Download
towards a theory of onion routing n.
Skip this Video
Loading SlideShow in 5 Seconds..
Towards a Theory of Onion Routing PowerPoint Presentation
Download Presentation
Towards a Theory of Onion Routing

Towards a Theory of Onion Routing

178 Views Download Presentation
Download Presentation

Towards a Theory of Onion Routing

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008

  2. Overview • Anonymous communication and onion routing • Formally model and analyze onion routing(Financial Cryptography 2007) • Probabilistic analysis of onion routing(Workshop on Privacy in the Electronic Society 2007) 1

  3. Setting Anonymous Communication:What? 2

  4. Setting Communication network Anonymous Communication:What? 2

  5. Setting Communication network Adversary Anonymous Communication:What? 2

  6. Setting Communication network Adversary Anonymity Anonymous Communication:What? 2

  7. Setting Communication network Adversary Anonymity Sender anonymity Anonymous Communication:What? 2

  8. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Anonymous Communication:What? 2

  9. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Anonymous Communication:What? w.r.t. amessage 2

  10. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Unlinkability Anonymous Communication:What? w.r.t. amessage 2

  11. Setting Communication network Adversary Anonymity Sender anonymity Receiver anonymity Unlinkability Anonymous Communication:What? w.r.t. amessage w.r.t. all communication 2

  12. Anonymous Communication:Why? 3

  13. Useful Individual privacy online Corporate privacy Government and foreign intelligence Whistleblowers Anonymous Communication:Why? 3

  14. Useful Individual privacy online Corporate privacy Government and foreign intelligence Whistleblowers Interesting How to define? Possible in communication networks? Cryptography from anonymity Anonymous Communication:Why? 3

  15. Anonymous Communication Protocols • Mix Networks (1981) • Dining cryptographers (1988) • Onion routing (1999) • Anonymous buses (2002) 4

  16. Anonymous Communication Protocols • Tarzan (2002) • Hordes (2002) • Salsa (2006) • ISDN,pool,Stop-and-Go,timed,cascademixes • etc. • Mix Networks (1981) • Dining cryptographers (1988) • Onion routing (1999) • Anonymous buses (2002) • Crowds (1998) • PipeNet (1998) • Xor-trees (2000) 4

  17. Deployed Anonymity Systems • anon.penet.fi • Freedom • Mixminion • Mixmaster • Tor • JAP • FreeNet • anonymizer.com and other single-hop proxies • I2P • MUTE • Nodezilla • etc. 5

  18. Onion Routing • Practical design with low latency and overhead • Open source implementation (http://tor.eff.org) • Over 1000 volunteer routers • Estimated 200,000 users • Sophisticated design 6

  19. Anonymous Communication Mix Networks Dining cryptographers Onion routing Anonymous buses Deployed Analyzed 7

  20. A Model of Onion Routing with Provable AnonymityJohnson, Feigenbaum, and SyversonFinancial Cryptography 2007 • Formally model onion routing using input/output automata • Characterize the situations that provide possibilistic anonymity 8

  21. How Onion Routing Works 1 2 u d 3 5 User u running client Internet destination d 4 Routers running servers 9

  22. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  23. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  24. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers 9

  25. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d 9

  26. How Onion Routing Works {{{m}3}4}1 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  27. How Onion Routing Works 1 2 u d 3 5 {{m}3}4 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  28. How Onion Routing Works 1 2 u d 3 5 {m}3 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  29. How Onion Routing Works 1 2 u m d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  30. How Onion Routing Works 1 2 u d m’ 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  31. How Onion Routing Works 1 2 u d 3 5 4 {m’}3 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  32. How Onion Routing Works 1 2 u {{m’}3}4 d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  33. How Onion Routing Works 1 2 {{{m’}3}4}1 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged 9

  34. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged. • Stream is closed. 9

  35. How Onion Routing Works 1 2 u d 3 5 4 • u creates l-hop circuit through routers • u opens a stream in the circuit to d • Data are exchanged. • Stream is closed. • Circuit is changed every few minutes. 9

  36. How Onion Routing Works 1 2 u d 3 5 4 10

  37. How Onion Routing Works 1 2 u d 3 5 4 11

  38. How Onion Routing Works 1 2 u d 3 5 4 Theorem 1: Adversary can only determine parts of a circuit it controls or is next to. 11

  39. How Onion Routing Works 1 2 u d 3 5 4 u 1 2 Theorem 1: Adversary can only determine parts of a circuit it controls or is next to. 11

  40. Model • Constructed with I/O automata(Lynch & Tuttle, 1989) • Models asynchrony • Relies on abstract properties of cryptosystem • Simplified onion-routing protocol • Each user constructs a circuit to one destination • No separate destinations • No circuit teardowns • Circuit identifiers 12

  41. Automata Protocol u v w 13

  42. Automata Protocol u v w 13

  43. Automata Protocol u v w 13

  44. Automata Protocol u v w 13

  45. Automata Protocol u v w 13

  46. Automata Protocol u v w 13

  47. Automata Protocol u v w 13

  48. Automata Protocol u v w 13

  49. Automata Protocol u v w 13

  50. Automata Protocol u v w 13