Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006

2 Goals of the Paper  Overview of onion routing  Explanation of security goals  Description of network model & assumptions  Discussion of adversary types  Security analysis  Comparison with Crowds  Overview of onion routing  Explanation of security goals  Description of network model & assumptions  Discussion of adversary types  Security analysis  Comparison with Crowds

3 Onion Routing  Onion router ≈ real time Chaum mix  Store and forward with minimal delays  Onion routing connection phases  Setup  Transmission  Teardown  Onion router ≈ real time Chaum mix  Store and forward with minimal delays  Onion routing connection phases  Setup  Transmission  Teardown

4 Setup Phase  Connection initiator builds an onion  Layered cryptographic structure, specifying:  Path through network  Point-to-point symmetric encryption algorithms  Cryptographic keys  Structure not rigorously specified in paper  At each step  Router decrypts entire structure  Sets up encrypted channels to predecessor and successor nodes  Forwards new onion on to successor  Connection initiator builds an onion  Layered cryptographic structure, specifying:  Path through network  Point-to-point symmetric encryption algorithms  Cryptographic keys  Structure not rigorously specified in paper  At each step  Router decrypts entire structure  Sets up encrypted channels to predecessor and successor nodes  Forwards new onion on to successor

5 Transmission Phase  When connection initiator wants to send data  Break data into uniform (128 bit) blocks  Encrypt each block once for each router in the path  Note: Use symmetric encryption here  Send data to first onion router  All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!  When connection initiator wants to send data  Break data into uniform (128 bit) blocks  Encrypt each block once for each router in the path  Note: Use symmetric encryption here  Send data to first onion router  All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!

6 Security Goals  The goal is to hide  Sender activity  Receiver activity  Sender content  Receiver content  Source-destination pairs  The goal is to hide  Sender activity  Receiver activity  Sender content  Receiver content  Source-destination pairs

7 Network Assumptions 1.Onion routers are all fully connected 2.Links are padded or bandwidth-limited to a constant rate 3.Unrestricted exit policies 4.For each route, each hop is chosen at random 5.Number of nodes in a route is chosen at random 1.Onion routers are all fully connected 2.Links are padded or bandwidth-limited to a constant rate 3.Unrestricted exit policies 4.For each route, each hop is chosen at random 5.Number of nodes in a route is chosen at random

8 Know Your Enemy…  4 Types of adversaries  Observer  Disrupter  Hostile user  Compromised COR  4 Types of adversaries  Observer  Disrupter  Hostile user  Compromised COR  Adversary distributions  Single  Multiple  Roving  Global Note: Authors claim that a group of roving compromised CORs is most powerful (and realistic) adversary model. Is this true?

9 Security Analysis

10 Analysis Parameters  r : number of CORs in the system  S : set of CORs in the system  n : route length  R = {R 1, R 2, …, R n } : A specific route  c : maximum number of compromised CORs  C : set of compromised CORS  r : number of CORs in the system  S : set of CORs in the system  n : route length  R = {R 1, R 2, …, R n } : A specific route  c : maximum number of compromised CORs  C : set of compromised CORS

11 Important Cases  Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider.  R 1  C  Probability = c/r  R n  C  Probability = c/r  R 1 and R n  C  Probability = c 2 /r 2  Each case has it’s own important properties  Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider.  R 1  C  Probability = c/r  R n  C  Probability = c/r  R 1 and R n  C  Probability = c 2 /r 2  Each case has it’s own important properties

12 Properties of Attacks R 1  CR n  CR 1 and R n  C Sender activityYesNoYes Receiver activityNoYes Sender contentNo Inferred Receiver contentNoYes S/D linkingNo Yes

13 The Attacker’s Game  Probability that at least one COR on the route is compromised a startup  1 - Pr(R  C =  ) = 1 - (r-c) n /r n  Adversary determines  R s where s = min(j  [1 … n] and R j  R  C)  R e where e = max(j  [1 … n] and R j  R  C)  Attacker can easily test to see if R s = R e, R s = R 1, or R e = R n  Probability that at least one COR on the route is compromised a startup  1 - Pr(R  C =  ) = 1 - (r-c) n /r n  Adversary determines  R s where s = min(j  [1 … n] and R j  R  C)  R e where e = max(j  [1 … n] and R j  R  C)  Attacker can easily test to see if R s = R e, R s = R 1, or R e = R n

14 The Attacker’s Game (cont.)  At each time step  Move one step closer to R 1 (e.g., R s = R s-1 )  Move one step closer to R n (e.g., R e = R e+1 )  Compromise c-2 routers to try to find another link in the route  Unless one endpoint is found, then can compromise c-1 routers  Worst case: max(s, n-e) rounds to reach both endpoints  Don’t offer analytic solution to expected number of rounds to compromise both endpoints  At each time step  Move one step closer to R 1 (e.g., R s = R s-1 )  Move one step closer to R n (e.g., R e = R e+1 )  Compromise c-2 routers to try to find another link in the route  Unless one endpoint is found, then can compromise c-1 routers  Worst case: max(s, n-e) rounds to reach both endpoints  Don’t offer analytic solution to expected number of rounds to compromise both endpoints

15 Example (n=6, r=10, c=2) Attacker Wins!

16 Thoughts on the “Game”  What is a round? An attacker unit of time? A defender unit of time?  How long is a round? What does this analysis tell us without knowing that?  If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?  Can we derive meaningful requirements from this analysis?  What is a round? An attacker unit of time? A defender unit of time?  How long is a round? What does this analysis tell us without knowing that?  If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?  Can we derive meaningful requirements from this analysis?

17 Discussion Questions  What are the dangers of assumption 2 (constant bandwidth)?  Is the freedom to choose one’s routes through the network a double-edged sword?  What are the dangers of assumption 2 (constant bandwidth)?  Is the freedom to choose one’s routes through the network a double-edged sword?

18 Discussion Questions (cont.)  Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?  The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?  Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?  The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?

19 Discussion Questions (cont.)  Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.