360 likes | 376 Vues
Attacks on Mixes. R. Newman. Topics. Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology. Attackers. Passive Attacker
E N D
Attacks on Mixes R. Newman
Topics • Defining anonymity • Need for anonymity • Defining privacy • Threats to anonymity and privacy • Mechanisms to provide anonymity • Metrics for Anonymity • Applications of anonymity technology
Attackers • Passive Attacker • Local – only detect traffic to/from one node • Global – detect all messages • Still, can only see src and dest (assume lengths all same, contents disguised) • Active Attacker • Delay • Destroy • Modify • Replay • Fabricate
Attackers • Active Attacker – targetting a specific msg • Can manipulate batch of msgs entering Mix • Trickle Attack • Delay or drop most msgs (timed Mix) • Flood Attack • Inject attacker messages • Blending Attacks • Trickle or flood • Aim: • Only one unknown message in batch
Attackers • GAAs • Can treat as two separate, cooperating attackers • Global Inserting Attacker • Global delaying Attacker • GIA • Can insert any number of messages anywhere • Can do this in constant time • Models unauthenticated systems (what else?) • GDA • Treat deleting message as infinite delay
N-1 Attack • Threshold Mix • Threshold = N • Inject N-1messages into batch • Only the one message under attack is unknown • Know where the N-1 go • See where the other one goes • Repeat at each Mix until true destination known
Attack Classes • Exact • Attacker knows destination exactly • Attacker knows when attack succeeds • Anonymity is 0 • Certain • Attack always has the power to do this • Attack always works in finite time
Mix Classes • By resistance to Blending Attacks • Strongly Resistant • No blending attack can reduce anonymity of any message at all • Blending attack anonymity k • No blending attack can reduce the anonymity of any message below a constant k (AS size)
Mix Classes • By resistance to Blending Attacks • Vulnerable to non-exact, uncertain BAs • GAA can always reduce anonymity, but never to zero • Vulnerable to exact, uncertain BAs • GAA can always reduce anonymity to 0, but may need to spend arbitrary resources (msges, time) • Vulnerable to exact, certain BAs • GAA can always reduce anonymity to 0, with finite resources (msges, time)
Mix Classes • By resistance to Blending Attacks • Note that the list may not be in order of increasing vulnerability in a practical sense • Resources matter!
Threshold Mix • Fires when N messages arrive • Min delay is epsilon, max is infinite • Mean delay is N/2r, where r = arrival rate • Min anonymity set size is N • Distinct senders, distinct receivers
Threshold Mix • Fires when N messages arrive • Blending attack behavior • Susceptible to flooding attack • Min msgs is N-1, max is 2N-2 • Does not require delay
Threshold Mix • Fires when N messages arrive • Blending attack behavior • Susceptible to flooding attack • Min msgs is N-1, max is 2N-2 • Does not require delay Mix with N=5 Mix 2 Mix 1 Can allow other good messages to arrive, or send bad messages to flush target good good good good good
Threshold Mix • Fires when N messages arrive • Blending attack behavior • Susceptible to flooding attack • Min msgs is N-1, max is 2N-2 • Does not require delay Mix 2 Send bad messages to flush mix good Mix 1 good target bad bad bad Delay the new good messages bad
Threshold Mix • Fires when N messages arrive • Blending attack behavior • Susceptible to flooding attack • Min msgs is N-1, max is 2N-2 • Does not require delay Watch where other message goes Mix 2 good Mix 1 good target bad bad bad Know where bad messages are going bad
Timed Mix • Fires every T seconds • Min delay is epsilon e, max is T-e • Mean delay is T/2 • Min anonymity set size is 0, max is infinite • In theory... In practice, limited by rate and memory • Distinct senders, distinct receivers • Mean AS size is rT, where r is arrival rate
Timed Mix • Fires every T seconds • Blending attack behavior • Susceptible to exact, certain attack • Trickle • Delay target message until Mix fires • Delay all but target message • Takes max time of 2T-e, min of e • Does not require insertions • Can happen naturally in low traffic conditions!
Threshold OR Timed Mix • Fires every T seconds or when N msgs arrive • Min delay is epsilon e, max is T-e • Mean delay is T/2 • Min anonymity set size is 0, max is N • Mean AS size is ... • min(N, rT), where r is arrival rate
Threshold OR Timed Mix • Fires every T seconds or when N msgs arrive • Blending attack behavior • Worst of both worlds!!! • Susceptible to exact, certain attack • Trickle or Flood! • Min of 0 insertions with max time of 2T-e, min of e • Max of 2(N-1) insertions in e seconds
Threshold AND Timed Mix • Waits for at least T seconds and N msgs • Min delay is epsilon e, max is infinite • Mean delay is T/2 • Min anonymity set size is N, max is infinite • Mean AS size is ... • max(N, rT), where r is arrival rate
Threshold AND Timed Mix • Waits for at least T seconds and N msgs • Blending attack behavior • Combined blending attack is exact and certain • Trickle and Flood! • Must delay non-target messages • Must insert dummy messages • Max time of 2T-e, min of e • Max of 2(N-1) insertions and min of N-1 insertions
Pool Mixes • Maintains a pool of F messages • Initializes pool • With dummy messages or ... • Waits for F initial messages before normal ops • May be timed, threshold, or combination • Make attacks uncertain, increase cost
Threshold Pool Mix • Fires when N new messages arrive • Sends uniform random selection of N, keeps F • Min delay is epsilon, max is infinite • Infinite even if Mix fires infinitely many times! • Mean delay is 1 + F/(N+F) rounds • Mean round rate is N/r where r is arrival rate • Mean delay is (N/r)(1 + F/(N+F)) • Anonymity set size – must resort to info theory • Amax = -(1-F/N) lg (N+F) + (F/N) lg F • Min AS size is N (assumes distinct senders)
Threshold Pool Mix • Blending attack behavior • Generally have two phases: • Flush good messages out of Mix • Insert bad messages into Mix • Problem: • Can never be sure good message is flushed! • Attack becomes uncertain! • Is still exact (attacker knows when Mix is clean)
Threshold Pool Mix • Blending attack behavior • Exact but uncertain • Prob(msg still in Mix after r rounds) = [F/(N+F)]r • If there were G good messages in Mix at start, Exp(# good msgs in Mix) = G [F/(N+F)]r • Prob(all good messages have left Mix by round r) = [1 – (F/(N+F))r ]M • M ranges between F and N+F
Threshold Pool Mix • Blending attack behavior • Prob(all good messages have left Mix by round r) = [1 – (F/(N+F))r ]M • Example: N = 100, F = 60 • Average delay = 1.6 rounds • If M = 60 (i.e., Mix just fired) • Expected number of good messages in Mix is < 1 after 5 rounds, or 500 attacker messages • Prob(all M gone) > 0.5 after 5 rounds, and • Prob(all M gond) > 0.99 after 9 rounds
Timed Pool Mix • Fires every T seconds • Always retains F messages in pool • If <= F in pool, it does not fire • (hence Threshold AND Timed mix, technically) • Min delay is epsilon e, max is infinity • Min anonymity set size is F+1, max is infinite • Compute effective A similar to Threshold Pool Mix
Timed Pool Mix • Fires every T seconds (or not) • Blending attack behavior • Attacker can try to flush in one round • Delay all good messages • Insert B bad messages • Prob(flush all F good messages) = F2/(B+F) Well, so they say – I’m not convinced!
Timed Pool Mix • Fires every T seconds (or not) • Blending attack behavior • Attacker can try to flush over many rounds • Delay all good messages • Insert 1 bad message each round • Prob(flush all F good messages) = F[F/(F+1)]B Again, so they say – I’m not convinced!
Dynamic Timed Mix • Fires every T seconds with threshold N • Min pool size Fmin, f = fraction of msgs to send • Must have at least N + Fmin msgs to fire • Sends max(1, mf) messages • m = number of messages in Mix when firing • If N=1, this is Cottrell Mix • Used in Mixmaster remailer • Size of pool may change over time • If constant arrival rate then equivalent to constant pool mix
Dynamic Timed Mix • Message delay: • Min is e, max is infinite • Mean delay depends on future arrival rates • At least as high as constant-pool mix, usually higher • Anonymity • Same properties as constant pool mix • Anonymity higher since prob(stay in pool) is constant, rather than decreasing with increasing m
Dynamic Timed Mix • Blending Attack Behavior • Max prob(flushing a msg in one round) = f • Hence, attacker can’t flush mix in one round! • Attacker has to figure out pool size also • Larger pool means longer time to flush • Prob(flush in r rounds) is proportional to (1/f)r • Anonymity still goes to zero over time
Resisting Exact Attacks • All prior mixes subject to exact attacks • Attacker knows when good messages are flushed • Some provide uncertainty – don’t know how long it will take • Binomial Mix • Flush each message with some probability • Hard to determine size of pool now • Target specific goals: • Certainty • Exactness
Resisting Exact Attacks • Use same tools as attacker • Uncertainty • Don’t let attacker know when target msg leaves pool • Use dummy messages • Intermix link encryption – hard to recognize chaff • Intermix detours – reroute outgoing messages • Stop-and-Go Mixes • Inexactness • Don’t let attacker know size of current pool • Dynamic pool fractional approach • Binomial approach
Resisting Exact Attacks • Stop-and-Go (SG) Mixes • Estimate arrival time of good msg at each Mix • If msg is outside of window, discard it • Frustrates arbitrary delay attacks • But seems attacker can still manipulate system • Reputation systems • Prevent or diminish insertion attacks • Only known senders can participate • Seems hard to be both known and anonymous!
Next Up • Defining anonymity • Need for anonymity • Defining privacy • Threats to anonymity and privacy • Mechanisms to provide anonymity • Metrics for Anonymity • Applications of anonymity technology • Voting • Ecash