A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

Slides:



Advertisements
Similar presentations
Aaron Johnson with Joan Feigenbaum Paul Syverson
Advertisements

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Tor: The Second-Generation Onion Router
Definition of the Anonymity of Mix Network Runs Andrei Serjantov University of Cambridge Computer Laboratory.
LASTor: A Low-Latency AS-Aware Tor Client
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
CIS 5371 Cryptography 3b. Pseudorandomness.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Daniel Moran & Marina Yatsina. Access control through encryption.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.
Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.
0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.
Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.
Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.
Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011
Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
S305 – Network Infrastructure Chapter 5 Network and Transport Layers.
Provable Protocols for Unlinkability Ron Berman, Amos Fiat, Amnon Ta-Shma Tel Aviv University.
Traffic Analysis Prevention Chris Conger CIS6935 – Cryptographic Protocols 11/16/2004.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Case Study: TOR Anonymity Network Bahadir Ismail Aydin Computer Sciences and Engineering University.
Preserving Link Privacy in Social Network Based Systems Prateek Mittal University of California, Berkeley Charalampos Papamanthou.
Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
Mobile Traffic Sensor Network versus Motion-MIX: Tracing and Protecting Mobile Wireless Nodes JieJun Kong Dapeng Wu Xiaoyan Hong and Mario Gerla.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
An Analysis of Parallel Mixing with Attacker-Controlled Inputs Nikita Borisov formerly of UC Berkeley.
1 Information Theory Nathanael Paul Oct. 09, 2002.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
The Silk Road: An Online Marketplace
The Tor Network BY: CONOR DOHERTY AND KENNETH CABRERA.
Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.
Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.
Anonymous communication over social networks Shishir Nagaraja and Ross Anderson Security Group Computer Laboratory.
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
S305 – Network Infrastructure Chapter 5 Network and Transport Layers.
1 Anonymous Communications CSE 5473: Network Security Lecture due to Prof. Dong Xuan Some material from Prof. Joan Feigenbaum.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
Aaron Johnson Rob Jansen Aaron D. Jaggard Joan Feigenbaum
The Onion Router Hao-Lun Hsu
What's the buzz about HORNET?
Modern symmetric-key Encryption
Chapter 5 Network and Transport Layers
0x1A Great Papers in Computer Security
Free-route Mixes vs. Cascades
Modeling Entropy in Onion Routing Networks
Anonymity – Generalizing Mixes
Presentation transcript:

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

Papers 1.A Model of Onion Routing with Provable Anonymity Financial Cryptography and Data Security A Probabilistic Analysis of Onion Routing in a Black-box Model Workshop on Privacy in the Electronic Society 2007

Anonymous Communication Sender anonymity: Adversary cant determine the sender of a given message Receiver anonymity: Adversary cant determine the receiver of a given message Relationship anonymity: Adversary cant determine who talks to whom

Anonymous Communication Sender anonymity: Adversary cant determine the sender of a given message Receiver anonymity: Adversary cant determine the receiver of a given message Relationship anonymity: Adversary cant determine who talks to whom

How Onion Routing Works User u running client Internet destination d Routers running servers ud

How Onion Routing Works ud 1.u creates 3-hop circuit through routers

How Onion Routing Works ud 1.u creates 3-hop circuit through routers

How Onion Routing Works ud 1.u creates 3-hop circuit through routers

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{{m} 3 } 4 }

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{m} 3 }

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {m}

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged m

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged m

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {m}

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{m} 3 }

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{{m} 3 } 4 }

How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged. 4.Stream is closed

How Onion Routing Works u 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged. 4.Stream is closed. 5.Circuit is changed every few minutes d

Results

1.Formally model onion routing using input/output automata

Results 1.Formally model onion routing using input/output automata 2.Analyze relationship anonymity a.Characterize situations with possibilistic anonymity b.Bound probabilistic anonymity in worst-case and typical situations

Related Work A Formal Treatment of Onion Routing Jan Camenisch and Anna Lysyanskaya CRYPTO 2005 A formalization of anonymity and onion routing S. Mauw, J. Verschuren, and E.P. de Vink ESORICS 2004 Towards an Analysis of Onion Routing Security P. Syverson, G. Tsudik, M. Reed, and C. Landwehr PET 2000

Model Constructed with I/O automata –Models asynchrony –Relies on abstract properties of cryptosystem Simplified onion-routing protocol –No key distribution –No circuit teardowns –No separate destinations –Each user constructs a circuit to one destination –Circuit identifiers

Automata Protocol u v w

u v w

u v w

u v w

u v w

u v w

u v w

u v w

u v w

u v w

Creating a Circuit u123

[0,{CREATE} 1 ] 1.CREATE/CREATED u123

Creating a Circuit [0,CREATED] 1.CREATE/CREATED u123

Creating a Circuit 1.CREATE/CREATED u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{[EXTEND,2, {CREATE} 2 ]} 1 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,{CREATE} 2 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATED] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{EXTENDED} 1 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{[EXTEND,3, {CREATE} 3 ]} 2 } 1 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] u123 [l 1,{[EXTEND,3, {CREATE} 3 ]} 2 ]

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,{CREATE} 3 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATED] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 1,{EXTENDED} 2 ] u123

Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{EXTENDED} 2 } 1 ] u123

Adversary u d Active & Local

Possibilistic Anonymity

Anonymity Let U be the set of users. Let R be the set of routers. Let l be the path length.

Anonymity Definition (configuration): A configuration is a function U R l mapping each user to his circuit. Let U be the set of users. Let R be the set of routers. Let l be the path length.

Anonymity Definition (indistinguishability): Executions and are indistinguishable to adversary A when his actions in are the same as in after possibly applying the following: : A permutation on the keys not held by A. : A permutation on the messages encrypted by a key not held by A. Definition (configuration): A configuration is a function U R l mapping each user to his circuit. Let U be the set of users. Let R be the set of routers. Let l be the path length.

Definition (relationship anonymity): u and d have relationship anonymity in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d. Anonymity Definition (fair): In fair executions actions enabled infinitely often occur infinitely often Definition (cryptographic): In cryptographic executions no encrypted control messages are sent before they are received unless the sender possesses the key

Theorem 1: Let C and D be configurations for which there exists a permutation : U U such that C i (u) = D i ( (u)) if C i (u) or D i ( (u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable, fair, cryptographic execution of D. The converse also holds.

C u v

u v CD

u v CD v u 225 4

u v CD Theorem 1: Let C and D be configurations for which there exists a permutation : U U such that C i (u) = D i ( (u)) if C i (u) or D i ( (u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable fair, cryptographic execution of D. The converse also holds. u v

Relationship anonymity Corollary : A user and destination have rel. anonymity iff:

Relationship anonymity 2 3 u 4? 5? The last router is unknown. Corollary : A user and destination have rel. anonymity iff:

OR Relationship anonymity 2 3 u 4? 5? The last router is unknown The user is unknown and another unknown user has an unknown destination. 5 2? 5? 4? Corollary : A user and destination have rel. anonymity iff:

OR The user is unknown and another unknown user has a different destination Relationship anonymity 2 3 u 4? 5? The last router is unknown The user is unknown and another unknown user has an unknown destination. 5 2? 5? 4? Corollary : A user and destination have rel. anonymity iff:

Probabilistic Anonymity

Adding probability 1.To configurations a.User u selects destination d with probability p u d. b.Users select routers randomly. 2.To executions a.Each execution in a configuration is equally likely.

Definition (relationship anonymity): u and d have relationship anonymity in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.

Probabilistic relationship anonymity metric: Let X be a random configuration. Let X D : U D be the destinations in X. The metric Y for the relationship anonymity of u and d in C is: Y(C) = Pr[X D (u)=d | X C]

Probabilistic Anonymity Other measures (e.g. entropy, min entropy) Measures effect on the individual user Exact Bayesian inference –Adversary after long-term intersection attack –Worst-case adversary

Probabilistic Anonymity 1. Fixing u and d doesnt determine C. 2. Y(C) thus has a distribution. 3.This distribution depends on each p v. 4. E[Y | X D (u)=d] a.Worst case b.Typical case

Worst-case Anonymity Theorem 2: The maximum of E[Y | X D (u)=d] over (p v ) v u occurs when 1. p v =1 for all v u OR 2. p v d =1 for all v u Let p u 1 p u 2 p u d-1 p u d+1 … p u

Worst-case Estimates Let n be the number of nodes. Let b be the fraction of compromised nodes.

Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Theorem 4: When p v d =1 for all v u: E[Y | X D (u)=d] = b 2 + b(1-b)p u d + (1-b) p u d /(1-(1- p u d ) b ) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] b + (1-b) p u d Let n be the number of nodes. Let b be the fraction of compromised nodes.

Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] b + (1-b) p u d E[Y | X D (u)=d] b 2 + (1-b 2 ) p u d Let n be the number of nodes. Let b be the fraction of compromised nodes.

Typical Case Let each user select from the Zipfian distribution: p d i = 1/( i s ) Theorem 5: E[Y | X D (u)=d] = b 2 + (1 b 2 )p u d + O(1/n)

Typical Case Let each user select from the Zipfian distribution: p d i = 1/( i s ) Theorem 5: E[Y | X D (u)=d] = b 2 + (1 b 2 )p u d + O(1/n) E[Y | X D (u)=d] b 2 + ( 1 b 2 )p u d

Results 1.Formally model onion routing using input/output automata 2.Analyze relationship anonymity a.Characterize situations with possibilistic anonymity b.Bound probabilistic anonymity in worst-case and typical situations

Future Work 1.Extend analysis to other types of anonymity and to other systems. 2.Examine how quickly users distribution are learned. 3.Analyze timing attacks.