A Survey Amonymity and Amonymous File Sharing

Download Report

Transcript A Survey Amonymity and Amonymous File Sharing

A Survey Anonymity and
Anonymous File-Sharing
Tom Chothia
(Joint work with Konstantinos
Chatzikokolakis)
Outline of Talk
• The theory of anonymity.
• Designs for anonymity.
• Anonymous file-sharing software.
• Some early results from the analysis of filesharing software.
Introduction
• This is a light weight introduction to
anonymity:
–
–
–
–
Definitions
Design
Real Systems
Some Analysis of the Systems
• Next week you will see more on the technical
definitions and modeling with process calculi.
The Theory of Anonymity
Anonymity means
different things to
different users.
The right definitions are
key to understand any
system.
“On the Internet nobody
knows you’re a dog”
The Theory of Anonymity
• Anonymity is a difficult notion to define.
– Systems have multiple agents
– which have different views of the system
– and wish to hide different actions
– to variable levels.
• Sometimes you just want some doubt,
sometimes you want to act unseen.
The Theory of Anonymity
• In a system of anonymous communication
you can be:
–
–
–
–
A sender
A receive / responder
A helpful node in the system
An outsider (who may see all or just some of the
communications).
• We might want anonymity for any of these,
from any of these.
Example: Anonymous FileSharing
One node sends a request for a
file (sender)
Other nodes receive this request
(the nodes)
?
Maybe one of the nodes replies
with a file (receiver/responder).
The attacker may be any of these
or an outside observer.
Example: Anonymous FileSharing
• The user may wish to hide
– that they are offering files
– that they are taking part in
data transfer
– that they are running the
software at all.
?
• The user may want to have
plausible deniability or go
complete unnoticed.
The Theory of Anonymity
• There are many definitions.
• Some are “too weak”,
– Delov-Yao style “Provable Anonymity”
• Some are “too strong”,
– Information flow.
• There will be more on these definitions
next week.
Levels of Anonymity
Reiter and Rubin provide the classification:
• Beyond suspicion: the user appears no
more likely to have acted than any other.
• Probable innocence: the user appears no
more likely to have acted than to not to have.
• Possible innocence: there is a nontrivial
probability that it was not the user.
Beyond suspicion
• All users are Beyond suspicion:
Prob
A
B
C
Users
D
E
Beyond suspicion
• Only B and D are Beyond suspicion:
Prob
A
B
C
Users
D
E
Beyond suspicion
• Now, only B is Beyond suspicion:
Prob
A
B
C
Users
D
E
Probable Innocence
• All users are Probably Innocence
50%
Prob
A
B
C
Users
D
E
Probable Innocence
• All users are Probably Innocence
50%
Prob
A
B
C
Users
D
E
Probable Innocence
• All users are Probably Innocence
50%
Prob
A
B
C
Users
D
E
Probable Innocence
• All users are Probably Innocence
50%
Prob
A
B
C
Users
D
E
Probable Innocence
• All users are Probably Innocence
50%
Prob
A
B
C
Users
D
E
Example: The Anonymizer
An Internet connection
reveals your IP number.
?
S
The Anonymizer
The Anonymizer promise
“Anonymity”
Connection made via The
Anonymizer.
The Server see only the
Anonymizer.
Example: The Anonymizer
The sender is Beyond Suspicion to the server.
The server knows The Anonymizer is being used.
If there is enough other traffic, you are Probably
Innocence to a global observer.
The global observer knows you are using the “The
Anonymizer”
There is no anonymity to the “The Anonymizer”
Example: The Anonymizer
• From the small print:
• … we disclose personal information only in
the good faith belief that we are required to
do so by law, or that doing so is reasonably
necessary …
• … Note to European Customers: The
information you provide us will be transferred
outside the European Economic Area
Summary: The Theory of
Anonymity
• There are many agents in a system each of
which have different views.
• There are a number of different actions.
• We need to define the level of anonymity an
user has when performing a certain action,
given the attacker’s view of the system.
Outline of Talk
• The theory of Anonymity.
• Designs for anonymity.
• Anonymous file-sharing software.
• Some early results from the analysis of filesharing software.
Theoretical Designs for
Anonymity
• We have seen an example of anonymity from
a Proxy.
• In Friend-to-Friend networks:
– nodes have fixed neighbours,
– only direct neighbours know IP addresses,
– nodes act as proxies for there neighbours.
• Anonymity to your neighbour is by trust or by
claiming you are just acting as a proxy.
Ants
The Ants protocol is for ah-hoc
networking.
Each node has a pseudo ID.
A node broadcasts a request,
labeled with its own ID.
A
Nodes record IDs it receives
over each connections.
Ants
If another nodes wishes to
reply to the request:
It sends packets labeled with
its own ID
A
The packets are sent along
the most used connection
for the to ID.
MIXes
• MIXes are proxies that forward messages
between them
• A user contacts a MIX to send a message
• The MIX waits until it has received a number of
messages, then forwards them in different order
MIXes
• It is difficult to trace the route of each
message.
• Provides beyond suspicion S-R unlinkability
even w.r.t. a global attacker.
• Messages have to be delayed (can be solved
with dummy traffic).
• More complicated when sending series of
packets
Onion Routing
• Messages are routed through a number of nodes
called Core Onion Routers (COR)
• The initiator selects the whole route and encrypts
the message with all keys in reverse order
• Each node unwraps a layer (onion) and forwards
the message to the next one
{{{m}k3}k2}k1
1
{{m}k3}k2
2
{m}k3
m
3
Onion Routing
• Each node only learns the next one in the path
• Can be used together with MIXing.
• End-users can run their own COR
– Better anonymity
• or use an existing one
– More efficient
– User's identity is revealed to the COR
Crowds
• A crowd is a group of n nodes
• The initiator selects randomly a node (called
forwarder) and forwards the request to it
• A forwarder:
– With prob. 1-pf selects
randomly a new node and
forwards the request to him
– With prob. pf sends the
request to the server
server
Crowds
• Beyond suspicion w.r.t. the server
• Some of the nodes could be corrupted.
• The initiator could forward the message
to a corrupted node.
• Probable innocence w.r.t. a node
(under conditions on the number of corrupted
nodes).
Dining Cryptographers
• Nodes form a ring
• Each adjacent pair picks a random number
• Each node broadcasts the sum (xor) of the
adjacent numbers
r5+r1
• The user who wants to send a
message also adds the message r
r5
1
• The total sum (xor) is:
r1+r2
r4+r5
r1+r2+r2+r3+r3+
r2
r4
r4+r4+r5+r5+r1+m = m
r
r2+r3
3
r3+r4+m
Dinning Cryptographers
• It's impossible to tell who added m.
• Beyond suspicion even w.r.t. to a global
attacker.
• Very inefficient: everyone must send the
same amount of data as the real sender.
• More info in Catuscia's talk
Mutli-casting
• Broadcast the message to the whole
network.
• Provides beyond suspicion for the
receiver.
• No anonymity for the sender.
• Multicasting is an efficient technique for
broadcasting messages.
• but very inefficient to send just one
message.
Spoofed UDP
• IP packets on the Internet contain the IP
address of the sender
• This address is not used by routers, only
by higher-level protocols such as TCP
• UDP does not use this address
• A random address can be used instead
to provide sender anonymity
• Method prohibited by many ISPs
Summary of methods
Outline of Talk
• The theory of anonymity.
• Designs for anonymity.
• Anonymous file-sharing software.
• Some early results from the analysis of filesharing software.
Mute
• Mute is an open source project based on the
Ants protocol.
• Mute uses a complicated 3 stage time-to-live
counter that allows an attack.
• In Mute all the probabilistic choices are fixed
when a node starts. This protects against
statistical attacks.
Ants
• Ants is also an open source project based on the
Ants protocol.
• There is a probabilistic change of dropping a search
request. Avoiding some attacks but giving little control
over searches.
• Ants send most reply packets over the best route but
sends some by other routes. This is done for
efficiency by it also stops some attacks by inside
nodes.
Mantis
• Mantis is an academic project that uses the
Ants protocol.
• But the sender may make its IP address
public and receive the file by address spoofed
UDP.
• Hence only the responder is anonymous, but
the system is very efficient.
Anonymous Peer-to-Peer FileSharing (APFS)
• APFS is based on Onion Routing
• Volunteer nodes act as proxies.
• Centralised servers store an “onion
routes” for files.
• Searching is carried out by asking a
server for an onion route for a file.
• Pro: Secure system, Con: Hard to set
up and maintain.
Freenet and Free Haven
• There are a number of “anonymous
publishing system”.
• For example Freenet and the MIX based Free
Haven.
• These systems make the original author of a
file anonymous, not the responder.
• Nodes will often cache files.Therefore you
can “trick” a node into storing and “offering” a
file.
Waste
• Waste is a friend-to-friend network. It is
designed for small groups (under 50 nodes).
• The sender and receive are known to network
insiders, but anonymous to an outside
attacker.
• Dummy traffic traffic is sent between nodes
whenever they are idle.
Tor
• Tor is an anonymous transport layer.
• It does not implement a file-sharing but filesharing software can be run on top of it.
• Tor implements onion routing without MIXes.
• Its possible that a program run on top of Tor
will reveal its IP address.
Some Other Systems
AP3
Crowds
Mislove et al.
Entropy
Freenet
entrop.stop1984.com
GNUnet
MIXes
gnunet.org
I2P
Onion routing www.i2p.net
Nodezilla Freenet
www.nodezilla.net
Napshare Ants
napshare.sourceforge.net
SSMP
Secret sharing Dingledine et al.
& onion routing
Outline of Talk
• The theory of anonymity.
• Designs for anonymity.
• Anonymous file-sharing software.
• Some early results for the analysis of filesharing software.
Goals for Anonymous FileSharing using Ants
• The attacker is a node in the network and
must discover the pseudo ID of its
nieghbours.
• Sender (requesting files) is Probable
Innocence to nodes and responder.
• Responder (offering files for download) is
Probable Innocence to nodes and sender.
The Model
• The model of the network is a connected
weighted graph.
• The weights are the times it takes for a
message to travel along that connection.
• Travel times are fixed.
• A single attacker, no timed-based attacks.
• No time-to-live counter.
The Attackers View
• Its connections and the real addresses of the nodes
each of these connections leads too.
• The pseudo IDs from the messages it has seen.
• For each pseudo ID, the ordered over which the
attacker receives message
• The ``to'' and ``from'' pseudo address of all the
messages past across it.
The Attackers View
• The attacker may also send messages.
• It can form message out of its own random
values, its own address or any address is has
seen.
• In particular, it can send messages the
“wrong way”.
Time-Based Attacks
• The quickest reply along any connection will come
from the direct neighbour.
• The attacker may try random request, and note the
reply times.
• The pseudo ID with the fastest reply time over any
connection is assume to be the neighbour.
• If a node shares any files at all, it is not anonymous
to its neighbour.
Result
• Assuming no timed-based attacks, there is
still a problem:
• The attacker might just see one pseudo ID
over a connection.
• Or have a unique pseudo ID “bounced back”.
• i.e., anonymity depends on how the nodes
are connected.
Result
• One node on its own is
not anonymous.
N
A
• Only node one node
fastest along a
connection is not
anonymous.
Result
N3
N4
N2
N1
A
• Active attacks allow more
discrimination.
• A receives two IDs first
over each connection.
• But N3 and N4 are
bounced back
• Therefore the attack can
identify N1 and N2.
Result
• If we assume that the attackers neighbours
might never share files then Ants is
anonymous.
• Otherwise:
– The Ants protocol can be broken by a timed
attack.
– If any connection is not used by at least two
different pairs of nodes to communicate then the
nodes on this connection are not anonymous to
each other.
Protected Addresses
• Attacker can make a message with another node’s
pseudo ID as the from address.
• This lets it disrupt communication.
• We can generate a key pair and use the
authentication key as the pseudo ID.
• The sender signs the message ID.
• Hence the attacker cannot fake messages.
Other Kinds of Attack
•
•
•
•
•
•
•
•
Global Attacker
System Membership
Time-to-Live Attacks (Mute, Mantis)
Multiple Attackers (Mute)
Statistical Attacks (MIXes)
Forced Repeat (Crowds)
Nodes Joining and Leaving
Denial of Service (Mute)
Outline of Talk
• The theory of Anonymity.
• Designs for Anonymity
• Anonymous file-sharing software
• Some early results for the analysis of filesharing software.
Further Work
• Ants Protocol:
– Finish formal model and testing,
– Time delays,
– Deciding when a network is safe,
– MIXes for file-sharing.
• General purpose formal methods for
anonymous systems.
Questions?
Example: Anonymous FileSharing
• The user may wish to hide
– that they are offering files
– that they are taking part in
data transfer
– that they are running the
software at all.
• The user may want to have
plausible deniability or go
complete unnoticed.
Example: Anonymous FileSharing
• The user may wish to hide
– that they are offering files
– that they are taking part in
data transfer
– that they are running the
software at all.
• The user may want to have
plausible deniability or go
complete unnoticed.
Forced Repeat Attack: Crowds
Time-to-live Attack: Mute
Time-to-live Attack: Mantis