
Anonymous Communication

Anonymous Communication. CSE 548 Lecture Prepared and presented by Vinayak Kandiah 10/08/07. Content Organization. Introduction to Anonymous Communication Introduction Anonymity using a Mix and Mix Networks Mix Network Classification Onion Routing Attacks on Mix Networks Split Mix


Presentation Transcript


  1. Anonymous Communication CSE 548 Lecture Prepared and presented by Vinayak Kandiah 10/08/07

  2. Content Organization • Introduction to Anonymous Communication • Introduction • Anonymity using a Mix and Mix Networks • Mix Network Classification • Onion Routing • Attacks on Mix Networks • Split Mix • Merge Mix • Using Split and Merge in Same Network. • C-Mix (a network coding type anonymous scheme) • Performance Evaluation • Conclusion CSE 548 - Advanced Computer/Network Security

  3. Introduction • Message secrecy achieved by cryptography. • Identities of communicating users and path info need to be hidden. • Wireless environment - identity associated with location. • Anonymity of a node is the state of not being identifiable within a given set of nodes [1]. • Different types of anonymity: • Source anonymity. • Destination anonymity. • Path anonymity.

  4. Anonymity using a Mix • “Mix” technique proposed by Chaum in 1981 [2]. • A single node called “Mix” re-orders and changes message appearances. • Uses some cryptographic operations. • Initially suggested as an anonymous re-mailer. • Obvious drawbacks – single point of failure, bottleneck, centralized secrets.

  5. Mix Networks • Chaum’s idea expanded to anonymous network communication. • Mix networks use multiple nodes which perform mixing operations. • Heavily uses cryptographic operations. • Various design choices available (also used as a basis for classification).

  6. Mix Network Classification Classified based on four main criteria [3]: • Node Operation • Continuous Mix: • Messages associated with random delay values. • Node holds for specified delay before forwarding. • Works with constant traffic rates. • Block/Pool Mix: • Messages held at node till a flushing condition is satisfied. • Flushing condition can be timed, threshold or hybrid. • Pool Mix – Not all messages are flushed every time. • Works even with variable traffic rates.

  7. Mix Network Classification • Networking Framework • Asynchronous Model: • Message transmissions not restricted by timing constraints. • Route length independence. • Usually chosen for large, vast networks (Internet). • Synchronous Model: • Distinct rounds of communication. • Senders transmit messages at start of a time period. • Path lengths need to be (fairly) the same. • In a round, users participate as either sender or receiver, NOT both.

  8. Mix Network Classification • Cryptographic Sequence • Decryption Network: • Sender encrypts message multiple times. • Path nodes decrypt before forwarding (to change appearance). • Re-encryption Network: • Sender encrypts once and attaches a trapdoor for intended receiver. • Path nodes try to solve trapdoor or re-encrypt and forward. • Normally used in wireless environments (MANET).

  9. Mix Network Classification • Routing Strategy • Source Routing: • Sender decides the path to the receiver. • Each path node only knows the previous and next nodes. • Loose Source Routing: • Sender specifies partial path to the destination. • Trusted intermediate nodes determine the remainder of the path. • Useful when sender doesn't know entire topology.

  10. Onion Routing • An implementation of mixes for low latency networks. • Onion routing uses: • Pool mixes. • Asynchronous framework. • Decryption. • Source Routing. • Three phases: Circuit initiation, data transfer and circuit destruction. • For circuit init., sender selects route and prepares a repeatedly encrypted message. • Order of public key encryption is reverse of path.

  11. Onion Routing • Consider the sample network and path shown in the figure. • In this case, order of public key encryption is R2, M5, M2 and M1. • Before each encryption a header is added. • Each node prior to decryption obtains: {next, Kf, Kb, TTL, {payload}}_MX [Figure: Sample network with path for onion routing.]

  12. Onion Routing • Each node knows previous and next hops, shared keys (Kf, Kb) and creates a VCI. • Receiver sends ACK on receiving the init onion. • Data Transfer: • Sender performs multiple symmetric encryptions using shared keys distributed. • Each node decrypts and forwards to corresponding VCI. • Message content and user identities are hidden. • Circuit destruction involves a KILL message to the path.

  13. Attacks on Mix Networks • Several attacks can compromise the anonymity of the network. • Some attacks weaken an anonymity scheme so that it can be compromised by other attacks. • Different types of attacks based on certain properties. • Types of attacks are enumerated, followed by selected examples.

  14. Attacks on Mix Networks • Passive vs. Active • Passive Attacks • The adversary does not interfere with communication. • Merely observes the network and performs analysis. • Active Attacks • Adversary modifies, removes or introduces messages in the network. • Can be detected in some cases. • Internal vs. External • Internal Attacks • Attacks where the operations performed inside a mix node are known. • Node either compromised or colludes with other nodes. • External Attacks • Operations performed by mix node are not revealed.

  15. Attacks on Mix Networks • Partial vs. Global • Partial Attacks • The adversary has access to only a limited portion of the network. • A successful attack may however break anonymity of network nodes outside this area. • Global Attacks • Adversary is able to view and launch attacks over the entire network. • Static vs. Adaptive • Static Attacks • The computational power and resources available to the adversary are fixed. • Adaptive Attacks • Resources available to the adversary increase as the attack progresses successfully.

  16. Attacks on Mix Networks Traffic Analysis Attack • Passive attack, involves observation of messages and related data. • Correlation analysis on data to reveal peer relationships. • Various attack models for traffic analysis. • Special Attack model involving only end point observation [4] – Fundamental limits on Mix Technique. • Synchronous framework where attacker only observes links connected to end users.

  17. Attacks on Mix Networks Traffic Analysis Attack • The attacker forms sender and receiver multisets for each round. • Multiset is a generalization of a Set which can contain the same element multiple times. • Example: {S1,S2,S3} → <R1,R1,R4> • Attacker obtains a set of receiver multisets for each sender subset. • Two cases considered: • Closed Sender: all senders participate in all communication rounds. • Open Sender: less than the total number of senders participate.

  18. Attacks on Mix Networks Traffic Analysis Attack • Peer relationships can be depicted as a bipartite graph. • The bipartite graph in turn can be characterized by a matrix. • Column headings are senders and row headings are receiver subsets. • Sum of weights of any column is 1. • Calculations performed based on multiset observations to obtain each weight in the matrix. [Figure: Bipartite graphs: individual and combined peer relationships.]

  19. Attacks on Mix Networks Blending Attack • Attacker identifies a target message in the network and the next mix node on its path. • Holds back all messages from entering this node. • Attacker injects fake packets into this node. • All fake packets have a common next hop. • Now, the target message is mixed. • Only the target message is forwarded to a different next hop.

  20. Traffic Re-distribution • Change traffic patterns in terms of number and size of messages. • Split messages to increase and merge to decrease number of messages. • Message size manipulation depends on padding policy. • For split mix, messages padded to conform to actual message size. • For merge mix, variable padding is applied (message size is multiple of a basic block size).

  21. Split Mix • Messages sent are split in the mix network. • Split messages follow different paths to the receiver. • Sender determines number of splits and splitting position in the network. • Sender prepares messages to be split in the network. • Only the sender and the splitting node know the details of splitting. • Originally proposed as Garlic Routing [5] to achieve better throughput and resilience.

  22. Split Mix • Sender prepares message by using different keys for encryption. • Splitting node decrypts and forwards split messages to different nodes. [Figure: Example of Split Mix and associated Garlic Message format.]

  23. Split Mix • Split mix can be used to defeat traffic analysis attacks. • Split mix can prevent the attacker from obtaining correct multisets. • Attacker will observe several potentially correct multisets. • When using these multiple multisets in closed and open sender calculations, errors and/or multiple solutions are obtained.

  24. Split Mix • Split Mix does not work when each receiver gets a message from only one sender. • As shown in the figure, even if messages are split, the multiset can be correctly obtained as <r1,r2,r3>.

  25. Split Mix • However, when receivers get messages from multiple senders, split mix (with padding) obscures the correct multiset. • As shown in the figure, possible multisets are <r1,r1,r3> and <r1,r3,r3>.

  26. Split Mix • When forming a multiset, it is obvious that each distinct receiver must appear at least once. • Remaining slots in the multiset equals the difference between the number of senders and receivers. • Assume a given no. of receivers (n_dr) and remaining slots (slots_rem). • Maximum no. of multisets (Max_rm) will be obtained when the number of splits for each message is greater than the remaining slots.
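The ambiguity described in slides 24 to 26 can be measured directly. The following is an added example, not part of the lecture: it assumes the observer sees only the number of padded, indistinguishable fragments arriving at each receiver in a round, so a receiver's true message count lies between 1 and its fragment count. The function names and the closed form in `max_multisets` (the standard count of multisets of size slots_rem over n_dr receivers) are assumptions of this example.

```python
from itertools import product
from math import comb


def candidate_multisets(num_senders, fragments_seen):
    """Receiver multisets consistent with one round of observation.

    fragments_seen maps receiver -> number of equal-sized fragments the
    observer saw arrive (constructed input, assumed observation model).
    Each distinct receiver appears at least once; the remaining slots
    (senders minus distinct receivers) go to receivers that showed
    enough fragments to plausibly hold another message.
    """
    receivers = sorted(fragments_seen)
    slots_rem = num_senders - len(receivers)
    if slots_rem < 0:
        raise ValueError("more distinct receivers than senders in the round")
    # A receiver can account for 1..min(fragments, 1 + slots_rem) messages.
    ranges = [range(1, min(fragments_seen[r], slots_rem + 1) + 1)
              for r in receivers]
    found = []
    for counts in product(*ranges):
        if sum(counts) == num_senders:
            found.append(tuple(r for r, c in zip(receivers, counts)
                               for _ in range(c)))
    return found


def max_multisets(n_dr, slots_rem):
    """Upper bound: ways to place slots_rem extra slots on n_dr receivers."""
    return comb(n_dr + slots_rem - 1, slots_rem)


if __name__ == "__main__":
    # Slide 24 situation: three senders, three receivers, splitting is useless.
    print(candidate_multisets(3, {"r1": 2, "r2": 2, "r3": 2}))
    # Slide 25 situation: three senders, two receivers, both see two fragments.
    print(candidate_multisets(3, {"r1": 2, "r3": 2}))
    # Without splitting the fragment counts are the message counts.
    print(candidate_multisets(3, {"r1": 2, "r3": 1}))
    # Bound is reached once every receiver shows more fragments than slots_rem.
    print(len(candidate_multisets(5, {"a": 3, "b": 3, "c": 3})),
          max_multisets(3, 2))
```

A single candidate means the round leaks the exact multiset; the defender's goal is to choose split counts so that the candidate list stays at the bound.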

  27. Merge Mix • Merge mixing is also based on traffic re-distribution. • Combines messages in the mix network. • Merging is per-hop instead of end-to-end (like in split mix) • Merging cannot be end-to-end because: • Senders do not share path info • Merging node cannot know destination of packets • Merging messages is a decision made by mix node and not sender.

  28. Merge Mix • Links in onion routing are TLS encrypted (using pair-wise keys). • To merge, the mix node encrypts messages with the same next hop with the pair-wise shared key. • Figure shows examples of merge mix. • End-to-end merging can be obtained only if two paths share a suffix.

  29. Merge Mix • Merge mix uses variable padding as shown in figure. • Merge mix obtains higher overall unlinkability at a mix node. • (n_i - 1)/2 times better (max), where n_i is the no. of input messages. • max is the scenario where no. of outputs = n_i - 1. • It reaches a slightly lower level of per message unlinkability (for max). • 0.99 for n_i > 20, where 1 is perfect unlinkability.

  30. Using Split and Merge Mixes in the Same Network • Split and Merge mixes could be used together to mitigate blending attacks. • When the target message results in 2 messages at the output. • The increase may be due to splitting or due to separation of previously merged message. • Either way, attacker needs to track additional path.

  31. Using Split and Merge Mixes in the Same Network • Split and merge mixes used concurrently could have varied results in traffic analysis. • Figure (a) shows a beneficial scenario where the multiset is wrongly observed as <r1,r1,r2,r3>. • Figure (b) shows a detrimental scenario where the split and mix cancel each other out.

  32. C-Mix • A technique to improve the computational efficiency of anonymous routing. • Based on properties of polynomial interpolation. • The message is reconstructed in a distributed manner (similar to network coding). • However, objective is to improve computational efficiency rather than communication efficiency.

  33. C-Mix • Polynomial Interpolation-Based Secret Sharing proposed by Shamir [6]. • A dealer picks a polynomial equation of degree k-1 of the following form: • The secret S to be shared is a0 which is the y intercept of the curve. • Now the dealer derives n points from the curve.

  34. C-Mix • ‘k’ co-ordinates are needed to obtain the polynomial equation of degree ‘k-1’. • If a(x) = y, then ‘k’ points (x1, y1)…(xk, yk) can reconstruct the polynomial by the Lagrange Interpolation Formula. • All computation can be performed over a field Zp. [Figure: Polynomial equation of degree 4 and a0 = 2.]

  35. C-Mix • A basic C-Mix scheme is described first to explain the working principles. • Then the basic C-Mix scheme is refined to be more anonymous and secure. Basic C-Mix: • For the circuit initiation phase, sender chooses a number K over the field Zp. • Sender constructs a polynomial with: • Degree = len (len is the no. of mix nodes in route). • a0 is K. • Values a1…alen are randomly chosen.

  36. C-Mix • Sender also chooses ‘len+1’ points on the curve needed. • Sender calculates for values 1≤ j ≤ len+1. • In the initial circuit setup phase the sender prepares headers in the form of an onion message. • Each layer of the header will have a (bj, yj) pair in addition to other details.

  37. C-Mix • Sender calculates b_1·y_1 and transmits the onion to the next hop. • This will continue till the receiver calculates b_{len+1}·y_{len+1}. • a0 doesn’t mean anything in this circuit initiation phase. • But it can be seen that the receiver can reconstruct the secret a0. • This is possible if each node calculates b_k·y_k and forwards it.

  38. C-Mix • For data transmission, the sender finds a curve of degree len+1 that shares len+1 points with the init curve and passes through the msg. • The only new point on the curve will be the point which the sender held in the circuit initiation. • In this way, the b values can be recalculated using the new x-coordinate and the receiver can reconstruct the message.

  39. C-Mix Example of Basic C-Mix • Assume the path sd → M1 → M2 → dn, where sd is the sender and dn is the destination. • Let sender chosen polynomial for circuit initiation be • Let 3 points on the curve be {(1, 27), (2, 40), (3, 59)} • Sender also calculates the values binit(1) = 3; binit(2) = -3; binit(dn) = 1. • Sender distributes the triplets {(1, 27, 3), (2, 40, -3), (3, 59, 1)} using onion routing.

  40. C-Mix • Now assume that the sender wishes to transmit 31 to the destination. • Sender chooses the following new curve which shares the 3 points from init and passes through (0,31). • Then new point (4,73) is found on the curve.

  41. C-Mix • The sender now calculates its new bsn(1) value as -1 and the payload as (-1)(73) = -73. • M1 receives this, updates its b1(1) value as 3(4/(4-1)) = 4 and calculates the new payload as -73 + (4)(27) = 35. • This procedure continues as shown in figure and the receiver derives the message as 31.
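The basic C-Mix walk-through of slides 35 to 41 can be reproduced end to end. This is an added example, not code from the lecture: the function names are made up here, and it uses exact rational arithmetic so the intermediate values match the slide's integers, whereas a deployment would do the same steps over the field Zp.

```python
from fractions import Fraction


def lagrange_at_zero(xs, j):
    """Coefficient b_j such that sum(b_j * y_j) equals the curve's value at x=0."""
    b = Fraction(1)
    for m, xm in enumerate(xs):
        if m != j:
            b *= Fraction(xm, xm - xs[j])
    return b


def interpolate(points, x):
    """Evaluate at x the unique polynomial through the given (x, y) points."""
    total = Fraction(0)
    for j, (xj, yj) in enumerate(points):
        term = Fraction(yj)
        for m, (xm, _) in enumerate(points):
            if m != j:
                term *= Fraction(x - xm, xj - xm)
        total += term
    return total


def circuit_init(points):
    """Triplets (x, y, b_init) that the sender distributes along the path."""
    xs = [x for x, _ in points]
    return [(x, y, lagrange_at_zero(xs, j)) for j, (x, y) in enumerate(points)]


def send(triplets, message, x_new):
    """Data transfer: returns the sender's new y and the payload after each hop."""
    points = [(x, y) for x, y, _ in triplets]
    # New curve: keeps every init point and passes through (0, message).
    y_new = interpolate([(0, message)] + points, x_new)
    # Sender's own coefficient for the new point (x_new, y_new).
    b_sender = Fraction(1)
    for x, _ in points:
        b_sender *= Fraction(x, x - x_new)
    payload = b_sender * y_new
    trace = [payload]
    for x, y, b_init in triplets:
        # Each hop rescales its stored b for the extra point, then adds b*y.
        b = b_init * Fraction(x_new, x_new - x)
        payload += b * y
        trace.append(payload)
    return y_new, trace


if __name__ == "__main__":
    # Points and message taken from the slides; path sd -> M1 -> M2 -> dn.
    triplets = circuit_init([(1, 27), (2, 40), (3, 59)])
    print([int(b) for _, _, b in triplets])
    y_new, trace = send(triplets, 31, 4)
    print(int(y_new), [int(p) for p in trace])
```

Each payload on the wire is a partial sum that reveals the message only after the last hop adds its term, which is what the later slides on hiding the x-coordinate and b values are protecting.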

  42. C-Mix • The basic scheme has the following vulnerabilities • The sender picks a new point whose x-coordinate needs to be propagated to the nodes. • If the value is transmitted as plain text, the attacker can observe it and track paths. • If the same value is used every time, the sum added to the payload remains the same. • So it is necessary to ensure that nodes update their b values without being tracked.

  43. C-Mix Globally determined x values • All nodes in the path keep track of the no. of messages sent through each VCI. • The sender uses this value and a global function to identify the new x-coordinate. • The path nodes can also determine this new value and update their b values. • An attacker cannot detect a circuit because all paths use the message count and the global function. • A maximum number of messages are allowed through a Virtual Circuit. • If the limit is reached, a new path is to be determined.

  44. C-Mix Multiple points for each node • Consider a case where the attacker has observed the incoming and outgoing payloads at a node. • In the basic scheme, the attacker would be able to identify the node's binit value (and calculate b values for forthcoming transmissions). • To mitigate this, each node receives multiple point triplets. • In this case, the degree of the curve used will be greater than the number of nodes. • The attacker on observing the incoming and outgoing packets can no longer obtain the secrets (because the number of points is hidden).

  45. C-Mix Security Properties • The secrecy of the transmitted message is based on the properties of polynomial interpolation. • As the receiver also holds certain points on the curve, C-Mix is secure against these attacks: • Colluding attack where all path nodes share information. • Blending attack from sender to receiver. • Traffic analysis attack after the number of points at each node is revealed.

  46. C-Mix Anonymity Properties • In case of a colluding attack • Path anonymity is maintained with at least one uncompromised node. • In a collusion by comparing global values, same anonymity as onion routing. • When a blending attack is carried out • The attacker needs to know the number of points at a node to identify the points. • Identifying the points in turn only leads to path information which is previously known. • Traffic Analysis Attack • Defeats simple schemes but is susceptible to long term traffic analysis like Hitting Set Attack. • Same level of anonymity as onion routing.

  47. Performance Evaluation Benchmark for Evaluation • The computation overhead introduced by split mix and efficiency of using C-Mix is evaluated. • Encryption/Decryption times for AES 256 observed using C++ cryptographic functions. • Time for multiplication and addition over a finite field Zp calculated using Maple 9.

  48. Performance Evaluation • Split Mix when used with padding introduces additional overhead into the network. • This is due to the additional data that needs to be decrypted in the network. • The various scenarios used for the computational overhead comparison are shown in the table. • Note that the case No Pad is the same as the time taken for onion routing.

  49. Performance Evaluation • The computation time taken by C-Mix is compared to onion routing for data transmission. • Different cases with different numbers of points in the network are considered. • First case assumes the message sizes to be the same as the finite field size. • C-Mix is faster for up to 40 points when message size <4096 bits.

  50. Performance Evaluation • Comparison for a fixed 1024 bit field size with AES 256 and varying field sizes. • The number of points is fixed at 30. • When 1024 bit field is used, C-Mix is faster compared to AES 256 for all message sizes.
