Tarzan: A Peer-to-Peer Anonymizing Network Layer Michael J. Freedman, NYU Robert Morris, MIT ACM CCS 2002 http://pdos.lcs.mit.edu/tarzan/
The Grail of Anonymization • Participant can communicate anonymously with non-participant User ? ? • User can talk to CNN.com • Nobody knows who user is November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 2
Our Vision for Anonymization • Thousands of nodes participate • Bounce traffic off one another • Mechanism to organize nodes: peer-to-peer • All applications can use: IP layer November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 3
Alternative 1: Proxy Approach User Proxy • Intermediate node to proxy traffic • Completely trust the proxy Anonymizer.com November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 4
Threat model • Corrupt proxy(s) – Adversary runs proxy(s) – Adversary targets proxy(s) and compromises, possibly adaptively • Network links observed – Limited, localized network sniffing – Wide-spread (even global) eavesdropping e.g., Carnivore, Chinese firewall, ISP search warrants November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 5
Failures of Proxy Approach User Proxy Proxy • Proxy reveals identity • Traffic analysis is easy November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 6
Failures of Proxy Approach X User X Proxy • Proxy reveals identity • Traffic analysis is easy • CNN blocks connections from proxy • Adversary blocks access to proxy (DoS) November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 7
Alternative 2: Centralized Mixnet Relay User Relay Relay Relay • MIX encoding creates encrypted tunnel of relays – Individual malicious relays cannot reveal identity • Packet forwarding through tunnel Onion Routing, Freedom Small-scale, static network November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 8
Failures of Centralized Mixnet Relay X User Relay Relay Relay • CNN blocks core routers November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 9
Failures of Centralized Mixnet Relay Relay User Relay Relay Relay Relay Relay • CNN blocks core routers • Adversary targets core routers November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 10
Alternative 2: Centralized Mixnet Relay Relay User Relay Relay Relay • CNN blocks core routers • Adversary targets core routers • So, add cover traffic between relays – Hides data traffic among cover November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 11
Failures of Centralized Mixnet Relay User Relay Relay Relay Relay Relay • CNN blocks core routers • Adversary targets core routers November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 12
Failures of Centralized Mixnet Relay User Relay Relay Relay Relay Relay Relay Relay • CNN blocks core routers • Adversary targets core routers • Still allows network-edge analysis November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 13
Failures of Centralized Mixnet Relay Relay User Relay Relay Relay Relay Relay Relay Relay Relay • Internal cover traffic does not protect edges • External cover traffic prohibitively expensive? – n 2 communication complexity November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 14
Tarzan goals • No distinction between anon proxies and clients – Peer-to-peer model • Anonymity against corrupt relays – MIX-net encoding – Robust tunnel selection – Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping – Cover traffic protects all edges – Restrict topology to make cover practical – Choose neighbors in verifiably-random manner • Application-independence – Low-latency IP-layer redirection November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 15
Tarzan: Me Relay, You Relay • Thousands of nodes participate – CNN cannot block everybody – Adversary cannot target everybody November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 16
Tarzan: Me Relay, You Relay • Thousands of nodes participate • Cover traffic protects all nodes – Global eavesdropping gains little info November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 17
Benefits of Peer-to-Peer Design ? ? ? ? ? • Thousands of nodes participate • Cover traffic protects all nodes • All nodes also act as relays – No network edge to analyze – First hop does not know he’s first November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 18
Tarzan goals • No distinction between anon proxies and clients – Peer-to-peer model • Anonymity against corrupt relays – MIX-net encoding – Robust tunnel selection – Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping – Cover traffic protects all nodes – Restrict topology to make cover practical – Choose neighbors in verifiably-random manner • Application-independence – Low-latency IP-layer redirection November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 19
Tarzan: Joining the System User 1. Contacts known peers to learn neighbor lists 2. Validates each peer by directly pinging November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 20
Tarzan: Generating Cover Traffic User 4. Nodes begin passing cover traffic with mimics: – Nodes send at some traffic rate per time period – Traffic rate independent of actual demand – All packets are same length and link encrypted November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 21
Tarzan: Selecting tunnel nodes PNAT User 5. To build tunnel: Iteratively selects peers and builds tunnel from among last-hop’s mimics November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 22
But, Adversaries Can Join System PNAT User November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 23
But, Adversaries Can Join System PNAT User • Adversary can join more than once by spoofing addresses outside its control � Contact peers directly to validate IP addr and learn PK November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 24
But, Adversaries Can Join System PNAT User • Adversary can join more than once by running many nodes on each machine it controls � Randomly select by subnet “domain” (/16 prefix, not IP) November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 25
But, Adversaries Can Join System PNAT User • Adversary can join more than once by running many nodes on each machine it controls � Randomly select by subnet “domain” (/16 prefix, not IP) November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 26
But, Adversaries Can Join System PNAT User • Colluding adversary can only select each other as neighbors � Choose mimics in universally-verifiable random manner November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 27
Tarzan: Selecting mimics K16 = H(H(U.IP/16)) lookup(K16) K32 = H(H(U.IP)) lookup(K32) H 4 (U.IP) H 3 (U.IP) H(18.26) H(216.16.108.10) A D H(216.165) H i (A.IP) H 2 (U.IP) H(216.16.31.13) User H(128.2) H(216.16.54.8) H i (B.IP) H i (C.IP) H(13.1) IP H(169.229) B C IP/16 3. Nodes pair-wise choose (verifiable) mimics November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 28
Tarzan goals • No distinction between anon proxies and clients – Peer-to-peer model • Anonymity against corrupt relays – MIX-net encoding – Robust tunnel selection – Prevent adversary spoofing or running many nodes • Anonymity against global eavesdropping – Cover traffic protects all nodes – Restrict topology to make cover practical – Choose neighbors in verifiably-random manner • Application-independence – Low-latency IP-layer redirection November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 29
Tarzan: Building Tunnel PNAT User Real Public IP Tunnel Private Address Alias Address Address 5. To build tunnel: Public-key encrypts tunnel info during setup Maps flowid � session key, next hop IP addr November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 30
Tarzan: Tunneling Data Traffic IP X APP IP PNAT User 6. Reroutes packets over this tunnel Diverts packets to tunnel source router November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 31
Tarzan: Tunneling Data Traffic APP IP PNAT User IP IP 6. Reroutes packets over this tunnel NATs to private address 192.168.x.x Pads packet to fixed length November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 32
Tarzan: Tunneling Data Traffic APP IP IP PNAT User IP IP 6. Reroutes packets over this tunnel Layer encrypts packet to each relay Encapsulates in UDP, forwards to first hop November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 33
Recommend
More recommend
