User u running client Internet destinationd 4 Routers running servers

  29. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.).

  30. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.).

  31. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.).

  32. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d.

  33. How Onion Routing Works {{{}3}4}1 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  34. How Onion Routing Works 1 2 u d 3 5 {{}3}4 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  35. How Onion Routing Works 1 2 u d 3 5 {}3 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  36. How Onion Routing Works 1 2 u  d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  37. How Onion Routing Works 1 2 u d ’ 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  38. How Onion Routing Works 1 2 u d 3 5 4 {’}3 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  39. How Onion Routing Works 1 2 u {{’}3}4 d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  40. How Onion Routing Works 1 2 {{{’}3}4}1 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged.

  41. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged. • Stream is closed.

  42. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers (u.a.r.). • u opens a stream in the circuit to d. • Data are exchanged. • Stream is closed. • Circuit is changed every few minutes.

  43. Adversary 1 2 u d 3 5 4 Active & Local

  44. Outline • Anonymity: What and why • Examples of anonymity systems • Theory: Definition and proof • Practice: Onion Routing • Theory meets practice

  45. Formal Analysis(F., Johnson, and Syverson, 2007) u 1 2 d v e 3 5 4 w f Timing attacks result in four cases:

  46. Formal Analysis(F., Johnson, and Syverson, 2007) u 1 2 d v e 3 5 4 w f Timing attacks result in four cases: • First router compromised

  47. Formal Analysis(F., Johnson, and Syverson, 2007) u 1 2 d v e 3 5 4 w f Timing attacks result in four cases: • First router compromised • Last router compromised

  48. Formal Analysis(F., Johnson, and Syverson, 2007) u 1 2 d v e 3 5 4 w f Timing attacks result in four cases: • First router compromised • Last router compromised • First and last compromised

  49. Formal Analysis(F., Johnson, and Syverson, 2007) u 1 2 d v e 3 5 4 w f Timing attacks result in four cases: • First router compromised • Last router compromised • First and last compromised • Neither first nor last compromised

  50. Black-Box, Onion-Routing Model Let U be the set of users. Let  be the set of destinations. Let the adversary control a fraction b of the routers. Configuration C • User destinations CD : U • Observed inputs CI : U{0,1} • Observed outputs CO : U{0,1} Let X be a random configuration such that: Pr[X=C] = u [puCD(u)][bCI(u)(1-b)1-CI(u)][bCO(u)(1-b)1-CO(u)]

More Related