Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security: Anonymity

Published byBrenda Harmon Modified over 7 years ago

Similar presentations

Presentation on theme: "Network Security: Anonymity"— Presentation transcript:

1 Network Security: Anonymity
Tuomas Aura T Network security Aalto University, autumn 2015

2 Network Security Part 1: The Internet
July 2004, Shanghai Outline Anonymity and privacy High-latency anonymous routing Low-latency anonymous routing — Tor Tuomas Aura, Microsoft Research

3 Anonymity and privacy

4 Anonymity terminology
Identity, identifier Anonymity — they don’t know who you are Unlinkability — they cannot link two events or actions (e.g. messages) with each other Pseudonymity — intentionally allow linking of some events to each other E.g. sessions, payment and service access Authentication — strong verification of identity Weak identifier — not usable for strong authentication but may compromise privacy E.g. nickname, IP address, SSID, service usage profile Authorization — verification of access rights Does not always imply authentication (remember SPKI)

5 Anonymity in communications
Anonymity towards communication peers Sender anonymity — receiver does not know who and where sent the message Receiver anonymity — can send a message to a recipient without knowing who and where they are Third-party anonymity — an outside observer cannot know who is talking to whom Unobservability — an outside observer cannot tell whether communication takes place or not Strength depends on the capabilities of the adversary Anonymity towards access network Access network does not know who is roaming there Relate concepts: location privacy, censorship resistance

6 Privacy Control over personal information Right to be left alone
Emphasized in Europe Gathering, disclosure and false representation of facts about one’s personal life Right to be left alone Emphasized in America Avoiding interference, control, discrimination, spam, censorship Anonymity is a tool for achieving privacy Blending into the crowd

7 Who is the adversary? Discussion: who could violate your privacy and anonymity? Global attacker, your government e.g. total information awareness, retention of traffic data Servers across the Internet, colluding commercial interests e.g. web cookies, trackers, advertisers Criminals e.g. identity theft Employer People close to you e.g. stalkers, co-workers, neighbors, family members

8 Randomized identifiers
Replace permanent identifiers with random pseudonyms, e.g. TMSI in GSM Especially important below the encryption layer Random interface id in IPv6 address [RFC 4941] Random MAC addresses suggested Need to also consider weak identifiers i.e. implicit identifiers E.g., IPID, TCP sequence number

9 Strong anonymity? Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication Even the strongest mechanisms have serious weaknesses Need to trust many others to be honest Services operated by volunteers and activists Side-channel attacks Anonymity tends to degrade over time for persistent communication

10 Mixes: high-latency anonymous routing

11 Mix (1) Mix is an anonymity service [Chaum 1981]
Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observer The mix receives encrypted messages (e.g. ), decrypts them, and forwards to recipients

12 Mix (2) Attacker can see the input and output of the mix
Attacker cannot see how messages are shuffled in the mix Anonymity set = all nodes that could have sent (or could be recipients of) a particular message

13 ! Mix (3) Two security requirements: Not just basic encryption!
Bitwise unlinkability of input and output messages — cryptographic property of the encryption; must resist active attacks Resistance to traffic analysis — attacker adds delay or injects dummy messages Not just basic encryption! Must resist adaptive chosen-ciphertext attack (NM-CCA2) Replay prevention and integrity check needed at the mix Examples of design mistakes: FIFO order of delivering messages; no freshness check at mix; no random initialization vector for encryption; no padding to hide message length; malleable encryption NM-CCA2 = non-malleability under adaptive chosen ciphertext attack.

14 Mixing in practice ! Threshold mix — wait to receive k messages before delivering Anonymity set size k Pool mix — mix always buffers k messages, sends one when it receives one Both strategies add delay → high latency Not all senders and receivers are always active In a closed system, injecting cover traffic can fix this (What about the Internet?) Real communication ( , TCP packets) does not comprise single, independent messages but common traffic patterns such as connections Attacker can observe beginning and end of connections Attacker can observe request and response pairs → statistical traffic analysis is possible

15 Who sends to whom? Threshold mix with threshold 3

16 ! Anonymity metrics Size of the anonymity set: k-anonymity
Suitable for one round of threshold mixing Problems with k-anonymity: Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is high Pool mix: k approaches infinity Entropy: E = Σi=1…n (pi ∙ log2pi) Measures the average amount of missing in information in bits: how much does the attacker not know Can measure entropy of the sender, recipient identity etc. Some individuals may be disclosed even if the average entropy is high Problems with measuring anonymity: Anonymity of individual messages vs. anonymity in a system Depends on the attacker’s capabilities and background information Anonymity usually degrades over time as attacker collects more statistics

17 Anonymizing data (not really part of this course)
Anonymizing statistical and research data sets is a difficult problem e.g. medical research, Netfix competition Whether a query can be made without violating anonymity depends on previous queries made from the data and on the public information available Differential privacy means that the output of a statistical function M is unlikely to change because one individual is or is not included in the dataset: Pr[M(x)∈S] ≤ eε∙Pr[M(y)∈S]+δ when ∥x−y∥1 ≤1

18 Trusting the mix The mix must be honest
Example: anonymous r ers for anon.penet.fi 1993–96 → Route packets through multiple mixes to avoid single point of failure Attacker must compromise all mixes on the route Compromising almost all mixes may reduce the size of the anonymity set

19 Mix network (1)

20 Mix network (2) Mix network is a distributed implementation of mix

21 ! Onion encryption Onion encryption:
Alice → M1: EM1(M2,EM2(M3,EM3(Bob,M))) M1 → M2: EM2(M3,EM3(Bob,M)) M2 → M3: EM3(Bob,M) M3 → Bob: M Encryption at every layer must provide bitwise unlinkability → detect replays and check integrity → in free routing, must keep message length constant Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption

22 Routing in mix networks
Mix cascade — all messages from all senders are routed through the same sequence of mixes Good anonymity, poor scalability, poor reliability Used in voting systems Free routing — each message is routed independently via multiple mixes Used in P2P systems Other policies between these two extremes But remember that the choice of mixes could be a weak identifier

23 ! Sybil attack Attack against open systems which anyone can join
Mixes tend to be run by volunteers Attacker creates a large number of seemingly independent nodes, e.g. 50% off all nodes → some routes will go through only attacker’s nodes Defence: increase the cost of joining the network: Human verification that each mix is operated by a different person or organization The IP address of each mix must be in a new domain Require good reputation of a measurable kind that takes time and effort to establish Select mixes in a route to be at diverse locations Sybil attacks are a danger to most P2P systems, not just anonymous routing E.g. reputation systems, content distribution

24 Other attacks (n-1) attack Statistical attacks
Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get though → easy to trace because all other packets are the attacker’s Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection Statistical attacks Attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns

25 Receiver anonymity ! Alice distributes a reply onion: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K)))) Messages from Bob to Alice: Bob → M3: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K)))), M M3 → M2: EM2(M1,k2,EM1(Alice,k1,EAlice(K))), Ek3(M) M2 → M1: EM1(Alice,k1,EAlice(K)), Ek2(Ek3(M)) M1 → Alice: EAlice(K), Ek1(Ek2(Ek3(M))) Alice can be memoryless: ki = h(K, i)

26 Low-latency anonymous routing

27 Tor “2nd generation onion router”
Mix networks are ok for but too slow for interactive use like web browsing New trade-off between efficiency and anonymity: No mixing at the onion routers All packets in a session, in both directions, go through the same routers Short route, always three onion routers Tunnels based on symmetric cryptography No cover traffic Protects against local observers at any part of the path, but vulnerable to a global attacker More realistic attacker model: attacker can control some nodes, can sniff some links, not everything SOCKS interface at clients → works for any TCP connection

28 Alice not authenticated, only the ORs
Tunnels in Tor [Danezis] Alice OR1 OR2 OR3 Bob Authenticated DH Alice – OR1 K1 K1 Alice not authenticated, only the ORs Encrypted with K1 Authenticated DH, Alice – OR2 K1,K2 K2 Encrypted with K1, K2 Authenticated DH, Alice – OR3 K1,K2,K3 K3 Encrypted with K1, K2, K3 TCP connection Alice –Bob Last link unencrypted

29 ! Tunnels in Tor [Danezis] Alice OR1 OR2 OR3 Bob Authenticated DH
K1 K1 Alice not authenticated, only the ORs Encrypted with K1 Authenticated DH, Alice – OR2 K1,K2 K2 Encrypted with K1, K2 Authenticated DH, Alice – OR3 K1,K2,K3 K3 Additionally, linkwise TLS connections: Alice–OR1–OR2–OR3 Encrypted with K1, K2, K3 TCP connection Alice –Bob Last link unencrypted

30 Tor limitations (1) Identifying packet streams is very easy
Passive fingerprinting by packet size, timing Active traffic shaping (stream watermarking) → Anonymity compromised if attacker can see or control the first and last link Long routes don’t help if the attacker owns the first and last OR If c is the fraction of compromised ORs, probability of compromise is c2 Why three routers, not two? Out of habit? Attacker in control of first or last router cannot immediately go and compromise the other one when there is a middle router

31 Tor limitations (2) Client must know the addresses and public keys of all onion routers If client only knows a small subset of routers, it will always choose all three routers from this subset → implicit identifier E.g. client knows 10 out of 1000 routers = 1% → Attacker in control of the last router can narrow down the client identity to (0.01)2 = 0.01% of all clients → Attacker in control of two last routers can narrow the client identity down to (0.01)3 = % of all clients Blacklisting of entry or exit nodes

32 Freenet Freenet is a DHT-based P2P content distribution system
Focus on sensorship resistant publishing Plausible deniability for content publishers and redistributors Node itself cannot determine what content it stores

33 Applications of anonymous routing
Protection against mass surveillance Censorship resistance, freedom or speech Protection against discrimination, e.g. geographic access control or price differentiation Business intelligence, police investigation, political and military intelligence Whistle blowing, crime reporting Electronic voting Cyber war, crime, illegal and immoral activities?

34 Exercises Compare k-anonymity for senders in threshold mix and pool mix What can a malicious Tor exit node achieve? Compare how the following affect anonymity level in Tor and high-latency mixes: Percentage of compromised mixes Number of mixes in the route Choosing a new random route periodically Is it possible to provide anonymity to honest users without helping criminals? Learn about the latest attacks against Tor. New ones are published regularly. Why is this the case? Is Tor use unobservable? That is, can it be used safely in a country or workplace where its use may be punished? Could malware or other software on your computer leak information about which web sites you access with Tor (or to whom you send through a mix network)? Will using Tor make you more or less vulnerable to monitoring by governements?

Download ppt "Network Security: Anonymity"

Similar presentations

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Network Security: Anonymity Otto Huhta T-110.5241 Network security Aalto University, Nov-Dec 2014.

Network Security: Anonymity Otto Huhta T Network security Aalto University, Nov-Dec 2014.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.

Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.

The Case for Network-Layer, Peer-to-Peer Anonymization Michael J. Freedman Emil Sit, Josh Cates, Robert Morris MIT Lab for Computer Science IPTPS’02March.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
I NTERNET A NONYMITY By Esra Erdin. Introduction Types of Anonymity Systems TOR Overview Working Mechanism of TOR I2P Overview Working Mechanism of I2P.

I NTERNET A NONYMITY By Esra Erdin. Introduction Types of Anonymity Systems TOR Overview Working Mechanism of TOR I2P Overview Working Mechanism of I2P.
Analysis of Onion Routing Presented in 294-4 by Jayanthkumar Kannan On 10/8/03.

Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.

Similar presentations

Ads by Google