SLIDE 1

Privacy Enhancing Technologies 2003

An Analysis of GNUnet and the Implications for Anonymous, Censorship-Resistant Networks

Dennis Kügler
Federal Office for Information Security, Germany
Dennis.Kuegler@bsi.bund.de

SLIDE 2

Anonymous, Censorship-Resistant Networks

  • Anonymous Peer-to-Peer Networks
      – Gnutella
          • Searching is relatively anonymous
          • Downloading is not anonymous
  • Censorship-Resistant Networks
      – Eternity Service
          • Distributed storage medium
          • Attack resistant
  • Anonymous, Censorship-Resistant Networks
      – Freenet
      – GNUnet

SLIDE 3

GNUnet: Obfuscated, Distributed Filesystem

  • Content Hash Key: [H(B), H(E_{H(B)}(B))]
      – Content encryption: H(B)
      – Unambiguous filename: H(E_{H(B)}(B))
  • Content replication
      – Caching while delivering
      – Based on unambiguous filename
  • Searchability
      – Keywords
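
Added example (not from the slides or from the GNUnet code base): a sketch of the Content Hash Key construction on this slide, showing that an intermediary can verify and cache a block by its unambiguous filename without holding H(B), and that identical blocks always map to the same filename. SHA-256 stands in for H and a hash-derived XOR keystream stands in for E, since the slides name neither; `encode`, `IntermediaryNode` and `fetch` are hypothetical names.

```python
import hashlib

BLOCK_SIZE = 1024  # the slides give 1KB of content per DBlock

def H(data: bytes) -> bytes:
    """Hash H from the slides; SHA-256 is a stand-in chosen for this example."""
    return hashlib.sha256(data).digest()

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_key: XOR with a hash-derived keystream (its own inverse).
    Illustrative only, not GNUnet's cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += H(key + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def chk(block: bytes):
    """Return (H(B), H(E_{H(B)}(B)), E_{H(B)}(B)) for one block B."""
    key = H(block)
    ciphertext = E(key, block)
    return key, H(ciphertext), ciphertext

def encode(content: bytes):
    """Split content into 1KB blocks and derive the CHK of each."""
    return [chk(content[i:i + BLOCK_SIZE])
            for i in range(0, len(content), BLOCK_SIZE)]

class IntermediaryNode:
    """Caches ciphertext under its unambiguous filename; never sees H(B)."""
    def __init__(self):
        self.cache = {}

    def store(self, name: bytes, ciphertext: bytes) -> bool:
        if H(ciphertext) != name:      # integrity check needs no key
            return False
        self.cache[name] = ciphertext
        return True

def fetch(node: IntermediaryNode, key: bytes, name: bytes) -> bytes:
    """Initiator side: look up by name, decrypt with H(B), verify the result."""
    block = E(key, node.cache[name])
    if H(block) != key:
        raise ValueError("decrypted block does not match its content hash")
    return block

# Constructed sample content: two identical 1KB blocks plus a 512-byte tail.
SAMPLE = bytes(range(256)) * 10
```

Because the filename depends only on the block, every node that inserts or relays the same content uses the same identifier for it.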

SLIDE 4

GNUnet: Peer-to-Peer MIX Network

  • Initiating node
      – Downloads content
  • Supplying nodes
      – Store content unencrypted
  • Intermediary nodes
      – Forward and cache encrypted content
      – Plausible deniability due to encryption
  • Economic model
      – Based on credit
      – Charge for queries
      – Pay for responses

[Figure: nodes A and B; a query with Priority=20; credit update cB = cB - 20]

SLIDE 5

GNUnet Encoding

  • DBlocks
      – 1KB of the content
      – Content hash encrypted
  • IBlocks
      – CHKs of 25 DBlocks
      – Organized as tree
      – Content hash encrypted
  • RBlock
      – Description of the content
      – CHK of the root IBlock
      – Keyword encrypted

[Figure: block tree made up of the RBlock, IBlocks and DBlocks]

SLIDE 6

The Attacker Model

  • Attacker
      – Controls malicious nodes that behave correctly
      – Prepares dictionary of interesting keywords
      – Observes queries and responses
          • Queries for known keywords
          • Queries for known IBlocks and DBlocks
          • Responses containing known IBlocks and DBlocks
  • Goals
      – Uncover initiating node
      – Uncover supplying node(s): Censorship

SLIDE 7

Classical Attacks

  • Intersection Attack
      – Not all nodes participate in every (MIX) batch
      – Remove nodes not involved in routing linkable traffic
  • Predecessor Attack
      – Log identity of preceding node
      – All nodes are logged with equal probability
      – Initiator is logged more often
  • Neither attack is discussed in GNUnet

SLIDE 8

The Shortcut Attack

  • Shortcuts do not hurt anonymity?
      – Remove nodes from anonymity set
  • Simplification
      – Guess preceding node
      – Verify guess afterwards
      – No flooding required

[Figure: nodes A, B and C; traffic]

SLIDE 9

Comments from the GNUnet Team

  • Only outbound traffic is considered for indirection!
      – Flooding requires credit
          • Shortcut attack may become even more powerful
          • Improved attack does not require flooding at all
      – Introduces additional intersection attack: DDoS
  • GNUnet doesn't set up static paths!
      – Every query is routed individually (with preference)
          • Route queries to nodes that have responded recently
          • Further queries are likely to use the shortcut
      – Attacks are more likely without static paths
          • Predecessor Attack
          • Triangulation & Encircling Attack

SLIDE 10

Triangulation & Encircling Attack

SLIDE 11

Censoring GNUnet

  • Rubber Hose Cryptanalysis
      – Censor infrequently requested content
      – Force nodes to remove content
  • Content Filtering
      – Censor frequently requested content
      – Legally enforced by law

SLIDE 12

Rubber Hose Cryptanalysis

  • Distance Attack
      – Determine nodes providing illegal content
      – Use low, increasing TTL to query nodes
  • GNUnet uses a different notion of TTLs
      – Relative Time: TTL
      – Absolute Time: TTL + T_node

SLIDE 13

Routing Queries and Responses

  • Routing Table
      – Order entries by absolute time
      – Fixed number of entries
          • Discard only overstocked entries
          • Relative TTL may become negative!
  • Responses
      – Only after entry has been allocated long enough
      – Probably received response from another node
  • Intersection Attack
      – Linkability reduces deniability

SLIDE 14

Reverse Shortcut Attack

  • Reverse Shortcut Attack
      – Remove nodes from anonymity set
  • Simplification
      – Guess following node
      – Verify guess afterwards
      – No flooding required

[Figure: nodes A, B and C; traffic]

SLIDE 15

Content Filtering

  • Every block is uniquely identified by H(E_{H(B)}(B))
  • Censoring with licenses
      – Search for illegal content
      – Issue negative licenses for indexed content
          • Prohibits delivering the block
      – Issue positive license upon request otherwise
          • Allows delivering the block
          • Time restricted
          • Need not check content
      – Licenses are cached in GNUnet

SLIDE 16

Conclusion

  • We have presented some attacks on GNUnet
      – Linkability should be prevented at all costs
      – Set up paths as static as possible
      – Shortcut Attacks cannot be fixed easily
          • Economic model cannot replace trust
          • PGP Web of Trust?
      – Unique identifiers enable content filtering
          • Content filtering perhaps won't be realized
          • ...but it shows weaknesses in the concept
  • So, is GNUnet a sound approach?