200 likes | 319 Views
How Much Anonymity does Network Latency Leak?. Paper by: Nicholas Hopper, Eugene Vasserman , Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
E N D
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011
Goal of every anonymous communication scheme is to allow users to communicate while concealing information about who communicates with whom.
The Idea • Chaum proposed sending messages through a “Mix server” that mixes together messages from several senders before forwarding these messages to their destinations, concealing relationship between sender and receiver. • There are many schemes, yet all rely on “mixing” relays.
High-latency • Like Mixmaster and Mixminion • Deliver messages at a significant delay • Schemes implement countermeasures that increase delay • Pool Mixing • Consume Bandwidth • Cover Traffic
Low-Latency • Like Tor, I2P, AN.ON, Crowds, Anonymizer.com • Commercial proxy aggregators • Allows anonymous use of application services • Remote login and web browsing • Reduced anonymity guaranteed • Security against “local” adversary
Malicious servers acting as local adversaries can observe the network latency of a connection made over a Tor circuit • 3 experiments that measure the extent to which this information leakage compromises the anonymity of clients using a low-latency anonymity scheme • Analysis of noise-free anonymity leakage • A passive linkability attack • An active client-identification attack
Quick overview of Tor • Low-latency, bandwidth-efficient, anonymizing layer for TCP streams • With use of at least 3 nodes, no node knows the identities of both communicating parties
Latency without Noise • Anonymity circuit imposed no delay at all • Difference between connecting to a server normally and over the anonymity service is in the latter, the client’s IP address is missing • Best possible case for an attack based solely on Round-Trip Time (RTT) information. • Analyzed on MIT King Data Set and PlanetLab systems
Circuit Linking via Latency • 2 colluding servers both accept connections from the same exit node • The 2 servers try to determine whether they are communicating with different clients or the same client.
Are they the same? • The servers have to calculate the RTT between each node in the connection • The servers then have to calculate the “queueing” time for each node • Add everything to gether • If everything is equivalent, then it indicates probabilistically they are the same • If not, they come from different distributions
Attack by the server • Sends HTML with 1000 separate tags printing empty images. • Causes browser to make 1000 separate connections to server. • The amount of calls varies, but with a possible 24 concurrent connections, this requires about 42 “rounds” of connections.
2 different tests • Comparison of means • Confidence interval for the mean of each sample population with traversal at fixed time • Kolmogorov-Smirnov • Computes the largest difference in cumulative probability density between two sample sets • Receiver Operating Characteristic Curves • Each point corresponds to the true positive and false positive rates for one setting of the rejection thresholds
Client Location Via Latency • Adversary is three logical entities: Aserver, Aclient and Ator • Goal is to identify V’s network latency
The Attack • Basic Idea • Calculate the RTT between V and E • 3 steps • Measuring first hop latency • Estimating candidate RTTs • Eliminating Candidates
Measuring first hop latency • Aserver and Ator can determine circuit order after several iterations • Aclient connects using the circuit and calculates RTT • With information we can estimate the RTT from V to E
Estimating candidate RTTs • Need a method to obtain the RTT between two hosts without explicit cooperation of either • Vivaldi embedding algorithm • Ease of implementation • Disadvantage: in order to be accurate without cooperation, several nodes must be used for the service
Eliminating Candidates • Check all candidates to see if their RTTs are consistent with the estimated RTT between V and E • Accepting means the RTT is within 85% of the estimate RTT between V and E
Limitations • Limited data on conditional information gain • Client location attack assumes that a user repeatedly accesses a server from the same network location
Mitigation • Onion routing minimizes the success probability of Murdoch-Danezis’ clogging attack • Adding sufficient delays to make the RTT and timing characteristics of Tor servers independent of the underlying network topology
Thank you! • Questions?