Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. - - PowerPoint PPT Presentation



SLIDE 1

Tarzan: A Peer-to-Peer Anonymizing Network Layer

Michael J. Freedman, NYU
Robert Morris, MIT

ACM CCS 2002

http://pdos.lcs.mit.edu/tarzan/

SLIDE 2

November 20, 2002

The Grail of Anonymization

  • Participant can communicate anonymously with non-participant
  • User can talk to CNN.com
  • Nobody knows who user is

SLIDE 3

Our Vision for Anonymization

  • Thousands of nodes participate
  • Bounce traffic off one another
  • Mechanism to organize nodes: peer-to-peer
  • All applications can use: IP layer

SLIDE 4

Alternative 1: Proxy Approach

  • Intermediate node to proxy traffic
  • Completely trust the proxy

Anonymizer.com

SLIDE 5

Threat model

  • Corrupt proxy(s)
    – Adversary runs proxy(s)
    – Adversary targets proxy(s) and compromises, possibly adaptively
  • Network links observed
    – Limited, localized network sniffing
    – Wide-spread (even global) eavesdropping, e.g., Carnivore, Chinese firewall, ISP search warrants

SLIDE 6

Failures of Proxy Approach

  • Traffic analysis is easy
  • Proxy reveals identity

SLIDE 7

Failures of Proxy Approach

  • CNN blocks connections from proxy
  • Traffic analysis is easy
  • Adversary blocks access to proxy (DoS)
  • Proxy reveals identity

SLIDE 8

Alternative 2: Centralized Mixnet

  • MIX encoding creates encrypted tunnel of relays
    – Individual malicious relays cannot reveal identity
  • Packet forwarding through tunnel

Onion Routing, Freedom

Small-scale, static network

SLIDE 9

Failures of Centralized Mixnet

  • CNN blocks core routers

SLIDE 10

Failures of Centralized Mixnet

  • CNN blocks core routers
  • Adversary targets core routers

SLIDE 11

Alternative 2: Centralized Mixnet

  • CNN blocks core routers
  • Adversary targets core routers
  • So, add cover traffic between relays
    – Hides data traffic among cover

SLIDE 12

Failures of Centralized Mixnet

  • CNN blocks core routers
  • Adversary targets core routers

SLIDE 13

Failures of Centralized Mixnet

  • CNN blocks core routers
  • Adversary targets core routers
  • Still allows network-edge analysis

SLIDE 14

Failures of Centralized Mixnet

  • Internal cover traffic does not protect edges
  • External cover traffic prohibitively expensive?
    – n² communication complexity

SLIDE 15

Tarzan goals

  • No distinction between anon proxies and clients
    – Peer-to-peer model
  • Anonymity against corrupt relays
    – MIX-net encoding
    – Robust tunnel selection
    – Prevent adversary spoofing or running many nodes
  • Anonymity against global eavesdropping
    – Cover traffic protects all edges
    – Restrict topology to make cover practical
    – Choose neighbors in verifiably-random manner
  • Application-independence
    – Low-latency IP-layer redirection

SLIDE 16

Tarzan: Me Relay, You Relay

  • Thousands of nodes participate
    – CNN cannot block everybody
    – Adversary cannot target everybody

SLIDE 17

Tarzan: Me Relay, You Relay

  • Thousands of nodes participate
  • Cover traffic protects all nodes
    – Global eavesdropping gains little info

SLIDE 18

Benefits of Peer-to-Peer Design

  • Thousands of nodes participate
  • Cover traffic protects all nodes
  • All nodes also act as relays
    – No network edge to analyze
    – First hop does not know he’s first

SLIDE 19

Tarzan goals

  • No distinction between anon proxies and clients
    – Peer-to-peer model
  • Anonymity against corrupt relays
    – MIX-net encoding
    – Robust tunnel selection
    – Prevent adversary spoofing or running many nodes
  • Anonymity against global eavesdropping
    – Cover traffic protects all nodes
    – Restrict topology to make cover practical
    – Choose neighbors in verifiably-random manner
  • Application-independence
    – Low-latency IP-layer redirection

SLIDE 20

Tarzan: Joining the System

  • 1. Contacts known peers to learn neighbor lists
  • 2. Validates each peer by directly pinging

SLIDE 21

Tarzan: Generating Cover Traffic

  • 4. Nodes begin passing cover traffic with mimics:
    – Nodes send at some traffic rate per time period
    – Traffic rate independent of actual demand
    – All packets are same length and link encrypted

SLIDE 22

Tarzan: Selecting tunnel nodes

  • 5. To build tunnel:

Iteratively selects peers and builds tunnel from among last-hop’s mimics

SLIDE 23

But, Adversaries Can Join System

SLIDE 24

But, Adversaries Can Join System

  • Adversary can join more than once by spoofing addresses outside its control

Contact peers directly to validate IP addr and learn PK

SLIDE 25

But, Adversaries Can Join System

  • Adversary can join more than once by running many nodes on each machine it controls

Randomly select by subnet “domain” (/16 prefix, not IP)

SLIDE 27

But, Adversaries Can Join System

  • Colluding adversary can only select each other as neighbors

Choose mimics in universally-verifiable random manner

SLIDE 28

Tarzan: Selecting mimics

  • 3. Nodes pair-wise choose (verifiable) mimics

[Diagram: hashed identifiers at two levels, IP/16 and IP. /16 level: H(13.1), H(18.26), H(128.2), H(169.229), H(216.165). IP level: H(216.16.31.13), H(216.16.54.8), H(216.16.108.10). Nodes A, B, C, D with labels Hi(A.IP), Hi(B.IP), Hi(C.IP); user labels H2(U.IP), H3(U.IP), H4(U.IP). Lookups: K16 = H(H(U.IP/16)), lookup(K16); K32 = H(H(U.IP)), lookup(K32).]
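
The two-level lookup from this slide, together with the "select by /16 domain, not IP" defence from slide 25, as an added example (not code from the Tarzan authors). It assumes SHA-256 for H and a successor-on-a-hash-ring rule for lookup(); the peer addresses are constructed.

```python
import hashlib
from bisect import bisect_left

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumption: SHA-256 stands in for H

def prefix16(ip: str) -> str:
    return ".".join(ip.split(".")[:2])

def successor(key: bytes, ids: list) -> bytes:
    """Assumed lookup(): first identifier at or after key on the hash ring, wrapping."""
    ids = sorted(ids)
    return ids[bisect_left(ids, key) % len(ids)]

def select_mimic(u_ip: str, peers: list) -> str:
    """Two-level choice: a /16 domain via K16, then a node inside it via K32."""
    domains = {}
    for ip in peers:
        if ip != u_ip:
            domains.setdefault(prefix16(ip), []).append(ip)
    k16 = H(H(prefix16(u_ip).encode()))           # K16 = H(H(U.IP/16))
    dom_by_id = {H(d.encode()): d for d in domains}
    domain = dom_by_id[successor(k16, list(dom_by_id))]
    k32 = H(H(u_ip.encode()))                     # K32 = H(H(U.IP))
    ip_by_id = {H(ip.encode()): ip for ip in domains[domain]}
    return ip_by_id[successor(k32, list(ip_by_id))]

def verify_mimic(u_ip: str, claimed: str, peers: list) -> bool:
    """Any node holding the same peer list can recompute U's mimic and reject a false claim."""
    return select_mimic(u_ip, peers) == claimed

# Constructed peer list: the /16 prefixes appear on the slide, the host parts are made up.
PEERS = ["13.1.4.9", "18.26.0.77", "128.2.33.5", "169.229.60.12",
         "169.229.7.3", "216.165.1.20", "216.165.2.30"]
# One operator running 500 extra nodes inside a single /16 that is already present.
SYBILS = [f"169.229.{i // 250}.{i % 250 + 1}" for i in range(500)]

def chosen_domains(peers: list) -> dict:
    """Domain each honest node is steered to; stuffing one /16 must not change it."""
    return {u: prefix16(select_mimic(u, peers)) for u in PEERS}
```

Because the first level hashes over domains rather than addresses, `chosen_domains(PEERS + SYBILS)` equals `chosen_domains(PEERS)`: adding nodes inside one /16 does not raise the chance that other nodes are steered to that /16.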

SLIDE 29

Tarzan goals

  • No distinction between anon proxies and clients
    – Peer-to-peer model
  • Anonymity against corrupt relays
    – MIX-net encoding
    – Robust tunnel selection
    – Prevent adversary spoofing or running many nodes
  • Anonymity against global eavesdropping
    – Cover traffic protects all nodes
    – Restrict topology to make cover practical
    – Choose neighbors in verifiably-random manner
  • Application-independence
    – Low-latency IP-layer redirection

SLIDE 30

Tarzan: Building Tunnel

  • 5. To build tunnel:

Public-key encrypts tunnel info during setup
Maps flowid → session key, next hop IP addr

[Diagram legend: Tunnel Private Address, Public Alias Address, Real IP Address]

SLIDE 31

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

Diverts packets to tunnel source router

SLIDE 32

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

NATs to private address 192.168.x.x
Pads packet to fixed length

SLIDE 33

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

Layer encrypts packet to each relay
Encapsulates in UDP, forwards to first hop

SLIDE 34

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

Strips off encryption
Forwards to next hop within cover traffic

Somebody (IP) speaking to CNN

SLIDE 35

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

NATs again to public alias address

SLIDE 36

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

Reads IP headers and sends accordingly

I’m speaking to PNAT

SLIDE 37

Tarzan: Tunneling Data Traffic

  • 6. Reroutes packets over this tunnel

Response repeats process in reverse
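
Steps 5 and 6 (slides 30 to 37) in one added sketch, not Tarzan's own code: the sender pads to a fixed length and layer-encrypts once per relay, and each relay looks up flowid → (session key, next hop) and strips its layer. The packet length, the padding layout, the relay names and the SHAKE-256 keystream used in place of a real cipher are all assumptions.

```python
import hashlib
import os
import struct

PKT_LEN = 1024  # assumed fixed packet length; the slides do not give one

def xor_layer(key: bytes, nonce: bytes, block: bytes) -> bytes:
    """Stand-in stream cipher (SHAKE-256 keystream); no integrity protection."""
    stream = hashlib.shake_256(key + nonce).digest(len(block))
    return bytes(a ^ b for a, b in zip(block, stream))

def pad(payload: bytes) -> bytes:
    """2-byte length prefix, then random fill up to PKT_LEN (assumed layout)."""
    if len(payload) > PKT_LEN - 2:
        raise ValueError("payload does not fit in one fixed-length packet")
    fill = os.urandom(PKT_LEN - 2 - len(payload))
    return struct.pack("!H", len(payload)) + payload + fill

def unpad(block: bytes) -> bytes:
    (n,) = struct.unpack("!H", block[:2])
    return block[2:2 + n]

def wrap(payload: bytes, hop_keys: list, nonce: bytes) -> bytes:
    """Sender: pad, then add one layer per relay, the last relay's layer first."""
    block = pad(payload)
    for key in reversed(hop_keys):
        block = xor_layer(key, nonce, block)
    return block

def forward(block: bytes, flowid: int, nonce: bytes, hop: str, relays: dict):
    """Each relay maps flowid -> (session key, next hop) and strips its own layer.
    Returns the block seen arriving at every hop and the payload after the last one."""
    links = []
    while hop is not None:
        links.append(block)
        key, hop = relays[hop][flowid]
        block = xor_layer(key, nonce, block)
    return links, unpad(block)

def send(payload: bytes):
    """Constructed three-hop tunnel; relay names and flowid 7 are illustrative."""
    keys = [os.urandom(32) for _ in range(3)]
    relays = {"relay-a": {7: (keys[0], "relay-b")},
              "relay-b": {7: (keys[1], "pnat")},
              "pnat": {7: (keys[2], None)}}
    nonce = os.urandom(16)  # fresh per packet so a keystream is never reused
    return forward(wrap(payload, keys, nonce), 7, nonce, "relay-a", relays)
```

Every block in `links` has the same length whatever the payload size, and no two links carry the same bytes, so an observer of two links cannot match the packet by size or content.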

SLIDE 38

Integrating Tarzan

Can build double-blinded channels
Use transparently with existing systems

[Diagram callouts: "Speaking to Peer", "Speaking to PNAT"]

SLIDE 39

Packet forwarding and tunnel setup

  • Tunnel Setup (public key ops)

~30 msec / hop latency + network delay

  • Packet forwarding (without cover traffic)

    pkt size      latency     throughput
    64 bytes      250 µsec    7 Mbits/s
    1024 bytes    600 µsec    60 MBits/s

SLIDE 40

Summary

  • Application-independence at IP layer
    – Previous systems for email, web, file-sharing, etc.
  • No network edge through peer-to-peer design
    – Core routers can be blocked, targeted, or black-box analyzed
  • Anonymity against corrupt relays and global eavesdropping
    – Cover traffic within restricted topology
    – MIX-net tunneling through verified mimics
  • Scale to thousands
    – Towards a critical mass of users

SLIDE 41

http://pdos.lcs.mit.edu/tarzan/

SLIDE 42

Packet forwarding and tunnel setup

[Chart not recovered; axis unit: msec]