TIKETH ZurichPractical Anonymity for the MassesPractical Anonymity for the Masseswith MorphMixwith MorphMixMarc Rennhard, Bernhard Plattner (ETH Zurich)Financial Cryptography 2004 – 12thFebruary 2004http://www.tik.ee.ethz.ch/~morphmixTIKETH Zurich2OverviewOverview• Circuit-based mix networks and their limitations• MorphMix- Main objective- Basic idea- Three core components- Analysis• Conclusions• Open issuesTIKETH Zurich3CircuitCircuit--Based Mix Networks (1)Based Mix Networks (1)• Introduced in 1996 within the context of the Onion Routing project to anonymizelow-latency applications- Mixes form an overlay network- Mixes are connected via virtual links; usually based on TCP connections- Idea: clients no longer access servers directly, but via a subset of the mixes ➔ end-to-end communication relationship is split up- Before servers can be accessed, a client builds a circuit- Data exchanged between client andserver are relayed along a circuit• Client and relationship anonymity• Additional measures to protectfrom traffic analysis attacks:- Fixed-length cells- Layered encryption- (Batching, shuffling, cover traffic ➔ performance penalty ➔ reduced usability)TIKETH Zurich4CircuitCircuit--Based Mix Networks (2)Based Mix Networks (2)• We distinguish between two main adversaries that want to compromise circuits, i.e. link client and server:- The external attacker can monitor parts of all data- The internal attacker controls a subset of all mixes• If no cover traffic is employed, a circuit is usually compromised if:-An external attacker can observethe traffic between c and m1, and m3and s-An internal attacker controls boththe first (m1) and the last (m3) mixin a circuit•Reason:- The adversary sees 24’647 bytessent from s to m3and the sameamount of data one second laterbetween m1and cTIKETH Zurich5LimitationsLimitations• Traditional (static) mix networks (Onion Routing, JAP, Anonymity Network, Tor):- Many clients use relatively small and static set of powerful mixes- Advantages: stable circuits, good performance (with few users), well-known mixes- Disadvantages: scalability (finding enough mixes to support a large user base); threat from an internal attacker that operates a significant fraction of all mixes➔ Static mix networks are not the best option to provide anonymity for the masses• MorphMix idea: move from a static to a peer-to-peer-based mix network- No distinction between clients and mixes; every client also acts as a mix ➔ nodes- Intuitively: potential advantages compared to static mix networks, in particular with respect to scalabilityTIKETH Zurich6MorphMix MorphMix ––Main ObjectiveMain ObjectiveMain objective: provide a practical system that enables anonymous low-latency Internet access for a large number of users:1. Everybody owning a state-of-the-art computer can participate2. The performance as experienced by the users is good enough such that users are not turning away from the system3. It provides good protection from long-term profiling attacks by a realistic adversary4. It scales well and can handle a large number of usersTIKETH Zurich7MorphMix MorphMix ––Details (1)Details (1)• A MorphMix node is identified with its public IP address• The nodes to which a node has established virtual links are its neighbours• In MorphMix, we name the circuitsanonymous tunnels- Start at the initiator (a)- End at the final node (d)- The nodes in between are the first, second,… intermediate node (b, c)• Since anyone can participate in MorphMix, we must expect an adversary can also operate nodes; consequently, there are:- Honest nodes that follow the protocol correctly and that are operated by honest users- Malicious nodes that collude and share their information to “break the anonymity” of honest usersTIKETH Zurich8MorphMix MorphMix ––Details (2)Details (2)• MorphMix is still a circuit-based mix network- The requirements to compromise a tunnel are the same as in static circuit-based mix networks• We focus especially on the internal attacker- Running many MorphMix nodes is easy: no access control ➔ anyone can run as many nodes as he owns IP addresses- Increasing the protection from external attackers depends on the development of efficient cover traffic mechanisms ➔ outside the scope of this work• MorphMix consists of three core components that depend on each other:1. The anonymous tunnel setup protocol2. The collusion detection mechanism to detect compromised tunnels3. The peer discovery mechanism to easily learn about other nodes• Goal of these three components: make it difficult for the internal attacker to control both the first intermediate and the final node in a tunnelTIKETH Zurich9Anonymous Tunnel SetupAnonymous Tunnel Setup• Design decision: each node along a tunnel picks the next node in the tunnel- Advantages: each node handles its local environment and can easily learn about the current state of its neighbours; no lookup-service required that keeps track of the nodes that are currently participating ➔ one key decision to make MorphMix scalable- Disadvantage: malicious nodes pick other malicious nodes as the next node- To complicate this attack, a node cannot pick the following node in the tunnel itself, but must offer a selection of nodes to the initiator, which picks one of themTIKETH Zurich10Collusion Detection MechanismCollusion Detection Mechanism- To make sure the following nodeis also malicious, malicious nodesmust now offer exclusively malicious nodes in their selections• The collusion detection mechanism is based on these selections to detect malicious nodes with high probability- Based on the assumption that honest nodes pick their neighbours – and therefore the nodes in their selections – more randomly from the set of all nodes than malicious nodes1. The initiator remembers selections it has received previously2. A new selection is compared with the internally stored selections3. The collusion detection mechanism detects selections that contain many malicious nodes with high probability ➔ malicious selection4. The initiator won’t use this anonymous tunnel to connect to serversTIKETH Zurich11Peer Discovery MechanismPeer Discovery Mechanism• Main effect of the collusion detection mechanism:- Malicious nodes cannot pick the nodes they offer in their selections “significantly less randomly” than honest nodes because otherwise, this will be detected by the initiator ➔ Malicious
View Full Document
Unlocking...