Modelling and Analysing of Security Protocol: Lecture 10 ...

Modelling and Analysing ofSecurity Protocol: Lecture 10

Anonymity: Systems

Today’s Lecture

• Practical course issues.• Theoretical anonymity.

– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol

BREAK• Practical anonymous systems

– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE– Anonymous Publishing: Freenet

Crowds

• A crowd is a group of n nodes• The initiator selects randomly a node (calledforwarder) and forwards the request to it

• A forwarder:– With prob. 1-pf selects

randomly a new node andforwards the request to him

– With prob. pf sends therequest to the server

server

Crowds

• The sender is beyond suspicion to the server.

• Some of the nodes could be corrupted.

• The initiator could forward the message to acorrupted node.

• The sender has probable innocence to othernodes.

Crowds

• Problem: many people won’t forward traffic forothers.

• A practical system has to make forwardingtraffic for others optional or controllable.

server

Onion Routing• Each node makes its key public• The initiator selects the whole route and encrypts

the message with all keys in reverse order• Each node unwraps a layer and forwards the

message to the next one

{2,{3,{server,m}k3}k2}k11 2

3m

{3,{server,m}k3}k2

{server,m}k3

server

Onion Routing

• Each node only learns the next one in the path

• End-users can run their own node– Better anonymity

• or use an existing one– More efficient– User's identity is revealed to the node

Tor

• Tor implement this protocol.

• Several hundred volunteer nodes.

• Firefox plug-in.

• Managed by the US navy.

Problems with Tor• You reveal you IP to the first node and the

last node see who you are talking to.

• If an attacker controls the first and the lastnode they may be able to match the packetsusing traffic analysis.

• No anonymity from an attacker that monitorsthe whole network.

• Some protocol broadcast their IP address

MIXes• MIXes are proxies that forward messages

between them• A user contacts a MIX to send a message• The MIX waits until it has received a number of

messages, then forwards them in different order

MIXes• It is difficult to trace the route of each

message.

• May provide beyond suspicion S-Runlinkability even to a global attacker.

• Messages have to be delayed (can be solvedwith dummy traffic).

• More complicated when sending series ofpackets

Mutli-casting

• Broadcast the message to the whole network.

• Beyond suspicion for the receiver.

• No anonymity for the sender.

• Multicasting is a good technique forbroadcasting messages .... but very inefficientto send just one message.

Spoofed UDP

• The from IP address is not used by routers,only by higher-level protocols such as TCP.

• UDP does not have to use this address.

• A random address can be used instead toprovide sender anonymity.

• Method prohibited by many ISPs.

Anonymous File-Sharing system

800,000 downloads

Informal description

Source code

Appeal for donations

Peer-to-Peer File-Sharing

In newer networks peers recordthe IP address of other peers.

A searcher sends a request to allof it’s “neighbours”.

This is forwarded to all of thereneighbours, up to a fixed hops.

A

Peer-to-Peer File-Sharing

The search request includesA’s IP address.

Any peer with the requestedfile contacts A directly.

Peer “A” may then requestthe file.

A

Peer-to-Peer File-Sharing

No anonymity from peers insidethe network:

The search message gives thesearcher’s IP address and nameof the files they are looking for.

By requesting a file, you can findout the IP address of all peersthat are offering the file.A

MUTE• MUTE removes the IP address from the file

exchange.

• Peers only know the IP address of their directneighbours.

• Peers choose random “pseudo ID”.

• Files are not sent directly between peers. Insteadfiles are sent via a number of peers.

• MUTE uses a version of the “Ants” ad-hoc routingprotocol.

Anonymity Provided by MUTE• MUTE makes it hard to link the IP address of

a peer with its pseudo ID.

• Peers only know the ID address's of theirdirect neighbours, but not their pseudo ID.

• The network should provide enough cover tolet a neighbour deny using a particular ID.

• If an attacker can completely surround a peerit looses anonymity.

MUTE: Search

The search takes place as before, but thistime the message uses its pseudo IDas the “from ID”.

Each peer builds a routing table byrecords the ID and the connection.

A probabilistic time-to-live counter limitsthe search.

AA

A

A

A

AA

AA

MUTE: Reply

If B wants to reply it sends amessage to A’s pseudo ID.

This message is routed using the ad-hoc routing table.

The route to B is also recorded

AA

A

A

A

AA

AA

B

B

B

B

Un-forgeable Pseudo IDs

• MUTE using a hash of using authenticationkeys as the peers pseudo IDs.

• A peer generates a RSA signature key “kS” and anauthentication key “kA”.

• The message header now has the form:

( to ID, #(kA), message ID-time_stamp, FLAGS:(SkS(messageID-time_stamp), kA) )

Freenet and Free Haven• There are a number of “anonymous

publishing system”.

• For example Freenet and the MIX basedFree Haven.

• These systems make the original author of afile anonymous, not the responder.

• Nodes will often cache files.Therefore youcan “trick” a node into storing and “offering” afile.

Summary of methods

Some Kinds of Attack

• Timing attacks• System Membership• Time-to-Live Attacks (Mute, Mantis)• Multiple Attackers (Mute)• Statistical Attacks (MIXes)• Forced Repeat (Crowds)• Nodes Joining and Leaving• Denial of Service (Mute)

Today’s Lecture• Practical course issues.• Theoretical anonymity.

– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol

BREAK• Practical anonymous systems

– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE– Anonymous Publishing: Freenet