Message Splitting Against the Partial Adversary

1
Message Splitting Against the Partial Adversary
  • Andrei Serjantov
  • The Free Haven Project (UK)
  • Steven J Murdoch
  • University of Cambridge Computer Laboratory

2
Outline
  • Mix Systems. Criticisms.
  • too strong threat model(!)
  • intersection attack when 1 msg (too much data)
    sent
  • Weaker threat model
  • Sending each message via random route
  • non connection-based system
  • Empirical observations about Mixmaster and Mixminion
  • Characteristic delay function (Dan04) is
    difficult to estimate

3
Mix Systems
  • Well known to this audience
  • Implemented
  • Mixmaster
  • Mixminion
  • Threat Model
  • Global Passive Adversary (GPA)
  • GPA with some (all but one?) compromised mixes

4
Criticisms
  • GPA does not exist
  • (a matter of some debate)
  • The mix system (Chaum 81) allows one fixed-sized
    message to be sent anonymously
  • Great for votes
  • Ok for email
  • Bad for Web Browsing
  • Awful for Bit Torrent
  • If 1 message (more than 32K data), anonymity is
    degraded

5
Intersection Attack
[Diagram: Senders, Receivers, Attacker]

6
Traffic

7
Intersection Attack
  • BPS00 On the Disadvantages of Free Mix Routes
    (PET2001)
  • WALS02 An Analysis of the Degradation of
    Anonymous Protocols (NDSS02)
  • KAP02 Limits of Anonymity in Open Environments
    (IH2002)
  • Dan03 Statistical Disclosure (I-NetSec03)
  • DS04 (IH2004)
  • Dan04 The traffic analysis of continuous-time
    mixes (PET2004)
  • etc

8
The Common Wisdom
  • Intersection attacks are
  • Realistic
  • Powerful (reduce anonymity quickly)
  • Hard to protect against
  • Require lots of dummy traffic

9
A Weaker Model
[Diagram: nodes A to F and Mix 1 to Mix 4]

10
A Better Threat Model
  • A Partial Adversary
  • Does not observe all Sender to Mix links
  • (alternatively not all mixes which senders can
    send to)
  • Ignore compromised mixes

11
Observed Mix
Attacker sends all his messages via one single
route through the mix system
[Diagram: nodes A, B, D, E and Mix 1 to Mix 4]

12
Splitting Data
Sender B splits his stream of data and sends each
message via a randomly chosen route
[Diagram: nodes A, B, C, E, F and Mix 1 to Mix 4]
The problem: how do you choose the first mix?

13
The Details
  • Problem
  • mixes to send to
  • compromised, the rest not (but no idea which
    ones)
  • P packets
  • What are the s.t. a random subset (attacker)
  • of size gives least information about
  • Note that (dummy traffic)
  • No proof or optimal solution in this paper!
  • See one possible solution next

14
One possible scheme
  • Pick (uniformly) at random a sequence of mixes
  • Pick from a geometric distribution with mean .
    Set
  • Pick from a geometric distribution with mean
    . Set
  • etc
  • Another in the paper (with some analysis)
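
The single-route case from the "Observed Mix" slide and the per-message splitting from the "Splitting Data" slide, as an added simulation (not code from the talk or the paper). Assumptions: the adversary watches a uniformly random subset of first mixes, the first mix is chosen uniformly per message, and all function names and parameter values are illustrative; the geometric scheme above is not modelled.

```python
import random
from collections import Counter

def single_route(n_mixes, packets, rng):
    """'Observed Mix' slide: every packet enters through one first mix."""
    return Counter({rng.randrange(n_mixes): packets})

def split_uniform(n_mixes, packets, rng):
    """'Splitting Data' slide: each packet picks its first mix at random.
    Uniform choice is an assumption; the talk leaves the distribution open."""
    return Counter(rng.randrange(n_mixes) for _ in range(packets))

def observed(per_mix, watched):
    """Packets seen by a partial adversary who watches only `watched` mixes."""
    return sum(n for mix, n in per_mix.items() if mix in watched)

def simulate(strategy, n_mixes, n_watched, packets, trials, seed=0):
    """Observed packet count per trial; the watched subset is redrawn each time."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        watched = set(rng.sample(range(n_mixes), n_watched))
        samples.append(observed(strategy(n_mixes, packets, rng), watched))
    return samples

def summary(samples, packets):
    """How often the adversary sees nothing or everything, and the mean count."""
    t = len(samples)
    return {"none": samples.count(0) / t,
            "all": samples.count(packets) / t,
            "mean": sum(samples) / t}

if __name__ == "__main__":
    # Constructed parameters: 10 first mixes, 3 observed, 100 packets.
    for name, strategy in (("single route", single_route), ("split", split_uniform)):
        print(name, summary(simulate(strategy, 10, 3, 100, 2000), 100))
```

With a single route the adversary sees either nothing or the whole stream; with uniform splitting it sees a share close to the fraction of mixes it watches on almost every run.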

15
Part II
  • (Looking at a particular intersection attack and
    finding it not as easy as it looks at first
    glance)

16
Another Intersection Attack
  • Danezis 2004 (thanks for the diagrams)
  • The Idea

17
The Details

18
The Characteristic Delay Function
  • What is this for
  • Mixes
  • Mixmaster
  • Mixminion
  • Tor
  • This may be unfair: Danezis intended his attack
    for low latency systems (Tor)
  • Nevertheless interesting

19
The Characteristic Delay Function
  • Theory
  • What is the delay of a mix (cascade/network)
  • Can say not very much about it (as usual)
  • Details in the paper
  • Practice
  • Steven wrote a disciplined pinger
  • Does not ping too often, hope not to affect the
    results by sampling

20
Results

21
Results

22
Comparing
  • Nothing surprising
  • Mixmaster has longer delay
  • Heavy tails

23
Conclusions I
  • It is well known that the intersection attack is
    powerful
  • No reason to abandon investigation!
  • New interesting, mathematically well defined
    threat model
  • Splitting traffic amongst first nodes
  • Does not have the efficiency of Tor or other
    connection-based systems
  • Does gain anonymity advantage (but only by means
    of a weaker threat model)

24
Conclusions II
  • Characteristic function of Mixmaster, Mixminion
    difficult to work out in theory or estimate
    empirically
  • Data at
  • All references at Anonymity Bibliography
  • Thank you

25
The Anonymity Advantage
[Two diagrams: Alice, The Network (Mixmaster), total observed packets]

26
Intersection Attack
[Diagram: Senders, Receivers, Mixes]

27
A Weaker Model

28
Observed Mix
Attacker sends all his messages via one single
route through the mix system

29
Splitting Data
Attacker splits his stream of data and sends each
message via a randomly chosen route
The problem: how do you choose the first mix?