Towards a Theory of Onion Routing
Aaron Johnson, Yale University
5/27/2008

Overview
• Anonymous communication and onion routing
• Formally model and analyze onion routing (Financial Cryptography 2007)
• Probabilistic analysis of onion routing (Workshop on Privacy in the Electronic Society 2007)

Anonymous Communication: What?
• Setting
  • Communication network
  • Adversary
• Anonymity
  • Sender anonymity
  • Receiver anonymity
  • Unlinkability
• w.r.t. a message; w.r.t. all communication

Anonymous Communication: Why?
• Useful
  • Individual privacy online
  • Corporate privacy
  • Government and foreign intelligence
  • Whistleblowers
• Interesting
  • How to define?
  • Possible in communication networks?
  • Cryptography from anonymity

Anonymous Communication Protocols
• Mix Networks (1981)
• Dining cryptographers (1988)
• Onion routing (1999)
• Anonymous buses (2002)
• Crowds (1998)
• PipeNet (1998)
• Xor-trees (2000)
• Tarzan (2002)
• Hordes (2002)
• Salsa (2006)
• ISDN, pool, Stop-and-Go, timed, cascade mixes
• etc.

Deployed Anonymity Systems
• anon.penet.fi
• Freedom
• Mixminion
• Mixmaster
• Tor
• JAP
• FreeNet
• anonymizer.com and other single-hop proxies
• I2P
• MUTE
• Nodezilla
• etc.

Onion Routing
• Practical design with low latency and overhead
• Open source implementation (http://tor.eff.org)
• Over 1000 volunteer routers
• Estimated 200,000 users
• Sophisticated design

Anonymous Communication
[Figure: Mix Networks, Dining cryptographers, Onion routing, Anonymous buses; labels: Deployed, Analyzed]

A Model of Onion Routing with Provable Anonymity
Johnson, Feigenbaum, and Syverson, Financial Cryptography 2007
• Formally model onion routing using input/output automata
• Characterize the situations that provide possibilistic anonymity

How Onion Routing Works
[Figure: user u running client, routers 1-5 running servers, Internet destination d]
• u creates l-hop circuit through routers
• u opens a stream in the circuit to d
• Data are exchanged
  • Onion on the way from u to d, in the order shown: {{{m}3}4}1, {{m}3}4, {m}3, m
  • Onion on the way back from d to u, in the order shown: m’, {m’}3, {{m’}3}4, {{{m’}3}4}1
• Stream is closed.
• Circuit is changed every few minutes.

How Onion Routing Works
[Figure: u, routers 1-5, d; labels u, 1, 2]
Theorem 1: Adversary can only determine parts of a circuit it controls or is next to.

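The layering shown on the slides ({{{m}3}4}1 peeled at routers 1, 4 and 3) and the per-hop view behind Theorem 1, as an added example that is not from the talk or from Tor's code. It assumes u already shares a key with each router on the circuit, uses a toy SHA-256 XOR stream cipher as a stand-in for real encryption, and places a next-hop label inside each layer; all function and variable names are hypothetical.

```python
import hashlib

def crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, stand-in for real encryption); encrypt == decrypt."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(circuit, dest, m, keys):
    """u wraps m once per hop; the innermost layer is for the last router."""
    onion, nxt = m, dest
    for r in reversed(circuit):
        onion = crypt(keys[r] + b"fwd", nxt.encode() + b"|" + onion)
        nxt = r
    return onion

def forward(sender, entry, onion, keys):
    """Each router peels one layer; views[r] = (previous hop, next hop) is all r learns."""
    views, prev, here = {}, sender, entry
    while here in keys:
        nxt, onion = crypt(keys[here] + b"fwd", onion).split(b"|", 1)
        views[here] = (prev, nxt.decode())
        prev, here = here, nxt.decode()
    return here, onion, views

def backward(circuit, reply, keys):
    """On the way back each router adds its layer, so {{{m'}3}4}1 reaches u."""
    for r in reversed(circuit):
        reply = crypt(keys[r] + b"bwd", reply)
    return reply

def unwrap_reply(circuit, onion, keys):
    """u holds every hop key and removes all layers of the reply."""
    for r in circuit:
        onion = crypt(keys[r] + b"bwd", onion)
    return onion

# Constructed sample data: circuit u -> 1 -> 4 -> 3 -> d, as on the slides.
CIRCUIT = ["1", "4", "3"]
KEYS = {r: hashlib.sha256(b"constructed key " + r.encode()).digest() for r in CIRCUIT}

def demo():
    onion = build_onion(CIRCUIT, "d", b"m", KEYS)
    dest, m, views = forward("u", CIRCUIT[0], onion, KEYS)
    reply = unwrap_reply(CIRCUIT, backward(CIRCUIT, b"m'", KEYS), KEYS)
    return dest, m, views, reply

if __name__ == "__main__":
    print(demo())
```

In the returned views, router 1 sees u but not d and router 3 sees d but not u, which is the "controls or is next to" limit of Theorem 1 for a single compromised router.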
Model
• Constructed with I/O automata (Lynch & Tuttle, 1989)
• Models asynchrony
• Relies on abstract properties of cryptosystem
• Simplified onion-routing protocol
• Each user constructs a circuit to one destination
• No separate destinations
• No circuit teardowns
• Circuit identifiers

Automata Protocol
[Figure: u, v, w]