Systems Architecture Anonymous Key Agreement Dominik Oepen 11.06.2008.

Table of contents
• Introduction
• Key exchange in the original OR protocol
• Telescoping
• Bilinear pairings
• Boneh-Franklin setup
• Single pass protocol
• Lambda pass protocol
• Lessons learned

Introduction
• Communication over the Internet is generally not anonymous
• Techniques like SSL/TLS or SSH only protect the content of a message
• Who is talking to whom can easily be deduced from the source and target IP addresses
• Onion routing networks aim at protecting the user's privacy by allowing him to communicate without revealing his identity

Onion routing networks
• Onion routing networks protect their users' identity by relaying traffic over various proxies, called onion routers (ORs)
• The route of ORs is called a circuit

Message encryption
• The user shares a symmetric key with each OR
• Each message is wrapped in one layer of encryption per OR (hence the name onion routing)
• Every OR removes one layer of encryption
• The last OR (called the exit node) forwards the message to its destination

Onion routing networks
• The ORs only know their predecessor and successor
• Therefore the path of a packet cannot be reconstructed
• The user remains anonymous
• Other mechanisms need to be used to protect the message on its way from the exit node to the target (or from malicious exit nodes)

TOR
• TOR = The Onion Router
• Probably the most widespread implementation of onion routing
• Work on onion routing networks has been done since 1995
• Work was funded by DARPA, among others
• In 2003 “TOR: The second generation onion router” went online
• Mastermind: Roger Dingledine

The TOR threat model
• TOR does not protect against an adversary who controls the entire network
• TOR aims at frustrating an adversary who has control over a fraction of the network
• Timing attacks might still be possible
• TOR offers anonymity only at layer 3 (network layer)
• Users need to take care of cookies, JavaScript, HTTP Referer headers, etc.

Problems
• How is the circuit constructed?
• How are the keys exchanged between Alice and the ORs?
• She has to exchange a key with each OR, but they must not learn her identity

The original onion routing approach

The original onion routing approach
• Each OR has a private and a public key
• Public keys and a list of available onion routers are distributed via a directory server
• The user obtains a signed list of ORs and corresponding public keys from a directory server
• Then he randomly chooses nodes (normally three) for constructing a circuit

The original onion routing approach
• He constructs a packet (called an onion) containing:
  - A symmetric key for each OR
  - The destination of the next node
• Each layer of the onion is encrypted with the public key of the corresponding OR
• Complexity: Encryptions

The original onion routing approach
• Problem:
  - An attacker can record the encrypted traffic
  - He can then infiltrate the ORs of the circuit one by one, learning their private keys
  - In the end he knows the route (and possibly the content of the messages)
• We're looking for a protocol that provides forward secrecy
  - That means an attacker cannot learn the route of a packet by infiltrating the nodes at some later point in time

The original onion routing approach
• The original onion routing protocol can easily be changed to provide forward secrecy
• Nodes regularly have to generate new public/private keys and safely discard the old ones
• This means that the nodes and the users frequently have to contact the directory servers
• This leads to high overhead and is therefore inefficient

Telescoping

The TOR approach
• The (2nd generation) TOR protocol tries to solve some issues of the original onion routing protocol
• Lowers the load of the directory servers
• Provides forward secrecy
• The TOR circuit construction algorithm is called Telescoping
• Uses the Diffie-Hellman key exchange

Diffie-Hellman
• Establishing a shared secret between two parties, without sending it over the wire
• Both parties contribute to the established key
• An attacker cannot derive the key by eavesdropping on the communication
• Based on the discrete logarithm problem

Diffie-Hellman – The math

Telescoping
• The user performs a Diffie-Hellman key exchange with the first node, establishing a symmetric key
• Using this key and relaying traffic over the first node, he performs a DH key exchange with the second node
• He continues until the circuit is constructed
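The telescoping steps above, as an added Python sketch that is not part of the original slides. The group parameters `P` and `G`, the XOR keystream in `layer`, and the names `Router`, `wrap`, `build_circuit` and `relay` are assumptions made for illustration; real TOR uses vetted groups and ciphers.

```python
import hashlib
import secrets

# Toy parameters chosen for brevity (assumption): NOT a vetted DH group.
P = 2**521 - 1
G = 3
WIDTH = 66  # bytes needed to hold a value below P

def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(WIDTH, "big")).digest()

def layer(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream; applying it twice with the same key removes it."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class Router:
    def __init__(self, name):
        self.name, self.key = name, None

    def handshake(self, client_pub: int) -> int:
        y = secrets.randbelow(P - 2) + 1       # ephemeral exponent, never stored
        self.key = kdf(pow(client_pub, y, P))
        return pow(G, y, P)

    def peel(self, cell: bytes) -> bytes:
        return layer(self.key, cell)

    def teardown(self):
        self.key = None                         # dropped key => forward secrecy

def wrap(keys, payload: bytes) -> bytes:
    for key in reversed(keys):                  # innermost layer belongs to the last hop
        payload = layer(key, payload)
    return payload

def build_circuit(routers):
    keys = []
    for hop, router in enumerate(routers):
        x = secrets.randbelow(P - 2) + 1
        cell = wrap(keys, pow(G, x, P).to_bytes(WIDTH, "big"))
        for earlier in routers[:hop]:           # relayed over the partial circuit
            cell = earlier.peel(cell)
        reply = router.handshake(int.from_bytes(cell, "big"))
        keys.append(kdf(pow(reply, x, P)))      # return path is not modelled here
    return keys

def relay(routers, keys, payload: bytes) -> bytes:
    cell = wrap(keys, payload)
    for router in routers:
        cell = router.peel(cell)
    return cell
```

Each hop costs one more round trip through the hops already built, which is the circuit construction latency the slides go on to discuss.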

Telescoping
• Merits:
  - Directory servers are only needed so that users can learn the addresses of the nodes => low load
  - If the nodes drop the established keys when the communication is finished, the route cannot be reconstructed => forward secrecy
  - Telescoping can handle nodes that are not accepting connections
• Flaws:
  - High latency for circuit construction ( Encryptions)
  - A new circuit is constructed every time the user contacts another host
  - => Circuit construction latency is crucial for the performance of TOR

Bilinear Pairings

Bilinear Pairings
• Consider two additive cyclic groups G and Ġ and a multiplicative cyclic group GT, all of the same prime order n.
• A bilinear map e is a map e: G × Ġ → GT with the following properties:
  1. Bilinearity:
  2. Non-degeneracy: The map does not send all pairs in G × Ġ to unity in GT
  3. Computability: There is an efficient algorithm to compute e(P, Q) for any P ∈ G and Q ∈ Ġ.
Symmetric bilinear pairing: G = Ġ
Example: The modified Weil pairing over elliptic curve groups

The bilinear Diffie-Hellman assumption
• Given such a pairing, the bilinear Diffie-Hellman (BDH) problem is to compute ∈ GT given a generator P of G and elements
• An equivalent formulation of the problem, due to the bilinearity of the map, is to compute given a generator P of G, and elements A, B and cP in G.
• If there is no efficient algorithm to solve the BDH problem for G, GT, e, they are said to satisfy the BDH assumption.

Boneh-Franklin setup
• Private key generator (PKG) issues private keys to the nodes , where s is a master secret, and H: {0,1}* → G*
• Two nodes can compute a shared key: with
• Only the two nodes and the PKG know this key

Boneh-Franklin setup
• By replacing the IDs used in the Boneh-Franklin setup with pseudonyms we can achieve anonymity
• Pseudonym: , where is a random number out of
• New corresponding private key:
• Key exchange:
• Compatible with non-anonymous participants:
• Implicit key authentication: Only the owners of and can compute the keys

Pairing based key agreement
Single pass pairing based circuit construction

Pairing based onion routing
Forward secrecy in a pairing based onion routing network:
• Two crucial time-scale parameters:
  - Master key validity period (MKVP): Exposure time of the master secret s
  - Private key validity period (PKVP): Exposure time of a circuit against compromise of the ORs
• After each PKVP the ORs drop their private keys; after each MKVP the master secret (and therefore all private keys) is discarded
• PKVP approximately on the order of hours, MKVP on the order of days

Pairing based onion routing
A pairing based onion routing protocol:
• PKG setup:
  - Private/public keys for signatures
  - Bilinear pairing: Prime number n, groups G, Ġ and GT, map e and hash function H
  - For every MKVP the PKG generates a random master secret s, a random U ∈ G (shared value for all users of the system) and computes sU
  - It publishes the signed tuple

Pairing based onion routing
• User setup:
  - The user obtains from an OR or a website, where v_m is a timestamp
  - Every PKVP v, the user computes: for each OR, with Q_vi = H(v | OR_i)

Pairing based onion routing
• Circuit construction:
  - For each OR the user generates a random number , generates a pseudonym and derives a forward key
  - He constructs the following onion to construct the circuit:
  - Any OR that receives the onion calculates: and derives the keys
  - The rest of the protocol works just like the TOR protocol

Pairing based onion routing

Single pass pairing based protocol
• Merits:
  - Each user only needs to obtain one single authenticated value on his own => low load on service provider
  - Lower overhead than telescoping
  - Circuits can be changed on the fly
• Flaws:
  - The PKG needs to be more trusted than TOR's directory servers
  - Only eventual forward secrecy, not immediate

Distributed PKG
• The PKG knows the master secret s and therefore can decrypt all messages in the system
• Thus the PKG is a single point of failure
• To mitigate this risk one can use a distributed PKG
• Two possible solutions:
  - t out of m Shamir secret sharing: the master secret is distributed among m PKGs, any t+1 can compute it or generate a client's private key
  - Completely distributed PKG: each of m PKGs provides a random share for the master secret, but at any given time only t+1 PKGs need to be online to retrieve a client's private key
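An added Python sketch of the first option, not taken from the slides: the master secret s is shared with a degree-t polynomial over the prime group order, and any t+1 PKGs either recover s or jointly issue a key without any of them reassembling s. The toy order `N`, the use of integers mod `N` as a stand-in for the group G, and the key form s·Q (the standard Boneh-Franklin private key, which this transcript does not show) are assumptions.

```python
import secrets

N = 2**127 - 1  # prime group order n (constructed toy value, an assumption)

def split(secret: int, t: int, m: int):
    """Return m shares (i, f(i)) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            acc = (acc * x + c) % N
        return acc
    return [(i, f(i)) for i in range(1, m + 1)]

def lagrange_at_zero(xs):
    """Coefficients l_i such that sum(l_i * f(x_i)) == f(0) mod N."""
    coeff = {}
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        coeff[xi] = num * pow(den, -1, N) % N
    return coeff

def combine(points):
    """Interpolate at 0 from (x, value) pairs; needs at least t+1 of them."""
    lam = lagrange_at_zero([x for x, _ in points])
    return sum(lam[x] * v for x, v in points) % N

def partial_key(share, q: int):
    """One PKG's contribution s_i * Q; modular multiplication stands in for
    scalar multiplication in G (hypothetical model, see lead-in)."""
    x, s_i = share
    return x, s_i * q % N

def issue_key(shares, q: int):
    """Client side: combine partial keys from t+1 PKGs into s * Q."""
    return combine([partial_key(sh, q) for sh in shares])
```

With fewer than t+1 shares the interpolation yields an unrelated value, so compromising t of the m PKGs reveals nothing about s.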

Lambda pass circuit construction

Lambda pass circuit construction
• Immediate forward secrecy:
  - Compromise of an OR's private key must not allow any information about the circuit path to be recovered
  - After the circuit is destroyed and the keys are dropped it should not be possible to reconstruct the key
  - Both parties should contribute randomness to the shared key
• This is not possible in a single pass protocol
• Therefore the single pass circuit scheme only provides eventual forward secrecy (forward secrecy is achieved after each PKVP)

Lambda pass circuit construction
• To achieve immediate forward secrecy, we extend our single pass protocol to a lambda pass protocol
• At the beginning of the circuit construction the user chooses λ ORs (with λ < l)
• The user forms a TLS connection with
• The user forms an onion according to the single pass protocol with OR_λ2 as the exit node

Lambda pass circuit construction
• OR_λ2 generates:
• OR_λ2 sends a confirmation message along with his new pseudonym to the user and forgets
• The user continues until he has established keys with all nodes

Lambda pass circuit construction

Lambda pass circuit construction
• The reward:
  - Even if an attacker manages to corrupt some of the ORs' private keys, he cannot link the λ parts of the circuit together
  - We achieve immediate forward secrecy at λ nodes

Performance considerations

Conclusions
• The main drawback of today's onion routing techniques is performance
• There are several methods for anonymous key agreement, which differ in performance, overhead and provided security
• Bilinear pairings seem to offer a method for achieving good performance while keeping overhead low
• Using a distributed PKG and a λ-pass circuit construction we can meet high security standards at a good performance level