
Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

A Probabilistic Analysis of Onion Routing in a Black-box Model. 10/29/2007, Workshop on Privacy in the Electronic Society. Aaron Johnson (Yale) with Joan Feigenbaum (Yale), Paul Syverson (NRL).


Presentation Transcript


  1. A Probabilistic Analysis of Onion Routing in a Black-box Model. 10/29/2007, Workshop on Privacy in the Electronic Society. Aaron Johnson (Yale) with Joan Feigenbaum (Yale), Paul Syverson (NRL)

  2. Contributions

  3. Contributions • Use a black-box abstraction to create a probabilistic model of onion routing

  4. Contributions • Use a black-box abstraction to create a probabilistic model of onion routing • Analyze unlinkability • Provide worst-case bounds • Examine a typical case

  5. Related Work • A Model of Onion Routing with Provable Anonymity, J. Feigenbaum, A. Johnson, and P. Syverson, FC 2007 • Towards an Analysis of Onion Routing Security, P. Syverson, G. Tsudik, M. Reed, and C. Landwehr, PET 2000 • An Analysis of the Degradation of Anonymous Protocols, M. Wright, M. Adler, B. Levine, and C. Shields, NDSS 2002

  6. Anonymous Communication • Sender anonymity: Adversary can’t determine the sender of a given message • Receiver anonymity: Adversary can’t determine the receiver of a given message • Unlinkability: Adversary can’t determine who talks to whom

  7. Anonymous Communication • Sender anonymity: Adversary can’t determine the sender of a given message • Receiver anonymity: Adversary can’t determine the receiver of a given message • Unlinkability: Adversary can’t determine who talks to whom

  8. How Onion Routing Works [Diagram: user u running client, Internet destination d, routers 1 to 5 running servers]

  9. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers

  10. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers

  11. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers

  12. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d

  13. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {{{m}3}4}1] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  14. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {{m}3}4] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  15. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {m}3] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  16. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: m] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  17. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: m’] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  18. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {m’}3] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  19. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {{m’}3}4] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  20. How Onion Routing Works [Diagram: u, d, routers 1 to 5; message in transit: {{{m’}3}4}1] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged

  21. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed.

  22. How Onion Routing Works [Diagram: u, d, routers 1 to 5] • u creates 3-hop circuit through routers • u opens a stream in the circuit to d • Data is exchanged. • Stream is closed. • Circuit is changed every few minutes.

  23. Adversary [Diagram: u, d, routers 1 to 5] Active & Local

  24. Anonymity [Diagram: users u, v, w; routers 1 to 5; destinations d, e, f]

  25. Anonymity [Diagram: users u, v, w; routers 1 to 5; destinations d, e, f] • First router compromised

  26. Anonymity [Diagram: users u, v, w; routers 1 to 5; destinations d, e, f] • First router compromised • Last router compromised

  27. Anonymity [Diagram: users u, v, w; routers 1 to 5; destinations d, e, f] • First router compromised • Last router compromised • First and last compromised

  28. Anonymity [Diagram: users u, v, w; routers 1 to 5; destinations d, e, f] • First router compromised • Last router compromised • First and last compromised • Neither first nor last compromised

  29. Black-box Abstraction [Diagram: black box between users u, v, w and destinations d, e, f]

  30. Black-box Abstraction [Diagram: black box between users u, v, w and destinations d, e, f] • Users choose a destination

  31. Black-box Abstraction [Diagram: black box between users u, v, w and destinations d, e, f] • Users choose a destination • Some inputs are observed

  32. Black-box Abstraction [Diagram: black box between users u, v, w and destinations d, e, f] • Users choose a destination • Some inputs are observed • Some outputs are observed

  33. Black-box Anonymity [Diagram: black box between users u, v, w and destinations d, e, f] • The adversary can link observed inputs and outputs of the same user.

  34. Black-box Anonymity [Diagram: black box between users u, v, w and destinations d, e, f] • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  35. Black-box Anonymity [Diagram: black box between users u, v, w and destinations d, e, f] • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  36. Black-box Anonymity [Diagram: black box between users u, v, w and destinations d, e, f] • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  37. Probabilistic Black-box [Diagram: black box between users u, v, w and destinations d, e, f]

  38. Probabilistic Black-box [Diagram: black box between users u, v, w and destinations d, e, f; label pu] • Each user v selects a destination from distribution pv

  39. Probabilistic Black-box [Diagram: black box between users u, v, w and destinations d, e, f; label pu] • Each user v selects a destination from distribution pv • Inputs and outputs are observed independently with probability b

  40. Probabilistic Anonymity [Diagram: several configurations of users u, v, w and destinations d, e, f] Indistinguishable configurations

  41. Probabilistic Anonymity [Diagram: several configurations of users u, v, w and destinations d, e, f] Indistinguishable configurations Conditional distribution: Pr[ud] = 1

  42. Black Box Model Let U be the set of users. Let  be the set of destinations. Configuration C • User destinations CD : U • Observed inputs CI : U{0,1} • Observed outputs CO : U{0,1} Let X be a random configuration such that: Pr[X=C] = u puCD(u) bCI(u) (1-b)1-CI(u) bCO(u) (1-b)1-CO(u)

  43. Probabilistic Anonymity The metric Y for the unlinkability of u and d in C is: Y(C) = Pr[XD(u)=d | XC]

  44. Probabilistic Anonymity The metric Y for the unlinkability of u and d in C is: Y(C) = Pr[XD(u)=d | XC] Note: There are several other candidates for a probabilistic anonymity metric, e.g. entropy

  45. Probabilistic Anonymity The metric Y for the unlinkability of u and d in C is: Y(C) = Pr[XD(u)=d | XC] • Exact Bayesian inference • Adversary after long-term intersection attack • Worst-case adversary

  46. Probabilistic Anonymity The metric Y for the unlinkability of u and d in C is: Y(C) = Pr[XD(u)=d | XC] • Exact Bayesian inference • Adversary after long-term intersection attack • Worst-case adversary Unlinkability given that u visits d: E[Y | XD(u)=d]

  47. Worst-case Anonymity

  48. Worst-case Anonymity Let pu1 pu2  pud-1  pud+1 …  pu Theorem 1: The maximum of E[Y | XD(u)=d] over (pv)vu occurs when 1. pv=1 for all vu OR 2. pvd=1 for all vu

  49. Worst-case Anonymity Let pu1 pu2  pud-1  pud+1 …  pu Theorem 1: The maximum of E[Y | XD(u)=d] over (pv)vu occurs when 1. pv=1 for all vu OR 2. pvd=1 for all vu Show max. occurs when ev=d for all vu, or whenev =  for all vu. Show max. occurs when, for all vu,pvev = 1 for some ev. Show max. occurs when, for all vu,ev = d orev = .

  50. Worst-case Estimates Let n be the number of users.
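
The black-box model of slide 42 and the metric Y of slides 43 to 46 can be evaluated by brute-force Bayesian inference on a small system. The Python below is an added example, not part of the presentation: the function names, the two-user sample and the `view` function are assumptions, the last being one formalisation of slides 33 and 34 (an observed input identifies its user, and an observed output is attributed to a user only when that user's input is also observed).

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

def configurations(users, dests):
    """All configurations C: one (C_D(u), C_I(u), C_O(u)) triple per user."""
    return product(product(dests, (0, 1), (0, 1)), repeat=len(users))

def prob(C, users, p, b):
    """Pr[X = C] as defined on slide 42."""
    pr = Fraction(1)
    for u, (dst, i, o) in zip(users, C):
        pr *= p[u][dst] * (b if i else 1 - b) * (b if o else 1 - b)
    return pr

def view(C):
    """Adversary's observation of C (assumed formalisation, see lead-in)."""
    # Observed input: the user is known; destination only if output seen too.
    per_user = tuple(("in", dst if o else None) if i else None
                     for dst, i, o in C)
    # Output seen without its input: a destination with no user attached.
    unlinked = tuple(sorted(dst for dst, i, o in C if o and not i))
    return per_user, unlinked

def y_table(users, dests, p, b, u, d):
    """Y = Pr[X_D(u) = d | view] for every view with non-zero probability."""
    k = users.index(u)
    total, hit = defaultdict(Fraction), defaultdict(Fraction)
    for C in configurations(users, dests):
        pr = prob(C, users, p, b)
        total[view(C)] += pr
        if C[k][0] == d:
            hit[view(C)] += pr
    return {v: hit[v] / t for v, t in total.items() if t}

def expected_y(users, dests, p, b, u, d):
    """E[Y | X_D(u) = d]: Y averaged over configurations where u visits d."""
    k, table = users.index(u), y_table(users, dests, p, b, u, d)
    acc = Fraction(0)
    for C in configurations(users, dests):
        pr = prob(C, users, p, b)
        if pr and C[k][0] == d:
            acc += pr * table[view(C)]
    return acc / p[u][d]

# Constructed sample: two users, two destinations, uniform choices, b = 1/2.
USERS, DESTS, B = ["u", "v"], ["d", "e"], Fraction(1, 2)
P = {w: {x: Fraction(1, 2) for x in DESTS} for w in USERS}
# u's output to d is seen but u's input is not; nothing of v is seen.
SAMPLE_C = (("d", 0, 1), ("e", 0, 0))
```

For `SAMPLE_C` the adversary sees one unattributed output to d, so Y rises from the prior 1/2 to 3/4. Enumeration grows as (4·|destinations|)^n and is only practical for toy sizes.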
