Published by Alexis McFadden. Modified over 2 years ago.

1
A Model of Onion Routing with Provable Anonymity
Financial Cryptography 07, 2/12/07
Aaron Johnson
with Joan Feigenbaum, Paul Syverson

2
Overview
Formally model onion routing using input/output automata
Characterize the situations that provide anonymity

3
Anonymous Communication
Mix Networks (1981)
Dining cryptographers (1988)
Onion routing (1999)
Anonymous buses (2002)

5
Onion Routing
Practical design with low latency and overhead
Open source implementation (http://tor.eff.org)
Over 800 volunteer routers
Estimated 200,000 users

6
Anonymous Communication
Table columns: Deployed, Analyzed
Mix Networks
Dining cryptographers
Onion routing
Anonymous buses

7
Related work
A Formal Treatment of Onion Routing. Jan Camenisch and Anna Lysyanskaya. CRYPTO 2005
A formalization of anonymity and onion routing. S. Mauw, J. Verschuren, and E.P. de Vink. ESORICS 2004
I/O Automaton Models and Proofs for Shared-Key Communication Systems. Nancy Lynch. CSFW

8
Overview
Formally model onion routing using input/output automata
–Simplified onion-routing protocol
–Non-cryptographic analysis
Characterize the situations that provide anonymity
–Send a message, receive a message, communicate with a destination
–Possibilistic anonymity

11
How Onion Routing Works
User u running client
Internet destination d
Routers running servers
[Figure: user u, routers, destination d]

12
How Onion Routing Works
1. u creates 3-hop circuit through routers
2. u opens a stream in the circuit to d
3. Data is exchanged.
Message shown on successive slides: {{{m}_3}_4}, {{m}_3}, {m}, m, then m, {m}, {{m}_3}, {{{m}_3}_4}
4. Stream is closed.
5. Circuit is changed every few minutes
[Figure: user u, routers, destination d]

26
How Onion Routing Works
Main theorem: Adversary can only determine parts of a circuit it controls or is next to.
[Figure labels: u, 1, 2, d]

30
Anonymous Communication
Sender anonymity: Adversary can't determine the sender of a given message
Receiver anonymity: Adversary can't determine the receiver of a given message
Unlinkability: Adversary can't determine who talks to whom

31
Adversaries
Passive & Global
Active & Local

35
Model
Constructed with I/O automata
–Models asynchrony
–Relies on abstract properties of cryptosystem
Simplified onion-routing protocol
–No key distribution
–No circuit teardowns
–No separate destinations
–No streams
–No stream cipher
–Each user constructs a circuit to one destination
–Circuit identifiers

36
Automata Protocol
[Figure labels: u, v, w]

46
Creating a Circuit
1. CREATE/CREATED
2. EXTEND/EXTENDED
3. [Repeat with layer of encryption]
[Figure labels: u, 1, 2, 3]
Messages shown on successive slides:
Step 1:
[0,{CREATE}_1]
[0,CREATED]
Step 2:
[0,{[EXTEND,2,{CREATE}_2]}_1]
[l_1,{CREATE}_2]
[l_1,CREATED]
[0,{EXTENDED}_1]
Step 3:
[0,{{[EXTEND,3,{CREATE}_3]}_2}_1]
[l_1,{[EXTEND,3,{CREATE}_3]}_2]
[l_2,{CREATE}_3]
[l_2,CREATED]
[l_1,{EXTENDED}_2]
[0,{{EXTENDED}_2}_1]
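
The circuit-building messages from these slides, generated for a circuit of any length; this is an added example, not code from the talk or its authors. The sender and receiver of each message and the tuple encoding `("enc", i, body)` for {body}_i are assumptions of the sketch, since the slides give only the messages and the circuit u, 1, 2, 3.

```python
# Added example: symbolic trace of circuit construction in the simplified model.
# ("enc", i, body) stands for {body}_i; no real cryptography is performed.

def enc(key, body):
    return ("enc", key, body)

def wrap(body, keys):
    """Apply layers innermost-first: wrap(x, [2, 1]) gives {{x}_2}_1."""
    for k in keys:
        body = enc(k, body)
    return body

def render(x):
    """Print a term in the slides' bracket notation."""
    if isinstance(x, tuple) and x[0] == "enc":
        return "{%s}_%s" % (render(x[2]), x[1])
    if isinstance(x, tuple):
        return "[" + ",".join(render(p) for p in x) + "]"
    return str(x)

def build_circuit(user, routers):
    """Return [(sender, receiver, circuit_id, payload), ...] for a full build."""
    path = [user] + list(routers)
    # Circuit id on the link path[h] -> path[h+1]: 0 on the first link, then l1, l2, ...
    ids = [0] + ["l%d" % i for i in range(1, len(routers))]
    trace = []
    for n, target in enumerate(routers):        # n routers are already on the circuit
        create = enc(target, "CREATE")
        for h in range(n + 1):                  # outbound, one layer removed per hop
            layers = list(reversed(routers[h:n]))
            body = wrap(("EXTEND", target, create), layers) if h < n else create
            trace.append((path[h], path[h + 1], ids[h], body))
        for h in range(n, -1, -1):              # reply, one layer added per hop
            layers = list(reversed(routers[h:n]))
            body = wrap("EXTENDED", layers) if h < n else "CREATED"
            trace.append((path[h + 1], path[h], ids[h], body))
    return trace

def peers_seen(trace, node):
    """Every agent that `node` directly exchanges a message with."""
    return {s if r == node else r for s, r, _, _ in trace if node in (s, r)}

if __name__ == "__main__":
    demo = build_circuit("u", [1, 2, 3])        # constructed circuit u-1-2-3
    for s, r, cid, body in demo:
        print("%s -> %s  [%s,%s]" % (s, r, cid, render(body)))
    print(peers_seen(demo, 3))
```

`peers_seen` shows the property the main theorem builds on: router 3 only ever exchanges messages with router 2, so its direct view of the circuit stops at its neighbour.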

60
Input/Output Automata
States
Actions
–Input, output, internal
–Actions transition between states
Every state has enabled actions
Input actions are always enabled
Alternating state/action sequence is an execution
In fair executions actions enabled infinitely often occur infinitely often
In cryptographic executions no encrypted control messages are sent before they are received unless the sender possesses the key

61
I/O Automata Model
Automata
–User
–Server
–Fully-connected network of FIFO Channels
–Adversary replaces some servers with arbitrary automata
Notation
–U is the set of users
–R is the set of routers
–N = U R is the set of all agents
–A N is the adversary
–K is the keyspace
–l is the (fixed) circuit length
–k(u,c,i) denotes the ith key used by user u on circuit c

62
User automaton

69
Server automaton

77
Anonymity
Definition (configuration): A configuration is a function U R l mapping each user to his circuit.
Definition (indistinguishability): Executions and are indistinguishable to adversary A when his actions in are the same as in after possibly applying the following:
: A permutation on the keys not held by A.
: A permutation on the messages encrypted by a key not held by A.

79
Anonymity
Definition (anonymity): User u performs action anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs, there exists an execution that is indistinguishable to A in which u does not perform.
Definition (unlinkability): User u is unlinkable to d in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.

81
Theorem: Let C and D be configurations for which there exists a permutation : U U such that C_i(u) = D_i( (u)) if C_i(u) or D_i( (u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable, fair, cryptographic execution of D. The converse also holds.
[Figure: configurations C and D, users u and v]

86
Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution of C there exists a fair, cryptographic execution of D that is indistinguishable to A.
Proof: To construct :
1. Replace any message sent or received between u (v) and C_1(u) (C_1(v)) in with a message sent or received between v (u) and C_1(u) (C_1(v)).
2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys.
is an execution of D: Only actions by u, v, C_1(u), and C_1(v) have been added. These actions are modified so that they remain valid.
is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router.
is cryptographic: Key permutations are applied to the entire sequence, and the original sequence was cryptographic.
is indistinguishable: The permutation needed to make look like to A is just the reverse of the key permutation used to create.
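
A brute-force check of the theorem's condition on small configurations, with the lemma's circuit swap as the worked case; this is an added example, not taken from the talk or the paper. It assumes position 0 of a circuit is the user, reads "adjacent" as neighbouring within the same circuit, and names the permutation `pi`; `visible`, `adversary_view` and `theorem_permutation` are hypothetical helper names.

```python
# Added example: checks the condition of the theorem on small configurations.
# Assumption: a circuit is written (user, r1, ..., rl), so position 0 is the user.
from itertools import permutations

def visible(circ, i, bad):
    """True if position i is compromised or adjacent to a compromised agent."""
    return any(x in bad for x in circ[max(i - 1, 0):i + 2])

def adversary_view(config, bad):
    """Each user's circuit, with positions the adversary cannot determine as '?'."""
    view = {}
    for u, routers in config.items():
        circ = (u,) + tuple(routers)
        view[u] = tuple(x if visible(circ, i, bad) else "?"
                        for i, x in enumerate(circ))
    return view

def _matches(c, d, bad):
    # Positions must agree wherever either circuit exposes them to the adversary.
    return all(c[i] == d[i] for i in range(len(c))
               if visible(c, i, bad) or visible(d, i, bad))

def theorem_permutation(C, D, bad):
    """Return a permutation of users meeting the theorem's condition, else None."""
    users = sorted(C)
    for image in permutations(users):
        pi = dict(zip(users, image))
        if all(_matches((u,) + tuple(C[u]), (pi[u],) + tuple(D[pi[u]]), bad)
               for u in users):
            return pi
    return None

# Constructed configurations: D is C with the circuits of u and v switched (the lemma).
C = {"u": (1, 2, 3), "v": (4, 5, 3)}
D = {"u": (4, 5, 3), "v": (1, 2, 3)}

if __name__ == "__main__":
    print(adversary_view(C, {3}))
    print(theorem_permutation(C, D, {3}))   # swap u and v
    print(theorem_permutation(C, D, {1}))   # None
```

With router 3 compromised the swap is found, matching the lemma's hypothesis that neither the users nor their first routers are compromised. With router 1 compromised no permutation exists, because the adversary sits next to u.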

94
Unlinkability
Corollary: A user is unlinkable to its destination when:
The last router is unknown.
OR
The user is unknown and another unknown user has an unknown destination.
OR
The user is unknown and another unknown user has a different destination.
[Figure labels: 2 3 u 4? 5? and 5 2? 5? 4?]

98
Model Robustness
Only single encryption still works
Can remove circuit identifiers
Can include stream ciphers
May allow users to create multiple circuits

99
Future Work
Construct better models of time
Exhibit a cryptosystem with the desired properties
Incorporate probabilistic behavior by users
