Preserving Caller Anonymity in Voice-over-IP Networks Mudhakar Srivatsa, Ling Liu and Arun Iyengar Presenter: Bo Wu
Agenda • Voice-over-IP • Caller Anonymity • Threat Models • Defending Methods • Experimental Evaluation • Conclusion
PSTN • PSTN stands for Public Switched Telephone Network • Circuit-based, meaning resources are reserved for each user • Kind of expensive
Voice-over-IP: another choice • Voice over Internet Protocol • “A method for taking analog audio signals, like the kind you hear when you talk on the phone, and turning them into digital data that can be transmitted over the Internet.” • Also known as: • Voice over Packet (VoP) • IP Telephony (IPT)
Benefits • #1. SAVING MONEY! • Routing phone calls over existing data networks to avoid the need for separate voice and data networks. • VoIP offers features and services for free (or at little cost)
Benefits • Increased Agility • Tactical Advantages • Integrate things like: emails, phone, instant messages, etc.
Characteristics of VoIP network • P2P topology (figure: peers connected through the Internet)
Characteristics of VoIP network • Additional QoS requirement • ITU (International Telecommunication Union) recommends up to 250ms one-way latency for interactive voice communication. People go mad due to bad quality
Anonymity in VoIP networks • What is anonymity? • NO leakage of information about identity • Why is it important? • Human rights • Sensitive applications
Where is the caller? • Source privacy • Hot topic in many kinds of networks: Ad hoc, Sensor networks, Mesh networks, …… • Papers published in: Infocom, ICDCS, CCS, Securecomm, S&P…
What are the difficulties? • Strong ability of attackers • Content analysis • Timing analysis • Fully distributed • Link latency • ……
How does VoIP work? • Establish routes: • Unstable topology • Routes across different ASPs • Sending messages • Comply with different application protocols • Confidentiality • Hop-by-hop encryption • End-to-end encryption
Establishing routes InitSearch: Zhenhua <SearchID, dest ID, start time> Bo
How does it work? • ProcessSearch Zhenhua Bo
How does it work? • FinSearch Zhenhua Bo
What’s the problem? Bad guys are there… Zhenhua Bad guy: Mr. Y Bad guy: Mr. X Bo
What’s the problem? What if Zhenhua is surrounded by bad guys? Bad guy: Mr. W Zhenhua Bad guy: Mr. Y Bad guy: Mr. Z Bad guy: Mr. X Bo
Threat model • Composed of assumptions and formulations • Three threat models: • Deterministic Triangulation Attack • Statistical Triangulation Attack • Differential Triangulation Attack
Deterministic Triangulation Attack • “Deterministic” means fixed latency for each link • Exploit two properties of the route set up protocol: • 1. It establishes the shortest route between the two nodes src and dst. • 2. Any node can estimate its distance from src => Each bad guy has the knowledge of its distance from any other node in the network
Deterministic Triangulation Attack Mr. Y Bo Mr. X
Deterministic Triangulation Attack • For each bad guy pi in network • If • Calculate the final score:
Statistical Triangulation Attack • “Statistical” means link latency follows some probabilistic distribution, say Gaussian distribution • Exploit one nice property of Gaussian distribution • X, Y follow Gaussian distribution • If Z = X + Y THEN E(Z) = E(X)+E(Y) • When calculating scores, use mean value
Differential Triangulation Attack • The two attacks above rely on the time stamp in the search packet to make the first estimation. • What if the source removes the time stamp? • The attackers can still cooperate……
Differential Triangulation Attack Zhenhua Mr. Y Mr. Y Bo Dist(Bo, X)-Dist(Bo,Y) < Dist(Zhenhua, X)-Dist(Zhenhua, Y)
Topology discovery • All of the three threat models require global information like topology and link latency • Malicious nodes can collude to collect such information • Send ping messages with small TTL • Infer local topology and link latency through pong messages
Attack efficiency Deterministic Triangulation Statistical Triangulation
Attack efficiency Differential Triangulation
Defending algorithms • General idea: break the tight correlation of timing and distance • Random walk search algorithm • Best anonymity, worst QoS • Hybrid route set up • Tradeoff between anonymity and QoS
Random walk search algorithm • Basic idea: • Randomly select a neighbor to forward search request instead of broadcasting (Random walk is used in tens of papers to defend against traffic analysis.) • Why does it work? • According to random walk theory:
Hybrid Route set up protocol • Controlled random walk • Two phases • Random walk search phase • Search dest node by random walk • Broadcast search phase • Search dest node by broadcast • One kind of probabilistic routing: • Start at random walk search phase • Remain in this phase with probability of p • Transfer to Broadcast search phase with probability of 1-p
Hybrid Route set up protocol • Multi-Agent Random Walk • Send out w search messages instead of one • Every search message performs random walk • Route established when the first search message arrives at dest node • Tradeoff when setting w • Bigger w means smaller latency • Bigger w also increases attacking efficiency
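Added example (not from the slides or the paper): a small simulation of the controlled random walk described above, with a single search message (w = 1), showing how the remain-probability p trades route set-up latency against the timing/distance correlation that the triangulation attacks rely on. The topology, link latencies, node numbers and function names are constructed for illustration.

```python
import heapq
import random

# Constructed topology (not from the paper): ring of 8 nodes plus two chords,
# weights are one-way link latencies in ms.
EDGES = [(0, 1, 10), (1, 2, 10), (2, 3, 10), (3, 4, 10), (4, 5, 10),
         (5, 6, 10), (6, 7, 10), (7, 0, 10), (1, 5, 25), (2, 6, 25)]

def build(edges):
    g = {}
    for a, b, w in edges:
        g.setdefault(a, {})[b] = w
        g.setdefault(b, {})[a] = w
    return g

G = build(EDGES)

def shortest(g, src):
    """Dijkstra: first-arrival time of a broadcast search flooded from src."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in g[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist

def hybrid_search(g, src, p, rng):
    """Stay in the random-walk phase with probability p per hop, then broadcast.
    Returns the first-arrival time of the search at every node."""
    node, elapsed, seen = src, 0, {src: 0}
    while rng.random() < p:
        nxt = rng.choice(sorted(g[node]))
        elapsed += g[node][nxt]
        node = nxt
        seen.setdefault(node, elapsed)
    arrival = {n: elapsed + d for n, d in shortest(g, node).items()}
    arrival.update(seen)  # nodes the walk visited got the message earlier
    return arrival

def evaluate(g, src, dst, observer, p, trials=2000, seed=1):
    """Mean set-up latency to dst, and the fraction of searches whose arrival
    time at the observer still equals its true latency distance from src."""
    rng, true_d = random.Random(seed), shortest(g, src)
    total = exact = 0
    for _ in range(trials):
        arrival = hybrid_search(g, src, p, rng)
        total += arrival[dst]
        exact += arrival[observer] == true_d[observer]
    return total / trials, exact / trials
```

Calling evaluate(G, 0, 4, 3, p) for increasing p shows the mean latency rising above the 40 ms shortest route while the share of searches that reveal the observer's exact distance from the caller falls.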
Simulation results Latency study:
Simulation results Anonymity study:
Comments • Brilliant Threat models • Capture key properties of broadcast • A small percentage of nodes can attack very accurately • Not quite novel defending methods • Random walk has been used by tens of (if not hundreds of) papers • No deep analysis of the performance
Conclusion • VoIP is gaining more and more popularity • Three threat models directly target caller anonymity • Introduce randomness to defend against timing attacks • Lesson: protecting privacy while also providing QoS is a challenging problem