Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anonymity on the Web: Onion routing and Crowds. 2 Outline  the problem of user privacy  basic concepts of anonymous communication  MIXes  Onion routing.

Published byLenard Johnson Modified over 8 years ago

Similar presentations

Presentation on theme: "Anonymity on the Web: Onion routing and Crowds. 2 Outline  the problem of user privacy  basic concepts of anonymous communication  MIXes  Onion routing."— Presentation transcript:

1 Anonymity on the Web: Onion routing and Crowds

2 2 Outline  the problem of user privacy  basic concepts of anonymous communication  MIXes  Onion routing  Anonymizer  Crowds

3 3 User privacy – the problem  private information is processed and stored extensively by various individuals and organizations – location of user  telecom operators – financial situation of user  banks, tax authorities – wealth of user  insurance companies – shopping information of user  credit card companies, retailers (via usage of fidelity cards) – illnesses of user  medical institutions – …  complete and meaningful profiles on people can be created and abused  information technology makes this easier – no compartmentalization of information – cost of storage and processing (data mining) decreases  technology is available to everyone

4 4 “I don’t have anything to hide.”  think again! – sexuality – pregnancy – illnesses – genetic predisposition – sins of youth – controversial activities – personal interests – …

5 5 User privacy – the goal  private data should be protected from abuse by unauthorized entities – transactional data e.g., access/usage logs at telecom operators, buildings, parking, public transport, … – data that reveals personal interests e.g., video rentals, credit card purchases, click stream data (WWW), … – data that was disclosed for a well-defined purpose e.g., tax data revealed to tax authorities, health related data revealed to doctors, address information revealed in mail orders, …

6 6 User privacy – existing approaches  data avoidance – “I don’t tell you, so you can’t abuse it.” – effective but not always applicable – often requires anonymity – examples: cash transactions, public phones  data protection – “If ever you abuse it, you will be punished.” – well-established approach – difficult to define, enforce, and control – requires legislation or voluntary restrictions  multilateral security – cooperation of more than two parties (typically TTPs are involved) – shared responsibilities and partial knowledge  combinations of the above three

7 7 Basic concepts of anonymous communication  What do we want to hide? – sender anonymity attacker cannot determine who the sender of a particular message is – receiver anonymity attacker cannot determine who the intended receiver of a particular message is – unlinkability attacker may determine senders and receivers but not the associations between them (attacker doesn’t know who communicates with whom)  From whom do we want to hide this? – communication partner (sender anonymity) – external attackers local eavesdropper (sniffing on a particular link (e.g., LAN)) global eavesdropper (observing traffic in the whole network) – internal attackers (colluding) compromised system elements (e.g., routers)

8 8 Chaum MIX  goal – sender anonymity (for communication partner) – unlinkability (for global eavesdropper)  implementation { r, m } K MIX  MIX  m where m is the message and r is a random number MIX - batches messages - discards repeats - changes order - changes encoding

9 9 MIX chaining  defense against colluding compromised MIXes – if a single MIX behaves correctly, unlinkability is still achieved MIX

10 10 A real-time MIX network – Onion routing  general purpose infrastructure for anonymous communications over a public network (e.g., Internet)  supports several types of applications (HTTP, FTP, SMTP, rlogin, telnet, …) through the use of application specific proxies  operates over a (logical) network of onion routers – onion routers are real-time Chaum MIXes (messages are passed on nearly in real-time  this may limit mixing and weaken the protection!) – onion routers are under the control of different administrative domains  makes collusion less probable  anonymous connections through onion routers are built dynamically to carry application data  distributed, fault tolerant, and secure

11 11 Overview of architecture application (initiator) application (responder) onion router entry funnel - multiplexes connections from onion proxies exit funnel - demultiplexes connections from the OR network - opens connection to responder application and reports a one byte status msg back to the application proxy long-term socket connections application proxy - prepares the data stream for transfer - sanitizes appl. data - processes status msg sent by the exit funnel onion proxy - opens the anonymous connection via the OR network - encrypts/decrypts data

12 12 OR network setup and operation  long-term socket connections between “neighboring” onion routers are established  links  neighbors on a link setup two DES keys using the Station-to-Station protocol (one key in each direction)  several anonymous connections are multiplexed on a link – connections are identified by a connection ID (ACI) – an ACI is unique on a link, but not globally  every message is fragmented into fixed size cells (48 bytes)  cells are encrypted with DES in OFB mode (null IV) – optimization: if the payload of a cell is already encrypted (e.g., it carries (part of) an onion) then only the cell header is encrypted  cells of different connections are mixed, but order of cells of each connection is preserved 654321 4321 mixing 6543214321

13 13 Anonymous connection setup  the application is configured to connect to the application proxy instead of the real destination  upon a new request, the application proxy – decides whether to accept the request – opens a socket connection to the onion proxy – passes a standard structure to the onion proxy – standard structure contains application type (e.g., HTTP, FTP, SMTP, …) retry count (number of times the exit funnel should retry connecting to the destination) format of address that follows (e.g., NULL terminated ASCII string) address of the destination (IP address and port number) – waits response from the exit funnel before sending application data

14 14 Anonymous connection setup cont’d  upon reception of the standard structure, the onion proxy – decides whether to accept the request – establishes an anonymous connection through some randomly selected onion routers by constructing and passing along an onion – sends the standard structure to the exit funnel of the connection – after that, it relays data back and forth between the application proxy and the connection  upon reception of the standard structure, the exit funnel – tries to open a socket connection to the destination – it sends back a one byte status message to the application proxy through the anonymous connection (in backward direction) – if the connection to the destination cannot be opened, then the anonymous connection is closed – otherwise, the application proxy starts sending application data through the onion proxy, entry funnel, anonymous connection, and exit funnel to the destination

15 15 Onions  an onion is a multi-layered data structure  it encapsulates the route of the anonymous connection within the OR network  each layer contains – backward crypto function (DES-OFB, RC4) – forward crypto function (DES-OFB, RC4) – IP address and port number of the next onion router – expiration time – key seed material used to generate the keys for the backward and forward crypto functions  each layer is encrypted with the public key of the onion router for which data in that layer is intended bwd fn | fwd fn | next = 0 | keysbwd fn | fwd fn | next = green | keysbwd fn | fwd fn | next = blue | keys

16 16 Anonymous connection setup illustrated application (responder) onion proxy onion

17 17 Anonymous connection setup illustrated application (responder) onion proxy onion bwd: entry funnel, crypto fns and keys fwd: blue, ACI = 12, crypto fns and keys

18 18 Anonymous connection setup illustrated application (responder) onion proxy onion ACI = 12

19 19 Anonymous connection setup illustrated application (responder) onion proxy onion bwd: magenta, ACI = 12, crypto fns and keys fwd: green, ACI = 8, crypto fns and keys

20 20 Anonymous connection setup illustrated application (responder) onion proxy onion ACI = 8

21 21 Anonymous connection setup illustrated application (responder) onion proxy onion bwd: blue, ACI = 8, crypto fns and keys fwd: exit funnel

22 22 Anonymous connection setup illustrated application (responder) onion proxy bwd: entry funnel, crypto fns and keys fwd: blue, ACI = 12, crypto fns and keys bwd: magenta, ACI = 12, crypto fns and keys fwd: green, ACI = 8, crypto fns and keys bwd: blue, ACI = 8, crypto fns and keys fwd: exit funnel standard structure status open socket

23 23 Data movement  forward direction – the onion proxy adds all layers of encryption as defined by the anonymous connection – each onion router on the route removes one layer of encryption – responder application receives plaintext data  backward direction – the responder application sends plaintext data to the last onion router of the connection (due to sender anonymity it doesn’t even know who is the real initiator application) – each onion router adds one layer of encryption – the onion proxy removes all layers of encryption

24 24 Connection tear-down  anonymous connections are terminated by the initiator, the responder, or one of the onion routers in the middle  a special DESTROY message is propagated by the onion routers – if an onion router receives a DESTROY msg, it passes it along the route (forward or backward) – sends an acknowledgement to the onion router from which it received the DESTROY msg – if an onion router receives an acknowledgement for a DESTROY messages it frees up the corresponding ACI

25 25 Anonymizer  www.anonymizer.com  special protection for HTTP traffic  acts as a proxy for browser requests  rewrites links in web pages and adds a form where URLs can be entered for quick jump  disadvantages: – must be trusted – single point of failure/attack browser anonymizer server request reply href =“http://anon.free.anonymizer.com/http://www.server.com/”  href =“http://www.server.com/”

26 26 Crowds  a crowd is a collection of users formed dynamically  each user runs a process called jondo on his computer  when the jondo is started it contacts a server called blender to request admittance to the crowd  if admitted, the blender reports the current membership of the crowd and sends information necessary to join the crowd (keys)  the user sets his browser to use his jondo as a web proxy  when the jondo receives the first request from the browser, it initiates the establishment of a random path of jondos in the crowd – the jondo picks a jondo (possibly itself) in the crowd at random, and forwards the request to it (after sanitizing it) – when this jondo receives the request it forwards it with probability p f (to a randomly selected jondo again) and submits the request to the destination server with probability 1-p f  subsequent requests follow the same path  the server replies traverse the same path (in reverse direction)  communication between jondos is encrypted

27 27 Examples serverscrowd

28 28 Degrees of anonymity  beyond suspicion: – attacker can see evidence of a sent message, but – the sender appears no more likely to be the originator than any other potential sender in the system  probable innocence: – the sender may be more likely the originator than any other potential sender, but – the sender appears no more likely to be the originator than to not be the originator  possible innocence: – the sender appears more likely to be the originator than to not be the originator, but – there’s still a non-trivial probability that the originator is someone else absolute privacy beyond suspicion probable innocence possible innocence exposedprovably exposed

29 29 Types of attackers  local eavesdropper – can observe communication to and from the users computer  collaborating crowd members – crowd members that can pool their information and deviate from the protocol  end server – the web server to which the transaction is directed

30 30 Security analysis – local eavesdropper  a local eavesdropper can see that the user originated a request – sender is exposed  however, he typically cannot see the target of the request – requests are encrypted unless they are submitted to the target server – if request is encrypted, each end-server appears for the attacker equally likely to be the target of the request  beyond suspicion anonymity – if the user’s own jondo submits the request, then the target is exposed; the probability of this is 1/n where n is the size of the crowd – P( receiver / beyond suspicion )  1 as n  infinity

31 31 Security analysis – end server  end-server is the target of the request – receiver anonymity is not possible  anonymity for the originator is strong – user’s jondo always forwards the request to a random member of the crowd (~ hides user identity with a one-time pad)  the end-server is equally likely to receive the request from any crowd member – from the end-server perspective, each user is equally likely to be the originator  sender / beyond suspicion anonymity guaranteed

32 32 Security analysis – collaborating jondos  notation – H i – the event that the first collaborator on the path is in the i-th position – H i+ = H i v H i+1 v H i+2 v … – I – the event that the first collaborator on the path is immediately preceded on the path by the initiator  definition – the path initiator has probable innocence if P( I | H 1+ )  1/2  theorem – if n  (c + 1)p f / (p f – 1/2), then the path initiator has probable innocence against c collaborators  in addition, P( absolute privacy )  1 as n  infinity both for sender and receiver anonymity

33 33 Overview of security offered by Crowds attackersender anonymityreceiver anonymity local eavesdropper exposedP( beyond suspicion)  1 c collaborating crowd members probable innocence P( absolute privacy )  1 end server beyond suspicionN/A

34 34 Timing attacks  HTML pages can include URLs that are automatically fetched by the browser (e.g., images)  first collaborating jondo on the path can measure the time between seeing a page and seeing a subsequent automatic request  if the duration is short, then the predecessor on the route is likely to be the initiator  solution: – last jondo on the path parses HTML pages and requests the URLs that the browser would request automatically – user’s jondo on the path returns HTML page, doesn’t forward automatic requests, rather waits for the last jondo to supply the results

35 35 Limitations of Crowds  request contents are exposed to intermediate jondos  service can be circumvented by Java Applets and Active X controls  performance overhead (increased retrieval time, load on jondos)  no defense against DoS attacks mounted by malicious crowd members

36 36 Comparison with MIXes  Crowds – sender anonymity – no protection against global eavesdropper – uses symmetric key crypto  MIXes – unlinkability of sender and receiver – protection against global eavesdropper – use public key crypto (at least during connection setup)

Download ppt "Anonymity on the Web: Onion routing and Crowds. 2 Outline  the problem of user privacy  basic concepts of anonymous communication  MIXes  Onion routing."

Similar presentations

CCNA – Network Fundamentals

CCNA – Network Fundamentals
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter and Aviel D. Rubin, Presented by Eric M. Busse Portions excerpt from Crowds: Anonymity.

Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter and Aviel D. Rubin, Presented by Eric M. Busse Portions excerpt from Crowds: Anonymity.
Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.

Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.

Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.

Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.

Similar presentations

Ads by Google