Online Anonymitybeyond TorDr. Mar�n Schmiedecker

Outline

Online Anonymity

Tor

Alterna�ves to Tor

Interes�ng Times Ahead

2/38

Online Anonymity

Online Anonymity

3/38

Online Anonymity

4/38

Anonymity Set

• Anonymity requires a peer group/set• Well-defined group of individuals• The bigger the be�er

”Anonymity is the state of being not iden�fiable within a set ofsubjects, the anonymity set.” [Pfitzmann, 2000]

5/38

Anonymity Set

6/38

Degrees Of Anonymity

• Pseudonymity• Sender/Recipient anonymity:

◦ Sender/Recipient of a message cannot be determined• Unlinkability:

◦ Messages cannot be a�ributed to a pair of users• Unobservability:

◦ Cannot be determined if specific user sent messages at all

7/38

Chaum Mix

• Base of modern anonymity systems• David Chaum: ”Untraceable electronic mail, returnadresses, and digital pseudonyms”, Communica�ons ofthe ACM, 1981

• Chaum Mix◦ Order of sent messages != order of received messages◦ Messages are split into equal chunks and padded◦ Hinders de-anonymiza�on based on analyzing the network

traffic

8/38

One-hop mix

Figure: Basic Mix, George Danezis, UCL 9/38

Chaum mix proper�es

• unlinkability: use of cryptography, message chunking• traffic analysis: reordering of messages

10/38

Broken Mix: no reordering but FIFO

Figure: FIFO Mix, George Danezis, UCL

A�ackers can link senders to recipients by observing the mix. 11/38

Protec�on against traffic analysis

Figure: Mix Batching / Pooling, George Danezis, UCL

Threshold sends all messages once certain number ofmessages reached (Chaum), pooling: some messages are keptback.

12/38

Tor

13/38

Tor

14/38

Tor

15/38

Tor

16/38

Tor

17/38

TorNSA: Tor = King of Anonymity1

• “S�ll the King of high secure, low latency InternetAnonymity”

• no new a�ack found in these files• but: Tor users can be tagged• some of the files by the NSA on Tor:http://media.encrypted.cc/files/nsa/

1http://www.theguardian.com/world/2013/oct/04/

nsa-gchq-attack-tor-network-encryption18/38

Alterna�ves to Tor

Garlic Rou�ng

• Founda�on of the Invisible Internet Project (I2P)• Layer-based encryp�on

◦ Basic idea: Chaum mixes / Onion Rou�ng• Messages are bundled

◦ Messages are merged into Bulbes/Cloves• ElGamal/AES + SessionTag

◦ Combina�on of asymmetric and symmetric encryp�on methods

19/38

Example Garlic Rou�ng: I2P

• Based on Java, ac�ve development since 2003• I2P Router creates local proxy (4444/TCP)• I2P Applica�ons

◦ Filesharing (BitTorrent, eMule, Gnutella)◦ E-Mail (Postman, I2P-Bote)◦ Instant messaging (I2P Messenger)◦ Publishing (Syndie)◦ Distributed file-system/storage (Tahoe-LAFS)

20/38

Garlic Rou�ng: I2P

• Tunnels to other I2P nodes are created(incoming / outgoing tunnels)

• Use focuses on “Darknet“ applica�ons (as opposed to Tor)

21/38

Anonymity systems overview

22/38

Interes�ng Times Ahead

OTR, Signal and more

• key protocol for (un-)authen�cated encryp�on• OTR, mpOTR, axolotl• part of Signal, Whatsapp, Wire• open libraries available• forward secrecy

23/38

Ricochet

• builds on Tor2

• spawns hidden service• allows for anonymous cha�ng• no party has to reveal iden�ty• implicitly authen�cated

2https://ricochet.im24/38

HORNET (2015) [1]

• onion-rou�ng on the network layer• no local states• all relevant informa�on in headers• only symmetric cryptography• can achieve close to 100 Gbit/s

25/38

Dissent (2012) [2]

• provable privacy• (groups of) client-server• based on DC-net shuffles• anytrust, one honest server needed• more efficient as DC-nets (linear!)• trade-offs: intersec�on a�acks, scalability

26/38

Riffle (2016) [3]

• improves Dissent• can handle many more clients• efficient symmetric crypto• bandwidth propor�onal to messages

27/38

Aqua (2013) [4]

• Tor-like infrastructure• mix-based• each client has one edge mix• k-anonymity among k honest clients

28/38

Vuvuzela (2015) [5]

• uses differen�al privacy• scales to millions of users• hides most metadata• onion-like relaying• s�ll somewhat efficient

29/38

Alpenhorn (2016) [6]

• protocol for ini�a�ng communica�on• employs forward secrecy (key ratchet)• uses iden�ty-based encryp�on• added to Vuvuzela

30/38

Riposte (2015) [7]

• usable for broadcas�ng• few writers, many readers• provable privacy (reverse PIR)• protects against traffic analysis

31/38

Loopix (2017) [8]

• sender- and receiver anonymity• unobservability!• traffic analysis resistance against a global network

adversary!• mix-based, very low latency

32/38

To conclude

• Tor leads the way• DC-nets vs. mixes• much more to come

33/38

Ques�ons?

References I[1] Chen Chen, Daniele E Asoni, David Barrera, George

Danezis, and Adrain Perrig.Hornet: High-speed onion rou�ng at the network layer.In Proceedings of the 22nd ACM SIGSAC Conference onComputer and Communica�ons Security, pages 1441–1454.ACM, 2015.

[2] David Isaac Wolinsky, Henry Corrigan-Gibbs, Bryan Ford,and Aaron Johnson.Dissent in numbers: Making strong anonymity scale.In 8th USENIX Symposium on Opera�ng Systems Designand Implementa�on, pages 179–182, 2012. 34/38

References II[3] Albert Kwon, David Lazar, Srinivas Devadas, and Bryan

Ford.Riffle.Proceedings on Privacy Enhancing Technologies,2016(2):115–134, 2016.

[4] Stevens Le Blond, David Choffnes, Wenxuan Zhou, PeterDruschel, Hitesh Ballani, and Paul Francis.Towards efficient traffic-analysis resistant anonymitynetworks.In ACM SIGCOMM Computer Communica�on Review,volume 43, pages 303–314. ACM, 2013. 35/38

References III

[5] Jelle Van Den Hooff, David Lazar, Matei Zaharia, andNickolai Zeldovich.Vuvuzela: Scalable private messaging resistant to trafficanalysis.In Proceedings of the 25th Symposium on Opera�ngSystems Principles, pages 137–152. ACM, 2015.

[6] David Lazar and Nickolai Zeldovich.Alpenhorn: Bootstrapping secure communica�on withoutleaking metadata.

36/38

References IV

In Proceedings of the 12th Symposium on Opera�ngSystems Design and Implementa�on (OSDI), Savannah, GA,2016.

[7] Henry Corrigan-Gibbs, Dan Boneh, and David Mazieres.Riposte: An anonymous messaging system handlingmillions of users.In Security and Privacy (SP), 2015 IEEE Symposium on,pages 321–338. IEEE, 2015.

37/38

References V

[8] Ania Piotrowska, Jamie Hayes, Tariq Elahi, Sebas�anMeiser, and George Danezis.The loopix anonymity system.arXiv preprint arXiv:1703.00536, 2017.

38/38