Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

1 Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259 http://nms.lcs.mit.edu/~sachin/slicing.html

2 What is Onion Routing
[Figure: Alice, Bob and nodes Na, Nb, Nc, Nd]
- packets are encrypted in layers
- each node decrypts the packet using its key, figures out the next hop
- usually public/private key pairs used, but here symmetric keys will be used
- how to distribute the keys to nodes? use information slicing: split the key into lots of pieces, send them on disjoint paths to the respective target nodes

3 Key Distribution
- Bob reassembles message it received from Ne and Nb to yield I_B1, I_B2 meant for him and also I_a1 to be sent to Na, I_d2 to be sent to Nd.
- here there are 3 stages (L), split factor is 2 (d)
[Figure: Alice, nodes Na, Nb, Nc, Nd, Ne and Bob, labelled with the information slices each one receives and forwards]

4 Anonymity
- Degree of Anonymity
  - Measured as entropy of the system
- Unlinkability
  - … of different actions by a single user
- Source/Destination anonymity
  - Source is hidden from all nodes including destination (same argument for destination)
- We will focus on Source anonymity

5 Observations
- If the adversary is in control of a stage, it can get all information about keys and nodes in subsequent stages
- If the adversary doesn't control all the nodes in a stage, it is as good as controlling only 1 node in that stage.
- Adversary cannot correlate information if its nodes are not in consecutive stages
- Best case scenario is when
  - 1st stage is compromised or else
  - the adversary has only 1 node in consecutive stages
[Figure: Alice, nodes Na, Nb, Nc, Nd, Ne and Bob, labelled with the information slices each one receives and forwards]

6 Adversary Model
- Adversary controls a fraction of nodes in the graph
- It is able to figure out if it has nodes in consecutive stages and if it has multiple nodes in some stage
- It knows about the parameters L (number of stages) and d (splitting factor)
- It tries to find the single largest chain of its nodes and tries to guess that the node prior to its chain head is the source (its guess will be good only if its chain head lies in the first stage)
[Figure: Alice, nodes Na, Nb, Nc, Nd, Ne, Nf, Ng and Bob]

7 Analysis
- Given L, d, f, figure out all possible arrangements of adversary nodes in the graph (hard). More later.
- For each arrangement figure out what is the longest chain of adversary nodes possible (easy)
- Given the length of the chain, find out the likelihood of correct guess of the source (easy)
  - e.g. if L is 10, chain length is 7, chances are 0.25 that the head is in stage 1
- The authors did it differently: they assumed a network of N=100,000 nodes, of which fraction f were malicious, chose L*d nodes from N (some of which were malicious) and ran simulations to find chain lengths.

8 Anonymity: dependent on L
- If L increases, the adversary nodes are spread out and it is more difficult to form unbroken chains with nodes in consecutive stages.
- Broken chains render adversary nodes useless because the adversary cannot correlate nodes that are not part of the same chain

9 Anonymity: dependent on d
- When f is low, increasing d creates more chances for the adversary to have nodes in consecutive stages
- When f is high, there is a high likelihood that the adversary controls an entire stage, so increasing d will break this scenario

10 Analysis 2
- Didn't use Murphi, or any tool, used C++ programs to achieve the "hard" part (Given L, d, f, figure out all possible arrangements of adversary nodes in the graph)
- given L (6), d (4), f (.25), m (6) = L * d * f;
- find all partitions of m such that none of the terms is > d
- find out how many 1-chain, 2-chain, 3-chain.. m-chains can be made
    $ ./arrangements 6 4 ../partitions/p6 m6d4 2 = 28
  => given 2 stages with d=4, how many ways can we choose places for 6 adversary nodes (partitions used [2,4] [3,3] [4,2])
- for all possible permutations of m adversary nodes in L*d nodes find out frequency of 1 chain, 2 chain 3 chain... m-chain
    $ ./chains 6 4 .25 L6d4f25 0xb 3 2 604800.000000
  => 3 stages in which adversary nodes present (0 0 1 0 1 1) but the effective chain length is only 2. 604800 = all possible combinations of 6 adversary nodes when present in 3 stages with d=4.
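
The counting described on slides 7 and 10, as an added example in Python (not the presenter's C++ programs): it enumerates which stages hold adversary nodes, counts the placements for each pattern, and tallies the longest chain of consecutive compromised stages. All function names are hypothetical, and breaking ties toward the earliest chain is an assumption.

```python
from itertools import product
from math import comb

def ways_for_mask(mask, d, m):
    """Ways to place m adversary nodes so exactly the stages flagged in mask
    (tuple of 0/1, d slots per stage) each hold at least one of them."""
    total = 0
    # Ordered partitions of m over the flagged stages, no term larger than d.
    for parts in product(range(1, d + 1), repeat=sum(mask)):
        if sum(parts) == m:
            ways = 1
            for p in parts:
                ways *= comb(d, p)  # choose which p of the d slots are hostile
            total += ways
    return total

def longest_chain(mask):
    """(length, 1-based head stage) of the longest run of consecutive
    compromised stages; ties go to the earliest run (assumption)."""
    best_len, head, run = 0, 0, 0
    for i, bit in enumerate(mask):
        run = run + 1 if bit else 0
        if run > best_len:
            best_len, head = run, i - run + 2
    return best_len, head

def chain_distribution(L, d, m):
    """chain length -> [arrangements, arrangements with the head in stage 1]."""
    dist = {}
    for mask in product((0, 1), repeat=L):
        ways = ways_for_mask(mask, d, m)
        if ways:
            length, head = longest_chain(mask)
            entry = dist.setdefault(length, [0, 0])
            entry[0] += ways
            entry[1] += ways if head == 1 else 0
    return dist

def p_head_in_stage_1(L, chain_len):
    """Slide 7 estimate: the chain is equally likely to start at any of the
    L - chain_len + 1 stages where it fits (a reading of the 0.25 figure)."""
    return 1 / (L - chain_len + 1)

if __name__ == "__main__":
    L, d, f = 6, 4, 0.25
    m = round(L * d * f)  # 6 adversary nodes, as on slide 10
    for length, (n, first) in sorted(chain_distribution(L, d, m).items()):
        print(f"chain {length}: {n} arrangements, {first} start at stage 1")
```

For the stage pattern 0 0 1 0 1 1 this counts 840 unordered placements; 840 multiplied by the 6! orderings of the adversary nodes equals the 604800 on slide 10, which suggests that program counted the nodes as distinguishable.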

