Slide 1

Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory The Tor Project 18th ACM Conference on Computer and Communications Security October 17-21, 2011 Chicago, IL

Slide 2

Overview Onion routing provides anonymous communication. 2

Slide 3

Overview Onion routing provides anonymous communication. ? 3

Slide 4

Overview Onion routing provides anonymous communication. ? ? 4

Slide 5

Overview Onion routing provides anonymous communication. ? ? ? 5

Slide 6

Overview Onion routing provides anonymous communication. It is insecure against an adversary with resources. ? ? 6

Slide 7

Overview Onion routing provides anonymous communication. It is insecure against an adversary with resources. Trust can help avoid such an adversary. We provide a model of trust. We design trust-based routing algorithms. ? ? 7

Slide 8

Overview Onion routing provides anonymous communication. It is insecure against an adversary with resources. Trust can help avoid such an adversary. We provide a model of trust. We design trust-based routing algorithms. Improve anonymity with robustness to trust errors. ? ? 8

Slide 9

Onion Routing 9

Slide 10

10 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.Onion-encrypted data is sent and unwrapped along the circuit. 3.The process runs in reverse for return data.

Slide 11

Onion Routing International onion-routing network Estimated at over 300,000 users daily 2500 onion routers Uses include 11 torproject.org - Avoiding censorship - Gathering intelligence - Political activism - Whistleblowing

Slide 12

Problem 12 Problem

Slide 13

13 Problem Adversary may observe or control routers.

Slide 14

14 Problem Adversary may observe or control routers. Traffic patterns can link first and last routers.

Slide 15

Problem Adversary may observe or control routers. Traffic patterns can link first and last routers. 15 Path SelectionProbability of attack success # routers observed# connections until successful attack Random0.01250100 + guards & exits0.0180 guards, 90 exits10 w/ prob. 0.1 + bandwidth weighting0.01guard&exit, 124 MiBps7.7 w/ prob. 0.077 2500 total routers, 900 exit, 800 guard First-last Correlation Attack Success

Slide 16

Key Idea: Trust Users may know how likely a router is to be under observation. 16 NameHostnameBandwidthUptimeLocationTor versionOS moria1moria.csail.mit. edu 460 KB/s1 daysUSA0.2.3.5- alpha Linux rathergonaked212-82-33- 112.ip.14v.de 302 KB/s6 daysGermany0.2.2.33Linux Unnamedstatic-ip-166- 154-142- 114.rev.dyxnet.c om 58 KB/s58 daysHong Kong 0.2.1.29Windows Server 2003 SP2 Source: http://torstatus.blutmagie.de, 10/12/2011 Tor Routers with Possible Trust Factors

Slide 17

Problems 1.What is trust? Model 2.How do we use trust? Path-selection algorithm 17

Slide 18

Model 18 User u Nave users N AuAu Probability of Compromise: c u (r) 01 Adversaries Trust: u (r) = 1-c u (r) Observed destination Observed source

Slide 19

Trust-based Path Selection Algorithm 1.Destination links observed only Use downhill algorithm. 2.Source links observed only Use one-hop path of most-trusted router. 3.Neither source nor destination links observed Connect directly to destination. 4.Both source and destination links observed Connect directly to destination. 19

Slide 20

Downhill Algorithm Key idea: Blend in with the nave users. 20 RandomMost trusted

Slide 21

Downhill Algorithm Key idea: Blend in with the nave users. 21 RandomMost trusted

Slide 22

Downhill Algorithm Key idea: Blend in with the nave users. 22 Most trustedRandom

Slide 23

Downhill Algorithm 23 Most trusted Random Trust 0 0 Fraction of Routers Router Trust CDF 1

Slide 24

Downhill Algorithm 24 Most trustedRandom Trust 0 0 Fraction of Routers Router Trust CDF 1

Slide 25

Downhill Algorithm 25 Most trusted Random Trust 0 0 Fraction of Routers Router Trust CDF 1

Slide 26

Downhill Algorithm 26 Most trustedRandom Trust 0 0 Fraction of Routers Router Trust CDF 1 Downhill

Slide 27

Downhill Algorithm 27

Slide 28

Downhill Algorithm 28 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric.

Slide 29

Downhill Algorithm 29 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 30

Downhill Algorithm 30 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 31

Downhill Algorithm 31 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 32

Downhill Algorithm 32 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 33

Downhill Algorithm 33 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 34

Downhill Algorithm 34 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 35

Downhill Algorithm 35 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i

Slide 36

Downhill Algorithm 36 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i 3.For each connection, 1.Create circuit through selected routers. 2.Randomly choose two routers. 3.Extend circuit through them to the destination.

Slide 37

Downhill Algorithm 37 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i 3.For each connection, 1.Create circuit through selected routers. 2.Randomly choose two routers. 3.Extend circuit through them to the destination.

Slide 38

Downhill Algorithm 38 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i 3.For each connection, 1.Create circuit through selected routers. 2.Randomly choose two routers. 3.Extend circuit through them to the destination.

Slide 39

Downhill Algorithm 39 1.Set path length l and trust levels 1,, l to optimize expectation of anonymity metric. 2.For 1 i l, Randomly select among routers with trust i 3.For each connection, 1.Create circuit through selected routers. 2.Randomly choose two routers. 3.Extend circuit through them to the destination.

Slide 40

Anonymity Analysis Metric: Posterior probability of actual source of a given connection. 40 u Example: Let T i = {r : u (r) i }. Let A u R be the routers compromised by A u. Let X 1 = Pr[ u chose observed path] = ( |T 1 \A u |/|T 1 | ) ( |T 2 \A u |/|T 2 | ) ( 1/|T 3 | ) ( 1/|R| ) 2 Let X 2 = Pr[ n N chose observed path] = ( |R\A u |/|R| ) 2 ( 1/|R| ) 3 Posterior probability: X 1 /(X 1 +|N|X 2 ) static dynamic

Slide 41

Anonymity Analysis 41 Expected anonymity DownhillMost trustedRandomLower bound Many @ medium trust0.02740.25190.10880.01 Many @ low trust0.05500.17510.47630.001

Slide 42

Anonymity Analysis 42 Scenario 1: User has some limited information. =.99 =.9 =.1 5 routers 1000 routers 10 routers Expected anonymity DownhillMost trustedRandomLower bound Many @ medium trust0.02740.25190.10880.01 Many @ low trust0.05500.17510.47630.001

Slide 43

Anonymity Analysis 43 Scenario 2: User and friends run routers. Adversary is strong. =.999 =.95 =.5 5 routers 50 routers 1000 routers Expected anonymity DownhillMost trustedRandomLower bound Many @ medium trust0.02740.25190.10880.01 Many @ low trust0.05500.17510.47630.001

Slide 44

Linking Analysis Metric: Connection entropy at times user communicates. 44 Example: (u,d1)(u,d1) t1t1 t2t2 t3t3 (u,d2)(u,d2)(u,d3)(u,d3)

Slide 45

Linking Analysis Metric: Connection entropy at times user communicates. 45 Example: (?,d 1 ) t1t1 t2t2 t3t3 (?,d 2 )(?,d 3 ) The adversary may not know the user.

Slide 46

Linking Analysis Metric: Connection entropy at times user communicates. 46 Example: (v,d1)(v,d1) t1t1 t2t2 t3t3 (v,d2)(v,d2)(v,d3)(v,d3) Connections without dynamic hops may be linked by final hop.

Slide 47

Linking Analysis Metric: Connection entropy at times user communicates. 47 Example: (v,d1)(v,d1) t1t1 t2t2 t3t3 (w,d2)(w,d2)(x,d3)(x,d3) With dynamic hops, posterior distribution may be more even.

Slide 48

Linking Analysis Metric: Connection entropy at times user communicates. 48 Example: (v,d1)(v,d1) t1t1 t2t2 t3t3 (w,d2)(w,d2)(x,d3)(x,d3) With dynamic hops, posterior distribution may be more even. Theorem: Entropy of connection distribution is increased by using dynamic hops.

Slide 49

Trust Errors Theorem (informal): Error in trust of router r changes expected anonymity proportional to 1. Size of error 2. Expected number of times r is used 3. Expected relative size of rs trust set 49

Slide 50

Trust Errors 50 Errors in Scenario 1 (many @ medium trust) Fraction x of low are medium, x/2 of med. are low, x/2 of med. are high, x of high are medium.

Slide 51

Conclusion Adversaries can attack onion-routing network like Tor today. External trust can provide protection. We provide a model to express the problem and solution. We give a path-selection algorithm and show that it improves anonymity. Future Work 51 Dependent compromise Link adversary Multiple adversaries per user Road warrior Private trust values Private adversaries

Slide 52

Onion Routing 52 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network.

Slide 53

Onion Routing 53 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened.

Slide 54

Onion Routing 54 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. {{{M} 3 } 2 } 1

Slide 55

Onion Routing 55 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. {{M} 3 } 2

Slide 56

Onion Routing 56 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. {M} 3

Slide 57

Onion Routing 57 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. M

Slide 58

Onion Routing 58 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. 4.The process runs in reverse for return data. M

Slide 59

Onion Routing 59 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. 4.The process runs in reverse for return data. {M} 3

Slide 60

Onion Routing 60 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. 4.The process runs in reverse for return data. {{M} 3 } 2

Slide 61

Onion Routing 61 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. 4.The process runs in reverse for return data. {{{M} 3 } 2 } 1

Slide 62

Onion Routing 62 UsersOnion RoutersDestinations 1.A user cryptographically constructs a circuit through the network. 2.A stream to the destination is opened. 3.Onion-encrypted data is sent and unwrapped along the circuit. 4.The process runs in reverse for return data. 5.The user changes the circuit periodically.

Slide 63

Problems 1. What is trust? Model adversary Differs among users Model user knowledge Include uncertainty 63 2. How to use trust? Blend user connections together Use trust explicitly in guard nodes Protect trust information

Slide 64

Model Agents Users: U Routers: R Destinations: D Adversaries: {A u } u U 64 Trust Probability of compromise: c u (r) Trust: u (r) = 1 - c u (r) Known whether source and destination links are observed Nave users: N U A n 1 =A n 2, n 1,n 2 N c n (r) = c N, n N

Slide 65

Anonymity Analysis 65 Scenario 3: Trust is based on geographic region. =0.9=0.5 =0.1 350 routers Expected anonymity DownhillMost trustedRandomLower bound Many @ medium trust0.02740.25190.10880.01 Many @ low trust0.05500.17510.47630.001 Equal high/med/low0.10210.10270.50000.1