1 / 19

Towards an Analysis of Onion Routing Security

Towards an Analysis of Onion Routing Security. Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006. Goals of the Paper. Overview of onion routing Explanation of security goals Description of network model & assumptions Discussion of adversary types

maurice
Download Presentation

Towards an Analysis of Onion Routing Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006

  2. Goals of the Paper • Overview of onion routing • Explanation of security goals • Description of network model & assumptions • Discussion of adversary types • Security analysis • Comparison with Crowds

  3. Onion Routing • Onion router ≈ real time Chaum mix • Store and forward with minimal delays • Onion routing connection phases • Setup • Transmission • Teardown

  4. Setup Phase • Connection initiator builds an onion • Layered cryptographic structure, specifying: • Path through network • Point-to-point symmetric encryption algorithms • Cryptographic keys • Structure not rigorously specified in paper • At each step • Router decrypts entire structure • Sets up encrypted channels to predecessor and successor nodes • Forwards new onion on to successor

  5. Transmission Phase • When connection initiator wants to send data • Break data into uniform (128 bit) blocks • Encrypt each block once for each router in the path • Note: Use symmetric encryption here • Send data to first onion router • All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!

  6. Security Goals • The goal is to hide • Sender activity • Receiver activity • Sender content • Receiver content • Source-destination pairs

  7. Network Assumptions • Onion routers are all fully connected • Links are padded or bandwidth-limited to a constant rate • Unrestricted exit policies • For each route, each hop is chosen at random • Number of nodes in a route is chosen at random

  8. 4 Types of adversaries Observer Disrupter Hostile user Compromised COR Adversary distributions Single Multiple Roving Global Know Your Enemy… Note: Authors claim that a group of roving compromised CORs is most powerful (and realistic) adversary model. Is this true?

  9. Security Analysis

  10. Analysis Parameters • r : number of CORs in the system • S : set of CORs in the system • n : route length • R = {R1, R2, …, Rn} : A specific route • c : maximum number of compromised CORs • C : set of compromised CORS

  11. Important Cases • Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider. • R1 C • Probability = c/r • Rn C • Probability = c/r • R1 and Rn C • Probability = c2/r2 • Each case has it’s own important properties

  12. Properties of Attacks

  13. The Attacker’s Game • Probability that at least one COR on the route is compromised a startup • 1 - Pr(R  C = ) = 1 - (r-c)n/rn • Adversary determines • Rs where s = min(j  [1 … n] and Rj R  C) • Re where e = max(j  [1 … n] and Rj R  C) • Attacker can easily test to see if Rs = Re, Rs = R1, or Re = Rn

  14. The Attacker’s Game (cont.) • At each time step • Move one step closer to R1 (e.g., Rs = Rs-1) • Move one step closer to Rn (e.g., Re = Re+1) • Compromise c-2 routers to try to find another link in the route • Unless one endpoint is found, then can compromise c-1 routers • Worst case: max(s, n-e) rounds to reach both endpoints • Don’t offer analytic solution to expected number of rounds to compromise both endpoints

  15. Example (n=6, r=10, c=2) Attacker Wins!

  16. Thoughts on the “Game” • What is a round? An attacker unit of time? A defender unit of time? • How long is a round? What does this analysis tell us without knowing that? • If compromising routers is as easy as jus doing it, what security at all does onion routing offer us? • Can we derive meaningful requirements from this analysis?

  17. Discussion Questions • What are the dangers of assumption 2 (constant bandwidth)? • Is the freedom to choose one’s routes through the network a double-edged sword?

  18. Discussion Questions (cont.) • Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same? • The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?

  19. Discussion Questions (cont.) • Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.

More Related