Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems
Dec 15, 2015
Modelling and Analysing of Security Protocol: Lecture 10
Anonymity: Systems
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE – Anonymous Publishing: Freenet
Crowds
• A crowd is a group of n nodes• The initiator selects randomly a node (called
forwarder) and forwards the request to it• A forwarder:
– With prob. 1-pf selects
randomly a new node andforwards the request to him
– With prob. pf sends the
request to the server
server
Crowds
• The sender is beyond suspicion to the server.
• Some of the nodes could be corrupted.
• The initiator could forward the message to a corrupted node.
• The sender has probable innocence to other nodes.
Crowds
• Problem: many people won’t forward traffic for others.
• A practical system has to make forwarding traffic for others optional or controllable.
server
Onion Routing
• Each node makes its key public
• The initiator selects the whole route and encrypts the message with all keys in reverse order
• Each node unwraps a layer and forwards the message to the next one
{2,{3,{server,m}k3
}k2
}k1
1 2
3m
{3,{server,m}k3
}k2
{server,m}k3
server
Onion Routing
• Each node only learns the next one in the path
• End-users can run their own node– Better anonymity
• or use an existing one– More efficient– User's identity is revealed to the node
Tor
• Tor implement this protocol.
• Several hundred volunteer nodes.
• Firefox plug-in.
• Managed by the US navy.
Problems with Tor
• You reveal you IP to the first node and the last node see who you are talking to.
• If an attacker controls the first and the last node they may be able to match the packets using traffic analysis.
• No anonymity from an attacker that monitors the whole network.
• Some protocol broadcast their IP address
MIXes
• MIXes are proxies that forward messages between them
• A user contacts a MIX to send a message
• The MIX waits until it has received a number of messages, then forwards them in different order
MIXes
• It is difficult to trace the route of each message.
• May provide beyond suspicion S-R unlinkability even to a global attacker.
• Messages have to be delayed (can be solved with dummy traffic).
• More complicated when sending series of packets
Mutli-casting
• Broadcast the message to the whole network.
• Beyond suspicion for the receiver.
• No anonymity for the sender.
• Multicasting is a good technique for broadcasting messages .... but very inefficient to send just one message.
Spoofed UDP
• The from IP address is not used by routers, only by higher-level protocols such as TCP.
• UDP does not have to use this address.
• A random address can be used instead to provide sender anonymity.
• Method prohibited by many ISPs.
Anonymous File-Sharing system
800,000 downloads
Informal description
Source code
Appeal for donations
Peer-to-Peer File-Sharing
In newer networks peers record the IP address of other peers.
A searcher sends a request to all of it’s “neighbours”.
This is forwarded to all of there neighbours, up to a fixed hops.
A
Peer-to-Peer File-Sharing
The search request includes A’s IP address.
Any peer with the requested file contacts A directly.
Peer “A” may then request the file.
A
Peer-to-Peer File-Sharing
No anonymity from peers inside the network:
The search message gives the searcher’s IP address and name of the files they are looking for.
By requesting a file, you can find out the IP address of all peers that are offering the file. A
MUTE• MUTE removes the IP address from the file exchange.
• Peers only know the IP address of their direct neighbours.
• Peers choose random “pseudo ID”.
• Files are not sent directly between peers. Instead files are sent via a number of peers.
• MUTE uses a version of the “Ants” ad-hoc routing protocol.
Anonymity Provided by MUTE
• MUTE makes it hard to link the IP address of a peer with its pseudo ID.
• Peers only know the ID address's of their direct neighbours, but not their pseudo ID.
• The network should provide enough cover to let a neighbour deny using a particular ID.
• If an attacker can completely surround a peer it looses anonymity.
MUTE: Search
The search takes place as before, but this time the message uses its pseudo ID as the “from ID”.
Each peer builds a routing table by
records the ID and the connection.
A probabilistic time-to-live counter limits the search.
A
A
A
A
A
AA
AA
MUTE: Reply
If B wants to reply it sends a message to A’s pseudo ID.
This message is routed using the ad-hoc routing table.
The route to B is also recorded
A
A
A
A
A
AA
AA
B
B
B
B
Un-forgeable Pseudo IDs
• MUTE using a hash of using authentication keys as the peers pseudo IDs.
• A peer generates a RSA signature key “kS” and an authentication key “kA”.
• The message header now has the form:
( to ID, #(kA), message ID-time_stamp,
FLAGS:(SkS(messageID-time_stamp), kA) )
Freenet and Free Haven
• There are a number of “anonymous publishing system”.
• For example Freenet and the MIX based Free Haven.
• These systems make the original author of a file anonymous, not the responder.
• Nodes will often cache files.Therefore you can “trick” a node into storing and “offering” a file.
Summary of methods
Some Kinds of Attack
• Timing attacks• System Membership• Time-to-Live Attacks (Mute, Mantis)• Multiple Attackers (Mute)• Statistical Attacks (MIXes)• Forced Repeat (Crowds)• Nodes Joining and Leaving• Denial of Service (Mute)
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE – Anonymous Publishing: Freenet