Transcript Lecture10

Modelling and Analysing of Security Protocol: Lecture 10
Anonymity: Systems
Today’s Lecture
• Practical course issues.
• Theoretical anonymity.
– Dining Cryptographers Protocol
– Definitions of Anonymity
– The Crowds Protocol
BREAK
• Practical anonymous systems
– Onion Routing and the Tor System
– Mix Networks
– Anonymous File-sharing Systems: MUTE
– Anonymous Publishing: Freenet
Crowds
• A crowd is a group of n nodes
• The initiator randomly selects a node (called the forwarder) and forwards the request to it
• A forwarder:
– With prob. 1-pf randomly selects a new node and forwards the request to it
– With prob. pf sends the request to the server
Crowds
• The sender is beyond suspicion to the server.
• Some of the nodes could be corrupted.
• The initiator could forward the message to a
corrupted node.
• The sender has probable innocence to other
nodes.
Crowds
• Problem: many people won’t forward traffic for
others.
• A practical system has to make forwarding
traffic for others optional or controllable.
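The forwarding rule and the "probable innocence" claim above can be checked numerically. The following simulation is an added example, not part of the original lecture; it keeps the slides' convention that pf is the probability of sending to the server, and the crowd size, number of corrupted nodes and pf value are constructed assumptions.

```python
import random

def crowds_path(n, p_f, rng):
    """Forwarders visited before the request reaches the server.

    Slide convention: a forwarder sends to the server with probability p_f,
    otherwise (probability 1 - p_f) it picks a random node and forwards.
    """
    path = [rng.randrange(n)]        # the initiator always picks a first forwarder
    while rng.random() >= p_f:       # probability 1 - p_f: forward once more
        path.append(rng.randrange(n))
    return path

def simulate(n, corrupt, p_f, trials, seed=1):
    """Return (P(predecessor is initiator | a corrupt node is on the path),
    mean path length). Nodes 0..corrupt-1 are corrupted (constructed setup)."""
    rng = random.Random(seed)
    hits = observed = total_len = 0
    for _ in range(trials):
        initiator = rng.randrange(corrupt, n)   # an honest initiator
        path = crowds_path(n, p_f, rng)
        total_len += len(path)
        prev = initiator
        for node in path:
            if node < corrupt:                  # first corrupt node sees `prev`
                observed += 1
                hits += prev == initiator
                break
            prev = node
    return hits / observed, total_len / trials

def closed_form(n, corrupt, p_f):
    """Standard Crowds analysis, written with forwarding probability 1 - p_f."""
    return (n - (1 - p_f) * (n - corrupt - 1)) / n

if __name__ == "__main__":
    est, mean_len = simulate(n=20, corrupt=2, p_f=0.25, trials=200_000)
    print(f"simulated {est:.3f}  closed form {closed_form(20, 2, 0.25):.3f}")
    print(f"mean forwarders per request {mean_len:.2f}")
```

A result below 1/2 means the node a corrupted forwarder received the request from is more likely not the initiator than the initiator, which is what probable innocence requires.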
Onion Routing
• Each node makes its key public
• The initiator selects the whole route and encrypts
the message with all keys in reverse order
• Each node unwraps a layer and forwards the
message to the next one
Initiator → 1: {2,{3,{server,m}k3}k2}k1
1 → 2: {3,{server,m}k3}k2
2 → 3: {server,m}k3
3 → server: m
Onion Routing
• Each node only learns the next one in the path
• End-users can run their own node
– Better anonymity
• or use an existing one
– More efficient
– User's identity is revealed to the node
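The layering described above, as an added example that is not from the original lecture: the initiator wraps the message in reverse route order and each node peels one layer, learning only the next hop. The keys and helper names are constructed, and a SHA-256 keystream XOR stands in for encryption under each node's public key; it is a toy cipher used only to show the structure.

```python
import hashlib
import json

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy cipher (stand-in for public-key encryption): XOR with a
    # SHA-256 counter keystream. Not secure; illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, next_hop, payload: bytes) -> bytes:
    """Build one layer {next_hop, payload}k."""
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    return _xor_stream(key, body)

def peel(key: bytes, onion: bytes):
    """Remove one layer; return (next_hop, inner_payload)."""
    layer = json.loads(_xor_stream(key, onion))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(route, keys, message: bytes) -> bytes:
    """route = [node1, ..., nodeN, destination]; the innermost layer is built first."""
    onion = message
    for node, nxt in reversed(list(zip(route, route[1:]))):
        onion = seal(keys[node], nxt, onion)
    return onion

def relay(first_node, keys, onion: bytes):
    """Pass the onion along; record (node, next hop that node learned)."""
    seen, node = [], first_node
    while node in keys:                  # stops at the server, which holds no key
        nxt, onion = peel(keys[node], onion)
        seen.append((node, nxt))
        node = nxt
    return seen, onion

# Constructed per-node keys for the three relays in the slide's figure.
KEYS = {1: b"constructed-k1", 2: b"constructed-k2", 3: b"constructed-k3"}

if __name__ == "__main__":
    onion = build_onion([1, 2, 3, "server"], KEYS, b"m")
    print(relay(1, KEYS, onion))
```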
Tor
• Tor implements this protocol.
• Several hundred volunteer nodes.
• Firefox plug-in.
• Managed by the US navy.
Problems with Tor
• You reveal your IP to the first node, and the last node sees who you are talking to.
• If an attacker controls the first and the last node they may be able to match the packets using traffic analysis.
• No anonymity from an attacker that monitors the whole network.
• Some protocols broadcast their IP address.
MIXes
• MIXes are proxies that forward messages
between them
• A user contacts a MIX to send a message
• The MIX waits until it has received a number of
messages, then forwards them in different order
MIXes
• It is difficult to trace the route of each
message.
• May provide beyond suspicion S-R
unlinkability even to a global attacker.
• Messages have to be delayed (can be solved
with dummy traffic).
• More complicated when sending series of
packets
Multi-casting
• Broadcast the message to the whole network.
• Beyond suspicion for the receiver.
• No anonymity for the sender.
• Multicasting is a good technique for broadcasting messages, but very inefficient for sending just one message.
Spoofed UDP
• The from IP address is not used by routers,
only by higher-level protocols such as TCP.
• UDP does not have to use this address.
• A random address can be used instead to
provide sender anonymity.
• Method prohibited by many ISPs.
Anonymous File-Sharing system
800,000 downloads
Appeal for donations
Informal description
Source code
Peer-to-Peer File-Sharing
In newer networks peers record the IP address of other peers.
A searcher sends a request to all of its “neighbours”.
This is forwarded to all of their neighbours, up to a fixed number of hops.
Peer-to-Peer File-Sharing
The search request includes A’s IP address.
Any peer with the requested file contacts A directly.
Peer “A” may then request the file.
Peer-to-Peer File-Sharing
No anonymity from peers inside the network:
The search message gives the searcher’s IP address and name of the files they are looking for.
By requesting a file, you can find out the IP address of all peers that are offering the file.
MUTE
• MUTE removes the IP address from the file
exchange.
• Peers only know the IP address of their direct
neighbours.
• Peers choose random “pseudo ID”.
• Files are not sent directly between peers. Instead
files are sent via a number of peers.
• MUTE uses a version of the “Ants” ad-hoc routing
protocol.
Anonymity Provided by MUTE
• MUTE makes it hard to link the IP address of a peer with its pseudo ID.
• Peers only know the IP addresses of their direct neighbours, but not their pseudo IDs.
• The network should provide enough cover to let a neighbour deny using a particular ID.
• If an attacker can completely surround a peer it loses anonymity.
MUTE: Search
The search takes place as before, but this time the message uses the searcher’s pseudo ID as the “from ID”.
Each peer builds a routing table by recording the ID and the connection.
A probabilistic time-to-live counter limits the search.
MUTE: Reply
If B wants to reply it sends a message to A’s pseudo ID.
This message is routed using the ad-hoc routing table.
The route to B is also recorded.
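The search and reply slides above, as an added example that is not MUTE's own code: a search floods the network and each peer records "pseudo ID → connection", then the reply is routed hop by hop using only those tables. The topology, peer names and pseudo IDs are constructed, and a fixed hop limit replaces the probabilistic time-to-live counter as a simplification.

```python
from collections import deque

def flood_search(graph, origin, pseudo_id, ttl):
    """Flood a search from `origin`; return each peer's routing table.

    graph: peer -> list of direct neighbours (constructed topology).
    tables[peer][pseudo_id] is the connection the search arrived on.
    """
    tables = {peer: {} for peer in graph}
    queue = deque((nb, origin, ttl) for nb in graph[origin])
    while queue:
        peer, came_from, hops = queue.popleft()
        if peer == origin or pseudo_id in tables[peer]:
            continue                          # this search was already seen
        tables[peer][pseudo_id] = came_from
        if hops > 1:
            queue.extend((nb, peer, hops - 1)
                         for nb in graph[peer] if nb != came_from)
    return tables

def route_reply(tables, responder, to_id, from_id):
    """Route a reply to `to_id`; each hop consults only its own table.

    Every peer on the way records from_id -> previous connection, so the
    route back to the responder is learned as well.
    """
    if to_id not in tables[responder]:
        raise LookupError("the search never reached this peer")
    path, peer, prev = [responder], responder, None
    while to_id in tables[peer]:              # the owner of to_id has no entry
        nxt = tables[peer][to_id]
        if prev is not None:
            tables[peer][from_id] = prev
        prev, peer = peer, nxt
        path.append(peer)
    tables[peer][from_id] = prev              # the owner learns a route back
    return path

# Constructed topology: p1 is the searcher "A", p5 is the responder "B".
GRAPH = {"p1": ["p2", "p3"], "p2": ["p1", "p4"], "p3": ["p1", "p4"],
         "p4": ["p2", "p3", "p5"], "p5": ["p4"]}

if __name__ == "__main__":
    tables = flood_search(GRAPH, "p1", "ID_A", ttl=3)
    print(route_reply(tables, "p5", "ID_A", "ID_B"))
    print(tables)
```

Every table entry points at a direct neighbour, so no peer can tell from its table whether that neighbour owns the pseudo ID or is only forwarding for someone further away.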
Un-forgeable Pseudo IDs
• MUTE uses a hash of the authentication keys as the peers’ pseudo IDs.
• A peer generates an RSA signature key “kS” and an authentication key “kA”.
• The message header now has the form:
( to ID, #(kA), message ID-time_stamp,
FLAGS:(SkS(messageID-time_stamp), kA) )
Freenet and Free Haven
• There are a number of “anonymous publishing systems”.
• For example Freenet and the MIX-based Free Haven.
• These systems make the original author of a file anonymous, not the responder.
• Nodes will often cache files. Therefore you can “trick” a node into storing and “offering” a file.
Summary of methods
Some Kinds of Attack
• Timing attacks
• System Membership
• Time-to-Live Attacks (Mute, Mantis)
• Multiple Attackers (Mute)
• Statistical Attacks (MIXes)
• Forced Repeat (Crowds)
• Nodes Joining and Leaving
• Denial of Service (Mute)