Cashmere: Resilient Anonymous Routing Li Zhuang (U.C. Berkeley) Feng Zhou (U.C. Berkeley) Ben Y. Zhao (U. C. Santa Barbara) Antony Rowstron (Microsoft Research UK) Andrzej Skalski
Plan What is anonymous routing Traditional Approach Cashmere – design goals Idea of Structured Overlay Networkds and Key-Based Routing How Cashmere uses SON and KBR Cashmere's Transmission protocol details Attack model Anonymity Measurements Briefly on resilience and fault tolerance Briefly on performance in terms of computation and communication Notice on ommited information
What is anonymous routing? Anonymous routing is a set of techniques in comunication that protects users from identification by third-party observers. Typical usage is either military or anti-censorship activity. This paper does not cover legal or ethical issues of described techniques.
Traditional Approach: Chaum-Mixes (and it's extensions) Each message from A to B is is passed through a sequence of relays R 1 , R 2 ... R L , each having a pair of assymetric encryption keys. After discovering the route (selecting relays) A encrypts a message with a series of public keys corresponding to chosen sequence. Then each relay apply private-key decrypt transformation to received message, and passes it to next one, until fully-unencrypted message reaches B.
Traditional Approach: Chaum-Mixes (and it's extensions), ctd. If any Ri fails to decrypt and forward for any reason, entire process fails. Because none of R i knows what the source of message was, it's impossible to give A specific information on failure. Source needs to discover the failure by itself, and create new path from living nodes. This implies either broadcast, or existence of some special tracking-nodes. If node failures are frequent, such approach suffers huge performance losses.
Cashmere – design goals Source anonymity – identity of source is hidden to al other nodes, including destination node. Unlinkability – even if source and destination are known to be participating in communication, they cannot be distinguished from other participating nodes as A and B. Resilience – improved tolerance to node failures in terms of performance.
Cashmere – architecture Instead of single-node relays, Cachmere uses virtual relay groups , of multiple nodes. Membership of the group can change dynamically. All members of one group share a common public/private key pair. Forwarding path is a sequence of relay groups . Destination is a member of final relay group .
Idea of Structrued Overlay Networks and Key-Based Routing Structured overlay network ( SOP ) is a set of nodes (participants of the network). Each SOP has it's own k-bit identifier space . Each node of SOP has it's own random nodeID assigned from this space by an off-line CA (central authority). Each node maintains a routing table that contains (usually) O(log N) records like < nodeID of v, IP of v> where v is some participant of the overlay and N is the number of nodes in overlay. It is enforced by the algorithm of constructing the routing table, that path from A to B is
Idea of Structrued Overlay Networks and Key-Based Routing, ctd. Destination's nodeID is used as a key (or address). Each relay node selects from it's routing table a neighbour whose nodeID shares the longest prefix with key and forwards the message to it. The picture shows example routing from 5230 to 8954 (for some reason authors decided to write all numbers reversed in their paper, just read them backwards). It's just an example of idea, not a Cashmere design.
How Cashmere use it: Instead of relay nodes , Cashmere relies on relay groups . A relay group is a sub-set of nodes , that share the same m-bit prefix of their nodeID (1< m < k) further called groupID. For each prefix of any length to any existing nodeID , a pair of public/private keys is generated. User wishing to join network gets these data from CA (all signed by CA): Unique k-bit nodeID , and number m - length of groupID prefix. k pairs of private/public keys for all prefixes to nodeID (prefix keys) All public prefix keys.
Key-Based Routing with relay groups groupID instead of nodeID is used as the key in Key-Based Routing procedure. As the message is routed through network, the first node that receives the message and shares the groupID prefix with message key acts as a group representant, and processes the message on behalf of the relay group . (later about processing) Therefore we can consider passing a message through relay groups as a sequence of anycasts to members of another group.
Transmission protocol: A transmits message M to B. A generates a random sequence of m-bit groupID s that contains groupID of B (at any position!), the sequence identifies L relay groups . We will further call these relay groups P 1 , P 2 ,... ,P L . A encrypts forwarding path in multiple layers. Then A encrypts (independently) M's payload (details later) and anycasts the obtained package to P 1 . When a node N matching current prefix P i receive a package, it acts on behalf it's relay group : it decrypts outer layer using group's private key revealing P i+1 's ID, and anycasts it further. N also multicast current payload to all nodes in it's group.
Transmission protocol: how A encrypts the message payload It's required that only B can successfully decrypt M, and that it receives it no matter which node will act as B's relay group representant. Furthermore, current payload need to vary in each hop, because otherwise it could mark the routing path. Therefore Cashmere create a relay group P i 's payload as follows: R i is a symmetric key generated by source for each relay group P i . Obviously, for B in relay group P dst , Payload dst is generated first, and induces other indices.
Transmission protocol: how A encrypts forwarding path Forwarding path carries symmetrical keys R i generated by the source, successing groupID and path suffix or termination symbol. For optimisations, definition of Path i will be extended, details later.
Transmission protocol: example: B is in P 2 , L = 4, 12302 acts as 123** representant
Transmission protocol: Optimisations Because Path i and Payload i are decoupled, Path i can be stored for further ↔ usage by the nodes. Each node caches map Path i <Path i+1 , P i+1 , R i > In order to avoid asymmetric encrypt/decrypt operations on each data, source A while computing Path, creates a series of additionala values K 1 , K 2 , …, K L , where: for B in relay group P d , and all other K i are random. ”|” is contactenation, and FLAG means ”yes, you're a destination node, and prefix is a symmetric key”. So now, recipe for Path i is: and the representant of relay group multicasts K i along with Payload i .
Transmission protocol: the big picture
Quickly about Reply Address (no new ideas here) If sender A wishes to receive a feedback from B (either ACK or a real message with it's payload) it basically constructs a reply path in the same manner as forwarding path: A generates a sequence of P 1 ' , P 2 ' , ... , P L ' and ensures, that it's relay group is on the list. Then: where k i ', R i ' are selected random, and send it to B along with original message.
Attack model Let f be the fraction of all nodes the attacker controls. Controlled nodes leak all information (including private/public keys) immediately to attacker. Furthermore, attacker can listen to either all or some part of the traffic in the network. Each time any estimations will be given, this figure will be specified.
Anonymity Measurment: entrophy Let: f – number of compromised nodes N – number of all nodes q – average relay group size (q = N/2^m) L – length of the path Ω – set of nodes Ω p u – probability of node u from being a source or destination of a message. Then, entrophy is defined as follows:
Anonymity Measurement: anonymity of the system Intuitively, the ideal anonymity is situation, when all nodes seems to be equally probable as source or destination of a message: Then, optimal entrophy is: Therefore, the measurement of anontymity of a system, is:
Anonymity Measurement: unlinkability in terms of entrophy, details In this measurement, authors assumed that: attacker knows the exact number L attacker knows only compromised nodes' traffic Results are compared to traditional Chaum-Mixes.
Anonymity Measurement: unlinkability in terms of entrophy, image
Recommend
More recommend
