Tadayoshi KohnoCSE P 590 / CSE M 590 (Spring 2010)Computer Security and PrivacyThanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...Goals for TodayAnonymityWeb SecurityResearch readingLab 1 -- May 17HW 3 -- Announced this weekend (after seeing progress through this week, and to not conflict with Lab 1)AnonymityPrivacy on Public NetworksInternet is designed as a public network• Machines on your LAN may see your traffic, network routers see all traffic that passes through themRouting information is public• IP packet headers identify source and destination• Even a passive observer can easily figure out who is talking to whomEncryption does not hide identities• Encryption hides payload, but not routing information• Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP addresses of IPSec gatewaysApplications of AnonymityPrivacy• Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivistsUntraceable electronic mail• Corporate whistle-blowers• Political dissidents• Socially sensitive communications• Confidential business negotiationsLaw enforcement and intelligence• Sting operations and honeypots• Secret communications on a public networkWhat is Anonymity?Anonymity is the state of being not identifiable within a set of subjects• You cannot be anonymous by yourself!– Big difference between anonymity and confidentiality• Hide your activities among others’ similar activitiesUnlinkability of action and identity• For example, sender and the email he or she sends are no more related after observing communication than they were beforeUnobservability (hard to achieve)Chaum’s MixEarly proposal for anonymous email• David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981.Public key crypto + trusted re-mailer (Mix)• Untrusted communication medium• Public keys used as persistent pseudonymsModern anonymity systems use Mix as the basic building blockBasic Mix DesignACDEBMix{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B{r2,{r3,M’}pk(E),E}pk(mix){r4,{r5,M’’}pk(B),B}pk(mix){r5,M’’}pk(B),B{r3,M’}pk(E),EAdversary knows all senders and all receivers, but cannot link a sent message with a received messageAnonymous Return AddressesABMIX{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),BM includes {K1,A}pk(mix), K2 where K2 is a fresh public key Response MIX{K1,A}pk(mix), {r2,M’}K2A,{{r2,M’}K2}K1Mix CascadeMessages are sent through a sequence of mixes• Can also form an arbitrary network of mixes (“mixnet”)Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymityPad and buffer traffic to foil correlation attacksDisadvantages of Basic MixnetsPublic-key encryption and decryption at each mix are computationally expensiveBasic mixnets have high latency• Ok for email, not Ok for anonymous Web browsingChallenge: low-latency anonymity network• Use public-key cryptography to establish a “circuit” with pairwise symmetric keys between hops on the circuit• Then use symmetric decryption and re-encryption to move data messages along the established circuits• Each node behaves like a mix; anonymity is preserved even if some nodes are compromisedAnother Idea: Randomized RoutingHide message source by routing it randomly• Popular technique: Crowds, Freenet, Onion routingRouters don’t know for sure if the apparent source of a message is the true sender or another routerOnion RoutingRR4R1R2RRR3BobRRRSender chooses a random sequence of routers • Some routers are honest, some controlled by attacker• Sender controls the length of the path[Reed, Syverson, Goldschlag ’97]AliceRoute EstablishmentR4R1R2R3BobAlice{R2,k1}pk(R1),{ }k1{R3,k2}pk(R2),{ }k2{R4,k3}pk(R3),{ }k3{B,k4}pk(R4),{ }k4{M}pk(B)• Routing info for each link encrypted with router’s public key• Each router learns only the identity of the next routerTorSecond-generation onion routing network• http://tor.eff.org• Developed by Roger Dingledine, Nick Mathewson and Paul Syverson• Specifically designed for low-latency anonymous Internet communicationsRunning since October 2003“Easy-to-use” client proxy• Freely available, can use it for anonymous browsingTor Circuit Setup (1)Client proxy establish a symmetric session key and circuit with Onion Router #1Tor Circuit Setup (2)Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2• Tunnel through Onion Router #1 (don’t need )Tor Circuit Setup (3)Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3• Tunnel through Onion Routers #1 and #2Using a Tor CircuitClient applications connect and communicate over the established Tor circuitTor Management IssuesMany applications can share one circuit• Multiple TCP streams over one anonymous connectionTor router doesn’t need root privileges• Encourages people to set up their own routers• More participants = better anonymity for everyoneDirectory servers• Maintain lists of active onion routers, their locations, current public keys, etc.• Control how new routers join the network– “Sybil attack”: attacker creates a large number of routers• Directory servers’ keys ship with Tor codeAttacks on AnonymityPassive traffic analysis• Infer from network traffic who is talking to whom• To hide your traffic, must carry other people’s traffic!Active traffic analysis• Inject packets or put a timing signature on packet flowCompromise of network nodes• Attacker may compromise some routers• It is not obvious which nodes have been compromised– Attacker may be passively logging traffic• Better not to trust any individual router– Assume that some fraction of routers is good, don’t know whichDeployed Anonymity SystemsTor (http://tor.eff.org)• Overlay circuit-based anonymity network• Best for low-latency applications such as anonymous Web browsingMixminion (http://www.mixminion.net)• Network of mixes• Best for
View Full Document