Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 361S Anonymity Networks.

Published byMerryl Park Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 361S Anonymity Networks."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 361S Anonymity Networks

2 slide 2 Privacy on Public Networks uInternet is designed as a public network Machines on your LAN may see your traffic, network routers see all traffic that passes through them uRouting information is public IP packet headers identify source and destination Even a passive observer can easily figure out who is talking to whom uEncryption does not hide identities Encryption hides payload, but not routing information Even IP-level encryption (tunnel-mode IPsec/ESP) reveals IP addresses of IPsec gateways

3 slide 3 Applications of Anonymity (1) uPrivacy Hide Web browsing and other online behavior from intrusive governments, advertisers, archivists uUntraceable electronic mail Political dissidents Corporate whistle-blowers Socially sensitive communications (online AA meeting) Confidential business negotiations uLaw enforcement and intelligence Sting operations and honeypots Secret communications on a public network

4 slide 4 Applications of Anonymity (2) uDigital cash Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity) uAnonymous electronic voting uCensorship-resistant publishing uCrypto-anarchy “Some people say `anarchy won't work’. That's not an argument against anarchy; that's an argument against work.” – Bob Black

5 slide 5 What is Anonymity? uAnonymity Observer can see who is using the system and which actions take place (email sent, website visited, etc.), but cannot link any specific action to a participant Hide your activities among others’ similar activities –Anonymity is the state of being not identifiable within a set of subjects You cannot be anonymous by yourself! –Big difference between anonymity and confidentiality uUnobservability Observer cannot even tell whether a certain action took place or not

6 slide 6 Attacks on Anonymity uPassive traffic analysis Infer from network traffic who is talking to whom Consequence: to hide your traffic, must mix it with other people’s traffic uActive traffic analysis Inject packets or put a timing signature on packet flow uCompromise of network nodes (routers) It may not be obvious to a user which nodes have been compromised  better not to trust any individual node –Assume that some fraction of nodes is good, don’t know which

7 slide 7 Chaum’s Mix uEarly proposal for anonymous email David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981. uPublic key crypto + trusted re-mailer (Mix) Untrusted communication medium Public keys used as persistent pseudonyms uModern anonymity systems use Mix as the basic building block Before spam, people thought anonymous email was a good idea

8 slide 8 Basic Mix Design A C D E B Mix {r 1,{r 0,M} pk(B),B} pk(mix) {r 0,M} pk(B),B {r 2,{r 3,M’} pk(E),E} pk(mix) {r 4,{r 5,M’’} pk(B),B} pk(mix) {r 5,M’’} pk(B),B {r 3,M’} pk(E),E Adversary knows all senders and all receivers, but cannot link a sent message with a received message

9 slide 9 Anonymous Return Addresses A B MIX {r 1,{r 0,M} pk(B),B} pk(mix) {r 0,M} pk(B),B M includes {K 1,A} pk(mix), K 2 where K 2 is a fresh public key Response MIX {K 1,A} pk(mix), {r 2,M’} K 2 A,{{r 2,M’} K 2 } K 1 Secrecy without authentication (good for an online confession service )

10 slide 10 Mix Cascades and Mixnets uMessages are sent through a sequence of mixes Can also form an arbitrary network of mixes (“mixnet”) uSome of the mixes may be controlled by attacker, but even a single good mix ensures anonymity uPad and buffer traffic to foil correlation attacks

11 slide 11 Disadvantages of Basic Mixnets uPublic-key encryption and decryption at each mix are computationally expensive uBasic mixnets have high latency Ok for email, but not for Web browsing uChallenge: low-latency anonymity network Use public-key cryptography to establish a “circuit” with pairwise symmetric keys between hops on the circuit Then use symmetric decryption and re-encryption to move data messages along the established circuits Each node behaves like a mix; anonymity is preserved even if some nodes are compromised

12 slide 12 Onion Routing R R4R4 R1R1 R2R2 R R R3R3 Bob R R R uSender chooses a random sequence of routers Some routers are honest, some controlled by attacker Sender controls the length of the path Alice [Reed, Syverson, Goldschlag 1997]

13 slide 13 Route Establishment R4R4 R1R1 R2R2 R3R3 Bob Alice {R 2,k 1 } pk(R 1 ),{ } k 1 {R 3,k 2 } pk(R 2 ),{ } k 2 {R 4,k 3 } pk(R 3 ),{ } k 3 {B,k 4 } pk(R 4 ),{ } k 4 {M} pk(B) Routing info for each link encrypted with router’s public key Each router learns only the identity of the next router

14 slide 14 Tor uSecond-generation onion routing network http://tor.eff.org Specifically designed for low-latency anonymous Internet communications (e.g., Web browsing) Running since October 2003 uHundreds of nodes on all continents uOver 2,500,000 users u“Easy-to-use” client Freely available, can use it for anonymous browsing

15 slide 15 Tor Circuit Setup (1) uClient proxy establishes a symmetric session key and circuit with Onion Router #1

16 slide 16 Tor Circuit Setup (2) uClient proxy extends the circuit by establishing a symmetric session key with Onion Router #2 Tunnel through Onion Router #1

17 slide 17 Tor Circuit Setup (3) uClient proxy extends the circuit by establishing a symmetric session key with Onion Router #3 Tunnel through Onion Routers #1 and #2

18 slide 18 Using a Tor Circuit uClient applications connect and communicate over the established Tor circuit Datagrams are decrypted and re-encrypted at each link

19 slide 19 Tor Management Issues uMany applications can share one circuit Multiple TCP streams over one anonymous connection uTor router doesn’t need root privileges Encourages people to set up their own routers More participants = better anonymity for everyone uDirectory servers Maintain lists of active onion routers, their locations, current public keys, etc. Control how new routers join the network –“Sybil attack”: attacker creates a large number of routers Directory servers’ keys ship with Tor code

20 slide 20 Location Hidden Services uGoal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it uAccessible from anywhere uResistant to censorship uCan survive a full-blown DoS attack uResistant to physical attack Can’t find the physical server!

21 slide 21 Creating a Location Hidden Server Server creates circuits to “introduction points” Server gives intro points’ descriptors and addresses to service lookup directory Client obtains service descriptor and intro point address from directory

22 slide 22 Using a Location Hidden Server Client creates a circuit to a “rendezvous point” Client sends address of the rendezvous point and any authorization, if needed, to server through intro point If server chooses to talk to client, connect to rendezvous point Rendezvous point splices the circuits from client & server

23 slide 23

24 slide 24 Silk Road Shutdown uRoss Ulbricht, alleged operator of the Silk Road Marketplace, arrested by the FBI on Oct 1, 2013 = ?

25 slide 25 Silk Road Shutdown Theories uA package of fake IDs from Canada traced to an apartment to San Francisco? uA fake murder-for-hire arranged by DPR? uA Stack Overflow question accidentally posted by Ulbricht under his real name? “How can I connect to a Tor hidden service using curl in php?” … a few seconds later, changed username to “frosty” … oh, and the encryption key on the Silk Road server ends with the substring "frosty@frosty" uProbably not weaknesses in Tor

26 slide 26 Dining Cryptographers uClever idea how to make a message public in a perfectly untraceable manner David Chaum. “The dining cryptographers problem: unconditional sender and recipient untraceability.” Journal of Cryptology, 1988. uGuarantees information-theoretic anonymity for message senders This is an unusually strong form of security: defeats adversary who has unlimited computational power uDifficult to make practical In a group of size N, need N random bits to send 1 bit

27 slide 27 Three-Person DC Protocol Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous. 1.Each diner flips a coin and shows it to his left neighbor Every diner will see two coins: his own and his right neighbor’s 2.Each diner announces whether the two coins are the same; if he is the payer, he lies (says the opposite) 3.Odd number of “same”  NSA is paying Even number of “same”  one of them is paying But a non-payer cannot tell which of the other two is paying!

28 slide 28 ? Non-Payer’s View: Same Coins “same”“different” payer ? “same”“different” Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

29 slide 29 ? Non-Payer’s View: Different Coins “same” payer ? “same” Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

30 slide 30 Superposed Sending uThis idea generalizes to any group of size N uFor each bit of the message, every user generates 1 random bit and sends it to 1 neighbor Every user learns 2 bits (his own and his neighbor’s) uEach user announces (own bit XOR neighbor’s bit) uSender announces (own bit XOR neighbor’s bit XOR message bit) uXOR of all announcements = message bit Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once

Download ppt "Slide 1 Vitaly Shmatikov CS 361S Anonymity Networks."

Similar presentations

Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.

Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.
The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.

The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:

1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Xinwen Fu Anonymous Communication & Computer Forensics 91.580.203 Computer & Network Forensics.

Xinwen Fu Anonymous Communication & Computer Forensics Computer & Network Forensics.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. Freedman, NYU Robert Morris, MIT ACM CCS 2002

Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. Freedman, NYU Robert Morris, MIT ACM CCS 2002
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Key Distribution CS 470 Introduction to Applied Cryptography

Key Distribution CS 470 Introduction to Applied Cryptography

Similar presentations

Ads by Google