Https://cybercamp.es#CyberCamp15 Deanonimization methods in Bitcoin Network Marko Marić.

Slides:



Advertisements
Similar presentations
The easy answers to the hard questions! WHAT IS BITCOIN?
Advertisements

Secure Multiparty Computations on Bitcoin
Internetworking II: MPLS, Security, and Traffic Engineering
Chapter 4 Distributed Bellman-Ford Routing
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Michal Kriziak MA1N0218 Financial Management The Bitcoin Currency.
MANETs Routing Dr. Raad S. Al-Qassas Department of Computer Science PSUT
 Review  Methodology –Dataset –Data Cleaning –Technology –Analysis Degree Distribution Hubs Top 100 Evolution Anonymous Users.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Gnutella 2 GNUTELLA A Summary Of The Protocol and it’s Purpose By
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
A Trust Based Assess Control Framework for P2P File-Sharing System Speaker : Jia-Hui Huang Adviser : Kai-Wei Ke Date : 2004 / 3 / 15.
The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.
Exploiting Content Localities for Efficient Search in P2P Systems Lei Guo 1 Song Jiang 2 Li Xiao 3 and Xiaodong Zhang 1 1 College of William and Mary,
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
1 Routing. 2 Routing is the act of deciding how each individual datagram finds its way through the multiple different paths to its destination. Routing.
Basic Web Applications 2. Search Engine Why we need search ensigns? Why we need search ensigns? –because there are hundreds of millions of pages available.
Denial of Service Bryan Oemler Web Enhanced Information Management March 22 nd, 2011.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
Freenet File sharing for a political world. Freenet: A Distributed Anonymous Information Storage and Retrieval System I. Clarke, O. Sandberg, B. Wiley,
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
1 Bitcoin A Digital Currency. Functions of Money.
Trajectory Sampling for Direct Traffic Oberservation N.G. Duffield and Matthias Grossglauser IEEE/ACM Transactions on Networking, Vol. 9, No. 3 June 2001.
Intro to Block Chain Bitcoin. Blocks ●Ethereum - block chain ●Dogecoin - block chain ●Ripple - not a block chain ●Stellar - not a block chain ●Bitcoin.
Freenet “…an adaptive peer-to-peer network application that permits the publication, replication, and retrieval of data while protecting the anonymity.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
The Silk Road: An Online Marketplace
A Reputation-Based Approach for Choosing Reliable Resources in Peer-to-Peer Networks E. Damiani S. De Capitani di Vimercati S. Paraboschi P. Samarati F.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.
Bitcoin Tech Talk Zehady Abdullah Khan (Andy) Graduate Assistant, Computer Science Department, Purdue University.
Bitcoin is a cryptographic currency that has been in continuous operation over the last 3 years. It currently enjoys an exchange rate of $4.80 (as of April.
#ABATECHSHOW PRESENTED BY: The Deep Dark Web Presenters John Simek #Idon’tTweet Amanda
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
1 Bitcoin Bitcoin: A Peer-to-Peer Electronic Cash System – Satoshi Nakamoto A Fistful of Bitcoins: Characterizing Payments Among Men with No Names – Sarah.
First… What is Cryptocurrency? A Cryptocurrency is a digital currency that is created through mathematical engineering (algorithm). It is designed to.
1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.
Block Chain 101 May 2017.
Anonymous Communication
Bitcoin Explained in 2 Minutes
Anonymity vs. Privacy Campbell R. Harvey Duke University, NBER and
THE NETWORK LAYER.
Deanonymization of Clients in Bitcoin P2P Network

Deanonymisation of clients in Bitcoin P2P network
Anonymity vs. Privacy Campbell R. Harvey Duke University, NBER and
Campbell R. Harvey Duke University and NBER
Anonymous Communication
Bitcoin: Data flow.
Nonce Making Sense of Nonces.
Campbell R. Harvey Duke University and NBER
Campbell R. Harvey Duke University and NBER
Anonymous Communication
Campbell R. Harvey Duke University and NBER
Presentation transcript:

Deanonimization methods in Bitcoin Network Marko Marić

2 Index

3 Introduction Peer-to-peer network Peers are generating transactions and broadcast them on network Miners are peers that are collecting transactions and trying to generate block Block = collected transactions + proof-of-work Miner that first inserts proof-of-work in block is broadcasting block to network All peers are adding new blocks on top of previous ones - building it's own blockchain Block N Block N-1 Block 3 Block 2 Block 1 … Bitcoin network Blockchain

Transaction graph analysis  Blockchain transaction graph  Identity is hidden, but all transactions are public  Main concepts  Input = Output  Change address  Transaction fee 4

How to deanonimize using blockchain?  Wallets  Containers for private/public keys (not coins!) □ Implemented as structured files or simple database □ Managed by wallet software  Proof of shared control □ Asembling input of transaction from multiple addresses 5

How to deanonimize using blockchain?  „Tagged” users  Web crawling □ blockchain.info □ bitcointalk.org  Active collecting □ Mining pools □ Online wallets □ Exchanges □ Merchants □ Gambling 6

Clustering  Linking different inputs to same user  Transaction inputs with shared address can be link together □ 2 transactions with inputs (A, B) and (B, C) belongs to user that owns keys A, B, C □ Quick expansion of cluster  Tagging clusters  One tagged address in cluster tags all cluster  Combining clusters  Clusters with same tag combined in one cluster 7

Clustering experiment results  Meiklejohn et al., December 2013  Blockchain parsed and analyzed □ transactions, public keys □ clusters of users □ combined clusters (20 clusters tagged to Mt.Gox) □ Excluded „sink” addresses 8

Privacy recommendation  Use new addresses to receive payments  Use multiple wallets for different purposes  Bitcoin address should only be used once  generating new change address 9 Change returned to sending address -> Change returned to new address ->

Adding „change address” to inputs  Change address is hard to recognize  Depends on wallet software change-handling methods □ Single Address Wallets □ Random Address Pool Wallets □ Deterministic Address Pool Wallets  User settings  Heuristics  Users rarely issue transactions to two different users -> obsolete  Change address amount is not greater then lowest input amount -> obfuscated?  Change address is used in only one output over all past transactions -> is it safe? 10

Change address heuristic  Add to input list; address that is used only once in output over all past transactions  Discard coin generation transactions  Discard transactions with self-change address  Discard transactions that have more then one output met CA condition  Experiment results (Meiklejohn et al., December 2013)  4 million change addresses  false positives (13 percent) 11

Refining heuristic  12 percent are „payback” addresses  Reducing to 1 percent of false postivies  Waiting to label as change  1 day – false postivies to 0.28%  1 week – false postivies to 0.17%  Further refining (breaking mega cluster)  3.5 million change addresses  clusters  tagged clusters (1.8 million addresses) 12 End up with mega cluster containing Mt. Gox, Instawallet, BitPay, Silk Road! Started with tagged addresses

How this can help me?  Direct payments to/from servis  From observed Bitcoin address  To observed Bitcoin address  Indirect payments to/from servis  From observed Bitcoin address over anonymous transactions  To observed Bitcoin address over anonymous transactions 13

Real time network analysis  Linking Bitcoin addresses to IP addresses  Possible to distinguish different users behind NAT  Linking of different transactions to same user  Even if they look completely unrelated in transaction graph analysis  Problem – using proxies  VPNs, SOCKS proxy, TOR □ SOLUTION: Shutdown of Bitcoin over TOR! 14

„Clients” and „servers”  Each peer is trying to connect to 8 entry nodes  Network discovery  Servers  Receive incoming connections □ Max. 117 incoming connections  Clients  8 outgoing connections 15 SERVERSCLIENTS Peers are distinguished over set of it’s entry nodes!

Disconnecting TOR  Exploiting Bitcoin DOS protection  IP addresses delivering malformed messages are banned for 24 hours 16 Exit node 1 Exit node 2 Bann exit node 1 Bann exit node 2 Bann exit node 1 Bann exit node 2 Bann exit node 1 Bann exit node TOR exit nodes X 8000 Bitcoin servers GB of traffic

Address propagation  Keeps network alive  Nodes come and go  ADDR message  Peer advertises his address in network □ After connecting to another node □ Every 24 hours  Address propagation  Received address is stored to local database  Propagated to two responsible nodes 17 Address is not sent over this connections again !

Choosing responsible nodes  For each address X decide individually where to forward:  Calculate hash = H(addr X, salt, current day, &peer struct)  Sort 18 0x4b227777d4dd1fc61c… 0x4e bedb8b6f… 0x5feceb66ffc86f38d953… … 0xd4735e3a265e16eee0… 0xe7f6c011776e8db7cd2… 0xef2d127de37b942baa5… These two peers are responsible nodes for address X

Learning entry nodes 19 ATTACKERSERVERSCLIENTS C a entry nodes [2 C Entry nodes [2, 3, 4],3,4]

Problem 20 ATTACKERSERVERSCLIENTS C a entry nodes [1 C Entry nodes [2, 3, 4],3,4]

Solution  Based on fact that same address is never resent over same connection  History is cleared after 24 hours  Strategy  Periodically on all attacker peers: □ 1. Broadcast ADDR to deanonymize □ 2. Establish number of connections 21

Learning all entry nodes 22 ATTACKERSERVERSCLIENTS C a entry nodes [2 C Entry nodes [2, 3, 4],3,4]

Learning part of entry nodes 23 ATTACKERSERVERSCLIENTS C Entry nodes [2, 3, 4] C a entry nodes [3,4]

Metrics 24

What do we have?  What we have?  ADDR(C a ) = (3,5,11,13,17)  ADDR(C b ) = (5,7,13,9,2)  ADDR(C c ) = (1,7,4,5)  How to deanonymize transaction?  Client and attacker are connected with one hop over entry node  All other connections between them are 2 hops or more Attacker will see transaction coming from entry nodes before then from any others. 25

Transaction propagation 26  Client –> entry node -> attacker  (2 x INVENTORY, 2 x GETDATA, 1 x TRANSACTION) □ 5 messages, 16 checks, random trickling delay  Client –> entry node -> peer A -> attacker  (3 x INVENTORY, 3 x GETDATA, 2 x TRANSACTION) □ 8 messages, 32 checks, 2 random trickeling delays

How to deanonimize transaction?  Receiving transaction from different peers  Peers(Trans1): [, 19 …]  Checking transaction against different EN sets  ADDR(C a ) ∩ Peers(Trans1) =  ADDR(C b ) ∩ Peers(Trans1) =  ADDR(C c ) ∩ Peers(Trans1) = 27 Entry nodes (EN) sets: ADDR(C a ) = (3,5,11,13,17) ADDR(C b ) = (5,7,13,9,2) ADDR(C c ) = (1,7,4,5) It is ambiguous if C a or C b or C c generated transaction 3,5,10,8,1,2,12,17,6,14,11,9,7,4,13 (3,5,17,11,13) (5,2,9,7,13) (5,1,7,4) First 15 transactions

How to deanonimize transaction?  Receiving transaction from different peers  Peers(Trans1): [,12,17,6,14,11,9,7,4,13,19…]  Checking transaction against different EN sets  ADDR(C a ) ∩ Peers(Trans1) =  ADDR(C b ) ∩ Peers(Trans1) =  ADDR(C c ) ∩ Peers(Trans1) = 28 Entry nodes (EN) sets: ADDR(C a ) = (3,5,11,13,17) ADDR(C b ) = (5,7,13,9,2) ADDR(C c ) = (1,7,4,5) Not enough to distinguish client (3 nodes needed)! (3,5) (5,2), ℎℎ,, 2014: best balance is q=10 (5,1) 3,5,10,8,1,2 First 6 transactions

How to deanonimize transaction?  Receiving transaction from different peers  Peers(Trans1): [,,11,9,7,4,13,19…]  Checking transaction against different EN sets  ADDR(C a ) ∩ Peers(Trans1) =  ADDR(C b ) ∩ Peers(Trans1) =  ADDR(C c ) ∩ Peers(Trans1) = 29 Entry nodes (EN) sets: ADDR(C a ) = (3,5,11,13,17) ADDR(C b ) = (5,7,13,9,2) ADDR(C c ) = (1,7,4,5) Node Ca generated transaction (3,5, 17) (5,2) (5,1) 3,5,10,8,1,2,12,17,6,14 First 10 transactions

Experiment results (, ℎℎ,, 2014)  Bitcoin testnet  250 bitcoin servers  Custom attacker client  Bitcoin Core (Clients)  Metrics  Propagation of ADDR messages each 10 minutes  Count for only first 10 nodes to forward transaction  3 entry nodes for identification  Result % of transactions was successfully deanonymized

Conclusions  On real Bitcoin network - estimations  If attacker maintains 50 connections to servers  Successful deanonymization 31

How this can help me?  Direct deanonymization  Indirect deanonymization  Deanonymization of Bitcoin address that made/receive payment to/from target  Combining with transaction graph analysis  Linkage of Bitcoin addresses that are unrealted in transaction graph 32

Final words.. Network RT analysis requires IP address beforehand Estimated success rate is very poor Ethics 33