A Tale of Research: From Crowds to Deeper Understandings Matthew Wright Jan. 25, : Adv. Network Security
Overview
  Act I: Hordes
    –Applying a tool elsewhere
  Act II: The “Predecessor Attack”
    –How it works
    –Proof
    –Analysis
    –Simulation
  Act III: (then) Future Directions

A New Application
  Brian Levine & Clay Shields
    –Multicast & Networking
  Properties of Multicast
    –many receivers
    –tree structure
    –subscription model
        Status is unknown to routers and hosts
        Bad for maintenance
    –efficient for streaming

One Issue w/ Crowds
  Crowds
    –Network costs are high
    –TCP over multiple hops is bad for streams
  [Figure: path diagram with nodes I, W, X, Y, Z, R]

Hordes
  Crowds for outgoing
    –(requests, ACKs)
  Multicast for incoming streams
    –Everyone joins multiple trees
    –Don’t know who’s on each tree
    –Don’t know who’s listening

Act I Lessons
  Understanding Prior Work
    –Find problems & try to solve them
  Apply New Tools
    –Rather, old tools, but new to the area

Act II: Another Issue w/ Crowds What does say? What does it not say?
Adding New Members If paths are maintained indefinitely, any member joining the group would be immediately identifiable as the initiator. Because of this, group joins occur in batches (e.g., once every hour). Each time new members are allowed in, new paths are created for all members.
Intuitive notion of passive attacks
  [Figure: network diagram with nodes A, B, C, D, E, T, W, X, Y, Z]

Attacking Crowds
  Paths change
  Attacker sees session-identifying info
    –Responder’s IP address
    –Cookie, login name, specific content
  [Figure: path diagram with nodes I, X, Y, Z, A, R]

Attacking Crowds
  Log the node before the attacker
    –n Crowds nodes
  [Figure: path I -> 1 -> 2 -> 3 -> … -> L]
  When the attacker is in position 1, prob = 1 that the initiator is the predecessor.
  When in any of the later positions, prob = 1/n for any node as predecessor.
  node   count
  I      41
  X      18
  Y      24
  Z      17

Question What are the contributions of WALS02?
Attacking in General
  Attack applies to any protocol for anonymity, provided that:
    –Paths* of proxies change
    –Uniformly random selection of paths
    –There exists a position of attackers:
        see the initiator send messages in the session
        determine the session information

Crowds Analysis
  Goal: Quantify time required for attack to succeed
  Notation
    –n is the number of Crowds nodes
    –c is the number of attacker nodes (c < n)
  Observations
    –Probability of selecting an attacker for a given position: c/n
  n - nodes, c - attackers

Crowds Analysis
  [Figure: No. of times each node (A, B, I, X, Y, Z, …) is seen by the attackers over T rounds (path reformations); levels marked E(I) and 1/2 E(I)]

Crowds Analysis
  Chernoff bounds
    –Q: How big does T have to be?
    –A: The attacker must be in the first position on the initiator’s path several times
        c/n chance
        n/c expectation
    –O((n/c) log n) times to get a high probability (n-2)/n

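The counting step from the Crowds Analysis slides above, as an added Python simulation (not part of the original slides). It assumes node 0 is the initiator, the last c nodes are the attackers, and a forwarding coin with probability 0.75; those names and values are this example's own.

```python
import random
from collections import Counter

def simulate_predecessor_attack(n, c, rounds, p_forward=0.75, seed=1):
    """Simulate T path reformations in a Crowds-style network.

    Assumptions of this example: node 0 is the initiator, nodes n-c..n-1
    collude, and p_forward is the coin-flip forwarding probability.
    Returns a Counter: logged predecessor -> number of rounds it was seen.
    """
    rng = random.Random(seed)
    initiator = 0
    attackers = set(range(n - c, n))
    seen = Counter()
    for _ in range(rounds):
        # The initiator always hands the request to a uniformly random node.
        prev, cur = initiator, rng.randrange(n)
        while cur not in attackers:
            if rng.random() >= p_forward:      # coin flip: deliver to responder
                break
            prev, cur = cur, rng.randrange(n)  # forward to another random node
        else:
            # Loop ended because cur is an attacker: the first attacker on
            # the path logs the node immediately before it.
            seen[prev] += 1
    return seen

def attack_summary(n, c, rounds, **kw):
    """Rank logged predecessors and compare with the c/n first-hop estimate."""
    ranked = simulate_predecessor_attack(n, c, rounds, **kw).most_common()
    suspect, top = ranked[0] if ranked else (None, 0)
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    return {"suspect": suspect, "top": top, "runner_up": runner_up,
            "expected_first_hop_hits": rounds * c / n}

if __name__ == "__main__":
    # Constructed parameters: 50 nodes, 5 attackers, increasing T.
    for T in (10, 100, 2000):
        print(T, attack_summary(n=50, c=5, rounds=T))
```

As T grows the initiator's count separates from every other node's count, which is the gap the Chernoff bound on the slide quantifies.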
Onion Routing (GRS96)
  Initiator-chosen paths
    –Instead of flipping a coin, the Initiator chooses the entire path and builds an onion.
    –Layered encryption of data using the public key of each proxy in the path.
  [Figure: path I -> X -> Y -> Z -> R]
    data
    {R,data}_Kz+
    {Z,{R,data}_Kz+}_Ky+
    {Y,{Z,{R,data}_Kz+}_Ky+}_Kx+
  Sending the onion
    I -> X: {Y,{Z,{R,data}_Kz+}_Ky+}_Kx+
    X -> Y: {Z,{R,data}_Kz+}_Ky+
    Y -> Z: {R,data}_Kz+
    Z -> R: data

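Onion Routing
  [Table with columns A1, Delta, A2; timestamps per row as extracted:]
    3:12:20   3:12:30
    3:12:37   3:12:47
    3:12:49   3:12:59
  [Figure: path diagram with nodes I, A1, X, Y, A2, R; link labels 17 ms and 12 ms]
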
Mix-Nets (Ch81+)
  Same as Onion Routing
  Added
    –Dummy messages
    –Batching
    –Message reordering
  Stops timing attacks

Attacking Onion Routing
  Insufficient to have just one node
  Timing analysis allows two attackers to link I and R
  The exponent is intuitively related to the number of positions on the path needed to mark an entry.
  O((n/c)^2 log n) path resets
  [Figure: path diagram with nodes I, A1, X, Y, A2, R]

Attacking Mix-Nets
  Mixing
    –Reordering messages
    –Dummy messages
    –Delay
  Stops timing attacks
    –O.R. attack no longer works
    –Need the entire path to trace the message
  To attack Mix-nets, if the path is L nodes long, then L attackers have to appear in sequence.
    –In each round, chances are (c/n)^L.
  O((n/c)^L log n) path resets

Summary of Predecessor Attacks
  Attack affects all systems of anonymous communications.
  Apparent trade-off between performance and security.

  Protocol         Rounds
  Crowds, Hordes   O((n/c) log n)
  Onion Routing    O((n/c)^2 log n)
  Mix-Nets         O((n/c)^L log n)
  DC-Ring          O(n log n)
  DC-Full          Requires c=n-1 attackers

Act II Lessons
  Answer open questions
    –Is it efficient enough for X application?
    –What are the tradeoffs here?
  Generalize solutions (or attacks)
    –Where else does this apply?
    –Can it be modified to apply to a group? With what costs/issues?

Act III: The next step What did WALS02 leave unanswered?
Questions (II)
  Consequences for users?
    –You’re not secure forever
  How tight are these bounds?
  Are there defenses?

Assumptions that can be broken
  We assumed that all nodes are chosen for each spot on the path with equal probability
    –What if nodes are chosen with a bias?