Hashing it Out in Public: Common Failure Modes of DHT-based Anonymity Schemes

Hashing it Out in Public: Common Failure Modes of DHT-based Anonymity Schemes. Andrew Tran, Nicholas Hopper, Yongdae Kim. Presenter: Josh Colvin, Fall 2011. Anonymous networks serve as an important tool for online privacy, censorship resistance, and surveillance evasion.


Presentation Transcript


  1. Hashing it Out in Public: Common Failure Modes of DHT-based Anonymity Schemes • Andrew Tran, Nicholas Hopper, Yongdae Kim • Presenter: Josh Colvin, Fall 2011

  2. Anonymous Networks • Serve as an important tool • Online privacy • Censorship resistance • Surveillance evasion • Safeguarding freedom of expression online

  3. Anonymity Guidelines • Hiding among more users provides stronger anonymity • Usability, latency, and scalability therefore contribute to security

  4. Clarification • All schemes considered here fall under certain specific criteria • Based on the circuit model • Provide low-latency connections • Anonymity based on limited knowledge of the circuit

  5. Tor • Relies on a global list of all active nodes in the network • Limited scalability due to quadratic communication costs

  6. Distributed Hash Table • Each node is assigned an identifier (nodeID) • Specific data are also assigned keys • The overlay designates ownership of a set of keys to a single live node (the root) • Each node maintains a routing table • Every routing table maintains a number of distinct entries

  7. DHT Queries • Two main types of queries • Recursive • Iterative • Both processes take O(log n) steps

  8. Recursive Queries • Source gives control of the query to the closest node to the target • Process repeats until the root is found (or not) • Passes data back

  9. Iterative Queries • Source requests data from the node in its routing table with the greatest prefix match • Queried node responds with the location of a node with a greater prefix match • Source node continues the chain of queries until no greater match can be found • The result must now be the intended target (if it exists)

  10. Recursive Query Example (diagram; node labels A, B, C, D)

  11. Iterative Query Example (diagram; node labels A, B, C, D)

  12. Note on Routing Types • With recursive routing, a node failure does not necessarily identify the source of the failure • Selective non-cooperation is possible without running the risk of being blacklisted • Iterative routing does not share this problem • Passive attacks on anonymity can occur

  13. DHT Attacks • Two main security issues • Passing a query through a malicious node is statistically likely • Query result accuracy is difficult to verify

  14. Query Capture • Query is captured if any hops used are controlled by an attacker • With a small fraction (< 20%) of compromised nodes, this can be very likely

  15. Adversary’s Options • Once an attacker has a captured query, he has three options • Forward the query to a malicious (or possibly nonexistent) node • Drop the query • Log the query

  16. Mitigating Attacks • Several options for minimizing the ability of adversaries to operate effectively • Make nodeIDs verifiable • Redundant queries • “Density check”

  17. Verifiable nodeIDs • Can be implemented by hashing IP addresses for use as nodeIDs • Attackers cannot place a malicious node without controlling an IP address that maps to the desired space • Unable to easily support NAT boxes without a security tradeoff

  18. Redundant Queries • Multiple routes are followed • Precautions must be taken to prevent path convergence • Increases bandwidth overhead • Increased likelihood of identity compromise • On average, the majority of paths will be compromised • Cannot easily distinguish valid responses
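The capture figures on slides 14 and 18 follow from a simple model, worked through here as an added example that is not part of the original presentation. It assumes each hop is an independent draw from a population in which a fraction `f` of nodes is malicious, and that redundant paths are independent of each other; the function names are hypothetical.

```python
from math import comb

def capture_probability(f: float, hops: int) -> float:
    """P(at least one of `hops` independently chosen nodes is malicious)."""
    if not 0.0 < f < 1.0:
        raise ValueError("f must be a fraction strictly between 0 and 1")
    return 1.0 - (1.0 - f) ** hops

def min_hops_for_majority(f: float) -> int:
    """Smallest path length at which a lookup is more likely captured than not."""
    hops = 1
    while capture_probability(f, hops) <= 0.5:
        hops += 1
    return hops

def majority_captured(f: float, hops: int, paths: int) -> float:
    """P(more than half of `paths` independent redundant lookups are captured)."""
    p = capture_probability(f, hops)
    need = paths // 2 + 1
    return sum(comb(paths, k) * p**k * (1 - p) ** (paths - k)
               for k in range(need, paths + 1))

if __name__ == "__main__":
    # Constructed scenario: 20% malicious nodes, 5 redundant paths.
    print("hops  P(capture)  P(majority of 5 paths captured)")
    for hops in (2, 4, 6, 8, 10):
        print(f"{hops:4d}  {capture_probability(0.2, hops):10.3f}"
              f"  {majority_captured(0.2, hops, 5):10.3f}")
```

Under this model, once a lookup takes four or more hops at 20% compromise, a voting scheme over redundant paths is more likely to be outvoted by captured paths than not.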

  19. “Density Check” • Tests if the distance between a result node and the key is consistent with the distribution of nodeIDs near the source • If this distance is too large (e.g. 1.5x greater), the result of the query is rejected • Must have a sufficiently large number of nodes to be accurate
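A sketch of the verifiable nodeIDs from slide 17 combined with the density check from slide 19, added here as an example and not taken from the presentation or from any of the surveyed schemes. Assumptions: a 160-bit ID space, nodeID = SHA-1 of the packed IP address, and a threshold of 1.5 times the mean spacing the source sees among its own neighbours; all names and sample addresses are constructed.

```python
import hashlib
import ipaddress

ID_BITS = 160                      # assumed ID space (SHA-1 output size)
RING = 1 << ID_BITS
GAMMA = 1.5                        # rejection factor, from the slide's "1.5x" example

def node_id(ip: str) -> int:
    """nodeID bound to an address: SHA-1 over the packed IP (assumed encoding)."""
    packed = ipaddress.ip_address(ip).packed
    return int.from_bytes(hashlib.sha1(packed).digest(), "big")

def id_matches_ip(claimed_id: int, ip: str) -> bool:
    """Any peer can recompute the hash, so a node cannot pick its own position."""
    return claimed_id == node_id(ip)

def ring_distance(a: int, b: int) -> int:
    d = (a - b) % RING
    return min(d, RING - d)

def local_gap(own_id: int, neighbour_ids) -> float:
    """Mean spacing between adjacent nodeIDs in the source's own neighbourhood."""
    # Re-centre on own_id so a neighbourhood that wraps past zero sorts correctly.
    centred = {(i - own_id + RING // 2) % RING for i in neighbour_ids} | {RING // 2}
    offs = sorted(centred)
    gaps = [b - a for a, b in zip(offs, offs[1:])]
    if not gaps:
        raise ValueError("need at least one neighbour to estimate density")
    return sum(gaps) / len(gaps)

def density_check(key: int, result_id: int, own_id: int, neighbour_ids) -> bool:
    """Accept only if the claimed root is no farther from the key than
    GAMMA times the spacing the source observes around itself."""
    return ring_distance(result_id, key) <= GAMMA * local_gap(own_id, neighbour_ids)

if __name__ == "__main__":
    # Constructed population: 4096 honest addresses and 8 attacker addresses.
    honest = [node_id(str(ip)) for ip in ipaddress.ip_network("10.0.0.0/20")]
    evil = [node_id(f"203.0.113.{i}") for i in range(1, 9)]
    me = honest[0]
    leaf_set = sorted(honest[1:], key=lambda n: ring_distance(n, me))[:16]
    key = int.from_bytes(hashlib.sha1(b"constructed lookup key").digest(), "big")
    for label, pool in (("honest root", honest), ("attacker's closest", evil)):
        claimed = min(pool, key=lambda n: ring_distance(n, key))
        print(label, "accepted:", density_check(key, claimed, me, leaf_set))
```

The check is statistical: an honest root that happens to sit in a sparse region can be rejected, and a small neighbour set gives a noisy spacing estimate, which is the accuracy limitation the slide notes.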

  20. Insecure Relay Selection • Lack of proper security measures applied to DHT lookups • In general, traditional security methods are insufficient to prevent a bias towards selecting malicious nodes • No clear method to verify if a particular peer is the current root of a key • A malicious node could claim to be the correct result of a query

  21. Insecure Relay Selection, Cont. • A malicious node may return offline nodes • A threshold-type scheme may also prove unreliable • On average, the majority of redundant routes will pass through a malicious node

  22. Vulnerable Schemes • Out of ten different DHT-based anonymous overlay networks: • Two specify mechanisms to prevent DHT lookup failures • Five use overlay circuit extension with no provisions for redundant routing • The remaining three make no provisions for robustness

  23. Questions?
