Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.

Slides:



Advertisements
Similar presentations
Aaron Johnson with Joan Feigenbaum Paul Syverson
Advertisements

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Tor: The Second-Generation Onion Router
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
LASTor: A Low-Latency AS-Aware Tor Client
LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Location-Aware Onion Routing Aaron Johnson U.S. Naval Research Laboratory IEEE Symposium on Security and Privacy May 19, 2015.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Dynamic Hypercube Topology Stefan Schmid URAW 2005 Upper Rhine Algorithms Workshop University of Tübingen, Germany.
Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.
I NTERNET A NONYMITY By Esra Erdin. Introduction Types of Anonymity Systems TOR Overview Working Mechanism of TOR I2P Overview Working Mechanism of I2P.
Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Chapter 4.1 Interprocess Communication And Coordination By Shruti Poundarik.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Toward Understanding Congestion in Tor DC-area Anonymity, Privacy, and Security Seminar January 24 th, 2014 Rob Jansen U.S. Naval Research Laboratory *Joint.
Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.
Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.
Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
How to play ANY mental game
© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Case Study: TOR Anonymity Network Bahadir Ismail Aydin Computer Sciences and Engineering University.
Dynamic Network Emulation Security Analysis for Application Layer Protocols.
Preserving Link Privacy in Social Network Based Systems Prateek Mittal University of California, Berkeley Charalampos Papamanthou.
Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.
Security Michael Foukarakis – 13/12/2004 A Survey of Peer-to-Peer Security Issues Dan S. Wallach Rice University,
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
Alternative Wide Block Encryption For Discussion Only.
© copyright NTT Information Sharing Platform Laboratories Cryptographic Approach to “Privacy-Friendly” Tags Miyako Ohkubo, Koutarou Suzuki, and Shingo.
The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009.
Gergely Tóth, 23 September IWCIT’03, Gliwice, Poland, September 2003 Measure for Anonymity Gergely Tóth Budapest University of Technology and.
Using Routing and Remote Access Chapter Five. Exam Objectives in this Chapter:  Plan a routing strategy Identify routing protocols to use in a specified.
The Silk Road: An Online Marketplace
The Tor Network BY: CONOR DOHERTY AND KENNETH CABRERA.
LASTor: A Low-Latency AS-Aware Tor Client. Tor  Stands for The Onion Router  Goals: Anonymity ○ Each hop only knows previous and next hop on a path.
Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.
Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.
Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.
Privacy Preserving in Social Network Based System PRENTER: YI LIANG.
Anonymous communication over social networks Shishir Nagaraja and Ross Anderson Security Group Computer Laboratory.
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
1 Anonymous Communications CSE 5473: Network Security Lecture due to Prof. Dong Xuan Some material from Prof. Joan Feigenbaum.
Manu Drijvers, Joint work with Jan Camenisch, Anja Lehmann. March 9 th, 2016 Universally Composable Direct Anonymous Attestation.
Benjamin Knapic Nicholas Johnson.  “Tor is free software and an open network that helps you defend against a form of network surveillance that threatens.
Aaron Johnson Rob Jansen Aaron D. Jaggard Joan Feigenbaum
Improving Tor’s Security with Trust-Aware Path Selection Aaron Johnson
PeerFlow: Secure Load Balancing in Tor Aaron Johnson1 Rob Jansen1 Aaron Segal2 Nicholas Hopper3 Paul Syverson1 1U.S. Naval Research Laboratory 2Yale.
CS590B/690B Detecting Network Interference (Fall 2016)
The Onion Router Hao-Lun Hsu
Safety in Numbers: Crowds
0x1A Great Papers in Computer Security
Anupam Das , Nikita Borisov
Anupam Das , Nikita Borisov
CS590B/690B Detecting network interference (Spring 2018)
Provable Security at Implementation-level
The “Taint” Leakage Model
Dynamic Distribution of SSM ranges.
Presentation transcript:

Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research Laboratory Provable Privacy Workshop July 9, 2012

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

Solution ● Formalize abstract (black-box) model of onion routing in UC framework ● Focus on information leaked ● Anonymity analysis on earlier abstract model is inherited by UC version

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

I/O-automata model u d User u running client Internet destination d Onion routing relays Adversary controls relays Encrypted onion-routing hop Unencrypted onion-routing hop

I/O-automata model u d Main theorem: Adversary can only determine parts of a circuit it controls or is next to. u12

I/O-automata model u d v w e f

I/O-automata model u d 1.First router compromised v w e f

I/O-automata model u d 1.First router compromised 2.Last router compromised v w e f

I/O-automata model u d 1.First router compromised 2.Last router compromised 3.First and last compromised 4. v w e f

I/O-automata model u d 1.First router compromised 2.Last router compromised 3.First and last compromised 4.Neither first nor last compromised v w e f

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

Black-box Abstraction ud v w e f

ud v w e f 1. Users choose a destination

Black-box Abstraction ud v w e f 1. Users choose a destination 2.Some inputs are observed

Black-box Abstraction ud v w e f 1. Users choose a destination 2.Some inputs are observed 3.Some outputs are observed

Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user.

Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

Probabilistic Black-box ud v w e f

ud v w e f Each user v selects a destination from distribution p v pupu

Probabilistic Black-box ud v w e f Each user v selects a destination from distribution p v Inputs and outputs are observed independently with probability b pupu

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

Onion-Routing UC Ideal Functionality u with probability b ø with probability 1-b x y Upon receiving destination d from user U d with probability b ø with probability 1-b Send (x,y) to the adversary. F OR

Black-box Model ● Ideal functionality F OR ● Environment assumptions – Each user gets a destination – Destination for user u chosen from distribution p u ● Adversary compromises a fraction b of routers before execution

UC Formalization ● Captures necessary properties of any crytographic implementation ● Easy to analyze resulting information leaks ● Functionality is a composable primitive ● Anonymity results are valid in probabilistic version of I/O-automata model

Anonymity Analysis of Black Box ● Can lower bound expected anonymity with standard approximation: b 2 + (1-b 2 )p u d ● Worst case for anonymity is when user acts exactly unlike or exactly like others ● Worst-case anonymity is typically as if √b routers compromised: b + (1-b)p u d ● Anonymity in typical situations approaches lower bound

Future Extensions ● Compromised links ● Non-uniform path selection ● Heterogeneous path selection ● Anonymity over time

Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

[BGKM12] Ideal Functionality ● Functionality can actually send messages ● Needs wrapper to hide irrelevant circuit-building options ● Shown to UC-emulate F OR

References [BGKM12] Provably Secure and Practical Onion Routing, by Michael Backes, Ian Goldberg, Aniket Kate, and Esfandiar Mohammadi, in CSF12. [CL05] A Formal Treatment of Onion Routing, by Jan Camenisch and Anna Lysyanskaya, in CRYPTO 05. [FJS07a] A Model of Onion Routing with Provable Anonymity, by Joan Feigenbaum, Aaron Johnson, and Paul Syverson, in FC07. [FJS07b] Probabilistic Analysis of Onion Routing in a Black-box Model, id., in WPES07. [FJS12] A Probabilistic Analysis of Onion Routing in a Black-box Model, id. in TISSEC (forthcoming)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.