Anonymity – Generalizing Mixes

Slides:

Advertisements

Similar presentations

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Advertisements

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.

Reusable Anonymous Return Channels

Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.

Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.

Multicast Communication Multicast is the delivery of a message to a group of receivers simultaneously in a single transmission from the source – The source.

Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.

Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.

Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.

On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)

Slicing the Onion: Anonymity Using Unreliable Overlays Sachin Katti Jeffrey Cohen & Dina Katabi.

Provable Protocols for Unlinkability Ron Berman, Amos Fiat, Amnon Ta-Shma Tel Aviv University.

Traffic Analysis Prevention Chris Conger CIS6935 – Cryptographic Protocols 11/16/2004.

Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.

1 Quasi-Anonymous Channels Ira S. Moskowitz --- NRL Richard E. Newman --- UF Paul F. Syverson --- NRL Center for High Assurance Computer Systems Code 5540.

Anonymity on the Internet Presented by Randy Unger.

Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.

Anonymity – Crowds R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats.

1 Anonymity and Covert Channels in Simple, Timed Mix-firewalls Richard E. Newman --- UF Vipan R. Nalla -- UF Ira S. Moskowitz --- NRL

Communication System A communication system can be represented as in Figure. A message W, drawn from the index set {1, 2,..., M}, results in the signal.

Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia.

Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

Traffic Matrix Approach R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

Onion Routing R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.

Mapping Internet Sensor With Probe Response Attacks Authors: John Bethencourt, Jason Franklin, and Mary Vernon. University of Wisconsin, Madison. Usenix.

Making the Neutral Traffic Matrix More Meaningful Joseph Choi.

Randomized Algorithms for Distributed Agreement Problems Peter Robinson.

1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 

ECE 544 Protocol Design Project 2016 Kiran Jatty Lasya Nandamuri Varun Vinnakota.

William Stallings Data and Computer Communications

Information Complexity Lower Bounds

Topics discussed in this section:

Anonymous Communication

Anonymity Metrics R. Newman.

CONTRA Camouflage of Network Traffic to Resist Attack (Intrusion Tolerance Using Masking, Redundancy and Dispersion) DARPA OASIS PI Meeting – Hilton Head.

The Unbearable Futility of Data Privacy in Content-Centric Networking

Towards Measuring Anonymity

COT 5611 Operating Systems Design Principles Spring 2012

COT 5611 Operating Systems Design Principles Spring 2014

COS 463: Wireless Networks Lecture 9 Kyle Jamieson

Multiple Access Covert Channels

Cryptography Lecture 4.

Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology Authors: Andreas.

An Introduction to Privacy and Anonymous Communication

0x1A Great Papers in Computer Security

Enhancing chaum mixes with randomness

Parallel and Distributed Algorithms

Cost to defeat the N-1 Attack

Free-route Mixes vs. Cascades

Communication operations

Multiple Access Covert Channels

Anonymous Communication

T305: Digital Communications

Capacity of Ad Hoc Networks

Cryptography Lecture 4.

Anonymity and Covert Channels in Simple, Timed Mix-firewalls

Modeling Entropy in Onion Routing Networks

Cryptography Lecture 3.

Anonymity – Chaum Mixes

Implementing Multicast

Anonymous Communication

Timing Channels, Anonymity, Mixes, and Spikes

Switch Performance Analysis and Design Improvements

Presentation transcript:

Anonymity – Generalizing Mixes R. Newman

Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Applications of anonymity technology

Mix Generics Mix must make input messages unlinkable with output messages Messages must all be same length Messages must all be encrypted so as to appear random Can't hide source/destination addresses along a single hop in path, but must hide sender and receiver, as well as distance along path Mix must randomize order of output Batching Strategy How does Mix collect messages for mixing How does Mix select and forward messages

Mix Triggers Timed mix Threshold mix Hybrid mix Pool mix Mix gathers messages for period T, then sends Threshold mix Mix gathers N messages, then sends Classic Chaum Mix Hybrid mix Mix sends when N messages or period T reached Pool mix Mix keeps pool of messages of size P, when pool reaches size N+P, N randomly chosen messages are sent Continuous mix Mix attaches random delay D from some distribution to each msg M, sends M when delay is reached

Mix Generics Function p: N -> [0,1] Threshold mix Timed mix p depends on number of messages, outputs fraction of messages that mix flushes When to execute p? Threshold mix Mix runs p when N messages are in batch p always returns 1 (all messages are sent) Timed mix Mix runs p every T seconds p(n) = 1 always (flush all messages)

Mix Generics Function p: N -> [0,1] Threshold Pool mix p depends on number of messages, outputs fraction of messages that mix flushes When to execute p? Threshold Pool mix Mix runs p when pool reaches size n = N+P p(n) = N/(N+P) = 1 – P/(N+P) (always leave P messages in pool) Timed Pool mix Mix runs p every T seconds p(n) = (n-P)/n = 1 – P/n

Measuring Anonymity Anonymity Set Size = number of input messages that could correspond to a given output message Threshold Mix: Anonymity set size is always N (threshold) Timed Mix: Anonymity set size depends on batch size Pool Mix: Message may remain in pool for some time Anonymity set size = number of messages that ever entered Mix! Not a good model!

Measuring Anonymity Anonymity Set Size = number of input messages that could correspond to a given output message Change to ”effective” AS size Use Entropy as measure H = - Sum [pi log pi ], pi is probability of ith item If N items, all have prob p = 1/N, then H = log N i.e., number of bits to specify which item out of N Here, pi is the probability that a particular input message i corresponds to an output message Effective AS size is 2H

Measuring Anonymity Timed Pool Mix Mix fires every T seconds ni msgs in pool in ith round ni – P messages are randomly selected Prob(msg is flushed) = pi = (ni–P)/ni Prob(msg that arrived in round r leaves in round i) = pr P [j = i to r-1] (1 – pj)

Measuring Anonymity Threshold Pool Mix Mix fires whenever n = N+P N messages are randomly selected Prob(msg is flushed) = N/(N+P) = 1 – P/(N+P) Prob(msg that arrived in round r leaves in round i) = [N/(N+P)] Prod [j = i to r-1] [N/(N+P)] Gain anonymity at cost of increasing delay Delay increased probabilistically according to exponential distribution

Binomial Mix Treat p(n) not as a (hard) fraction Treat as a probability instead Bias for coin to toss for each message in pool Decide whether to flush that message or not Now size of pool varies Let s = number of messages flushed On average, s = n p(n) But follows binomial distribution Variance = n p (1-p) Attacker gains less info about size of pool Practically can’t guess n with prob > 15%

Mix Padding In addition to padding messages to some constant length (and segmenting longer messages), mix may introduce dummy messages into traffic Dummy messages especially useful in timed mixes (may not have many messages to send) Strong resistance from network guys Increased network load! Research question: how much does this form of padding help, and what is the relationship between increase in anonymity and cost of padding?

Next Attacks on Mix networks Cost measures of Optimization Rerouting Message padding Optimization How to preserve anonymity at low (least?) cost Information leakage How much information is revealed? How? How to prevent? Treat as (covert) communication channel