Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory.


1 Message Splitting Against the Partial Adversary Andrei Serjantov The Free Haven Project (UK) Steven J Murdoch University of Cambridge Computer Laboratory

2 Outline
Mix Systems. Criticisms.
–too strong threat model(!)
–intersection attack when >1 msg (too much data) sent
Weaker threat model
Sending each message via random route – “non connection-based system”
Empirical observations about Mixmaster, Mixminion
Characteristic delay function [Dan04] is difficult to estimate

3 Mix Systems
Well known to this audience
Implemented
–Mixmaster
–Mixminion
Threat Model
–Global Passive Adversary (GPA)
–GPA with some (all but one?) compromised mixes

4 Criticisms
GPA does not exist
–(a matter of some debate)
The mix system (Chaum 81) allows one fixed-sized message to be sent anonymously
–Great for votes
–Ok for email
–Bad for Web Browsing
–Awful for Bit Torrent
If >1 message (more than 32K data), anonymity is degraded

5 Intersection Attack
[Diagram: nodes A, B, C and D, E, F; Mix 1 to Mix 4; numbered messages; labels: Senders, Receivers, Attacker]

6 Traffic

7 Intersection Attack
[BPS00] On the Disadvantages of Free Mix Routes (PET2001)
[WALS02] An Analysis of the Degradation of Anonymous Protocols (NDSS’02)
[KAP02] Limits of Anonymity in Open Environments (IH2002)
[Dan03] Statistical Disclosure (I-NetSec03)
[DS04] (IH2004)
[Dan04] The traffic analysis of continuous-time mixes (PET2004)
etc

8 The Common Wisdom
Intersection attacks are:
–Realistic
–Powerful (reduce anonymity quickly)
–Hard to protect against
Require lots of dummy traffic

9 A Weaker Model
[Diagram: nodes A, B, C and D, E, F; Mix 1 to Mix 4; messages numbered 1 and 2]
Attacker observes:
not all inputs
not all outputs
Not interesting

10 A Better Threat Model
A Partial Adversary
–Does not observe all Sender to Mix links
–(alternatively not all mixes which senders can send to)
–Ignore compromised mixes

11 Observed Mix
[Diagram: nodes A, B, D, E; Mix 1 to Mix 4; messages numbered 1 and 2]
Attacker sends all his messages via one single route through the mix system

12 Splitting Data
[Diagram: nodes A, B, C, E, F; Mix 1 to Mix 4; numbered messages]
Sender B splits his stream of data and sends each message via a randomly chosen route
The problem: how do you choose the first mix?
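The contrast between the single-route sender (slide 11) and the splitting sender (slide 12) under a partial adversary, as an added toy simulation that is not code from the presentation or the paper. The population size, the eight entry mixes of which two are observed, the cover senders and the uniform choice of first mix are all assumptions made for the illustration.

```python
import random

def run_attack(observed, split, n_senders=50, n_mixes=8,
               rounds=40, cover=10, seed=1):
    """Naive set-intersection attack on sender 0 (constructed toy model).

    Every round sender 0 plus `cover` random other senders each inject one
    message at an entry mix. The attacker only sees senders whose message
    entered a mix in `observed`, and intersects those sets across rounds.
    Returns (candidates, seen): the surviving suspects and the number of
    rounds in which sender 0's message was actually observed.
    """
    rng = random.Random(seed)
    # Single-route policy: each sender always uses the same entry mix
    # (sender 0 -> mix 0). Assumption for the illustration only.
    fixed_entry = {s: s % n_mixes for s in range(n_senders)}
    candidates = set(range(n_senders))
    seen = 0
    for _ in range(rounds):
        active = [0] + rng.sample(range(1, n_senders), cover)
        visible = set()
        for s in active:
            # Splitting: a fresh, uniformly random first mix per message.
            entry = rng.randrange(n_mixes) if split else fixed_entry[s]
            if entry in observed:
                visible.add(s)
        seen += int(0 in visible)
        candidates &= visible
    return candidates, seen

def compare():
    """Run the three cases discussed on the slides and return the results."""
    everything = set(range(8))   # global passive adversary: all entry mixes
    partial = {0, 1}             # partial adversary: 2 of 8 entry mixes
    return {
        "global": run_attack(everything, split=False),
        "partial, single route": run_attack(partial, split=False),
        "partial, split": run_attack(partial, split=True),
    }

if __name__ == "__main__":
    for name, (candidates, seen) in compare().items():
        print(f"{name:22s} suspects={sorted(candidates)} target seen in {seen}/40 rounds")
```

In this model the global adversary and the partial adversary watching a single-route sender both narrow the suspects to sender 0. Against the splitting sender the plain intersection discards the real sender, because most of the stream entered unobserved mixes, leaving the attacker only the `seen` fraction of it.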

13 The Details
Problem:
– mixes to send to compromised, the rest not (but no idea which ones)
–P packets
–What are the s.t. a random subset (attacker) of size gives least information about
–Note that (dummy traffic)
–No proof or optimal solution in this paper!
See one possible solution next

14 One possible scheme
Pick (uniformly) at random a sequence of mixes
Pick from a geometric distribution with mean.
Set etc
Another in the paper (with some analysis)

15 Part II (Looking at a particular intersection attack and finding it not as easy as it looks at first glance)

16 Another Intersection Attack Danezis 2004 (thanks for the diagrams) The Idea:

17 The Details

18 The Characteristic Delay Function
What is this for
–Mixes
–Mixmaster
–Mixminion
–Tor
This may be unfair – Danezis intended his attack for low latency systems (Tor)
Nevertheless interesting

19 The Characteristic Delay Function
Theory:
–What is the delay of a mix (cascade/network)
–Can say not very much about it (as usual)
Details in the paper
Practice:
–Steven wrote a disciplined pinger
Does not ping too often, hope not to affect the results by sampling

20 Results

21

22 Comparing
Nothing surprising
–Mixmaster has longer delay
–Heavy tails

23 Conclusions I
It is well known that the intersection attack is powerful
–No reason to abandon investigation!
New interesting, mathematically well defined threat model
Splitting traffic amongst first nodes
–Does not have the efficiency of Tor or other connection-based systems
–Does gain anonymity advantage (but only by means of a weaker threat model)

24 Conclusions II
Characteristic function of Mixmaster, Mixminion difficult to work out in theory or estimate empirically
Data at:
All references at “Anonymity Bibliography”
Thank you

25 The Anonymity Advantage
[Figure: two copies of a diagram titled "The Network (Mixmaster)" with numeric labels 100, 17, 10, 5, 87 and 100, 170, 10, 5, 87; other labels: Total observed packets, Alice]

26 Intersection Attack
[Diagram labels: Senders, Receivers, Attacker, Mixes]

27 A Weaker Model
Attacker observes:
not all inputs
not all outputs
Not interesting

28 Observed Mix
Attacker sends all his messages via one single route through the mix system

29 Splitting Data
Attacker splits his stream of data and sends each message via a randomly chosen route
The problem: how do you choose the first mix?

30 Results

31

32 Comparing
Nothing surprising
–Mixmaster has longer delay
–Heavy tails

