Cashmere: Resilient Anonymous Routing

1
Cashmere Resilient Anonymous Routing

• CS290F
• March 7, 2005

2
Anonymous Communication

• Source anonymity
• protect identity of communication source
• Unlinkability
• avoid association between endpoints

3
Anonymous Routing as Mechanism

• Large decentralized networks
• lack of mutual trust, distributed domains
• Use as mechanism for secure communication
• test other nodes without revealing your
  identity
• e.g. are you pointing to me in your routing table?

4
Chaum-Mix Approaches

• Idea forward message through static path of
  relay nodes
• downside path is fragile and hard to maintain
• once any node/link is broken, must rebuild entire
  path (expensive)
• nodes in middle dont know where to send error
  messages
• downside computationally expensive
• each message must be encrypted with layers of
  asymmetric encryption

5
Outline

• Motivation
• Cashmere Design
• Evaluation
• Summary

6
Flexible and Resilient Anonymity

• Use relay groups for routing resiliency
• instead of single nodes to relay traffic, use
  groups of nodes
• relay survives if at least 1 member of relay
  group is reachable
• P2P and prefix keys
• leverage structured p2p routing
• define relay group by all nodes sharing a prefix
  in their nodeID
• encryption via prefix keys (public/private pairs)
• i.e. 1234 would have keys for 1XXX, 12XX, 123X

302X
013X
233X
7
Routing Overview
A

• Cannot simply route through groups to destination
• Sender A forwards traffic thru a number of relay
  groups
• Receiver B is a member of one of the relay groups
• Per relay, the first member to receive the msg is
  the root
• root node decrypts using its prefix private key,
  forwards payload to other members, then routes
  msg to next relay

8
Enhancements for Performance

• Decouple path encryption and payload
• encrypt path layer separately
• include keys at each layer to match payload
  onion
• Remove asymmetric encryption from critical path
• use session key (symmetric) to encrypt each msg
• encrypt session key with destination pub
  keyinclude inside path encryption layer
• only true destination knows its the recepient

9
The Big Picture
Root ofRelay Group P
from last relay group
to relaygroup PL-1
PL-1 RL-2 KL-2
Each node decrypts KL-2 with its own private key.
Only the destination node will get SymKey_B and a
flag indicating success.
10
Selecting GroupID and Path Length

• Tradeoff between anonymity, resilience and
  messaging overhead
• Leverage random distribution of nodeIDs
• predict expected size of relay group
• Can dynamically select prefix length to control
  relay group size (per session)

11
Cashmere Evaluation

• Measure anonymity using entropy metric
• source anonymity identical to Chaum-mixes
• destination anon. identical if ?10 nodes are
  attackers
• Resilience
• expected lifetimes of relay groups 1 or 2
  orders of magnitude gt single relay nodes (avg
  group 3-5)
• Performance
• source encryption cost is 10 of CM, (if avg
  group 3)
• decryption cost at relays lt 50 of CM, (group
  3)
• Result? Goals accomplished!
• Fully implemented Tput ? 27Mb/s for 4K msgs

12
Entropy-based Anonymity

• Entropy of a system
• Entropy-based anonymity of the system

13
Source Anonymity
14
Unlinkability Anonymity
15
Expected Path Lifetimes

• exponentially distributed session times
• median session time 60 mins
• balanced node leave/joins

16
Path Duration w/ Intermittent Failures
17
Relative Computation Cost
18
Summary

• Resilience through relay groups
• Decouple path encryption from payload
• Questions?