Anonymity Networks for Crypto Geeks, the Department of Defense, and - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Anonymity Networks for Crypto Geeks, the Department of Defense, and you.

Nick Mathewson <nickm@freehaven.net> The Free Haven Project MIT SIPB talk; 2 Feb 2006

slide-2
SLIDE 2

This talk is about anonymity.

Technical Social

  • 1. What is it?
  • 2. Why does it matter?
  • 3. How do we build it?
  • 4. What happens then?
slide-3
SLIDE 3

1. What is anonymity anyway?

(Wearing a funny wig, right?)

slide-4
SLIDE 4

Informally: anonymity means you can't tell who did what

“Who wrote this blog post?” “Who's been viewing my webpages?” “Who's been emailing patent attorneys?”

slide-5
SLIDE 5

Formally: anonymity means indistinguishability within an “anonymity set”

Alice1 Alice4 Alice7 Alice2 Alice6 Alice5 Alice8 Alice3 .... Bob Attacker can't tell which Alice is talking to Bob!

slide-6
SLIDE 6

We have to make some assumptions about what the attacker can do.

Alice Anonymity network Bob watch (or be!) Bob! watch Alice! Control part of the network! Etc, etc.

slide-7
SLIDE 7

Anonymity isn't cryptography: Cryptography only protects contents.

Alice Bob “Hi, Bob!” “Hi, Bob!” <gibberish> attacker

slide-8
SLIDE 8

Anonymity isn't steganography: Attacker can tell that Alice is talking; just not to whom.

Alice Alice1 Bob1 ... Anonymity network Alice2 AliceN (Strong high-bandwidth steganography may not exist.) Bob2

slide-9
SLIDE 9

Anonymity isn't just wishful thinking...

“You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”

slide-10
SLIDE 10

...since “weak” anonymity... isn't.

“You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”

Will other parties have the ability and inclination to keep their promises? Proof is a very strong word. With statistics, suspicion becomes certainty. Not what we're talking about. Nope! (More info later.)

slide-11
SLIDE 11

2. Why does anonymity matter?

What, theoretically speaking, do we have to hide?

slide-12
SLIDE 12

Anonymity serves different interests for different user groups.

Anonymity Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!”

slide-13
SLIDE 13

Regular citizens don't want to be watched and tracked.

(the network can track too) Hostile Bob Incompetent Bob Indifferent Bob Blogger Alice “Oops, I lost the logs.” “I sell the logs.” “Hey, they aren't my secrets.” Name, address, age, friends, interests (medical, financial, etc), unpopular opinions, illegal opinions.... Blogger Alice 8-year-old Alice Sick Alice Consumer Alice Oppressed Alice ....

slide-14
SLIDE 14

Businesses need to keep trade secrets.

AliceCorp Competitor Competitor Compromised network “Oh, your employees are reading our patents/jobs page/product sheets?”

“Hey, it's Alice! Give her the 'Alice' version!” “Wanna buy a list of Alice's suppliers? What about her customers? What about her engineering department's favorite search terms?”

slide-15
SLIDE 15

National organizations need anonymity for their security.

Officer Alice Investigated suspect Sting target Untrusted ISP “Why is alice.localpolice.gov reading my website?” “Why no, alice.localpolice.gov! I would never sell counterfeits on ebay!” Agent Alice “What does the CIA Google for?” Compromised service “What am I bid for a list of Baghdad IP addresses that get email from .gov?”

slide-16
SLIDE 16

You can't get anonymity on your own: private solutions are ineffective...

Officer Alice Investigated suspect ... AliceCorp Competitor Citizen Alice AliceCorp anonymity net Municipal anonymity net Alice's small anonymity net “Looks like a cop.” “It's somebody at AliceCorp!” “One of the 25 users on AliceNet.”
slide-17
SLIDE 17

... so, anonymity loves company!

Officer Alice Investigated suspect ... AliceCorp Competitor Citizen Alice Shared anonymity net “???” “???” “???”

slide-18
SLIDE 18

Yes, bad people need anonymity too, but they are already doing well.

Evil Criminal Alice Stolen mobile phones Compromised botnet Open wireless nets .....

slide-19
SLIDE 19

Yes, bad people need anonymity too, but they are already doing well.

Evil Criminal Alice Stolen mobile phones Compromised botnet Open wireless nets .....

slide-20
SLIDE 20

3. How does anonymity work? (a short history, with Tor focus)

(Because we were Course 6, not Course 17.)

slide-21
SLIDE 21

Tor is not the first or only design for anonymity.

Chaum's Mixes (1981) Remailer networks: cypherpunk (~93), mixmaster (~95), mixminion (~02) High-latency ...and more! anon.penet.fi (~91) Low-latency Single-hop proxies V1 Onion Routing (~96) ZKS “Freedom” (~99-01) Crowds (~96) Java Anon Proxy (~00-) Tor (01-)

slide-22
SLIDE 22

Low-latency systems are vulnerable to end-to-end correlation attacks.

Low-latency:
Alice1 sends: xx x xxxx x
Alice2 sends: x x xx x x
Bob1 gets: x x x x x x
Bob2 gets: xx x xxxx x

High-latency:
Alice1 sends: xx x xxxx
Alice2 sends: x x xx x x
Bob1 gets: xx xxxx .....
Bob2 gets: x xxxxx .....

Time
match! match!

These attacks work in practice. The obvious defenses are expensive (like high-latency), useless, or both.

slide-23
SLIDE 23

Still, we focus on low-latency, because it's more useful.

Interactive apps: web, IRC, VOIP, ssh, X11, ... # users, low-latency anonymity systems: millions? Apps that accept multi-hour delays and high bandwidth overhead: email, sometimes.

# users, high-latency anonymity systems: tens of thousands?

And if anonymity loves company....?

slide-24
SLIDE 24

The simplest designs use a single relay to hide connections.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay Bob3,“X” Bob1, “Y” Bob2, “Z” “Y” “Z” “X” (ex: some commercial proxy providers)

slide-25
SLIDE 25

But an attacker who sees Alice can see what she's doing.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay Bob3,“X” Bob1, “Y” Bob2, “Z” “Y” “Z” “X”

slide-26
SLIDE 26

Add encryption to stop attackers who eavesdrop on Alice.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X” (ex: numerous commercial proxy providers)

slide-27
SLIDE 27

But a single relay is a single point of failure.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X” Eavesdropping the relay works too.

slide-28
SLIDE 28

So, add multiple relays so that no single one can betray Alice.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 R1 “Y” “Z” “X” R2 R3

slide-29
SLIDE 29

Wrap messages in multiple layers of encryption: each relay removes a layer.

Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 R1 E1(R2, E2(Bob3,“X”) ) E1(R3, E3(Bob1, “Y”) ) E2(R3, E3(Bob2, “Z”)) “Y” “Z” “X” R2 R3 E3(Bob2, “Z”) E3(Bob1, “Y”) E2(Bob3, “X”)

slide-30
SLIDE 30

Use long-lived node-to-node links to hide number of connections.

S2 S1 S4 S3 Alice Bob

slide-31
SLIDE 31

Since public-key is expensive, use it at the start of a session to establish session keys...

S2 S1 E1(S2,K1,E2(S3,K2,E3(K3,Bob))) S4 S3 Alice E2(S2,K2,E3(K3,Bob)) E3(K3,Bob) Bob The “onion”

slide-32
SLIDE 32

...then, use session keys to encrypt actual traffic.

S2 S1 K1(K2,(K3, “Hi Bob”))) S4 S3 Alice K2,K3(“Hi Bob”)) K3(“Hi Bob”) Bob “Hi Bob!”

slide-33
SLIDE 33

A corrupt first hop can tell that Alice is talking, but not to whom.

S2 S1 K1(K2,(K3, “Hi Bob”))) S4 S3 Alice K2,K3(“Hi Bob”)) K3(“Hi Bob”) Bob “Hi Bob!”

slide-34
SLIDE 34

A corrupt final hop can tell that somebody is saying “Hi Bob,” but not who.

S2 S1 K1(K2,(K3, “Hi Bob”))) S4 S3 Alice K2,K3(“Hi Bob”)) K3(“Hi Bob”) Bob “Hi Bob!”
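
Added example (not from the original slides): the layered wrapping of slides 29 to 34 in Python, recording what each relay can observe. The keystream cipher, the JSON layer format and the sample keys are assumptions made for illustration and are not Tor's actual cryptography or cell format.

```python
import hashlib
import json

# Constructed sample keys and path; the slides name the relays S1..S3.
KEYS = {"S1": b"k1-sample", "S2": b"k2-sample", "S3": b"k3-sample"}
PATH = ["S1", "S2", "S3"]

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, not Tor's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, keys, dest, message: bytes) -> bytes:
    """Alice builds the onion inside-out, innermost (last relay) layer first."""
    next_hops = path[1:] + [dest]
    payload = message
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "body": payload.hex()}).encode()
        payload = toy_cipher(keys[relay], layer)
    return payload

def peel(relay, keys, blob: bytes):
    """A relay removes its own layer and learns only where to forward."""
    layer = json.loads(toy_cipher(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["body"])

def route(path, keys, onion: bytes):
    """Pass the onion along the path, recording each relay's view."""
    views, prev, blob = [], "Alice", onion
    for relay in path:
        nxt, blob = peel(relay, keys, blob)
        views.append({"relay": relay, "from": prev, "to": nxt})
        prev = relay
    return views, blob

if __name__ == "__main__":
    views, delivered = route(PATH, KEYS, wrap(PATH, KEYS, "Bob", b"Hi Bob!"))
    for view in views:
        print(view)
    print(delivered)
```

Only S1 ever has "Alice" in its view and only S3 has "Bob", which is the property slides 33 and 34 state.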

slide-35
SLIDE 35

Stop here, and you have version 1 Onion Routing.

  • Developed by researchers at US NRL
  • Separate proxies for each user application on entry and exit.

  • Patented.
  • Small test deployment, closed source.

– (This prevented wider deployment.)

Alice Bob Web AP Web AP Web exit FTP exit FTP AP OR network

slide-36
SLIDE 36

Zero Knowledge System's “Freedom Network” (~1999-2001)

  • Developed as commercial product
  • Much like OR, but:
    – More effort at efficient routing.
    – Pay-per-service model.
    – Tried padding, briefly. (It was ineffective and uneconomical)
    – Paid ISPs to run servers.
  • Shut down in late 2001, probably due to cost problems.
    – Trust model was hard to market.

slide-37
SLIDE 37

JAP/WebMIX network (~2000-)

  • JAP = Java Anon Proxy
  • Uses cascade topology instead of free-route.
    – Cascades aggregate more traffic
    – But if correlation still works, attack is easier.

  • PR problems related to illegal court order.
  • Still active, still running, open source.

Alice2 AliceN Alice1 Bob2 BobN Bob1 S S Dresden S S S S

slide-38
SLIDE 38

Tor* started at NRL in 2001 to remove obstacles to Onion Routing.

*Tor, not TOR.

OR v1 obstacles Never released Slow: multiple PK ops per request No forward secrecy Fixed list of servers Hard to scale

slide-39
SLIDE 39

Simplify: Tor anonymizes TCP streams only, and makes other applications clean high-level protocols.

Web browser Web scrubber IRC client SSH Tor client Tor network SOCKS SOCKS HTTP SOCKS

slide-40
SLIDE 40

Performance: Tor tunnels multiple TCP streams over each circuit.

Alice S4 S1 S5 S3 S2 Bob1 Bob2 Don't need to build as many circuits; saves lots of PK.

slide-41
SLIDE 41

Security: Tor limits the impact of key compromise by opening circuits step-by-step.

Alice S2 S1 Encrypted with K1 Alice S1 (set up K1) Alice S2 S3 S1 Encrypted with K1 (set up K2) Encrypted with K2 (set up K3) Session keys can't be reconstructed after session is over.

slide-42
SLIDE 42

Deployment: Tor became viable as a volunteer-operated network.

  • Needed bandwidth caps: eating bandwidth is rude!
  • Needed exit policies: not everyone is willing to emit arbitrary traffic.
  • Needed simple discovery mechanism...

reject 18.0.0.0/8:*
allow *:22
allow *:80
reject *:*
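
Added example (not from the original slides): an evaluator for the exit policy shown on this slide, using the slide's own rule syntax. Tor applies exit policy rules in order and the first match decides; refusing when no rule matches is an assumption of this sketch, and the addresses are constructed test values.

```python
import ipaddress

# The policy exactly as written on the slide, one rule per entry.
SLIDE_POLICY = ["reject 18.0.0.0/8:*", "allow *:22", "allow *:80", "reject *:*"]

def parse_rule(rule: str):
    """Split 'action addr:port' into (action, network or None, port or None)."""
    action, pattern = rule.split()
    if action not in ("allow", "reject"):
        raise ValueError(f"unknown action in rule: {rule!r}")
    addr, port = pattern.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr)
    return action, net, None if port == "*" else int(port)

def exit_allowed(policy, ip: str, port: int) -> bool:
    """Walk the rules in order; the first rule matching ip:port decides."""
    target = ipaddress.ip_address(ip)
    for action, net, rule_port in map(parse_rule, policy):
        if (net is None or target in net) and rule_port in (None, port):
            return action == "allow"
    return False  # assumption of this sketch: no matching rule means refuse

if __name__ == "__main__":
    for ip, port in [("18.0.0.1", 80), ("192.0.2.10", 80),
                     ("192.0.2.10", 22), ("192.0.2.10", 25)]:
        print(ip, port, exit_allowed(SLIDE_POLICY, ip, port))
```

Because order decides, moving `allow *:80` above the `reject 18.0.0.0/8:*` line would let port 80 traffic into 18.0.0.0/8, which is the usual way such a policy goes wrong.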

slide-43
SLIDE 43

Server discovery is hard because misinformed clients lose anonymity.

S S S S S S S S S Alice2 Bob1 Bob2 Alice1 Known to Alice1 Known to Alice2

slide-44
SLIDE 44

Server discovery must not permit liars to impersonate the whole network.

Alice1 Evil Server

  • 1. Alice says, “Describe the network!”

2. Alice1 Evil Server E.S. E.S. E.S. E.S. E.S. E.S. Alice is now in trouble.

slide-45
SLIDE 45

Early Tor versions used a trivial centralized directory protocol.

S2 S1 Alice Trusted directory Trusted directory S3 cache cache Servers publish self-signed descriptors. Authorities publish signed lists of all descriptors Alice downloads any signed list

slide-46
SLIDE 46

Tor's public release was invaluable.

Open-source Actual deployment, users! Specified Academic evaluation by real cryptographers! Compatible implementations! Users Sudden appreciation for which problems really matter. (more on this later)

slide-47
SLIDE 47

Additional features were developed under NRL, EFF.

slide-48
SLIDE 48

We added a control protocol for external GUI applications.

Web browser Web browser Web scrubber SSH Tor client SOCKS Control protocol HTTP S O C K S Controller GUI (Change configuration, intercept logs, manage circuits, etc.)

slide-49
SLIDE 49

Tor implements responder anonymity with hidden services.

Alice Bob Directory 2. “PK, Sign(S1)” S1 1. “Sign(PK)” 3. “H(PK).onion”? “PK, Sign(S1)”! All these connections are anonymized.

slide-50
SLIDE 50

Tor implements responder anonymity with hidden services.

Alice Bob Directory 6. “T!” handshake S1 5. PK, E(“Meet me at S2”, T) All these connections are anonymized. S2 4. “Wait for T, handshake” 5' E(“Meet me at S2”,T)

slide-51
SLIDE 51

Tor implements responder anonymity with hidden services.

Alice Bob S1 S2 (provides uptime, linked to service)

Hooray, bidirectional anonymity!

(provides bandwidth, chosen by Alice)

slide-52
SLIDE 52

We redesigned our directory protocol to avoid trust bottlenecks.

S2 S1 Alice Evil Trusted directory Trusted directory S3 cache cache Servers publish self-signed descriptors. Authorities publish signed lists of all descriptors; evil authority publishes lies Alice downloads any signed list: possibly the corrupt one!

slide-53
SLIDE 53

We redesigned our directory protocol to avoid trust bottlenecks.

S2 S1 Alice Evil Trusted directory Trusted directory S3 cache cache Servers publish self-signed descriptors. Authorities publish signed statements about descriptors. Alice downloads all statements; believes the majority; downloads descriptors as needed. (Also uses less bandwidth!)
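
Added example (not from the original slides): the two directory trust rules from slides 52 and 53 side by side. Authority names, descriptor contents and the digest-based statement format are constructed for illustration, and signature checking on each statement is assumed to have happened already.

```python
import hashlib
from collections import Counter

def digest(descriptor: bytes) -> str:
    return hashlib.sha256(descriptor).hexdigest()

# Constructed sample: self-signed descriptors reduced to byte strings.
DESCRIPTORS = {s: f"descriptor of {s}".encode() for s in ("S1", "S2", "S3")}
HONEST = {s: digest(d) for s, d in DESCRIPTORS.items()}
# The evil authority swaps S1's descriptor and invents servers it controls.
EVIL = {"S1": digest(b"forged S1"),
        "E.S.1": digest(b"evil 1"),
        "E.S.2": digest(b"evil 2")}
STATEMENTS = {"dir1": HONEST, "dir2": HONEST, "evil-dir": EVIL}

def trust_any_list(statements, chosen):
    """Early protocol: Alice believes whichever signed list she downloaded."""
    return dict(statements[chosen])

def trust_majority(statements):
    """Redesign: keep a (server, digest) pair only if most authorities list it."""
    quorum = len(statements) // 2 + 1
    votes = Counter((srv, dg)
                    for listing in statements.values()
                    for srv, dg in listing.items())
    return {srv: dg for (srv, dg), n in votes.items() if n >= quorum}

def accept_descriptor(server, descriptor, believed):
    """Descriptors are fetched as needed and checked against the believed digest."""
    return believed.get(server) == digest(descriptor)

if __name__ == "__main__":
    print(sorted(trust_any_list(STATEMENTS, "evil-dir")))
    print(sorted(trust_majority(STATEMENTS)))
```

The majority rule only moves the trust assumption: if more than half of the authorities lie consistently, Alice believes the lie.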

slide-54
SLIDE 54

Our original “random” path-selection approach made sure that a long-term Alice would eventually lose.

Alice loses if first and last hop are evil. (Correlation attacks) Suppose c/n nodes are compromised. Therefore, (c/n)^2 of Alice's circuits are compromised. Therefore, if Alice's behavior stays the same, she will eventually lose.

slide-55
SLIDE 55

Tor clients now use “guard” servers to give long-term Alice a chance.

Alice S S S S S S Chosen at random, held fixed. If Alice's guards are good, Alice never has a vulnerable path.
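
Added example (not from the original slides): the (c/n)^2 argument of slide 54 carried over many circuits, next to the guard design of slide 55. It goes beyond the slides by modelling the guard case explicitly; uniform selection, independent circuits, three guards and c = 36 of n = 360 are assumptions of this model.

```python
from math import comb

def p_lose_random(c: int, n: int, circuits: int) -> float:
    """Chance that at least one of `circuits` circuits has evil first and
    last hops when both are drawn uniformly from n servers, c of them evil."""
    per_circuit = (c / n) ** 2
    return 1 - (1 - per_circuit) ** circuits

def p_lose_guards(c: int, n: int, guards: int, circuits: int) -> float:
    """Same question when the first hop always comes from `guards` servers
    chosen once at random and held fixed; the last hop is still uniform."""
    total = 0.0
    for bad in range(0, min(guards, c) + 1):
        # Hypergeometric chance that exactly `bad` of Alice's guards are evil.
        p_bad = comb(c, bad) * comb(n - c, guards - bad) / comb(n, guards)
        per_circuit = (bad / guards) * (c / n)
        total += p_bad * (1 - (1 - per_circuit) ** circuits)
    return total

def compare(c: int, n: int, guards: int, schedule):
    """Rows of (circuits built, P[lose] random paths, P[lose] with guards)."""
    return [(k,
             round(p_lose_random(c, n, k), 4),
             round(p_lose_guards(c, n, guards, k), 4))
            for k in schedule]

if __name__ == "__main__":
    # Assumed scenario: 10% of 360 servers compromised, 3 guards.
    for row in compare(36, 360, 3, [1, 100, 1000, 100000]):
        print(row)
```

Both designs give the same risk for a single circuit; with random paths the risk climbs toward 1 as Alice keeps building circuits, while with guards it levels off at the chance that at least one guard is evil.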

slide-56
SLIDE 56

We're currently the largest strong anonymity network ever deployed.

S > 360 running
A > 100,000 per week
> 40 MB/sec

slide-57
SLIDE 57

Growth in servers is increasing.

slide-58
SLIDE 58

Bandwidth capacity is increasing.

slide-59
SLIDE 59

4. Social issues, policy issues, and second-order effects

slide-60
SLIDE 60

Users appear in response to publicity, and are limited by usability.

News article Users & servers appear They leave if Tor is too hard or too slow.

Anonymity loves company, so usability is a security parameter.

slide-61
SLIDE 61

Usability is easy to mess up.

Misconfigured Alice “Hey, this is fast!” Non-techie Alice “Why is it telling me about timed-out circs? Is that bad?” “Why is it telling me about DNS? Is that bad?” “Why can I still see my IP?”

slide-62
SLIDE 62

It seems that most users really are in it for online privacy.

(Of course, they're anonymous)

slide-63
SLIDE 63

Volunteers do indeed run servers.

(Motivations: privacy? Better anonymity? ....)

slide-64
SLIDE 64

Problem: Abusive users get the whole network blocked.

Jerk Alice Nice Alice Tor network /. wikipedia Some IRC networks X X X Minimize scope of blocking? Seek alternatives to IP-based access controls

slide-65
SLIDE 65

On the bright side, IP blocking is the most common abuse fallout.

But check your ISP TOS, of course. The worst abuse responses have, historically, been abusive themselves. (xs4all, JAP cases) Serious crime is rare. The world has not ended.

slide-66
SLIDE 66

Problem: We need to enlist public and institutional support.

“Hey, let's ban anonymity!” “Um, no. I need it.”

(unless this answer appears a lot, we're in trouble.) We need high-profile anonymity users. That's tricky!

slide-67
SLIDE 67

Problem: China is hard to beat. They can just block the whole network.

Alice Alice S S S S X X They don't, yet. But when they do...?

slide-68
SLIDE 68

Can we get a large number of semi-secret relays for China?

Alice Alice S S S S S S S S X X And how to distribute them?

slide-69
SLIDE 69

Scaling the network is hard: client knowledge becomes divided.

S S S S S S S S S Alice2 Bob1 Bob2 Alice1 Known to Alice1 Known to Alice2

Remember partitioning?

But, when there are too many servers, Alice can't know them all!

slide-70
SLIDE 70

Scaling the network is hard: we must create incentives to run servers.

slide-71
SLIDE 71

Questions?

  • Tor: http://tor.eff.org/
    – Try it out; want to run a server?
  • Anonymity bibliography: http://freehaven.net/anonbib/