Real-Time Mixes for ISDN Requirements of real-time communication - - PowerPoint PPT Presentation

Real-Time Mixes for ISDN

Requirements of real-time communication

• Becomes important when using services like

telephony where a continuous data stream via channels has to be transmitted

• In order to configure an anonymous channel, the

requirements of real-time communication must be stated for the network in which such channel is to establish

• The network examined is the narrow-band ISDN
• The modifications of the protocols are examined in

the context of voice and data communication on the ISDN as standardized

Requirements of real-time communication

• ISDN networks are actually build by most European PTT`s

(post Telegraph Telephone companies)

• Anonymous channels can also be applied to other networks as

long as a certain delay at the start of a connection is tolerable

• This was done for mobile communication based on GSM

standard

• Similar ideas were applied to synchronous communication
• ver TCP/IP networks
• The techniques are based on mixes
• In ISDN NW each user is connected to a local exchange via an

exclusive wire, where the bandwidth is shared in the long- distance NW

• Voice communication means strict real-time during a call and

certain upper bound on the setup time

Requirements of real-time communication

• The ISDN requirements are that :

Two bit-transparent duplex channels with 64 kbit .s-1 each must be offered on two given data channels of exactly his bandwidth Any additional signaling channel of 16 kbit .s-1 is available and .. Any additional messages needed should fit into the signaling structure of the given ISDN

Requirements of real-time communication

• Basic mixes as described by chaum are only suitable

for non-real time communication as :

There is a significant delay since a mix must wait until it has a sufficiently large amount of message to mix The asymmetric cryptographic operation on the message that each mix must perform takes a certain time and can

• nly start when at least a long block of the message has

arrived and .. The use of probabilistic encryption results in a significant bandwidth expansion if several mixes are used Thus a modification if the mix concept becomes necessary in

• rder to mix continuous data streams in real time .

Assumptions :

• 1. Anonymous connections:

Other NTs at the same LE as A Anonymity set including B Long distance NW Local exchange of A NW terminating (NT) device of A

NTA NTB LE(A) LE(B)

A B

• 1. Anonymity connection
• Is understood as follows :

A is only anonymous among the people whose channels are mixed with hers by a local exchange (LE) All subscribers of one LE build an anonymity set by equally acting to the LE On the NW side, it is possible to map actions of the anonymity set to a single member If A is member of the anonymity set LE(A) and B of LE(B) for long distance calls one can only tell if anyone from LE(A) is communicating with anyone from LE(B)

• 2. Encryption
• An asymmetric and symmetric encryption system is needed

specifically, the use of RSA and a symmetric system with 128- bit keys like IDEA are used Furthermore OFB is assumed i.e. a pseudo-one-time pad

• Thus synchronization as supported by ISDN is a precondition

for the protocol such that ach arriving bit can be decrypted at

• nce
• The participants must not get out of synch. The usage of

synchronized stream cipher allows to be very fast while mixing can be implemented without the function `test-for- replays`

• Hybrid encryption of minimal length is used .
• If Alice A wants to send a message N to Bob , B she first

generates a key KAB

• 2. Encryption
• She appends as much of N to KAB as fits in the same

block of the symmetric encryption system and encrypts this block with CB

• She encrypts the rest of N with KAB the entire
• peration is denoted by :

) ( ), , ( ) (

* + + +

= N K N K C N C

AB AB B B

• 2. Encryption
• The randomly chosen key KAB also makes

RSA probabilistic

• To prevent attacks from KAB and the rest of the

first block should be mingled by symmetric encryption with a globally known key.

• 3. Mix cascades
• For all her channels A uses a fixed mix cascade, say

M1,….Mm. this does not reduce anonymity

• Quite the reverse, if no cascade is used someone who

communicates with her more than once might intersect these anonymity set

• Mix cascades also reduce timing problems between

the mixes as well as the problem that all messages of a batch must be of equal length both are critical for performance

• In the ISDN scenario, the cascade will be situated at

A`s LE, i.e. between user side and network side of the LE

• 3. Mix cascades

network Network side of LE Mix cascade User side of LE Network terminating (NT) device of A NTA

A

LE(A)

Inclusion of mix cascade in local exchange

Each Mi for i≥2 initially generates a key pair (Ci,di) and publishes Ci, and A shares a symmetric key KA1 with M1

• 4. Signaling and data channel
• With hybrid encryption, the basic mix scheme can be used for

very long messages . However each bit on the data channel should be handled at once. Thus it is not enough to use a data channel

• Each mix would still have to wait for the whole first block of

data to arrive before it can start decrypting, therefore the asymmetric decrypted part is a separate message that will be sent on the signaling channel before the actual data transmission starts

• The actual data can then be transmitted in the data channel

without any bandwidth expansion and without delay

• Note : only simplex channels are considered; duplex channels

will be realized as a pair of simplex channels

• 4. Signaling and data channel
• It is distinguished between mix sending

channels that keep the sender anonymous and mix receiving channels that keep the recipient anonymous that work other way round

• These mix channels will serve as building

blocks and will be combined later.

Building blocks :mix channels

• By modifying the original mixes accordingly,

mix channels are introduced which are a mechanism to mix continuous data streams.

Mix signaling channels

• Mix sending channels :

The sender A construct the message for a mix sending channel as follows : Nm+1 := N Ni := C*i(Di,Ni+1) (i=m,m-1,….,2) N1 := KA1(D1,N2) N : are signaling data that should be output by the last mix of the cascade Di : are data A wants to give Mi in addition to the symmetric key KAi

Mix sending channels

• She sends N1 to the user side of her LE which passes it to M1
• M1 receives all messages of the senders belonging to the same LE

it receives N1 from A and decrypts it with KA1

• Subsequently, each Mi for i≥2 receives Ni from Mi-1and decrypts it

with di

• Thus each mix processes the data Di in whatever way is intended

and forwards Ni+1 to Mi+1 or , for i=m, further in the NW

• the data Di simply comprises a timestamp ti
• In contrast to the original mixes this eliminates the need to

compare messages of different batches for repeats

• Because of the fixed mix cascades, the timestamps only have to be

local sequence number of batches of setup messages

Mix sending channels

User side of the local exchange (LE)

mix1 mix2 mix3 mix1 mix2 mix3 Mix cascade in the LE(A) Mix cascade in the LE(B)

Mix sending channel of A Mix sending channel of B

cl cl

Anonymity set Mix signaling part Network side of LE Mix data part Traceable communication Between LE(A) and LE(B)

Nconn-setup

A B Establishment of a mix sending channel (Table of stored information) LE user side :in ch out ch C1 to mix 1 Mix 1 :C1 C2,KA1 Mix 2 :C2 C3,KA2 Mix 3 :C3 C4,KA3 LE network side : C4 CL, Nconn-setup

Mix sending channels

• Each Mi (i<m) processes this setup message as

follows (Mi denoted as mix i)

Mi reserves an outgoing data channel Ci+1 to Mi+1 for the following continuous data. It is sensible to re-order the

• utgoing channels in the same way as the corresponding

setup messages in the output batch Mi tells the position of the outgoing channel to Mi+1, together with the decrypted setup message Ni+1 Mi stores the correspondence between the incoming and the

• utgoing channel (in ch out ch)

Mi stores KAi as belonging to this correspondence .(the index is only notation; no mix after M1 knows that the key is from A) If the setup in done, incoming channels are fixed for the time

• f sending the data that belong to this connection setup.

Mix receiving channels

• Mix receiving channels make recipients

anonymous with respect to senders.

• These channels have a setup message

constructed just like that for a mix sending channel (except for the part N which was left

• pen anyway)

Connecting the two halves

• To make A and B both anonymous, a mix channel

from A is connected with a mix receiving channel built up by B

• The innermost parts, N, of both setup messages

contain a common channel label, CL, and, on A`s side, routing information to the mix cascade that B uses

• In the ISDN context, this will be the address of B`s

local exchange (LE(B)).

• The result is called a mix channel

Mix data channels

• Mixing setup messages and messages and mixing data will be different

modules

• After establishing a sending channel Mi can immediately decrypt each

bit of data arriving on the incoming channel with KAi and can forward it on the corresponding outgoing channel (this is represented as lower half of the mixes (called mix data part))

• For the receiving channel the correspondence data channels established

and used in the reverse way: channels from Mi+1 to Mi and reserved.

• The last channel leads from M1(mix 1) to B
• When data arrive on the data channel, Mi encrypts them with KBi
• Thus B receives multiple encrypted data and must decrypt them with

all his keys KBi (this is a variant of the anonymous return address)

• However, here B establishes a return channel himself instead of

passing a return address to A

• This is more efficient in this scenario and will foil active attacks on B

by A

Problems with pure mix channels

• The main problem is how to get enough channels of equal length to

be mixed together

• For channels this means that the setup messages belong to the same

batch and the following continuous data start and end at the same time otherwise an attacker could distinguish such channels in spite

• f mixing
• It might be difficult enough to obtain enough connections starting at

the same time, is connections must be established within, say, 3 sec without routing them unnecessarily through the long-distance NW

• And it is highly unlikely that enough of them and at the same time

by themselves

• Therefore some users would have to wait for others before being

allowed to release their channels (i.e. their NW terminations would send encrypted nonsense when the continuous data end)

• However, each user has only two channels; thus it cannot be

tolerated that they are blocked

Real-Time Mixes

• Mix channels cannot simply used to mix entire

connections because of the varying length of phone calls

• The technique of Real-Time Mixes solves all the

remaining problems of mix channels

• Questions :

How does B know that he should set up a mix receiving channel for A`s data? How does A know the label? How does one get enough channels at each local time that start together ? How can one make them end together?

Real-Time Mixes

• The solution for those questions consists of

Time-slice channels Dummy traffic where it costs nothing and Broadcast of short connection-setup messages Thus mix channels for time slices can be used to build the entire abstract protocols. They are combined with other ingredients to guarantee a sufficient size of the batches without additional cost and for the initial establishment of anonymous connections

Time-slice and dummy channels

• Each connection is divided into a sequence of time-slice channels,

which look unrelated to everybody except for the respective sender and recipient

• With each time slice, users can release connections and/or establish

new ones

• Each participant who does not need a channel during a time slice

establishes a dummy time-slice channel instead.

• This costs no additional bandwidth because this channel is on the

subscriber line only

• (in more details ) during each time slice, each subscriber A

maintains two mix sending channels and two receiving channels through the m mixes at her local exchange in order to setup signaling and data channels

• They are called time-slice sending (TS-) channels and time-slice

receiving (TR-)

• The corresponding setup messages are called TS-and TR- setup

messages

• Thus before each time slice, A must send two TS- and two TR- setup

messages

Time-slice and dummy channels

• The last mix at A`s local exchange passes the innermost part, N of

each setup message to the local exchange for connection

• For any TR-setup message, N only consists of a connection label CL
• Any TS-setup message contains a connection label CL, the address

ALE of the local exchange of the corresponding recipient, and information about the message to pass as well as the connection setup message Nconn-setup itself

• The information indicates the status of the setup message i.e.

meaningful or meaningless (mfM/mlM) and the status of the data (mfD/mlD)

• Dummy traffic for example is a (mlM)
• If A has a real connection with a recipient B, the connection labels

must agree

• This will be achieved by letting A and B generate them pseudo-

randomly from the same seed CLinit, which will be exchanged in Nconn-setup

• Real connection is duplex and realized by two independent simplex

channels

Time-slice and dummy channels

• If B has no real connection on one of its two duplex channels

during a time slice

• He sets up a simplex channel with himself instead : he sends a

TS-setup and TR- setup message with the same connection label

• Hence these dummy channels look like local connections
• This makes local connections completely unobservable except

for the initial wish to establish one

• In this case the mfM/mlM field indicates this as a real

anonymity sets communication

Time-slice and dummy channels

TS-setup (ALE(B),CLB(j),mlM,mfD) DATA DATA TS-setup (ALE(A),CLA(2),mlM,mfD) DATA DATA

NTA NTB LE(A) LE(B) Time-slice 1

TR-setup (CLB(j)) DATA DATA TS-setup (ALE(B),CLB(1),mfM,mlD) TR-setup (CLA(1))

Nconn-setup

ALE(A),CLinit Time-slice 2

TR-setup (CLB(2)) DATA DATA TS-setup (ALE(B),CLB(2),mlM,mlD) TR-setup (CLA(2)) D*(2)

Time-slice and dummy channels

DATA DATA

Time-slice 3

TR-setup (CLB(3)) DATA DATA TS-setup (ALE(B),CLB(3),mlM,mfD) TR-setup (CLA(3)) D*(3) TS-setup (ALE(A),CLA(3),mlM,mfD) D´(3)

Whereas CLinit :=(CLB(i),CLA(i),KAB) D*(2) :=DATA(ALE(A),CLA(2)) D´(3) :=DATA(ALE(B),CLB(3)) D*(3) :=DATA(ALE(A),CLA(3))

Time-slice and dummy channels

• The data channel are treated according to the setup messages as

described previously, i.e. forwarded from the sending channel to the specified receiving channel (real or dummy), with one exception :

• During connection establishment, when the sender already

designates a real recipient in the TS-setup message but does not yet send real data (compare with t1and t2), she must specify that data as meaningless (mlD).

• Thus the data (which must be mixed anyway) are thrown away on

the NW side instead of being unnecessarily transported through the long-distance NW

• If at any mix, no data arrive on a channel, the mix replaces them by

random data

• This prevents that an attacker could simply see where a channel

leads by cutting it off.

• However as log as no body cuts off channels there is a continuous

data stream, because users are supposed to send data all the time

Establishing connections

• Basic idea : broadcast of short connection-setup messages
• If A wants to call B, she needs to tell him that he should stop

setting up dummy channels with himself and set them up to meet A´s channels instead

• Thus one connection-setup message (Nconn-setup) must be

delivered to B in a different way

• Still. B may not want A to know his real location address

inside his anonymity set

• This is achieved by allowing implicit addresses and

broadcasting short connection-setup messages in B´s anonymity set

• A connection-setup message is broadcast to all subscribers at

B´s LE.

Establishing connections

• An implicit address of B allows B, but no body else, to

identify a message as belonging to him

• In the following only invisible addresses are considered .

Apart from or rather within the implicit address, Nconn-setup must contain

The address of A´s local exchange, so that B can address his TS-channel there and A seed CLinit from which A and B will generate the connection labels for the future time slices of this connection with a pseudo-random generator, item the number ti of the time slice so that B knows that this is when A starts running the pseudo-random generator.

Establishing connections

• Per time slice, one label is generated for the simplex channel

from A to B and one for that from B to A

• They are called CLB(i) and CLA(i), respectively, where i

stands for the number of the time slice within the connection .

• Nconn-setup may also contain a key kAB for hybrid encryption as

usual, or such a key can be derived from the seed before the labels

• On A´s side, Nconn-setup is packed into the innermost part N of a

TS-setup message

• Thus there is no problem of finding enough other connection-

setup messages of equal length to mix it with.

Releasing connections

• The LEs should not release channels in the long-distance

network after every time slice

• Instead they can either wait until the channel is not

needed again in the next time slice, or (with slight restriction of bit transparency) the end of the connection can be signaled in the data channel

• Thus for each real connection, e.g. a phone call, a

channel through the long-distance NW is switched at most once.

• If a NT does not answer at once, this is no problem for

anonymity because the mixes will fill up the sender's unused TR-channel.

Releasing connections

• In principle, A can let her NT wait whether B will answer for

an arbitrary period of time

• If for example the connection-setup message contains an

additional filed which is shown to B, he might end his previous connection in favor of the new one

• It is then useful to include an upper bound on the time A will

wait after sending the connection-setup message.

• So B will not be disturbed nor will NTB build up a long-

distance channel to NTA after A gave up waiting.

• A in person should not be forced to wait on the phone, be

notified by a short ring when B answers .

• Then A will typically not have to repeat her connection-setup

message to B

• This significantly reduces the broadcast traffic on the signaling

channel.

Releasing connections

• Remark:

if such long waiting times are allowed, the connection labels should be generated by a pseudo- random function of the time-slice number instead of

• sequentially. In practice such a function can be

derived from the symmetric encryption system used.

• Recall

the data on the data channels are sent

• continuously. The setup message for time slice i are

sent on the signaling channel at the same time as the data of time slice i-1 are sent on the data channel.

Summary

• The concept of mixes of Real-Time Mixes

comprises time-slice channels, dummy traffic where it costs nothing, and broadcast of short connection-setup message

• This concept can be used for various

communication systems. As a practical example, the application of the concept to ISDN was sketched .in particular, the connection- establishment was described for several time slices.