Computer Science Graduate Student Jinhae Kim


Tarzan: A Peer-to-peer Anonymizing Network Layer, by Michael J. Freedman and Robert Morris. Presented by Jinhae Kim, Computer Science Graduate Student.

Contents
Introduction
Design Goals
Network Model
Architecture
Details of Design
Security Analysis
Conclusion

Traffic Analysis Reveals Identities
Who is talking to whom may be confidential or private:
Who is searching a public database?
Which companies are collaborating?
Who are you talking to via e-mail?
Where do you shop on-line?

Introduction
Internet anonymization: without revealing its own identity, a host can communicate with an arbitrary server.
Anonymizer.com: a host sends messages to a server through a proxy.
Anonymous remailer systems, Onion Routing, and Zero-Knowledge's Freedom: a host connects to a server through a set of mix relays.

Introduction - Problems
Proxy server: DoS attacks; single point of failure.
A set of mix relays: network-edge traffic analysis.

Introduction - Tarzan
A sequence of mix relays with no centralized component (all peers are equal).
Hides the originator: each node can be an originator and/or a relay, which prevents edge analysis.
Constructs a tunnel through a sequence of Tarzan peers using layered encryption.
Ensures anonymity at the network layer.

Design Goals
Application independence
Anonymity against malicious nodes
Fault-tolerance and availability
Performance
Anonymity against a global eavesdropper

Network Model
(figure: node X on an unswitched LAN and local subnet behind a border gateway, with honest routers and nodes, malicious routers and nodes, corrupted domains, and spoofed nodes)
In relation to node X, adversarial machines can control address spaces and can spoof virtual nodes within corrupted domains.

Architecture Overview
(figure: client app, kernel divert, tunnel initiator, relayd, relayd, PNAT, Internet destination; flow tags 31, 17 and 59 on the successive tunnel links; the packet's source address changes App → Priv → PNAT while the destination stays Dest)
An IP packet is diverted to the local tunnel initiator.
The initiator translates it to a private address space, wraps it in several layers of encryption, and sends it to the first relay in UDP.
Each relay decrypts one layer and sends the packet to the next relay.
The PNAT extracts the original IP packet, NATs it to its own public address, and writes the raw packet to the Internet.

Packet Relay
A flow tag uniquely identifies each link of each tunnel.
Symmetric encryption hides the data; a MAC protects its integrity.
Separate keys are used in each direction of each relay.
The tunnel initiator:
clears each IP packet's source address field,
performs a nested encoding for each tunnel relay, and
encapsulates the result in a UDP packet.

Packet Relay - Encoding
T = (h1, h2, ..., hl, hpnat): the sequence of tunnel nodes
ek_hi, ik_hi: forward encryption and integrity keys of relay hi
seq: packet sequence number
The initiator produces a block Bi for each relay hi, starting with hpnat:
ci = ENC(ek_hi, {B_i+1})
ai = MAC(ik_hi, {seq, ci})
Bi = {seq, ci, ai}
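The nested encoding above, as an added Python example (not code from the paper or the Tarzan implementation): HMAC-SHA256 serves as the MAC and an HMAC-derived keystream stands in for the symmetric cipher, both assumptions, and each relay verifies its tag before peeling a layer, so a block tampered with in transit is dropped at the first hop that sees it.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag length; stands in for the paper's MAC (assumption)

def keystream(ek: bytes, seq: int, n: int) -> bytes:
    # PRF-based stream cipher, HMAC(ek, seq || counter) blocks (assumption: the
    # slides do not name the symmetric cipher Tarzan uses)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ek, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(ek: bytes, seq: int, data: bytes) -> bytes:
    # XOR with the keystream; encryption and decryption are the same operation
    return bytes(x ^ y for x, y in zip(data, keystream(ek, seq, len(data))))

def mac(ik: bytes, seq: int, c: bytes) -> bytes:
    # a_i = MAC(ik_hi, {seq, c_i})
    return hmac.new(ik, struct.pack(">Q", seq) + c, hashlib.sha256).digest()

def encode(relays, seq: int, packet: bytes) -> bytes:
    """Initiator side. relays = [(ek, ik), ...] in tunnel order h1, ..., hl, hpnat.
    Builds B_pnat first and wraps inward to B_1, the block sent to h1."""
    block = packet                                   # what hpnat must recover
    for ek, ik in reversed(relays):
        c = enc(ek, seq, block)                      # c_i = ENC(ek_hi, B_{i+1})
        block = struct.pack(">Q", seq) + c + mac(ik, seq, c)  # B_i = {seq, c_i, a_i}
    return block

def relay_decode(ek: bytes, ik: bytes, block: bytes):
    """One hop: verify a_i over (seq, c_i) before decrypting; None means drop."""
    if len(block) < 8 + MAC_LEN:
        return None
    seq = struct.unpack(">Q", block[:8])[0]
    c, tag = block[8:-MAC_LEN], block[-MAC_LEN:]
    if not hmac.compare_digest(mac(ik, seq, c), tag):
        return None
    return enc(ek, seq, c)                           # B_{i+1}, or the packet at hpnat

def deliver(relays, block: bytes):
    """Walk h1 ... hpnat, peeling one layer per hop; returns the packet or None."""
    for ek, ik in relays:
        block = relay_decode(ek, ik, block)
        if block is None:
            return None
    return block
```

An intermediate relay only ever sees the next encrypted block, never the cleared-source packet, which is what keeps each hop from learning more than its neighbours.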

Tunnel Setup
A Tarzan node pseudo-randomly selects a series of nodes.
The initiator iteratively sets up the entire tunnel hop by hop.
It generates and distributes the symmetric keys, encrypted under the relays' public keys.

Tunnel Setup Protocol
(figure: message flow between h0 (initiator), h1, h2, ..., hpnat)
h1 is chosen at random from h0.neighbors.
h2 is chosen at random from h1.neighbors; establish_request(h0, h2) and establish_response are exchanged.
h3 is chosen at random from h2.neighbors; establish_request(h1, h3) follows.
On !ok or timeout: a new h3 is chosen from h2.neighbors, followed by reset_forward_request(h3) and reset_forward_response.
... and so on, until establish_response(hl).

IP Packet Forwarding
Creates a generic anonymizing IP tunnel.
IP forwarder: diverts certain packets and ships them over a Tarzan tunnel.
Client forwarder: replaces the real address with a random address.
PNAT (Pseudonymous Network Address Translator): remote hosts can communicate with the PNAT normally.
Double-blinded channel: achieves both sender and recipient anonymity (using different PNATs).

Tunnel Failure and Reconstruction
The initiator regularly sends pings to the PNAT.
PNAT failure: select a new hpnat for the tunnel.
Otherwise: attempt to rebuild the tunnel to the original PNAT.
Higher-level connections don't die upon tunnel failure.

Peer Discovery
A Tarzan node requires some means to learn about all other nodes; Tarzan uses a simple gossip-based protocol for peer discovery.
The discovery protocol supports three related operations:
Initialization: allows fast information propagation.
Redirection: allows nodes to shed load.
Maintenance: provides an incremental update of a node's peer database with only new information.

Peer Discovery Protocol
Ua, Va: the sets of a's unvalidated and validated known peers.
A new node a contacts an existing node b to discover Ua.
Node a validates b once a receives a response.
Node a successively contacts the new neighbors in Ua, retrying neighbors in Va.
If the difference between Va and Vb is big: if b is busy, a.redirect(b); otherwise a.initialize(b).
Otherwise: a.maintain(b); b.maintain(a).

Peer Selection
Three-level hierarchy: /16 subnets, /24 subnets, and the relevant IP addresses.
The leading d bits of a node's IP address are transformed to an identifier via hash(ipaddr/d, date).
Lookup(key): generate id16 via hash(key/16, date) and find the smallest identifier ≥ id16 on the /0 identifier ring; then generate id24 and search the chosen /16's ring; and so on.
Example: Lookup(key) with id16 = 541A, id24 = 82F1, and id32 = 261B ultimately maps to the hash value 4F9A, which yields IP address 18.26.4.9.
(figure: three identifier rings, /0, 18.26/16 and 18.26.4/24, labelled with hexadecimal identifiers)

Cover Traffic and Link Encoding
Cover traffic provides more time-invariant traffic patterns, independent of bandwidth demands.
Mimics: traffic invariants between a node and its mimics protect against information leakage.

Selecting Mimics
Upon joining the network, node a asks k other nodes to exchange mimic traffic with it. The mimic relationship must be symmetric.
Ma^i: the i-th mimic of node a, the peer returned by lookup_i(a.ipaddr).
lookup_i(a.ipaddr): like peer selection, except that the identifier id_d is generated by recursively applying the cryptographic hash function i times to {a.ipaddr/d, date}, i ≤ (k+1).
Node a sends Ma^i a mimic request including the tuple {a.ipaddr/d, date}.
Accept condition: 1 < i ≤ (k+1) and Ma^i.lookup_i(a.ipaddr) = Ma^i.
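The three-level ring lookup from Peer Selection and the lookup_i mimic selection and acceptance check above, as an added Python example (not the project's code). SHA-256 over the string "prefix|date", 32-bit identifiers and a peer database shared by a and b are assumptions; the date input is what makes the mapping, and therefore the mimic assignments, rotate daily.

```python
import hashlib
import ipaddress

def prefix(ip: str, d: int) -> str:
    # leading d bits of an address, e.g. prefix("18.26.4.9", 16) -> "18.26.0.0/16"
    return str(ipaddress.ip_network(f"{ip}/{d}", strict=False))

def ident(value: str, date: str, times: int = 1) -> int:
    # hash({value, date}) applied `times` times; 32-bit ring identifier
    # (assumption: the slides show 16-bit hex ids; SHA-256 and the '|' encoding are choices made here)
    x = f"{value}|{date}".encode()
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return int.from_bytes(x[:4], "big")

def successor(candidates, target: int, date: str) -> str:
    # smallest identifier >= target on the ring, wrapping round to the smallest overall
    ring = sorted((ident(c, date), c) for c in candidates)
    return next((c for i, c in ring if i >= target), ring[0][1])

def lookup(peers, key: str, date: str, times: int = 1) -> str:
    """Three-level lookup: choose a /16 on the /0 ring, a /24 inside it, then a host.
    Ring members keep single-hash identifiers; only the target id is hashed `times` times."""
    cur = list(peers)
    for d in (16, 24, 32):
        target = ident(prefix(key, d), date, times)
        chosen = successor({prefix(p, d) for p in cur}, target, date)
        cur = [p for p in cur if prefix(p, d) == chosen]
    return cur[0]

def mimics(peers, a: str, date: str, k: int):
    # lookup_1(a.ipaddr) returns a itself, hence i ranges over 2..k+1
    return [lookup(peers, a, date, times=i) for i in range(2, k + 2)]

def accept_mimic(b: str, a: str, i: int, k: int, peers, date: str) -> bool:
    """b's check on a's request {a.ipaddr/d, date, i}: 1 < i <= k+1 and lookup_i(a) = b,
    recomputed by b from its own peer database so a cannot pick its mimics freely."""
    return 1 < i <= k + 1 and lookup(peers, a, date, times=i) == b
```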

Tunneling Through Mimics
Choice of relay: the mimics of the previous hop; the last hop is the PNAT.
(figure: mimic topology and traffic flows for k = 3; each node has κ ≈ 6 mimics; the tunnel is drawn with bold arrows and a random PNAT with a dotted line)

Unifying Traffic Patterns
The packet headers, sizes, and rates of a node's incoming traffic from its mimics must be identical to its outgoing traffic.
All packets along mimic links are symmetrically encrypted.
Encrypted packets along links are padded to be all the same size.
A node generates and distributes symmetric keys when it connects with a new mimic.

Security Analysis
Adversary goals:
Break sender anonymity by back-tracing observed messages to their source, watching traffic patterns or message encodings.
Trace a message forward to its egress from a PNAT to compromise the recipient anonymity of non-participating servers.
Tarzan's P2P design exposes less identifying topological information and resists powerful traffic-analysis attacks.

Comparing Anonymity Properties
(table, entries Yes / No / Maybe: information exposed under Onion Routing, Crowds, and Tarzan for a bad first relay, a bad intermediate relay, a bad last relay, and bad first and last relays; rows are sender activity, recipient activity, sender content, and recipient content)
Tarzan's model: P2P, layered encryption.
Onion Routing: network core, layered encryption.
Crowds: P2P, link encryption only.

Onion Routing
Define the route.
Construct the anonymous connection: the initiator and responder interface with onion routing proxies.
Move data through the connection using layered encryption.
Destroy the anonymous connection.
Reference: http://www.onion-router.net/Publications.html

Crowds
"Blending into a crowd": operates by grouping users into a large and geographically diverse group (a crowd).
Collaborating crowd members cannot distinguish the originator from a member who is merely forwarding.

Crowds - Path in a Crowd
(figure: a request forwarded along a path of numbered crowd members before reaching the Web servers)
Reference: http://avirubin.com/crowds.pdf

Static vs. Adaptive Adversaries
Static adversary:
Corrupts some number of independent physical machines.
Reads packets and analyzes the contents, sizes, rates, and volumes of packets addressed to machines under its control.
Uses timing analysis to determine whether packets seen at different relays belong to the same tunnel.
Time-bounded adaptive adversary:
Picks and chooses which machines to compromise after it joins the system, but is time-bounded.

Considering Adaptive Adversaries
To protect against an adaptive adversary:
The period needed to compromise all tunnel relays must be longer than the tunnel's duration.
Tunnels should not be repeatedly constructed through the same small set of largely-compromised relays.
Tarzan's random node-selection mechanism provides host diversity.
Honest nodes store tunnel keys and routing tables only in memory, and disable core dumps and process tracing.
Scalable architecture: offers a large choice of nodes.
Mimic reassignment: ensures the set of relays changes daily.

Defining Probability of Failure
An adversary compromises M gateway routers or LAN machines and runs m malicious nodes within each of these M corrupted domains. The network has n nodes in N domains.
CLAIM 1. A node selects a malicious mimic with probability M/N.
CLAIM 2. Nobody can bias an initiator's choice of relays.
To achieve these claims, a node must select its mimics uniformly over the entire set of domains.

Malicious Nodes Attempt...
Corrupt gossiping: gossip addresses that do not exist, or return only malicious nodes.
Leverage open admission: try to control "important" IP addresses or run multiple nodes.
Ignore the neighbor-selection algorithm: attempt to select malicious nodes as mimics.

Security Enforcement
Securing resource discovery: to protect against fake entries, Tarzan differentiates between unvalidated and validated addresses in the peer-discovery and selection process.
Hardening the open admissions policy: keys are distributed indirectly through the gossiping protocol, and tunnel initiators choose mimics by selecting uniformly at random from among the available domains.
Enforcing proper mimic selection: tunnels should be constructed through nodes selected in an unbiased and random fashion.

Traffic Analysis Attacks
Information leakage in tunnels: a global eavesdropper is countered with cover traffic.
Information leakage at network exit points: network-edge attacks include packet replay, tagging, reordering, and flooding. Prevention: sequence numbers, buffering incoming packets, encrypting messages, and cover traffic.

Conclusion
Tarzan provides a flexible layer for sender and recipient anonymity.
It sustains anonymity in hostile environments, against both malicious participants and global eavesdroppers.
It is transparent to Internet applications.
P2P design: decentralized, highly scalable, and easy to manage.
Lack of a network core: increased fault-tolerance to individual relay failure.