A Probabilistic Analysis of Onion Routing in a Black-box Model
10/29/2007, Workshop on Privacy in the Electronic Society
Aaron Johnson (Yale), with Joan Feigenbaum (Yale) and Paul Syverson (NRL)

Contributions
• Use a black-box abstraction to create a probabilistic model of onion routing
• Analyze unlinkability
• Provide worst-case bounds
• Examine a typical case

Related Work
• A Model of Onion Routing with Provable Anonymity. J. Feigenbaum, A. Johnson, and P. Syverson. FC 2007
• Towards an Analysis of Onion Routing Security. P. Syverson, G. Tsudik, M. Reed, and C. Landwehr. PET 2000
• An Analysis of the Degradation of Anonymous Protocols. M. Wright, M. Adler, B. Levine, and C. Shields. NDSS 2002

Anonymous Communication
• Sender anonymity: Adversary can’t determine the sender of a given message
• Receiver anonymity: Adversary can’t determine the receiver of a given message
• Unlinkability: Adversary can’t determine who talks to whom

How Onion Routing Works
[Figure: user u running a client, routers 1 to 5 running servers, Internet destination d]
• u creates 3-hop circuit through routers
• u opens a stream in the circuit to d
• Data is exchanged. Onions shown in successive frames: {{{m}3}4}1, {{m}3}4, {m}3, m; then for the reply: m’, {m’}3, {{m’}3}4, {{{m’}3}4}1
• Stream is closed.
• Circuit is changed every few minutes.

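The layering in the frames above, as an added example that is not part of the original slides: each router strips (forward) or adds (backward) only its own layer, so the bytes differ on every link and only the last hop handles m. The hop order 1, 4, 3 is read off the onion {{{m}3}4}1; the keys are constructed, the HMAC-SHA256 XOR keystream is a toy stand-in for a real cipher, and all function names are illustrative.

```python
import hashlib
import hmac

CIRCUIT = [1, 4, 3]  # hop order implied by the onion {{{m}3}4}1
# Constructed per-hop keys; a real client negotiates one with each router.
KEYS = {r: hashlib.sha256(b"constructed key %d" % r).digest() for r in CIRCUIT}

def layer(key: bytes, data: bytes) -> bytes:
    """Add or strip one layer {.}k. Toy XOR stream, so both are the same call."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def forward(m: bytes) -> dict:
    """Return the bytes visible on each link as m travels from u to d."""
    cell = m
    for r in reversed(CIRCUIT):          # u applies layer 3 first, layer 1 last
        cell = layer(KEYS[r], cell)
    links = {"u->1": cell}
    hops = CIRCUIT + ["d"]
    for here, nxt in zip(hops, hops[1:]):
        cell = layer(KEYS[here], cell)   # router strips only its own layer
        links[f"{here}->{nxt}"] = cell
    return links

def backward(reply: bytes) -> dict:
    """Return the bytes visible on each link as the reply travels from d to u."""
    links = {"d->3": reply}
    cell = reply
    hops = CIRCUIT[::-1] + ["u"]
    for here, nxt in zip(hops, hops[1:]):
        cell = layer(KEYS[here], cell)   # each router adds its own layer
        links[f"{here}->{nxt}"] = cell
    return links

def client_unwrap(cell: bytes) -> bytes:
    """u strips layers 1, 4 and 3 to recover the reply."""
    for r in CIRCUIT:
        cell = layer(KEYS[r], cell)
    return cell
```
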
Adversary
[Figure: u, d and routers 1 to 5]
Active & Local

Anonymity
[Figure: users u, v, w; routers 1 to 5; destinations d, e, f]
• First router compromised
• Last router compromised
• First and last compromised
• Neither first nor last compromised

Black-box Abstraction
[Figure: users u, v, w and destinations d, e, f]
• Users choose a destination
• Some inputs are observed
• Some outputs are observed

Black-box Anonymity
[Figure: users u, v, w and destinations d, e, f]
• The adversary can link observed inputs and outputs of the same user.
• Any configuration consistent with these observations is indistinguishable to the adversary.

Probabilistic Black-box
[Figure: users u, v, w and destinations d, e, f; label $p_u$]
• Each user $v$ selects a destination from distribution $p_v$
• Inputs and outputs are observed independently with probability $b$

Probabilistic Anonymity
[Figure: several configurations of users u, v, w and destinations d, e, f, labelled "Indistinguishable configurations"]
Conditional distribution: Pr[ud] = 1

Black Box Model
Let $U$ be the set of users.
Let be the set of destinations.
Configuration $C$
• User destinations $C_D : U$
• Observed inputs $C_I : U \to \{0,1\}$
• Observed outputs $C_O : U \to \{0,1\}$
Let $X$ be a random configuration such that:
$$\Pr[X = C] = \prod_u p_u^{C_D(u)} \, b^{C_I(u)} (1-b)^{1-C_I(u)} \, b^{C_O(u)} (1-b)^{1-C_O(u)}$$

Probabilistic Anonymity
The metric $Y$ for the unlinkability of $u$ and $d$ in $C$ is: $Y(C) = \Pr[X_D(u) = d \mid XC]$
Note: There are several other candidates for a probabilistic anonymity metric, e.g. entropy
• Exact Bayesian inference
• Adversary after long-term intersection attack
• Worst-case adversary
Unlinkability given that $u$ visits $d$: $E[Y \mid X_D(u) = d]$

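For a small population the metric can be computed exactly by enumeration. This added example (not from the slides or the paper) sums Pr[X = C] over every configuration, groups configurations by what the adversary sees, and returns E[Y | X_D(u) = d]. The `view` function is an assumed reading of the slides' indistinguishability rule, and all names are illustrative.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

def view(config):
    """What the adversary sees. config[u] = (destination, input_seen, output_seen).

    Assumed reading of the slides: an observed input reveals the user, an
    observed output reveals the destination, and the two are linked only when
    both are observed for the same user.
    """
    known = tuple((u, d if o else None) for u, (d, i, o) in enumerate(config) if i)
    anonymous = tuple(sorted(d for d, i, o in config if o and not i))
    return known, anonymous

def prob(config, p, b):
    """Pr[X = C] for destination distributions p[u][d] and observation rate b."""
    pr = Fraction(1)
    for u, (d, i, o) in enumerate(config):
        pr *= p[u][d] * (b if i else 1 - b) * (b if o else 1 - b)
    return pr

def expected_y(p, b, u, d):
    """E[Y | X_D(u) = d], where Y(C) is the posterior that u chose d given view(C)."""
    options = list(product(range(len(p[u])), (0, 1), (0, 1)))
    seen = defaultdict(Fraction)        # Pr[view]
    seen_and_d = defaultdict(Fraction)  # Pr[view and u chose d]
    for config in product(options, repeat=len(p)):
        pr = prob(config, p, b)
        v = view(config)
        seen[v] += pr
        if config[u][0] == d:
            seen_and_d[v] += pr
    # Y = seen_and_d / seen on each view; weight it by Pr[view | u chose d].
    return sum(h * h / seen[v] for v, h in seen_and_d.items() if h) / p[u][d]
```

With b = 0 the result is the prior p[u][d] and with b = 1 it is 1; values of b in between show how much the observations add to the adversary's prior belief.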
Worst-case Anonymity
Let pu1 pu2 pud-1 pud+1 … pu
Theorem 1: The maximum of $E[Y \mid X_D(u) = d]$ over $(p_v)_{v \neq u}$ occurs when
1. pv=1 for all $v \neq u$ OR
2. $p_v^d = 1$ for all $v \neq u$
Show max. occurs when $e_v = d$ for all $v \neq u$, or when ev = for all $v \neq u$.
Show max. occurs when, for all $v \neq u$, $p_v^{e_v} = 1$ for some $e_v$.
Show max. occurs when, for all $v \neq u$, $e_v = d$ or ev = .

Worst-case Estimates
Let $n$ be the number of users.