Crowds: Anonymity for Web Transactions

1
Crowds Anonymity for Web Transactions
Michael K. Reiter Aviel D. Rubin
Jan 31, 2006
Presented by Munawar Hafiz
2
Crowds Anonymity for Web Transactions
Contributions Introduces
the concept of Degree of Anonymity
Introduces the concept of Crowds
Analyzes the implementation
Comparison with other methods
2
3
Degrees of Anonymity
Beyond Suspicion Sender appears no more
likely to be the originator of a sent message
than any other potential senders in the
system. Probable Innocence Sender appears
no more likely to be the originator than not to
be the originator. Possible Innocence
There is a nontrivial probability that the real
sender is someone else.
What type of privacy requirement is suitable for
a particular application?
3
4
Anonymity loves company
The sole mechanism of anonymity is blending and
obfuscation.
The Mix approach

• Obfuscate the data
• Blend the data with cover traffic

The Onion Routing approach

• Obfuscate the data
• Use cell padding to make data look similar

The Crowds approach

• Data may be in clear text
• Hide in a group and make everyone in the group
  equally responsible for an act.

4
5
Crowds in operation Setup

• Setup Phase
• User first joins a crowd of other users and he is
  represented by a jondo process on his local
  machine. He registers to a server machine which
  is called a Blender.
• User configures his browser to use the local
  jondo as the proxy for all new services.
• The blender sends the data of other nodes in the
  crowd to the local jondo.
• All other members in the crowd go through a Join
  Commit.

5
6
Crowds in operation Communication

• Communication Phase
• User passes her request to a random member in the
  crowd.
• The selected router flips a biased coin with
  forwarding probability pf .
• With probability (1- pf ) , it delivers the
  message directly to destination. Otherwise it
  forwards the message to a randomly selected next
  router.

6
7
Anonymity for Crowds approach
7
8
Distinct Characteristics of Crowds
Use of encryption A single path key is
used for end-to-end encryption At each
node, path key is re-encrypted using link
encryption Fast stream cipher for
encrypting reply traffic
Static Path Dynamic paths hurt the
anonymity achieved Paths are changed
during join and failure
Protection against timing attacks
Sender revealed if it is an immediate predecessor
of malicious jondo. Introduce delays
for thwarting attacks
8
9
Comparison with MIX networks
Crowds and MIX solve different anonymity
problems Crowds provide
(probable innocence) sender anonymity
MIX networks provide sender and
receiver un-linkability
Different type of protection against global
passive eavesdropper Crowds
provide no protection MIX
networks provide protection again global
eavesdropper
Performance Crowds provide
better performance Public
key encryptions and decryptions affect
performance.
Different approach in routing (Efficiency)
In Crowds paths are selected
randomly In a re-mailer, the
circuit has to be determined first.
9
10
Concepts coming out of Crowds
Every node is a MIX Making
the end nodes and the MIXes indistinguishable
Distributed workload
Used in MorphMix / Tarzan for Peer to
Peer communication
The leaky pipe architecture
Any node is an exit node
Used in Tor to provide better protection against
Robustness No single point
of failure Distributed
Blender ??
Anonymity loves company The
more the user base, the better the anonymity
Highly scalable
10
11
Limitations of Crowds

• Content in plaintext
• Apply end-to-end encryption to
  protect content
• Limitation Gathering
  multimedia content

• Restriction on using ActiveX controls etc.
• Current Internet landscape is
  different from this requirement

Break for brainstorming What type of
applications can use this approach ?

• Vulnerable to DoS attacks
• Malicious jondos can simply drop
  packets.

• Performance overhead
• Increased network traffic,
  increased retrieval time and load on jondos

• Deployment problem with firewalls

11
12
Crowds for Social Networking
A crowds network where all the participants know
each other and are therefore trusted.
Are you comfortable in a friendly crowd or
unfriendly crowd ?
A crowds network with trusted entities but not
friends / acquaintances.
A crowds network that includes adversaries and
honest nodes, all un-trusted.
Are you willing to take the risk of being logged
by server ?
What about content tampering risks ?
12
13
Discussion questions
Crowds provide better options for deployment than
an onion routing scheme like Tor. Yet you see Tor
deployed in two continents and crowds a research
prototype only. What is the reason?
What would happen if membership in the crowd is
controlled by the blender but in this case the
blender is using public key authentication. Would
the overall anonymity be improved?
What are the factors that hinder crowd
scalability?
The crowds approach limit the subset of users
that hides the message initiator. How does it
affect anonymity ?
Have we seen the end of crowds ?
13