Network Security: Anonymity
Otto Huhta, T-110.5241 Network Security
Aalto University, Nov-Dec 2014
(Posted on 08-Jul-2020)
Outline
1. Anonymity in general
2. High-latency anonymous routing
3. Low-latency anonymous routing — Tor
Anonymity

Definitions
• Security: “free from danger or threat”
• Privacy: “control over personal information or actions”
• Anonymity: “unidentifiable”
Privacy
• Control over personal information
  • Emphasized in Europe
  • Gathering, disclosure and false representation of facts about one’s personal life
• Right to be left alone
  • Emphasized in America
  • Avoiding interference, control, discrimination, spam, censorship
• Anonymity is a tool for achieving privacy
  • Blending into the crowd
Anonymity (online) – Why?
• Protection against mass surveillance
• Censorship resistance, freedom of speech
• Protection against discrimination, e.g. geographic access control or price differentiation
• Business intelligence, police investigation, political and military intelligence
• Whistle blowing, crime reporting
• Electronic voting
• Cyber war, crime, illegal and immoral activities?
Anonymity – terminology
• Identity, identifier
• Anonymity — they don’t know who you are
• Pseudonymity — intentionally allow linking of some events to each other
  • E.g. sessions, payment and service access
• Unlinkability — they cannot link two events or actions (e.g. messages) with each other
• Authentication — strong verification of identity
• Weak identifier — not usable for strong authentication but may compromise privacy
  • E.g. nickname, IP address, SSID, service usage profile
• Authorization — verification of access rights
  • Does not always imply authentication (remember SPKI)
Anonymity in communications
• Anonymity towards communication peers
  • Sender anonymity — receiver does not know who sent the message or from where
  • Receiver anonymity — can send a message to a recipient without knowing who or where they are
  • Bi-directional anonymity — neither sender nor recipient knows the other’s identity
• Third-party anonymity — an outside observer cannot know who is talking to whom
• Unobservability — an outside observer cannot tell whether communication takes place or not
• Strength depends on the capabilities of the adversary
• Anonymity towards access network
  • Access network does not know who is roaming there
  • Related concept: location privacy
Who is the adversary?
• Discussion: who could violate your privacy and anonymity?
• Global attacker, your government
  • e.g. retention of traffic data, NSA PRISM
• Servers across the Internet, colluding commercial interests
  • e.g. web cookies, trackers, advertisers
• Criminals
  • e.g. identity theft
• Employer
• People close to you
  • e.g. stalkers, co-workers, neighbors, family members
Strong anonymity?
• Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication
• Even the strongest mechanisms have serious weaknesses
  • Need to trust many others to be honest
  • Services operated by volunteers and activists
  • Side-channel attacks
• Anonymity tends to degrade over time for persistent communication
Anonymity on the Internet
• Problem: weak identifiers
  • IP address, MAC address
    • IPv6 address can contain MAC address
  • TCP sequence number, IP Identifier field
  • Location/app data, browser plugins, languages, etc.
• Simple solution: VPNs
  • Need to trust VPN provider
  • Susceptible to traffic analysis
  • IP addresses can still leak information
• Better: Mix networks, Onion routing
High-Latency Anonymous Routing

Mix – Introduction
• Threat model: Global adversary
  • Can observe all messages, all traffic → trivially learns sender & receiver
• Goal: Break link between sender and receiver
• Solution: Cryptographic relays
Mix (1)
• Mix is an anonymity service [Chaum 1981]
• Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observer
• The mix receives encrypted messages (e.g. email), decrypts (or re-encrypts) them, and forwards to recipients
(Figure: Decryption)
Mix (2)
• Attacker can see the input and output of the mix
• Attacker cannot see how messages are shuffled in the mix
• Concept: Anonymity set = all nodes that could have sent (or could be recipients of) a particular message
(Figure: Decryption)
Mix (3)
• Two security requirements:
  • Bitwise unlinkability of input and output messages — cryptographic property; must resist active attacks
  • Resistance to traffic analysis — attacker can delay, drop or inject dummy messages
• Basic security
  • Re-encryption attack → Solution: freshness (random string)
  • Replay attack → Solution: MIX discards repeated input messages
• Examples of design mistakes: FIFO order of delivering messages; no freshness check at mix; no random initialization vector for encryption; no padding to hide message length; malleable encryption
(Figure: Decryption)
Mixing in practice
• Mix strategies
  • Threshold mix — wait to receive k messages before delivering
    • Anonymity set size k
  • Pool mix — mix always buffers k messages, sends one when it receives one
• Both strategies add delay → high latency
• Not all senders and receivers are always active
  • In a closed system, injecting cover traffic can fix this (What about the Internet?)
• Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections
  • Attacker can observe beginning and end of connections
  • Attacker can observe request and response pairs → statistical traffic analysis
Who sends to whom?
(Figure: Threshold mix with threshold 3)
Anonymity metrics
• Size of the anonymity set: k-anonymity
  • Suitable for one round of threshold mixing
• Problems with k-anonymity:
  • Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is high
  • Pool mix → k = ∞
• Entropy: $E = -\sum_{i=1}^{n} p_i \log_2 p_i$
  • “Not all senders are always equally likely to have sent a message”
  • Measures the amount of missing information in bits: how much does the attacker not know
  • Can measure entropy of the sender, recipient identity etc.
• Problems with measuring anonymity:
  • Anonymity of individual messages vs. anonymity in a system
  • Depends on the attacker’s capabilities and background information
  • Anonymity usually degrades over time as attacker collects more statistics
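The metrics above worked through on constructed inputs, as an added example that is not part of the lecture: k-anonymity and entropy for one threshold-mix round, the entropy of a pool mix under a simplified model (assumption: the mix holds k messages and outputs one uniformly at random on each arrival), and the cross-round intersection that shows why per-round k-anonymity overstates the protection of a persistent correspondent.

```python
import math

# Added example (not the lecture's code). pool_round_probs() is a simplified
# pool-mix model (assumption); ROUNDS is constructed sample data.

def entropy_bits(probs):
    """E = -sum(p_i * log2 p_i): bits the attacker is missing about the sender."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def threshold_round(batch):
    """One threshold-mix round: each of the k senders in the batch is equally
    likely to be the origin of any output, so k-anonymity = k and E = log2 k."""
    k = len(batch)
    return k, entropy_bits([1.0 / k] * k)

def pool_round_probs(k, horizon):
    """Probability that the message output now arrived j rounds ago (j = 0 is the
    newest) in a pool mix holding k messages: it survived j draws, then was drawn.
    The anonymity set is unbounded (k = infinity), but the entropy stays finite."""
    p = 1.0 / (k + 1)
    return [p * (1 - p) ** j for j in range(horizon)]

def candidate_senders(rounds, recipient):
    """Intersect the sender sets of every threshold round in which `recipient`
    received a message. A persistent correspondent is singled out even though
    every single round had anonymity set size k."""
    sets = [set(senders) for senders, recipients in rounds if recipient in recipients]
    return set.intersection(*sets) if sets else set()

def uniform_entropy(candidates):
    """Sender entropy when the remaining candidates are equally likely."""
    n = len(candidates)
    return entropy_bits([1.0 / n] * n) if n else 0.0

# Constructed sample: three rounds of a threshold-3 mix; A writes to R every round.
ROUNDS = [
    ({"A", "B", "C"}, {"R", "X", "Y"}),
    ({"A", "D", "E"}, {"R", "Z", "W"}),
    ({"A", "B", "F"}, {"R", "X", "Q"}),
]
```

For k = 2 the pool-mix distribution is geometric with p = 1/3, so its entropy is h(1/3)/p ≈ 2.75 bits, higher than the log2 3 ≈ 1.58 bits of a threshold-3 round, while the intersection over the three constructed rounds leaves a single candidate sender.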
Trusting the mix
• Problem: The mix must be honest!
• Solution: Route packets through multiple mixes
  • Attacker must compromise all mixes on the route
  • However, compromising almost all the mixes may reduce the size of the anonymity set
• Example: anonymous remailers for email
  • anon.penet.fi 1993–96
Mix networks (1)
(Figure)

Mix networks (2)
• Mix network is just a distributed implementation of mix
Mix networks (3)
• Mix cascade — all messages from all senders are routed through the same sequence of mixes
  • Good anonymity, poor scalability, poor reliability
• Free routing — each message is routed independently via multiple mixes
• Other policies between these two extremes
  • But remember that the choice of mixes could be a weak identifier!
Mix networks (4)
• Concept: Onion encryption
• Goal: only endpoints can see plaintext message
• Multiple layers of PK-encryption:
  Alice → M1: E_M1(M2, E_M2(M3, E_M3(Bob, M)))
  M1 → M2: E_M2(M3, E_M3(Bob, M))
  M2 → M3: E_M3(Bob, M)
  M3 → Bob: M
• Encryption at every layer must provide bitwise unlinkability → detect replays and check integrity; in free routing, must keep message length constant
• Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption
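The onion above, built and peeled hop by hop, as an added example that is not the lecture's code. It uses only the Python standard library: a per-mix symmetric key stands in for each mix's public key (assumption), each layer is encrypt-then-MAC so a mix checks integrity before forwarding, a random nonce gives the freshness the Mix (3) slide asks for, and each mix discards repeated input.

```python
import hashlib, hmac, json, os
# Toy onion over three mixes (added example, not the lecture's code). Each layer
# is encrypt-then-MAC: an HMAC-SHA256 keystream XORed over the plaintext plus an
# HMAC tag, so a mix verifies integrity before forwarding; a random nonce gives
# freshness. Per-mix symmetric keys stand in for the slide's E_M1..E_M3 (assumption).

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)  # fresh random string per layer (re-encryption attack)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_layer(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # malleated input is dropped
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(route, keys, recipient, message):
    # Innermost layer first: E_M3(Bob, M), then E_M2(M3, ...), then E_M1(M2, ...).
    nxt, blob = recipient, message
    for hop in reversed(route):
        layer = json.dumps({"next": nxt, "payload": blob.hex()}).encode()
        blob, nxt = seal(keys[hop], layer), hop
    return blob

class Mix:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()
    def process(self, blob):
        fp = hashlib.sha256(blob).digest()
        if fp in self.seen:  # replay attack: discard repeated input messages
            raise ValueError(f"{self.name}: replayed input discarded")
        self.seen.add(fp)
        layer = json.loads(open_layer(self.key, blob))
        return layer["next"], bytes.fromhex(layer["payload"])  # learns next hop only

def deliver(blob, mixes, first_hop):
    # Forward hop by hop; no single mix sees both the original sender and the recipient.
    hop, cur = first_hop, blob
    while hop in mixes:
        hop, cur = mixes[hop].process(cur)
    return hop, cur  # (recipient, plaintext message)
KEYS = {m: os.urandom(32) for m in ("M1", "M2", "M3")}  # constructed sample keys
MIXES = {m: Mix(m, k) for m, k in KEYS.items()}
```

Note that the ciphertext grows by 48 bytes per layer here, which is exactly the length leak a re-encryption mix is designed to avoid.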
Receiver anonymity
• Alice distributes a reply onion: E_M3(M2, k3, E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K))))
• Messages from Bob to Alice:
  Bob → M3: E_M3(M2, k3, E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K)))), M
  M3 → M2: E_M2(M1, k2, E_M1(Alice, k1, E_Alice(K))), E_k3(M)
  M2 → M1: E_M1(Alice, k1, E_Alice(K)), E_k2(E_k3(M))
  M1 → Alice: E_Alice(K), E_k1(E_k2(E_k3(M)))
• Alice can be memoryless: k_i = h(K, i)
Sybil attack
• Problem: Mixes tend to be run by volunteers
  • Anyone can join the network
  • Applies in general to open systems which anyone can join
• Attacker creates a large number of seemingly independent nodes, e.g. 50% of all nodes → some routes will go through only attacker’s nodes
• Defence: increase the cost of joining the network:
  • Human verification that each mix is operated by a different person or organization
  • The IP address of each mix must be in a new domain
  • Require good reputation of a measurable kind that takes time and effort to establish
  • Select mixes in a route to be at diverse locations
• Sybil attacks are a danger to most P2P systems, not just anonymous routing
  • E.g. reputation systems, content distribution
Other attacks
• Problem 1: Who are the others in the network?
  • (n-1) attack: Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get through → easy to trace because all other packets are the attacker’s
  • Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection
• Problem 2: Anonymity degrades over time
  • Statistical attacks: Attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns
Low-Latency Anonymous Routing

Tor
• Problem with Mix networks: High latency
  • Too slow for interactive use (e.g. web browsing)
• Solution: Remove mixing at relays… But what about security?
• More realistic(?) attacker model: can control some nodes, can sniff some links, not everything
• New compromise between efficiency and anonymity:
  • No mixing at the onion routers
  • All packets in a session, in both directions, go through the same routers
  • Short route, always three onion routers
  • Tunnels based on symmetric cryptography
  • No cover traffic
  • Protects against local observers at any part of the path, but vulnerable to a global attacker
• “2nd generation onion router”
Tor overview
• 5’000 relays, 2’000’000 daily users
• Directory Servers hold list of all relays (incl. public keys)
• Overlay network
  • Randomly chosen, but fixed circuits through 3 relays
• Encryption:
  • Onion encryption between user and last relay
  • TLS encryption between relays (and user)
Tor – Building a circuit (1)–(4)
(Figures only: the circuit is extended one relay at a time)
Circuits in Tor [Danezis]
(Figure: Alice → OR1 → OR2 → OR3 → Bob, with the circuit built one hop at a time)
• Authenticated DH, Alice – OR1 → K1
• Authenticated DH, Alice – OR2, carried encrypted with K1 → K2
• Authenticated DH, Alice – OR3, carried encrypted with K1, K2 → K3
• TCP connection Alice – Bob: traffic encrypted with K1, K2, K3; last link (OR3 – Bob) unencrypted
• Alice is not authenticated, only the ORs
• Additionally, linkwise TLS connections: Alice–OR1–OR2–OR3
Rough comparison: OR vs Mix networks (Paul Syverson, 2009)

                  Mix networks                                        Onion routing
Security from:    Mixing at relays (+ maybe route unpredictability)   Route unpredictability (no mixing)
Threat model:     Global adversary                                    Non-global adversary
Performance:      High latency                                        Low latency
Example use:      Email                                               Web browsing
Tor limitations (1)
• Traffic confirmation attacks
  • Scenario: adversary can monitor both endpoints → can trivially confirm the endpoints are communicating
  • Problem: relays don’t (significantly) alter traffic
  • Solution: none (outside Tor threat model)
• Traffic analysis attacks
  • Scenario: adversary controls/monitors part of user circuit (netw. links/relays)
  • Passive: can correlate traffic based on packet size, timing, volume, etc.
  • Active: can modify traffic (drop, delay, etc.) and look for traffic fingerprint
  • IF attacker controls first and last relay → again trivially confirm communication (Problem same as above)
  • Solution: make it difficult to control relays, switch circuits (limited effect)
• Note 1: Always a risk of compromise
  • Client chooses relays at random
  • Simplified: if c compromised relays out of n total
    • probability of choosing malicious relay c/n, and for both first and last relay (c/n)^2
• Why three routers, not two?
Tor limitations (2)
• Malicious exit relays
  • Problem: exit relay sees ‘unencrypted’ client traffic
  • Solution: use TLS!
• Information leak from browser, applications, OS
  • Problem 1: Tor doesn’t anonymize traffic content
  • Problem 2: Other applications access Internet directly
  • Solution: Tor browser bundle, disable JS, separate device
• Blacklisting of entry or exit relays
  • Problem: Remote server sees IP of exit relay
  • Solution (Exit relay): none
  • Solution (Entry relay): Bridges
Tor – Hidden Services
• Servers running ‘inside’ the Tor network
  • Physical location hidden
  • Traffic under onion encryption all the way to server
• Specific method for opening circuits
  • Introduction and Rendezvous points
• Examples
  • Search engines, file storage, Facebook, etc.
  • WikiLeaks
  • Finnish sites also: sipuliwiki, thorlauta
  • Illegal activities
Other systems: Freenet
• Freenet is a DHT-based P2P content distribution system
• Focus on censorship-resistant publishing
• Plausible deniability for content publishers and redistributors
  • Node itself cannot determine what content it stores
Conclusions: Anonymity
• Anonymity requires a crowd
• Mix networks
  • Strong anonymity for messaging
  • Mixing reduces performance
• Onion routing
  • Interactive use
  • Assumes a weaker adversary
  • Tor widely deployed
Exercises
• Compare k-anonymity for senders in threshold mix and pool mix
• What can a malicious Tor exit node achieve?
• Compare how the following affect anonymity level in Tor and high-latency email mixes:
  • Percentage of compromised mixes
  • Number of mixes in the route
  • Choosing a new random route periodically
• Is it possible to provide anonymity to honest users without helping criminals?
• Learn about the latest attacks against Tor. New ones are published regularly. Why is this the case?
• Is Tor use unobservable? That is, can it be used safely in a country or workplace where its use may be punished?
• Could malware or other software on your computer leak information about which web sites you access with Tor (or to whom you send email through a mix network)?
• Will using Tor make you more or less vulnerable to monitoring by governments?
Optional reading
• Mix networks:
  • A survey on mix networks and their secure applications (first few pages are very good) – K. Sampigethaya, R. Poovendran, Proceedings of the IEEE, 2006
• Anonymity metrics:
  • k-anonymity: A model for protecting privacy – L. Sweeney, International Journal of Uncertainty, Fuzziness and …, 2002
  • Towards an information theoretic metric for anonymity – A. Serjantov, G. Danezis, Privacy Enhancing Technologies, 2003
• Original Tor paper:
  • Tor: The second-generation onion router – R. Dingledine, N. Mathewson, P. Syverson, 2004
  • E.g. Tor threat model, more details on design choices, etc.