Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

Published byMary Cobb Modified over 10 years ago

Similar presentations

Presentation on theme: "A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)"— Presentation transcript:

1 A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

2 Papers 1.A Model of Onion Routing with Provable Anonymity Financial Cryptography and Data Security 2007 2.A Probabilistic Analysis of Onion Routing in a Black-box Model Workshop on Privacy in the Electronic Society 2007

3 Anonymous Communication Sender anonymity: Adversary cant determine the sender of a given message Receiver anonymity: Adversary cant determine the receiver of a given message Relationship anonymity: Adversary cant determine who talks to whom

4 Anonymous Communication Sender anonymity: Adversary cant determine the sender of a given message Receiver anonymity: Adversary cant determine the receiver of a given message Relationship anonymity: Adversary cant determine who talks to whom

5 How Onion Routing Works User u running client Internet destination d Routers running servers ud 12 3 4 5

6 How Onion Routing Works ud 1.u creates 3-hop circuit through routers 12 3 4 5

7 How Onion Routing Works ud 1.u creates 3-hop circuit through routers 12 3 4 5

8 How Onion Routing Works ud 1.u creates 3-hop circuit through routers 12 3 4 5

9 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 12 3 4 5

10 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{{m} 3 } 4 } 1 12 3 4 5

11 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{m} 3 } 4 12 3 4 5

12 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {m} 3 12 3 4 5

13 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged m 12 3 4 5

14 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged m 12 3 4 5

15 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {m} 3 12 3 4 5

16 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{m} 3 } 4 12 3 4 5

17 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged {{{m} 3 } 4 } 1 12 3 4 5

18 How Onion Routing Works ud 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged. 4.Stream is closed. 12 3 4 5

19 How Onion Routing Works u 1. u creates 3-hop circuit through routers 2. u opens a stream in the circuit to d 3.Data is exchanged. 4.Stream is closed. 5.Circuit is changed every few minutes. 12 3 4 5 d

20 Results

21 1.Formally model onion routing using input/output automata

22 Results 1.Formally model onion routing using input/output automata 2.Analyze relationship anonymity a.Characterize situations with possibilistic anonymity b.Bound probabilistic anonymity in worst-case and typical situations

23 Related Work A Formal Treatment of Onion Routing Jan Camenisch and Anna Lysyanskaya CRYPTO 2005 A formalization of anonymity and onion routing S. Mauw, J. Verschuren, and E.P. de Vink ESORICS 2004 Towards an Analysis of Onion Routing Security P. Syverson, G. Tsudik, M. Reed, and C. Landwehr PET 2000

24 Model Constructed with I/O automata –Models asynchrony –Relies on abstract properties of cryptosystem Simplified onion-routing protocol –No key distribution –No circuit teardowns –No separate destinations –Each user constructs a circuit to one destination –Circuit identifiers

25 Automata Protocol u v w

26 u v w

27 u v w

28 u v w

29 u v w

30 u v w

31 u v w

32 u v w

33 u v w

34 u v w

35 Creating a Circuit u123

36 [0,{CREATE} 1 ] 1.CREATE/CREATED u123

37 Creating a Circuit [0,CREATED] 1.CREATE/CREATED u123

38 Creating a Circuit 1.CREATE/CREATED u123

39 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{[EXTEND,2, {CREATE} 2 ]} 1 ] u123

40 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,{CREATE} 2 ] u123

41 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [l 1,CREATED] u123

42 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED [0,{EXTENDED} 1 ] u123

43 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{[EXTEND,3, {CREATE} 3 ]} 2 } 1 ] u123

44 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] u123 [l 1,{[EXTEND,3, {CREATE} 3 ]} 2 ]

45 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,{CREATE} 3 ] u123

46 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 2,CREATED] u123

47 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [l 1,{EXTENDED} 2 ] u123

48 Creating a Circuit 1.CREATE/CREATED 2.EXTEND/EXTENDED 3.[Repeat with layer of encryption] [0,{{EXTENDED} 2 } 1 ] u123

49 Adversary u 12 3 4 5 d Active & Local

50 Possibilistic Anonymity

51 Anonymity Let U be the set of users. Let R be the set of routers. Let l be the path length.

52 Anonymity Definition (configuration): A configuration is a function U R l mapping each user to his circuit. Let U be the set of users. Let R be the set of routers. Let l be the path length.

53 Anonymity Definition (indistinguishability): Executions and are indistinguishable to adversary A when his actions in are the same as in after possibly applying the following: : A permutation on the keys not held by A. : A permutation on the messages encrypted by a key not held by A. Definition (configuration): A configuration is a function U R l mapping each user to his circuit. Let U be the set of users. Let R be the set of routers. Let l be the path length.

54 Definition (relationship anonymity): u and d have relationship anonymity in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d. Anonymity Definition (fair): In fair executions actions enabled infinitely often occur infinitely often Definition (cryptographic): In cryptographic executions no encrypted control messages are sent before they are received unless the sender possesses the key

55 Theorem 1: Let C and D be configurations for which there exists a permutation : U U such that C i (u) = D i ( (u)) if C i (u) or D i ( (u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable, fair, cryptographic execution of D. The converse also holds.

56 C u v 12 3 4 5

57 u v 12 3 4 5 3 2 CD

58 u v 12 3 4 5 3 2 CD v u 225 4

59 u v 12 3 4 5 CD Theorem 1: Let C and D be configurations for which there exists a permutation : U U such that C i (u) = D i ( (u)) if C i (u) or D i ( (u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable fair, cryptographic execution of D. The converse also holds. u v 12 3 4 5

60 Relationship anonymity Corollary : A user and destination have rel. anonymity iff:

61 Relationship anonymity 2 3 u 4? 5? The last router is unknown. Corollary : A user and destination have rel. anonymity iff:

62 OR Relationship anonymity 2 3 u 4? 5? The last router is unknown. 1 2 4 The user is unknown and another unknown user has an unknown destination. 5 2? 5? 4? Corollary : A user and destination have rel. anonymity iff:

63 OR 1 2 4 The user is unknown and another unknown user has a different destination. 5 1 2 Relationship anonymity 2 3 u 4? 5? The last router is unknown. 1 2 4 The user is unknown and another unknown user has an unknown destination. 5 2? 5? 4? Corollary : A user and destination have rel. anonymity iff:

64 Probabilistic Anonymity

65 Adding probability 1.To configurations a.User u selects destination d with probability p u d. b.Users select routers randomly. 2.To executions a.Each execution in a configuration is equally likely.

66 Definition (relationship anonymity): u and d have relationship anonymity in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.

67 Probabilistic relationship anonymity metric: Let X be a random configuration. Let X D : U D be the destinations in X. The metric Y for the relationship anonymity of u and d in C is: Y(C) = Pr[X D (u)=d | X C]

68 Probabilistic Anonymity Other measures (e.g. entropy, min entropy) Measures effect on the individual user Exact Bayesian inference –Adversary after long-term intersection attack –Worst-case adversary

69 Probabilistic Anonymity 1. Fixing u and d doesnt determine C. 2. Y(C) thus has a distribution. 3.This distribution depends on each p v. 4. E[Y | X D (u)=d] a.Worst case b.Typical case

70 Worst-case Anonymity Theorem 2: The maximum of E[Y | X D (u)=d] over (p v ) v u occurs when 1. p v =1 for all v u OR 2. p v d =1 for all v u Let p u 1 p u 2 p u d-1 p u d+1 … p u

71 Worst-case Estimates Let n be the number of nodes. Let b be the fraction of compromised nodes.

72 Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

73 Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Theorem 4: When p v d =1 for all v u: E[Y | X D (u)=d] = b 2 + b(1-b)p u d + (1-b) p u d /(1-(1- p u d ) b ) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

74 Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] Let n be the number of nodes. Let b be the fraction of compromised nodes.

75 Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] b + (1-b) p u d Let n be the number of nodes. Let b be the fraction of compromised nodes.

76 Worst-case Estimates Theorem 3: When p v =1 for all v u: E[Y | X D (u)=d] = b + b(1-b)p u d + (1-b) 2 p u d [ (1-b)/(1-(1- p u ) b )) + O( logn/n) ] b + (1-b) p u d E[Y | X D (u)=d] b 2 + (1-b 2 ) p u d Let n be the number of nodes. Let b be the fraction of compromised nodes.

77 Typical Case Let each user select from the Zipfian distribution: p d i = 1/( i s ) Theorem 5: E[Y | X D (u)=d] = b 2 + (1 b 2 )p u d + O(1/n)

78 Typical Case Let each user select from the Zipfian distribution: p d i = 1/( i s ) Theorem 5: E[Y | X D (u)=d] = b 2 + (1 b 2 )p u d + O(1/n) E[Y | X D (u)=d] b 2 + ( 1 b 2 )p u d

79 Results 1.Formally model onion routing using input/output automata 2.Analyze relationship anonymity a.Characterize situations with possibilistic anonymity b.Bound probabilistic anonymity in worst-case and typical situations

80 Future Work 1.Extend analysis to other types of anonymity and to other systems. 2.Examine how quickly users distribution are learned. 3.Analyze timing attacks.

Download ppt "A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)"

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.

Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.

Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Definition of the Anonymity of Mix Network Runs Andrei Serjantov University of Cambridge Computer Laboratory.

Definition of the Anonymity of Mix Network Runs Andrei Serjantov University of Cambridge Computer Laboratory.
LASTor: A Low-Latency AS-Aware Tor Client

LASTor: A Low-Latency AS-Aware Tor Client
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.

Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.

Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.

Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.

1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:

1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Daniel Moran & Marina Yatsina. Access control through encryption.

Daniel Moran & Marina Yatsina. Access control through encryption.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google