Tarzan: A Peer-to-Peer Anonymizing Network Layer
Michael J. Freedman, NYU
Robert Morris, MIT
ACM CCS 2002
http://pdos.lcs.mit.edu/tarzan/
November 20, 2002

The Grail of Anonymization
•Participant can communicate anonymously with non-participant
•User can talk to CNN.com
•Nobody knows who user is
[Diagram labels: User, ?]

Our Vision for Anonymization
•Thousands of nodes participate
•Bounce traffic off one another
•Mechanism to organize nodes: peer-to-peer
•All applications can use: IP layer

Alternative 1: Proxy Approach
•Intermediate node to proxy traffic
•Completely trust the proxy
[Diagram labels: Anonymizer.com, User, Proxy]

Threat model
•Corrupt proxy(s)
–Adversary runs proxy(s)
–Adversary targets proxy(s) and compromises, possibly adaptively
•Network links observed
–Limited, localized network sniffing
–Wide-spread (even global) eavesdropping
e.g., Carnivore, Chinese firewall, ISP search warrants

Failures of Proxy Approach
•Traffic analysis is easy
•Proxy reveals identity
[Diagram labels: User, Proxy]

Failures of Proxy Approach
•CNN blocks connections from proxy
•Traffic analysis is easy
•Adversary blocks access to proxy (DoS)
•Proxy reveals identity
[Diagram labels: User, Proxy, X, X]

Alternative 2: Centralized Mixnet
•MIX encoding creates encrypted tunnel of relays
–Individual malicious relays cannot reveal identity
•Packet forwarding through tunnel
Onion Routing, Freedom
Small-scale, static network
[Diagram labels: User, Relay nodes]

Failures of Centralized Mixnet
•CNN blocks core routers
[Diagram labels: User, Relay nodes, X]

Failures of Centralized Mixnet
•CNN blocks core routers
•Adversary targets core routers
[Diagram labels: User, Relay nodes]

Alternative 2: Centralized Mixnet
•CNN blocks core routers
•Adversary targets core routers
•So, add cover traffic between relays
–Hides data traffic among cover
[Diagram labels: User, Relay nodes]

Failures of Centralized Mixnet
•CNN blocks core routers
•Adversary targets core routers
[Diagram labels: User, Relay nodes]

Failures of Centralized Mixnet
•CNN blocks core routers
•Adversary targets core routers
•Still allows network-edge analysis
[Diagram labels: User, Relay nodes]

Failures of Centralized Mixnet
•Internal cover traffic does not protect edges
•External cover traffic prohibitively expensive?
–n² communication complexity
[Diagram labels: User, Relay nodes]

Tarzan goals
•No distinction between anon proxies and clients
–Peer-to-peer model
•Anonymity against corrupt relays
–MIX-net encoding
–Robust tunnel selection
–Prevent adversary spoofing or running many nodes
•Anonymity against global eavesdropping
–Cover traffic protects all edges
–Restrict topology to make cover practical
–Choose neighbors in verifiably-random manner
•Application-independence
–Low-latency IP-layer redirection

Tarzan: Me Relay, You Relay
•Thousands of nodes participate
–CNN cannot block everybody
–Adversary cannot target everybody

Tarzan: Me Relay, You Relay
•Thousands of nodes participate
•Cover traffic protects all nodes
–Global eavesdropping gains little info

Benefits of Peer-to-Peer Design
•Thousands of nodes participate
•Cover traffic protects all nodes
•All nodes also act as relays
–No network edge to analyze
–First hop does not know he’s first
[Diagram labels: ?????]

Tarzan goals
•No distinction between anon proxies and clients
–Peer-to-peer model
•Anonymity against corrupt relays
–MIX-net encoding
–Robust tunnel selection
–Prevent adversary spoofing or running many nodes
•Anonymity against global eavesdropping
–Cover traffic protects all nodes
–Restrict topology to make cover practical
–Choose neighbors in verifiably-random manner
•Application-independence
–Low-latency IP-layer redirection

Tarzan: Joining the System
1. Contacts known peers to learn neighbor lists
2. Validates each peer by directly pinging
[Diagram labels: User]

Tarzan: Generating Cover Traffic
4. Nodes begin passing cover traffic with mimics:
–Nodes send at some traffic rate per time period
–Traffic rate independent of actual demand
–All packets are same length and link encrypted
[Diagram labels: User]

Tarzan: Selecting tunnel nodes
5. To build tunnel:
Iteratively selects peers and builds tunnel from among last-hop’s mimics
[Diagram labels: User, PNAT]

But, Adversaries Can Join System
[Diagram labels: User, PNAT]

But, Adversaries Can Join System
•Adversary can join more than once by spoofing addresses outside its control
–Contact peers directly to validate IP addr and learn PK
[Diagram labels: User, PNAT]

But, Adversaries Can Join System
•Adversary can join more than once by running many nodes on each machine it controls
–Randomly select by subnet “domain” (/16 prefix, not IP)
[Diagram labels: User, PNAT]

But, Adversaries Can Join System
•Adversary can join more than once by running many nodes on each machine it controls
–Randomly select by subnet
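
The slides' countermeasure to an adversary running many nodes, selecting by /16 "domain" rather than by IP, can be checked numerically. The following is an added example, not code from the Tarzan authors or project; the function names and the constructed peer list (20 honest nodes, 200 adversary addresses in one /16) are assumptions made for illustration.

```python
import ipaddress
import random
from collections import defaultdict
from fractions import Fraction

def domain_of(ip, prefix_len=16):
    """Map an IPv4 address to its /16 'domain' (prefix, not the full address)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def group_by_domain(peers):
    """Bucket validated peer addresses by /16 domain."""
    domains = defaultdict(list)
    for ip in peers:
        domains[domain_of(ip)].append(ip)
    return domains

def pick_by_ip(peers, rng):
    """Naive selection: every address is equally likely."""
    return rng.choice(peers)

def pick_by_domain(peers, rng):
    """Two-level selection: uniform over domains, then uniform inside one."""
    domains = group_by_domain(peers)
    chosen = rng.choice(sorted(domains))
    return rng.choice(domains[chosen])

def share_by_ip(peers, bad):
    """Exact probability that naive selection returns an adversary address."""
    return Fraction(sum(ip in bad for ip in peers), len(peers))

def share_by_domain(peers, bad):
    """Exact probability that two-level selection returns an adversary address."""
    domains = group_by_domain(peers)
    per_domain = [Fraction(sum(ip in bad for ip in ips), len(ips))
                  for ips in domains.values()]
    return sum(per_domain) / len(domains)

# Constructed sample: 20 honest nodes in 20 different /16s, and one adversary
# running 200 nodes on addresses inside a single /16 it controls.
HONEST = [f"10.{i}.0.1" for i in range(20)]
ADVERSARY = {f"192.168.0.{i}" for i in range(1, 201)}
PEERS = HONEST + sorted(ADVERSARY)

if __name__ == "__main__":
    rng = random.Random(2002)
    print("by IP:    ", share_by_ip(PEERS, ADVERSARY), pick_by_ip(PEERS, rng))
    print("by domain:", share_by_domain(PEERS, ADVERSARY), pick_by_domain(PEERS, rng))
```

With selection by address the adversary's share grows with every node it adds; with selection by domain it is bounded by the number of distinct /16 prefixes it can occupy.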