Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocols for Anonymous Communication

Published byEugene Hall Modified over 6 years ago

Similar presentations

Presentation on theme: "Protocols for Anonymous Communication"— Presentation transcript:

1 Protocols for Anonymous Communication
18734: Foundations of Privacy Protocols for Anonymous Communication Anupam Datta CMU Fall 2017

2 Privacy on Public Networks
Internet is designed as a public network Machines on your LAN may see your traffic, network routers see all traffic that passes through them Routing information is public IP packet headers identify source and destination Even a passive observer can easily figure out who is talking to whom Encryption does not hide identities Encryption hides payload, but not routing information Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP addresses of IPSec gateways Public networks are vulnerable to traffic analysis

3 Applications of Anonymity (I)
Privacy Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists Untraceable electronic mail Corporate whistle-blowers Political dissidents Socially sensitive communications (online AA meeting) Confidential business negotiations Law enforcement and intelligence Sting operations and honeypots Secret communications on a public network

4 Applications of Anonymity (II)
Digital cash Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity) Anonymous electronic voting Censorship-resistant publishing

5 What is Anonymity? Anonymity is the state of being not identifiable within a set of subjects You cannot be anonymous by yourself! Hide your activities among others’ similar activities Unlinkability of action and identity For example, sender and his are no more related after observing communication than they were before Unobservability (hard to achieve) Any item of interest (message, event, action) is indistinguishable from any other item of interest

6 Attacks on Anonymity Passive traffic analysis Active traffic analysis
Infer from network traffic who is talking to whom To hide your traffic, must carry other people’s traffic! Active traffic analysis Inject packets or put a timing signature on packet flow Compromise of network nodes Attacker may compromise some routers It is not obvious which nodes have been compromised Attacker may be passively logging traffic Better not to trust any individual router Assume that some fraction of routers is good, don’t know which

7 Outline Protocols for anonymous communication High-latency Low-latency
Chaum Mixes as a building block, onion routing Low-latency Optimized Onion Routing and Tor Dining Cryptographers

8 Before spam, people thought anonymous email was a good idea 
Chaum’s Mix Early proposal for anonymous David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981. Public key crypto + trusted r er (Mix) Untrusted communication medium Public keys used as persistent pseudonyms Modern anonymity systems use Mix as the basic building block Before spam, people thought anonymous was a good idea 

9 Basic Mix Design Mix B A C E D {r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
{r3,M’}pk(E),E C {r2,{r3,M’}pk(E),E}pk(mix) E D {r4,{r5,M’’}pk(B),B}pk(mix) Mix Adversary knows all senders and all receivers, but cannot link a sent message with a received message

10 Anonymous Return Addresses
M includes {K1,A}pk(mix), K2 where K2 is a fresh public key {r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B B MIX A K1 is created by A and hence messahe can only be decryptrd by A. K2 is used for the secrecy of M’ . Response MIX {K1,A}pk(mix), {r2,M’}K2 A,{{r2,M’}K2}K1 Secrecy without authentication (good for an online confession service )

11 Mix Cascade Messages are sent through a sequence of mixes
Can also form an arbitrary network of mixes (“mixnet”) Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymity Pad and buffer traffic to foil correlation attacks

12 Idea: Randomized Routing
Hide message source by routing it randomly Popular technique: Crowds, Freenet, Onion routing Routers don’t know for sure if the apparent source of a message is the true sender or another router

13 R R R4 R R3 R R1 R R2 R Onion Routing
[Reed, Syverson, Goldschlag ’97] R R R4 R R3 R R1 R R2 Alice R Bob Sender chooses a random sequence of routers Some routers are honest, some controlled by attacker Sender controls the length of the path

14 R2 R4 R3 R1 Route Establishment Alice Bob
{M}pk(B) Notice that as the onion is peeled, Alice establishes symmetric keys with each router {B,{ }} pk(R4) {R4, } } pk(R3) {R3 ,{ } }}pk(R2) {R2 ,{ }}pk(R1) Routing info for each link encrypted with router’s public key Each router learns only the identity of the next router

15 Disadvantages of Basic Mixnets/Onion Routing
Public-key encryption and decryption at each mix/router are computationally expensive Basic mixnets have high latency Ok for , not Ok for anonymous Web browsing Challenge: low-latency anonymity network Use public-key cryptography to establish a “circuit” with pairwise symmetric keys between hops on the circuit Then use symmetric decryption and re-encryption to move data messages along the established circuits Each node behaves like a mix; anonymity is preserved even if some nodes are compromised

16 Outline Protocols for anonymous communication High-latency Low-latency
Chaum Mixes as a building block Low-latency Onion Routing and Tor Dining Cryptographers

17 Tor Second-generation onion routing network Running since October 2003
Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically designed for low-latency anonymous Internet communications Running since October 2003 Thousands of nodes, 2MM+ users “Easy-to-use” client proxy Freely available, can use it for anonymous browsing

18 Tor Circuit Setup Client proxy establishes symmetric session keys with onion routers

19 Tor Circuit Setup (details)
Alice R3 Bob R1 {M}pk(B) {B,k4}pk(R4),{ }k4 Notice that as the onion is peeled, Alice establishes symmetric keys with each router {R4,k3}pk(R3),{ }k3 {R3,k2}pk(R2),{ }k2 {R2,k1}pk(R1),{ }k1 Routing info for each link encrypted with router’s public key Each router learns only the identity of the next router and symmetric key with source

20 Using a Tor Circuit Client applications connect and communicate over the established Tor circuit Note onion now uses only symmetric keys for routers Client has established a symmetric key with each node in the circuit. It can form an “onion” only with these symmetric keys. At each node the onion is peeled using its symmetric key with Client. This is an improvement over old onions that use public key encryption to move data over the circuit.

21 Using a Tor Circuit(details)
Alice R3 Bob R1 {M}pk(B) Notice that as the onion is peeled, Alice establishes symmetric keys with each router {B,{ }}k4 {R4, } k3 {R3 ,{ }}k2 {R2 ,{ }}k1 Note onion now uses only symmetric keys for routers

22 Tor Management Issues Many applications can share one circuit
Multiple TCP streams over one anonymous connection Tor router doesn’t need root privileges Encourages people to set up their own routers More participants = better anonymity for everyone Directory servers Maintain lists of active onion routers, their locations, current public keys, etc. Control how new routers join the network “Sybil attack”: attacker creates a large number of routers Directory servers’ keys ship with Tor code

23 Deployed Anonymity Systems
Free Haven project has an excellent bibliography on anonymity Tor ( Overlay circuit-based anonymity network Best for low-latency applications such as anonymous Web browsing Mixminion ( Network of mixes Best for high-latency applications such as anonymous

24 Outline Protocols for anonymous communication High-latency Low-latency
Chaum Mixes as a building block Low-latency Onion Routing and Tor Dining Cryptographers

25 Dining Cryptographers
Clever idea how to make a message public in a perfectly untraceable manner David Chaum. “The dining cryptographers problem: unconditional sender and recipient untraceability.” Journal of Cryptology, 1988. Guarantees information-theoretic anonymity for message senders This is an unusually strong form of security: defeats adversary who has unlimited computational power Impractical, requires huge amount of randomness In group of size N, need N random bits to send 1 bit

26 Three-Person DC Protocol
Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous. Each diner flips a coin and shows it to his left neighbor. Every diner will see two coins: his own and his right neighbor’s Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite). Odd number of “same”  NSA is paying; even number of “same”  one of them is paying But a non-payer cannot tell which of the other two is paying! About 3. Odd number of “same” arises only if everyone tells the truth (non-payers tell the truth)

27 Non-Payer’s View: Same Coins
“different” ? “same” “different” ? payer payer Even number of “same” so I know someone is paying, but who? I cannot see inside the cloud. If it were H, then the one on the left must be lying, if T then the one on the right. But H and T are equally likely. Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

28 Non-Payer’s View: Different Coins
“same” “same” ? “same” ? payer payer Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

29 Superposed Sending This idea generalizes to any group of size N
For each bit of the message, every user generates 1 random bit and sends it to 1 neighbor Every user learns 2 bits (his own and his neighbor’s) Each user announces own bit XOR neighbor’s bit Sender announces own bit XOR neighbor’s bit XOR message bit XOR of all announcements = message bit Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once

30 DC-Based Anonymity is Impractical
Requires secure pairwise channels between group members Otherwise, random bits cannot be shared Requires massive communication overhead and large amounts of randomness DC-net (a group of dining cryptographers) is robust even if some members collude Guarantees perfect anonymity for the other members

31 Thanks! Questions Acknowledgement: This lecture uses a number of slides provided by Vitaly Shmatikov

32 Location Hidden Servers
Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it Accessible from anywhere Resistant to censorship Can survive full-blown DoS attack Resistant to physical attack Can’t find the physical server!

33 Creating a Location Hidden Server
Server creates onion routes to “introduction points” Client obtains service descriptor and intro point address from directory Server gives intro points’ descriptors and addresses to service lookup directory

34 Using a Location Hidden Server
Client creates onion route to a “rendezvous point” Rendezvous point mates the circuits from client & server If server chooses to talk to client, connect to rendezvous point Client sends address of the rendezvous point and any authorization, if needed, to server through intro point

35 A simple idea: Basic Anonymizing Proxy
Channels appear to come from proxy, not true originator Appropriate for Web connections etc.: SSL, TLS (Lower cost symmetric encryption) Example: The Anonymizer Simple, focuses lots of traffic for more anonymity Main disadvantage: Single point of failure, compromise, attack

Download ppt "Protocols for Anonymous Communication"

Similar presentations

Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.

Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:

1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Xinwen Fu Anonymous Communication & Computer Forensics 91.580.203 Computer & Network Forensics.

Xinwen Fu Anonymous Communication & Computer Forensics Computer & Network Forensics.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Protocol Examples: Key Establishment Anonymity

Protocol Examples: Key Establishment Anonymity
Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.

Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.
0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S

0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.

Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.
Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.

Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)

On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
Www.sti-innsbruck.at © Copyright 2012 STI INNSBRUCK www.sti-innsbruck.at Tor project: Anonymity online.

© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Privacy and Anonymity CS432 - Security in Computing Copyright © 2005, 2006 by Scott Orr and the Trustees of Indiana University.

Privacy and Anonymity CS432 - Security in Computing Copyright © 2005, 2006 by Scott Orr and the Trustees of Indiana University.

Similar presentations

Ads by Google