1 / 80

A Formal Analysis of Onion Routing 10/26/2007

A Formal Analysis of Onion Routing 10/26/2007. Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL). Papers. A Model of Onion Routing with Provable Anonymity Financial Cryptography and Data Security 2007

wharvey
Download Presentation

A Formal Analysis of Onion Routing 10/26/2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Formal Analysis of Onion Routing10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

  2. Papers • A Model of Onion Routing with Provable AnonymityFinancial Cryptography and Data Security 2007 • A Probabilistic Analysis of Onion Routing in a Black-box ModelWorkshop on Privacy in the Electronic Society 2007

  3. Anonymous Communication • Sender anonymity: Adversary can’t determine the sender of a given message • Receiver anonymity: Adversary can’t determine the receiver of a given message • Relationship anonymity: Adversary can’t determine who talks to whom

  4. Anonymous Communication • Sender anonymity: Adversary can’t determine the sender of a given message • Receiver anonymity: Adversary can’t determine the receiver of a given message • Relationship anonymity: Adversary can’t determine who talks to whom

  5. How Onion Routing Works 1 2 u d 3 5 User u running client Internet destination d 4 Routers running servers

  6. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers

  7. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers

  8. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers

  9. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d

  10. How Onion Routing Works {{{m}3}4}1 1 2 u d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  11. How Onion Routing Works 1 2 u d 3 5 {{m}3}4 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  12. How Onion Routing Works 1 2 u d 3 5 {m}3 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  13. How Onion Routing Works 1 2 u m d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  14. How Onion Routing Works 1 2 u d m’ 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  15. How Onion Routing Works 1 2 u d 3 5 4 {m’}3 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  16. How Onion Routing Works 1 2 u {{m’}3}4 d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  17. How Onion Routing Works 1 2 {{{m’}3}4}1 u d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  18. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed.

  19. How Onion Routing Works 1 2 u d 3 5 4 • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed. • Circuit is changed every few minutes.

  20. Results

  21. Results • Formally model onion routing using input/output automata

  22. Results • Formally model onion routing using input/output automata • Analyze relationship anonymity • Characterize situations with possibilistic anonymity • Bound probabilistic anonymity in worst-case and typical situations

  23. Related Work • A Formal Treatment of Onion RoutingJan Camenisch and Anna LysyanskayaCRYPTO 2005 • A formalization of anonymity and onion routingS. Mauw, J. Verschuren, and E.P. de VinkESORICS 2004 • Towards an Analysis of Onion Routing SecurityP. Syverson, G. Tsudik, M. Reed, and C. LandwehrPET 2000

  24. Model • Constructed with I/O automata • Models asynchrony • Relies on abstract properties of cryptosystem • Simplified onion-routing protocol • No key distribution • No circuit teardowns • No separate destinations • Each user constructs a circuit to one destination • Circuit identifiers

  25. Automata Protocol u v w

  26. Automata Protocol u v w

  27. Automata Protocol u v w

  28. Automata Protocol u v w

  29. Automata Protocol u v w

  30. Automata Protocol u v w

  31. Automata Protocol u v w

  32. Automata Protocol u v w

  33. Automata Protocol u v w

  34. Automata Protocol u v w

  35. Creating a Circuit u 1 2 3

  36. Creating a Circuit [0,{CREATE}1] u 1 2 3 • CREATE/CREATED

  37. Creating a Circuit u 1 2 3 [0,CREATED] • CREATE/CREATED

  38. Creating a Circuit u 1 2 3 • CREATE/CREATED

  39. Creating a Circuit [0,{[EXTEND,2,{CREATE}2]}1] u 1 2 3 • CREATE/CREATED • EXTEND/EXTENDED

  40. Creating a Circuit [l1,{CREATE}2] u 1 2 3 • CREATE/CREATED • EXTEND/EXTENDED

  41. Creating a Circuit u 1 2 3 [l1,CREATED] • CREATE/CREATED • EXTEND/EXTENDED

  42. Creating a Circuit u 1 2 3 [0,{EXTENDED}1] • CREATE/CREATED • EXTEND/EXTENDED

  43. Creating a Circuit [0,{{[EXTEND,3,{CREATE}3]}2}1] u 1 2 3 • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  44. Creating a Circuit [l1,{[EXTEND,3,{CREATE}3]}2] u 1 2 3 • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  45. Creating a Circuit [l2,{CREATE}3] u 1 2 3 • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  46. Creating a Circuit u 1 2 3 [l2,CREATED] • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  47. Creating a Circuit u 1 2 3 [l1,{EXTENDED}2] • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  48. Creating a Circuit u 1 2 3 [0,{{EXTENDED}2}1] • CREATE/CREATED • EXTEND/EXTENDED • [Repeat with layer of encryption]

  49. Adversary 1 2 u d 3 5 4 Active & Local

  50. Possibilistic Anonymity

More Related