Cashmere: Resilient Anonymous Routing CS290F March 7, 2005

Anonymous Communication Source anonymity  protect identity of communication source Unlinkability  avoid association between endpoints

Anonymous Routing as Mechanism Large decentralized networks  lack of mutual trust, distributed domains Use as mechanism for secure communication  “test” other nodes without revealing your identity  e.g. are you pointing to me in your routing table?

Chaum-Mix Approaches Idea: forward message through static path of relay nodes downside: path is fragile and hard to maintain  once any node/link is broken, must rebuild entire path (expensive)  nodes in middle don’t know where to send error messages downside: computationally expensive  each message must be encrypted with layers of asymmetric encryption

Outline Motivation Cashmere Design Evaluation Summary

Flexible and Resilient Anonymity Use relay groups for routing resiliency  instead of single nodes to relay traffic, use groups of nodes  relay survives if at least 1 member of relay group is reachable P2P and prefix keys  leverage structured p2p routing  define relay group by all nodes sharing a prefix in their nodeID  encryption via prefix keys (public/private pairs) i.e would have keys for 1XXX, 12XX, 123X 302X013X 233X

Routing Overview Cannot simply route through groups to destination Sender A forwards traffic thru a number of relay groups  Receiver B is a member of one of the relay groups Per relay, the first member to receive the msg is the “root”  root node decrypts using its prefix private key, forwards payload to other members, then routes msg to next relay A (P1,M) (P2,M) (P3,M) (P4,M) M M M B M M M M Relay group for prefix 123 M M M M B (P2=123,M) (P3=230,M)

Enhancements for Performance Decouple path encryption and payload  encrypt path layer separately  include “keys” at each layer to match payload onion Remove asymmetric encryption from critical path  use session key (symmetric) to encrypt each msg  encrypt session key with destination pub key include inside path encryption layer  only true destination knows it’s the recepient

The Big Picture Path =P L-1 R L-2 K L-2 P L+1 R L K L P L R L-1 K L-1 PubKey(P) Payload = SymKey_B XOR: R L-1 XOR: R L-2 from last relay group to relay group P L-1 SymKey_B XOR: R L-1 Payload’ = Root of Relay Group P P L+1 R L K L P L R L-1 K L-1 Path’ = Path, PayloadPath’, Payload’ PrivKey(P) XOR(R L-2 ) Each node decrypts K L-2 with its own private key. Only the destination node will get SymKey_B and a flag indicating success. Member of P P L-1 R L-2 K L-2 Member of P Member of P Member of P

Selecting GroupID and Path Length Tradeoff between anonymity, resilience and messaging overhead Leverage random distribution of nodeIDs  predict expected size of relay group Can dynamically select prefix length to control relay group size (per session)

Cashmere Evaluation Measure anonymity using entropy metric  source anonymity identical to Chaum-mixes  destination anon. identical if  10% nodes are attackers Resilience  expected lifetimes of relay groups: 1 or 2 orders of magnitude > single relay nodes (avg |group| = 3-5) Performance  source encryption cost is 10% of CM, (if avg |group| = 3)  decryption cost at relays < 50% of CM, (|group| = 3) Result? Goals accomplished! Fully implemented: Tput  27Mb/s for 4K msgs

Entropy-based Anonymity Entropy of a system Entropy-based anonymity of the system

Source Anonymity

Unlinkability Anonymity

Expected Path Lifetimes exponentially distributed session times  median session time = 60 mins balanced node leave/joins

Path Duration w/ Intermittent Failures

Relative Computation Cost

Summary Resilience through relay groups Decouple path encryption from payload Questions?