
A Model of Onion Routing with Provable Anonymity: Financial Cryptography ’07, 2/12/07

Aaron Johnson, with Joan Feigenbaum and Paul Syverson


Presentation Transcript


  1. A Model of Onion Routing with Provable Anonymity • Financial Cryptography ’07, 2/12/07 • Aaron Johnson, with Joan Feigenbaum and Paul Syverson

  2. Overview • Formally model onion routing using input/output automata • Characterize the situations that provide anonymity

  3. Anonymous Communication • Mix Networks (1981) • Dining cryptographers (1988) • Onion routing (1999) • Anonymous buses (2002)

  5. Onion Routing • Practical design with low latency and overhead • Open source implementation (http://tor.eff.org) • Over 800 volunteer routers • Estimated 200,000 users

  6. Anonymous Communication • Mix Networks • Dining cryptographers • Onion routing • Anonymous buses [figure labels: Deployed, Analyzed]

  7. Related work • A Formal Treatment of Onion Routing, Jan Camenisch and Anna Lysyanskaya, CRYPTO 2005 • A formalization of anonymity and onion routing, S. Mauw, J. Verschuren, and E.P. de Vink, ESORICS 2004 • I/O Automaton Models and Proofs for Shared-Key Communication Systems, Nancy Lynch, CSFW 1999

  8. Overview • Formally model onion routing using input/output automata • Characterize the situations that provide anonymity

  9. Overview • Formally model onion routing using input/output automata • Simplified onion-routing protocol • Non-cryptographic analysis • Characterize the situations that provide anonymity

  10. Overview • Formally model onion routing using input/output automata • Simplified onion-routing protocol • Non-cryptographic analysis • Characterize the situations that provide anonymity • Send a message, receive a message, communicate with a destination • Possibilistic anonymity

  11. How Onion Routing Works [diagram: user u running client; routers 1–5 running servers; Internet destination d]

  12. How Onion Routing Works [diagram: u, routers 1–5, d] • u creates 3-hop circuit through routers

  15. How Onion Routing Works [diagram: u, routers 1–5, d] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d

  16. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {{{m}3}4}1] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  17. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {{m}3}4] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  18. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {m}3] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  19. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: m] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  20. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: m’] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  21. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {m’}3] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  22. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {{m’}3}4] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  23. How Onion Routing Works [diagram: u, routers 1–5, d; on the wire: {{{m’}3}4}1] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  24. How Onion Routing Works [diagram: u, routers 1–5, d] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed.

  25. How Onion Routing Works [diagram: u, routers 1–5, d] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed. • Circuit is changed every few minutes.

  26. How Onion Routing Works [diagram: u, routers 1–5, d]

  28. How Onion Routing Works [diagram: u, routers 1–5, d] • Main theorem: Adversary can only determine parts of a circuit it controls or is next to.

  29. How Onion Routing Works [diagram: u, routers 1–5, d, with additional labels u, 1, 2] • Main theorem: Adversary can only determine parts of a circuit it controls or is next to.

  30. Anonymous Communication • Sender anonymity: Adversary can’t determine the sender of a given message • Receiver anonymity: Adversary can’t determine the receiver of a given message • Unlinkability: Adversary can’t determine who talks to whom

  31. Adversaries • Passive & Global • Active & Local

  35. Model • Constructed with I/O automata • Models asynchrony • Relies on abstract properties of cryptosystem • Simplified onion-routing protocol • No key distribution • No circuit teardowns • No separate destinations • No streams • No stream cipher • Each user constructs a circuit to one destination • Circuit identifiers

  36. Automata Protocol [diagram: automata u, v, w]

  46. Creating a Circuit [diagram: u, routers 1, 2, 3]

  47. Creating a Circuit [diagram: u, routers 1, 2, 3; on the wire: [0,{CREATE}1]] • CREATE/CREATED

  48. Creating a Circuit [diagram: u, routers 1, 2, 3; on the wire: [0,CREATED]] • CREATE/CREATED

  49. Creating a Circuit [diagram: u, routers 1, 2, 3] • CREATE/CREATED

  50. Creating a Circuit [diagram: u, routers 1, 2, 3; on the wire: [0,{[EXTEND,2,{CREATE}2]}1]] • CREATE/CREATED • EXTEND/EXTENDED
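
The data exchange on slides 16–23, replayed in the slides' symbolic {m}k notation, with each router's view of the path as described by the main theorem on slide 28. This is an added example, not part of the presentation; the function names and the tuple encoding of {m}k are assumptions made for illustration, and no real cryptography is performed.

```python
# Added illustration: symbolic model, {m}k is the tuple ("enc", k, m).
# Circuit order 1 -> 4 -> 3 is read off the slides' onion {{{m}3}4}1.
CIRCUIT = [1, 4, 3]

def enc(key, payload):
    return ("enc", key, payload)

def dec(key, onion):
    # Only the holder of `key` can strip the outermost layer.
    if not (isinstance(onion, tuple) and onion[0] == "enc" and onion[1] == key):
        raise ValueError(f"key {key} does not open {show(onion)}")
    return onion[2]

def show(x):
    """Render in slide notation, e.g. {{{m}3}4}1."""
    return "{%s}%s" % (show(x[2]), x[1]) if isinstance(x, tuple) else str(x)

def relay(payload, hops, transform):
    """Pass payload along hops; every intermediate router applies transform.
    Returns ([(sender, receiver, wire_text)], payload at the last hop)."""
    trace = []
    for sender, receiver in zip(hops, hops[1:]):
        trace.append((sender, receiver, show(payload)))
        if receiver != hops[-1]:
            payload = transform(receiver, payload)
    return trace, payload

def send(message, circuit=CIRCUIT):
    onion = message
    for router in reversed(circuit):      # last router's layer is innermost
        onion = enc(router, onion)
    return relay(onion, ["u"] + circuit + ["d"], dec)

def reply(message, circuit=CIRCUIT):
    trace, onion = relay(message, ["d"] + circuit[::-1] + ["u"], enc)
    for router in circuit:                # u removes layers 1, 4, 3 in turn
        onion = dec(router, onion)
    return trace, onion

def neighbours(router, trace):
    """Parties a router exchanges messages with: the part of the path it is next to."""
    return {p for s, r, _ in trace if router in (s, r) for p in (s, r)} - {router}

if __name__ == "__main__":
    for step in send("m")[0] + reply("m'")[0]:
        print("%s -> %s : %s" % step)
```

Router 4 handles only {{m}3}4 and {m}3 and talks only to routers 1 and 3, so neither u nor d appears in its view.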
