Mixminion: A next-generation anonymous remailer George Danezis - - PowerPoint PPT Presentation

mixminion a next generation anonymous remailer george
SMART_READER_LITE
LIVE PREVIEW

Mixminion: A next-generation anonymous remailer George Danezis - - PowerPoint PPT Presentation

Nov 25, 2023 310 likes •548 views

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson 1 Outline Background Related systems A few improvements over past work Secure single-use reply block mechanism 2 Anonymous,

slide-1
SLIDE 1

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson

1

slide-2
SLIDE 2

Outline

  • Background
  • Related systems
  • A few improvements over past work
  • Secure single-use reply block mechanism

2

slide-3
SLIDE 3

Anonymous, message-based communication

  • Forward messages, only Alice remains anonymous
  • Direct replies, only Bob remains anonymous
  • Anonymized reply messages where Alice and Bob

remain anonymous

3

slide-4
SLIDE 4

Threat Model (we hope)

  • Global passive adversary: can observe all links
  • Controls some of the nodes/links
  • Can send, modify, delay, etc some messages

We are not real-time, fast, packet-based, or steganographic.

4

slide-5
SLIDE 5

Basic building block: Mix

A B

E(...M,B) M ... ... ... ... ... ... Mix

A mix batches, decrypts, and reorders messages

5

slide-6
SLIDE 6

Multiple Hops

1

A B

M

2

E ...(E (M,to B), to 2)

2 1 2

E ...(M,to B)

Assume not all hops will collude and reveal A

6

slide-7
SLIDE 7

Fixed length messages by re-padding

3

1

M M ... 2 3 ... 3

  • Add random junk to the bottom to replace the info you

strip off. Everything’s encrypted, so it looks ok.

7

slide-8
SLIDE 8

Reply block

1

A B

D(D(...(M)))

2

M,"bob"

D(M),D("bob")

...

  • “bob” = 1, E1(2, ...En(B))
  • In Mixminion, replies act like forward messages.

8

slide-9
SLIDE 9

Related systems

  • One-hop: Anonymizer, hotmail, etc
  • Low-latency: onion routing, Freedom
  • Remailers: Cypherpunk, Mixmaster, Babel
  • Other: flash mix, hybrid mix, provable shuffle, etc

9

slide-10
SLIDE 10

Integrated directory servers Act as reputation servers too

  • Mixmaster’s ad hoc scheme opens users up to

partitioning attacks.

  • Directory servers can be out of sync; evil DSs can

give out rigged subsets to trace clients.

  • DSs must successively sign directory bundles; a

threshold of servers is assumed good.

10

slide-11
SLIDE 11

Link encryption for forward anonymity

  • Mixmaster uses SMTP for transport
  • We use TLS over TCP
  • Link encryption and short-term keys stop many

attacks

11

slide-12
SLIDE 12

Key rotation / Replay prevention

  • Mixmaster has no built-in key rotation
  • ...and sketchy replay detection mechanism
  • Solve them together: we keep hashes of all

messages seen since the last key rotation.

12

slide-13
SLIDE 13

Tagging attack on headers

  • Mixmaster/Babel headers have a hash to integrity-

check that hop. Doesn’t check the rest of the header!

  • We can flip some bits later in the header.

If we

  • wn the hop that corresponds to the part we just

broke, we can recognize the message.

  • So we make the hash cover the entire header.

13

slide-14
SLIDE 14

And payload too... But you can’t know the payload when writing a reply block!

  • Forward messages want hashes, and replies can’t

have them.

  • If replies are rare relative to forwards, replies are

easy to track.

14

slide-15
SLIDE 15

Messages have two headers and a payload

Build a path out of two legs, one for each header

  • For forward messages, Alice makes both legs
  • For direct replies, Alice can use the reply block

directly

  • For anonymized replies, Alice makes the first leg

and uses Bob’s reply block for the second.

15

slide-16
SLIDE 16

Legs are connected by the Crossover Point

  • One of the hops in the first header is marked as a

crossover point

  • At the crossover point, we decrypt the second header

with a hash of the payload, and then swap the headers.

16

slide-17
SLIDE 17

Forward messages are anonymous:

  • If the second header or the payload are tagged in

the first leg, then the second header is unrecover- able.

  • If tagged in the second leg, we’ve already gotten

anonymity from the first.

17

slide-18
SLIDE 18

Replies are anonymous:

  • The adversary can never recognize his tag.

18

slide-19
SLIDE 19

Multiple-message tagging attacks

  • If Alice sends multiple messages along the same

path, Mallory can tag some, recognize the pattern at the crossover point, and follow the rest.

  • Only works if Mallory owns the crossover point.
  • Fix: Alice spreads over k crossover points

(and hopes Mallory doesn’t own most of them)

19

slide-20
SLIDE 20

Nymservers and single-use reply blocks

  • Work like pop/imap servers
  • User anonymously sends a bunch of reply blocks to

receive the mail that’s waiting for him.

20

slide-21
SLIDE 21

Future work

  • Dummy traffic policy
  • Exit abuse
  • Directory servers
  • Synchronous batching
  • More analysis!

21

slide-22
SLIDE 22

Play with our code

http://mixminion.net/ (Code, mailing list, design, spec) Do you want to run a server?

22