Anonymous communication
This presentation is the property of its rightful owner.
Sponsored Links
1 / 52

Anonymous Communication PowerPoint PPT Presentation


  • 140 Views
  • Uploaded on
  • Presentation posted in: General

Anonymous Communication. CSE 548 Lecture Prepared and presented by Vinayak Kandiah 10/08/07. Content Organization. Introduction to Anonymous Communication Introduction Anonymity using a Mix and Mix Networks Mix Network Classification Onion Routing Attacks on Mix Networks Split Mix

Download Presentation

Anonymous Communication

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Anonymous communication

Anonymous Communication

CSE 548 Lecture

Prepared and presented by Vinayak Kandiah

10/08/07


Content organization

Content Organization

  • Introduction to Anonymous Communication

    • Introduction

    • Anonymity using a Mix and Mix Networks

    • Mix Network Classification

    • Onion Routing

    • Attacks on Mix Networks

  • Split Mix

  • Merge Mix

  • Using Split and Merge in Same Network.

  • C-Mix (a network coding type anonymous scheme)

  • Performance Evaluation

  • Conclusion

CSE 548 - Advanced Computer/Network Security


Introduction

Introduction

  • Message secrecy achieved by cryptography.

  • Identities of communicating users and path info need to be hidden.

    • Wireless environment - identity associated with location.

  • Anonymity of a node is the state of not being identifiable within a given set of nodes [1].

  • Different types of anonymity:

    • Source anonymity.

    • Destination anonymity.

    • Path anonymity.

CSE 548 - Advanced Computer/Network Security


Anonymity using a mix

Anonymity using a Mix

  • “Mix” technique proposed by Chaum in 1981 [2].

  • A single node called “Mix” re-orders and changes message appearances.

  • Uses some cryptographic operations.

  • Initially suggested as an anonymous re-mailer.

  • Obvious drawbacks – single point of failure, bottleneck, centralized secrets.

CSE 548 - Advanced Computer/Network Security


Mix networks

Mix Networks

  • Chaum’s idea expanded to anonymous network communication.

  • Mix networks use multiple nodes which perform mixing operations.

  • Heavily uses cryptographic operations.

  • Various design choices available (also used as a basis for classification).

CSE 548 - Advanced Computer/Network Security


Mix network classification

Mix Network Classification

Classified based on four main criteria [3]:

  • Node Operation

    • Continuous Mix:

      • Messages associated with random delay values.

      • Node holds for specified delay before forwarding.

      • Works with constant traffic rates.

    • Block\Pool Mix:

      • Messages held at node till a flushing condition is satisfied.

      • Flushing condition can be timed, threshold or hybrid.

      • Pool Mix – Not all messages are flushed every time.

      • Works even with variable traffic rates.

CSE 548 - Advanced Computer/Network Security


Mix network classification1

Mix Network Classification

  • Networking Framework

    • Asynchronous Model:

      • Message transmissions not restricted by timing constraints.

      • Route length independence.

      • Usually chosen for large, vast networks (Internet).

    • Synchronous Model:

      • Distinct rounds of communication.

      • Senders transmit messages at start of a time period.

      • Path lengths need to (fairly) same.

      • In a round, users participate as either sender or receiver NOT both.

CSE 548 - Advanced Computer/Network Security


Mix network classification2

Mix Network Classification

  • Cryptographic Sequence

    • Decryption Network:

      • Sender encrypts message multiple times.

      • Path nodes decrypt before forwarding (to change appearance).

    • Re-encryption Network:

      • Sender encrypts once and attaches a trapdoor for intended receiver.

      • Path nodes try to solve trapdoor or re-encrypt and forward.

      • Normally used in wireless environments (MANET).

CSE 548 - Advanced Computer/Network Security


Mix network classification3

Mix Network Classification

  • Routing Strategy

    • Source Routing:

      • Sender decides the path to the receiver.

      • Each path node only knows the previous and next nodes.

    • Loose Source Routing:

      • Sender specifies partial path to the destination.

      • Trusted intermediate nodes determine the remainder of the path.

      • Useful when sender doesn't know entire topology.

CSE 548 - Advanced Computer/Network Security


Onion routing

Onion Routing

  • An implementation of mixes for low latency networks.

  • Onion routing uses:

    • Pool mixes.

    • Asynchronous framework.

    • Decryption.

    • Source Routing.

  • Three phases: Circuit initiation, data transfer and circuit destruction.

  • For circuit init., sender selects route and prepares a repeatedly encrypted message.

  • Order of public key encryption is reverse of path.

CSE 548 - Advanced Computer/Network Security


Onion routing1

Onion Routing

  • Consider the sample network and path shown in the figure.

  • In this case, order of public key encryption is R2, M5, M2 and M1.

  • Before each encryption a header is added.

  • Each node prior to decryption obtains:

    {next, Kf, Kb, TTL, {payload}}MX

Sample Network with path for Onion Routing.

CSE 548 - Advanced Computer/Network Security


Onion routing2

Onion Routing

  • Each node knows previous and next hops, shared keys (Kf, Kb) and creates a VCI.

  • Receiver sends ACK on receiving the init onion.

  • Data Transfer:

    • Sender performs multiple symmetric encryptions using shared keys distributed.

    • Each node decrypts and forwards to corresponding VCI.

  • Message content and user identities are hidden.

  • Circuit destruction involves a KILL message to the path.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks

Attacks on Mix Networks

  • Several attacks to compromise anonymity of network.

    • Some attacks weaken anonymous schemes to be compromised by other attacks.

  • Different types of attacks based on certain properties.

  • Types of attacks are enumerated followed by selected examples.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks1

Attacks on Mix Networks

  • Passive vs. Active

    • Passive Attacks

      • The adversary does not interfere with communication.

      • Merely observes the network and performs analysis.

    • Active Attacks

      • Adversary modifies, removes or introduces messages in the network.

      • Can be detected in some cases.

  • Internal vs. External

    • Internal Attacks

      • Attacks where the operations performed inside a mix node are known.

      • Node either compromised or colludes with other nodes.

    • External Attacks

      • Operations performed by mix node are not revealed.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks2

Attacks on Mix Networks

  • Partial vs. Global

    • Partial Attacks

      • The adversary has access to only limited potion of the network.

      • Successful attack may however break anonymity of network nodes outside this area.

    • Global Attacks

      • Adversary is able to view and launch attack over the entire network.

  • Static vs. Adaptive

    • Static Attacks

      • The computational power and resources available to adversary are fixed.

    • Adaptive Attacks

      • Resources available to adversary increases as attacks progresses successfully.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks3

Attacks on Mix Networks

Traffic Analysis Attack

  • Passive attack, involves observation of messages and related data.

  • Correlation analysis on data to reveal peer relationships.

  • Various attack models for traffic analysis.

  • Special Attack model involving only end point observation [4] – Fundamental limits on Mix Technique.

  • Synchronous framework where attacker only observes links connected to end users.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks4

Attacks on Mix Networks

Traffic Analysis Attack

  • The attacker forms sender and receiver multisets for each round

    • Multiset is a generalization of a Set which can contain the same element multiple times.

    • Example: {S1,S2,S3}  <R1,R1,R4>

  • Attacker obtains a set of receiver multisets for each sender subset.

  • Two cases considered:

    • Closed Sender: all senders participate in all communication rounds

    • Open Sender: less than the total number of senders participate

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks5

Attacks on Mix Networks

Traffic Analysis Attack

  • Peer relationships can be depicted as a bipartite graph.

  • The bipartite graph in turn can be characterized by a matrix.

    • Column headings are senders and row headings are receiver subsets.

    • Sum of weights of any column is 1.

  • Calculations performed based on multiset observationsto obtain each weight in the matrix.

Bipartite graphs: Individual and combined peer relationships.

CSE 548 - Advanced Computer/Network Security


Attacks on mix networks6

Attacks on Mix Networks

Blending Attack

  • Attacker identifies a target message in the network and next mix node on its path.

  • Holds all messages from entering this node.

  • Attacker induces fake packets into this node.

  • All fake packets have a common next hop.

  • Now, the target message is mixed.

  • Only target message is forwarded to a different next hop.

CSE 548 - Advanced Computer/Network Security


Traffic re distribution

Traffic Re-distribution

  • Change traffic patterns in terms of number and size of messages.

  • Split messages to increase and merge to decrease number of messages.

  • Message size manipulation depends on padding policy.

  • For split mix, messages padded to conform to actual message size.

  • For merge mix, variable padding is applied (message size is multiple of a basic block size).

CSE 548 - Advanced Computer/Network Security


Split mix

Split Mix

  • Messages sent are split in the mix network.

  • Split messages follow different paths to the receiver.

  • Sender determines number of splits and splitting position in the network.

  • Sender prepares messages to be split in the network.

  • Only sender and splitting node knows details of splitting.

  • Originally proposed as Garlic Routing [5] to achieve better throughput and resilience.

CSE 548 - Advanced Computer/Network Security


Split mix1

Split Mix

  • Sender prepares message by using different keys for encryption.

  • Splitting node decrypts and forwards split messages to different nodes.

Example of Split Mix and associated Garlic Message format.

CSE 548 - Advanced Computer/Network Security


Split mix2

Split Mix

  • Split mix can be used to defeat traffic analysis attacks.

  • Split mix can confuse the attacker from obtaining correct multisets.

  • Attacker will observe several potentially correct multisets.

  • When using these multiple multisets in closed and open sender calculations, errors and/or multiple solutions are obtained.

CSE 548 - Advanced Computer/Network Security


Split mix3

Split Mix

  • Split Mix does not work when each receiver gets a message from only one sender.

  • As shown in the figure, even if messages are split, the multiset can be correctly obtained as <r1,r2,r3>.

CSE 548 - Advanced Computer/Network Security


Split mix4

Split Mix

  • However, when receivers get messages from multiple senders, split mix (with padding) obscures the correct multiset.

  • As shown in the figure, possible multisets are <r1,r1,r3> and <r1,r3,r3>.

CSE 548 - Advanced Computer/Network Security


Split mix5

Split Mix

  • When forming a multiset, it is obvious that each distinct receiver must appear at least once.

  • Remaining slots in the multiset equals difference between number of senders and receivers.

  • Assume a given no. of receivers (ndr) and remaining slots (slotsrem).

  • Maximum no. of multisets (Maxrm) will be obtained when number of splits for each message is greater than remaining slots.

CSE 548 - Advanced Computer/Network Security


Merge mix

Merge Mix

  • Merge mixing is also based on traffic re-distribution.

  • Combines messages in the mix network.

  • Merging is per-hop instead of end-to-end (like in split mix)

  • Merging cannot be end-to-end because:

    • Senders do not share path info

    • Merging node cannot know destination of packets

  • Merging messages is a decision made by mix node and not sender.

CSE 548 - Advanced Computer/Network Security


Merge mix1

Merge Mix

  • Links in an onion routing are TLS encrypted (using pair-wise keys).

  • To merge, mix node encrypts messages with same next hop with pair-wise shared key.

  • Figure shows examples of merge mix.

  • End to end merging can be obtained only two paths share a suffix.

CSE 548 - Advanced Computer/Network Security


Merge mix2

Merge Mix

  • Merge mix uses variable padding as shown in figure.

  • Merge mix obtains higher overall unlinkability at a mix node.

    • (ni-1)/2 times better (max), where ni is no. of input messages.

    • max is the scenario where no. of output = ni-1

  • It reaches a slightly lower level of per message unlinkability (for max).

    • 0.99 for ni > 20, where 1 is perfect unlinkability.

CSE 548 - Advanced Computer/Network Security


Using split and merge mixes in the same network

Using Split and Merge Mixes in the Same Network

  • Split and Merge mixes could be used together to mitigate blending attacks.

  • When the target message results in 2 messages at the output.

  • The increase may be due to splitting or due to separation of previously merged message.

  • Either way, attacker needs to track additional path.

CSE 548 - Advanced Computer/Network Security


Using split and merge mixes in the same network1

Using Split and Merge Mixes in the Same Network

  • Split and merge mixes used concurrently could have varied results in traffic analysis.

    • Figure (a) shows a beneficial scenario where the multiset is wrongly observed as <r1,r1,r2,r3>.

    • Figure (b) shows a detrimental scenario where the split and mix cancel each other out.

CSE 548 - Advanced Computer/Network Security


C mix

C-Mix

  • A technique to improve the computational efficiency of anonymous routing.

  • Based on properties of polynomial interpolation.

  • The message is reconstructed in a distributed manner (similar to network coding).

  • However, objective is to improve computational efficiency rather than communication efficiency.

CSE 548 - Advanced Computer/Network Security


C mix1

C-Mix

  • Polynomial Interpolation-Based Secret Sharing proposed by Shamir [6].

  • A dealer picks a polynomial equation of degree k-1 of the following form:

  • The secret S to be shared is a0 which is the y intercept of the curve.

  • Now the dealer derives n points from the curve.

CSE 548 - Advanced Computer/Network Security


C mix2

C-Mix

  • ‘k’ co-ordinates are needed to obtain the polynomial equation of degree ‘k-1’.

  • If a(x) = y, then ‘k’ points (x1, y1)…(xk, yk) can reconstruct polynomial by Lagrange Interpolation Formula.

  • All computation can be performed over a field Zp.

Polynomial equation of degree 4 and a0 = 2.

CSE 548 - Advanced Computer/Network Security


C mix3

C-Mix

  • A basic C-Mix scheme is described first to explain the working principles.

  • Then the basic C-Mix scheme is refined to be more anonymous and secure.

    Basic C-Mix:

  • For the circuit initiation phase, sender chooses a number K over the field Zp.

  • Sender constructs a polynomial with:

    • Degree = len (len is the no. of mix nodes in route).

    • a0 is K.

    • Values a1…alen are randomly chosen.

CSE 548 - Advanced Computer/Network Security


C mix4

C-Mix

  • Sender also chooses ‘len+1’ points on the curve needed.

  • Sender calculates

    for values 1≤ j ≤ len+1.

  • In the initial circuit setup phase the sender prepares headers in the form of an onion message.

  • Each layer of the header will have a (bj, yj) pair in addition to other details.

CSE 548 - Advanced Computer/Network Security


C mix5

C-Mix

  • Sender calculates b1.y1 and transmits the onion to the next hop.

  • This will continue till the receiver calculates blen+1.ylen+1.

  • a0 doesn’t mean anything in this circuit initiation phase.

  • But it can be seen that the receiver can reconstruct the secret a0.

    • This is possible if each node calculates bkyk and forwards it.

CSE 548 - Advanced Computer/Network Security


C mix6

C-Mix

  • For data transmission, the sender finds a curve of degree len+1 that shares len+1 points with the init curve and passes through the msg.

  • The only new point on the curve will be the point which the sender held in the circuit initiation.

  • In this way, the b values can be recalculated using the new x-coordinate and the receiver can reconstruct the message.

CSE 548 - Advanced Computer/Network Security


C mix7

C-Mix

Example of Basic C-Mix

  • Assume the path sd  M1  M2  dn, where sd is the sender and dn is the destination.

  • Let sender chosen polynomial for circuit initiation be

  • Let 3 points on the curve be {(1, 27),(2,40), (3, 59)}

  • Sender also calculates the values binit(1) = 3; binit(2) = -3; binit(dn) = 1.

  • Sender distributes the triplets {(1,27,3),(2,40,-3),(3,59, 1)} using onion routing.

CSE 548 - Advanced Computer/Network Security


C mix8

C-Mix

  • Now assume that the sender wishes to transmit 31 to the destination.

  • Sender chooses the following new curve which shares the 3 points from init and passes through (0,31).

  • Then new point (4,73) is found on the curve.

CSE 548 - Advanced Computer/Network Security


C mix9

C-Mix

  • The sender now calculates its new bsn(1) value as -1 and the payload as (-1)(73)= -73.

  • M1 receives this, updates its b1(1) value as 3((4/4-1)) = 4 and calculates new payload as -73+(4)(27)= 35.

  • This procedure continues as shown in figure and receiver derives the message as 31.

CSE 548 - Advanced Computer/Network Security


C mix10

C-Mix

  • The basic scheme has the following vulnerabilities

    • The sender picks a new point whose x-coordinate needs to be propagated to the nodes.

    • If the value is transmitted as plain text, the attacker can observe it and track paths.

    • If the same value is used every time, the sum added to the payload remains the same.

  • So it is necessary to ensure that nodes update their b values without being tracked.

CSE 548 - Advanced Computer/Network Security


C mix11

C-Mix

Globally determined x values

  • All nodes in the path keep track of the no. of messages sent through each VCI.

  • The sender uses this value and a global function to identify the new x-coordinate.

  • The path nodes can also determine this new value and update their b values.

  • An attacker cannot detect a circuit because all paths use the message count and the global function.

  • A maximum number of messages are allowed through a Virtual Circuit.

  • If the limit is reached, a new path is to be determined.

CSE 548 - Advanced Computer/Network Security


C mix12

C-Mix

Multiple points for each node

  • Consider a case where the attacker has observed the incoming and outgoing payloads at a node.

  • In the basic scheme, the attacker would be able to identify the nodes binit value (and calculate b values for forthcoming transmissions).

  • To mitigate this, each node receives multiple point triplets.

  • In this case, the degree of the curve used will be greater than the number of nodes.

  • The attacker on observing the incoming and outgoing packets can no longer obtain the secrets (because the number of points is hidden).

CSE 548 - Advanced Computer/Network Security


C mix13

C-Mix

Security Properties

  • The secrecy of the transmitted message is based on the properties of polynomial interpolation.

  • As the receiver also holds certain points on the curve, C-Mix is secure against these attacks:

    • Colluding attack where all path nodes share information.

    • Blending attack from sender to receiver.

    • Traffic analysis attack after the number of points at each node are revealed.

CSE 548 - Advanced Computer/Network Security


C mix14

C-Mix

Anonymity Properties

  • In case of a colluding attack

    • Path anonymity is maintained with at least one uncompromised node.

    • In a collusion by comparing global values, same anonymity as onion routing.

  • When a blending attack is carried out

    • The attacker needs to know the number of points at a node to identify the points.

    • Identifying the points in turn only lead to path information which is previously known.

  • Traffic Analysis Attack

    • Defeats simple schemes but is susceptible to long term traffic analysis like Hitting Set Attack.

    • Same level of anonymity as onion routing.

CSE 548 - Advanced Computer/Network Security


Performance evaluation

Performance Evaluation

Benchmark for Evaluation

  • The computation overhead introduced by split mix and efficiency of using C-Mix is evaluated.

  • Encryption/Decryption times for AES 256 observed using C++ cryptographic functions.

  • Time for multiplication and addition over a finite field Zp calculated using Maple 9.

CSE 548 - Advanced Computer/Network Security


Performance evaluation1

Performance Evaluation

  • Split Mix when used with padding introduces additional overhead into the network.

  • This is due to the additional data that needs to be decrypted in the network.

  • The various scenarios used for the computational overhead comparison is shown in the table.

  • Note that the case No Pad is the same as the time taken for onion routing.

CSE 548 - Advanced Computer/Network Security


Performance evaluation2

Performance Evaluation

  • The computation time taken by C-Mix is compared to onion routing for data transmission.

  • Different cases with different number of points in the network is considered.

  • First case assumes the message sizes to be same as the finite field size.

  • C-Mix is faster for up to 40 points when message size <4096 bits.

CSE 548 - Advanced Computer/Network Security


Performance evaluation3

Performance Evaluation

  • Comparison for a fixed 1024 bit field size with AES 256 and varying field sizes.

  • The number of points is fixed at 30.

  • When 1024 bit field is used, C-Mix is faster compared to AES 256 for all message sizes.

CSE 548 - Advanced Computer/Network Security


Conclusion

Conclusion

  • Split and Merge mixes are designed to defeat passive and active attacks.

    • It is necessary to reduce the overhead introduced by these techniques by decreasing padding.

    • Decrease in padding should not affect the anonymity.

    • Identify scenarios where split and merge cancel each other.

  • C-Mix is a computationally efficient anonymous scheme.

    • Deploying C-Mix in wireless environment has challenges.

    • A scheme to update b values without using global functions.

  • Implement and extensively test all schemes in Planet Lab [7].

    • A consortium that hosts a distributed network test-bed.

    • ASU has acquired membership with one working node.

CSE 548 - Advanced Computer/Network Security


References

References

  • A. Pfitzmann and M. Kohntopp. Anonymity, Unobservability, and Pseudonymity-A Proposal for Terminology. DIAU00, Lecture Notes in Computer Science, pages 1-9, 2000.

  • D.L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84-88, 1981.

  • C. Diaz and B. Preneel. Taxonomy of mixes and dummy traffic. Accepted submission at I-NetSec04: 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems. Kluwer academic publishers, August, 2004.

  • D. Kesdogan, D. Agrawal, V. Pham, and D. Rautenbach. Fundamental Limits on the Anonymity Provided by the MIX Technique. Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06)-Volume 00, pages 86-99, 2006.

  • I2P Design Documents: Garlic Routing - http://www.i2p.net/how_garlicrouting.

  • A. Shamir. How to Share a Secret. Communications, 1979.

  • Planet Lab Consortium - http://www.planet-lab.org.

  • V. Kandiah, D. Huang, Split and merge mix, Technical report, 2006.

  • V. Kandiah, D. Huang, C-Mix: Network Coding Based Anonymous Routing Scheme, Technical report, 2007.

CSE 548 - Advanced Computer/Network Security


  • Login