ppt - Stanford Secure Computer Systems Group

The Case for Network-Layer, Peer-to-Peer Anonymization
Michael J. Freedman
Emil Sit, Josh Cates, Robert Morris
MIT Lab for Computer Science
IPTPS’02
March 7, 2002
http://pdos.lcs.mit.edu/tarzan/
The Grail of Anonymization
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
• Nobody knows who user is
Our Vision for Anonymization
• Millions of nodes participate
• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer
• All applications can use: IP layer
Alternative 1: Proxy Approach
• Intermediate node to proxy traffic
• Completely trust the proxy
Anonymizer.com
Realistic Threat Model
• Corrupt proxy
– Adversary runs proxy
– Adversary targets and compromises proxy
• Limited, localized network sniffing
• Global passive observer?
• Adaptive active adversary?
Use cover network: a different paper
Failures of Proxy Approach
• Proxy reveals identity
• Traffic analysis is easy
• CNN blocks connections from proxy
• Adversary blocks access to proxy (DoS)
Alternative 2: Centralized Mixnet
• MIX encoding creates encrypted tunnel of relays
– Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
Onion Routing, Freedom: small-scale, static network, not general-purpose
Failures of Centralized Mixnet
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
Tarzan: Me Relay, You Relay
• Millions of nodes participate
• Build tunnel over random set of nodes
Crowds: small-scale, not self-organizing, not a mixnet
Benefits of Peer-to-Peer Design
• CNN cannot block everybody
• Adversary cannot target everybody
• No network edge to analyze: first hop does not know he’s first
Managing Peers
• Requires a mechanism that
1. Discovers peers
2. Is scalable
3. Is robust against adversaries
Adversaries Can Join System
• Adversary can join more than once
– Due to lack of central authentication
• Try to prevent adversary from impersonating a large address space
Stopping Evil Peers
• Contact peers directly to
– Validate IP address
– Learn public key
Adversary can only answer small address space
Tarzan: Joining the System
1. Contacts known peer in big (Chord) network
2. Learns of a few peers for routing queries
Tarzan: Discovering Peers
3. Contacts random peers to learn {IP addr, PK}
– Performs Chord lookup(random)
Tarzan: Building Tunnel
[Figure labels: User, Real IP Address, Tunnel Private Address, Public Alias Address, PNAT]
4. Iteratively selects peers and builds tunnel
– Public-key encrypts tunnel info during setup
– Maps flowid → session key, next hop IP addr
Tarzan: Tunneling Data Traffic
5. Reroutes packets over this tunnel
– Diverts packets to tunnel source router
– NATs to private address space 192.168.x.x
– Layer encrypts packet
– Encapsulates in UDP and forwards packet
– Strips off encryption, forwards to next hop
– NATs again to public alias address
– Reads IP headers and sends accordingly
– Response repeats process in reverse
[Figure labels: Server, Oblivious User]
• Transparently supports anonymous servers
• Can build double-blinded channels
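The tunnel setup (step 4) and per-hop forwarding (step 5) from the slides above, as an added example that is not code from the Tarzan prototype. Assumptions: an HMAC-SHA256 XOR keystream stands in for the real cipher, the public-key encryption of setup messages and the NAT steps are omitted, and the names `Relay`, `build_tunnel`, `send` and all addresses are constructed for illustration.

```python
import hashlib, hmac, os, struct

def xor_layer(key, nonce, data):
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    # Applying it twice with the same key and nonce removes the layer.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Relay:
    def __init__(self, addr):
        self.addr = addr
        self.flows = {}  # flowid -> (session key, next hop IP addr)

    def setup(self, flowid, key, next_hop):
        # The slides public-key encrypt this message to the relay; omitted here.
        self.flows[flowid] = (key, next_hop)

    def forward(self, flowid, nonce, packet):
        key, next_hop = self.flows[flowid]
        return next_hop, xor_layer(key, nonce, packet)  # strip one layer

def build_tunnel(relays, dest):
    # The source chooses a fresh flowid and session key for every hop.
    hops = []
    for i, relay in enumerate(relays):
        flowid, key = os.urandom(4), os.urandom(32)
        next_hop = relays[i + 1].addr if i + 1 < len(relays) else dest
        relay.setup(flowid, key, next_hop)
        hops.append((flowid, key))
    return hops

def send(relays, hops, payload):
    nonce = os.urandom(8)
    packet = payload
    for _, key in reversed(hops):  # last hop's layer goes on first (innermost)
        packet = xor_layer(key, nonce, packet)
    on_wire, addr = [], relays[0].addr
    for relay, (flowid, _) in zip(relays, hops):
        assert relay.addr == addr  # each hop only learned the next address
        on_wire.append(packet)     # what an observer of this link would see
        addr, packet = relay.forward(flowid, nonce, packet)
    return addr, packet, on_wire

if __name__ == "__main__":
    relays = [Relay(f"10.0.0.{i}") for i in (1, 2, 3)]  # constructed addresses
    hops = build_tunnel(relays, "203.0.113.80")
    print(send(relays, hops, b"GET / HTTP/1.0\r\n\r\n")[:2])
```

Each relay's table holds only its own session key and the next hop, so no single relay sees both the source and the cleartext destination traffic.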
Tarzan is Fast (Enough)
• Prototype implementation in C++
• Setup time per hop: ~20 ms + transmission time
• Packet forwarding per hop: < 1 ms + transmission time
• Network latency dominates performance
Summary
• Gain anonymity:
– Millions of relays
– No centralization
Peer-to-Peer design
• Transparent IP-layer anonymization
– Towards a critical mass of users