Towards an Analysis of Onion Routing Security. Syverson, Tsudik, Reed, and Landwehr, PET 2000. Presented by: Adam Lee, 1/26/2006


1 Towards an Analysis of Onion Routing Security
Syverson, Tsudik, Reed, and Landwehr
PET 2000
Presented by: Adam Lee
1/26/2006

2 Goals of the Paper
• Overview of onion routing
• Explanation of security goals
• Description of network model & assumptions
• Discussion of adversary types
• Security analysis
• Comparison with Crowds

3 Onion Routing
• Onion router ≈ real time Chaum mix
  • Store and forward with minimal delays
• Onion routing connection phases
  • Setup
  • Transmission
  • Teardown

4 Setup Phase
• Connection initiator builds an onion
  • Layered cryptographic structure, specifying:
    • Path through network
    • Point-to-point symmetric encryption algorithms
    • Cryptographic keys
  • Structure not rigorously specified in paper
• At each step
  • Router decrypts entire structure
  • Sets up encrypted channels to predecessor and successor nodes
  • Forwards new onion on to successor

5 Transmission Phase
• When connection initiator wants to send data
  • Break data into uniform (128 bit) blocks
  • Encrypt each block once for each router in the path
    • Note: Use symmetric encryption here
  • Send data to first onion router
• All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!

6 Security Goals
• The goal is to hide
  • Sender activity
  • Receiver activity
  • Sender content
  • Receiver content
  • Source-destination pairs

7 Network Assumptions
1. Onion routers are all fully connected
2. Links are padded or bandwidth-limited to a constant rate
3. Unrestricted exit policies
4. For each route, each hop is chosen at random
5. Number of nodes in a route is chosen at random

8 Know Your Enemy…
• 4 Types of adversaries
  • Observer
  • Disrupter
  • Hostile user
  • Compromised COR
• Adversary distributions
  • Single
  • Multiple
  • Roving
  • Global
Note: Authors claim that a group of roving compromised CORs is most powerful (and realistic) adversary model. Is this true?

9 Security Analysis

10 Analysis Parameters
• $r$ : number of CORs in the system
• $S$ : set of CORs in the system
• $n$ : route length
• $R = \{R_1, R_2, \ldots, R_n\}$ : A specific route
• $c$ : maximum number of compromised CORs
• $C$ : set of compromised CORs

11 Important Cases
• Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider.
  • $R_1 \in C$: Probability = $c/r$
  • $R_n \in C$: Probability = $c/r$
  • $R_1$ and $R_n \in C$: Probability = $c^2/r^2$
• Each case has its own important properties

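12 Properties of Attacks

|                   | $R_1 \in C$ | $R_n \in C$ | $R_1$ and $R_n \in C$ |
|-------------------|-------------|-------------|-----------------------|
| Sender activity   | Yes         | No          | Yes                   |
| Receiver activity | No          | Yes         | Yes                   |
| Sender content    | No          | No          | Inferred              |
| Receiver content  | No          | Yes         | Yes                   |
| S/D linking       | No          | No          | Yes                   |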

13 The Attacker’s Game
• Probability that at least one COR on the route is compromised at startup
  • $1 - \Pr(R \cap C = \emptyset) = 1 - (r-c)^n / r^n$
• Adversary determines
  • $R_s$ where $s = \min(j \in [1 \ldots n] \text{ and } R_j \in R \cap C)$
  • $R_e$ where $e = \max(j \in [1 \ldots n] \text{ and } R_j \in R \cap C)$
• Attacker can easily test to see if $R_s = R_e$, $R_s = R_1$, or $R_e = R_n$

14 The Attacker’s Game (cont.)
• At each time step
  • Move one step closer to $R_1$ (e.g., $R_s = R_{s-1}$)
  • Move one step closer to $R_n$ (e.g., $R_e = R_{e+1}$)
  • Compromise $c-2$ routers to try to find another link in the route
    • Unless one endpoint is found, then can compromise $c-1$ routers
• Worst case: $\max(s, n-e)$ rounds to reach both endpoints
• Don’t offer analytic solution to expected number of rounds to compromise both endpoints
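The startup probabilities from slides 11 and 13 and the round-by-round game above, as an added Monte Carlo example that is not part of the slides or the paper. Assumptions: hops are drawn independently and uniformly (which is what the (r-c)^n / r^n formula implies), the spare compromises in each round land on uniformly chosen CORs, and the names p_startup_hit, play_game and simulate are made up here.

```python
import random

def p_startup_hit(r, c, n):
    """Slide 13: Pr(at least one route hop is compromised) = 1 - (r-c)^n / r^n."""
    return 1 - ((r - c) / r) ** n

def play_game(route, compromised, r, c, rng):
    """Rounds until the adversary holds both R_1 and R_n; None if it holds
    no COR on the route at startup. Indices here are 0-based."""
    if c < 2:
        raise ValueError("the slides' c-2 probe budget needs c >= 2")
    n = len(route)
    hits = [j for j, cor in enumerate(route) if cor in compromised]
    if not hits:
        return None
    s, e = hits[0], hits[-1]              # R_s and R_e from slide 13
    rounds = 0
    while s > 0 or e < n - 1:
        rounds += 1
        walkers = (s > 0) + (e < n - 1)   # 2, or 1 once an endpoint is found
        s, e = max(s - 1, 0), min(e + 1, n - 1)
        # Assumption: the spare c-2 (or c-1) compromises hit uniformly drawn CORs.
        probes = set(rng.sample(range(r), c - walkers))
        found = [j for j, cor in enumerate(route) if cor in probes]
        if found:                         # another link in the route was found
            s, e = min(s, found[0]), max(e, found[-1])
    return rounds

def simulate(r, c, n, trials=20000, seed=1):
    """Monte Carlo over random routes (assumption 4) and random compromised sets."""
    rng = random.Random(seed)
    hit = first = both = total = worst = 0
    for _ in range(trials):
        route = [rng.randrange(r) for _ in range(n)]   # hops drawn independently
        compromised = set(rng.sample(range(r), c))
        first += route[0] in compromised
        both += route[0] in compromised and route[-1] in compromised
        rounds = play_game(route, compromised, r, c, rng)
        if rounds is not None:
            hit += 1
            total += rounds
            worst = max(worst, rounds)
    return {"p_hit": hit / trials, "p_first": first / trials,
            "p_both": both / trials, "mean_rounds": total / max(hit, 1),
            "worst": worst}

if __name__ == "__main__":
    print(simulate(r=10, c=2, n=6), p_startup_hit(10, 2, 6))
```

mean_rounds is an empirical estimate of the expected number of rounds, the quantity for which the slides say no analytic solution is offered; it is conditioned on the adversary holding at least one COR on the route at startup.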

15 Example (n=6, r=10, c=2)
Attacker Wins!

16 Thoughts on the “Game”
• What is a round? An attacker unit of time? A defender unit of time?
• How long is a round? What does this analysis tell us without knowing that?
• If compromising routers is as easy as just doing it, what security at all does onion routing offer us?
• Can we derive meaningful requirements from this analysis?

17 Discussion Questions
• What are the dangers of assumption 2 (constant bandwidth)?
• Is the freedom to choose one’s routes through the network a double-edged sword?

18 Discussion Questions (cont.)
• Assumption 4 says routes are chosen at random. From a probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?
• The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?

19 Discussion Questions (cont.)
• Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.

