Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Introducing Anonymous Communications
Properties, Threat Models, Systems & Attacks. . .
George Danezis
K.U. Leuven, ESAT/COSIC,Kasteelpark Arenberg 10,
B-3001 Leuven-Heverlee, [email protected]
Heraclion, Sept. 2006
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Outline
1 Anonymity Related Properties
2 Threat Models
3 Systems for Anonymous Communications
4 Attacks & Traffic Analysis
5 Conclusions
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Why Anonymity in Communications?From the Department of Defence to you. . .
Military and Intelligence Applications
Tactical Radios, and Strategic Command and Control.
Identification & Location – Target Selection Resistance.
vs. Signals Intelligence.
Commercial, Infrastructure and Society
Research in Investment Banks and others. . .
Auctions and Share trading.
Police e-Investigations.
Elections, freedom of association, free speech,censorship-resistance.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Basic Anonymity PropertiesHiding senders, receivers or both.
Subtleties
Alice and Bob trust each other → 3rd party anonymity,traffic flow security or TAP.
But also they may want protection from each other.
Key Properties
Sender Anonymity – Alice sends to Bob, and Bob cannot traceAlice’s identity.
Receiver Anonymity – Bob can contact Alice, without knowingher identity.
Bi-directional Anonymity – Alice and Bob communicatewithout knowing each other’s identities.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
UnobservabilityHiding participation and transmission.
Information still leaks
Volume of information received or transmitted.
Type of traffic.
Time of communications, or presence.
⇒ Can be used for attacks, or Target Selection.
Solution: Unobservability
Presence is not visible (MS blocking pings)
Participation in, and volume of communications hidden.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Receipt-freeness and RobustnessElections and Coercion.
Selling and Buying Elections
Voters may be coerced to reveal their votes. . .
. . . or maybe tempted to sell them.
Any proof of voting, or the way they voted facilitates this.
Requirement: receipt-freeness.
Robustness
The voting system must not discard, add or modify votes!
It must output a proof of correct functioning.
Related: coercion resistance in encryption, forward security,censorship resistance.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
The Passive AdversariesGlobal, Partial, Local and Realistic.
Aims
Identify Alice, Bob or both.
Global Can observe all all communication channels, andlook at all traffic.
Partial Can observe some communication channels andtraffic. Adaptive or non-adaptive.
Local Controls the edge of the network (Alice’s ISP /Employer).
Realistic Take into account real network topologies(Dingledine and Feamster).
. . .
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Active AdversariesCryptographic manipulation and traffic injection.
Passive network adversaries that can:
Inject messages – at any point of the network (not just users).
Delete messages – for DoS and traffic analysis.
Modify messages – to help with tracing.
Cryptography is not a perfect solution: protects content butnot traffic.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Corrupt Participants & CoercionThe attacker is your “friend”.
Key Intuition: No one can be anonymous on their own /without help.
Corrupt Insiders
Some nodes in the anonymous communicationinfrastructure belong to the adversary.
They are partial passive and active adversaries.
They leak all the secrets they know and coordinate.
Coercion
Honest nodes may be forced to cooperate with theadversary. Blackmail, bribery, legal or physical threats.
They should be given the opportunity to lie.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Sybil AttacksPeer-to-Peer and Open Systems
Open Systems
Everyone can be on the Internet. . .
with 10k machines. (Botnets or China.)
What if the adversary floods the network?
Peer-to-Peer Systems
Every node in the network is also part of the infrastructure.
Good: high resilience, huge anonymity sets (theory)
Bad: Why trust all those nodes – are they all bad?
No easy (p2p) solution. . .
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Dining Cryptographers NetworksUnconditional Anonymity, at a high cost. (David Chaum ‘85)
Key ideas
Multiparty computation amongst N participants.
Architecture: key sharing graph, broadcast by eachparticipant and combination of shares.
Security: secure if the adversary cannot partition the keysharing graph. Information Theoretic!
Extensions
Key management: only share seed keys and use a streamcipher.
Dining Cryptographers in a Disco: resilient to collisionsand Denial of Service.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Dining Cryptographers NetworksIllustrated
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Buses for Anonymous Deliveryand other broadcast mechanisms. . .
Broadcast
Receiver Anonymity atcost O(N).
Buses
Based on a ‘Token Ring’architecture.
The bus has slots that areread and filled withmessages.
Hide modification.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Mix SystemsOverview (David Chaum ‘81)
What is a mix?
A message router that hides correspondences between
inputs and outputs.
Disrupt patterns in (1) content and (2) time.
How? (1) Public key crypto and decryption (2) Batchingand delaying (3) Padding (4) Avoid replays.
Secure against GPA + active.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Mix SystemsTopology and Other Issues
Distribute Mix functionality
Distribute Trust: Cascades.
Distribute Load: Arbitrary Graph.
How? nested layers of (special) encryption.
Hide path length, path position, . . .
Security: against fraction of corrupt nodes.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Anonymous RepliesTalking back to strangers.
Reply Blocks
A cryptographic address that routes the message back toAlice.
Constructed by Alice and sent (anonymously) to Bob.Uses Mix networks.
Indistinguishable from other messages.
Single use (Mixminion)
Nym Servers
A Bridge between email and receiver anonymity.
Implement using reply blocks or PIR.
Security: if compromized only DoS.
See “Mixminion”. . .George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Robust Mix-netsRe-encryption mix-nets, ZK proofs of shuffle, and Partial Checking
Techniques
Elections need high assurance and anonymity.
Technique 1: Re-encryption Mix Networks outputting ZKproofs of correct shuffle (fancy and expensive).
Technique 2: Random Partial Checking: each mixcommits to outputs and is challenged to reveal half.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Onion RoutingTheory
Mixing is expensive: public key operations for eachmessage.
Idea: use a mixed message to open a connection througha network of onion routers.
Stream data in both directions (with layered encryption)using the same route.
Security
Fails against GPA! Streams are linkable using timingattacks.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Onion RoutingFreedom, JAP and Tor
Real systems have been fielded:
Java Anon Proxy. University of Dresden. Collection of MixCascades. No cover traffic. Legal attacks.
ZK Freedom. Canadian company, commercial project. Failed inthe market place (.com boom). Defunct.
Tor. The Onion Router. ∼600 routers, ∼100k users, 3hop, free route. Strange threat model!
Security
None of them resists GPA.
JAP suffered from legal and compulsion attacks.
They withstand Local adversaries.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Simple Proxies and the Real WorldHow are the bad guys achieving anonymity
By design
Simple email replay: anon.penet.fi – legal attacks.
Anonymizer.com – SSL protected web proxy.
Crowds – pass the parcel anonymization.
What the bad guys use
Open WiFi replays.
Open SMTP relays and HTTP/SOCKS proxies.
Shared hotmail accounts.
Botnets and compromised machines.
Hit a kid on the head and steal their phone!
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Simple tracing and Sybil attacksGathering and using all the information.
Vanilla tracing
Gather all traces, and construct all possible scenarios ofwho is talking to whom, given the traffic.
Apply constrains: path lengths, who is on-line, . . . (NP!)
Generate probability distributions for each messagecorresponding to each sender.
Measuring anonymity: the min-Entropy of these is thesecurity offered by the system.
Get more information
Flood the networks with more corrupt nodes.
DoS good nodes or paths! (Tech and Legal)
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Long Term Intersection and Disclosure AttacksUncovering Alice’s long term friends.
Black-box attacks
Alice talks to Bob (and other friends) often!
Long term intersection attacks.
Record all possible recipients of Alice for manyinteractions: the actual ones will appear more frequently.
Disclosure attacks and statistical variants – black-boxeswith memory.
Corwds: Predecessor attacks
Crowds tries to hide who is the initiator.
Observe many interactions: the initiator will be the mostcommon node.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Tracing Streams of Data: attacking onion routingFrom matching streams to detecting stepping stones.
How to break Tor
Record the timing of input stream packets.
Create models of how their output will look.
Which model corresponds better to the observed output?
Many Twists!
Applications to intrusion detection (Stepping Stones)
Inject patterns that are easy to recognise.
Remote timing of streams (magic stuff)!
Compression of templates, and fast matching.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Tracing Streams of Data: attacking onion routingWhat the attacker sees. . .
0 200 400 600 800 10000
0.5
1
1.5
2Signal f(t)
0 100 200 300 4000
0.01
0.02
0.03
0.04Delay d(x)
0 200 400 600 800 10000
0.5
1
1.5
2
Output link 1, Xi
0 200 400 600 800 10000
1
2
3x 10
−3 Convolution (f*d)
0 200 400 600 800 10000
1
2
3
Output link 2, Yi
0 200 400 600 800 1000−0.01
0
0.01
0.02Decision
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Active Tagging AttacksCryptographic attacks, replay attacks
Tagging
Modify the input message, and try to detect acharacteristic!
Example: if stream cipher XOR a random string, anddetect it at the end.
Use integrity checks, and fragile encodings to protect.
Replay
Inject a message n times and observe the n outputs.
Replay prevention is expensive!
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
The State of the ArtWhere are we today?
Deployed systems
MixMaster/Mixminion for email. Mixing with replies, and Nymservers. Resists GPA + active + corrput. Fails onsybil, flooding, DoS, and useability.
Tor for TCP traffic. Resists Local adversaries +compulsion! Fails GPA, . . .
Moving Targets
Freenet, I2P, Gnutella – no clear specifications, codebasechanges all the time.
Anonymizer, SafeWeb – changing all the time, and singlepoints of failure.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Open problemsWhere do we want to go?
Trust: Why trust the same intermediaries?
How to do low latency?
How to manage the networks to avoid Sybils and DoS.
Usability and integration. Identity management andcontent filtering.
Incentives for deployment. Payment?
Protection from target selection?
Critical!
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
Future DirectionsHow to get there?
People are working on. . .
Using your friends to relay traffic.
Mixing same types of low latency traffic (IRC, . . . )
More is needed on. . .
Hiding usage patterns and unobservability!
Usability and integration with applications (firefox,thunderbird plug-ins?)
There is much more to research on Traffic Analysis, butwe are running out of targets.
George Danezis Anonymous Communications
Anonymous
Communica-
tions
George
Danezis
Anonymity
Related
Properties
Threat
Models
Systems for
Anonymous
Communica-
tions
Attacks &
Traffic
Analysis
Conclusions
ResourcesIf I saw far. . .
Warning
Mature field: If you attempt to make a system without readingthe literature it will be broken!
Venues and Resources:
PET Workshop (Next year in Ottawa, Canada). Ameeting place for all people working on anonymouscommunications.
WPES, always next to ACM CCS.
“Anonymity Bibliography” – freehaven.net/anonbib
Latest PhD Thesis: Claudia Diaz, Nikita Borisov, MatthewWright, Andrei Serjantov, George Danezis.
Talk to people – they are all passionate and will reply!
George Danezis Anonymous Communications