1. Lecture 28: Anonymity on the Web Modified from Levente Buttyan, Michael K. Reiter and Aviel D. Rubin

2. User privacy – the problem private information is processed and stored extensively by various individuals and organizations – location of user  telecom operators – financial situation of user  banks, tax authorities – wealth of user  insurance companies – shopping information of user  credit card companies, retailers (via usage of fidelity cards) – illnesses of user  medical institutions –…–… complete and meaningful profiles on people can be created and abused information technology makes this easier – no compartmentalization of information – cost of storage and processing (data mining) decreases  technology is available to everyone 2

3. User privacy – the goal private data should be protected from abuse by unauthorized entities – transactional data access/usage logs at telecom operators, buildings, parking, public transport, … – data that reveals personal interests rentals, credit card purchases, click stream data (WWW), … – data that was disclosed for a well-defined purpose tax data revealed to tax authorities, health related data revealed to doctors, address information revealed in mail orders, … 3

4. User privacy – existing approaches data avoidance – “I don’t tell you, so you can’t abuse it.” – effective but not always applicable – often requires anonymity – examples: cash transactions, public phones data protection – “If ever you abuse it, you will be punished.” – well-established approach – difficult to define, enforce, and control – requires legislation or voluntary restrictions multilateral security – cooperation of more than two parties – shared responsibilities and partial knowledge combinations of the above 4

5. Anonymous Communication Concepts What do we want to hide? – sender anonymity attacker cannot determine who the sender of a particular message is – receiver anonymity attacker cannot determine who the intended receiver of a particular message is – unlinkability attacker may determine senders and receivers but not the associations between them (attacker doesn’t know who communicates with whom) From whom do we want to hide this? – communication partner (sender anonymity) – external attackers local eavesdropper (sniffing on a particular link (e.g., LAN)) global eavesdropper (observing traffic in the whole network) – internal attackers (colluding) compromised system elements (e.g., routers) 5

6. Types of attackers local eavesdropper – can observe communication to and from the users computer collaborating crowd members – crowd members that can pool their information and deviate from the protocol end server – the web server to which the transaction is directed 6

7. The sole mechanism of anonymity is blending and obfuscation. The Mix approach Obfuscate the data Blend the data with cover traffic The Onion Routing approach Obfuscate the data Use cell padding to make data look similar The Crowds approach Data may be in clear text Hide in a group and make everyone in the group equally responsible for an act Anonymity loves company

8. 1.User first joins a crowd of other users and he is represented by a jondo process on his local machine. He registers to a server machine which is called a Blender. 2.User configures his browser to use the local jondo as the proxy for all new services. 3.The blender sends the data of other nodes in the crowd to the local jondo. 4.All other members in the crowd go through a Join Commit. Crowds in operation : Setup

9. 1.User passes her request to a random member in the crowd. 2.The selected router flips a biased coin with forwarding probability p f. 3.With probability (1- p f ), it delivers the message directly to destination. Otherwise it forwards the message to a randomly selected next router. Crowds in operation : Communication

10. Use of encryption A single path key is used for end-to-end encryption At each node, path key is re-encrypted using link encryption Fast stream cipher for encrypting reply traffic Static Path Dynamic paths hurt the anonymity achieved Paths are changed during join and failure Protection against timing attacks Sender revealed if it is an immediate predecessor of malicious jondo. Introduce delays for thwarting attacks Distinct Characteristics of Crowds

11. Every node is a MIX Making the end nodes and the MIXes indistinguishable Distributed workload Used in MorphMix / Tarzan for Peer to Peer communication The leaky pipe architecture Any node is an exit node Used in Tor to provide better protection against Robustness No single point of failure Distributed Blender Anonymity loves company The more the user base, the better the anonymity Highly scalable Concepts coming out of Crowds

12. Content in plaintext Apply end-to-end encryption to protect content Limitation: Gathering multimedia content Restriction on using ActiveX controls etc. Current Internet landscape is different from this requirement Vulnerable to DoS attacks Malicious jondos can simply drop packets. Performance overhead Increased network traffic, increased retrieval time and load on jondos Deployment problem with firewalls Limitations of Crowds

13. Chaum MIX goal – sender anonymity (for communication partner) – unlinkability (for global eavesdropper) implementation { r, m } K MIX  MIX  m where m is the message and r is a random number 13 MIX - batches messages - discards repeats - changes order - changes encoding

14. MIX chaining defense against colluding compromised MIXes – if a single MIX behaves correctly, unlinkability is still achieved 14 MIX

15. A real-time MIX network – Onion routing general purpose infrastructure for anonymous comm. – supports several types of applications through the use of application specific proxies operates over a (logical) network of onion routers – onion routers are real-time Chaum MIXes messages are passed on nearly in real-time – this may limit mixing and weaken the protection! – onion routers are under the control of different administrative domains makes collusion less probable – anonymous connections through onion routers are built dynamically to carry application data distributed, fault tolerant, and secure 15

16. Overview of architecture 16 application (initiator) application (responder) onion router entry funnel - multiplexes connections from onion proxies exit funnel - demultiplexes connections from the OR network - opens connection to responder application and reports a one byte status msg back to the application proxy long-term socket connections application proxy - prepares the data stream for transfer - sanitizes appl. data - processes status msg sent by the exit funnel onion proxy - opens the anonymous connection via the OR network - encrypts/decrypts data

17. Onions an onion is a multi-layered data structure it encapsulates the route of the anonymous connection within the OR network each layer contains – backward crypto function (DES-OFB, RC4) – forward crypto function (DES-OFB, RC4) – IP address and port number of the next onion router – expiration time – key seed material used to generate the keys for the backward and forward crypto functions each layer is encrypted with the public key of the onion router for which data in that layer is intended 17 bwd fn | fwd fn | next = 0 | keysbwd fn | fwd fn | next = green | keysbwd fn | fwd fn | next = blue | keys

18. OR network setup and operation long-term socket connections between “neighboring” onion routers are established  links neighbors on a link setup two DES keys using the Station-to-Station protocol (one key in each direction) several anonymous connections are multiplexed on a link – connections are identified by a connection ID (ACI) – an ACI is unique on a link, but not globally every message is fragmented into fixed size cells (48 bytes) cells are encrypted with DES in OFB mode (null IV) – optimization: if the payload of a cell is already encrypted (e.g., it carries part of an onion) then only the cell header is encrypted cells of different connections are mixed – but order of cells of each connection is preserved 18 654321 4321 mixing 6543214321

19. Anonymous connection setup upon a new request, the application proxy – decides whether to accept the request – opens a socket connection to the onion proxy – passes a standard structure to the onion proxy – standard structure contains application type (e.g., HTTP, FTP, SMTP, …) retry count (number of times the exit funnel should retry connecting to the destination) format of address that follows (e.g., NULL terminated ASCII string) address of the destination (IP address and port number) – waits response from the exit funnel before sending application data 19

20. Anonymous connection setup upon reception of the standard structure, the onion proxy – decides whether to accept the request – establishes an anonymous connection through some randomly selected onion routers by constructing and passing along an onion – sends the standard structure to the exit funnel of the connection – after that, it relays data back and forth between the application proxy and the connection upon reception of the standard structure, the exit funnel – tries to open a socket connection to the destination – it sends back a one byte status message to the application proxy through the anonymous connection (in backward direction) – if the connection to the destination cannot be opened, then the anonymous connection is closed – otherwise, the application proxy starts sending application data through the onion proxy, entry funnel, anonymous connection, and exit funnel to the destination 20

21. Anonymous connection setup 21 application (responder) onion proxy onion

22. Anonymous connection setup 22 application (responder) onion proxy onion bwd: entry funnel, crypto fns and keys fwd: blue, ACI = 12, crypto fns and keys

23. Anonymous connection setup 23 application (responder) onion proxy onion ACI = 12

24. Anonymous connection setup 24 application (responder) onion proxy onion bwd: magenta, ACI = 12, crypto fns and keys fwd: green, ACI = 8, crypto fns and keys

25. Anonymous connection setup 25 application (responder) onion proxy onion ACI = 8

26. Anonymous connection setup 26 application (responder) onion proxy onion bwd: blue, ACI = 8, crypto fns and keys fwd: exit funnel

27. Anonymous connection setup 27 application (responder) onion proxy bwd: entry funnel, crypto fns and keys fwd: blue, ACI = 12, crypto fns and keys bwd: magenta, ACI = 12, crypto fns and keys fwd: green, ACI = 8, crypto fns and keys bwd: blue, ACI = 8, crypto fns and keys fwd: exit funnel standard structure status open socket

28. Data movement forward direction – the onion proxy adds all layers of encryption as defined by the anonymous connection – each onion router on route removes one layer of encryption – responder application receives plaintext data backward direction – the responder application sends plaintext data to the last onion router of the connection due to sender anonymity it doesn’t even know who is the real initiator application – each onion router adds one layer of encryption – the onion proxy removes all layers of encryption 28

29. Connection tear-down anonymous connections are terminated by the initiator, the responder, or one of the onion routers in the middle a special DESTROY message is propagated by the onion routers – if an onion router receives a DESTROY msg, it passes it along the route forward or backward – sends an acknowledgement to the onion router from which it received the DESTROY msg – if an onion router receives an acknowledgement for a DESTROY messages it frees up the corresponding ACI 29

30. Crowds and MIX solve different anonymity problems Crowds provide (probable innocence) sender anonymity MIX networks provide sender and receiver un-linkability Different type of protection against global passive eavesdropper Crowds provide no protection MIX networks provide protection Different approach in routing (Efficiency) In Crowds paths are selected randomly In a MIX, the circuit has to be determined first Crowds versus MIX networks

31. Anonymizer www.anonymizer.com special protection for HTTP traffic acts as a proxy for browser requests rewrites links in web pages and adds a form where URLs can be entered for quick jump disadvantages: – must be trusted – single point of failure/attack 31 browser anonymizer server request reply href =“http://anon.free.anonymizer.com/http://www.server.com/”  href =“http://www.server.com/”

32. Electronic Money

33. Narrow View of Term: – Tokens of Exchange transacted Only electronically – Examples: Facebook Gold, Digital Gold Currency, BitCoin, and other electronic currencies Broad Usage of Term includes Both: – Electronic Payment Authorization  Credit cards – Value Holding Electronic Tokens A currency has value by it being widely used. – Bitcoin is a startup currency with a deflationary bootstrapping economy What is Electronic Money? 33

34. It is simply a means of sending and receiving numbers to and from "addresses" An Open-Source Peer-To-Peer Payment Network – Using Digital Signatures & Encryption decentralization is the basis for Bitcoin's security and freedom Public –Private Key Encryption – Alice & Bob Illustration – Digital Certificate Blocking Chain http://www.weusecoins.com/ BitCoin 34

35. Bitcoin Governance - an open source community of developers backed by the Bitcoin Foundation. Democratic - if you don't like one of the changes, you are more than welcome to fork the chain and implement your own rules Money Creation - is given to the people, not to the central bankers. Deflationary by design - money supply cannot be manipulated and is fixed at 21 million coins, each divisible up to 8 decimal 35

36. How it works The block chain is the fundamental data structure of the Bitcoin protocol. It's a single data file participants pass around to each other. It allows them to know who owns what. Anyone can change it to send money to someone else. Other users mathematically verify the transaction to ensure it's validity. 36

37. How It Works It's essentially an accounting ledger: 1.3/3/13 Sally found : $15.00 2.3/3/13 Sally -> Bob : $10.00 3.3/4/13 Bob -> Jimmy : $4.00 4.3/4/13 Sally -> Barb : $4.00 5.3/4/13 Jimmy -> Sally : $2.00 How much money does Sally have in her wallet? – Sally had $15, then gave $10 to Bob, then $4 to Barb, then was given $2 from Jimmy. Sally has $3 as of right now. 37

38. Transactions 38 The block chain prevents the double spend attack by giving other nodes the power to verify that transaction inputs were not already spent somewhere else. Input contains 1) A public key that belongs to the redeemer of the output transaction. 2) An ECDSA hash over a hash of the transaction. Output contains 1) The actual amount being sent to the recipient. 2) The change amount being sent back to the original sender (if any) 3) The voluntary transaction fee attached to the output (if any).

39. Mining Miners collect the transactions on the network into large bundles called blocks – like "Alice pays Karim 10 bitcoins" and "Liam pays Sofia 8.3 bitcoins". These blocks are strung together into one continuous, authoritative record called the block chain, – which doesn't permit any conflicting transactions. – lets you know for sure exactly which transactions count and can be trusted (no double spending!). 39

40. Block Chain Bitcoin makes sure there is only one block chain by making blocks really hard to produce. miners have to compute a cryptographic hash of the block that meets certain criteria – difficulty of the criteria for the hash is adjusted based on how frequently blocks are appearing – also carefully validate all the transactions that go into their blocks Successful miners are rewarded some bitcoins according to a preset schedule 40

41. Fraud prevention Users can trust the block chain that was most difficult to produce – longest chain wins If there was a "fake" blockchain competing with the real ones the fraudster would have to do as much work as the rest of the network to make their block chain look as trustworthy – intense work that goes into finding blocks through hashing secures the network against fraud 41

42. BitCoin Mining 1.Collects transactions from the network 2.Validates them, and doesn't allow conflicting ones 3.Puts them into large bundles called blocks 4.Computes cryptographic hashes over and over until if finds one "good enough to count" 5.Then submits the block to the network, adding it to the block chain and earning a reward in return 42

43. Bitcoin Security Bitcoin addresses are RACE Integrity Primitives Evaluation Message Digest RIPEMD-160 of SHA-256 of an Elliptic Curve Digital Signature Algorithm public key any vulnerabilities in the algorithms would constitute a vulnerability in bitcoin itself An attacker with > 50% of hash power can – Double spend: Reverse transactions that he sends while he's in control – Prevent some or all transactions from gaining any confirmations – Prevent some or all other generators from getting any generations 43

44. Bitcoin Concerns Wallet Vulnerable To Theft Tracing a coin's history Packet sniffing Sybil attack (cancer nodes) No authentication for IP transfers – This attack is downright likely if you're using Tor Denial of Service (DoS) attacks Illegal content in the block chain Energy Consumption 44

45. Hash Rate 45

46. Market Price 46

47. Alternatives Litecoin (LTC) – transaction confirmation in 2.5 min – prevent ASICs PPCoin (PPC) – proof-of-stake – energy efficient NameCoin (NMC) – Decentralized DNS –.bit domain 47

48. Alternatives TerraCoin (TRC) NovaCoin (NVC) Yacoin (YAC) Primecoin (XPM) FeatherCoin (FTC) Anoncoin (ANC) 48 As of Dec 10, 2013 Currency BTCLTCPPCNMCTRCNVCFTCXPMYAC Value $918.10$33.28$5.21$7.44$5.00$20.25$0.47$7.80$0.15 Capitalization 9.3 b1 b43.3 m 4.7 m2.5 m2 m2.2 m3.6 m