1 Anonymity

2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification  Why anonymity and P2P?  Simple model  Parties exchange information in a P2P network  Sender anonymity  Receiver anonymity

Related notions  Confidentiality  Content of message is not known  Typically achieved by encryption  Is not an alternative to anonymity when the act of sending messages must be hidden or when the content of the message can be deduced  Privacy  In some works equated with anonymity  Usually, protection of personal/secret data as opposed to hiding the identity 3

Definitions  Following Pfitzmann and Hansen  Subjects: senders and receivers  Items of interest: messages  The notion of anonymity set  Anonymity: the property of not being identifiable within an anonymity set  We are especially interested in sender anonymity and receiver anonymity 4

Unlinkability  Let L be a relation between pairs of items  L is the link relation  Let D be the data that an adversary obtains by observing the system  We say that two items a, b are unlinkable if Pr[L(a,b)|D]=Pr[L(a,b)]  α-sender anonymity for a sender s and message m means:  Pr[L(s,m)|D]=Pr[L(s,m)] > α 5

Unlinkability (cont.)  α-receiver anonymity for a receiver r and message m means:  Pr[L(m,r)|D]=Pr[L(m,r)] > α  An α-anonymous communication system is a system in which every receiver and sender is α-anonymous for every message in any sequence of messages.  Anonymity in this definition is a function of D  We relax all definitions to be computational  It is sufficient that the adversary is unable to distinguish between the probabilities 6

7 Who is the Adversary  In the real world  An organization such as RIAA or MPAA  A government / intelligence service  Police  Potentially criminals  An adversary model determines what capabilities the adversary has  Monitoring links  Operating “poisoned” peers  Possibly, coercing peer to implicate itself or others

Some typical restrictions  In many works the power of the adversary is limited in ways that are sometimes natural (but not always)  Adversary can monitor up to given number of links in network  Adversary can’t break encryption or forge signatures  Adversary can monitor up to given number of links of specific sender  Adversary can’t perform traffic analysis 8

9 Anonymizer  Simply a proxy  Accepts messages and resends them as if it is the source  Sufficient for sender anonymity in some scenarios  Risks  It fails if all lines coming into and out of anonymizer are monitored  The anonymizer itself may collude with the adversary  Operators of botnets often use compromised servers as anonymizers (without the owners permission or awareness of the fact)

Mix  Chaum - in the context of  An anonymizer that tries to defeat monitoring of its lines  Every incoming and outgoing message is encrypted. Let m be a message  E k_in (m) is encryption of incoming message  E k_out (m) is encryption of outgoing message  Adversary can’t distinguish between the pairs and, for an arbitrary message p in a given domain.  The mix changes the order, timing and length of outgoing packets compared to incoming packets. 10

Mix (cont.)  Mix tries to defeat:  Direct monitoring – by encrypting content  Traffic analysis – by changing parameters of the traffic that are not affected by encryption  Encryption adds to computational overhead  Changing length, timing and order are not always possible  Example: real-time traffic such as voice and video  Mixes often have partial functionality  An adversarial mix is still possible 11

12 Onion Routing - Overview  Based on Chaum Mixes  By Reed, Syverson, Goldschlag (1996)  Objectives:  Works with traffic that is almost real time (e.g. HTTP)  Bi-directional traffic  Provides sender anonymity  Reduce effectiveness of traffic analysis  All peers in network “know” each other’s public key  End entities are not necessarily part of the network  Network nodes are called Onion Routers (OR)

Preparation of onion  Sender:  Chooses a random path to the receiver  Notation: Sender=OR 1, OR 2, …, OR n =Receiver  Retrieves public keys of path from directory  Onion includes n-1 layers  Layer i, i=2, 3,…,n encrypts with public key of OR i  Address of next onion router, OR i+1  Forward encryption / decryption algorithm E fi  Forward encryption / decryption key K fi  Backward encryption / decryption algorithm E bi  Backward encryption / decryption key K bi  Some additional information  Layers i+1,…,n 13

Preparation of onion (cont.)  Payload is encrypted in layers.  The n-th layer encrypts the payload.  The i-th layer encrypts layers i+1,…,n.  The i-th layer, i=2,3,…,n includes encryption by E fi with key K fi. 14

Processing by Onion Routers  OR i uses its private key to encrypt / decrypt the i-th layer of the onion.  OR i uses E fi with key K fi to encrypt / decrypt i-th layer of the payload.  OR i sends the onion and the payload after “peeling” off a layer to OR i+1.  OR i retains onion for a time. 15

Response  The receiver can send a reply message by the backward encryption algorithm and key.  In the response, OR i encrypts the layered message it receives with encryption algorithm E bi and key K bi.  Response relies on same route as original message.  Sender uses stored list of E bi and key K bi to decrypt.  Sender can prepare a route for a reply  Same route can be used later  Different route 16

Reply onion  Layer i, i=1,2,3,…,n encrypts with public key of Or n+1-i  Address of next onion router, Or n-i  Backward encryption algorithm E bi  Backward encryption key K bi  Forward decryption algorithm E fi  Forward decryption key K fi  Some additional information  Layers i+1,…,n  The inner layer (encrypted with the sender’s key) includes E fi, E bi, K bi, K fi for all i.  Each processor “adds” a layer of encryption to the message.  The sender peels all the layers. 17

Additional Mechanisms  Replay protection  Each layer contains the expiration time.  An OR stores the onion until the expiration time.  If the same onion is sent within the expiration time then the OR discards it.  If an expired onion is sent then the OR discards it.  Padding  Each OR adds random padding to the onion to compensate for removed layer  Loose routing  Sender defines list of ORs in path.  OR i can send onion to OR i+1 by a route it chooses. 18

Anonymity analysis  Onion routing provides sender anonymity.  Reply onions can be used for some receiver anonymity  Anonymity works against adversaries that:  Monitor any number of links.  Control ORs (at least one OR per path is not corrupted)  Analyze message content and message length 19

Anonymity analysis (cont.)  Anonymity does not work if adversary:  Compares timing of packets at sender and receiver.  Actively introduces timing signatures and compares the signature on the receiver side.  Subverts public keys.  Sybil attack  Tags padding and looks for tag at the receiving end.  Can compromise additional ORs over time. Adversary records traffic and decrypts it later. 20