Building a Peer-to-Peer Anonymizing Network Layer
Michael J. Freedman
NYU Dept of Computer Science
Public Design Workshop, September 13, 2002
http://pdos.lcs.mit.edu/tarzan/

The Grail of Anonymization
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
• Nobody knows who user is

Should we offer anonymity?
[Table: axes "Actions of user seeking anonymity" (Legal / Illegal) and "Method of observing user’s identity" (Legal / Illegal); cell entries: Definitely!, Yes, ???, No (?)]

Our Vision for Anonymization
• Thousands of nodes participate
• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer
• All applications can use: IP layer

Alternative 1: Proxy Approach
• Intermediate node to proxy traffic
• Completely trust the proxy
Anonymizer.com
[Figure: User, Proxy]

Realistic Threat Model
• Corrupt proxy(s)
– Adversary runs proxy(s)
– Adversary targets proxy(s) and compromises, possibly adaptively
• Network links observed
– Limited, localized network sniffing
– Wide-spread (even global) eavesdropping
e.g., Carnivore, Chinese firewall, ISP search warrants

Failures of Proxy Approach
• CNN blocks connections from proxy
• Traffic analysis is easy
• Adversary blocks access to proxy (DoS)
• Proxy reveals identity
[Figure: User, Proxy]

Alternative 2: Centralized Mixnet
• MIX encoding creates encrypted tunnel of relays
– Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
• Cover traffic among relays hides data traffic
Onion Routing, Freedom
Small-scale, static network
[Figure: User, Relay, Relay, Relay]

Failures of Centralized Mixnet
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
• Cover traffic doesn’t protect edges (n²)
[Figure: Relay nodes]

Tarzan: Me Relay, You Relay
• Thousands of nodes participate
• Build tunnel over pseudorandom set of nodes
• Cover traffic covers edges
Crowds: small-scale, not self-organizing, not a mixnet, no cover

Benefits of Peer-to-Peer Design
• No network edge to analyze: first hop does not know he’s first
• CNN cannot block everybody
• Adversary cannot target everybody
• Global eavesdropping gains little info

Managing Peers
• Requires a mechanism that
1. Discovers peers
2. Is scalable
3. Is robust against adversaries

Adversaries Can Join System
• Adversary can join more than once
• Stop it from spoofing addresses outside of its control?
Contact peers directly to
– Validate IP address
– Learn public key

Adversaries Can Join System
• Adversary can join more than once
• Can control many addresses on each subnet!
Randomly select nodes by subnet “domain”, not IP address
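
Added example (not from the slides or the Tarzan code base): why drawing peers by subnet "domain" blunts an adversary that joins many times from addresses it controls. The /16 domain width, the function names and the peer list are assumptions constructed for illustration.

```python
import ipaddress
import random
from collections import defaultdict

def group_by_domain(peers, prefix_len=16):
    """Bucket peers by subnet 'domain'; the /16 width is an assumption."""
    groups = defaultdict(list)
    for ip in peers:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    return groups

def p_adversary_by_ip(peers, bad):
    """Chance that one uniform draw over addresses is an adversary node."""
    return sum(ip in bad for ip in peers) / len(peers)

def p_adversary_by_domain(peers, bad, prefix_len=16):
    """Same chance when a domain is drawn first, then a node inside it."""
    groups = group_by_domain(peers, prefix_len)
    per_domain = [sum(ip in bad for ip in g) / len(g) for g in groups.values()]
    return sum(per_domain) / len(groups)

def pick_by_domain(peers, rng, prefix_len=16):
    """Draw one peer the way p_adversary_by_domain models it."""
    groups = group_by_domain(peers, prefix_len)
    return rng.choice(groups[rng.choice(sorted(groups))])

# Constructed peer list: 50 honest nodes in 50 different /16s, plus an
# adversary that joined 200 times from one /24 it controls.
HONEST = [f"10.{i}.0.1" for i in range(50)]
ADVERSARY = {f"172.16.5.{i}" for i in range(1, 201)}
PEERS = HONEST + sorted(ADVERSARY)

if __name__ == "__main__":
    print("by address:", p_adversary_by_ip(PEERS, ADVERSARY))
    print("by domain: ", p_adversary_by_domain(PEERS, ADVERSARY))
    print("sample pick:", pick_by_domain(PEERS, random.Random(0)))
```

With this list the adversary holds 80% of the addresses but only 1 of 51 domains, so domain-first selection lands on it about 2% of the time.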

Tarzan: Joining the System
1. Contacts known peers to learn neighbor lists
2. Validates each peer by directly pinging

Tarzan: Discovering Peers
3. Nodes pair-wise choose (verifiable) mimics
4. Mimics begin passing cover traffic
5. Building tunnel: iteratively selects peers and builds tunnel from among last-hop’s mimics

Tarzan: Building Tunnel
5. Building tunnel:
– Public-key encrypts tunnel info during setup
– Maps flowid → session key, next hop IP addr
[Figure labels: Real IP Address, Tunnel Private Address, Public Alias Address, PNAT]

Tarzan: Tunneling Data Traffic
6. Reroutes packets over this tunnel
– Diverts packets to tunnel source router
– NATs to private address space 192.168.x.x
– Layer encrypts packet
– Encapsulates in UDP and forwards packet
– Strips off encryption, forwards to next hop
– NATs again to public alias address
– Reads IP headers and sends accordingly
– Response repeats process in reverse
[Figure labels: User, APP, IP]
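
Added example (not from the slides or the Tarzan code base): the per-hop table of steps 5 and 6, flowid → session key and next hop, with the source layer-encrypting a packet and each relay stripping one layer. The class and function names, the next-flowid field, the relay addresses and the toy SHA-256 keystream (a stand-in for a real cipher) are assumptions; the public-key setup and NAT steps are not modelled.

```python
import hashlib
import os

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 counter mode); stand-in for a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class Relay:
    def __init__(self, addr):
        self.addr = addr
        self.flows = {}  # flowid -> (session key, next hop IP addr, next flowid)
    def forward(self, flowid, payload):
        # Strip this hop's layer; the relay learns only its next hop.
        key, next_hop, next_flowid = self.flows[flowid]
        return next_hop, next_flowid, keystream_xor(key, payload)

def build_tunnel(relays, dest):
    """Install per-hop state; stands in for the public-key setup messages."""
    fids = [os.urandom(4).hex() for _ in relays]
    keys = [os.urandom(16) for _ in relays]
    hops = [r.addr for r in relays[1:]] + [dest]
    for r, fid, key, hop, nfid in zip(relays, fids, keys, hops, fids[1:] + [None]):
        r.flows[fid] = (key, hop, nfid)
    return fids[0], keys

def wrap(keys, packet):
    """Source adds one layer per hop, the first hop's layer outermost."""
    for key in reversed(keys):
        packet = keystream_xor(key, packet)
    return packet

def send(relays, flowid, payload):
    """Walk the tunnel; record the bytes each relay receives."""
    by_addr = {r.addr: r for r in relays}
    hop, seen = relays[0].addr, []
    while hop in by_addr:
        seen.append((hop, payload))
        hop, flowid, payload = by_addr[hop].forward(flowid, payload)
    return hop, payload, seen

RELAYS = [Relay(a) for a in ("198.51.100.7", "203.0.113.20", "192.0.2.44")]  # constructed
PACKET = b"GET / HTTP/1.0\r\nHost: cnn.com\r\n\r\n"  # constructed

def demo():
    flowid, keys = build_tunnel(RELAYS, "destination")
    return send(RELAYS, flowid, wrap(keys, PACKET))
```

`demo()` returns the final hop, the packet as it leaves the last relay, and the differing ciphertext each relay received; no relay before the last one handles the cleartext.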

Tarzan: Tunneling Data Traffic
Transparently supports anonymous servers
Can build double-blinded channels
[Figure labels: Oblivious User, Server, APP, IP]

Summary
• Gain anonymity:
– Peer-to-peer: scalable, decentralized, secure
– Cover traffic over mimics
• Transparent IP-layer anonymization
– Towards a critical mass of users
More information…
http://pdos.lcs.mit.edu/tarzan/