Aaron Johnson with Joan Feigenbaum Paul Syverson

Slides:



Advertisements
Similar presentations
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Advertisements

Computer Networks TCP/IP Protocol Suite.
Virtual Trunk Protocol
Advanced Piloting Cruise Plot.
Analysis of Computer Algorithms
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Human Performance Improvement Process
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.
Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.
0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Addition Facts
Year 6 mental test 5 second questions
ZMQS ZMQS
Correctness of Gossip-Based Membership under Message Loss Maxim GurevichIdit Keidar Technion.
Communicating over the Network
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
1 Communication in Distributed Systems REKs adaptation of Tanenbaums Distributed Systems Chapter 2.
ABC Technology Project
Chapter 9 -- Simplification of Sequential Circuits.
©2004 Brooks/Cole FIGURES FOR CHAPTER 7 MULTI-LEVEL GATE CIRCUITS NAND AND NOR GATES Click the mouse to move to the next page. Use the ESC key to exit.
COMP 482: Design and Analysis of Algorithms
Comp 122, Spring 2004 Graph Algorithms – 2. graphs Lin / Devi Comp 122, Fall 2004 Identification of Edges Edge type for edge (u, v) can be identified.
IP Multicast Information management 2 Groep T Leuven – Information department 2/14 Agenda •Why IP Multicast ? •Multicast fundamentals •Intradomain.
VOORBLAD.
Chapter 4 Gates and Circuits.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Squares and Square Root WALK. Solve each problem REVIEW:
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
© 2012 National Heart Foundation of Australia. Slide 2.
Lets play bingo!!. Calculate: MEAN Calculate: MEDIAN
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 14: Simulations 1.
Chapter 5 Test Review Sections 5-1 through 5-4.
GG Consulting, LLC I-SUITE. Source: TEA SHARS Frequently asked questions 2.
Addition 1’s to 20.
25 seconds left…...
Week 1.
We will resume in: 25 Minutes.
Mathematics1 Mathematics 1 Applied Informatics Štefan BEREŽNÝ.
PSSA Preparation.
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
©2004 Brooks/Cole FIGURES FOR CHAPTER 11 LATCHES AND FLIP-FLOPS Click the mouse to move to the next page. Use the ESC key to exit this chapter. This chapter.
Immunobiology: The Immune System in Health & Disease Sixth Edition
Off-the-Record Communication, or, Why Not To Use PGP
Modeling Main issues: What do we want to build How do we write this down.
Distributed Computing 5. Snapshot Shmuel Zaks ©
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.
1 Anonymous Communications CSE 5473: Network Security Lecture due to Prof. Dong Xuan Some material from Prof. Joan Feigenbaum.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
Presentation transcript:

Aaron Johnson with Joan Feigenbaum Paul Syverson A Model of Onion Routing with Provable Anonymity Financial Cryptography ’07 2/12/07 Aaron Johnson with Joan Feigenbaum Paul Syverson

Overview Formally model onion routing using input/output automata Characterize the situations that provide anonymity 1

Anonymous Communication Mix Networks (1981) Dining cryptographers (1988) Onion routing (1999) Anonymous buses (2002) 2

Anonymous Communication Mix Networks (1981) Dining cryptographers (1988) Onion routing (1999) Anonymous buses (2002) 2

Onion Routing Practical design with low latency and overhead Open source implementation (http://tor.eff.org) Over 800 volunteer routers Estimated 200,000 users 3

Anonymous Communication Deployed Analyzed Mix Networks Dining cryptographers Onion routing Anonymous buses 4

Related work A Formal Treatment of Onion Routing Jan Camenisch and Anna Lysyanskaya CRYPTO 2005 A formalization of anonymity and onion routing S. Mauw, J. Verschuren, and E.P. de Vink ESORICS 2004 I/O Automaton Models and Proofs for Shared-Key Communication Systems Nancy Lynch CSFW 1999 5

Overview Formally model onion routing using input/output automata Characterize the situations that provide anonymity 6

Overview Formally model onion routing using input/output automata Simplified onion-routing protocol Non-cryptographic analysis Characterize the situations that provide anonymity 6

Overview Formally model onion routing using input/output automata Simplified onion-routing protocol Non-cryptographic analysis Characterize the situations that provide anonymity Send a message, receive a message, communicate with a destination Possibilistic anonymity 6

How Onion Routing Works 1 2 u d 3 5 User u running client Internet destination d 4 Routers running servers 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d 7

How Onion Routing Works {{{m}3}4}1 1 2 u d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u d 3 5 {{m}3}4 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u d 3 5 {m}3 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u m d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u d m’ 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u d 3 5 4 {m’}3 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u {{m’}3}4 d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 {{{m’}3}4}1 u d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged. Stream is closed. 7

How Onion Routing Works 1 2 u d 3 5 4 u creates 3-hop circuit through routers u opens a stream in the circuit to d Data is exchanged. Stream is closed. Circuit is changed every few minutes. 7

How Onion Routing Works 1 2 u d 3 5 4 8

How Onion Routing Works 1 2 u d 3 5 4 8

How Onion Routing Works 1 2 u d 3 5 4 Main theorem: Adversary can only determine parts of a circuit it controls or is next to. 8

How Onion Routing Works 1 2 u d 3 5 4 u 1 2 Main theorem: Adversary can only determine parts of a circuit it controls or is next to. 8

Anonymous Communication Sender anonymity: Adversary can’t determine the sender of a given message Receiver anonymity: Adversary can’t determine the receiver of a given message Unlinkability: Adversary can’t determine who talks to whom 9

Adversaries Passive & Global Active & Local 10

Adversaries Passive & Global Active & Local 10

Adversaries Passive & Global Active & Local 10

Adversaries Passive & Global Active & Local 10

Model Constructed with I/O automata Simplified onion-routing protocol Models asynchrony Relies on abstract properties of cryptosystem Simplified onion-routing protocol No key distribution No circuit teardowns No separate destinations No streams No stream cipher Each user constructs a circuit to one destination Circuit identifiers 11

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Automata Protocol u v w 12

Creating a Circuit u 1 2 3 13

Creating a Circuit [0,{CREATE}1] u 1 2 3 CREATE/CREATED 13

Creating a Circuit u 1 2 3 [0,CREATED] CREATE/CREATED 13

Creating a Circuit u 1 2 3 CREATE/CREATED 13

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [0,{[EXTEND,2,{CREATE}2]}1] u 1 2 3 CREATE/CREATED EXTEND/EXTENDED 14

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l1,{CREATE}2] u 1 2 3 CREATE/CREATED EXTEND/EXTENDED 14

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l1,CREATED] 14

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED 14

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [0,{{[EXTEND,3,{CREATE}3]}2}1] u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l1,{[EXTEND,3,{CREATE}3]}2] u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l2,{CREATE}3] u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l2,CREATED] CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [l1,{EXTENDED}2] CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Creating a Circuit u 1 2 3 CREATE/CREATED EXTEND/EXTENDED [Repeat with layer of encryption] 15

Input/Ouput Automata States Actions Every state has enabled actions Input, ouput, internal Actions transition between states Every state has enabled actions Input actions are always enabled Alternating state/action sequence is an execution In fair executions actions enabled infinitely often occur infinitely often In cryptographic executions no encrypted control messages are sent before they are received unless the sender possesses the key 16

I/O Automata Model Automata Notation User Server Fully-connected network of FIFO Channels Adversary replaces some servers with arbitrary automata Notation U is the set of users R is the set of routers N = U  R is the set of all agents A  N is the adversary K is the keyspace l is the (fixed) circuit length k(u,c,i) denotes the ith key used by user u on circuit c 17

User automaton 18

User automaton 18

User automaton 18

User automaton 18

User automaton 18

User automaton 18

User automaton 18

Server automaton 19

Server automaton 19

Server automaton 19

Server automaton 19

Server automaton 19

Server automaton 19

Server automaton 19

Server automaton 19

Anonymity Definition (configuration): A configuration is a function URl mapping each user to his circuit. 20

Anonymity Definition (configuration): A configuration is a function URl mapping each user to his circuit. Definition (indistinguishability): Executions  and  are indistinguishable to adversary A when his actions in  are the same as in  after possibly applying the following: : A permutation on the keys not held by A. : A permutation on the messages encrypted by a key not held by A. 20

Anonymity Definition (anonymity): User u performs action  anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs , there exists an execution that is indistinguishable to A in which u does not perform . 21

Anonymity Definition (anonymity): User u performs action  anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs , there exists an execution that is indistinguishable to A in which u does not perform . Definition (unlinkability): User u is unlinkable to d in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talk to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d. 21

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution  of C there exists an indistinguishable, fair, cryptographic execution  of D. The converse also holds. 22

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution  of C there exists an indistinguishable, fair, cryptographic execution  of D. The converse also holds. C u 1 2 v 3 5 4 22

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution  of C there exists an indistinguishable, fair, cryptographic execution  of D. The converse also holds. C D u 1 2 v 3 5 2 3 4 22

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution  of C there exists an indistinguishable fair, cryptographic execution  of D. The converse also holds. C D u 1 2 v 2 5 2 v 3 5 u 4 2 3 4 22

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution  of C there exists an indistinguishable fair, cryptographic execution  of D. The converse also holds. C D u u 1 2 1 2 v v 3 3 5 5 4 4 22

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys. 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys.  is an execution of D:  is fair:  is cryptographic:  is indistinguishable: 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys.  is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid.  is fair:  is cryptographic:  is indistinguishable: 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys.  is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid.  is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router.  is cryptographic:  is indistinguishable: 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys.  is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid.  is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router.  is cryptographic: Key permutations are applied to the entire sequence, and the original sequence was cryptographic.  is indistinguishable: 23

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution  of C there exists a fair, cryptographic execution  of D that is indistinguishable to A. Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in  with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation  send u to v and v to u and other users to themselves. Apply  to the encryption keys.  is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid.  is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router.  is cryptographic: Key permutations are applied to the entire sequence, and the original sequence was cryptographic.  is indistinguishable:The permutation needed to make  look like  to A is just the reverse of the key permutation used to create . 23

Unlinkability Corollary: A user is unlinkable to its destination when: 24

Unlinkability Corollary: A user is unlinkable to its destination when: 4? The last router is unknown. u 3 2 5? 24

Unlinkability Corollary: A user is unlinkable to its destination when: 4? The last router is unknown. u 3 2 5? OR The user is unknown and another unknown user has an unknown destination. 2 1 4 2? 5 4? 5? 24

Unlinkability Corollary: A user is unlinkable to its destination when: 4? The last router is unknown. u 3 2 5? OR The user is unknown and another unknown user has an unknown destination. 2 1 4 2? 5 4? 5? OR The user is unknown and another unknown user has a different destination. 2 1 4 5 2 1 24

Model Robustness Only single encryption still works Can remove circuit identifiers Can include stream ciphers May allow users to create multiple circuits 25

Future Work Construct better models of time Exhibit a cryptosystem with the desired properties Incorporate probabilistic behavior by users 26