Reliable MIX Cascade Networks through Reputation

1
Reliable MIX Cascade Networks through Reputation

• By
• Roger Dingledine and Paul Syverson
• Presented by
• Viswanath Vankadaru
• Shiva Krishna Neeli

2
Overview

• What is anonymity?
• Previous mechanisms
• How to build a Mix Cascade?
• Reputation system
• The cascade protocol
• Attacks we can defend
• Conclusions and Future work

3
What is Anonymity?

• Anonymity is the state of being non identifiable
  within a set of subjects, the anonymity set
• Classification
• Sender anonymity
• Recipient anonymity
• Relationship anonymity

4
Anonymity (contd)

• Pseudonymity is the use of pseudonyms as IDs
• Less secure
• Classification
• Sender pseudonym
• Receiver pseudonym
• Digital pseudonym

5
Applications of Anonymity

• Electronic voting
• Electronic payments
• Anonymous e-mail
• Anonymous publishing etc.,

6
How Anonymity is Achieved?

• A mix node is a processor that takes input a
  certain number of messages which it modifies and
  outputs in a random order
• Because of the unlinkability property of mixes,
  neither server nor any other party will know the
  identity of the sender

7
Types of Mix

• Timed mix
• Timed pool mix
• Timed dynamic pool mix
• Threshold mix
• Stop and go mix

8
Problems with Single Mix

• Message size
• Replay
• Manipulation of messages
• Blocking of messages

9
Mix Configurations

• Mix Network
• A network of freely usable Mixes
• Mix Cascade
• A single valid chain of Mixes

10
Threat Model

• Anonymity breaking adversary
• Identify the sender or receiver
• Reliability breaking adversary
• Deny service to users
• An adversary can
• Passively read all traffic
• Compromise some fraction of the Mixes
• (Insert, modify, delay or drop messages)

11
Mix Network

• A network of freely usable Mixes (user picks the
  path)
• Suffers from Intersection attacks
• Unreliable
• Ex Mix minion, Mix master

12
Problems with Mix Networks

• Assumptions
• One trust worthy Mix
• Constant route length
• Routing position of user messages is known

13
Intersection Attacks

• If the user chooses different routes for each
  message, different anonymity groups arise
• Attacker calculates the intersection of these
  anonymity groups

14
Another Problem with Mix Networks

• Unreliable structure
• Unreliability decreases anonymity
• Many dropped and repeated messages
• Attracts few users

15
Ways of Improving Mix-net Reliability

• Protocol based approach Mix-net delivers
  correctly if no more than half of its nodes are
  correct
• Reputation system

16
Mix Cascade

• A single valid chain of Mixes for a group of
  participants
• No intersection attacks
• Unreliable
• Ex Web Mix, Java Anon Proxy (JAP)

17
Example for Mix Cascade (JAP)
18
How to Randomly Self-build Cascades

• Cascades re-arrange periodically
• By T-a-b commitments are sent to the CS
• N sign (N,N, IP, port, bandwidthpledge, tsbc
  (rand))
• At T-a-b commitments are published
• At T-b commitments are revealed
• N sign (N,N, IP, port, bandwidthpledge,
  (rand))
• At T reveals are published along with
  configuration of cascades

19
Communal Randomness

• Cascades are built using an un predictable value
  communally generated by nodes
• Obtained by combining random values of Mixes
• All nodes commit, then all reveal
• TSBC( rand)enc( k, rand), w (k)
• But nodes can influence communal value by not
  revealing
• Solution is temporarily secret commitment
• The outcome is secret in a way that is breakable
  after a predictable amount of computation Ex
  Lottery

20
Reputation System

• For all nodes in the cascade
• if (failed) node.reputation --
• if( successful) node.reputation
• Creeping Death Attack
• Adversary strategy Fail cascade if more damage
  to good nodes than bad nodes
• Adversary can get to any point in reputation
  spectrum
• Attack can be minimized by choosing cascade nodes
  randomly, but still of highest possible
  reputation.

21
Reputation System (contd)

• Adversary with many nodes can still succeed
• Limit the number of nodes adversary can get
  certified using web of trust like Advagato
• Advagatos trust metric
• Number of bad nodes certified is based on number
  of confused nodes (good nodes that might certify
  bad nodes)

22
Advagatos Trust metric

• Number of bad nodes is limited by number of
  confused nodes

23
Building Cascades

• Order nodes by reputation
• Choose first cascade randomly from large enough
  pool of high reputation nodes
• Replace chosen nodes to maintain pool size
• Continue the process till the last cascade for
  which an adequate pool size can be maintained

24
How do we decide the pool size?

• p Fraction of nodes that are bad, e.g. 20
• s Scare factor acceptable risk of bad path,
  e.g. 10-5
• l Length of a cascade, e.g. 4
• c Chain length, e.g. 3
• r Range size of pool

25
Cascade Protocol

• Opportunities for misbehavior
• Entry point Incoming messages rejected?
• Inside cascade Messages replaced with dummy
  messages?
• Exit point Messages not delivered?

26
Detecting Misbehavior (contd)

• Head Where cascade starts stripping layers of
  encryption
• Tail Last node to strip layers of encryption
• Each Mix can test its cascade by sending and
  receiving messages
• All nodes accept the traffic and deliver the
  message to the head
• Head publishes the snapshot of the batch (hashes
  of messages)

27
Detecting Misbehavior at Entry Point

• Sender can send message to any node. All nodes
  deliver to the head and give sender a receipt
• Head publishes batch snapshot
• Sender checks in the batch for his message
• If not found, he broadcasts the message with the
  receipt to other nodes in the cascade
• An honest cascade member then fails the cascade

28
Detecting Misbehavior Inside Cascade

• A dishonest head can publish a correct batch but
  replace its portion with dummy messages
• Sender might become suspicious and send a test
  message
• Sender also reveals the decryption to everyone
• An honest node will check and fail the cascade

29
Detecting Misbehavior at Exit Point

• Message recipients give tail (T) a receipt
• (or)
• If tail does not get a receipt, it can broadcast
  the message to the other members of the cascade
• Sender might become suspicious and contact a node
  (N) and complain about T, along with the
  decryption
• N already knows from broadcast
• (or)
• If receipt not found at T, N fails the cascade

30
Attacks we Can Defend

• Attacks on Anonymity
• Have enough nodes to own an entire cascade
• Gain high reputation to read more traffic
• Replay attack, message delaying
• Trickle attack
• Intersection attack
• Influence cascade configuration externally
• Compromise the cascade configuration externally
• Knock down uncompromised cascades to get more
  traffic

31
Attacks we Can Defend (contd)

• Attacks on Capacity and Reliability
• Flood nodes with messages
• Knockdown many cascades
• Block commitments to the Configuration Server
• Flood the CS with commits
• Refuse commitments at the configuration server
• Refuse incoming messages as a cascade member
• Selectively process only test messages

32
Attacks we Can Defend (contd)

• Attacks on Reputations
• Beat the web of trust
• Internal selective DoS
• External selective DoS

33
Conclusion

• Protocol for improving reliability of anonymous
  communication networks,
• based on a MIX cascade design and
• a simple reputation system

34
Future Work

• Preventing cascades from DoS attacks
• Better bandwidth use
• Improved cascade configuration algorithms
• More research on creeping death
• Better reputation system
• Adapting this design in the current remailer
  system

35
References

• Paul Syverson. Weakly secret bit commitment
  Applications to lotteries and fair exchange
• Raph Levien. Advogatos trust metric
• http//www. advogato.org/trust-metric.html
• Roger Dingledine, Michael J. Freedman, David
  Hopwood, and David Molnar. A Reputation System
  to Increase MIX-net Reliability
• Oliver Berthold, Andreas Pfitzmann, and Ronny
  Standtke.
• The disadvantages of free MIX routes and how to
  overcome them

36
References

• Roger Dingledine, Michael J. Freedman, David
  Hopwood, and David Molnar. A Reputation System
  to Increase MIX-net Reliability
• APES Anonymity and Privacy in Electronic
  Services
• www.cosic.esat.kuleuven.ac.be/apes/docs/d2_final.p
  df
• Claudia Diaz and Andrej Serjantov. Generalizing
  Mixes- Work shop on privacy enhancing
  technologies-2003

37
My protocol
38
Thank you

• For listening, Asking/Not asking