1 / 10

Slicing the Onion: Anonymous Routing without PKI

CS 259 Slicing the Onion: Anonymous Routing without PKI http://nms.lcs.mit.edu/~sachin/slicing.html Saurabh Shrivastava Bob Na Nb Nd Nc Alice What is Onion Routing - packets are encrypted in layers - each node decrypts the packet using its key, figures out the next hop

albert
Télécharger la présentation

Slicing the Onion: Anonymous Routing without PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 259 Slicing the Onion: Anonymous Routing without PKI http://nms.lcs.mit.edu/~sachin/slicing.html Saurabh Shrivastava

  2. Bob Na Nb Nd Nc Alice What is Onion Routing - packets are encrypted in layers - each node decrypts the packet using its key, figures out the next hop - usually public/private key pairs used, but here symmetric keys will be used - how to distribute the keys to nodes? use information slicing: split the key into lots of pieces, send them on disjoint paths to the respective target nodes

  3. Ic1Ic2Ia2Id1 Ia1Ia2Ic2IB2Ia1Id1 Id1Id2 Ne Alice Ie1 Nc IB2Ia1 Id2 Na Nd IB1Id2 Ia1 Bob Nb Ib1Ib2Ic1IB1Ia2Id2 IB1IB2Ia1Id2 Ia1Ia2 Key Distribution • Bob reassembles message it received from Ne and Nb to yield IB1, IB2 meant for him and also Ia1 to be sent to Na, Id2 to be sent to Nd. • here there are 3 stages (L), split factor is 2 (d)

  4. Anonymity • Degree of Anonymity • Measured as entropy of the system • Unlinkability • … of different actions by a single user • Source/Destination anonymity • Source is hidden from all nodes including destination, (same argument for destination) • We will focus on Source anonymity

  5. Ic1Ic2Ia2Id1 Ia1Ia2Ic2IB2Ia1Id1 Id1Id2 Alice Ie1 Ne IB2Ia1 Id2 Nc IB1Id2 Ia1 Bob Na Nd Ib1Ib2Ic1IB1Ia2Id2 IB1IB2Ia1Id2 Ia1Ia2 Nb Observations • If the adversary is in control of a stage, it can get all information about keys and nodes in subsequent stages • If the adversary doesn’t control all the nodes in a stage, it is as good as controlling only 1 node in that stage. • Adversary cannot correlate information if its nodes are not in consecutive stages • Best case scenario is when • 1st stage is compromised or else • the adversary has only 1 node in consecutive stages

  6. Nc Ng Nd Ne Alice Ie1 Bob Nf Na Nb Adversary Model • Adversary controls a fraction of nodes in the graph • It is able to figure out if it has nodes in consecutive stages and if it has multiple nodes in some stage • It knows about the parameters L (number of stages) and d (splitting factor) • It tries to find the single largest chain of its nodes and tries to guess that the node prior to its chain head is the source (its guess will be good only if its chain head lies in the first stage)

  7. Analysis • Given L, d, f, figure out all possible arrangements of adversary nodes in the graph (hard). More later. • For each arrangement figure out what is the longest chain of adversary nodes possible (easy) • Given the length of the chain, find out the likelihood of correct guess of the source (easy) e.g. if L is 10, chain length is 7, chances are 0.25 that the head is in stage 1 • The authors did it differently: they assumed a network of N=100,000 nodes, of which fraction f were malicious, chose L*d nodes from N (some of which were malicious) and ran simulations to find chain lengths.

  8. Anonymity: dependent on L • If L increases, the adversary nodes are spread out and it is more difficult to form unbroken chains with nodes in consecutive stages. • Broken chains render adversary nodes useless because it cannot correlate nodes if not part of the same chain

  9. Anonymity: dependent on d • When f is low, increasing d creates more chances for the adversary to have nodes in consecutive stage • When f is high, there is high likelihood that adversary controls an entire stage, so increasing d will break this scenario

  10. Analysis 2 • Didn’t use Murphi, or any tool, used C++ programs to achieve the “hard” part (Given L, d, f, figure out all possible arrangements of adversary nodes in the graph) • given L (6) , d (4), f (.25), m (6) = L * d * f; • find all partitions of m such that none of the terms is > d • find out how many 1-chain, 2-chain, 3-chain .. m-chains can be made $ ./arrangements 6 4 ../partitions/p6 m6d4 2 = 28 => given 2 stages with d=4, how many ways can we choose places for 6 adversary nodes (partitions used [2,4] [3,3] [4,2]) • for all possible permutations of m adversary nodes in L*d nodes find out frequency of 1 chain, 2 chain 3 chain ... m-chain $ ./chains 6 4 .25 L6d4f25 0xb 3 2 604800.000000 => 3 stages in which adversary nodes present (0 0 1 0 1 1) but the effective chain length is only 2. 604800 = all possible combinations of 6 adversary nodes when present in 3 stages with d=4.

More Related