modelling and analysing of security protocol: lecture 10
TRANSCRIPT
Modelling and Analysing ofSecurity Protocol: Lecture 10
Anonymity: Systems
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE– Anonymous Publishing: Freenet
Crowds
• A crowd is a group of n nodes• The initiator selects randomly a node (calledforwarder) and forwards the request to it
• A forwarder:– With prob. 1-pf selects
randomly a new node andforwards the request to him
– With prob. pf sends therequest to the server
server
Crowds
• The sender is beyond suspicion to the server.
• Some of the nodes could be corrupted.
• The initiator could forward the message to acorrupted node.
• The sender has probable innocence to othernodes.
Crowds
• Problem: many people won’t forward traffic forothers.
• A practical system has to make forwardingtraffic for others optional or controllable.
server
Onion Routing• Each node makes its key public• The initiator selects the whole route and encrypts
the message with all keys in reverse order• Each node unwraps a layer and forwards the
message to the next one
{2,{3,{server,m}k3}k2}k11 2
3m
{3,{server,m}k3}k2
{server,m}k3
server
Onion Routing
• Each node only learns the next one in the path
• End-users can run their own node– Better anonymity
• or use an existing one– More efficient– User's identity is revealed to the node
Tor
• Tor implement this protocol.
• Several hundred volunteer nodes.
• Firefox plug-in.
• Managed by the US navy.
Problems with Tor• You reveal you IP to the first node and the
last node see who you are talking to.
• If an attacker controls the first and the lastnode they may be able to match the packetsusing traffic analysis.
• No anonymity from an attacker that monitorsthe whole network.
• Some protocol broadcast their IP address
MIXes• MIXes are proxies that forward messages
between them• A user contacts a MIX to send a message• The MIX waits until it has received a number of
messages, then forwards them in different order
MIXes• It is difficult to trace the route of each
message.
• May provide beyond suspicion S-Runlinkability even to a global attacker.
• Messages have to be delayed (can be solvedwith dummy traffic).
• More complicated when sending series ofpackets
Mutli-casting
• Broadcast the message to the whole network.
• Beyond suspicion for the receiver.
• No anonymity for the sender.
• Multicasting is a good technique forbroadcasting messages .... but very inefficientto send just one message.
Spoofed UDP
• The from IP address is not used by routers,only by higher-level protocols such as TCP.
• UDP does not have to use this address.
• A random address can be used instead toprovide sender anonymity.
• Method prohibited by many ISPs.
Anonymous File-Sharing system
800,000 downloads
Informal description
Source code
Appeal for donations
Peer-to-Peer File-Sharing
In newer networks peers recordthe IP address of other peers.
A searcher sends a request to allof it’s “neighbours”.
This is forwarded to all of thereneighbours, up to a fixed hops.
A
Peer-to-Peer File-Sharing
The search request includesA’s IP address.
Any peer with the requestedfile contacts A directly.
Peer “A” may then requestthe file.
A
Peer-to-Peer File-Sharing
No anonymity from peers insidethe network:
The search message gives thesearcher’s IP address and nameof the files they are looking for.
By requesting a file, you can findout the IP address of all peersthat are offering the file.A
MUTE• MUTE removes the IP address from the file
exchange.
• Peers only know the IP address of their directneighbours.
• Peers choose random “pseudo ID”.
• Files are not sent directly between peers. Insteadfiles are sent via a number of peers.
• MUTE uses a version of the “Ants” ad-hoc routingprotocol.
Anonymity Provided by MUTE• MUTE makes it hard to link the IP address of
a peer with its pseudo ID.
• Peers only know the ID address's of theirdirect neighbours, but not their pseudo ID.
• The network should provide enough cover tolet a neighbour deny using a particular ID.
• If an attacker can completely surround a peerit looses anonymity.
MUTE: Search
The search takes place as before, but thistime the message uses its pseudo IDas the “from ID”.
Each peer builds a routing table byrecords the ID and the connection.
A probabilistic time-to-live counter limitsthe search.
AA
A
A
A
AA
AA
MUTE: Reply
If B wants to reply it sends amessage to A’s pseudo ID.
This message is routed using the ad-hoc routing table.
The route to B is also recorded
AA
A
A
A
AA
AA
B
B
B
B
Un-forgeable Pseudo IDs
• MUTE using a hash of using authenticationkeys as the peers pseudo IDs.
• A peer generates a RSA signature key “kS” and anauthentication key “kA”.
• The message header now has the form:
( to ID, #(kA), message ID-time_stamp, FLAGS:(SkS(messageID-time_stamp), kA) )
Freenet and Free Haven• There are a number of “anonymous
publishing system”.
• For example Freenet and the MIX basedFree Haven.
• These systems make the original author of afile anonymous, not the responder.
• Nodes will often cache files.Therefore youcan “trick” a node into storing and “offering” afile.
Summary of methods
Some Kinds of Attack
• Timing attacks• System Membership• Time-to-Live Attacks (Mute, Mantis)• Multiple Attackers (Mute)• Statistical Attacks (MIXes)• Forced Repeat (Crowds)• Nodes Joining and Leaving• Denial of Service (Mute)
Today’s Lecture• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE– Anonymous Publishing: Freenet