
Network Security: Anonymity Otto Huhta T-110.5241 Network security Aalto University, Nov-Dec 2014.



Slide 2: Outline
1. Anonymity in general
2. High-latency anonymous routing
3. Low-latency anonymous routing (Tor)

Slide 3: Anonymity

Slide 4: Definitions
- Security: “free from danger or threat”
- Privacy: “control over personal information or actions”
- Anonymity: “unidentifiable”

Slide 5: Privacy
- Control over personal information (emphasized in Europe): gathering, disclosure and false representation of facts about one’s personal life
- Right to be left alone (emphasized in America): avoiding interference, control, discrimination, spam, censorship
- Anonymity is a tool for achieving privacy: blending into the crowd

Slide 6: Anonymity (online): why?
- Protection against mass surveillance
- Censorship resistance, freedom of speech
- Protection against discrimination, e.g. geographic access control or price differentiation
- Business intelligence, police investigation, political and military intelligence
- Whistle blowing, crime reporting
- Electronic voting
- Cyber war, crime, illegal and immoral activities?

Slide 7: Anonymity: terminology
- Identity, identifier
- Anonymity: they don’t know who you are
- Pseudonymity: intentionally allow linking of some events to each other, e.g. sessions, payment and service access
- Unlinkability: they cannot link two events or actions (e.g. messages) with each other
- Authentication: strong verification of identity
- Weak identifier: not usable for strong authentication but may compromise privacy, e.g. nickname, IP address, SSID, service usage profile
- Authorization: verification of access rights; does not always imply authentication (remember SPKI)

Slide 8: Anonymity in communications
Anonymity towards communication peers:
- Sender anonymity: the receiver does not know who sent the message, or from where
- Receiver anonymity: a message can be sent to a recipient without knowing who or where they are
- Bi-directional anonymity: neither sender nor recipient knows the other’s identity
- Third-party anonymity: an outside observer cannot know who is talking to whom
- Unobservability: an outside observer cannot tell whether communication takes place or not
- Strength depends on the capabilities of the adversary
Anonymity towards the access network:
- The access network does not know who is roaming there
- Related concept: location privacy

Slide 9: Who is the adversary?
Discussion: who could violate your privacy and anonymity?
- Global attacker, your government (e.g. retention of traffic data, NSA PRISM)
- Servers across the Internet, colluding commercial interests (e.g. web cookies, trackers, advertisers)
- Criminals (e.g. identity theft)
- Employer
- People close to you (e.g. stalkers, co-workers, neighbors, family members)

Slide 10: Strong anonymity?
- Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication
- Even the strongest mechanisms have serious weaknesses:
  - Need to trust many others to be honest
  - Services operated by volunteers and activists
  - Side-channel attacks
- Anonymity tends to degrade over time for persistent communication

Slide 11: Anonymity on the Internet
Problem: weak identifiers
- IP address, MAC address (an IPv6 address can contain the MAC address)
- TCP sequence number, IP Identifier field
- Location/app data, browser plugins, languages, etc.
Simple solution: VPNs
- Need to trust the VPN provider
- Susceptible to traffic analysis
- IP addresses can still leak information
Better: mix networks, onion routing

Slide 12: High-Latency Anonymous Routing

Slide 13: Mix: introduction
- Threat model: global adversary; can observe all messages, all traffic → trivially learns sender and receiver
- Goal: break the link between sender and receiver
- Solution: cryptographic relays

Slide 14: Mix (1)
- A mix is an anonymity service [Chaum 1981]
- The attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observer
- The mix receives encrypted messages (e.g. email), decrypts (or re-encrypts) them, and forwards them to the recipients
[Figure: decryption at the mix]

Slide 15: Mix (2)
- The attacker can see the input and output of the mix
- The attacker cannot see how messages are shuffled inside the mix
- Concept: anonymity set = all nodes that could have sent (or could be recipients of) a particular message
[Figure: decryption at the mix]

Slide 16: Mix (3)
Two security requirements:
- Bitwise unlinkability of input and output messages: a cryptographic property; must resist active attacks
- Resistance to traffic analysis: the attacker can delay, drop or inject dummy messages
Basic security:
- Re-encryption attack → solution: freshness (random string)
- Replay attack → solution: the mix discards repeated input messages
Examples of design mistakes: FIFO order of delivering messages; no freshness check at the mix; no random initialization vector for encryption; no padding to hide message length; malleable encryption
[Figure: decryption at the mix]

Slide 17: Mixing in practice
Mix strategies:
- Threshold mix: wait to receive k messages before delivering; anonymity set size k
- Pool mix: the mix always buffers k messages and sends one when it receives one
- Both strategies add delay → high latency
Not all senders and receivers are always active:
- In a closed system, injecting cover traffic can fix this (what about the Internet?)
Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections:
- The attacker can observe the beginning and end of connections
- The attacker can observe request and response pairs → statistical traffic analysis

Slide 18: Who sends to whom? [Figure: threshold mix with threshold 3]

Slide 19: Anonymity metrics
Size of the anonymity set: k-anonymity
- Suitable for one round of threshold mixing
- Problems with k-anonymity:
  - Multiple rounds → statistical analysis based on understanding common patterns of communication can reveal who talks to whom, even if k for each individual message is high
  - Pool mix → k = ∞
Entropy: E = − Σ (i = 1…n) p_i · log2(p_i)
- “Not all senders are always equally likely to have sent a message”
- Measures the amount of missing information in bits: how much does the attacker not know
- Can measure the entropy of the sender identity, recipient identity, etc.
Problems with measuring anonymity:
- Anonymity of individual messages vs. anonymity in a system
- Depends on the attacker’s capabilities and background information
- Anonymity usually degrades over time as the attacker collects more statistics
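The two mix strategies of slide 17 and the metrics of slide 19, compared numerically. This is an added example, not code from the slides: it builds the attacker's probability distribution over candidate senders for a threshold mix and for a pool mix, reports the anonymity-set size k and the entropy in bits for each, and checks the pool-mix model with a short Monte Carlo simulation. The pool mix is modelled as the slide describes it (n messages always buffered, one uniformly chosen message emitted per arrival); the closed-form distribution, the function names and the parameter values are my own construction.

```python
import math
import random


def entropy_bits(probs):
    """Shannon entropy in bits of the attacker's sender distribution:
    how much the attacker still does not know about who sent a message."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def k_anonymity(probs):
    """Anonymity-set size: the number of candidate senders with non-zero probability."""
    return sum(1 for p in probs if p > 0)


def threshold_mix_sender_probs(k):
    """Threshold mix that flushes a batch of k messages: for any output message,
    each of the k inputs of that batch is equally likely to be its sender."""
    return [1.0 / k] * k


def pool_mix_sender_probs(n, max_age):
    """Pool mix that keeps n messages buffered and, on every arrival, emits one of the
    n+1 buffered messages chosen uniformly at random.  Probability that the message
    emitted now arrived `age` arrivals ago: it was passed over `age` times
    (probability n/(n+1) each time) and then selected (probability 1/(n+1)).
    Truncated at max_age; the leftover mass belongs to still older messages, so the
    true anonymity set is unbounded (k = infinity, as slide 19 says)."""
    q = 1.0 / (n + 1)
    return [q * (1 - q) ** age for age in range(max_age + 1)]


def simulate_pool_mix(n, arrivals, seed=0, warmup=200):
    """Monte Carlo check of the pool-mix model: empirical distribution of the age
    (in arrivals) of each emitted message, as a dict age -> relative frequency."""
    rng = random.Random(seed)
    pool = [0] * n              # ages of the n initial messages (constructed start state)
    counts, emitted = {}, 0
    for t in range(arrivals):
        pool.append(0)          # a new message arrives with age 0
        age = pool.pop(rng.randrange(len(pool)))   # one buffered message leaves
        pool = [a + 1 for a in pool]               # everyone else gets older
        if t >= warmup:         # ignore the start-up transient
            counts[age] = counts.get(age, 0) + 1
            emitted += 1
    return {age: c / emitted for age, c in sorted(counts.items())}


def compare(k=3, n=2, max_age=400):
    """k and entropy for a threshold mix with threshold k and a pool mix holding n."""
    thr = threshold_mix_sender_probs(k)
    pool = pool_mix_sender_probs(n, max_age)
    return {
        "threshold": {"k": k_anonymity(thr), "entropy_bits": entropy_bits(thr)},
        "pool": {"k": k_anonymity(pool), "entropy_bits": entropy_bits(pool)},
    }


if __name__ == "__main__":
    print(compare())
    print(simulate_pool_mix(2, 20000))
```

With threshold 3 the threshold mix gives k = 3 and log2(3) ≈ 1.58 bits. The pool mix holding 2 messages gives an unbounded k but only about 2.75 bits, because the most recent arrivals are far more likely than old ones: a large anonymity set does not by itself mean much missing information for the attacker.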

Slide 20: Trusting the mix
- Problem: the mix must be honest!
- Solution: route packets through multiple mixes → the attacker must compromise all mixes on the route
- However, compromising almost all of the mixes may reduce the size of the anonymity set
- Example: anonymous remailers for email, anon.penet.fi 1993–96

Slide 21: Mix networks (1) [Figure]

Slide 22: Mix networks (2)
A mix network is just a distributed implementation of a mix.

Slide 23: Mix networks (3)
- Mix cascade: all messages from all senders are routed through the same sequence of mixes; good anonymity, poor scalability, poor reliability
- Free routing: each message is routed independently via multiple mixes
- Other policies lie between these two extremes
- But remember that the choice of mixes could be a weak identifier!

Slide 24: Mix networks (4)
Concept: onion encryption
Goal: only the endpoints can see the plaintext message
Multiple layers of public-key encryption:
  Alice → M1: E_M1(M2, E_M2(M3, E_M3(Bob, M)))
  M1 → M2: E_M2(M3, E_M3(Bob, M))
  M2 → M3: E_M3(Bob, M)
  M3 → Bob: M
- Encryption at every layer must provide bitwise unlinkability → detect replays and check integrity
- In free routing, the message length must be kept constant
- Re-encryption mix: special crypto that keeps the message length constant with multiple layers of encryption

Slide 25: Receiver anonymity
Alice distributes a reply onion: E_M3(M2, k3, E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K))))
Messages from Bob to Alice:
  Bob → M3: E_M3(M2, k3, E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K)))), M
  M3 → M2: E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K))), E_k3(M)
  M2 → M1: E_M1(Alice, k1, E_Alice(K)), E_k2(E_k3(M))
  M1 → Alice: E_Alice(K), E_k1(E_k2(E_k3(M)))
Alice can be memoryless: k_i = h(K, i)
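The forward onion of slide 24 and the reply onion of slide 25 worked through in code, together with the replay check of slide 16. This is an added example and not code from the slides. It stands in a constructed toy stream cipher (HMAC-SHA256 keystream XORed with the data under a fresh random nonce) for the public-key encryption E_X of the slides, uses the slides' names M1, M2, M3, Alice, Bob, and adds a hypothetical Mix class that strips one layer per hop and discards repeated inputs. It does not pad messages to constant length and has no integrity check, so it shows only the layering and the memoryless key derivation k_i = h(K, i), not a deployable mix.

```python
import hashlib
import hmac
import json
import os

# Toy stream cipher, constructed for this example only: NOT a real cipher (no integrity).
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def enc(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)        # freshness: the same plaintext never encrypts alike
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def dec(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# A layer's plaintext is a JSON list; bytes fields are hex-encoded so they survive JSON.
def pack(*fields) -> bytes:
    return json.dumps([{"hex": f.hex()} if isinstance(f, bytes) else f for f in fields]).encode()


def unpack(blob: bytes) -> list:
    return [bytes.fromhex(f["hex"]) if isinstance(f, dict) else f for f in json.loads(blob)]


class Mix:
    """One relay (hypothetical class): strips exactly one layer, discards replays (slide 16)."""

    def __init__(self, name: str):
        self.name, self.key, self.seen = name, os.urandom(32), set()

    def process(self, onion: bytes) -> list:
        digest = hashlib.sha256(onion).digest()
        if digest in self.seen:
            raise ValueError(f"{self.name}: replayed input discarded")
        self.seen.add(digest)
        return unpack(dec(self.key, onion))     # e.g. [next_hop, inner_onion]


def build_onion(route, dest, msg):
    """Alice -> M1: E_M1(M2, E_M2(M3, E_M3(Bob, M))), built from the innermost layer outwards."""
    next_hop, layer = dest, msg
    for mix in reversed(route):
        layer = enc(mix.key, pack(next_hop, layer))
        next_hop = mix.name
    return next_hop, layer                      # (first hop, onion)


def forward(mixes, first_hop, onion):
    """Each mix learns only its next hop; returns (final recipient, plaintext, path taken)."""
    hop, blob, path = first_hop, onion, []
    while hop in mixes:
        path.append(hop)
        hop, blob = mixes[hop].process(blob)
    return hop, blob, path


def kdf(K: bytes, i: int) -> bytes:
    """k_i = h(K, i): Alice stores only K, so she can be memoryless (slide 25)."""
    return hashlib.sha256(K + i.to_bytes(1, "big")).digest()


def build_reply_onion(route_back, alice_key, K):
    """E_M3(M2, k3, E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K)))); route_back = [M3, M2, M1]."""
    next_hop, layer = "Alice", enc(alice_key, K)
    for i, mix in enumerate(reversed(route_back), start=1):   # M1 gets k1, M2 k2, M3 k3
        layer = enc(mix.key, pack(next_hop, kdf(K, i), layer))
        next_hop = mix.name
    return next_hop, layer


def reply(mixes, first_hop, reply_onion, msg):
    """Bob -> M3: (onion, M); each mix peels its layer and wraps the message with its k_i."""
    hop, onion, body = first_hop, reply_onion, msg
    while hop in mixes:
        hop, k_i, onion = mixes[hop].process(onion)
        body = enc(k_i, body)
    return hop, onion, body          # ("Alice", E_Alice(K), E_k1(E_k2(E_k3(M))))


def alice_open(alice_key, sealed_K, body, hops):
    """Alice recovers K, re-derives k_1..k_n and strips the layers in that order."""
    K = dec(alice_key, sealed_K)
    for i in range(1, hops + 1):
        body = dec(kdf(K, i), body)
    return body


def demo():
    mixes = {name: Mix(name) for name in ("M1", "M2", "M3")}
    route = [mixes["M1"], mixes["M2"], mixes["M3"]]
    first, onion = build_onion(route, "Bob", b"hello Bob")
    fwd = forward(mixes, first, onion)     # ('Bob', b'hello Bob', ['M1', 'M2', 'M3'])
    alice_key, K = os.urandom(32), os.urandom(32)
    rfirst, ronion = build_reply_onion(route[::-1], alice_key, K)
    who, sealed, body = reply(mixes, rfirst, ronion, b"hello Alice")
    return fwd, who, alice_open(alice_key, sealed, body, len(route))


if __name__ == "__main__":
    print(demo())
```

Note that every layer adds a nonce, so the onion shrinks by a fixed amount at each hop and the reply body grows by one; this is exactly the length signal that slide 24 says free routing must hide with constant-length messages, which the toy deliberately leaves visible.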

Slide 26: Sybil attack
Problem: mixes tend to be run by volunteers
- Anyone can join the network
- Applies in general to open systems which anyone can join
- The attacker creates a large number of seemingly independent nodes, e.g. 50% of all nodes → some routes will go through only the attacker’s nodes
Defence: increase the cost of joining the network
- Human verification that each mix is operated by a different person or organization
- The IP address of each mix must be in a new domain
- Require good reputation of a measurable kind that takes time and effort to establish
- Select the mixes in a route to be at diverse locations
Sybil attacks are a danger to most P2P systems, not just anonymous routing, e.g. reputation systems, content distribution

Slide 27: Other attacks
Problem 1: who are the others in the network? The (n−1) attack
- The attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows the one honest sender to get through → easy to trace because all other packets are the attacker’s
- Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection
Problem 2: anonymity degrades over time
- Statistical attacks: the attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns

Slide 28: Low-Latency Anonymous Routing

Slide 29: Tor
Problem with mix networks: high latency
- Too slow for interactive use (e.g. web browsing)
Solution: remove mixing at the relays… → but what about security?
- More realistic(?) attacker model: can control some nodes, can sniff some links, but not everything
New compromise between efficiency and anonymity:
- No mixing at the onion routers
- All packets in a session, in both directions, go through the same routers
- Short route, always three onion routers
- Tunnels based on symmetric cryptography
- No cover traffic
- Protects against local observers at any part of the path, but vulnerable to a global attacker
“2nd generation onion router”

Slide 30: Tor overview
- 5,000 relays, 2,000,000 daily users
- Directory servers hold a list of all relays (incl. public keys)
- Overlay network
- Randomly chosen, but fixed, circuits through 3 relays
- Encryption: onion encryption between the user and the last relay; TLS encryption between relays (and the user)

Slide 31: Tor: building a circuit (1) [Figure]

Slide 32: Tor: building a circuit (2) [Figure]

Slide 33: Tor: building a circuit (3) [Figure]

Slide 34: Tor: building a circuit (4) [Figure]

Slide 35: Circuits in Tor [Figure after Danezis]
Path: Alice – OR1 – OR2 – OR3 – Bob
- Authenticated DH between Alice and OR1 → key K1
- Authenticated DH between Alice and OR2, carried encrypted with K1 → key K2
- Authenticated DH between Alice and OR3, carried encrypted with K1 and K2 → key K3
- Alice’s traffic is encrypted with K1, K2, K3; each OR removes one layer (OR1: K1; OR2: K2; OR3: K3)
- OR3 opens the TCP connection to Bob; the last link is unencrypted
- Alice is not authenticated, only the ORs

Slide 36: Circuits in Tor (continued) [Same figure as slide 35]
Additionally, linkwise TLS connections: Alice – OR1 – OR2 – OR3

Slide 37: Rough comparison: onion routing vs. mix networks (Paul Syverson, 2009)

                  Mix networks                                        Onion routing
  Security from:  Mixing at relays (+ maybe route unpredictability)   Route unpredictability (no mixing)
  Threat model:   Global adversary                                    Non-global adversary
  Performance:    High latency                                        Low latency
  Example use:    Email                                               Web browsing

Slide 38: Tor limitations (1)
Traffic confirmation attacks
- Scenario: the adversary can monitor both endpoints → can trivially confirm that the endpoints are communicating
- Problem: relays don’t (significantly) alter traffic
- Solution: none (outside the Tor threat model)
Traffic analysis attacks
- Scenario: the adversary controls/monitors part of the user’s circuit (network links/relays)
  → Passive: can correlate traffic based on packet size, timing, volume, etc.
  → Active: can modify traffic (drop, delay, etc.) and look for the traffic fingerprint
- If the attacker controls the first and last relay → again trivially confirms communication (same problem as above)
- Solution: make it difficult to control relays, switch circuits (limited effect)
Note 1: there is always a risk of compromise
- The client chooses relays at random
- Simplified: if c of n relays in total are compromised, the probability of choosing a malicious relay is c/n, and for both the first and the last relay (c/n)^2
- Why three routers, not two?
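The compromise probability from slide 38 carried through as an added example (not the slides' own code, and not Tor's actual path-selection algorithm, which is more involved than the slide's model). It uses the slide's simplified model of a client picking 3 distinct relays uniformly at random out of n, of which c are adversary-controlled, and compares the slide's (c/n)^2 approximation with the exact value and with a Monte Carlo estimate. It also quantifies the slide's remark that switching circuits has only a limited effect: each new circuit is another independent draw, so the chance that at least one circuit has both ends compromised grows with the number of circuits built. The function names and the values c = 100, n = 1000 are my own choices.

```python
import random


def p_entry_and_exit_compromised(c, n):
    """Exact probability that both the entry and the exit relay of a 3-hop circuit are
    adversary-controlled when 3 distinct relays are drawn uniformly at random
    (the slide's simplified client model)."""
    if n < 3 or c < 0 or c > n:
        raise ValueError("need 0 <= c <= n and n >= 3")
    # entry compromised: c/n; exit compromised given that: (c-1)/(n-1); middle is irrelevant
    return (c / n) * ((c - 1) / (n - 1))


def p_entry_and_exit_approx(c, n):
    """The slide's approximation (c/n)^2, which treats the two picks as independent."""
    return (c / n) ** 2


def p_any_circuit_compromised(c, n, circuits):
    """Probability that at least one of `circuits` independently built circuits has both
    ends compromised: switching circuits gives the adversary more draws, not fewer."""
    return 1 - (1 - p_entry_and_exit_compromised(c, n)) ** circuits


def simulate(c, n, trials, seed=1):
    """Monte Carlo check.  Relays 0..c-1 are labelled as the adversary's (constructed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        entry, _middle, exit_ = rng.sample(range(n), 3)
        if entry < c and exit_ < c:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    c, n = 100, 1000
    print("exact:", p_entry_and_exit_compromised(c, n))
    print("(c/n)^2:", p_entry_and_exit_approx(c, n))
    print("simulated:", simulate(c, n, 50000))
    for m in (1, 10, 100):
        print(f"at least one of {m} circuits compromised:", p_any_circuit_compromised(c, n, m))
```

With 10% of relays compromised a single circuit is end-to-end compromised with probability just under 1%, but a client that rebuilds its circuit 100 times has close to a 63% chance that at least one of them was; this is why the slide lists circuit switching as a mitigation of limited effect.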

Slide 39: Tor limitations (2)
Malicious exit relays
- Problem: the exit relay sees ‘unencrypted’ client traffic
- Solution: use TLS!
Information leaks from the browser, applications, OS
- Problem 1: Tor doesn’t anonymize traffic content
- Problem 2: other applications access the Internet directly
- Solution: Tor browser bundle, disable JS, separate device
Blacklisting of entry or exit relays
- Problem: the remote server sees the IP of the exit relay
- Solution (exit relay): none
- Solution (entry relay): bridges

Slide 40: Tor hidden services
- Servers running ‘inside’ the Tor network
- Physical location hidden
- Traffic under onion encryption all the way to the server
- Specific method for opening circuits: introduction and rendezvous points
- Examples: search engines, file storage, Facebook, etc.; WikiLeaks; Finnish sites also: sipuliwiki, thorlauta; illegal activities

Slide 41: Other systems: Freenet
- Freenet is a DHT-based P2P content distribution system
- Focus on censorship-resistant publishing
- Plausible deniability for content publishers and redistributors
- A node itself cannot determine what content it stores

Slide 42: Conclusions: anonymity
- Anonymity requires a crowd
- Mix networks: strong anonymity for messaging; mixing reduces performance
- Onion routing: interactive use; assumes a weaker adversary; Tor widely deployed

Slide 43: Exercises
1. Compare k-anonymity for senders in a threshold mix and a pool mix.
2. What can a malicious Tor exit node achieve?
3. Compare how the following affect the anonymity level in Tor and in high-latency email mixes: the percentage of compromised mixes; the number of mixes in the route; choosing a new random route periodically.
4. Is it possible to provide anonymity to honest users without helping criminals?
5. Learn about the latest attacks against Tor. New ones are published regularly. Why is this the case?
6. Is Tor use unobservable? That is, can it be used safely in a country or workplace where its use may be punished?
7. Could malware or other software on your computer leak information about which web sites you access with Tor (or to whom you send email through a mix network)?
8. Will using Tor make you more or less vulnerable to monitoring by governments?

Slide 44: Optional reading
Mix networks:
- A survey on mix networks and their secure applications (the first few pages are very good). K. Sampigethaya, R. Poovendran. Proceedings of the IEEE, 2006.
Anonymity metrics:
- k-anonymity: A model for protecting privacy. L. Sweeney. International Journal of Uncertainty, Fuzziness and …, 2002.
- Towards an information theoretic metric for anonymity. A. Serjantov, G. Danezis. Privacy Enhancing Technologies, 2003.
Original Tor paper:
- Tor: The second-generation onion router. R. Dingledine, N. Mathewson, P. Syverson. 2004. (E.g. the Tor threat model, more details on design choices, etc.)

