Anonymous Communication: DC-nets, Crowds, Onion Routing
Simone Fischer-Hübner, PETs PhD course, Spring 2012
DC (Dining Cryptographers) nets [Chaum 1988]
Chaum, CACM 28(10), October 1985
Who paid for the Dinner (anonymously)? (I)
- Even number of differences ⇔ NSA paid
[Figure: coin tosses (T/H) shared between neighbouring cryptographers and each cryptographer's announcement (= or ≠)]
Who paid for the Dinner (anonymously)? (II.a)
- Odd number of differences ⇔ one cryptographer paid
[Figure: coin tosses and announcements; the paying cryptographer announces the opposite of what the coins show: "As I paid, I say the opposite"]
Who paid for the Dinner (anonymously)? (II.b)
- Odd number of differences ⇔ one cryptographer paid
[Figure: coin tosses and announcements; the paying cryptographer announces the opposite of what the coins show: "As I paid, I say the opposite"]
DC-nets: Perfect sender anonymity through Binary superposed sending and broadcast
Anonymity preserving multi-access protocols
Anonymity preserving multi-access protocols (cont.)
Implementation-Example: Local-Area Ring Networks
DC nets - Review
- Protection properties:
  - Perfect sender anonymity through superposed sending (message bits are hidden by one-time pad encryption)
  - Message secrecy through encryption
  - Recipient anonymity through broadcast and implicit addresses (addressee is user who can successfully decrypt message)
- Problems:
  - Denial of Service attacks by DC-net participants (Defense: trap protocols)
  - Random key string distribution
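The superposed sending described above, as an added example that is not part of the original slides: every pair of participants shares a one-time key, each participant broadcasts the XOR of its keys (plus its message if it is sending), and the XOR of all broadcasts yields the message without revealing the sender. The function names and the full pairwise key graph are assumptions of this sketch.

```python
import secrets
from functools import reduce
from itertools import combinations

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dc_round(n: int, messages: dict, length: int) -> list:
    """One DC-net round with n participants.

    messages maps a participant index to the bytes it wants to send in
    this round; participants that are silent contribute only key material.
    Returns the list of broadcast announcements, one per participant.
    """
    zero = bytes(length)
    # Fresh one-time key per pair (the "coin" between two cryptographers).
    keys = {pair: secrets.token_bytes(length)
            for pair in combinations(range(n), 2)}
    announcements = []
    for i in range(n):
        out = messages.get(i, zero)          # sender superposes its message
        for pair, key in keys.items():
            if i in pair:                    # XOR in every key i shares
                out = xor(out, key)
        announcements.append(out)
    return announcements

def superpose(announcements: list) -> bytes:
    """Global XOR: each key occurs in exactly two announcements and cancels."""
    return reduce(xor, announcements)

if __name__ == "__main__":
    print(superpose(dc_round(3, {}, 4)))                  # nobody sent: zeros
    print(superpose(dc_round(5, {2: b"paid"}, 4)))        # one sender: message
    # Two senders in the same round collide: the result is m1 XOR m2, which
    # is why a multi-access protocol is needed and why a single participant
    # sending noise can disrupt every round.
    print(superpose(dc_round(4, {0: b"\x0f\x0f", 3: b"\xff\x00"}, 2)))
```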
Crowds for anonymous Web-Transactions
1. User first joins a "crowd" of other users, where he is represented by a "jondo" process on his local machine
2. User configures his browser to employ the local jondo as a proxy for all new services
3. User's request is passed by the jondo to a random member of the crowd
4. That member can either submit the request directly to the web server or forward it to another randomly (with pf > 1/2) chosen user.
-> Request is eventually submitted by a random member
Communication Paths in Crowds
[Figure: paths of requests through jondos 1 to 6]
Communication between jondos is encrypted with keys shared between jondos
Anonymity degrees in Crowds
- Absolute Privacy: The attacker cannot distinguish the situations in which a potential sender sent a message and those in which he did not
- Beyond suspicion: sender appears no more likely to be originator of a message than any other potential sender in the system
- Probable innocence: sender appears no more likely to be originator than not to be the originator
- Possible innocence: There is a non-trivial possibility that the sender is someone else
- Exposed: Attacker can identify sender
Anonymity Properties in Crowds
n: Number of Crowds members
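An added simulation, not part of the original slides, of the Crowds forwarding rule (forward with probability pf, otherwise submit). It estimates how often the first collaborating jondo on a path sees the true initiator as its predecessor, and compares this with the closed form from Reiter and Rubin's Crowds analysis. The symbol c (number of collaborating jondos) and all function names are assumptions of this example.

```python
import random

def predecessor_seen(n: int, c: int, pf: float, rng: random.Random):
    """Route one request; jondos 0..c-1 collaborate, jondo c is the initiator.

    Returns the predecessor observed by the first collaborator on the path,
    or None if the request reaches the web server without meeting one.
    """
    prev = c
    while True:
        nxt = rng.randrange(n)        # uniformly random member (may be itself)
        if nxt < c:
            return prev               # collaborator logs who handed it over
        prev = nxt
        if rng.random() >= pf:        # with probability 1 - pf: submit
            return None

def estimate(n: int, c: int, pf: float, trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(predecessor is initiator | collaborator on path)."""
    rng = random.Random(seed)
    seen = hits = 0
    for _ in range(trials):
        pred = predecessor_seen(n, c, pf, rng)
        if pred is not None:
            seen += 1
            hits += pred == c
    return hits / seen

def closed_form(n: int, c: int, pf: float) -> float:
    """P(I | H1+) = (n - pf * (n - c - 1)) / n  (Reiter and Rubin)."""
    return (n - pf * (n - c - 1)) / n

def probable_innocence(n: int, c: int, pf: float) -> bool:
    """Holds when n >= pf / (pf - 1/2) * (c + 1); requires pf > 1/2."""
    return pf > 0.5 and n >= pf / (pf - 0.5) * (c + 1)

if __name__ == "__main__":
    for n in (20, 6):                 # same attacker (c = 2), two crowd sizes
        print(n, round(estimate(n, 2, 0.75), 3), closed_form(n, 2, 0.75),
              probable_innocence(n, 2, 0.75))
```

With c = 2 and pf = 0.75, a crowd of 20 keeps the initiator below the 1/2 threshold, while a crowd of 6 does not.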
Crowds - Review
- Sender anonymity against:
  - end web servers
  - other Crowd members
  - eavesdroppers
- Limitations:
  - No protection against “global” attackers, timing/message length correlation attacks
  - Web server's log may record submitting jondo's IP address as the request originator's address
  - Request contents are exposed to jondos on the path
  - Anonymising service can be circumvented by Java Applets, ActiveX controls
  - Performance overhead (increased retrieval time, network traffic and load on jondo machines)
  - No defence against DoS-attacks by malicious crowd members
Onion Routing
- Onion = Object with layers of public key encryption to produce anonymous bi-directional virtual circuit between communication partners and to distribute symmetric keys
- Initiator's proxy constructs “forward onion” which encapsulates a route to the responder
- (Faster) symmetric encryption for data communication via the circuit
[Figure: onion layers for X, Y, Z being peeled off hop by hop]
Forward Onion for route W-X-Y-Z:
Each node N receives (PK_N = public key of node N):
- {exp-time, next-hop, Ff, Kf, Fb, Kb, payload}_PK_N
- exp-time: expiration time
- next-hop: next routing node
- (Ff, Kf): function/key pair for symmetric encryption of data moving forward in the virtual circuit
- (Fb, Kb): function/key pair for symmetric encryption of data moving backwards in the virtual circuit
- payload: another onion (or null for responder's proxy)
[Figure: nested layers of the forward onion]
X: exp-time_x, Y, Ff_x, Kf_x, Fb_x, Kb_x
Y: exp-time_y, Z, Ff_y, Kf_y, Fb_y, Kb_y
Z: exp-time_z, NULL, Ff_z, Kf_z, Fb_z, Kb_z, PADDING
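The forward onion layout above, built and peeled in an added example that is not part of the original slides. Public-key encryption under PK_N is replaced by a toy keyed seal (SHA-256 keystream plus HMAC tag) so the code runs with the standard library only; that substitution, the JSON layer encoding, the omission of Ff/Fb and padding, and all function names are assumptions.

```python
import hashlib, hmac, json, os

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for {...}PK_N: XOR keystream plus HMAC tag (not real PKE)."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("layer is not addressed to this node")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def build_onion(route, node_keys, exp_time):
    """Wrap innermost-first, so the first hop's layer ends up outermost."""
    onion, next_hop = b"", None              # innermost payload is null
    for node in reversed(route):
        layer = {"exp_time": exp_time, "next_hop": next_hop,
                 "Kf": os.urandom(16).hex(), "Kb": os.urandom(16).hex(),
                 "payload": onion.hex()}
        onion = seal(node_keys[node], json.dumps(layer).encode())
        next_hop = node
    return onion

def peel(node, node_keys, onion, now):
    """One node's view: remove own layer, check expiry, learn only the next hop."""
    layer = json.loads(unseal(node_keys[node], onion))
    if layer["exp_time"] < now:
        raise ValueError("onion expired")    # bounds how long replays must be tracked
    return layer["next_hop"], bytes.fromhex(layer["payload"]), (layer["Kf"], layer["Kb"])

def walk(route, node_keys, onion, now):
    """Pass the onion along the route and record (node, next hop) pairs."""
    hops, node = [], route[0]
    while node is not None:
        nxt, onion, _keys = peel(node, node_keys, onion, now)
        hops.append((node, nxt))
        node = nxt
    return hops

if __name__ == "__main__":
    keys = {name: os.urandom(32) for name in "XYZ"}   # constructed node keys
    print(walk(["X", "Y", "Z"], keys, build_onion(["X", "Y", "Z"], keys, 1000), now=500))
```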
Virtual circuit creation and communication
- Create command accompanies an Onion: If node receives onion, it peels off one layer, keeps forward/backward encryption keys, it chooses a virtual circuit (vc) identifier and sends create command + vc identifier + (rest of) onion to next hop.
- It stores the vc identifier it receives and the one that it sent out as a pair.
- Until circuit is destroyed -> whenever it receives data on one connection, it sends it off to the other
- Forward encryption is applied to data moving in the forward direction, backward encryption is applied in the backward direction
Example: Virtual Circuit with Onion Routing
Send data by the use of send command: Data sent by the initiator is “pre-encrypted” repeatedly by his proxy. If W receives data sent back by Z, it applies the inverse of the backward cryptographic operations (outermost first).
Onion Routing - Review
- Functionality:
  - Hiding of routing information in connection oriented communication relations
  - Nested public key encryption for building up virtual circuit
  - Expiration_time field reduces costs of replay detection
  - Dummy traffic between Mixes (Onion Routers)
- Limitations:
  - First/Last-Hop Attacks by
    - Timing correlations
    - Message length (No. of cells sent over circuit)
TOR (2nd Generation Onion Router – www.torproject.org)
First Step
- TOR client obtains a list of TOR nodes from a directory server
- Directory servers maintain list of which onion routers are up, their locations, current keys, exit policies, etc.
[Figure: TOR client and directory server]
TOR circuit setup
- Client proxy establishes key + circuit with Onion Router 1
- Proxy tunnels through that circuit to extend to Onion Router 2
- Etc.
- Client applications connect and communicate over TOR circuit
[Figure: TOR client proxy]
TOR: Building up a two-hop circuit and fetching a web page
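Parties: Alice, OR 1, OR 2, Web site
Links: Alice - OR 1 is TLS-encrypted; OR 1 - OR 2 is TLS-encrypted; OR 2 - Web site is unencrypted
Alice -> OR 1: Create c1, E(g^x1)
OR 1 -> Alice: Created c1, g^y1, H(K1)
Alice -> OR 1: Relay c1 {Extend, OR2, E(g^x2)}
OR 1 -> OR 2: Create c2, E(g^x2)
OR 2 -> OR 1: Created c2, g^y2, H(K2)
OR 1 -> Alice: Relay c1 {Extended, g^y2, H(K2)}
Alice -> OR 1: Relay c1 {{Begin <website>:80}}
OR 1 -> OR 2: Relay c2 {Begin <website>:80}
OR 2 -> Web site: (TCP handshake)
OR 2 -> OR 1: Relay c2 {Connected}
OR 1 -> Alice: Relay c1 {{Connected}}
Alice -> OR 1: Relay c1 {{Data, HTTP Get...}}
OR 1 -> OR 2: Relay c2 {Data, HTTP Get...}
OR 2 -> Web site: HTTP Get...
Web site -> OR 2: (response)
OR 2 -> OR 1: Relay c2 {Data, (response)}
OR 1 -> Alice: Relay c1 {{Data, (response)}}
Legend: E(x): RSA encryption; {X}: AES encryption; cN: a circuit ID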
TOR - Review
- Some improvements in comparison with Onion Routing:
  - Perfect forward secrecy
  - Resistant to replay attacks
  - Many TCP streams can share one circuit
  - Separation of ”protocol cleaning” from anonymity:
    - Standard SOCKS proxy interface (instead of having a separate application proxy for each application)
    - Content filtering via Privoxy
  - Directory servers
  - Variable exit policies
  - End-to-end integrity checking
  - Hidden services
- Still vulnerable to end-to-end timing and size correlations
Further reading
- Andreas Pfitzmann, Marit Hansen, "Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology", Version v0.31, Feb. 15, 2008. http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.31.doc#_Toc64643839
- Andreas Pfitzmann et al., "Communication Privacy", in: Acquisti et al. (Eds.), Digital Privacy – Theory, Technologies, and Practices, Auerbach Publications, 2008
- D. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms", Communications of the ACM, 24 (2), 1981, pp. 84-88, http://world.std.com/~franl/crypto/chaum-acm-1981.html
- P. Syverson, D. Goldschlag, M. Reed, "Anonymous Connections and Onion Routing", Proceedings of the 1997 Symposium on Security and Privacy, Oakland, 1997, http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/OAKLAND_97.ps , http://www.onion-router.net/Publications.html
- Roger Dingledine and Nick Mathewson, The Free Haven Project; Paul Syverson, Naval Research Lab, "Tor: The Second-Generation Onion Router", 13th USENIX Security Symposium, 2004, http://static.usenix.org/event/sec04/tech/full_papers/dingledine/dingledine.pdf
- M. Reiter, A. Rubin, "Anonymous Web Transactions with Crowds", Communications of the ACM, Vol. 42, No. 2, February 1999, pp. 32-38.
- Simone Fischer-Hübner, "IT-Security and Privacy - Design and Use of Privacy-Enhancing Security Mechanisms", Springer Scientific Publishers, Lecture Notes of Computer Science, LNCS 1958, May 2001, ISBN 3-540-42142-4 (chapter 4)
Repetition: Diffie-Hellman Key exchange
Global Public Elements:
- q: prime number
- α: α < q and α is a primitive root of q
[If α is a primitive root of prime number p, then the numbers α mod p, α^2 mod p, …, α^(p-1) mod p are distinct and are a permutation of {1..p-1}. For any integer b < p and primitive root α of prime number p, one can find a unique exponent i (discrete logarithm) such that b = α^i mod p, 0 ≤ i ≤ (p-1). For larger primes, calculating discrete logarithms is considered practically infeasible.]
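An added example, not part of the original slides, that ties the primitive-root definition above to the Create/Created exchange in the TOR circuit figure: the client sends g^x, the onion router answers with g^y and H(K), and the client accepts the key only if its own H(K) matches. The toy parameters q = 353, α = 3, the use of SHA-256 for H, the omission of the RSA wrapping E(...), and all names are assumptions.

```python
import hashlib
import secrets

Q, ALPHA = 353, 3          # toy group, far too small for real use

def is_primitive_root(alpha: int, p: int) -> bool:
    """alpha^1 .. alpha^(p-1) mod p must be a permutation of {1..p-1}."""
    return {pow(alpha, i, p) for i in range(1, p)} == set(range(1, p))

def H(key: int) -> str:
    """Key confirmation value, as in 'Created c1, g^y1, H(K1)'."""
    return hashlib.sha256(str(key).encode()).hexdigest()

class OnionRouter:
    def created(self, gx: int):
        """Answer a Create cell: pick fresh y, derive K, reply (g^y, H(K))."""
        y = secrets.randbelow(Q - 2) + 1          # ephemeral, 1 <= y <= q-2
        self.key = pow(gx, y, Q)
        return pow(ALPHA, y, Q), H(self.key)

def client_handshake(router: OnionRouter, tamper: bool = False) -> int:
    """Client side of Create/Created; raises if H(K) does not confirm the key."""
    x = secrets.randbelow(Q - 2) + 1              # ephemeral, 1 <= x <= q-2
    gy, hk = router.created(pow(ALPHA, x, Q))
    if tamper:
        gy = gy * ALPHA % Q                       # constructed in-transit change to g^y
    key = pow(gy, x, Q)
    if H(key) != hk:
        raise ValueError("H(K) mismatch: handshake rejected")
    return key

if __name__ == "__main__":
    print(is_primitive_root(ALPHA, Q), is_primitive_root(2, Q))
    or1, or2 = OnionRouter(), OnionRouter()
    k1 = client_handshake(or1)    # Create c1 directly to OR 1
    k2 = client_handshake(or2)    # Extend: same exchange, relayed through OR 1
    print(k1 == or1.key, k2 == or2.key)
```

Because x and y are fresh for every circuit and discarded afterwards, a later compromise of a router's long-term key does not reveal K, which is the perfect forward secrecy listed in the TOR review.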