1 / 42

Participant can communicate anonymously with non-participant User can talk to CNN

Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. Freedman, NYU Robert Morris, MIT ACM CCS 2002 http://pdos.lcs.mit.edu/tarzan/. The Grail of Anonymization. Participant can communicate anonymously with non-participant User can talk to CNN.com. ?. User. Nobody knows who user is.

harlan-williams
Download Presentation

Participant can communicate anonymously with non-participant User can talk to CNN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tarzan: A Peer-to-Peer Anonymizing Network LayerMichael J. Freedman, NYURobert Morris, MITACM CCS 2002http://pdos.lcs.mit.edu/tarzan/

  2. The Grail of Anonymization • Participant can communicate anonymously with non-participant • User can talk to CNN.com ? User • Nobody knows who user is Tarzan: a Peer-to-Peer Anonymizing Network Layer

  3. Our Vision for Anonymization • Thousands of nodes participate • Bounce traffic off one another • Mechanism to organize nodes: peer-to-peer • All applications can use: IP layer Tarzan: a Peer-to-Peer Anonymizing Network Layer

  4. Proxy Alternative 1: Proxy Approach • Intermediate node to proxy traffic • Completely trust the proxy Anonymizer.com User Tarzan: a Peer-to-Peer Anonymizing Network Layer

  5. Threat model • Corrupt proxy(s) • Adversary runs proxy(s) • Adversary targets proxy(s) and compromises, possibly adaptively • Network links observed • Limited, localized network sniffing • Wide-spread (even global) eavesdropping • e.g., Carnivore, Chinese firewall, ISP search warrants Tarzan: a Peer-to-Peer Anonymizing Network Layer

  6. Proxy Proxy Failures of Proxy Approach User • Proxy reveals identity • Traffic analysis is easy Tarzan: a Peer-to-Peer Anonymizing Network Layer

  7. Proxy Failures of Proxy Approach • CNN blocks connections from proxy X User X • Proxy reveals identity • Traffic analysis is easy • Adversary blocks access to proxy (DoS) Tarzan: a Peer-to-Peer Anonymizing Network Layer

  8. Relay Relay Relay Relay Alternative 2: Centralized Mixnet • MIX encoding creates encrypted tunnel of relays • Individual malicious relays cannot reveal identity • Packet forwarding through tunnel User Onion Routing, Freedom Small-scale, static network Tarzan: a Peer-to-Peer Anonymizing Network Layer

  9. Relay Relay Relay Relay Failures of Centralized Mixnet User X • CNN blocks core routers Tarzan: a Peer-to-Peer Anonymizing Network Layer

  10. Relay Relay Relay Relay Relay Relay Relay Failures of Centralized Mixnet User • CNN blocks core routers • Adversary targets core routers Tarzan: a Peer-to-Peer Anonymizing Network Layer

  11. Relay Relay Relay Relay Relay Alternative 2: Centralized Mixnet User • CNN blocks core routers • Adversary targets core routers • So, add cover traffic between relays • Hides data traffic among cover Tarzan: a Peer-to-Peer Anonymizing Network Layer

  12. Relay Relay Relay Relay Relay Relay Failures of Centralized Mixnet User • CNN blocks core routers • Adversary targets core routers Tarzan: a Peer-to-Peer Anonymizing Network Layer

  13. Relay Relay Relay Relay Relay Relay Relay Relay Failures of Centralized Mixnet User • CNN blocks core routers • Adversary targets core routers • Still allows network-edge analysis Tarzan: a Peer-to-Peer Anonymizing Network Layer

  14. Relay Relay Relay Relay Relay Relay Relay Relay Relay Relay Failures of Centralized Mixnet User • Internal cover traffic does not protect edges • External cover traffic prohibitively expensive? • n2 communication complexity Tarzan: a Peer-to-Peer Anonymizing Network Layer

  15. Tarzan goals • No distinction between anon proxies and clients • Peer-to-peer model • Anonymity against corrupt relays • MIX-net encoding • Robust tunnel selection • Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping • Cover traffic protects all edges • Restrict topology to make cover practical • Choose neighbors in verifiably-random manner • Application-independence • Low-latency IP-layer redirection Tarzan: a Peer-to-Peer Anonymizing Network Layer

  16. Tarzan: Me Relay, You Relay • Thousands of nodes participate • CNN cannot block everybody • Adversary cannot target everybody Tarzan: a Peer-to-Peer Anonymizing Network Layer

  17. Tarzan: Me Relay, You Relay • Thousands of nodes participate • Cover traffic protects all nodes • Global eavesdropping gains little info Tarzan: a Peer-to-Peer Anonymizing Network Layer

  18. ? ? ? ? ? Benefits of Peer-to-Peer Design • Thousands of nodes participate • Cover traffic protects all nodes • All nodes also act as relays • No network edge to analyze • First hop does not know he’s first Tarzan: a Peer-to-Peer Anonymizing Network Layer

  19. Tarzan goals • No distinction between anon proxies and clients • Peer-to-peer model • Anonymity against corrupt relays • MIX-net encoding • Robust tunnel selection • Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping • Cover traffic protects all nodes • Restrict topology to make cover practical • Choose neighbors in verifiably-random manner • Application-independence • Low-latency IP-layer redirection Tarzan: a Peer-to-Peer Anonymizing Network Layer

  20. Tarzan: Joining the System 1. Contacts known peers to learn neighbor lists 2. Validates each peer by directly pinging User Tarzan: a Peer-to-Peer Anonymizing Network Layer

  21. User Tarzan: Generating Cover Traffic 4. Nodes begin passing cover traffic with mimics: • Nodes send at some traffic rate per time period • Traffic rate independent of actual demand • All packets are same length and link encrypted Tarzan: a Peer-to-Peer Anonymizing Network Layer

  22. PNAT Tarzan: Selecting tunnel nodes User 5. To build tunnel: Iteratively selects peers and builds tunnel from among last-hop’s mimics Tarzan: a Peer-to-Peer Anonymizing Network Layer

  23. PNAT But, Adversaries Can Join System User Tarzan: a Peer-to-Peer Anonymizing Network Layer

  24. PNAT But, Adversaries Can Join System User • Adversary can join more than once by spoofing addresses outside its control • Contact peers directly to validate IP addr and learn PK Tarzan: a Peer-to-Peer Anonymizing Network Layer

  25. PNAT But, Adversaries Can Join System User • Adversary can join more than once by running many nodes on each machine it controls • Randomly select by subnet “domain” (/16 prefix, not IP) Tarzan: a Peer-to-Peer Anonymizing Network Layer

  26. PNAT But, Adversaries Can Join System User • Adversary can join more than once by running many nodes on each machine it controls • Randomly select by subnet “domain” (/16 prefix, not IP) Tarzan: a Peer-to-Peer Anonymizing Network Layer

  27. PNAT But, Adversaries Can Join System User • Colluding adversary can only select each other as neighbors • Choose mimics in universally-verifiable random manner Tarzan: a Peer-to-Peer Anonymizing Network Layer

  28. K16 = H(H(U.IP/16)) lookup(K16) K32 = H(H(U.IP)) lookup(K32) H4(U.IP) H3(U.IP) A D Hi(A.IP) H2(U.IP) Hi(B.IP) Hi(C.IP) B C Tarzan: Selecting mimics H(18.26) H(216.16.108.10) H(216.165) H(216.16.31.13) User H(128.2) H(216.16.54.8) H(13.1) IP H(169.229) IP/16 3. Nodes pair-wise choose (verifiable) mimics Tarzan: a Peer-to-Peer Anonymizing Network Layer

  29. Tarzan goals • No distinction between anon proxies and clients • Peer-to-peer model • Anonymity against corrupt relays • MIX-net encoding • Robust tunnel selection • Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping • Cover traffic protects all nodes • Restrict topology to make cover practical • Choose neighbors in verifiably-random manner • Application-independence • Low-latency IP-layer redirection Tarzan: a Peer-to-Peer Anonymizing Network Layer

  30. User Real IP Address Public Alias Address Tunnel Private Address Tarzan: Building Tunnel PNAT • 5. To build tunnel: • Public-key encrypts tunnel info during setup • Maps flowid  session key, next hop IP addr Tarzan: a Peer-to-Peer Anonymizing Network Layer

  31. X IP PNAT IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP User Diverts packets to tunnel source router Tarzan: a Peer-to-Peer Anonymizing Network Layer

  32. IP IP IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP PNAT User • NATs to private address 192.168.x.x • Pads packet to fixed length Tarzan: a Peer-to-Peer Anonymizing Network Layer

  33. IP IP IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP IP PNAT User • Layer encrypts packet to each relay • Encapsulates in UDP, forwards to first hop Tarzan: a Peer-to-Peer Anonymizing Network Layer

  34. Tarzan: Tunneling Data Traffic Somebody (IP)speaking to CNN 6. Reroutes packets over this tunnel APP IP IP IP PNAT User • Strips off encryption • Forwards to next hop within cover traffic Tarzan: a Peer-to-Peer Anonymizing Network Layer

  35. IP IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP PNAT User • NATs again to public alias address Tarzan: a Peer-to-Peer Anonymizing Network Layer

  36. IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP PNAT User I’m speaking to PNAT • Reads IP headers and sends accordingly Tarzan: a Peer-to-Peer Anonymizing Network Layer

  37. IP IP IP IP IP IP Tarzan: Tunneling Data Traffic 6. Reroutes packets over this tunnel APP IP IP IP PNAT User • Response repeats process in reverse Tarzan: a Peer-to-Peer Anonymizing Network Layer

  38. Integrating Tarzan Speaking to PNAT Can build double-blinded channels Peer Speaking to Peer Use transparently with existing systems Tarzan: a Peer-to-Peer Anonymizing Network Layer

  39. Packet forwarding and tunnel setup • Tunnel Setup (public key ops) ~30 msec / hop latency + network delay • Packet forwarding (without cover traffic) pkt size latency throughput 64 bytes 250 µsec 7 Mbits/s 1024 bytes 600 µsec 60 MBits/s Tarzan: a Peer-to-Peer Anonymizing Network Layer

  40. Summary • Application-independence at IP layer • Previous systems for email, web, file-sharing, etc. • No network edge through peer-to-peer design • Core routers can be blocked, targetted, or black-box analyzed • Anonymity against corrupt relays and global eavesdropping • Cover traffic within restricted topology • MIX-net tunneling through verified mimics • Scale to thousands • Towards a critical mass of users Tarzan: a Peer-to-Peer Anonymizing Network Layer

  41. http://pdos.lcs.mit.edu/tarzan/ Tarzan: a Peer-to-Peer Anonymizing Network Layer

  42. Packet forwarding and tunnel setup (msec) Tarzan: a Peer-to-Peer Anonymizing Network Layer

More Related