Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.

Published byKory Hoover Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and."— Presentation transcript:

1 Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006

2 2 Goals of the Paper  Overview of onion routing  Explanation of security goals  Description of network model & assumptions  Discussion of adversary types  Security analysis  Comparison with Crowds  Overview of onion routing  Explanation of security goals  Description of network model & assumptions  Discussion of adversary types  Security analysis  Comparison with Crowds

3 3 Onion Routing  Onion router ≈ real time Chaum mix  Store and forward with minimal delays  Onion routing connection phases  Setup  Transmission  Teardown  Onion router ≈ real time Chaum mix  Store and forward with minimal delays  Onion routing connection phases  Setup  Transmission  Teardown

4 4 Setup Phase  Connection initiator builds an onion  Layered cryptographic structure, specifying:  Path through network  Point-to-point symmetric encryption algorithms  Cryptographic keys  Structure not rigorously specified in paper  At each step  Router decrypts entire structure  Sets up encrypted channels to predecessor and successor nodes  Forwards new onion on to successor  Connection initiator builds an onion  Layered cryptographic structure, specifying:  Path through network  Point-to-point symmetric encryption algorithms  Cryptographic keys  Structure not rigorously specified in paper  At each step  Router decrypts entire structure  Sets up encrypted channels to predecessor and successor nodes  Forwards new onion on to successor

5 5 Transmission Phase  When connection initiator wants to send data  Break data into uniform (128 bit) blocks  Encrypt each block once for each router in the path  Note: Use symmetric encryption here  Send data to first onion router  All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!  When connection initiator wants to send data  Break data into uniform (128 bit) blocks  Encrypt each block once for each router in the path  Note: Use symmetric encryption here  Send data to first onion router  All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!

6 6 Security Goals  The goal is to hide  Sender activity  Receiver activity  Sender content  Receiver content  Source-destination pairs  The goal is to hide  Sender activity  Receiver activity  Sender content  Receiver content  Source-destination pairs

7 7 Network Assumptions 1.Onion routers are all fully connected 2.Links are padded or bandwidth-limited to a constant rate 3.Unrestricted exit policies 4.For each route, each hop is chosen at random 5.Number of nodes in a route is chosen at random 1.Onion routers are all fully connected 2.Links are padded or bandwidth-limited to a constant rate 3.Unrestricted exit policies 4.For each route, each hop is chosen at random 5.Number of nodes in a route is chosen at random

8 8 Know Your Enemy…  4 Types of adversaries  Observer  Disrupter  Hostile user  Compromised COR  4 Types of adversaries  Observer  Disrupter  Hostile user  Compromised COR  Adversary distributions  Single  Multiple  Roving  Global Note: Authors claim that a group of roving compromised CORs is most powerful (and realistic) adversary model. Is this true?

9 9 Security Analysis

10 10 Analysis Parameters  r : number of CORs in the system  S : set of CORs in the system  n : route length  R = {R 1, R 2, …, R n } : A specific route  c : maximum number of compromised CORs  C : set of compromised CORS  r : number of CORs in the system  S : set of CORs in the system  n : route length  R = {R 1, R 2, …, R n } : A specific route  c : maximum number of compromised CORs  C : set of compromised CORS

11 11 Important Cases  Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider.  R 1  C  Probability = c/r  R n  C  Probability = c/r  R 1 and R n  C  Probability = c 2 /r 2  Each case has it’s own important properties  Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider.  R 1  C  Probability = c/r  R n  C  Probability = c/r  R 1 and R n  C  Probability = c 2 /r 2  Each case has it’s own important properties

12 12 Properties of Attacks R 1  CR n  CR 1 and R n  C Sender activityYesNoYes Receiver activityNoYes Sender contentNo Inferred Receiver contentNoYes S/D linkingNo Yes

13 13 The Attacker’s Game  Probability that at least one COR on the route is compromised a startup  1 - Pr(R  C =  ) = 1 - (r-c) n /r n  Adversary determines  R s where s = min(j  [1 … n] and R j  R  C)  R e where e = max(j  [1 … n] and R j  R  C)  Attacker can easily test to see if R s = R e, R s = R 1, or R e = R n  Probability that at least one COR on the route is compromised a startup  1 - Pr(R  C =  ) = 1 - (r-c) n /r n  Adversary determines  R s where s = min(j  [1 … n] and R j  R  C)  R e where e = max(j  [1 … n] and R j  R  C)  Attacker can easily test to see if R s = R e, R s = R 1, or R e = R n

14 14 The Attacker’s Game (cont.)  At each time step  Move one step closer to R 1 (e.g., R s = R s-1 )  Move one step closer to R n (e.g., R e = R e+1 )  Compromise c-2 routers to try to find another link in the route  Unless one endpoint is found, then can compromise c-1 routers  Worst case: max(s, n-e) rounds to reach both endpoints  Don’t offer analytic solution to expected number of rounds to compromise both endpoints  At each time step  Move one step closer to R 1 (e.g., R s = R s-1 )  Move one step closer to R n (e.g., R e = R e+1 )  Compromise c-2 routers to try to find another link in the route  Unless one endpoint is found, then can compromise c-1 routers  Worst case: max(s, n-e) rounds to reach both endpoints  Don’t offer analytic solution to expected number of rounds to compromise both endpoints

15 15 Example (n=6, r=10, c=2) Attacker Wins!

16 16 Thoughts on the “Game”  What is a round? An attacker unit of time? A defender unit of time?  How long is a round? What does this analysis tell us without knowing that?  If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?  Can we derive meaningful requirements from this analysis?  What is a round? An attacker unit of time? A defender unit of time?  How long is a round? What does this analysis tell us without knowing that?  If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?  Can we derive meaningful requirements from this analysis?

17 17 Discussion Questions  What are the dangers of assumption 2 (constant bandwidth)?  Is the freedom to choose one’s routes through the network a double-edged sword?  What are the dangers of assumption 2 (constant bandwidth)?  Is the freedom to choose one’s routes through the network a double-edged sword?

18 18 Discussion Questions (cont.)  Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?  The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?  Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?  The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?

19 19 Discussion Questions (cont.)  Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.

Download ppt "Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and."

Similar presentations

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
21-23 November, 2012, 5th IDCS, Wu Yi Shan, China Smartening the Environment using Wireless Sensor Networks in a Developing Country Presented By Al-Sakib.

21-23 November, 2012, 5th IDCS, Wu Yi Shan, China Smartening the Environment using Wireless Sensor Networks in a Developing Country Presented By Al-Sakib.
Presented By: Hathal ALwageed 1.  R. Anderson, H. Chan and A. Perrig. Key Infection: Smart Trust for Smart Dust. In IEEE International Conference on.

Presented By: Hathal ALwageed 1.  R. Anderson, H. Chan and A. Perrig. Key Infection: Smart Trust for Smart Dust. In IEEE International Conference on.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team 2009.07.20.

Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Distributed Algorithms for Secure Multipath Routing

Distributed Algorithms for Secure Multipath Routing
Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.
Confidentiality using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario –workstations.

Confidentiality using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario –workstations.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.

The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.
1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Mobile Ad Hoc Networks Mobility (III) 12th Week 10.07.-13.07.2007.

1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Mobile Ad Hoc Networks Mobility (III) 12th Week
Analysis of Onion Routing Presented in 294-4 by Jayanthkumar Kannan On 10/8/03.

Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.

Similar presentations

Ads by Google