Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.

Slides:



Advertisements
Similar presentations
Aaron Johnson with Joan Feigenbaum Paul Syverson
Advertisements

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Tor: The Second-Generation Onion Router
LASTor: A Low-Latency AS-Aware Tor Client
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.
Privacy Protection In Grid Computing System Presented by Jiaying Shi.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Security Risks for Ad Hoc Networks and how they can be alleviated By: Jones Olaiya Ogunduyilemi Supervisor: Jens Christian Godskesen © Dec
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
1 Lecture 24: Interconnection Networks Topics: communication latency, centralized and decentralized switches (Sections 8.1 – 8.5)
Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. Freedman, NYU Robert Morris, MIT ACM CCS 2002
IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.
Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.
Toward Understanding Congestion in Tor DC-area Anonymity, Privacy, and Security Seminar January 24 th, 2014 Rob Jansen U.S. Naval Research Laboratory *Joint.
Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.
Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.
Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
Distributed Quality-of-Service Routing of Best Constrained Shortest Paths. Abdelhamid MELLOUK, Said HOCEINI, Farid BAGUENINE, Mustapha CHEURFA Computers.
A Tale of Research: From Crowds to Deeper Understandings Matthew Wright Jan. 25, : Adv. Network Security.
Traffic Analysis Prevention Chris Conger CIS6935 – Cryptographic Protocols 11/16/2004.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Case Study: TOR Anonymity Network Bahadir Ismail Aydin Computer Sciences and Engineering University.
Privacy-Preserving P2P Data Sharing with OneSwarm -Piggy.
Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.
Denial of Service (DoS) Attacks in Green Mobile Ad–hoc Networks Ashok M.Kanthe*, Dina Simunic**and Marijan Djurek*** MIPRO 2012, May 21-25,2012, Opatija,
Never Been KIST: Tor’s Congestion Management Blossoms with Kernel- Informed Socket Transport 23 rd USENIX Security Symposium August 20 th 2014 Rob JansenUS.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
Security in Mobile Ad Hoc Networks: Challenges and Solutions (IEEE Wireless Communications 2004) Hao Yang, et al. October 10 th, 2006 Jinkyu Lee.
Guard Sets for Onion Routing JOSHUA FREE. Tor Most popular low-latency distributed anonymity network Controversial decisions of guard selection strategies.
Ways to reduce the risks of Crowds and further study of web anonymity By: Manasi N Pradhan.
The Silk Road: An Online Marketplace
Onion Routing R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.
1 An Arc-Path Model for OSPF Weight Setting Problem Dr.Jeffery Kennington Anusha Madhavan.
Interconnect Networks Basics. Generic parallel/distributed system architecture On-chip interconnects (manycore processor) Off-chip interconnects (clusters.
The Tor Network BY: CONOR DOHERTY AND KENNETH CABRERA.
Victor Farbman and Maxim Trosman Under guidance of Amichai Shulman.
LASTor: A Low-Latency AS-Aware Tor Client. Tor  Stands for The Onion Router  Goals: Anonymity ○ Each hop only knows previous and next hop on a path.
Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.
Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
1 Anonymous Communications CSE 5473: Network Security Lecture due to Prof. Dong Xuan Some material from Prof. Joan Feigenbaum.
PATH DIVERSITY WITH FORWARD ERROR CORRECTION SYSTEM FOR PACKET SWITCHED NETWORKS Thinh Nguyen and Avideh Zakhor IEEE INFOCOM 2003.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
Aaron Johnson Rob Jansen Aaron D. Jaggard Joan Feigenbaum
Chapter 3: Packet Switching (overview)
PeerFlow: Secure Load Balancing in Tor Aaron Johnson1 Rob Jansen1 Aaron Segal2 Nicholas Hopper3 Paul Syverson1 1U.S. Naval Research Laboratory 2Yale.
Anonymity Metrics R. Newman.
Anupam Das , Nikita Borisov
Free-route Mixes vs. Cascades
Anonymity – Generalizing Mixes
Presentation transcript:

Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale University Aaron Johnson University of Texas at Austin Paul Syverson Naval Research Laboratory 1

Problem 2

UsersOnion Routers Destinations Onion routing suffers from timing attacks. Adversary 3

Problem UsersOnion Routers Destinations Onion routing suffers from timing attacks. Adversary 4 Encrypted Unencrypted

Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 5

Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 6

Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 7

Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 8

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 9

Problem Padding Schemes 1.Constant-rate padding 2.Variable-rate padding 1 1. Timing analysis in low-latency mix networks: Attacks and defenses. Shmatikov & Wang, ESORICS Dependent link padding algorithms for low latency anonymity systems. Wang and Srinivasan, CCS Minimal padding 2 10

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 11

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 12

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 13

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 14

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 15

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 16

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 17

Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 18

Problem Onion routing suffers from timing attacks. How bad is it? Tor: 250 guard routers 500 exit routers 7571 unique users daily per guard 1 Top 2% contribute 50% bandwidth 1 1. McCoy, Bauer, Grunwald, Kohno, and Sicker. Shining light in dark places: Understanding the Tor network. PETS Case 1: Adversary runs one guard and one exit. # comp. = 7571/500  15 Case 2: Adversary’s guard and exit are in top 2% of bandwidth. # users = 7571*.5/.02  # comp. = *.5/(500*.02) 

Results 20

Results 1.Protocol for defeating active timing attacks given a padding scheme Reduces active timing attacks to passive timing attacks Uses redundancy and timestamps 2.Provides a tradeoff between anonymity and performance 3.Protects against adversaries smaller than half of the network. This is optimal. 4.Measurements on Tor suggest it may be usable in practice. 21

Model 22

Model Users: U Routers: R Destinations: D Adversary: A  R, b = |A|/|R| Probabilistic delays – Random link delay: d(r,s), r,s  R – Random processing delay: d(r), r  R Synchronized clocks with tolerance  Padding scheme P(x) – Input: New connection information, x – Output: Timing patterns in both directions,  0,  1 – Provides S u  U, users with the same timing as u 23

Protocol 24

Protocol To the destination Multiple entry points One exit point Entering data encrypted Exiting data unencrypted From the destination Multiple exit points One entrance point Exiting data encrypted Entering data unencrypted 25

Protocol To the destination 26

Protocol To the destination 27

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 28

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 29

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 30

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 31

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 32

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 k 33

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 34

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 35

Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 36

Protocol To the destination Problem: Adversary can make delays more likely even if not certain. Solution: Use timestamps. Arrival prob.:.95 = Pr[d(r,s) + d(s)  d*(r,s)] ith send time: t i = t i-1 +max j,k d*(r (i-1)j,r i,k )+  37

Protocol From the destination 38

Protocol From the destination Path of length k Each router has and enforces timing pattern. 39

Protocol From the destination Path of length k Each router has and enforces timing pattern. 40

Protocol Setup (l,k,p,c) 1.Randomly select the routers for c fixed l  logl meshes with k-length return paths. 2.Determine delays d*(r,s) such that p = Pr[d(r,s) + d(r)  d*(r,s)] User 1.Choose (mesh,path) pair ( M, P ). 2.Obtain padding (  0,  1 ) = P(x). 3.Randomly select identifiers n s i. 4.Generate private keys k s i. 5.Send O(  1 ),n si, n si, k s i through M to s i  P. Network 41

Analysis 42

Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ 43

Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) 44

Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) Theorem 3: Let c(b) be the probability of compromise in some forwarding topology. If b 1-b-  (1-b)/b. 45

Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) Theorem 3: Let c(b) be the probability of compromise in some forwarding topology. If b 1-b-  (1-b)/b. Theorem 4: 1.Latency is (l+k+2). 2.# of messages is 2logl+(I-1)(logl) 2 +k+2. 46

Analysis MeshOnion Routing blwPr[comp.]MessagesPr[comp.]Messages Mesh routing vs. Onion routing 47

Tor Measurements Measured delays in Tor for a month (3/09). Delays for new connections and 400-byte packets. Used empirical measurements for delay distributions per router per 6hr. Period. Analysis 48 Relative added connection delays (p=.95) Relative added packet delays (p=.95) p(50)  1.48 p(50)  2.95

Conclusion Reduced active timing attacks to designing padding schemes. Protocol allows system to trade off anonymity and performance. Future work – Usable padding scheme – Free routes – Protection from DOS attacks 49

Protocol To the destination Message Onion Message M Random numbers n r i, n s i Private key k r {M} r denotes encryption with r’s public key Destination d O(M) = {n r 1, t 1, {n r 2, t 2,  {n r, d, n s 1, k r, M} r  } r 2 } r 1 50

Protocol To the destination User Router r i 1.Let M be waiting message or dummy if none. 2.When pattern  0 instructs, send O(M) to each router in first mesh layer. 1.On incoming {n r i, t, M} r i, if n r i is previously unseen, send M at time t to each router in next layer. 51

Protocol From the destination {M} k denotes encryption with private key k. n s i, n s i+1 are identifiers given to s i by user k s i is private key given to s i by user  1 is return pattern given by user Router s i 1.On incoming, place into queue. 2.When pattern  1 instructs, take from queue (or dummy) send to s i+1. 52