Message Splitting Against the Partial Adversary

Andrei Serjantov

The Free Haven Project (UK)

Steven J Murdoch

University of Cambridge Computer Laboratory


Outline

  • Mix Systems. Criticisms.

    • too strong threat model(!)

    • intersection attack when >1 msg (too much data) sent

  • Weaker threat model

  • Sending each message via random route

    • “non connection-based system”

  • Empirical observations about Mixmaster, Mixminion

  • Characteristic delay function [Dan04] is difficult to estimate


Mix Systems

  • Well known to this audience

  • Implemented

    • Mixmaster

    • Mixminion

  • Threat Model

    • Global Passive Adversary (GPA)

    • GPA with some (all but one?) compromised mixes


Criticisms

  • GPA does not exist

    • (a matter of some debate)

  • The mix system (Chaum 81) allows one fixed-sized message to be sent anonymously

    • Great for votes

    • Ok for email

    • Bad for Web Browsing

    • Awful for Bit Torrent

  • If >1 message (more than 32K data), anonymity is degraded


Intersection Attack

[Figure: nodes A to F connected through Mix 1 to Mix 4, carrying messages labelled 1 and 2; labels: Senders, Receivers, Attacker, Traffic]


Intersection Attack

  • [BPS00] On the Disadvantages of Free Mix Routes (PET2001)

  • [WALS02] An Analysis of the Degradation of Anonymous Protocols (NDSS’02)

  • [KAP02] Limits of Anonymity in Open Environments (IH2002)

  • [Dan03] Statistical Disclosure (I-NetSec03)

    • [DS04] (IH2004)

  • [Dan04] The traffic analysis of continuous-time mixes (PET2004)

    etc


    The Common Wisdom

    • Intersection attacks are:

      • Realistic

      • Powerful (reduce anonymity quickly)

      • Hard to protect against

        • Require lots of dummy traffic


    A Weaker Model

    Attacker observes:

      • not all inputs

      • not all outputs

    Not interesting

    [Figure: nodes A to F connected through Mix 1 to Mix 4, carrying messages labelled 1 and 2]


    A Better Threat Model

    • A Partial Adversary

      • Does not observe all Sender to Mix links

      • (alternatively not all mixes which senders can send to)

      • Ignore compromised mixes


    Observed Mix

    Attacker sends all his messages via one single route through the mix system

    [Figure: nodes A, B, D, E and Mix 1 to Mix 4, carrying messages labelled 1 and 2]


    Splitting Data

    Sender B splits his stream of data and sends each message via a randomly chosen route

    The problem: how do you choose the first mix?

    [Figure: nodes A, B, C, E, F and Mix 1 to Mix 4, carrying messages labelled 1 and 2]


    The Details

    • Problem:

      • mixes to send to

        • compromised, the rest not (but no idea which ones)

      • P packets

      • What are the s.t. a random subset (attacker)

        of size gives least information about

      • Note that (dummy traffic)

      • No proof or optimal solution in this paper!

        • See one possible solution next


    One possible scheme

    • Pick (uniformly) at random a sequence of mixes

    • Pick from a geometric distribution with mean . Set

    • Pick from a geometric distribution with mean . Set

    • etc

    • Another in the paper (with some analysis)
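
An added sketch of the splitting step and of what a partial adversary then sees (example code, not from the slides or the paper). The symbols for the geometric means are missing from this transcript, so `mean`, the cap at the remaining packets, reusing the mix sequence once it is exhausted, and all function names and default values are assumptions.

```python
import random

def geometric(mean, rng):
    """Geometric draw on {1, 2, ...}; success probability 1/mean (mean >= 1)."""
    n = 1
    while rng.random() >= 1.0 / mean:
        n += 1
    return n

def split_packets(num_packets, mixes, mean, rng):
    """Spread num_packets over a uniformly random sequence of first mixes.

    Assumption: each draw is capped at the packets still unassigned, and the
    sequence is reused if it runs out before all packets are placed.
    """
    order = list(mixes)
    rng.shuffle(order)
    alloc = {m: 0 for m in order}
    remaining, i = num_packets, 0
    while remaining > 0:
        take = min(geometric(mean, rng), remaining)
        alloc[order[i % len(order)]] += take
        remaining -= take
        i += 1
    return alloc

def observed(alloc, watched):
    """Packets seen by a partial adversary watching only the `watched` mixes."""
    return sum(n for m, n in alloc.items() if m in watched)

def simulate(num_packets=100, num_mixes=10, num_watched=3, mean=5.0,
             trials=1000, seed=1):
    """Per-trial observed counts, split vs single route (constructed defaults)."""
    rng = random.Random(seed)
    mixes = list(range(num_mixes))
    split_obs, single_obs = [], []
    for _ in range(trials):
        watched = set(rng.sample(mixes, num_watched))
        alloc = split_packets(num_packets, mixes, mean, rng)
        split_obs.append(observed(alloc, watched))
        # Single route: every packet enters through one first mix, so the
        # adversary sees either nothing or the exact total.
        single = {rng.choice(mixes): num_packets}
        single_obs.append(observed(single, watched))
    return split_obs, single_obs

if __name__ == "__main__":
    split_obs, single_obs = simulate()
    print("split, distinct observed counts:", len(set(split_obs)))
    print("single route, observed counts:", sorted(set(single_obs)))
```

With a single route the observer's count is all-or-nothing; with splitting it is a partial count that varies from trial to trial.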


    Part II

    • (Looking at a particular intersection attack and finding it not as easy as it looks at first glance)


    Another Intersection Attack

    • Danezis 2004 (thanks for the diagrams)

    • The Idea:


    The Details


    The Characteristic Delay Function

    • What is this for

      • Mixes

      • Mixmaster

      • Mixminion

      • Tor

    • This may be unfair – Danezis intended his attack for low-latency systems (Tor)

    • Nevertheless interesting


    The Characteristic Delay Function

    • Theory:

      • What is the delay of a mix (cascade/network)

      • Can say not very much about it (as usual)

        • Details in the paper

    • Practice:

      • Steven wrote a disciplined pinger

        • Does not ping too often, hope not to affect the results by sampling


    Results


    Results


    Comparing

    • Nothing surprising

      • Mixmaster has longer delay

      • Heavy tails


    Conclusions I

    • It is well known that the intersection attack is powerful

      • No reason to abandon investigation!

    • New interesting, mathematically well defined threat model

    • Splitting traffic amongst first nodes

      • Does not have the efficiency of Tor or other connection-based systems

      • Does gain anonymity advantage (but only by means of a weaker threat model)


    Conclusions II

    • Characteristic function of Mixmaster, Mixminion difficult to work out in theory or estimate empirically

    • Data at:

    • All references at “Anonymity Bibliography”

      Thank you


    The Anonymity Advantage

    [Figure: Alice and The Network (Mixmaster), with numeric annotations; label: Total observed packets]


    Splitting Data

    Attacker splits his stream of data and sends each message via a randomly chosen route

    The problem: how do you choose the first mix?

