Introducing Anonymous Communications

Properties, Threat Models, Systems & Attacks. . .

George Danezis

K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10,

B-3001 Leuven-Heverlee, Belgium.

George.Danezis@esat.kuleuven.be

Heraclion, Sept. 2006

Outline

1 Anonymity Related Properties

2 Threat Models

3 Systems for Anonymous Communications

4 Attacks & Traffic Analysis

5 Conclusions

Why Anonymity in Communications?

From the Department of Defence to you. . .

Military and Intelligence Applications

Tactical Radios, and Strategic Command and Control.

Identification & Location – Target Selection Resistance.

vs. Signals Intelligence.

Commercial, Infrastructure and Society

Research in Investment Banks and others. . .

Auctions and Share trading.

Police e-Investigations.

Elections, freedom of association, free speech, censorship-resistance.

Basic Anonymity Properties

Hiding senders, receivers or both.

Subtleties

Alice and Bob trust each other → 3rd party anonymity, traffic flow security or TAP.

But also they may want protection from each other.

Key Properties

Sender Anonymity – Alice sends to Bob, and Bob cannot trace Alice’s identity.

Receiver Anonymity – Bob can contact Alice, without knowing her identity.

Bi-directional Anonymity – Alice and Bob communicate without knowing each other’s identities.

Unobservability

Hiding participation and transmission.

Information still leaks

Volume of information received or transmitted.

Type of traffic.

Time of communications, or presence.

⇒ Can be used for attacks, or Target Selection.

Solution: Unobservability

Presence is not visible (MS blocking pings)

Participation in, and volume of communications hidden.

Receipt-freeness and Robustness

Elections and Coercion.

Selling and Buying Elections

Voters may be coerced to reveal their votes. . .

. . . or maybe tempted to sell them.

Any proof of voting, or the way they voted facilitates this.

Requirement: receipt-freeness.

Robustness

The voting system must not discard, add or modify votes!

It must output a proof of correct functioning.

Related: coercion resistance in encryption, forward security, censorship resistance.

The Passive Adversaries

Global, Partial, Local and Realistic.

Aims

Identify Alice, Bob or both.

Global: Can observe all communication channels, and look at all traffic.

Partial: Can observe some communication channels and traffic. Adaptive or non-adaptive.

Local: Controls the edge of the network (Alice’s ISP / Employer).

Realistic: Take into account real network topologies (Dingledine and Feamster).

. . .

Active Adversaries

Cryptographic manipulation and traffic injection.

Passive network adversaries that can:

Inject messages – at any point of the network (not just users).

Delete messages – for DoS and traffic analysis.

Modify messages – to help with tracing.

Cryptography is not a perfect solution: protects content but not traffic.

Corrupt Participants & Coercion

The attacker is your “friend”.

Key Intuition: No one can be anonymous on their own / without help.

Corrupt Insiders

Some nodes in the anonymous communication infrastructure belong to the adversary.

They are partial passive and active adversaries.

They leak all the secrets they know and coordinate.

Coercion

Honest nodes may be forced to cooperate with the adversary. Blackmail, bribery, legal or physical threats.

They should be given the opportunity to lie.

Sybil Attacks

Peer-to-Peer and Open Systems

Open Systems

Everyone can be on the Internet. . .

with 10k machines. (Botnets or China.)

What if the adversary floods the network?

Peer-to-Peer Systems

Every node in the network is also part of the infrastructure.

Good: high resilience, huge anonymity sets (theory)

Bad: Why trust all those nodes – are they all bad?

No easy (p2p) solution. . .

Dining Cryptographers Networks

Unconditional Anonymity, at a high cost. (David Chaum ‘85)

Key ideas

Multiparty computation amongst N participants.

Architecture: key sharing graph, broadcast by each participant and combination of shares.

Security: secure if the adversary cannot partition the key sharing graph. Information Theoretic!

Extensions

Key management: only share seed keys and use a stream cipher.

Dining Cryptographers in a Disco: resilient to collisions and Denial of Service.
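
One DC-net round with the seed-key extension, written out as an added example (not code from the slides). The four participants, the ring-shaped key sharing graph and the messages are constructed, and SHAKE-256 stands in for the stream cipher; the last function shows what colluders recover once they hold every seed a participant shares.

```python
import hashlib

NAMES = ["alice", "bob", "carol", "dave"]            # constructed participants
RING = [("alice", "bob"), ("bob", "carol"), ("carol", "dave"), ("dave", "alice")]

def make_seeds(edges):
    """Key sharing graph: one long-term seed per edge (derived from names only for the demo)."""
    return {frozenset(e): hashlib.sha256("|".join(sorted(e)).encode()).digest() for e in edges}

def pad(seed, round_no, length):
    """Expand a seed into this round's pad; SHAKE-256 stands in for the stream cipher."""
    return hashlib.shake_256(seed + round_no.to_bytes(8, "big")).digest(length)

def xor(*parts):
    out = bytes(len(parts[0]))
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def announce(name, seeds, round_no, length, message=b""):
    """One participant's broadcast: the pads shared with each neighbour, XORed with the message slot."""
    pads = [pad(s, round_no, length) for edge, s in seeds.items() if name in edge]
    return xor(message.ljust(length, b"\0"), *pads)

def run_round(seeds, round_no, length, senders):
    """senders maps name -> message. Returns (each broadcast, XOR of all broadcasts)."""
    broadcasts = {n: announce(n, seeds, round_no, length, senders.get(n, b"")) for n in NAMES}
    return broadcasts, xor(*broadcasts.values())

def colluders_view(target, broadcast, seeds, colluders, round_no):
    """Strip from target's broadcast every pad whose seed a colluder holds."""
    known = [s for edge, s in seeds.items() if target in edge and edge & colluders]
    return xor(broadcast, *[pad(s, round_no, len(broadcast)) for s in known])

if __name__ == "__main__":
    seeds = make_seeds(RING)
    broadcasts, combined = run_round(seeds, 1, 16, {"alice": b"meet at noon"})
    print("combined:", combined)        # every pad appears in two broadcasts and cancels
    print("bob alone:", colluders_view("alice", broadcasts["alice"], seeds, {"bob"}, 1))
    print("bob+dave:", colluders_view("alice", broadcasts["alice"], seeds, {"bob", "dave"}, 1))
    _, clash = run_round(seeds, 2, 16, {"alice": b"first", "carol": b"second"})
    print("collision:", clash)          # XOR of both messages, neither is readable
```

With only Bob corrupt, Alice's broadcast stays masked by the pad she shares with Dave; once Bob and Dave both collude, the key sharing graph is partitioned around her and her slot is exposed.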

Dining Cryptographers Networks

Illustrated

Buses for Anonymous Delivery

and other broadcast mechanisms. . .

Broadcast

Receiver Anonymity at cost O(N).

Buses

Based on a ‘Token Ring’ architecture.

The bus has slots that are read and filled with messages.

Hide modification.

Mix Systems

Overview (David Chaum ‘81)

What is a mix?

A message router that hides correspondences between inputs and outputs.

Disrupt patterns in (1) content and (2) time.

How? (1) Public key crypto and decryption (2) Batching and delaying (3) Padding (4) Avoid replays.

Secure against GPA + active.

Mix Systems

Topology and Other Issues

Distribute Mix functionality

Distribute Trust: Cascades.

Distribute Load: Arbitrary Graph.

How? Nested layers of (special) encryption.

Hide path length, path position, . . .

Security: against fraction of corrupt nodes.
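
A small cascade of threshold mixes covering the two Mix Systems slides (nested layers, padding, batching), as an added example that is not from the slides. As an assumption, a symmetric key shared with each hop replaces the public key step, SHAKE-256 is the stand-in stream cipher, and the packet size, keys and messages are constructed; replay handling is left out here.

```python
import hashlib
import os

PACKET = 128   # constructed size: every packet on every link is this long
NONCE = 16

def stream_xor(key, nonce, data):
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(message, hop_keys):
    """Sender: pad to a fixed size, then add one encryption layer per hop, last hop first."""
    room = PACKET - NONCE * len(hop_keys)
    if len(message) > room - 2:
        raise ValueError("message too long for one packet")
    packet = (len(message).to_bytes(2, "big") + message).ljust(room, b"\0")
    for key in reversed(hop_keys):
        nonce = os.urandom(NONCE)            # fresh per layer, so equal messages differ
        packet = nonce + stream_xor(key, nonce, packet)
    return packet

def unpad(packet):
    n = int.from_bytes(packet[:2], "big")
    return packet[2:2 + n]

class ThresholdMix:
    def __init__(self, key, threshold):
        self.key, self.threshold, self.pool = key, threshold, []

    def receive(self, packet):
        """Strip one layer, hold the result, and flush only when the batch is full."""
        nonce, body = packet[:NONCE], packet[NONCE:]
        # Re-pad to PACKET bytes so the size does not reveal the position on the path.
        self.pool.append(stream_xor(self.key, nonce, body) + os.urandom(NONCE))
        if len(self.pool) < self.threshold:
            return []
        batch, self.pool = sorted(self.pool), []   # output order is unrelated to arrival order
        return batch

def run_cascade(messages, hop_keys, threshold):
    """Returns (delivered messages, every packet an observer saw on any link)."""
    link = [wrap(m, hop_keys) for m in messages]
    observed = list(link)
    for mix in [ThresholdMix(k, threshold) for k in hop_keys]:
        out = []
        for packet in link:
            out.extend(mix.receive(packet))
        observed.extend(out)
        link = out
    return [unpad(p) for p in link], observed

if __name__ == "__main__":
    keys = [b"hop-1 key", b"hop-2 key", b"hop-3 key"]
    msgs = [b"to bob: hi", b"to carol: ok", b"to dave: later"]
    delivered, observed = run_cascade(msgs, keys, threshold=3)
    print(delivered, {len(p) for p in observed})
```

Because the layers are XOR streams, the random bytes a hop appends only turn into garbage at the tail of the packet; the length prefix tells the receiver where the real message ends.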

Anonymous Replies

Talking back to strangers.

Reply Blocks

A cryptographic address that routes the message back to Alice.

Constructed by Alice and sent (anonymously) to Bob. Uses Mix networks.

Indistinguishable from other messages.

Single use (Mixminion)

Nym Servers

A Bridge between email and receiver anonymity.

Implement using reply blocks or PIR.

Security: if compromised, only DoS.

See “Mixminion”. . .

Robust Mix-nets

Re-encryption mix-nets, ZK proofs of shuffle, and Partial Checking

Techniques

Elections need high assurance and anonymity.

Technique 1: Re-encryption Mix Networks outputting ZK proofs of correct shuffle (fancy and expensive).

Technique 2: Random Partial Checking: each mix commits to outputs and is challenged to reveal half.

Onion Routing

Theory

Mixing is expensive: public key operations for each message.

Idea: use a mixed message to open a connection through a network of onion routers.

Stream data in both directions (with layered encryption) using the same route.

Security

Fails against GPA! Streams are linkable using timing attacks.

Onion Routing

Freedom, JAP and Tor

Real systems have been fielded:

Java Anon Proxy. University of Dresden. Collection of Mix Cascades. No cover traffic. Legal attacks.

ZK Freedom. Canadian company, commercial project. Failed in the market place (.com boom). Defunct.

Tor. The Onion Router. ∼600 routers, ∼100k users, 3 hop, free route. Strange threat model!

Security

None of them resists GPA.

JAP suffered from legal and compulsion attacks.

They withstand Local adversaries.

Simple Proxies and the Real World

How are the bad guys achieving anonymity

By design

Simple email relay: anon.penet.fi – legal attacks.

Anonymizer.com – SSL protected web proxy.

Crowds – pass the parcel anonymization.

What the bad guys use

Open WiFi relays.

Open SMTP relays and HTTP/SOCKS proxies.

Shared hotmail accounts.

Botnets and compromised machines.

Hit a kid on the head and steal their phone!

Simple tracing and Sybil attacks

Gathering and using all the information.

Vanilla tracing

Gather all traces, and construct all possible scenarios of who is talking to whom, given the traffic.

Apply constraints: path lengths, who is on-line, . . . (NP!)

Generate probability distributions for each message corresponding to each sender.

Measuring anonymity: the min-Entropy of these is the security offered by the system.

Get more information

Flood the networks with more corrupt nodes.

DoS good nodes or paths! (Tech and Legal)

Long Term Intersection and Disclosure Attacks

Uncovering Alice’s long term friends.

Black-box attacks

Alice talks to Bob (and other friends) often!

Long term intersection attacks.

Record all possible recipients of Alice for many interactions: the actual ones will appear more frequently.

Disclosure attacks and statistical variants – black-boxes with memory.

Crowds: Predecessor attacks

Crowds tries to hide who is the initiator.

Observe many interactions: the initiator will be the most common node.

Tracing Streams of Data: attacking onion routing

From matching streams to detecting stepping stones.

How to break Tor

Record the timing of input stream packets.

Create models of how their output will look.

Which model corresponds better to the observed output?

Many Twists!

Applications to intrusion detection (Stepping Stones)

Inject patterns that are easy to recognise.

Remote timing of streams (magic stuff)!

Compression of templates, and fast matching.

Tracing Streams of Data: attacking onion routing

What the attacker sees. . .

[Figure: six plots titled Signal f(t), Delay d(x), Convolution (f*d), Output link 1 (Xi), Output link 2 (Yi) and Decision.]

Active Tagging Attacks

Cryptographic attacks, replay attacks

Tagging

Modify the input message, and try to detect a characteristic!

Example: if a stream cipher is used, XOR a random string into the message, and detect it at the end.

Use integrity checks, and fragile encodings to protect.

Replay

Inject a message n times and observe the n outputs.

Replay prevention is expensive!
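
The two protections named on this slide, shown at a single hop as an added example (not code from the slides): the same hop is run once without and once with an integrity check and a replay cache. The key, payload and marker are constructed, SHAKE-256 is a stand-in stream cipher, and one fixed key is reused only to keep the demo short.

```python
import hashlib
import hmac

KEY = b"constructed hop key"
PAYLOAD = b"to=bob; hello from alice"
MARKER = b"\xff\xff\xff\xff"        # the string XORed into the ciphertext in transit

def stream_xor(key, data):
    ks = hashlib.shake_256(b"enc" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(key, body):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), body, hashlib.sha256).digest()

def seal(key, payload):
    """Sender: encrypt, then authenticate the ciphertext (encrypt-then-MAC)."""
    body = stream_xor(key, payload)
    return mac(key, body) + body

def flip(packet, marker):
    """The modification the slide describes: XOR a chosen string into the encrypted body."""
    body = packet[32:]
    return packet[:32] + bytes(a ^ b for a, b in zip(body, marker.ljust(len(body), b"\0")))

class Hop:
    def __init__(self, key, check_integrity, check_replay):
        self.key = key
        self.check_integrity = check_integrity
        self.check_replay = check_replay
        self.seen = set()   # grows with every accepted packet until the key is rotated

    def process(self, packet):
        """Return the decrypted payload, or None when the packet is dropped."""
        tag, body = packet[:32], packet[32:]
        if self.check_integrity and not hmac.compare_digest(tag, mac(self.key, body)):
            return None                      # modified in transit
        if self.check_replay:
            fingerprint = hashlib.sha256(packet).digest()
            if fingerprint in self.seen:
                return None                  # already processed once
            self.seen.add(fingerprint)
        return stream_xor(self.key, body)

def tagged_output(hop):
    return hop.process(flip(seal(KEY, PAYLOAD), MARKER))

def replay_outputs(hop, n):
    packet = seal(KEY, PAYLOAD)
    return [hop.process(packet) for _ in range(n)]

if __name__ == "__main__":
    print(tagged_output(Hop(KEY, False, False)))   # payload with the marker visible in it
    print(tagged_output(Hop(KEY, True, True)))     # None: dropped by the integrity check
    print(replay_outputs(Hop(KEY, True, False), 3))
    print(replay_outputs(Hop(KEY, True, True), 3))
```

The `seen` set is the cost the slide refers to: the hop must remember a fingerprint of every packet it has accepted for as long as its key stays valid.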

The State of the Art

Where are we today?

Deployed systems

MixMaster/Mixminion for email. Mixing with replies, and Nym servers. Resists GPA + active + corrupt. Fails on Sybil, flooding, DoS, and usability.

Tor for TCP traffic. Resists Local adversaries + compulsion! Fails GPA, . . .

Moving Targets

Freenet, I2P, Gnutella – no clear specifications, codebase changes all the time.

Anonymizer, SafeWeb – changing all the time, and single points of failure.

Open problems

Where do we want to go?

Trust: Why trust the same intermediaries?

How to do low latency?

How to manage the networks to avoid Sybils and DoS.

Usability and integration. Identity management and content filtering.

Incentives for deployment. Payment?

Protection from target selection?

Critical!

Future Directions

How to get there?

People are working on. . .

Using your friends to relay traffic.

Mixing same types of low latency traffic (IRC, . . . )

More is needed on. . .

Hiding usage patterns and unobservability!

Usability and integration with applications (Firefox, Thunderbird plug-ins?)

There is much more to research on Traffic Analysis, but we are running out of targets.

Resources

If I saw far. . .

Warning

Mature field: If you attempt to make a system without reading the literature it will be broken!

Venues and Resources:

PET Workshop (Next year in Ottawa, Canada). A meeting place for all people working on anonymous communications.

WPES, always next to ACM CCS.

“Anonymity Bibliography” – freehaven.net/anonbib

Latest PhD theses: Claudia Diaz, Nikita Borisov, Matthew Wright, Andrei Serjantov, George Danezis.

Talk to people – they are all passionate and will reply!
