Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale.

Published byDoris Cooper Modified over 9 years ago

Similar presentations

Presentation on theme: "Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale."— Presentation transcript:

1 Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale University Aaron Johnson University of Texas at Austin Paul Syverson Naval Research Laboratory 1

2 Problem 2

3 UsersOnion Routers Destinations Onion routing suffers from timing attacks. Adversary 3

4 Problem UsersOnion Routers Destinations Onion routing suffers from timing attacks. Adversary 4 Encrypted Unencrypted

5 Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 5

6 Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 6

7 Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 7

8 Problem Onion Routers Onion routing suffers from timing attacks. Adversary UsersDestinations 8

9 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 9

10 Problem Padding Schemes 1.Constant-rate padding 2.Variable-rate padding 1 1. Timing analysis in low-latency mix networks: Attacks and defenses. Shmatikov & Wang, ESORICS 06. 2. Dependent link padding algorithms for low latency anonymity systems. Wang and Srinivasan, CCS 08. 3.Minimal padding 2 10

11 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 11

12 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 12

13 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 13

14 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Adversary UsersDestinations 14

15 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 15

16 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 16

17 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 17

18 Problem Onion Routers Onion routing suffers from timing attacks. Passive timing attack Active timing attack Adversary UsersDestinations 18

19 Problem Onion routing suffers from timing attacks. How bad is it? Tor: 250 guard routers 500 exit routers 7571 unique users daily per guard 1 Top 2% contribute 50% bandwidth 1 1. McCoy, Bauer, Grunwald, Kohno, and Sicker. Shining light in dark places: Understanding the Tor network. PETS 2008. Case 1: Adversary runs one guard and one exit. # comp. = 7571/500  15 Case 2: Adversary’s guard and exit are in top 2% of bandwidth. # users = 7571*.5/.02  189275 # comp. = 189275*.5/(500*.02)  9464 19

20 Results 20

21 Results 1.Protocol for defeating active timing attacks given a padding scheme Reduces active timing attacks to passive timing attacks Uses redundancy and timestamps 2.Provides a tradeoff between anonymity and performance 3.Protects against adversaries smaller than half of the network. This is optimal. 4.Measurements on Tor suggest it may be usable in practice. 21

22 Model 22

23 Model Users: U Routers: R Destinations: D Adversary: A  R, b = |A|/|R| Probabilistic delays – Random link delay: d(r,s), r,s  R – Random processing delay: d(r), r  R Synchronized clocks with tolerance  Padding scheme P(x) – Input: New connection information, x – Output: Timing patterns in both directions,  0,  1 – Provides S u  U, users with the same timing as u 23

24 Protocol 24

25 Protocol To the destination Multiple entry points One exit point Entering data encrypted Exiting data unencrypted From the destination Multiple exit points One entrance point Exiting data encrypted Entering data unencrypted 25

26 Protocol To the destination 26

27 Protocol To the destination 27

28 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 28

29 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 29

30 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 30

31 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 31

32 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) 32

33 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 k 33

34 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 34

35 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 35

36 Protocol To the destination Take 0 (onion routing): Pr[compromised] = b 2 Take 1 (two entry points): Pr[compromised] = b 3 (3-2b) Take 2 (k entry points): Pr[compromised] = b 2 (1-(1-b) k +(1-b)b k-1 )  b 2 Take 3 (layered mesh) logl l 36

37 Protocol To the destination Problem: Adversary can make delays more likely even if not certain. Solution: Use timestamps. Arrival prob.:.95 = Pr[d(r,s) + d(s)  d*(r,s)] ith send time: t i = t i-1 +max j,k d*(r (i-1)j,r i,k )+  37

38 Protocol From the destination 38

39 Protocol From the destination Path of length k Each router has and enforces timing pattern. 39

40 Protocol From the destination Path of length k Each router has and enforces timing pattern. 40

41 Protocol Setup (l,k,p,c) 1.Randomly select the routers for c fixed l  logl meshes with k-length return paths. 2.Determine delays d*(r,s) such that p = Pr[d(r,s) + d(r)  d*(r,s)] User 1.Choose (mesh,path) pair ( M, P ). 2.Obtain padding (  0,  1 ) = P(x). 3.Randomly select identifiers n s i. 4.Generate private keys k s i. 5.Send O(  1 ),n si, n si, k s i through M to s i  P. Network 41

42 Analysis 42

43 Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ 43

44 Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) 44

45 Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) Theorem 3: Let c(b) be the probability of compromise in some forwarding topology. If b 1-b-  (1-b)/b. 45

46 Analysis Theorem 1: lim l,k  Pr[compromise] = 0b < ½ ¼b = ½ bb > ½ Theorem 2: Pr[compromise] =  (l log(b)-log(1-b) ) Theorem 3: Let c(b) be the probability of compromise in some forwarding topology. If b 1-b-  (1-b)/b. Theorem 4: 1.Latency is (l+k+2). 2.# of messages is 2logl+(I-1)(logl) 2 +k+2. 46

47 Analysis MeshOnion Routing blwPr[comp.]MessagesPr[comp.]Messages.0533.000229.00258.0543.0000339.002510.143.000739.0110.2542.030322.062510 Mesh routing vs. Onion routing 47

48 Tor Measurements Measured delays in Tor for a month (3/09). Delays for new connections and 400-byte packets. Used empirical measurements for delay distributions per router per 6hr. Period. Analysis 48 Relative added connection delays (p=.95) Relative added packet delays (p=.95) p(50)  1.48 p(50)  2.95

49 Conclusion Reduced active timing attacks to designing padding schemes. Protocol allows system to trade off anonymity and performance. Future work – Usable padding scheme – Free routes – Protection from DOS attacks 49

50 Protocol To the destination Message Onion Message M Random numbers n r i, n s i Private key k r {M} r denotes encryption with r’s public key Destination d O(M) = {n r 1, t 1, {n r 2, t 2,  {n r, d, n s 1, k r, M} r  } r 2 } r 1 50

51 Protocol To the destination User Router r i 1.Let M be waiting message or dummy if none. 2.When pattern  0 instructs, send O(M) to each router in first mesh layer. 1.On incoming {n r i, t, M} r i, if n r i is previously unseen, send M at time t to each router in next layer. 51

52 Protocol From the destination {M} k denotes encryption with private key k. n s i, n s i+1 are identifiers given to s i by user k s i is private key given to s i by user  1 is return pattern given by user Router s i 1.On incoming, place into queue. 2.When pattern  1 instructs, take from queue (or dummy) send to s i+1. 52

Download ppt "Preventing Active Timing Attacks in Low- Latency Anonymous Communication The 10 th Privacy Enhancing Technologies Symposium July 2010 Joan Feigenbaum Yale."

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
LASTor: A Low-Latency AS-Aware Tor Client

LASTor: A Low-Latency AS-Aware Tor Client
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.

PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.

LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.

Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory

Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.

Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.

Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.

Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.

1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.

On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.
Privacy Protection In Grid Computing System Presented by Jiaying Shi.

Privacy Protection In Grid Computing System Presented by Jiaying Shi.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Similar presentations

Ads by Google