W hy is anonymity so hard? Roger D ingledine T he Free Haven - - PowerPoint PPT Presentation

W hy is anonymity so hard? Roger D ingledine T he Free Haven Project

1

M any people need anonymity

• Polit ical dissident s in oppressive count ries
• Government s want t o do operat ions secret ly.
• Corporat ions are vulnerable t o t raffi c analysis ( corporat e

espionage) — VPNs, encrypt ion don’t cut it .

• Individuals are t racked and profi led daily. Imagine what t hey’ll

have in your dossier in twenty years.

• ( If t hat doesn’t scare you, t hink of your kids.)

3

A M IX node

• M essages change appearance aft er decrypt ion
• Each M IX bat ches and reorders messages
• M essages are all t he same lengt h
• St ore and forward ( slow) t o maint ain anonymity set s

6

A M IX cascade

Free-rout e M IX networks

• User picks a pat h t hrough t he network
• Goal is t o hide message’s pat h
• Needs dummy t raffi c ( ineffi cient , poorly underst ood) t o

prot ect against global adversaries ( lot s of t raffi c may work t oo?)

• Example: M ixmast er

8

O nion Rout ing

• Connect ion-orient ed ( low lat ency)
• L ong-t erm connect ions betwee7 O nion Rout ers

link padding betwee7 t he rout ers

• Aims for security against t raffi c analysis, not t raffi c

confi rmat ion

• Users should run node, or anonymize connect ion t o fi rst

node, for best privacy

11

Some t echnical problems for O nion Rout ing:

13

Convenient / Usable Proxies

• Current ly we have an applicat ion proxy for each prot oco61

0w which feeds int o t he onion proxy. Users should run bot h.

• B ut we really ought t o int ercept all t raffi c – ot herwise we

need t o modify applicat ions so t hey don’t leak info.

• ...and nobody will use it if we need all t hese proxies ( not t rue:

p2p syst ems?)

14

O h yeah, and I wrot e t he O nion Rout ing code

• It ’s GPL ed ... but it ’s complicat ed.
• Send me mail and I’ll point you t o it .

15

Ideal t hreat model

• Global passive adversary – can observe everyt hing
• O wns half t he nodes

16

L ink padding and t opology

• Remember t hat our goal is t o hide t he pat h
• W it hout link padding, adversary can observe when new

connect ions st art , and where t hey go.

• n2 link padding is insane, but anyt hing less seems unsafe.
• O pen problem: what ’s t he right compromise?

17

T iming at t acks

• If t he adversary owns two nodes on your pat h, he can

recognize t hat t hey’re on t he same pat h

T agging at t acks

• O nion rout ing uses a st ream

cipher t o encrypt t he dat a st ream going in each direct ion.

• An adversary owning a node – or a link! – can fl ip a byt e in

t he dat a st ream and look for an anomalous byt e at t he exit point ( say, when it t alks t o a webserver) .

• T his sort of t hing is generally solved by including a hash, but

it ’s more complex t han t hat .

19

Anonymity is hard for economic/ social reasons t oo

• Anonymity requires ineffi ciencies in comput at ion

/ F1-6( bandwidt h,) T J F1-3.053

• 27.8

1 r/ F1-6

c315( r) ut a

B ut t rust bot t lenecks can break everyt hing

• Nodes wit h more t raffi c must be more t rust ed
• Adversary who want s more t raffi c should provide good service

St rong anonymity requires dist ribut ed t rust

• An anonymity syst em can’t be just for one ent ity
• ( even a large corporat ion or government )
• So you must carry t raffi c for ot hers t o prot ect yourself
• B ut t hose ot hers don’t want t o t rust t heir t raffi c t o just one

ent ity eit her

26

Pseudospoofi ng: volunt eers are a danger t oo

• Are half your nodes run by a single ba6 guy?
• Global PK D t o ensure unique ident it ies? No.
• D ecent ralize6 t rust fl ow algorit hms? Not yet .
• St ill a major open problem for dynamic decent ralized anonymity

Need t o manage incent ives well

Even cust omizat ion and preferent ial service are risky ( 1)

• It ’s t empt ing t o let users choose security and robust ness

paramet ers

• Eg, how many replicas of my fi le should I creat e?
• r how many pieces should I break my fi le int o?
• B ut a fi le replicat ed many t imes st ands out .

31

An example: D irect ory servers

• D ist ribut e locat ion, capabilit ies, key info, performance st at s
• A single direct ory server is a point of failure
• Redundant direct ory servers: must be ( provably!)

synchronized t o avoid part it ioning at t acks

• Can dist inguish between client s t hat use st at ic list s and client s

t hat updat e frequent ly

33

D irect ory servers ( 2)

Conclusion: we’re screwed

• Usability is a security object ive: anonymity syst ems are

not hing wit hout users.

• It ’s crit ical t hat we int egrat e privacy int o t he syst ems we use

t o int eract .

• B ut it ’s hard enough t o build a killer app.

It ’s going t o be really really hard t o solve all t he fact ors at

• nce.
• O ur current direct ions aren’t going t o work, from an incent ive

and usability perspect ive. W e need t o ret hink.

35

A point of light : M ixminion

• High-lat ency free-rout e mix network
• Fixes many of t he problems wit h M ixmast er

Anot her point of light : synchro919w syst ems

• Each message has a deadline by which t he node must pass

it on

• L engt h of pat hw iw fi xed, pat hw might even be public
• Anonymity iw now based on size of bat ch at widest point ,

even for free-rout e syst ems

• Improves fl o35( de) -ing/ t rickle at t acks

Privacy Enhancing T echnologies workshop M arch 26-28, 2003 D resden, Germany ht t p:/ / petworkshop.org/

38