anonymity networks for crypto geeks the department of
play

Anonymity Networks for Crypto Geeks, the Department of Defense, and - PowerPoint PPT Presentation

Apr 11, 2024 •297 likes •1.02k views

Anonymity Networks for Crypto Geeks, the Department of Defense, and you. Nick Mathewson <nickm@freehaven.net> The Free Haven Project MIT SIPB talk; 2 Feb 2006 This talk is about anonymity. Technical Social 1. What is it? 2. Why does

  1. Anonymity Networks for Crypto Geeks, the Department of Defense, and you. Nick Mathewson <nickm@freehaven.net> The Free Haven Project MIT SIPB talk; 2 Feb 2006

  2. This talk is about anonymity. Technical Social 1. What is it? 2. Why does it matter? 3. How do we build it? 4. What happens then?

  3. 1. What is anonymity anyway? (Wearing a funny wig, right?)

  4. Informally: anonymity means you can't tell who did what “Who wrote this blog post?” “Who's been viewing my webpages?” “Who's been emailing patent attorneys?”

  5. Formally: anonymity means indistinguishability within an “anonymity set” Alice1 Alice2 Alice3 Bob Alice4 Alice5 .... Attacker can't tell which Alice Alice6 is talking to Bob! Alice7 Alice8

  6. We have to make some assumptions about what the attacker can do. Alice Anonymity network Bob watch Alice! watch (or be!) Bob! Control part of the network! Etc, etc.

  7. Anonymity isn't cryptography: Cryptography only protects contents. “Hi, Bob!” “Hi, Bob!” <gibberish> Alice attacker Bob

  8. Anonymity isn't steganography: Attacker can tell that Alice is talking; just not to whom. Bob1 Alice1 Alice Anonymity network Alice2 Bob2 ... AliceN (Strong high-bandwidth steganography may not exist.)

  9. Anonymity isn't just wishful thinking... “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”

  10. ...since “weak” anonymity... isn't. “You can't prove it was me!” Proof is a very strong word. With statistics, suspicion becomes certainty. “Promise you won't look!” Will others parties have the ability and inclination to “Promise you won't remember!” keep their promises? “Promise you won't tell!” Not what we're talking “I didn't write my name on it!” about. Nope! (More info later.) “Isn't the Internet already anonymous?”

  11. 2. Why does anonymity matter? What, theoretically speaking, do we have to hide?

  12. Anonymity serves different interests for different user groups. Governments Businesses “It's traffic-analysis “It's network security!” resistance!” Anonymity “It's privacy!” Private citizens

  13. Regular citizens don't want to be watched and tracked. Blogger Blogger “I sell the logs.” Hostile Bob Alice Alice “Oops, I lost the logs.” 8-year-old Incompetent Bob Alice “Hey, they aren't Indifferent Bob Sick my secrets.” Alice Name, address, Consumer age, friends, Alice interests .... (medical, financial, etc), unpopular opinions, Oppressed illegal opinions.... Alice (the network can track too)

  14. Businesses need to keep trade secrets. “Oh, your employees are reading Competitor our patents/jobs page/product sheets?” “Hey, it's Alice! Give her the 'Alice' version!” Competitor AliceCorp “Wanna buy a list of Alice's suppliers? Compromised What about her customers? network What about her engineering department's favorite search terms?”

  15. National organizations need anonymity for their security. “Why is alice.localpolice.gov reading Investigated my website?” suspect Officer Alice “Why no, alice.localpolice.gov! Sting I would never sell counterfeits on e b ay!” target “What am I bid for a list of Baghdad Agent Untrusted IP addresses that get email from .gov?” Alice ISP Compromised “What does the CIA Google for?” service

  16. You can't get anonymity on your own: private solutions are ineffective... Alice's small Citizen “One of the 25 users ... anonymity net Alice on AliceNet.” Officer Municipal Investigated Alice “Looks like a cop.” anonymity net suspect AliceCorp AliceCorp “It's somebody at Competitor anonymity net AliceCorp!”

  17. ... so, anonymity loves company! Citizen “???” ... Alice Officer Investigated Alice Shared “???” suspect anonymity net AliceCorp Competitor “???”

  18. Yes, bad people need anonymity too, but they are already doing well. Compromised botnet Stolen mobile phones Evil Criminal Alice Open wireless nets .....

  19. Yes, bad people need anonymity too, but they are already doing well. Compromised botnet Stolen mobile phones Evil Criminal Alice Open wireless nets .....

  20. 3. How does anonymity work? (a short history, with Tor focus) (Because we were Course 6, not Course 17.)

  21. Tor is not the first or only design for anonymity. Low-latency High-latency Single-hop Chaum's Mixes proxies (1981) Crowds (~96) anon.penet.fi (~91) V1 Onion ZKS Routing (~96) “Freedom” Remailer networks: (~99-01) cypherpunk (~93), mixmaster (~95), Java Anon Proxy mixminion (~02) (~00-) Tor (01-) ...and more!

  22. Low-latency systems are vulnerable to end-to-end correlation attacks. Low-latency: Alice1 sends: xx x xxxx x Alice2 sends: x x xx x x match! Bob1 gets: x x x x x x match! Bob2 gets: xx x xxxx x Time High-latency: Alice1 sends: xx x xxxx Alice2 sends: x x xx x x Bob1 gets: xx xxxx ..... Bob2 gets: x xxxxx ..... These attacks work in practice. The obvious defenses are expensive (like high-latency), useless, or both.

  23. Still, we focus on low-latency, because it's more useful. Interactive apps: web, IRC, VOIP, ssh, X11, ... # users, low-latency anonymity systems: millions? Apps that accept multi-hour delays and high bandwidth overhead: email, sometimes. # users, high-latency anonymity systems: tens of thousands? And if anonymity loves company....?

  24. The simplest designs use a single relay to hide connections. Bob1 Alice1 Bob3,“X” “Y” Relay Alice2 “Z” Bob2 Bob1, “Y” “X” ” Z “ , 2 b o B Bob3 Alice3 (ex: some commercial proxy providers)

  25. But an attacker who sees Alice can see what she's doing. Bob1 Alice1 Bob3,“X” “Y” Relay Alice2 “Z” Bob2 Bob1, “Y” “X” ” Z “ , 2 b o B Bob3 Alice3

  26. Add encryption to stop attackers who eavesdrop on Alice. Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 (ex: numerous commercial proxy providers)

  27. But a single relay is a single point of failure. Bob1 Alice1 E(Bob3,“X”) “Y” Evil Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 Eavesdropping the relay works too.

  28. So, add multiple relays so that no single one can betray Alice. Bob1 Alice1 “Y” R1 “Z” R3 Bob2 Alice2 Bob3 “X” Alice3 R2

  29. Wrap messages in multiple layers of encryption: each relay removes a layer. Bob1 Alice1 E1(R2, “Y” E2(Bob3,“X”) ) E3(Bob1, R1 “Y”) “Z” R3 Bob2 E1(R3, E3(Bob1, “Y”) ) E2(Bob3, Alice2 E3(Bob2, “X”) “Z”) Bob3 “X” ( E 3 R 3 , E 2 ( Alice3 R2 ) Z ” ) 2 , “ B o b

  30. Use long-lived node-to-node links to hide number of connections. Alice S3 Bob S1 S2 S4

  31. Since public-key is expensive, use it at the start of a session to establish session keys... The “onion” Alice E1(S2,K1,E2(S3,K2,E3(K3,Bob))) S3 Bob S1 E3(K3,Bob) S2 E2(S2,K2,E3(K3,Bob)) S4

  32. ...then, use session keys to encrypt actual traffic. Alice K1(K2,(K3, “Hi Bob”))) “ H i B o b ! S3 ” Bob S1 K3(“Hi Bob”) S2 K2,K3(“Hi Bob”)) S4

  33. A corrupt first hop can tell that Alice is talking, but not to whom. Alice K1(K2,(K3, “Hi Bob”))) “ H i B o b ! S3 ” Bob S1 K3(“Hi Bob”) S2 K2,K3(“Hi Bob”)) S4

  34. A corrupt final hop can tell that somebody is saying “Hi Bob,” but not who. Alice K1(K2,(K3, “Hi Bob”))) “ H i B o b ! S3 ” Bob S1 K3(“Hi Bob”) S2 K2,K3(“Hi Bob”)) S4

  35. Stop here, and you have version 1 Onion Routing. ● Developed by researchers at US NRL ● Separate proxies for each user application on entry and exit. Web exit Web AP Web AP OR Alice Bob network FTP AP FTP exit ● Patented. ● Small test deployment, closed source. – (This prevented wider deployment.)

  36. Zero Knowledge System's “Freedom Network” (~1999-2001) ● Developed as commercial product ● Much like OR, but: – More effort at efficient routing. – Pay-per-service model. – Tried padding, briefly. ● (It was ineffective and uneconomical) – Paid ISPs to run servers. ● Shut down in late 2001, probably due to cost problems. – Trust model was hard to market.

  37. JAP/WebMIX network (~2000-) ● JAP = Java Anon Proxy ● Uses cascade topology instead of free-route. Bob1 Alice1 S S S Bob2 Dresden Alice2 S S S BobN AliceN – Cascades aggregate more traffic – But if correlation still works, attack is easier. ● PR problems related to illegal court order. ● Still active, still running, open source.

  38. Tor* started at NRL in 2001 to remove obstacles to Onion Routing. OR v1 obstacles Never released Slow: multiple PK ops per request No forward secrecy Fixed list of servers Hard to scale * Tor, not TOR.

  39. Simplify: Tor anonymizes TCP streams only, and makes other applications clean high-level protocols. SSH S O C K S Web SOCKS P H T T Web browser scrubber Tor network Tor client SOCKS IRC client

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
K-Anonymity &amp; Social Networks CompSci 590.03 Instructor:

K-Anonymity &amp; Social Networks CompSci 590.03 Instructor:

K-Anonymity &amp; Social Networks CompSci 590.03 Instructor: Ashwin Machanavajjhala (Some slides adapted from [Hay et al, SIGMOD (tutorial) 2011]) Lecture

598 views • 41 slides
Deployed Anonymity Networks: A brief history Nick Mathewson &lt;nickm@freehaven.net&gt; The

Deployed Anonymity Networks: A brief history Nick Mathewson &lt;nickm@freehaven.net&gt; The

Deployed Anonymity Networks: A brief history Nick Mathewson &lt;nickm@freehaven.net&gt; The Free Haven Project This presentation About me Introduction to anonymous communication High-latency networks Low-latency networks

792 views • 39 slides
A Geeks Guide to Universal Acceptance An update to TechDay Agenda What is Universal

A Geeks Guide to Universal Acceptance An update to TechDay Agenda What is Universal

A Geeks Guide to Universal Acceptance An update to TechDay Agenda What is Universal Acceptance How is this a Geeks Issue Case Studies ICANN IT Verisign-GoDaddy How can Geeks Help Introduction to UASG Review

522 views • 25 slides
for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

Anonymity Trilemma not all is lost for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 Universitaet zu Luebeck Anonymous Communication (AC) Networks

449 views • 21 slides
K-Anonymity &amp; Social Networks CompSci 590.03 Instructor: Ashwin Machanavajjhala (Some slides

K-Anonymity &amp; Social Networks CompSci 590.03 Instructor: Ashwin Machanavajjhala (Some slides

K-Anonymity &amp; Social Networks CompSci 590.03 Instructor: Ashwin Machanavajjhala (Some slides adapted from [Hay et al, SIGMOD (tutorial) 2011]) Lecture 4 : 590.03 Fall 12 1 Announcements Project ideas are posted on the site. You are

1.26k views • 38 slides
Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity, t-Closeness CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 4 : 590.03 Fall 12 1

647 views • 61 slides
but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

Not all is lost for anonymity but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 ETH Zurich 1 Sender Anonymity

551 views • 44 slides
Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity isnt cryptography Cryptography protects the contents in transit You still know who is talking to whom, how often, and how much data is

764 views • 54 slides
The Geeks Guide to Leading Teams @patkua ThoughtWorks The Geeks Guide to Leading Teams

The Geeks Guide to Leading Teams @patkua ThoughtWorks The Geeks Guide to Leading Teams

The Geeks Guide to Leading Teams @patkua ThoughtWorks The Geeks Guide to Leading Teams @patkua @patkua ThoughtWorks Who am I? Who am I? Programmer Me! Who am I? Tech Lead Agile Coach Author http://tiny.cc/retrobook Programmer

1.71k views • 130 slides
CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian Stefan UCSD Fall 2019 Lecture outline Foundations of privacy Historical and current crypto wars in the US Privacy-enhancing

611 views • 50 slides
Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017

Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017

Anonymity Networks Laslo Hunhold Mathematisches Institut Universitt zu Kln 27th July 2017 In the lecture Information Theory and Statistical Physics by Prof. Dr. Johannes Berg motivation motivation hide initiator of a message in a

1.58k views • 68 slides
Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A.

Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A.

Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A. Martucci , Max M auser F uhlh Technische Universit at Darmstadt Telecooperation Lab 64293 Darmstadt, Germany Email:

67 views • 6 slides
Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous = Nameless, unidentifiable pseudonymous = Fake name, still traceable Tracing Bitcoin transactions Normal redeem script: Provide public key pk and proof

438 views • 33 slides
Replacing Weary Crypto: Upgrading the I2P network with stronger primitives str4d

Replacing Weary Crypto: Upgrading the I2P network with stronger primitives str4d

Replacing Weary Crypto: Upgrading the I2P network with stronger primitives str4d https://geti2p.net str4d@i2pmail.org @str4d 2016-01-08 Tor and I2P have several similarities... Both started circa 2003 Location anonymity Onion

469 views • 17 slides
INTERNET CLIENT PROGRAMMING USING PYTHON C U A U H T E M O C C A R B A J A L I T E S M C E M A

INTERNET CLIENT PROGRAMMING USING PYTHON C U A U H T E M O C C A R B A J A L I T E S M C E M A

INTERNET CLIENT PROGRAMMING USING PYTHON C U A U H T E M O C C A R B A J A L I T E S M C E M A P R I L 0 6 , 2 0 1 3 1 INTRODUCTION In the previous lecture we took a look at low-level networking communication protocols using sockets.

1.16k views • 76 slides
Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation

Vulnerable Machines with Ansible Nathaniel Beckstead whoami Nathaniel Beckstead Automation Infrastructure Tooling scriptingis.life 2 Why Vulnerable Machines? King of the Hill Practice Red team - scan and exploit Blue team

304 views • 18 slides
JAP Web-Mixes Stefan Kpsell, TU Dresden, sk13@inf.tu-dresden.de Overview Statistics

JAP Web-Mixes Stefan Kpsell, TU Dresden, sk13@inf.tu-dresden.de Overview Statistics

JAP Web-Mixes Stefan Kpsell, TU Dresden, sk13@inf.tu-dresden.de Overview Statistics Mix Development and Deployment How to attract Developers ? Attracting Users Abuse Results of a users Survey Overview

441 views • 17 slides
Show n Tell (Berkeley Style) Bruce A. Mah bmah@tenet.Berkeley.EDU 15 June 1992 Show

Show n Tell (Berkeley Style) Bruce A. Mah bmah@tenet.Berkeley.EDU 15 June 1992 Show

Show n Tell (Berkeley Style) Bruce A. Mah bmah@tenet.Berkeley.EDU 15 June 1992 Show n Tell (bmah) 1/8 What Ive Been Doing RCAP (Will he ever finish?) XUNET 3 (The Search for Gigabits) Sendmail (Once a sysadmin...) Show

426 views • 8 slides
User Management Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de

User Management Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de

User Management Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de Catalunya (UPC) May 26, 2014 Introduction Databases Baixa Login Permisos Lectures System administration introduction 1 Operating System

821 views • 28 slides
Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1 Agenda A short history of Unix Login and user accounts access control Instances of general security principles Audit configuration

641 views • 38 slides
Simulation in Particle Physics David Grellscheid What are the fundamental building blocks of

Simulation in Particle Physics David Grellscheid What are the fundamental building blocks of

Simulation in Particle Physics David Grellscheid What are the fundamental building blocks of Nature? T-Shirt, explain rules here T-Shirt, explain rules here 4e candidate with m 4e = 124.6 GeV p T (electrons)= 24.9, 53.9, 61.9, 17.8 GeV m

1.09k views • 50 slides
Outline Clare in our context Religion and contemplation Violence as Clares context

Outline Clare in our context Religion and contemplation Violence as Clares context

9/25/19 Class 1b Life as a Sacred Text: Clare of Assisi Outline Clare in our context Religion and contemplation Violence as Clares context Radical poverty as a response to violence Responses to violence in our world 1 9/25/19

513 views • 12 slides

More recommend