Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems
Today’s Lecture Practical course issues. Theoretical anonymity. –Dinning Cryptographers Protocol –Definitions of Anonymity –The Crowds Protocol BREAK Practical anonymous systems –Onion Routing and the Tor System –Mix Networks –Anonymous File-sharing Systems: MUTE –Anonymous Publishing: Freenet
Crowds A crowd is a group of n nodes The initiator selects randomly a node (called forwarder) and forwards the request to it A forwarder: –With prob. 1-p f selects randomly a new node and forwards the request to him –With prob. p f sends the request to the server server
Crowds The sender is beyond suspicion to the server. Some of the nodes could be corrupted. The initiator could forward the message to a corrupted node. The sender has probable innocence to other nodes.
Crowds Problem: many people won’t forward traffic for others. A practical system has to make forwarding traffic for others optional or controllable. server
Onion Routing Each node makes its key public The initiator selects the whole route and encrypts the message with all keys in reverse order Each node unwraps a layer and forwards the message to the next one {2,{3,{server,m} k3 } k2 } k m {3,{server,m} k3 } k2 {server,m} k3 server
Onion Routing Each node only learns the next one in the path End-users can run their own node –Better anonymity or use an existing one –More efficient –User's identity is revealed to the node
Tor Tor implement this protocol. Several hundred volunteer nodes. Firefox plug-in. Managed by the US navy.
Problems with Tor You reveal you IP to the first node and the last node see who you are talking to. If an attacker controls the first and the last node they may be able to match the packets using traffic analysis. No anonymity from an attacker that monitors the whole network. Some protocol broadcast their IP address
MIXes MIXes are proxies that forward messages between them A user contacts a MIX to send a message The MIX waits until it has received a number of messages, then forwards them in different order
MIXes It is difficult to trace the route of each message. May provide beyond suspicion S-R unlinkability even to a global attacker. Messages have to be delayed (can be solved with dummy traffic). More complicated when sending series of packets
Mutli-casting Broadcast the message to the whole network. Beyond suspicion for the receiver. No anonymity for the sender. Multicasting is a good technique for broadcasting messages.... but very inefficient to send just one message.
Spoofed UDP The from IP address is not used by routers, only by higher-level protocols such as TCP. UDP does not have to use this address. A random address can be used instead to provide sender anonymity. Method prohibited by many ISPs.
Anonymous File-Sharing system 800,000 downloads Informal description Source code Appeal for donations
Peer-to-Peer File-Sharing In newer networks peers record the IP address of other peers. A searcher sends a request to all of it’s “neighbours”. This is forwarded to all of there neighbours, up to a fixed hops. A
Peer-to-Peer File-Sharing The search request includes A’s IP address. Any peer with the requested file contacts A directly. Peer “A” may then request the file. A
Peer-to-Peer File-Sharing No anonymity from peers inside the network: The search message gives the searcher’s IP address and name of the files they are looking for. By requesting a file, you can find out the IP address of all peers that are offering the file. A
MUTE MUTE removes the IP address from the file exchange. Peers only know the IP address of their direct neighbours. Peers choose random “pseudo ID”. Files are not sent directly between peers. Instead files are sent via a number of peers. MUTE uses a version of the “Ants” ad-hoc routing protocol.
Anonymity Provided by MUTE MUTE makes it hard to link the IP address of a peer with its pseudo ID. Peers only know the ID address's of their direct neighbours, but not their pseudo ID. The network should provide enough cover to let a neighbour deny using a particular ID. If an attacker can completely surround a peer it looses anonymity.
MUTE: Search The search takes place as before, but this time the message uses its pseudo ID as the “from ID”. Each peer builds a routing table by records the ID and the connection. A probabilistic time-to-live counter limits the search. A A A A A A A A A
MUTE: Reply If B wants to reply it sends a message to A’s pseudo ID. This message is routed using the ad- hoc routing table. The route to B is also recorded A A A A A A A A A B B B B
Un-forgeable Pseudo IDs MUTE using a hash of using authentication keys as the peers pseudo IDs. A peer generates a RSA signature key “kS” and an authentication key “kA”. The message header now has the form: ( to ID, #(kA), message ID-time_stamp, FLAGS:(S kS (messageID-time_stamp), kA) )
Freenet and Free Haven There are a number of “anonymous publishing system”. For example Freenet and the MIX based Free Haven. These systems make the original author of a file anonymous, not the responder. Nodes will often cache files.Therefore you can “trick” a node into storing and “offering” a file.
Summary of methods
Some Kinds of Attack Timing attacks System Membership Time-to-Live Attacks (Mute, Mantis) Multiple Attackers (Mute) Statistical Attacks (MIXes) Forced Repeat (Crowds) Nodes Joining and Leaving Denial of Service (Mute)
Today’s Lecture Practical course issues. Theoretical anonymity. –Dinning Cryptographers Protocol –Definitions of Anonymity –The Crowds Protocol BREAK Practical anonymous systems –Onion Routing and the Tor System –Mix Networks –Anonymous File-sharing Systems: MUTE –Anonymous Publishing: Freenet