Preserving Caller Anonymity inVoice-over-IP NetworksMudhakar Srivatsa†, Ling Liu‡and Arun Iyengar†IBM T.J. Watson Research Center, Yorktown Heights, NY - 10598†College of Computing, Georgia Institute of Technology, Atlanta, GA - 30332‡{msrivats, aruni}@us.ibm.com, [email protected]— Applications such as VoIP need to provideanonymity to clients while maintaining low latency to sat-isfy quality of service (QoS) requirements. Existing so-lutions for providing anonymity such as mix networksare not well suited to applications like VoIP, SSH, andgaming which require low communication latency. Thispaper investigates the problem of on-demand constructionof QoS sensitive routes on anonymizing networks usingthe VoIP application. We first describe triangulation basedtiming analysis attacks on shortest path route set up pro-tocols. We show that even when a small fraction (∼1%)of the network is malicious, the adversary can infer thesource (caller) with reasonably high probability. Second,we describe random walk based route set up protocols thatsignificantly improve anonymity while satisfying latency-based QoS guarantees. We describe a prototype imple-mentation of our proposal and show that our protocolscan significantly reduce the probability of inferring thecaller. We present a detailed experimental evaluation todemonstrate our attacks and quantify the performanceand scalability of our guards.I. INTRODUCTIONMany applications such as VoIP need to provide anony-mity to clients using the application. Existing approachestypically use mix networks [10], [17], [12], [16], [8]which provide good anonymity for high latency com-munications by routing network traffic through a num-ber of nodes with random delays and random routes.However, emerging applications such as VoIP1, SSH,online gaming, etc have additional quality of service(QoS) requirements that are hard to be accommodatedby such mix networks; for instance ITU (InternationalTelecommunication Union) recommends up to 250msone-way latency for interactive voice communication2.1VoIP’s share of worldwide voice traffic has grown from 12.8% in2003 to an estimated 75% in 2007 [6]2A case study [29] indicates that latencies up to 250ms are un-perceivable to human users, while latencies over 400ms significantlydeteriorate the quality of voice conversations.Several authors have pointed out that low latency ap-plications on mix networks may be vulnerable to timinganalysis attacks [30], [35], [28]. In this paper, we inves-tigate trade offs between QoS guarantees and anonymityusing VoIP as a sample application. A VoIP networktypically consists of a core proxy network and a set ofclients that connect to the edge of this proxy network(see Figure 1). We show how the identity of VoIP callerscan be identified via timing attacks. We then presentsolutions for preserving anonymity while satisfying QoSrequirements.In particular, this paper investigates the problem of on-demand construction of QoS sensitive routes on anonymiz-ing networks and makes two contributions. First, wedescribe triangulation based timing analysis attacks ona peer-to-peer broadcast based shortest route set up pro-tocol. Unlike previous timing analysis attacks [33], [36],[38], [32], [9], [13], [31] that use inter-packet timingcharacteristics, our timing analysis attacks focus exclu-sively on the execution times of different stages in theroute set up protocol. We show that while the VoIProute set up protocol meets the QoS requirement (bysetting up the shortest path), it is vulnerable to timinganalysis that can reveal the identity of the caller withnon-trivial probability even when only a small fractionof the network nodes are malicious (∼1%).Second, we develop and implement three solutionsto improve the resilience of route set up protocols toprovide anonymity while satisfying latency-based QoSguarantees. First, we show that naively adding randomdelays to network latencies does not alleviate the prob-lem. We then show that a pure random walk based routeset up protocol can significantly reduce the probabilityof inferring the caller, although it may blatantly violateQoS requirements by setting up routes with unboundedlatencies. We describe two hybrid route set up proto-cols that combine random walk and shortest route setup protocols with the goal of providing resilience to2008 IEEE Symposium on Security and Privacy978-0-7695-3168-7 /08 $25.00 © 2008 IEEEDOI 10.1109/SP.2008.1050Fig. 1. Anonymizing VoIP Networktriangulation based timing attacks, while satisfying QoSrequirements.The rest of this paper is organized as follows. We de-scribe a VoIP network model in Section II. We describethe triangulation based timing attacks in Section III fol-lowed by our guards in Section IV. We describe a pro-totype implementation and present detailed experimentalevaluation to demonstrate our attacks and quantify theperformance and scalability of our guards in Section V.We discuss related work in Section VI and conclude thepaper in Section VII.II. PRELIMINARIES:VOIP ROUTE SET UP PROTOCOLVoIP applications typically use two main protocols: aRoute Set Up protocol for call setup and termination, anda Real-time Transport Protocol (RTP) for media delivery.Our work is relevant to peer-to-peer VoIP protocols (suchas Skype [5]) which use route set up protocols similarto the one described in this section. The route set upprotocol allows a caller to search for a receiver (identifiedby a URL, e.g.: sip:me.xyz.com) and sets up the shortestroute (also called circuit) to the receiver node. RTP maybe used to carry voice traffic between the caller and thereceiver along an established bi-directional voice circuit.The VoIP route set up protocol typically operates infour steps. First, theinitSearch initiates a route set uprequest from a VoIP clientsrc. Second, the processSearchprocesses a route set up request at some node on theVoIP network. Third, theprocessResult processes theresults of a route set up request at some node on the VoIPnetwork. Fourth, thefinSearch concludes the route setup procedure. We now describe these four operations indetail, which are important for understanding triangula-tion based timing attacks discussed in the next section.initSearch. A VoIP client src initiates a route set upfor a receiverdst by broadcasting search (searchId,sipurl = dst.sipurl, ts = curT ime) to all nodes p∈ ngh(src),wherengh(src) denotes the neighbors ofnodesrc in the VoIP network. The search identifier
View Full Document
Unlocking...