Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems

Dec 15, 2015


Graham Edginton

Modelling and Analysing of Security Protocol: Lecture 10

Anonymity: Systems


Today’s Lecture

• Practical course issues.
• Theoretical anonymity.
– Dining Cryptographers Protocol
– Definitions of Anonymity
– The Crowds Protocol

BREAK

• Practical anonymous systems
– Onion Routing and the Tor System
– Mix Networks
– Anonymous File-sharing Systems: MUTE
– Anonymous Publishing: Freenet


Crowds

• A crowd is a group of n nodes
• The initiator selects randomly a node (called forwarder) and forwards the request to it
• A forwarder:
– With prob. 1-pf selects randomly a new node and forwards the request to him
– With prob. pf sends the request to the server


Crowds

• The sender is beyond suspicion to the server.

• Some of the nodes could be corrupted.

• The initiator could forward the message to a corrupted node.

• The sender has probable innocence to other nodes.
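
The forwarding rule and the "probable innocence" claim above can be checked numerically. The following is an added example, not part of the lecture: it simulates the rule with c corrupted members and compares the result with the closed form from Reiter and Rubin's analysis. The function names, the uniform choice over all members (including the current one) and the sample parameters are assumptions.

```python
import random

def p_predecessor_is_initiator(n, c, pf):
    """Closed form: chance that the member seen by the first corrupted node
    on a path is the real initiator, given the path hits a corrupted node."""
    # pf as on the slide: probability of sending to the server (Reiter and
    # Rubin's paper uses p_f for the forwarding probability instead).
    forward = 1 - pf
    return 1 - forward * (n - c - 1) / n

def probable_innocence(n, c, pf):
    """True if the observed predecessor is no more likely than not the initiator."""
    return p_predecessor_is_initiator(n, c, pf) <= 0.5

def simulate(n, c, pf, trials=100_000, seed=1):
    """Monte Carlo run of the forwarding rule; returns the estimated probability."""
    rng = random.Random(seed)
    hit = blamed = 0
    for _ in range(trials):
        initiator = rng.randrange(n - c)       # members 0..n-c-1 are honest
        current = initiator
        while True:
            nxt = rng.randrange(n)             # assumption: uniform over all members
            if nxt >= n - c:                   # members n-c..n-1 are corrupted
                hit += 1
                blamed += current == initiator # corrupted node sees its predecessor
                break
            current = nxt
            if rng.random() < pf:              # forwarder submits to the server
                break
    return blamed / hit

if __name__ == "__main__":
    for n, c, pf in [(20, 3, 0.25), (5, 3, 0.25)]:   # constructed parameters
        print(n, c, pf, round(simulate(n, c, pf), 3),
              p_predecessor_is_initiator(n, c, pf), probable_innocence(n, c, pf))
```

With 3 corrupted members out of 20 the initiator keeps probable innocence; with 3 out of 5 the first corrupted node's predecessor is the initiator most of the time.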


Crowds

• Problem: many people won’t forward traffic for others.

• A practical system has to make forwarding traffic for others optional or controllable.


Onion Routing

• Each node makes its key public

• The initiator selects the whole route and encrypts the message with all keys in reverse order

• Each node unwraps a layer and forwards the message to the next one

Initiator → 1: {2,{3,{server,m}k3}k2}k1
1 → 2: {3,{server,m}k3}k2
2 → 3: {server,m}k3
3 → server: m


Onion Routing

• Each node only learns the next one in the path
• End-users can run their own node
– Better anonymity
• or use an existing one
– More efficient
– User's identity is revealed to the node
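
The layering described on the two Onion Routing slides, as an added example that is not part of the lecture and not Tor's code: the initiator wraps the message for the route 1, 2, 3 in reverse key order and each node removes one layer, learning only its next hop. A toy symmetric cipher (SHA-256 keystream plus HMAC) stands in for encryption under each node's public key; the node names, keys and function names are assumptions.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    """SHA-256 in counter mode as a keystream (toy cipher, illustration only)."""
    out = b"".join(hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, plaintext):
    """Encrypt one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Remove one layer; fails if the layer was not made for this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer is not encrypted for this node")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(path, dest, message, keys):
    """Build {2,{3,{server,m}k3}k2}k1: innermost layer first, keys in reverse order."""
    onion = message
    for node, nxt in reversed(list(zip(path, path[1:] + [dest]))):
        onion = seal(keys[node], nxt.encode() + b"\x00" + onion)
    return onion

def relay(first, onion, keys):
    """Each node removes one layer; record the only thing it learns: the next hop."""
    node, learned = first, []
    while node in keys:                         # stop when the next hop is not a relay
        nxt, _, onion = unseal(keys[node], onion).partition(b"\x00")
        learned.append((node, nxt.decode()))
        node = nxt.decode()
    return learned, onion

# Constructed per-node keys standing in for the nodes' published keys.
KEYS = {name: os.urandom(32) for name in ("1", "2", "3")}

if __name__ == "__main__":
    onion = wrap(["1", "2", "3"], "server", b"GET /index.html", KEYS)
    print(relay("1", onion, KEYS))
```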


Tor

• Tor implements this protocol.

• Several hundred volunteer nodes.

• Firefox plug-in.

• Managed by the US Navy.


Problems with Tor

• You reveal your IP to the first node, and the last node sees who you are talking to.

• If an attacker controls the first and the last node they may be able to match the packets using traffic analysis.

• No anonymity from an attacker that monitors the whole network.

• Some protocols broadcast their IP address.


MIXes

• MIXes are proxies that forward messages between them

• A user contacts a MIX to send a message

• The MIX waits until it has received a number of messages, then forwards them in different order


MIXes

• It is difficult to trace the route of each message.

• May provide beyond suspicion S-R unlinkability even to a global attacker.

• Messages have to be delayed (can be solved with dummy traffic).

• More complicated when sending a series of packets.


Multi-casting

• Broadcast the message to the whole network.

• Beyond suspicion for the receiver.

• No anonymity for the sender.

• Multicasting is a good technique for broadcasting messages, but very inefficient to send just one message.


Spoofed UDP

• The from IP address is not used by routers, only by higher-level protocols such as TCP.

• UDP does not have to use this address.

• A random address can be used instead to provide sender anonymity.

• Method prohibited by many ISPs.


Anonymous File-Sharing system

800,000 downloads

Informal description

Source code

Appeal for donations


Peer-to-Peer File-Sharing

In newer networks peers record the IP address of other peers.

A searcher sends a request to all of its “neighbours”.

This is forwarded to all of their neighbours, up to a fixed number of hops.


Peer-to-Peer File-Sharing

The search request includes A’s IP address.

Any peer with the requested file contacts A directly.

Peer “A” may then request the file.


Peer-to-Peer File-Sharing

No anonymity from peers inside the network:

The search message gives the searcher’s IP address and name of the files they are looking for.

By requesting a file, you can find out the IP address of all peers that are offering the file.

MUTE

• MUTE removes the IP address from the file exchange.

• Peers only know the IP address of their direct neighbours.

• Peers choose random “pseudo ID”.

• Files are not sent directly between peers. Instead files are sent via a number of peers.

• MUTE uses a version of the “Ants” ad-hoc routing protocol.


Anonymity Provided by MUTE

• MUTE makes it hard to link the IP address of a peer with its pseudo ID.

• Peers only know the IP addresses of their direct neighbours, but not their pseudo IDs.

• The network should provide enough cover to let a neighbour deny using a particular ID.

• If an attacker can completely surround a peer it loses anonymity.


MUTE: Search

The search takes place as before, but this time the message uses its pseudo ID as the “from ID”.

Each peer builds a routing table by recording the ID and the connection.

A probabilistic time-to-live counter limits the search.


MUTE: Reply

If B wants to reply it sends a message to A’s pseudo ID.

This message is routed using the ad-hoc routing table.

The route to B is also recorded.

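
The search and reply steps of the two MUTE slides above, as an added example that is not MUTE's own code: a flooded search leaves "pseudo ID → incoming connection" entries at every peer, and the reply follows those entries back while recording the reverse route. The overlay, the peer names, the IDs and the fixed hop limit (in place of the probabilistic time-to-live counter) are assumptions.

```python
from collections import deque

# Constructed overlay: each peer knows only the connections listed for it.
OVERLAY = {"p1": ["p2", "p3"], "p2": ["p1", "p4"], "p3": ["p1", "p4"],
           "p4": ["p2", "p3", "p5"], "p5": ["p4"]}
OWN_ID = {"p1": "ID_A", "p5": "ID_B"}    # pseudo IDs, known only to their owners

def new_tables():
    """One empty routing table (pseudo ID -> neighbour connection) per peer."""
    return {peer: {} for peer in OVERLAY}

def search(tables, origin, max_hops=4):
    """Flood a search from origin; each peer records from-ID -> incoming connection."""
    from_id, seen, queue = OWN_ID[origin], {origin}, deque([(origin, 0)])
    while queue:
        peer, hops = queue.popleft()
        if hops == max_hops:          # fixed limit standing in for the probabilistic TTL
            continue
        for nb in OVERLAY[peer]:
            if nb not in seen:        # later copies of the same message are dropped
                seen.add(nb)
                tables[nb][from_id] = peer
                queue.append((nb, hops + 1))
    return seen

def send(tables, sender, to_id):
    """Route hop by hop to to_id; each hop also records the way back to the sender's ID."""
    from_id, peer, path = OWN_ID[sender], sender, [sender]
    while OWN_ID.get(peer) != to_id:  # models each peer checking whether the ID is its own
        nxt = tables[peer][to_id]     # a neighbour connection, never an end-point address
        tables[nxt].setdefault(from_id, peer)
        peer = nxt
        path.append(peer)
    return path

if __name__ == "__main__":
    t = new_tables()
    search(t, "p1")
    print(send(t, "p5", "ID_A"), t["p4"])
```

The table at p4 ends up holding two IDs and two neighbour connections; nothing in it says which peers own ID_A or ID_B.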


Un-forgeable Pseudo IDs

• MUTE uses hashes of authentication keys as the peers' pseudo IDs.

• A peer generates an RSA signature key “kS” and an authentication key “kA”.

• The message header now has the form:

(to ID, #(kA), messageID-time_stamp, FLAGS:(SkS(messageID-time_stamp), kA))
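
How a receiving peer could check such a header, as an added example that is not MUTE's code: the from-ID must equal the hash of the attached kA, and kA must verify the signature over messageID-time_stamp. It assumes kS and kA are the private and public halves of one RSA key pair and uses textbook RSA without padding on constructed keys; the field names and helper functions are assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA from two given primes (no padding; illustration only)."""
    n = p * q
    return pow(e, -1, (p - 1) * (q - 1)), f"{n:x}:{e:x}".encode()   # (kS, kA)

def _h(data):
    """SHA-256 digest as an integer, the value that gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def pseudo_id(ka):
    """The slide's #(kA): the pseudo ID is a hash of the authentication key."""
    return hashlib.sha256(ka).hexdigest()

def make_header(to_id, ks, ka, msg_id_ts):
    """Header fields as on the slide; 'sig' and 'ka' are the FLAGS part."""
    n = int(ka.split(b":")[0], 16)
    return {"to": to_id, "from": pseudo_id(ka), "id_ts": msg_id_ts,
            "sig": pow(_h(msg_id_ts), ks, n), "ka": ka}

def verify_header(h):
    """Accept only if the from-ID is the hash of kA and kA verifies the signature."""
    if pseudo_id(h["ka"]) != h["from"]:
        return False                  # attached key does not belong to the claimed ID
    n, e = (int(x, 16) for x in h["ka"].split(b":"))
    return pow(h["sig"], e, n) == _h(h["id_ts"])

# Constructed keys built from Mersenne primes so the block runs offline;
# real keys come from a vetted library with proper padding.
ALICE = make_key(2**521 - 1, 2**607 - 1)
MALLORY = make_key(2**607 - 1, 2**1279 - 1)

if __name__ == "__main__":
    good = make_header("ID_B", *ALICE, b"msg42-1450137600")
    spoof = make_header("ID_B", *MALLORY, b"msg43-1450137601")
    spoof["from"] = pseudo_id(ALICE[1])            # claims Alice's pseudo ID
    print(verify_header(good), verify_header(spoof))
```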


Freenet and Free Haven

• There are a number of “anonymous publishing systems”.

• For example Freenet and the MIX based Free Haven.

• These systems make the original author of a file anonymous, not the responder.

• Nodes will often cache files. Therefore you can “trick” a node into storing and “offering” a file.


Summary of methods


Some Kinds of Attack

• Timing attacks
• System Membership
• Time-to-Live Attacks (Mute, Mantis)
• Multiple Attackers (Mute)
• Statistical Attacks (MIXes)
• Forced Repeat (Crowds)
• Nodes Joining and Leaving
• Denial of Service (Mute)


Today’s Lecture

• Practical course issues.
• Theoretical anonymity.
– Dining Cryptographers Protocol
– Definitions of Anonymity
– The Crowds Protocol

BREAK

• Practical anonymous systems
– Onion Routing and the Tor System
– Mix Networks
– Anonymous File-sharing Systems: MUTE
– Anonymous Publishing: Freenet