Mixes - state of the art - PowerPoint PPT Presentation
Mixes - state of the art
- Enables users to communicate with each other without identifying each other in general
- If a mix-mediated system is used to transmit messages, the communicating parties cannot be correlated by anybody who observes the network and/or even corrupts some of the mixes used.
Mixes and their attacking models
- What is a mix?
A mix is a network node with cryptographic facilities that hides the relations between communicating users.
- Functionality of a mix:
- The mix changes the appearance of the message by using a suitable cryptosystem
- Non-correlation by message length can be achieved if all messages have the same length initially and a length-preserving scheme is used for the cryptographic operations
- Time correlation is avoided as the mix collects all messages in its buffer and reorders them before they are forwarded
Functionality of Mix
- The buffering allows retention of a set of messages in the mix, whose I/O sequence is changed by reordering
- This way, no correlation of the incoming and the forwarded messages of a mix is possible
- Buffering modes are 'batch mode' and 'pool mode'
- In batch mode, all messages are processed at once after the buffer is filled
- In pool mode, one message is selected from a full buffer after a further message has arrived
Functionality of Mix
- For sending a message N through the mixes:
1. Alice must prepare her message.
2. She encrypts the message with the public key ci of the mix.
3. The next envelope is opened by the second mix.
4. This is done by decrypting them with their private keys; hence each mix (funny mix-men) can only open a distinct envelope that contains its personal address.
5. Bob receives the message ⇒ nobody can relate Alice and Bob as long as sufficiently many other letters are transferred and not all mixes/men cooperate as attackers.
Functionality of Mix
- Alice encodes a message N by successively encrypting Ni+1 plus some random bits ri+1 with the public key ci of each mix Mi (starting with the last one)
- Ni is sent to Mi, which is addressed by Ai.
- Only Mi is able to further process Ni because of its knowledge of the secret key belonging to ci; therefore it can extract Ai+1 and forward Ni+1
- The last mix of the chain gets the address Am+1 of the recipient, Bob, for whom the message N is intended, and forwards it. It may still be encrypted for Bob, but this is independent of the mix protocol
Example of the mix functionality :
Inputs to Mix 1: c1(r4, c2(r1, Nx)), c1(r5, c2(r2, Ny)), c1(r6, c2(r3, Nz))
Mix 1 to Mix 2: c2(r3, Nz), c2(r1, Nx), c2(r2, Ny)
Outputs of Mix 2: Ny, Nz, Nx
Example of the mix functionality :
Mix 1
- buffering of incoming messages
- ignoring message replay
- Recoding messages di(ci(ri,Ni))=ri,Ni
- Ignoring ri and forwarding Ni
- Reordering messages
Example of the mix functionality :
- Each envelope that is put around the original message must contain random bits (named ri+1) in order to prevent bridging a trustworthy mix; otherwise an eavesdropper could easily correlate messages because of the deterministic nature of a mix
Mix i: input ci(Ai+1, ri+1, Ni+1), output Ai+1, Ni+1
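The Mix 1 functions listed above and the role of the random bits ri+1, as an added example that is not part of the original presentation. Textbook RSA over two Mersenne primes is assumed here as a toy deterministic public-key system, and all names (`c`, `d`, `Mix`, `linkable`, `demo`) and sample messages are constructed for illustration.

```python
import secrets

# Toy deterministic public-key system: textbook RSA over two Mersenne primes.
# Assumption for illustration only; it is insecure and not the presentation's cryptosystem.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
MOD = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def c(addr: int, r: bytes, n_next: bytes) -> int:
    """c_i(A_{i+1}, r_{i+1}, N_{i+1}): encrypt under the mix's public key."""
    plain = bytes([1, addr, len(r)]) + r + n_next   # leading 1 preserves the length
    assert len(plain) <= 29, "toy modulus holds at most 29 bytes"
    return pow(int.from_bytes(plain, "big"), E, MOD)

def d(cipher: int):
    """d_i(c_i(...)): decrypt with the private key, return (A_{i+1}, r_{i+1}, N_{i+1})."""
    m = pow(cipher, D, MOD)
    plain = m.to_bytes((m.bit_length() + 7) // 8, "big")
    addr, r_len = plain[1], plain[2]
    return addr, plain[3:3 + r_len], plain[3 + r_len:]

class Mix:
    def __init__(self):
        self.seen = set()                      # memory for the replay test

    def process_batch(self, batch):
        out = []
        for cipher in batch:                   # batch mode: the full buffer at once
            if cipher in self.seen:
                continue                       # ignore message replay
            self.seen.add(cipher)
            addr, _r, n_next = d(cipher)       # recode, ignore r
            out.append((addr, n_next))
        secrets.SystemRandom().shuffle(out)    # reorder before forwarding
        return out

def linkable(batch, outputs):
    """Outputs that re-encrypt (public key, no r) to an observed input."""
    return {n for addr, n in outputs if c(addr, b"", n) in batch}

def demo(r_len: int):
    msgs = [b"Nx", b"Ny", b"Nz"]               # constructed sample messages
    batch = [c(7, secrets.token_bytes(r_len), n) for n in msgs]
    batch.append(batch[0])                     # a replayed input
    outputs = Mix().process_batch(batch)
    return outputs, linkable(batch, outputs)
```

`demo(0)` returns every output as linkable to its input, while `demo(8)` returns none; in both runs the replayed fourth input is dropped.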
How to connect mixes ?
- Mixes must be developed and operated by independent users, otherwise an attacker who controls one mix would be able to control all
- It is advisable to diversify information and system components locally; that gives an attacker fewer opportunities to attack the system
- The existence of a communication network NCS and an anonymity network NAS is assumed
How to connect mixes ?
- For NAS the following assumption is made: at least one mix Mi of the mix chain MCk that the message passes must be trustworthy.
- This may be achieved by organizationally dividing the responsibilities (i.e. different providers)
- This means:
$$\forall k.\ \exists (i,j).\ (M_i, M_j \in MC_k \wedge i \neq j \Rightarrow PM_i \neq PM_j)$$
How to connect mixes ?
- Whereby a mix chain MC comprises m mixes ($m \geq 1$), with ⊕ being the concatenation of all mixes used. Hence:
$$\forall k.\ MC_k \in N_{AS} \wedge MC_k = \bigoplus_{i=1}^{m} M_i$$
- A mix chain that is used persistently in the same order is called a cascade (static order)
- Mixes can be connected as a mix cascade or as an open mix sequence
Preparing the message
- Messages can be prepared for sender anonymity, recipient anonymity, or both combined.
- Sender anonymity:
The following formula introduces the general scheme for sender anonymity, which uses a direct coding scheme:
$$N_{m+1} := N, \qquad N_i := c_i(A_{i+1}, r_{i+1}, N_{i+1}) \qquad (i = m, \ldots, 1)$$
Preparing the message
- Recipient anonymity:
Bob first creates an anonymous return address (RA) according to the sender anonymity scheme. He transmits it to Alice, and following its receipt she can send her message N, using RA to encrypt her message.
B to A: $RA := R_1$
A to B (msg): $N_1 = R_1, I_1 = R_1, k_0(N)$
Preparing the message
The scheme is called indirect since Bob has to deliver the secret first in order to receive a message anonymously. This also involves some additional calculation steps, as each mix has to encrypt the sender's message with the symmetric key it finds after decrypting the header of RA.
$$R_{m+1} := e, \qquad R_i := c_i(k_i, A_{i+1}, R_{i+1}) \qquad (i = m, \ldots, 1)$$
where e is a flag that only B (index m+1) can recognize
Preparing the message
- Ri contains all necessary information for the mix. The keys ki represent symmetric keys that the mixes have to apply if somebody uses RA (:= R1) in order to send a message to B
- If A wants to send a message N to B, she uses R1 and sends her information I1 to the first mix
- I1 contains the message N
- Thus she sends N1 = R1, I1 to the first mix according to the following formula:
Preparing the message
$$N_i = R_i, I_i \quad \text{with} \quad I_1 = k_0(N), \quad I_i = k_{i-1}(I_{i-1}) \qquad (i = 2, \ldots, m+1)$$
- The first mix decrypts R1 with its private key d1 and uses k1 for the further encryption of I1 = k0(N)
- The recipient therefore gets
$$e, I_{m+1} = e, k_m(\ldots(k_1(k_0(N)))\ldots)$$
and retrieves N because of his knowledge of e and all ki
Preparing the message
- Combining sender and recipient anonymity:
If both schemes are combined, there must exist a selected network node (N) relating both anonymity schemes
Length preserving schemes
- Avoid correlations by length. They are indirect as well. To obtain the same size for all message blocks, random bits are added to each message
- Every message has a fixed length of b blocks that each contain an anonymous RA, random bits and the actual message. The anonymous RA is set out as follows:
$$R_{m+1} := [e], \qquad R_i := [c_i(k_i, A_{i+1})],\ k_i(R_{i+1}) \qquad (i = m, \ldots, 1)$$
Length preserving schemes
- [ ] symbolizes the boundary of the block. Depending on the anonymity scheme wanted, the application of ki in the following refers to either encryption or decryption. The appropriate operation is length preserving.
- In case of sender anonymity, A generates RA and prepares her message N by successively encrypting it with the keys ki, which are also included in Ri for each mix. Subsequently she sends N1 to the first mix:
$$N_1 = H_1, I_1 \quad \text{with} \quad H_1 = R_1, \quad I_1 = k_1(k_2(\ldots k_m(c_{m+1}(N))\ldots))$$
Length preserving schemes
- H1: the header representing the anonymous RA
- I1 is the contents of the message
- By splitting the message this way, the block length b is kept constant. Every time Ri gets shorter, random bits are added
- In case of recipient anonymity, the sender does not know the symmetric keys that the mixes have to use. The sender knows only k0 as the key to encrypt his message for the recipient; thus the sender builds his message N1 according to the following formula:
Length preserving schemes
$$N_1 = H_1, I_1 \quad \text{with} \quad H_1 = R_1, \quad I_1 = k_0(N)$$
handling the information (k0, A1, R1) from the RA selected. Each mix Mi builds the message Ni+1 for the following mix using the following scheme:
$$N_i = H_i, I_i \quad \text{with} \quad I_i = k_{i-1}(I_{i-1}) \qquad (i = 2, \ldots, m+1)$$
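The length-preserving scheme for the sender anonymity case, as an added example that is not part of the original presentation: the header is built as R_i := [c_i(k_i, A_{i+1})], k_i(R_{i+1}) and each mix pads it back to m+1 blocks. Assumptions: a SHA-256 keystream XOR stands in for both the symmetric k_i and the public-key operation c_i/d_i, the body passed in plays the role of c_{m+1}(N), and the block sizes, names and sample message are constructed.

```python
import hashlib, secrets

BLOCK, M, BODY = 32, 3, 64          # block bytes, mixes in the chain, body bytes (constructed)
E_FLAG = b"e".ljust(BLOCK, b"\0")   # flag e that only the recipient recognises

def k(key: bytes, label: bytes, data: bytes) -> bytes:
    """Length-preserving k_i: XOR with a SHA-256 keystream (encrypt == decrypt)."""
    stream = b"".join(hashlib.sha256(key + label + bytes([n])).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def build(mix_keys, sym_keys, n_plain):
    """Sender: R_{m+1} := [e]; R_i := [c_i(k_i, A_{i+1})], k_i(R_{i+1})."""
    header, body = E_FLAG, n_plain.ljust(BODY, b"\0")
    for i in range(M, 0, -1):                       # i = m, ..., 1
        first = (sym_keys[i] + bytes([i + 1])).ljust(BLOCK, b"\0")  # (k_i, A_{i+1})
        first = k(mix_keys[i], b"pk", first)        # stand-in for c_i (assumption)
        header = first + k(sym_keys[i], b"hdr", header)
        body = k(sym_keys[i], b"body", body)        # I_1 = k_1(k_2(...k_m(..)))
    return header, body

def mix_step(mix_key, header, body):
    """Mix i: open its own block, apply k_i to the rest, pad back to M+1 blocks."""
    first = k(mix_key, b"pk", header[:BLOCK])       # stand-in for d_i (assumption)
    k_i, next_addr = first[:16], first[16]
    rest = k(k_i, b"hdr", header[BLOCK:])           # yields R_{i+1} plus old padding
    return next_addr, rest + secrets.token_bytes(BLOCK), k(k_i, b"body", body)

def run(n_plain=b"N for B"):
    mix_keys = {i: secrets.token_bytes(16) for i in range(1, M + 1)}
    sym_keys = {i: secrets.token_bytes(16) for i in range(1, M + 1)}
    header, body = build(mix_keys, sym_keys, n_plain)
    lengths, addr = [len(header + body)], 1
    for i in range(1, M + 1):                       # message passes M_1 ... M_m
        addr, header, body = mix_step(mix_keys[i], header, body)
        lengths.append(len(header + body))
    return lengths, addr, header[:BLOCK] == E_FLAG, body.rstrip(b"\0")
```

`run()` returns the message length observed on each link, the final address, whether the recipient finds e in the first header block, and the recovered body.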
The attacking model
Definition: an attacking model is a model that describes the strength of the attacker, i.e.:
- which parts of the system are accessible and/or can be manipulated by the attacker, and in which way
- which computational capacities are available to him
The attacking model
Definition: the attacking model for mixes is an attacking model which fulfills the following conditions:
- An attacker can tap all lines: he can read all inputs and outputs of all mixes and user stations
- m-1 of m mixes used can be corrupted: all information of the mix is known to the attacker or can even be manipulated by him
- There is no protection against a global attacker: if he can control n-1 of n users of the network, there is no chance to protect the n-th user
The attacking model
- This attacking model describes the strongest attacker that a mix system can withstand: even if the attacker controls m-1 of m mixes, he cannot trace any message
- Lemma:
Given m mixes Mi (1 ≤ i ≤ m), provided that it is assumed that:
$$\forall M_i.\ M_i \in N_{AS}$$
$$\exists j : 1 \leq j \leq m.\ M_j \in N_{AS} \wedge \mathit{trustworthy}(M_j)$$
The following approach is used: the more mixes Mi are included in NAS, the more one can hope that some Mi is trustworthy. Hence
$$m \to \infty \Rightarrow P(\forall i : 1 \leq i \leq m.\ \neg\mathit{trustworthy}(M_i)) \to 0$$
The attacking model
- One should include the largest possible number m of mixes in order to increase the probability P that the predicate trustworthy(Mi) holds for at least one Mi
Def. of the attacker's actions
- An attacker is called a passive attacker if he can only observe the system without performing special actions
- An attacker is called an active attacker if he performs actions to induce the system state or to produce the data necessary for his attack
- The following distinction into two classes of behavior assumes that the attacker is an insider of the system. According to this, the behavior of an attacker is defined as follows:
Def. of the attacker's actions
- If the attacker performs only actions that he is allowed to do within the system under consideration, and all actions that he is supposed to do according to the protocol, he behaves legitimately
- If the attacker also performs forbidden actions and/or omits necessary actions within the system under consideration, he is manipulating the system
- Any system consists of users, network nodes and links. Links can be established between users and nodes and between nodes respectively
- The system's bounds are all objects belonging to the communication inside the anonymity network. In respect of mixes, an attacker behaving legitimately can tap all communication lines.
Def. of the attacker's actions
- Because of the system's bounds, users can also become attackers but still behave legitimately, e.g. they may attack the system by cooperating with each other in the sense of exchanging information about messages sent according to a given protocol
- Since this exchange takes place outside of the border of the anonymity system, the users behave legitimately.
- Manipulations of the anonymity network are the delaying or flooding of mixes on purpose as well as denial of service in general; this means the attacker violates the protocol on purpose
- Other manipulations are the cooperation between attacking users, the delaying of messages, the flooding of mixes and the exchange of messages, i.e. in general the execution of protocol steps not allowed and the non-execution of necessary steps.
Extended functionality to avoid attacks
- Correlation of messages is possible if an input message sent again is related to the same output message
- To prevent this kind of attack, a mix must discard replays of message inputs. The function 'test-for-replay' can prevent this attack
- To avoid correlation by length, one must process only messages of the same length and must use a length-preserving scheme in general
- Another attack is the flooding of a mix. In some situations, especially when a single user starts this attack, the function 'test-of-sender-identity' can avoid this problem
- Dummies are used for a better quality of service when no delay is wanted, or for security reasons
Extended functionality to avoid attacks
Configuration possibilities of a mix (functions):
- cryptosystem: direct schemes, indirect schemes, anonymous return address, length preserving schemes
- buffering: batch mode, pool mode
- recording
- test-for-replay
- test-of-sender-identity
- dummy generation
- connecting mixes: mix chain, mix cascade
limits
- The network allows only computational security against the strongest possible attacker; thus one limit of the system is the strength of the cryptosystem used
- It is not possible to protect the communication relation between two participants if the attackers are able to check all others
Limits of protection by mixes (no. of corrupted):
Users        Mixes
n-1          Don't care
Don't care   m