Anonymity
Overview
- What is anonymity?
- Why should anyone care about anonymity?
- Relationship with security and in particular identification
- Why anonymity and P2P?
- Simple model
  - Parties exchange information in a P2P network
  - Sender anonymity
  - Receiver anonymity
Related notions
- Confidentiality
  - Content of message is not known
  - Typically achieved by encryption
  - Is not an alternative to anonymity when the act of sending messages must be hidden or when the content of the message can be deduced
- Privacy
  - In some works equated with anonymity
  - Usually, protection of personal/secret data as opposed to hiding the identity
Definitions
- Following Pfitzmann and Hansen
- Subjects: senders and receivers
- Items of interest: messages
- The notion of anonymity set
- Anonymity: the property of not being identifiable within an anonymity set
- We are especially interested in sender anonymity and receiver anonymity
Unlinkability
- Let L be a relation between pairs of items; L is the link relation
- Let D be the data that an adversary obtains by observing the system
- We say that two items a, b are unlinkable if Pr[L(a,b)|D] = Pr[L(a,b)]
- α-sender anonymity for a sender s and message m means: Pr[L(s,m)|D] = Pr[L(s,m)] > α
Unlinkability (cont.)
- α-receiver anonymity for a receiver r and message m means: Pr[L(m,r)|D] = Pr[L(m,r)] > α
- An α-anonymous communication system is a system in which every receiver and sender is α-anonymous for every message in any sequence of messages
- Anonymity in this definition is a function of D
- We relax all definitions to be computational: it is sufficient that the adversary is unable to distinguish between the probabilities
Who is the Adversary
- In the real world
  - An organization such as RIAA or MPAA
  - A government / intelligence service
  - Police
  - Potentially criminals
- An adversary model determines what capabilities the adversary has
  - Monitoring links
  - Operating “poisoned” peers
  - Possibly, coercing a peer to implicate itself or others
Some typical restrictions
- In many works the power of the adversary is limited in ways that are sometimes natural (but not always)
  - Adversary can monitor up to a given number of links in the network
  - Adversary can’t break encryption or forge signatures
  - Adversary can monitor up to a given number of links of a specific sender
  - Adversary can’t perform traffic analysis
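The following Python is an added example, not part of the slides: it works the unlinkability definition from the "Unlinkability" slides through for one adversary of the kind just described, namely one that monitors a bounded number of sender links. The model itself is a constructed assumption (a uniform prior over n senders, a monitored link revealing only whether its sender transmitted in the window, other senders transmitting by chance with probability q), as are the sender names and the functions posterior, anonymity_set, is_unlinkable and demo. It shows that anonymity is a function of D: the same monitored set D leaves the true sender linkable with posterior 1/3 when traffic is sparse, but unlinkable (posterior equal to the prior) when every link is always busy.

```python
from fractions import Fraction


def posterior(senders, monitored, transmitted, q):
    """Pr[L(s,m)|D] for every sender s, in a constructed toy model of the slides' definitions.
    Prior: each of the n senders is equally likely to have sent message m, so Pr[L(s,m)] = 1/n.
    D: the adversary monitors the links in `monitored` and saw the subset `transmitted` of
    them carry traffic in the window. The true sender always transmits; every other sender
    transmits anyway (cover or unrelated traffic) with probability q. Bayes' rule gives the
    posterior as Pr[D | s sent m] normalised over s; the uniform prior cancels out."""
    silent = len(monitored) - len(transmitted)
    weights = {}
    for s in senders:
        if s in monitored:
            # s observed: if silent, s cannot be the sender; if seen, the other |T|-1 seen
            # senders transmitted by chance and the silent monitored senders did not
            weights[s] = (Fraction(0) if s not in transmitted
                          else q ** (len(transmitted) - 1) * (1 - q) ** silent)
        else:
            # s unobserved: all |T| seen senders transmitted by chance, the silent ones did not
            weights[s] = q ** len(transmitted) * (1 - q) ** silent
    total = sum(weights.values())
    return {s: w / total for s, w in weights.items()}


def anonymity_set(post):
    """Senders the adversary cannot rule out after seeing D."""
    return {s for s, p in post.items() if p > 0}


def is_unlinkable(post, s, n):
    """The slide's unlinkability condition for s and m: Pr[L(s,m)|D] == Pr[L(s,m)] = 1/n."""
    return post[s] == Fraction(1, n)


def demo():
    """Constructed data: five senders, alice is the true sender, three of the five links are monitored."""
    senders = ["alice", "bob", "carol", "dave", "erin"]
    monitored = {"alice", "bob", "carol"}
    # Sparse traffic (q = 1/2): alice and bob were seen sending, carol was silent.
    partial = posterior(senders, monitored, {"alice", "bob"}, Fraction(1, 2))
    # Constant-rate cover traffic (q = 1): every monitored link is always busy.
    cover = posterior(senders, monitored, monitored, Fraction(1))
    return (partial["alice"], anonymity_set(partial),
            is_unlinkable(partial, "alice", 5), is_unlinkable(cover, "alice", 5))
```

In the sparse case the silent monitored sender drops out of the anonymity set (four of five remain) and the two senders seen transmitting are twice as likely as the unmonitored ones, so the restriction "at most three monitored links" alone does not preserve unlinkability; it is the cover traffic, which removes the information the monitored links carry, that restores Pr[L(s,m)|D] = Pr[L(s,m)].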
Anonymizer
- Simply a proxy: accepts messages and resends them as if it is the source
- Sufficient for sender anonymity in some scenarios
- Risks
  - It fails if all lines coming into and out of the anonymizer are monitored
  - The anonymizer itself may collude with the adversary
  - Operators of botnets often use compromised servers as anonymizers (without the owners’ permission or awareness of the fact)
Mix
- Chaum - in the context of
- An anonymizer that tries to defeat monitoring of its lines
- Every incoming and outgoing message is encrypted. Let m be a message:
  - E_{k_in}(m) is the encryption of the incoming message
  - E_{k_out}(m) is the encryption of the outgoing message
- Adversary can’t distinguish between the pairs and, for an arbitrary message p in a given domain
- The mix changes the order, timing and length of outgoing packets compared to incoming packets
Mix (cont.)
- Mix tries to defeat:
  - Direct monitoring – by encrypting content
  - Traffic analysis – by changing parameters of the traffic that are not affected by encryption
- Encryption adds to the computational overhead
- Changing length, timing and order is not always possible
  - Example: real-time traffic such as voice and video
  - Mixes often have partial functionality
- An adversarial mix is still possible
Onion Routing - Overview
- Based on Chaum mixes
- By Reed, Syverson, Goldschlag (1996)
- Objectives:
  - Works with traffic that is almost real time (e.g. HTTP)
  - Bi-directional traffic
  - Provides sender anonymity
  - Reduce effectiveness of traffic analysis
- All peers in the network “know” each other’s public key
- End entities are not necessarily part of the network
- Network nodes are called Onion Routers (OR)
Preparation of onion
- Sender:
  - Chooses a random path to the receiver
  - Notation: Sender = OR_1, OR_2, …, OR_n = Receiver
  - Retrieves the public keys of the path from a directory
- Onion includes n-1 layers
- Layer i, i = 2, 3, …, n, encrypts with the public key of OR_i:
  - Address of next onion router, OR_{i+1}
  - Forward encryption / decryption algorithm E_fi
  - Forward encryption / decryption key K_fi
  - Backward encryption / decryption algorithm E_bi
  - Backward encryption / decryption key K_bi
  - Some additional information
  - Layers i+1, …, n
Preparation of onion (cont.)
- Payload is encrypted in layers
- The n-th layer encrypts the payload
- The i-th layer encrypts layers i+1, …, n
- The i-th layer, i = 2, 3, …, n, includes encryption by E_fi with key K_fi
Processing by Onion Routers
- OR_i uses its private key to encrypt / decrypt the i-th layer of the onion
- OR_i uses E_fi with key K_fi to encrypt / decrypt the i-th layer of the payload
- OR_i sends the onion and the payload, after “peeling” off a layer, to OR_{i+1}
- OR_i retains the onion for a time
Response
- The receiver can send a reply message by the backward encryption algorithm and key
- In the response, OR_i encrypts the layered message it receives with encryption algorithm E_bi and key K_bi
- Response relies on the same route as the original message
- Sender uses the stored list of E_bi and keys K_bi to decrypt
- Sender can prepare a route for a reply
  - Same route can be used later
  - Different route
Reply onion
- Layer i, i = 1, 2, 3, …, n, encrypts with the public key of OR_{n+1-i}:
  - Address of next onion router, OR_{n-i}
  - Backward encryption algorithm E_bi
  - Backward encryption key K_bi
  - Forward decryption algorithm E_fi
  - Forward decryption key K_fi
  - Some additional information
  - Layers i+1, …, n
- The inner layer (encrypted with the sender’s key) includes E_fi, E_bi, K_bi, K_fi for all i
- Each processor “adds” a layer of encryption to the message
- The sender peels all the layers
Additional Mechanisms
- Replay protection
  - Each layer contains the expiration time
  - An OR stores the onion until the expiration time
  - If the same onion is sent within the expiration time then the OR discards it
  - If an expired onion is sent then the OR discards it
- Padding
  - Each OR adds random padding to the onion to compensate for the removed layer
- Loose routing
  - Sender defines the list of ORs in the path
  - OR_i can send the onion to OR_{i+1} by a route it chooses
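The Python below is an added example, not code from the slides or from Reed, Syverson and Goldschlag's system. It serves both the "Mix" slides and the onion routing slides from "Preparation of onion" through "Additional Mechanisms": each OnionRouter re-encrypts (peels a layer of) what passes through it, pads the onion back to a fixed length, and releases its whole batch in random order, and the sender builds an n-1 layer onion with a per-hop next address, K_fi, K_bi and expiry, the receiver replies through the same route with each OR adding a K_bi layer, and a replayed onion is refused. Everything not on the slides is an assumption: the class and function names, the toy XOR-with-SHA-256 keystream standing in for E_fi / E_bi and for the public-key layer, the JSON layer header, the single onion id carried in every layer, and the message texts.

```python
import hashlib
import json
import os
import random

PAYLOAD_LEN = 256   # fixed payload length: peeling a layer does not change the size on the wire
ONION_LEN = 1024    # fixed onion length: an OR pads back up to it after removing a layer


def toy_cipher(key, data):
    """Toy stream cipher (constructed for this example, not a real algorithm): XOR with a
    SHA-256 counter keystream. Symmetric, so one call both encrypts and decrypts. It stands in
    for E_fi / E_bi and, used with an OR's secret, for the public-key layer of the onion."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class OnionRouter:
    """One hop: peels a layer, re-pads, and releases its batch in random order (a mix)."""

    def __init__(self, name, directory):
        self.name = name
        self.secret = os.urandom(32)     # stands in for the OR's private key
        directory[name] = self.secret    # the sender's directory (public keys in the real scheme)
        self.seen = {}                   # onion id -> expiry, for replay protection
        self.sessions = {}               # onion id -> (K_fi, K_bi), retained for the reply
        self.batch = []                  # held until flush(), which changes order and timing

    def accept(self, onion, payload, now):
        """Peel one layer and queue the result; returns False if the onion is discarded."""
        plain = toy_cipher(self.secret, onion)
        hlen = int.from_bytes(plain[:2], "big")
        hdr = json.loads(plain[2:2 + hlen])
        self.seen = {i: e for i, e in self.seen.items() if e > now}
        if hdr["exp"] <= now or hdr["id"] in self.seen:     # expired, or replayed before expiry
            return False
        self.seen[hdr["id"]] = hdr["exp"]
        kf, kb = bytes.fromhex(hdr["kf"]), bytes.fromhex(hdr["kb"])
        self.sessions[hdr["id"]] = (kf, kb)
        inner = plain[2 + hlen:]
        inner += os.urandom(ONION_LEN - len(inner))          # padding replaces the removed layer
        self.batch.append((hdr["next"], hdr["id"], inner, toy_cipher(kf, payload)))
        return True

    def flush(self):
        """Release the whole batch at once, in random order."""
        out, self.batch = self.batch, []
        random.shuffle(out)
        return out

    def backward(self, onion_id, reply):
        """Reply path: add one layer with K_bi of the session the reply belongs to."""
        return toy_cipher(self.sessions[onion_id][1], reply)


def build_onion(path, directory, message, exp):
    """Sender side. path = [sender, OR_2, ..., OR_n]; layers are built inner-first (OR_n to OR_2).
    Returns (onion, payload, onion id, [K_b2, ..., K_bn]). Simplification: one id is carried in
    every layer; a deployed design would use per-link identifiers instead."""
    onion, kbs, oid = b"", [], os.urandom(8).hex()
    payload = message.ljust(PAYLOAD_LEN, b"\0")
    for i in range(len(path) - 1, 0, -1):
        kf, kb = os.urandom(32), os.urandom(32)
        kbs.insert(0, kb)
        hdr = json.dumps({"next": path[i + 1] if i + 1 < len(path) else None, "exp": exp,
                          "kf": kf.hex(), "kb": kb.hex(), "id": oid}).encode()
        onion = toy_cipher(directory[path[i]], len(hdr).to_bytes(2, "big") + hdr + onion)
        payload = toy_cipher(kf, payload)                    # the i-th payload layer
    return onion + os.urandom(ONION_LEN - len(onion)), payload, oid, kbs


def run_demo(now=1000.0):
    """Constructed scenario: senders A and B both use OR2 -> OR3 -> OR4 (OR4 is the receiver);
    A gets a reply back; A's onion replayed at OR2 is refused."""
    directory = {}
    ors = {n: OnionRouter(n, directory) for n in ("OR2", "OR3", "OR4")}
    path = ["sender", "OR2", "OR3", "OR4"]
    onion_a, payload_a, oid_a, kbs_a = build_onion(path, directory, b"hello from A", now + 60)
    onion_b, payload_b, oid_b, _ = build_onion(path, directory, b"hello from B", now + 60)
    pending = [(None, None, onion_a, payload_a), (None, None, onion_b, payload_b)]
    for name in ("OR2", "OR3", "OR4"):                       # each hop mixes the whole batch
        for _, _, on, pl in pending:
            ors[name].accept(on, pl, now)
        pending = ors[name].flush()
    received = {oid: pl.rstrip(b"\0") for _, oid, _, pl in pending}   # plaintext at OR4
    reply = b"reply to A".ljust(PAYLOAD_LEN, b"\0")
    for name in ("OR4", "OR3", "OR2"):                       # each hop adds a layer with K_bi
        reply = ors[name].backward(oid_a, reply)
    for kb in kbs_a:                                         # the sender peels them all
        reply = toy_cipher(kb, reply)
    replayed = ors["OR2"].accept(onion_a, payload_a, now + 1)
    return received[oid_a], received[oid_b], reply.rstrip(b"\0"), replayed
```

On the wire between two ORs only the re-encrypted onion and payload travel, both at constant length and in shuffled batch order, which is what takes content, length and order away from a link monitor; the replay check and the expiry inside each layer are what the "Additional Mechanisms" slide describes. Because the toy cipher is an XOR keystream, the order in which the sender peels the K_bi layers does not matter; with a real cipher the layers would have to be removed in reverse order of application.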
Anonymity analysis
- Onion routing provides sender anonymity
- Reply onions can be used for some receiver anonymity
- Anonymity works against adversaries that:
  - Monitor any number of links
  - Control ORs (as long as at least one OR per path is not corrupted)
  - Analyze message content and message length
Anonymity analysis (cont.)
- Anonymity does not work if the adversary:
  - Compares timing of packets at sender and receiver
  - Actively introduces timing signatures and compares the signature on the receiver side
  - Subverts public keys (Sybil attack)
  - Tags padding and looks for the tag at the receiving end
  - Can compromise additional ORs over time
  - Records traffic and decrypts it later