Building a Peer-to-Peer Anonymizing Network Layer
Michael J. Freedman
NYU Dept of Computer Science [email protected]
Public Design Workshop
September 13, 2002
http://pdos.lcs.mit.edu/tarzan/
September 13, 2002 Building a Peer-to-Peer Anonymizing Network Layer Page 2
The Grail of Anonymization
• Participant can communicate anonymously with non-participant
• User can talk to CNN.com
• Nobody knows who user is
Should we offer anonymity?
[2×2 table: actions of user seeking anonymity (Legal / Illegal) against method of observing user’s identity (Legal / Illegal); entries: Definitely!, Yes, ???, No (?)]
Our Vision for Anonymization
• Thousands of nodes participate
• Bounce traffic off one another
• Mechanism to organize nodes: peer-to-peer
• All applications can use: IP layer
Alternative 1: Proxy Approach
• Intermediate node to proxy traffic
• Completely trust the proxy
Anonymizer.com
[Diagram labels: User, Proxy]
Realistic Threat Model
• Corrupt proxy(s)
– Adversary runs proxy(s)
– Adversary targets proxy(s) and compromises, possibly adaptively
• Network links observed
– Limited, localized network sniffing
– Wide-spread (even global) eavesdropping
e.g., Carnivore, Chinese firewall, ISP search warrants
Failures of Proxy Approach
[Diagram labels: User, Proxy, X, X]
• CNN blocks connections from proxy
• Traffic analysis is easy
• Adversary blocks access to proxy (DoS)
• Proxy reveals identity
Alternative 2: Centralized Mixnet
[Diagram labels: User, Relay, Relay, Relay]
• MIX encoding creates encrypted tunnel of relays
– Individual malicious relays cannot reveal identity
• Packet forwarding through tunnel
• Cover traffic among relays hides data traffic
Onion Routing, Freedom
Small-scale, static network
Failures of Centralized Mixnet
[Diagram labels: Relay, Relay, Relay, Relay, X]
• CNN blocks core routers
• Adversary targets core routers
• Allows network-edge analysis
• Cover traffic doesn’t protect edges (n²)
Tarzan: Me Relay, You Relay
• Thousands of nodes participate
• Build tunnel over pseudorandom set of nodes
• Cover traffic covers edges
Crowds: small-scale, not self-organizing, not a mixnet, no cover
Benefits of Peer-to-Peer Design
• No network edge to analyze: First hop does not know he’s first
• CNN cannot block everybody
• Adversary cannot target everybody
• Global eavesdropping gains little info
Managing Peers
• Requires a mechanism that
1. Discovers peers
2. Scalable
3. Robust against adversaries
Adversaries Can Join System
• Adversary can join more than once
• Stop it from spoofing addresses outside of control?
Contact peers directly to
– Validate IP address
– Learn public key
Adversaries Can Join System
• Adversary can join more than once
• Can control many addresses on each subnet!
Randomly select nodes by subnet “domain”, not IP address
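The selection rule on this slide as an added example (not code from the Tarzan project): it compares uniform selection over addresses with selection by subnet domain and computes the exact chance of landing on an adversary-controlled node. Treating the /16 prefix as the "domain", the function names, and every address below are assumptions constructed for illustration.

```python
import ipaddress
import random
from collections import defaultdict
from fractions import Fraction

def domain_of(ip, prefix_len=16):
    """Assumed 'domain': the enclosing /prefix_len network of an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def group_by_domain(peers, prefix_len=16):
    groups = defaultdict(list)
    for ip in peers:
        groups[domain_of(ip, prefix_len)].append(ip)
    return groups

def pick_by_domain(peers, rng, prefix_len=16):
    """Pick a domain uniformly, then one address inside it uniformly."""
    groups = group_by_domain(peers, prefix_len)
    domain = rng.choice(sorted(groups))
    return rng.choice(sorted(groups[domain]))

def adversary_share_by_address(peers, hostile):
    """Chance that uniform selection over addresses lands on a hostile node."""
    return Fraction(sum(ip in hostile for ip in peers), len(peers))

def adversary_share_by_domain(peers, hostile, prefix_len=16):
    """Chance that domain-then-address selection lands on a hostile node."""
    groups = group_by_domain(peers, prefix_len)
    per_domain = [Fraction(sum(ip in hostile for ip in ips), len(ips))
                  for ips in groups.values()]
    return sum(per_domain) / len(groups)

# Constructed sample: 8 honest peers in 8 different /16s, plus an adversary
# that joined 200 times from addresses inside a single /16 it controls.
HONEST = [f"10.{i}.0.1" for i in range(8)]
HOSTILE = {f"172.16.0.{i}" for i in range(1, 201)}
PEERS = HONEST + sorted(HOSTILE)

if __name__ == "__main__":
    print("by address:", adversary_share_by_address(PEERS, HOSTILE))  # 25/26
    print("by domain: ", adversary_share_by_domain(PEERS, HOSTILE))   # 1/9
    print("sample pick:", pick_by_domain(PEERS, random.Random(7)))
```

Joining 200 times from one subnet buys the adversary 200 of 208 addresses but only one of nine domains.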
Tarzan: Joining the System
1. Contacts known peers to learn neighbor lists
2. Validates each peer by directly pinging
Tarzan: Discovering Peers
3. Nodes pair-wise choose (verifiable) mimics
4. Mimics begin passing cover traffic
5. Building tunnel:
Iteratively selects peers and builds tunnel from among last-hop’s mimics
Tarzan: Building Tunnel
5. Building tunnel:
Public-key encrypts tunnel info during setup
Maps flowid → session key, next hop IP addr
[Diagram labels: Tunnel Private Address, Public Alias Address, Real IP Address, PNAT]
Tarzan: Tunneling Data Traffic
6. Reroutes packets over this tunnel
– Diverts packets to tunnel source router
– NATs to private address space 192.168.x.x
– Layer encrypts packet
– Encapsulates in UDP and forwards packet
– Strips off encryption, forwards to next hop
– NATs again to public alias address
– Reads IP headers and sends accordingly
– Response repeats process in reverse
[Diagram labels: User, APP, IP]
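The tunnel steps on the preceding slides as an added example (not code from the Tarzan project): each relay's flow table maps a flowid to a session key and next hop, the source layer encrypts, and every relay strips one layer. The SHA-256 keystream XOR is a toy stand-in for the session cipher, which the slides do not name; setup happens in-process instead of through public-key messages, NAT and UDP encapsulation are left out, and all names are assumptions.

```python
import hashlib
import os

def keystream_xor(key, data):
    """Toy stand-in cipher: XOR with a SHA-256 counter keystream (no integrity)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Relay:
    def __init__(self, addr):
        self.addr, self.flows = addr, {}  # flows: flowid -> (session key, next hop)

    def forward(self, flowid, payload):
        """Strip one layer; return (next hop address, remaining payload)."""
        key, next_hop = self.flows[flowid]
        return next_hop, keystream_xor(key, payload)

def build_tunnel(relays):
    """Install one flow entry per relay; next hop None marks the last hop."""
    hops = []
    for i, relay in enumerate(relays):
        flowid, key = os.urandom(4), os.urandom(16)
        next_hop = relays[i + 1].addr if i + 1 < len(relays) else None
        relay.flows[flowid] = (key, next_hop)
        hops.append((flowid, key))
    return hops

def wrap(hops, packet):
    """Source applies one layer per hop, the last hop's layer innermost."""
    for _, key in reversed(hops):
        packet = keystream_xor(key, packet)
    return packet

def send(relays, hops, packet):
    """Walk the tunnel; record what each relay sees after stripping its layer."""
    seen, payload = [], wrap(hops, packet)
    for relay, (flowid, _) in zip(relays, hops):
        next_hop, payload = relay.forward(flowid, payload)
        seen.append((relay.addr, next_hop, payload))
    return seen

def reply(relays, hops, packet):
    """Response path: each relay adds its layer, the source removes them all."""
    for relay, (flowid, _) in zip(reversed(relays), reversed(hops)):
        _, packet = relay.forward(flowid, packet)  # XOR keystream: add == strip
    return wrap(hops, packet)
```

Calling `send` on three relays shows that only the last hop recovers the plaintext packet, and that each relay's table holds nothing beyond its own key and the next address.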
Tarzan: Tunneling Data Traffic
Transparently supports anonymous servers
Can build double-blinded channels
[Diagram labels: Server, Oblivious User, APP, IP]
Summary
• Gain anonymity:
– Peer-to-peer: scalable, decentralized, secure
– Cover traffic over mimics
• Transparent IP-layer anonymization
– Towards a critical mass of users
More information…
http://pdos.lcs.mit.edu/tarzan/