1 / 142

Towards a Theory of Onion Routing

Towards a Theory of Onion Routing . Aaron Johnson Yale University 5/27/2008. Overview. Anonymous communication and onion routing Formally model and analyze onion routing ( Financial Cryptography 2007)

eadoin
Download Presentation

Towards a Theory of Onion Routing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008

  2. Overview • Anonymous communication and onion routing • Formally model and analyze onion routing(Financial Cryptography 2007) • Probabilistic analysis of onion routing(Workshop on Privacy in the Electronic Society 2007) 1

  3. Setting Anonymous Communication:What? 2

  4. Setting Communication network Anonymous Communication:What? 2

  5. Setting Communication network Adversary Anonymous Communication:What? 2

  6. Setting Communication network Adversary Anonymity Anonymous Communication:What? 2

  7. Setting Communication network Adversary Anonymity Sender anonymity Anonymous Communication:What? 2

  8. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Anonymous Communication:What? 2

  9. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Anonymous Communication:What? w.r.t. amessage 2

  10. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Unlinkability Anonymous Communication:What? w.r.t. amessage 2

  11. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Unlinkability Anonymous Communication:What? w.r.t. amessage w.r.t. all communication 2

  12. Anonymous Communication:Why? 3

  13. Useful Individual privacy online Corporate privacy Government and foreign intelligence Whistleblowers Anonymous Communication:Why? 3

  14. Useful Individual privacy online Corporate privacy Government and foreign intelligence Whistleblowers Interesting How to define? Possible in communication networks? Cryptography from anonymity Anonymous Communication:Why? 3

  15. Anonymous Communication Protocols • Mix Networks (1981) • Dining cryptographers (1988) • Onion routing (1999) • Anonymous buses (2002) 4

  16. Anonymous Communication Protocols • Tarzan (2002) • Hordes (2002) • Salsa (2006) • ISDN,pool,Stop-and-Go,timed,cascademixes • etc. • Mix Networks (1981) • Dining cryptographers (1988) • Onion routing (1999) • Anonymous buses (2002) • Crowds (1998) • PipeNet (1998) • Xor-trees (2000) 4

  17. Deployed Anonymity Systems • anon.penet.fi • Freedom • Mixminion • Mixmaster • Tor • JAP • FreeNet • anonymizer.com and other single-hop proxies • I2P • MUTE • Nodezilla • etc. 5

  18. Onion Routing • Practical design with low latency and overhead • Open source implementation (http://tor.eff.org) • Over 1000 volunteer routers • Estimated 200,000 users • Sophisticated design 6

  19. Anonymous Communication Mix Networks Dining cryptographers Onion routing Anonymous buses Deployed Analyzed 7

  20. A Model of Onion Routing with Provable AnonymityJohnson, Feigenbaum, and SyversonFinancial Cryptography 2007 • Formally model onion routing using input/output automata • Characterize the situations that provide possibilistic anonymity 8

  21. How Onion Routing Works 1 2 u d 3 5 User u running client Internet destination d 4 Routers running servers 9

  22. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  23. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  24. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  25. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d 9

  26. How Onion Routing Works {{{m}3}4}1 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  27. How Onion Routing Works 1 2 u d 3 5 {{m}3}4 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  28. How Onion Routing Works 1 2 u d 3 5 {m}3 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  29. How Onion Routing Works 1 2 u m d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  30. How Onion Routing Works 1 2 u d m’ 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  31. How Onion Routing Works 1 2 u d 3 5 4 {m’}3 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  32. How Onion Routing Works 1 2 u {{m’}3}4 d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  33. How Onion Routing Works 1 2 {{{m’}3}4}1 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  34. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged. • Stream is closed. 9

  35. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged. • Stream is closed. • Circuit is changed every few minutes. 9

  36. How Onion Routing Works 1 2 u d 3 5 4 10

  37. How Onion Routing Works 1 2 u d 3 5 4 11

  38. How Onion Routing Works 1 2 u d 3 5 4 Theorem 1: Adversary can only determine parts of a circuit it controls or is next to. 11

  39. How Onion Routing Works 1 2 u d 3 5 4 u 1 2 Theorem 1: Adversary can only determine parts of a circuit it controls or is next to. 11

  40. Model • Constructed with I/O automata(Lynch & Tuttle, 1989) • Models asynchrony • Relies on abstract properties of cryptosystem • Simplified onion-routing protocol • Each user constructs a circuit to one destination • No separate destinations • No circuit teardowns • Circuit identifiers 12

  41. Automata Protocol u v w 13

  42. Automata Protocol u v w 13

  43. Automata Protocol u v w 13

  44. Automata Protocol u v w 13

  45. Automata Protocol u v w 13

  46. Automata Protocol u v w 13

  47. Automata Protocol u v w 13

  48. Automata Protocol u v w 13

  49. Automata Protocol u v w 13

  50. Automata Protocol u v w 13

More Related