1 / 28

The Case for Network-Layer, Peer-to-Peer Anonymization

This paper presents the vision for network-layer, peer-to-peer anonymization, allowing users to communicate anonymously and securely. It discusses the limitations of proxy and centralized mixnet approaches, and introduces Tarzan, a peer-to-peer anonymization system.

khenthorn
Download Presentation

The Case for Network-Layer, Peer-to-Peer Anonymization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Case for Network-Layer,Peer-to-Peer AnonymizationMichael J. FreedmanEmil Sit, Josh Cates, Robert MorrisMIT Lab for Computer ScienceIPTPS’02 March 7, 2002http://pdos.lcs.mit.edu/tarzan/

  2. The Grail of Anonymization • Participant can communicate anonymously with non-participant • User can talk to CNN.com ? User • Nobody knows who user is The Case for Network-Layer, Peer-to-Peer Anonymization

  3. Our Vision for Anonymization • Millions of nodes participate • Bounce traffic off one another • Mechanism to organize nodes: peer-to-peer • All applications can use: IP layer The Case for Network-Layer, Peer-to-Peer Anonymization

  4. Proxy Alternative 1: Proxy Approach • Intermediate node to proxy traffic • Completely trust the proxy Anonymizer.com User The Case for Network-Layer, Peer-to-Peer Anonymization

  5. Global passive observer? • Adaptive active adversary? • Use cover network: a different paper Realistic Threat Model • Corrupt proxy • Adversary runs proxy • Adversary targets proxy and compromises • Limited, localized network sniffing The Case for Network-Layer, Peer-to-Peer Anonymization

  6. Proxy Proxy Failures of Proxy Approach User • Proxy reveals identity • Traffic analysis is easy The Case for Network-Layer, Peer-to-Peer Anonymization

  7. Proxy Failures of Proxy Approach • CNN blocks connections from proxy X User X • Proxy reveals identity • Traffic analysis is easy • Adversary blocks access to proxy (DoS) The Case for Network-Layer, Peer-to-Peer Anonymization

  8. Relay Relay Relay Alternative 2: Centralized Mixnet • MIX encoding creates encrypted tunnel of relays • Individual malicious relays cannot reveal identity • Packet forwarding through tunnel User Onion Routing, Freedom Small-scale, static network, not general-purpose The Case for Network-Layer, Peer-to-Peer Anonymization

  9. Relay Relay Relay Failures of Centralized Mixnet X • CNN blocks core routers The Case for Network-Layer, Peer-to-Peer Anonymization

  10. Relay Relay Relay Relay Failures of Centralized Mixnet • CNN blocks core routers • Adversary targets core routers The Case for Network-Layer, Peer-to-Peer Anonymization

  11. Relay Relay Relay Relay Failures of Centralized Mixnet • CNN blocks core routers • Adversary targets core routers • Allows network-edge analysis The Case for Network-Layer, Peer-to-Peer Anonymization

  12. Tarzan: Me Relay, You Relay • Millions of nodes participate • Build tunnel over random set of nodes Crowds: small-scale, not self-organizing, not a mixnet The Case for Network-Layer, Peer-to-Peer Anonymization

  13. ? ? ? ? ? Benefits of Peer-to-Peer Design • CNN cannot block everybody • Adversary cannot target everybody • No network edge to analyze: • First hop does not know he’s first The Case for Network-Layer, Peer-to-Peer Anonymization

  14. Managing Peers • Requires a mechanism that • Discovers peers • Scalable • Robust against adversaries The Case for Network-Layer, Peer-to-Peer Anonymization

  15. Adversaries Can Join System • Adversary can join more than once • Due to lack of central authentication • Try to prevent adversary from impersonating large address space The Case for Network-Layer, Peer-to-Peer Anonymization

  16. Stopping Evil Peers • Contact peers directly to • Validate IP address • Learn public key Adversary can only answer small address space The Case for Network-Layer, Peer-to-Peer Anonymization

  17. Tarzan: Joining the System 1. Contacts known peer in big (Chord) network 2. Learns of a few peers for routing queries User The Case for Network-Layer, Peer-to-Peer Anonymization

  18. Tarzan: Discovering Peers 3. Contacts random peers to learn {IP addr, PK} Performs Chord lookup(random) User The Case for Network-Layer, Peer-to-Peer Anonymization

  19. PNAT Real IP Address Public Alias Address Tunnel Private Address Tarzan: Building Tunnel User • 4. Iteratively selects peers and builds tunnel • Public-key encrypts tunnel info during setup • Maps flowid  session key, next hop IP addr The Case for Network-Layer, Peer-to-Peer Anonymization

  20. X IP IP Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP User Diverts packets to tunnel source router The Case for Network-Layer, Peer-to-Peer Anonymization

  21. IP IP IP Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP User • NATs to private address space 192.168.x.x • Layer encrypts packet The Case for Network-Layer, Peer-to-Peer Anonymization

  22. Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP IP IP IP User • Encapsulates in UDP and forwards packet • Strips off encryption, forwards to next hop The Case for Network-Layer, Peer-to-Peer Anonymization

  23. IP IP Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP User • NATs again to public alias address The Case for Network-Layer, Peer-to-Peer Anonymization

  24. IP Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP User • Reads IP headers and sends accordingly The Case for Network-Layer, Peer-to-Peer Anonymization

  25. IP IP IP IP IP IP Tarzan: Tunneling Data Traffic 5. Reroutes packets over this tunnel APP IP IP IP User • Response repeats process in reverse The Case for Network-Layer, Peer-to-Peer Anonymization

  26. IP IP IP IP IP IP IP IP IP IP IP IP Tarzan: Tunneling Data Traffic Transparently supports anonymous servers Can build double-blinded channels APP IP IP IP IP IP IP Server Oblivious User The Case for Network-Layer, Peer-to-Peer Anonymization

  27. Tarzan is Fast (Enough) • Prototype implementation in C++ • Setup time per hop: ~20 ms + transmission time • Packet forwarding per hop: < 1 ms + transmission time • Network latency dominates performance The Case for Network-Layer, Peer-to-Peer Anonymization

  28. Summary • Gain anonymity: • Millions of relays • No centralization Peer-to-Peer design • Transparent IP-layer anonymization • Towards a critical mass of users The Case for Network-Layer, Peer-to-Peer Anonymization

More Related