slicing the onion anonymous routing without pki l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Slicing the Onion: Anonymous Routing without PKI PowerPoint Presentation
Download Presentation
Slicing the Onion: Anonymous Routing without PKI

Loading in 2 Seconds...

play fullscreen
1 / 10

Slicing the Onion: Anonymous Routing without PKI - PowerPoint PPT Presentation


  • 539 Views
  • Uploaded on

CS 259 Slicing the Onion: Anonymous Routing without PKI http://nms.lcs.mit.edu/~sachin/slicing.html Saurabh Shrivastava Bob Na Nb Nd Nc Alice What is Onion Routing - packets are encrypted in layers - each node decrypts the packet using its key, figures out the next hop

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Slicing the Onion: Anonymous Routing without PKI' - albert


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slicing the onion anonymous routing without pki

CS 259

Slicing the Onion: Anonymous Routing without PKI

http://nms.lcs.mit.edu/~sachin/slicing.html

Saurabh Shrivastava

what is onion routing

Bob

Na

Nb

Nd

Nc

Alice

What is Onion Routing

- packets are encrypted in layers

- each node decrypts the packet using its key, figures out the next hop

- usually public/private key pairs used, but here symmetric keys will be used

- how to distribute the keys to nodes? use information slicing: split the key into lots of pieces, send them on disjoint paths to the respective target nodes

key distribution

Ic1Ic2Ia2Id1

Ia1Ia2Ic2IB2Ia1Id1

Id1Id2

Ne

Alice

Ie1

Nc

IB2Ia1

Id2

Na

Nd

IB1Id2

Ia1

Bob

Nb

Ib1Ib2Ic1IB1Ia2Id2

IB1IB2Ia1Id2

Ia1Ia2

Key Distribution
  • Bob reassembles message it received from Ne and Nb to yield IB1, IB2 meant for him and also Ia1 to be sent to Na, Id2 to be sent to Nd.
  • here there are 3 stages (L), split factor is 2 (d)
anonymity
Anonymity
  • Degree of Anonymity
    • Measured as entropy of the system
  • Unlinkability
    • … of different actions by a single user
  • Source/Destination anonymity
    • Source is hidden from all nodes including destination, (same argument for destination)
  • We will focus on Source anonymity
observations

Ic1Ic2Ia2Id1

Ia1Ia2Ic2IB2Ia1Id1

Id1Id2

Alice

Ie1

Ne

IB2Ia1

Id2

Nc

IB1Id2

Ia1

Bob

Na

Nd

Ib1Ib2Ic1IB1Ia2Id2

IB1IB2Ia1Id2

Ia1Ia2

Nb

Observations
  • If the adversary is in control of a stage, it can get all information about keys and nodes in subsequent stages
  • If the adversary doesn’t control all the nodes in a stage, it is as good as controlling only 1 node in that stage.
  • Adversary cannot correlate information if its nodes are not in consecutive stages
  • Best case scenario is when
    • 1st stage is compromised or else
    • the adversary has only 1 node in consecutive stages
adversary model

Nc

Ng

Nd

Ne

Alice

Ie1

Bob

Nf

Na

Nb

Adversary Model
  • Adversary controls a fraction of nodes in the graph
  • It is able to figure out if it has nodes in consecutive stages and if it has multiple nodes in some stage
  • It knows about the parameters L (number of stages) and d (splitting factor)
  • It tries to find the single largest chain of its nodes and tries to guess that the node prior to its chain head is the source (its guess will be good only if its chain head lies in the first stage)
analysis
Analysis
  • Given L, d, f, figure out all possible arrangements of adversary nodes in the graph (hard). More later.
  • For each arrangement figure out what is the longest chain of adversary nodes possible (easy)
  • Given the length of the chain, find out the likelihood of correct guess of the source (easy) e.g. if L is 10, chain length is 7, chances are 0.25 that the head is in stage 1
  • The authors did it differently: they assumed a network of N=100,000 nodes, of which fraction f were malicious, chose L*d nodes from N (some of which were malicious) and ran simulations to find chain lengths.
anonymity dependent on l
Anonymity: dependent on L
  • If L increases, the adversary nodes are spread out and it is more difficult to form unbroken chains with nodes in consecutive stages.
  • Broken chains render adversary nodes useless because it cannot correlate nodes if not part of the same chain
anonymity dependent on d
Anonymity: dependent on d
  • When f is low, increasing d creates more chances for the adversary to have nodes in consecutive stage
  • When f is high, there is high likelihood that adversary controls an entire stage, so increasing d will break this scenario
analysis 2
Analysis 2
  • Didn’t use Murphi, or any tool, used C++ programs to achieve the “hard” part (Given L, d, f, figure out all possible arrangements of adversary nodes in the graph)
  • given L (6) , d (4), f (.25), m (6) = L * d * f;
  • find all partitions of m such that none of the terms is > d
  • find out how many 1-chain, 2-chain, 3-chain .. m-chains can be made

$ ./arrangements 6 4 ../partitions/p6 m6d4

2 = 28 => given 2 stages with d=4, how many ways can we choose places for 6 adversary nodes (partitions used [2,4] [3,3] [4,2])

  • for all possible permutations of m adversary nodes in L*d nodes find out frequency of 1 chain, 2 chain 3 chain ... m-chain

$ ./chains 6 4 .25 L6d4f25

0xb 3 2 604800.000000 => 3 stages in which adversary nodes present (0 0 1 0 1 1) but the effective chain length is only 2. 604800 = all possible combinations of 6 adversary nodes when present in 3 stages with d=4.