Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy: anonymous routing, mix nets (Tor), and user tracking.

Published byKelley Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy: anonymous routing, mix nets (Tor), and user tracking."— Presentation transcript:

1 Privacy: anonymous routing, mix nets (Tor), and user tracking

2 Anonymous web browsing Why? 1. Discuss health issues or financial matters anonymously 2. Bypass Internet censorship in parts of the world 3. Conceal interaction with gambling sites 4. Law enforcement Two goals: Hide user identity from target web site: (1), (4) Hide browsing pattern from employer or ISP: (2), (3) Stronger goal: mutual anonymity (e.g. remailers)

3 Current state of the world I ISPs tracking customer browsing habits: Sell information to advertisers Embed targeted ads in web pages (1.3%)  Example: MetroFi (free wireless) [Web Tripwires: Reis et al. 2008] Several technologies used for tracking at ISP: NebuAd, Phorm, Front Porch Bring together advertisers, publishers, and ISPs  At ISP: inject targeted ads into non-SSL pages Tracking technologies at enterprise networks: Vontu (symantec), Tablus (RSA), Vericept

4 Current state of the world II EU directive 2006/24/EC: 3 year data retention For ALL traffic, requires EU ISPs to record:  Sufficient information to identify endpoints (both legal entities and natural persons)  Session duration  … but not session contents Make available to law enforcement  … but penalties for transfer or other access to data For info on US privacy on the net: “privacy on the line” by W. Diffie and S. Landau

5 Part 1: network-layer privacy Goals: Hide user’s IP address from target web site Hide browsing destinations from network

6 1 st attempt: anonymizing proxy HTTPS:// anonymizer.com ? URL=target User 1 User 2 User 3 anonymizer.com Web 1 Web 2 Web 3 SSL HTTP

7 Anonymizing proxy: security Monitoring ONE link: eavesdropper gets nothing Monitoring TWO links: Eavesdropper can do traffic analysis More difficult if lots of traffic through proxy Trust: proxy is a single point of failure Can be corrupt or subpoenaed  Example: The Church of Scientology vs. anon.penet.fi Protocol issues: Long-lived cookies make connections to site linkable

8 How proxy works Proxy rewrites all links in response from web site Updated links point to anonymizer.com  Ensures all subsequent clicks are anonymized Proxy rewrites/removes cookies and some HTTP headers Proxy IP address: if a single address, could be blocked by site or ISP anonymizer.com consists of >20,000 addresses  Globally distributed, registered to multiple domains  Note: chinese firewall blocks ALL anonymizer.com addresses Other issues: attacks (click fraud) through proxy

9 2 nd Attempt: MIX nets Goal: no single point of failure

10 E pk 2 ( R 3, E pk 3 ( R 6, MIX nets [C’81] Every router has public/private key pair Sender knows all public keys To send packet: Pick random route: R 2  R 3  R 6  srvr Prepare onion packet: R3R3 R5R5 R4R4 R1R1 R2R2 R6R6 E pk 6 ( srvr, msg) msg srvr packet =

11 Eavesdropper’s view at a single MIX Eavesdropper observes incoming and outgoing traffic Crypto prevents linking input/output pairs Assuming enough packets in incoming batch If variable length packets then must pad all to max len Note: router is stateless user 1 user 2 user 3 RiRi batch

12 Performance Main benefit: Privacy as long as at least one honest router on path Problems: High latency (lots of public key ops)  Inappropriate for interactive sessions  May be OK for email (e.g. Babel system) No forward security Homework puzzle: how does server respond? hint: user includes “response onion” in forward packet R3R3 R2R2 R6R6 srvr

13 3 rd Attempt: Tor MIX circuit-based method Goals:privacy as long as one honest router on path, and reasonable performance

14 The Tor design Trusted directory contains list of Tor routers User’s machine preemptively creates a circuit Used for many TCP streams New circuit is created once a minute R1R1 R2R2 R3R3 R4R4 srvr 1 srvr 2 R5R5 R6R6 one minute later stream 1 stream 2

15 Creating circuits R1R1 R2R2 TLS encrypted Create C 1 D-H key exchange K1K1 K1K1 Relay C 1 Extend R 2 D-H key exchange K2K2 K2K2 Extend R 2

16 Once circuit is created User has shared key with each router in circuit Routers only know ID of successor and predecessor R1R1 R2R2 R3R3 R4R4 K 1, K 2, K 3, K 4 K1K1 K2K2 K3K3 K4K4

17 Sending data R1R1 R2R2 Relay C 1 Begin site:80 Relay C 2 Begin site:80 TCP handshake Relay C 1 data HTTP GET Relay C 2 data HTTP GET HTTP GET K1K1 K2K2 resp Relay C 2 data resp Relay C 1 data resp

18 Properties Performance: Fast connection time: circuit is pre-established Traffic encrypted with AES: no pub-key on traffic Tor crypto: provides end-to-end integrity for traffic Forward secrecy via TLS Downside: Routers must maintain state per circuit Each router can link multiple streams via CircuitID  all steams in one minute interval share same CircuitID

19 Privoxy Tor only provides network level privacy No application-level privacy  e.g. mail progs add “From: email-addr” to outgoing mail Privoxy: Web proxy for browser-level privacy Removes/modifies cookies Other web page filtering

20 Anonymity attacks: watermarking Goal: R 1 and R 3 want to test if user is communicating with server Basic idea: R 1 and R 3 share sequence:  1,  2, …,  n  {-10,…,10} R 1 : introduce inter-packet delay to packets leaving R 1 and bound for R 2. Packet i delayed by  i (ms) Detect signal at R 3 R1R1 R2R2 R3R3

21 Anonymity attacks: congestion Main idea: R 8 can send Tor traffic to R 1 and measure load on R 1 Exploit: malicious server wants to identify user Server sends burst of packets to user every 10 seconds R 8 identifies when bursts are received at R 1  Follow packets from R 1 to discover user’s ID R1R1 R2R2 R3R3 R8R8

22 Web-based user tracking Browser provides many ways to track users: 1. 3 rd party cookies ; Flash cookies 2. Tracking through the history file 3. Machine fingerprinting

23 3 rd party cookies What they are: User goes to site A. com ; obtains page Page contains Browser goes to B.com ; obtains page HTTP response contains cookie Cookie from B.com is called a 3 rd party cookie Tracking: User goes to site D.com D.com contains B.com obtains cookie set when visited A.com  B.com knows user visited A.com and D.com

24 Can we block 3 rd party cookies? Supported by most browsers IE and Safari:block set/write Ignore the “Set-Cookie” HTTP header from 3 rd parties  Site sets cookie as a 1 st party; will be given cookie when contacted as a 3 rd party Enabled by default in IE7 Firefox and Opera:block send/read Always implement “Set-Cookie”, but never send cookies to 3 rd party Breaks sess. mgmt. at several sites (off by default)

25 Effectiveness of 3 rd party blocking Ineffective for improving privacy 3 rd party can become first party and then set cookie Flash cookies not controlled by browser cookie policy Better proposal: Delete all browser state upon exit Supported as an option in IE7

26 26 Tracking through the history file Goal: site wishes to query user’s history file: a#visited {background: url(track.php?bank.com);} Hi Applications: Context aware phishing:  Phishing page tailored to victim Marketing Use browsing history as 2 nd factor authentication

27 27 Context-aware Phishing Stanford students see: Cal students see:

28 28 SafeHistory/SafeCache [JBBM’06] Define Same Origin Policy for all long term browser state history file and web cache Firefox extensions: SafeHistory and SafeCache Example: history Color link as visited only when site can tell itself that user previously visited link:  A same-site link, or  A cross-site link previously visited from this site

29 Machine fingerprinting Tracking using machine fingerptings User connects to site A.com Site builds a fingerprint of user’s machine Next time user visits A.com, site knows it is the same user

30 Machine fingerprints [Khono et al.’05] Content and order of HTTP headers  e.g. user-agent header: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 Javascript and JVM can interrogate machine properties: Timezone, local time, local IP address TCP timestamp: exploiting clock skew TCP_timestamp option: peer embeds 32-bit time in every packet header. Accurate to ≈100ms fingerprint = (real-time ∆ between packets) (timestamp ∆ between-packets)

31 De-anonymizing data

32 Problem statement An organization collects private user data Wishes to make data available for research Individual identities should be hidden Examples: Search queries over a 3 month period (AOL) Netflix movie rentals Stanford boarder router traffic logs Census data Social networking data

33 Incorrect approach Replace “username” or “userID” by random value Dan  a56fd863ec John  87649dce63 Same value used for all appearances of userID Problem: often data can be de-anonymized by combining auxiliary information Examples:AOL search data census data

34 Correct approach Not in this course See: http://theory.stanford.edu/~rajeev/privacy.html

35 THE END

Download ppt "Privacy: anonymous routing, mix nets (Tor), and user tracking."

Similar presentations

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.

CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Similar presentations

Ads by Google