Anonymity on the Web: Onion routing and Crowds - PowerPoint PPT Presentation

About This Presentation
Title:

Anonymity on the Web: Onion routing and Crowds

Description:

Anonymity on the Web: Onion routing and Crowds Outline the problem of user privacy basic concepts of anonymous communication MIXes Onion routing Anonymizer Crowds ... – PowerPoint PPT presentation

Number of Views:202
Avg rating:3.0/5.0
Slides: 37
Provided by: Levente1
Category:

less

Transcript and Presenter's Notes

Title: Anonymity on the Web: Onion routing and Crowds


1
Anonymity on the WebOnion routing and Crowds
2
Outline
  • the problem of user privacy
  • basic concepts of anonymous communication
  • MIXes
  • Onion routing
  • Anonymizer
  • Crowds

3
User privacy the problem
  • private information is processed and stored
    extensively by various individuals and
    organizations
  • location of user ? telecom operators
  • financial situation of user ? banks, tax
    authorities
  • wealth of user ? insurance companies
  • shopping information of user ? credit card
    companies, retailers (via usage of fidelity
    cards)
  • illnesses of user ? medical institutions
  • complete and meaningful profiles on people can be
    created and abused
  • information technology makes this easier
  • no compartmentalization of information
  • cost of storage and processing (data mining)
    decreases ? technology is available to everyone

4
I dont have anything to hide.
  • think again!
  • sexuality
  • pregnancy
  • illnesses
  • genetic predisposition
  • sins of youth
  • controversial activities
  • personal interests

5
User privacy the goal
  • private data should be protected from abuse by
    unauthorized entities
  • transactional data
  • e.g., access/usage logs at telecom operators,
    buildings, parking, public transport,
  • data that reveals personal interests
  • e.g., video rentals, credit card purchases, click
    stream data (WWW),
  • data that was disclosed for a well-defined
    purpose
  • e.g., tax data revealed to tax authorities,
    health related data revealed to doctors, address
    information revealed in mail orders,

6
User privacy existing approaches
  • data avoidance
  • I dont tell you, so you cant abuse it.
  • effective but not always applicable
  • often requires anonymity
  • examples cash transactions, public phones
  • data protection
  • If ever you abuse it, you will be punished.
  • well-established approach
  • difficult to define, enforce, and control
  • requires legislation or voluntary restrictions
  • multilateral security
  • cooperation of more than two parties (typically
    TTPs are involved)
  • shared responsibilities and partial knowledge
  • combinations of the above three

7
Basic concepts of anonymous communication
  • What do we want to hide?
  • sender anonymity
  • attacker cannot determine who the sender of a
    particular message is
  • receiver anonymity
  • attacker cannot determine who the intended
    receiver of a particular message is
  • unlinkability
  • attacker may determine senders and receivers but
    not the associations between them (attacker
    doesnt know who communicates with whom)
  • From whom do we want to hide this?
  • communication partner (sender anonymity)
  • external attackers
  • local eavesdropper (sniffing on a particular link
    (e.g., LAN))
  • global eavesdropper (observing traffic in the
    whole network)
  • internal attackers
  • (colluding) compromised system elements (e.g.,
    routers)

8
Chaum MIX
  • goal
  • sender anonymity (for communication partner)
  • unlinkability (for global eavesdropper)
  • implementation
  • r, m KMIX ? MIX ? m
  • where m is the message and r is a random number

MIX
  • batches messages
  • discards repeats
  • changes order
  • changes encoding

9
MIX chaining
  • defense against colluding compromised MIXes
  • if a single MIX behaves correctly, unlinkability
    is still achieved

MIX
MIX
MIX
10
A real-time MIX network Onion routing
  • general purpose infrastructure for anonymous
    communications over a public network (e.g.,
    Internet)
  • supports several types of applications (HTTP,
    FTP, SMTP, rlogin, telnet, ) through the use of
    application specific proxies
  • operates over a (logical) network of onion
    routers
  • onion routers are real-time Chaum MIXes (messages
    are passed on nearly in real-time ? this may
    limit mixing and weaken the protection!)
  • onion routers are under the control of different
    administrative domains ? makes collusion less
    probable
  • anonymous connections through onion routers are
    built dynamically to carry application data
  • distributed, fault tolerant, and secure

11
Overview of architecture
long-term socket connections
application (initiator)
onion router
application proxy - prepares the data
stream for transfer - sanitizes appl. data
- processes status msg sent by the
exit funnel
application (responder)
exit funnel - demultiplexes connections
from the OR network - opens connection to
responder application and reports a one
byte status msg back to the application
proxy
onion proxy - opens the anonymous
connection via the OR network -
encrypts/decrypts data
entry funnel - multiplexes connections
from onion proxies
12
OR network setup and operation
  • long-term socket connections between
    neighboring onion routers are established ?
    links
  • neighbors on a link setup two DES keys using the
    Station-to-Station protocol (one key in each
    direction)
  • several anonymous connections are multiplexed on
    a link
  • connections are identified by a connection ID
    (ACI)
  • an ACI is unique on a link, but not globally
  • every message is fragmented into fixed size cells
    (48 bytes)
  • cells are encrypted with DES in OFB mode (null
    IV)
  • optimization if the payload of a cell is already
    encrypted (e.g., it carries (part of) an onion)
    then only the cell header is encrypted
  • cells of different connections are mixed, but
    order of cells of each connection is preserved

6
5
4
3
2
1
6
5
4
3
2
1
4
3
2
1
mixing
4
3
2
1
13
Anonymous connection setup
  • the application is configured to connect to the
    application proxy instead of the real destination
  • upon a new request, the application proxy
  • decides whether to accept the request
  • opens a socket connection to the onion proxy
  • passes a standard structure to the onion proxy
  • standard structure contains
  • application type (e.g., HTTP, FTP, SMTP, )
  • retry count (number of times the exit funnel
    should retry connecting to the destination)
  • format of address that follows (e.g., NULL
    terminated ASCII string)
  • address of the destination (IP address and port
    number)
  • waits response from the exit funnel before
    sending application data

14
Anonymous connection setup contd
  • upon reception of the standard structure, the
    onion proxy
  • decides whether to accept the request
  • establishes an anonymous connection through some
    randomly selected onion routers by constructing
    and passing along an onion
  • sends the standard structure to the exit funnel
    of the connection
  • after that, it relays data back and forth between
    the application proxy and the connection
  • upon reception of the standard structure, the
    exit funnel
  • tries to open a socket connection to the
    destination
  • it sends back a one byte status message to the
    application proxy through the anonymous
    connection (in backward direction)
  • if the connection to the destination cannot be
    opened, then the anonymous connection is closed
  • otherwise, the application proxy starts sending
    application data through the onion proxy, entry
    funnel, anonymous connection, and exit funnel to
    the destination

15
Onions
  • an onion is a multi-layered data structure
  • it encapsulates the route of the anonymous
    connection within the OR network
  • each layer contains
  • backward crypto function (DES-OFB, RC4)
  • forward crypto function (DES-OFB, RC4)
  • IP address and port number of the next onion
    router
  • expiration time
  • key seed material
  • used to generate the keys for the backward and
    forward crypto functions
  • each layer is encrypted with the public key of
    the onion router for which data in that layer is
    intended

bwd fn fwd fn next 0 keys
bwd fn fwd fn next green keys
bwd fn fwd fn next blue keys
16
Anonymous connection setup illustrated
onion proxy
application (responder)
17
Anonymous connection setup illustrated
onion proxy
application (responder)
bwd entry funnel, crypto fns and keys
fwd blue, ACI 12, crypto fns and keys
18
Anonymous connection setup illustrated
onion proxy
application (responder)
19
Anonymous connection setup illustrated
onion proxy
application (responder)
bwd magenta, ACI 12, crypto fns and keys
fwd green, ACI 8, crypto fns and keys
20
Anonymous connection setup illustrated
onion proxy
application (responder)
21
Anonymous connection setup illustrated
onion proxy
application (responder)
bwd blue, ACI 8, crypto fns and keys
fwd exit funnel
22
Anonymous connection setup illustrated
bwd entry funnel, crypto fns and keys
fwd blue, ACI 12, crypto fns and keys
onion proxy
bwd blue, ACI 8, crypto fns and keys
fwd exit funnel
application (responder)
bwd magenta, ACI 12, crypto fns and keys
fwd green, ACI 8, crypto fns and keys
23
Data movement
  • forward direction
  • the onion proxy adds all layers of encryption as
    defined by the anonymous connection
  • each onion router on the route removes one layer
    of encryption
  • responder application receives plaintext data
  • backward direction
  • the responder application sends plaintext data to
    the last onion router of the connection (due to
    sender anonymity it doesnt even know who is the
    real initiator application)
  • each onion router adds one layer of encryption
  • the onion proxy removes all layers of encryption

24
Connection tear-down
  • anonymous connections are terminated by the
    initiator, the responder, or one of the onion
    routers in the middle
  • a special DESTROY message is propagated by the
    onion routers
  • if an onion router receives a DESTROY msg, it
    passes it along the route (forward or backward)
  • sends an acknowledgement to the onion router from
    which it received the DESTROY msg
  • if an onion router receives an acknowledgement
    for a DESTROY messages it frees up the
    corresponding ACI

25
Anonymizer
  • www.anonymizer.com
  • special protection for HTTP traffic
  • acts as a proxy for browser requests
  • rewrites links in web pages and adds a form where
    URLs can be entered for quick jump
  • disadvantages
  • must be trusted
  • single point of failure/attack

browser
anonymizer
server
request
request
reply
reply
href http//anon.free.anonymizer.com/http//www.
server.com/ ? href http//www.server.com/

26
Crowds
  • a crowd is a collection of users formed
    dynamically
  • each user runs a process called jondo on his
    computer
  • when the jondo is started it contacts a server
    called blender to request admittance to the crowd
  • if admitted, the blender reports the current
    membership of the crowd and sends information
    necessary to join the crowd (keys)
  • the user sets his browser to use his jondo as a
    web proxy
  • when the jondo receives the first request from
    the browser, it initiates the establishment of a
    random path of jondos in the crowd
  • the jondo picks a jondo (possibly itself) in the
    crowd at random, and forwards the request to it
    (after sanitizing it)
  • when this jondo receives the request it forwards
    it with probability pf (to a randomly selected
    jondo again) and submits the request to the
    destination server with probability 1-pf
  • subsequent requests follow the same path
  • the server replies traverse the same path (in
    reverse direction)
  • communication between jondos is encrypted

27
Examples
servers
crowd
28
Degrees of anonymity
absolute privacy
beyond suspicion
probable innocence
possible innocence
exposed
provably exposed
  • beyond suspicion
  • attacker can see evidence of a sent message, but
  • the sender appears no more likely to be the
    originator than any other potential sender in the
    system
  • probable innocence
  • the sender may be more likely the originator than
    any other potential sender, but
  • the sender appears no more likely to be the
    originator than to not be the originator
  • possible innocence
  • the sender appears more likely to be the
    originator than to not be the originator, but
  • theres still a non-trivial probability that the
    originator is someone else

29
Types of attackers
  • local eavesdropper
  • can observe communication to and from the users
    computer
  • collaborating crowd members
  • crowd members that can pool their information and
    deviate from the protocol
  • end server
  • the web server to which the transaction is
    directed

30
Security analysis local eavesdropper
  • a local eavesdropper can see that the user
    originated a request
  • sender is exposed
  • however, he typically cannot see the target of
    the request
  • requests are encrypted unless they are submitted
    to the target server
  • if request is encrypted, each end-server appears
    for the attacker equally likely to be the target
    of the request ? beyond suspicion anonymity
  • if the users own jondo submits the request, then
    the target is exposed the probability of this
    is 1/n where n is the size of the crowd
  • P( receiver / beyond suspicion ) ? 1 as n ?
    infinity

31
Security analysis end server
  • end-server is the target of the request
  • receiver anonymity is not possible
  • anonymity for the originator is strong
  • users jondo always forwards the request to a
    random member of the crowd ( hides user identity
    with a one-time pad)
  • ? the end-server is equally likely to receive the
    request from any crowd member
  • from the end-server perspective, each user is
    equally likely to be the originator ? sender /
    beyond suspicion anonymity guaranteed

32
Security analysis collaborating jondos
  • notation
  • Hi the event that the first collaborator on the
    path is in the i-th position
  • Hi Hi v Hi1 v Hi2 v
  • I the event that the first collaborator on the
    path is immediately preceded on the path by the
    initiator
  • definition
  • the path initiator has probable innocence if P( I
    H1 ) 1/2
  • theorem
  • if n ³ (c 1)pf / (pf 1/2), then the path
    initiator has probable innocence against c
    collaborators
  • in addition, P( absolute privacy ) ? 1 as n ?
    infinity both for sender and receiver anonymity

33
Overview of security offered by Crowds
attacker sender anonymity receiver anonymity
local eavesdropper exposed P( beyond suspicion) ? 1
c collaborating crowd members probable innocence P( absolute privacy ) ? 1 P( absolute privacy ) ? 1
end server beyond suspicion N/A
34
Timing attacks
  • HTML pages can include URLs that are
    automatically fetched by the browser (e.g.,
    images)
  • first collaborating jondo on the path can measure
    the time between seeing a page and seeing a
    subsequent automatic request
  • if the duration is short, then the predecessor on
    the route is likely to be the initiator
  • solution
  • last jondo on the path parses HTML pages and
    requests the URLs that the browser would request
    automatically
  • users jondo on the path returns HTML page,
    doesnt forward automatic requests, rather waits
    for the last jondo to supply the results

35
Limitations of Crowds
  • request contents are exposed to intermediate
    jondos
  • service can be circumvented by Java Applets and
    Active X controls
  • performance overhead (increased retrieval time,
    load on jondos)
  • no defense against DoS attacks mounted by
    malicious crowd members

36
Comparison with MIXes
  • Crowds
  • sender anonymity
  • no protection against global eavesdropper
  • uses symmetric key crypto
  • MIXes
  • unlinkability of sender and receiver
  • protection against global eavesdropper
  • use public key crypto (at least during connection
    setup)
Write a Comment
User Comments (0)
About PowerShow.com