Towards an Analysis of Onion Routing Security - PowerPoint PPT Presentation

About This Presentation
Title:

Towards an Analysis of Onion Routing Security

Description:

Towards an Analysis of Onion Routing Security. Syverson, Tsudik, Reed, and Landwehr ... Onion router real time Chaum mix. Store and forward with minimal delays ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 20
Provided by: adam93
Learn more at: http://hatswitch.org
Category:

less

Transcript and Presenter's Notes

Title: Towards an Analysis of Onion Routing Security


1
Towards an Analysis of Onion Routing Security
  • Syverson, Tsudik, Reed, and Landwehr
  • PET 2000
  • Presented by Adam Lee
  • 1/26/2006

2
Goals of the Paper
  • Overview of onion routing
  • Explanation of security goals
  • Description of network model assumptions
  • Discussion of adversary types
  • Security analysis
  • Comparison with Crowds

3
Onion Routing
  • Onion router real time Chaum mix
  • Store and forward with minimal delays
  • Onion routing connection phases
  • Setup
  • Transmission
  • Teardown

4
Setup Phase
  • Connection initiator builds an onion
  • Layered cryptographic structure, specifying
  • Path through network
  • Point-to-point symmetric encryption algorithms
  • Cryptographic keys
  • Structure not rigorously specified in paper
  • At each step
  • Router decrypts entire structure
  • Sets up encrypted channels to predecessor and
    successor nodes
  • Forwards new onion on to successor

5
Transmission Phase
  • When connection initiator wants to send data
  • Break data into uniform (128 bit) blocks
  • Encrypt each block once for each router in the
    path
  • Note Use symmetric encryption here
  • Send data to first onion router
  • All onion routers connected by persistent TCP
    thick pipes which add another layer of encryption
    on top of all of this encryption!

6
Security Goals
  • The goal is to hide
  • Sender activity
  • Receiver activity
  • Sender content
  • Receiver content
  • Source-destination pairs

7
Network Assumptions
  1. Onion routers are all fully connected
  2. Links are padded or bandwidth-limited to a
    constant rate
  3. Unrestricted exit policies
  4. For each route, each hop is chosen at random
  5. Number of nodes in a route is chosen at random

8
Know Your Enemy
  • 4 Types of adversaries
  • Observer
  • Disrupter
  • Hostile user
  • Compromised COR
  • Adversary distributions
  • Single
  • Multiple
  • Roving
  • Global

Note Authors claim that a group of roving
compromised CORs is most powerful (and realistic)
adversary model.
Is this true?
9
Security Analysis
10
Analysis Parameters
  • r number of CORs in the system
  • S set of CORs in the system
  • n route length
  • R R1, R2, , Rn A specific route
  • c maximum number of compromised CORs
  • C set of compromised CORS

11
Important Cases
  • Assume not all CORs are compromised (i.e., c lt
    n). There are three important cases to consider.
  • R1 ? C
  • Probability c/r
  • Rn ? C
  • Probability c/r
  • R1 and Rn ? C
  • Probability c2/r2
  • Each case has its own important properties

12
Properties of Attacks
R1 ? C Rn ? C R1 and Rn ? C
Sender activity Yes No Yes
Receiver activity No Yes Yes
Sender content No No Inferred
Receiver content No Yes Yes
S/D linking No No Yes
13
The Attackers Game
  • Probability that at least one COR on the route is
    compromised a startup
  • 1 - Pr(R ? C ?) 1 - (r-c)n/rn
  • Adversary determines
  • Rs where s min(j ? 1 n and Rj ? R ? C)
  • Re where e max(j ? 1 n and Rj ? R ? C)
  • Attacker can easily test to see if Rs Re, Rs
    R1, or Re Rn

14
The Attackers Game (cont.)
  • At each time step
  • Move one step closer to R1 (e.g., Rs Rs-1)
  • Move one step closer to Rn (e.g., Re Re1)
  • Compromise c-2 routers to try to find another
    link in the route
  • Unless one endpoint is found, then can compromise
    c-1 routers
  • Worst case max(s, n-e) rounds to reach both
    endpoints
  • Dont offer analytic solution to expected number
    of rounds to compromise both endpoints

15
Example (n6, r10, c2)
Attacker Wins!
16
Thoughts on the Game
  • What is a round? An attacker unit of time? A
    defender unit of time?
  • How long is a round? What does this analysis
    tell us without knowing that?
  • If compromising routers is as easy as jus doing
    it, what security at all does onion routing offer
    us?
  • Can we derive meaningful requirements from this
    analysis?

17
Discussion Questions
  • What are the dangers of assumption 2 (constant
    bandwidth)?
  • Is the freedom to choose ones routes through the
    network a double-edged sword?

18
Discussion Questions (cont.)
  • Assumption 4 says routes are chosen at random.
    From an probability standpoint, is this better or
    worse than everyone using the same route (e.g., a
    Hamiltonian path through the COR network)? Is it
    the same?
  • The title of this paper is Towards an Analysis
    of Onion Routing Security and it clearly makes a
    good first contribution to this area. How could
    this analysis be improved and/or made more
    comprehensive?

19
Discussion Questions (cont.)
  • Why would NRL fund this type of work? Contrast
    this with the previous work done in this area by
    groups such as the cypherpunks.
Write a Comment
User Comments (0)
About PowerShow.com