Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)

Similar presentations


Presentation on theme: "On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)"— Presentation transcript:

1 On the Anonymity of Anonymity Systems Andrei Serjantov schnur@gmail.com (anonymous)

2 Outline Anonymity informally –Anonymity Properties Anonymity of Existing Implementations –Analysis Probability, Entropy Attacks –Low Latency –Intersection Conclusion

3 What is Anonymity? Actually, we assume humans are tied to computers and anonymize those Anonymity does not hide the presence of the individuals/computers just their identity

4 Anonymity System This guy does not even know he is on the internet(!)

5 Anonymity Properties I: Receiver Untraceability Senders are observable – i.e. the attacker knows that A sent a message to someone Receivers are not observable – ie the attacker does not know if B received a message A B

6 Anonymity Properties II: Sender Untraceability Senders unobservable…. A B

7 Anonymity Properties III: Unlinkability Senders and Receivers are observable, but not clear who is talking to whom B A

8 Anonymous from Who? (threat model) The observer: –Can compromise (almost) everything but two users of the system –Observes and modifies all network traffic –Observes all network traffic Global Passive Adversary –Observes some network traffic –Is the service the user is accessing

9 Properties A mix cascade guarantees that a global active attacker cannot distinguish two honest users who send one message each between time t and t’. –e.g. mixing votes DC-net –(both sender and receiver anonymity) Can be expressed formally

10 Anonymity of Existing Implementations Mixes Mix Systems

11 Timed Mix

12 Mix System Sender M, 0101011 R Receiver M, 0101011 R R B B A R - Receiver A - Mix B - Mix A M, 0101011 R R B B

13 Doing Things Anonymously Can provide guarantees for those who wish to send one message < 32K, and suffer the consequences of it not reaching the receiver Real life is not like that –Anonymous email (Mixmaster, Mixminion) Send and receive anonymous emails –Web Browsing (JAP, TOR, Tarzan, Morphmix) Wide file size distribution Low latency

14 Anonymity Analysis of Existing Systems Define a system, and an adversary Take inputs into the system –e.g. web request message stream –Email interaction Compute observation Hence figure out how vulnerable the anonymity of a certain activity is to a particular adversary.

15 Inputs, Model, Observation M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M1M2 Sender 1 Sender 2 Sender 3 R2 R1 R3 System: Inputs: Attacker: Global Passive Adversary Observation: (transition semantics model of the mixes)

16 Mix Network Q R D B A C Traditionally {A,B,C,D}

17 Timed Mix A B C D {A,B,C,D}

18 Mix Network Q R D B The message arriving to R is much more likely to be from D than from A A C Traditionally {A,B,C,D}

19 Pool Mix N+MN+M N N M M messages stay in the mix at each round Messages to be sent are picked from both the N and the M A message might stay in the mix for an very long time (but the probability of this happening is very small) The anonymity set of a message leaving at round i includes the senders who sent messages processed during previous rounds

20 Adding Probabilities Let us add the probability of that event having occurred to each event Call this Anonymity Probability Distribution So {A,B,C,D} could become: –{(A,¼), (B, ¼),(C, ¼),(D, ¼)} –Or, {(A,0.5), (B,0.1),(C,0.1),(D,0.3)} The probability distribution you come up with will depend on your observation, (+ knowledge, computational power…)

21 Entropy Ok, what can we do with the probability distribution afterwards? From information theory, is the information content of a probability distribution Can use this for: –Measuring anonymity –Expressing new attacks (ones which do not modify the set, but modify the distribution) –Comparing effectiveness of attacks

22 Pool Mix Revisited Could not previously compare a pool mix with a other mixes Now we can! Compute the entropy of the geometric distribution Pool mix with 100 inputs and 10 “feedbacks” is equivalent to a standard mix with 140 inputs(!!!) But, average delay of a message going through a pool mix is greater In the above example, 9% chance “of staying for another round”

23 Mix Networks Can also compute the anonymity probability distribution in mix networks Model and details in [Ser04] {(A,0.125), (B,0.125), (C,0.25), (D,0.5)} Q R D B A C

24 Impact of Low Latency and Repeated Communication -Packet Counting -Intersection

25 Connection-based Anonymity Systems A number of nodes –Nodes do not mix, but do onion encryption Packets are forwarded along links All packets of a connection are forwarded via the same sequence of nodes “Classical” Network P2P anonymity system

26 The Packet Counting Attack I Connection-based Anonymity Systems split the data up into many fairly small packets <1K All packets of an anonymous connection travel down the same path Thus, counting the packets may reveal which connections go where Merely coarse-grained packet counting required

27 Packet Counting II Observe the mix for time t and count packets on each link Correlate incoming and outgoing links –1075 and 1076 3056 2748 1353 1076 1075 1804 2497 2850 Ok if: – d (mix delay) << t – t is much smaller than interval between new connections starting

28 Packet Counting – Key Observation Packet counting works if the whole connection is lone –i.e. if it is the only connection on all the links (from the client to the server) it passes through This case may be attackable, we consider it not to be

29 Packet Counting – Results Hence, we need 2 or more connections on as many links as possible In our paper (ESORICS 2003) we define this formally Then simulate, showing that –E.g. 100 nodes, 100 connections via 2-4 nodes  92% of connections are lone (p2p scenario) –E.g. 20 nodes, 200 connections via 2-4 nodes  2.5% of connections lone (classic network)

30 Threshold B+1 B Alice Steves M N To N To M Repeated Communication As seen by the attacker

31 The Model

32 Simplification introduced by the model Alice

33 The Results (1000 rounds, B=10) Receivers, r P(Estimate) Estimate of probability of Alice sending to r

34 The Results

35

36 Conclusions Anonymity is a security property –not just privacy Analysis of anonymity properties important –Has been a neglected area –Uses tools from other fields (graph theory, probability) Plenty of applications –Identity management –Electronic voting –Anonymous email (whistle blowing)


Download ppt "On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)"

Similar presentations


Ads by Google