Class 8
Introduction to Anonymity
CIS 755: Advanced Computer Security
Spring 2015
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S15/
Administrative stuff
• Monday office hours moved to 2:30
– Will be 2:30 – 4
• How was your break?
• Quiz graded
– Discussion
Anonymity Concepts
• Privacy
– Confidentiality
• Anonymity/Pseudonymity
– Unobservability
– Unlinkability
Properties of eCash
• Unforgeability
• Non-reusability
• Anonymity
– Untraceability
– Unlinkability
Dining Cryptographers
• Three people toss coins: heads=1, tails=0
• Menus hide right-hand coin
• XOR your coin flip result and left neighbor’s result
• Report value to everyone
• Report opposite value to send a single bit
• If the sum is odd, someone sent a message
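The protocol above as a small simulation, added here as an illustration and not part of the original slides; the ring indexing (diner i's left neighbour is diner i-1) and the function names are assumptions. It checks the parity rule and enumerates every coin outcome to show that the reports look the same whichever diner sent the bit.

```python
from collections import Counter
from itertools import product

N = 3  # diners in a ring, as on the slide

def reports(coins, sender=None):
    """coins[i] is diner i's toss. Diner i sees it plus the left neighbour's
    coin (assumed to be diner i-1) and reports their XOR; the sender, if any,
    reports the opposite value."""
    out = []
    for i in range(len(coins)):
        bit = coins[i] ^ coins[i - 1]   # index -1 wraps around the table
        out.append(bit ^ 1 if i == sender else bit)
    return out

def message_sent(rep):
    """Each coin enters exactly two reports, so the sum is odd only when
    one diner reported the opposite value."""
    return sum(rep) % 2 == 1

def view_distribution(sender, known=None):
    """Count the report vectors over every coin outcome consistent with
    `known` (coin index -> value), i.e. the coins an observer can see."""
    known = known or {}
    dist = Counter()
    for coins in product((0, 1), repeat=N):
        if all(coins[i] == v for i, v in known.items()):
            dist[tuple(reports(coins, sender))] += 1
    return dist

if __name__ == "__main__":
    coins = [1, 0, 1]                        # constructed sample tosses
    print(reports(coins), message_sent(reports(coins)))
    print(reports(coins, sender=1), message_sent(reports(coins, sender=1)))
    # Outsider who sees only the reports: same distribution for any sender.
    print(view_distribution(0) == view_distribution(1) == view_distribution(2))
    # Diner 0 sees coins 0 and 2 and still cannot tell diner 1 from diner 2.
    seen = {0: 1, 2: 1}
    print(view_distribution(1, seen) == view_distribution(2, seen))
```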
Dining Cryptographers II
• Slow
• Error-prone
• Needs tamper detection
• Does not scale
• Provides unobservability
Unobservability
• k-anonymity (scalable dining cryptographers)
– Must be implemented very carefully
• Link padding
– Inefficient
– Cover traffic knowledge
Unlinkability
• Sender X Receiver (Sender can’t identify receiver)
• Sender X Receiver (Receiver can’t identify sender)
• Sender X Receiver (Neither knows who the other is)
– How do we handle authentication?
• Unobservability implies unlinkability (?)
[Figure: messages labeled "For Bob from Alice", "For Carol from Alice", "For David from Alice"]
Onion Encryption
Source routing with capabilities
[Figure: nodes A, S1, S2, S3, B; labels "B, data", S3, S2, S1]
Onion Encryption II
[Figure: Alice, Carol, Doug, Edward, Bob; labels "Message for Bob", "Wrapping for Carol", "Wrapping for Doug", "Wrapping for Edward"]
Chaum Mixes
[Figure: Alice, Bob]
Output in lexicographic order
Global Adversary
[Figure: Alice, Bob]
Chaum Mix Cascade
[Figure: Alice, Bob]
Anonymous Reply
• Address for replies:
• Reply:
• Mix0 decrypts N,A; sends:
• Mix decrypting reply does not know destination
• Mix encrypting reply does not know source
Mixminion
[Figure: Alice, Bob, and nodes A, B, C, D, E; label "A,B,C,D,E"]
Problems with Mixminion
• Centralized entities required
– Availability failure
– Anonymity failure (how?)
• Malicious nodes:
– Control entry and exit
– Unlikely
Anonymous Email
• High-latency
• Low-throughput
• Provides unlinkability
– Have to be careful about authentication
• No default end-to-end confidentiality (PGP)
– Actually, there is for replies
• Secure against global adversary
Anonymous Web Browsing
• Low-latency
• Medium-throughput
• Server does not know client
• Provides sender unlinkability
– Have to be careful about authentication
• No default end-to-end confidentiality (SSL)
• NOT secure against global adversary
Tor
[Figure: nodes A, B, C]
TCP over TCP (UGH!)
Anonymous Web Services
• Web service does not know client
• Client does not know web service
• Provides sender and receiver unlinkability
• Rendezvous
Tor Hidden Services
[Figure: nodes A, B, C, D, E, F]
Problems with Tor
• Global adversary
– What are the possible attacks?
– Long term intersection
– Defined as NOT HANDLED by Tor
– Functional vs. actual?
• Packet counting
• Packet sampling
Problems with Tor
• “Centralized” entities required
– Availability failure
– Anonymity failure (how?)
• Malicious nodes:
– Control entry and exit
• Hopefully unlikely – entry guards
• Preferential attraction of clients
– Eureka! We can lie!
Problems with Tor II
• Information leakage from software
– Web browser language
– System time
– How else?
• Malicious attacks on software
– How?
Problems with Tor III
• Information leakage from design:
– Latency (Hopper et al.)
• Unlinkability failure:
– Latency (Hopper et al.)
• See a pattern?
• Prevention?
Global Adversary
[Figure: Alice, Mix server, Mix server, Bob]
Global Adversary vs. Tor
[Figure: Alice, Bob; two regions each labeled "Entire Tor network"]
Problems with Tor
• Preferential attraction of clients
– Eureka! We can lie!
• Information leakage from software
• Information leakage and linkability failure from latency (Hopper et al.)
• Malicious nodes
– Control entry and exit
• Hopefully unlikely – entry guards
Tor Network Positioning Attack
[Figure: nodes A, B, C, M]
Tor Linkability Attack
[Figure: nodes A, B, C]
Tor Selective DoS Attack
[Figure: nodes A, B, C]
Tor reliability
• $R_{DoS} = (1-t)^2 + (tf)^3$
$(1-t)^2$ dominates
A defense – entry guards
Useful, but ≤ 3 guards may decrease resilience
Other mixes
Questions?
Reading discussion