Anonymizing Protocols
Peter van Rossum, Radboud University Nijmegen
Motivation
  Electronic Voting Dining Cryptographers Network Analysis Communication
  Sender Anonymity [anonymous webbrowsing]
  Receiver Anonymity [anonymous webserving]
  Censorship Resistance
Historical Overview
  Anonymous remailers
    1993 anon.penet.fi
    2003 MixMinion
  Anonymous publishing
    1999 Freenet (peer-to-peer)
  Anonymous webbrowsing / general
    1996 Onion Routing (original idea Chaum 1981)
    1998 Crowds (peer-to-peer)
    2003 Tor (successor of Onion Routing)
    2003 Tarzan, MorphMix (peer-to-peer)
Anonymous remailers/webbrowsing
  Forward messages via one or more relays
  Anonymous remailer
  Crowds: peer-to-peer, no encryption
  Onion Routing: layered encryptions
  Tor: extensible communication channels
Anonymizing Proxy
  ,m m m
  Sender anonymity
  No anonymity vs. observer of
Crowds
  ,m 1 m
  Sender anonymity
  No anonymity vs. global observer
Crowds
  ,m 1,m 3,m m 2
  Sender anonymity
  No anonymity vs. global observer
  Probabilistic Forwarding
Onion Routing
  { 2,{ 3,{,m} 3 } 2 } 1 1 3 m 2
  Anonymity vs. global observer
Onion Routing
  { 2,{ 3,{,m} 3 } 2 } 1 1 3 { 3,{,m} 3 } 2 {,m} 3 m 2
  Anonymity vs. global observer
Tor: Circuits
  tor-aware connection 1 2 ordinary connection
Tor: Circuits
  {{m} 2 } 1 tor-aware connection 1 {m} 2 2 m ordinary connection
Tor: Circuits
  http://tor.eff.org/cvs/tor/doc/design-paper/tor-design.html
Tor: Circuits
  {X} - Single Onion
  {{X}} - Double Onion
  http://tor.eff.org/cvs/tor/doc/design-paper/tor-design.html
Anonymous publishing/webserving
  Serve content via relays
  Freenet: data-based, peer-to-peer
  Tor: server-based, rendezvous-points
Freenet
  Anonymous Publishing
  Documents (instead of agents)
  Censorship resistance
Freenet: Routing
  GUID (Globally Unique Identifier)
  CHK (Content Hash Key) hash(data) Content
  SSK (Signed Subspace Key) hash( hash(pk) hash(description) )
  Publisher has/is (pk,sk)
  {CHK hash(data)} sk
  eni8yfo3gj8uvh-u0hpkmftf6qqge/homepage/website_howto.html
  eni8yfo3gj8uvh-u0hpkmftf6qqge/files/0.16a/manifest.jar
  pk description
Freenet: Routing
  Every node keeps table
    neighbor 1 (ip-address): guid 1, guid 2
    neighbor 2 (ip-address): guid 3, guid 4
  Request for guid gets forwarded to neighbor with closest guid
  Data ripples back along path
Freenet: Routing
  http://freenet.sourceforge.net/papers/freenet-ieee.pdf
Freenet: Routing
  Nodes accumulate files with similar hash-values
  http://freenet.sourceforge.net/papers/freenet-ieee.pdf
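
Added example (not from the slides or the Freenet code base): a simplified Python model of the routing rule on the Freenet slides, where a request goes to the neighbor with the closest known guid and the data is cached on every node as it ripples back. Assumptions: GUIDs are CHKs truncated to 16 bits, closeness is numeric distance, and the Node class, the hops-to-live counter htl and the four-node network are constructed for illustration.

```python
import hashlib

def chk(data: bytes) -> int:
    """Content Hash Key = hash(data); truncated to 16 bits for readability."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

class Node:
    def __init__(self, name):
        self.name = name
        self.store = {}   # guid -> data cached on this node
        self.table = {}   # guid -> neighbor associated with that guid

    def request(self, guid, htl=10, visited=None):
        """Return (data, path); data is None if the search fails."""
        visited = set() if visited is None else visited
        visited.add(self.name)
        if guid in self.store:
            return self.store[guid], [self.name]
        if htl > 0:
            # Forward to the neighbor whose known guid is closest to the
            # requested one; fall back to the next closest on failure.
            for known in sorted(self.table, key=lambda g: abs(g - guid)):
                nb = self.table[known]
                if nb.name in visited:
                    continue
                data, path = nb.request(guid, htl - 1, visited)
                if data is not None:
                    # Data ripples back along the path: cache a copy and
                    # remember which neighbor supplied this guid.
                    self.store[guid] = data
                    self.table[guid] = nb
                    return data, [self.name] + path
        return None, [self.name]

def demo():
    """Constructed four-node network; only node d holds the document."""
    a, b, c, d = (Node(n) for n in "abcd")
    doc = b"constructed sample document"
    guid = chk(doc)
    d.store[guid] = doc
    a.table = {guid ^ 1: b, guid ^ 0x4000: c}   # b looks closest, but is a dead end
    c.table = {guid ^ 2: d}
    first = a.request(guid)
    second = a.request(guid)                     # now served from a's own cache
    return guid, doc, (a, b, c, d), first, second

if __name__ == "__main__":
    guid, doc, nodes, first, second = demo()
    print(first[1], second[1], [n.name for n in nodes if guid in n.store])
```

After the first request every node on the successful path holds a copy, so removing the document from its original node no longer removes it from the network.
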
Tor
  Anonymous service [webserver]
  Initialization points serve as proxies for server
  Rendezvous points serve as proxies for client
Tor: Anonymous Publishing
  DS P IP 1 IP 2 P data P data query description IP 1 description, IP 1, IP 2
Research Subjects
  Design
    Latency vs. anonymity
    Incentive to participate
    Scalability
  Analysis
    Estimation of risk of specific attacks
    Attacker model
    Formal analysis of secrecy/authentication
    Anonymization properties
    Formal analysis of anonymity
Attacker Model
  Dolev-Yao attacker: too strong
  Global passive adversary + Ability to corrupt nodes: still too strong
  Partial passive adversary + Ability to corrupt nodes: practical analysis
  Global passive adversary: theoretical analysis
  Computational adversary
  No formal concept yet of timing attacks, statistical traffic analysis attacks
Formal Analysis
  {m} k {,{m} k } k {,{m } k } k {m} k {m } k {,{m} k } k {,{m } k } k {m } k {m} k
  runs look the same to global observer
Formal Analysis
  {,{m} k } k {,{m } k } k {m} k {m } k {,{m} k } k {,{m } k } k {m } k {m} k
  r ² spy ( communicated with )
Formal Analysis
  {} k,{m} k {m} k { } k,{m} k {m } k { } k,{m } k {m } k {} k,{m } k {m} k
  repeated messages
  global observer can discover communication pattern
Formal Analysis
  {} k,{m} k { } k,{m } k {m} k {m } k { } k,{m} k {} k,{m } k {m } k {m} k
  r ² ( spy communicated with )
  r ² ( spy communicated with )
Formal Analysis
  {m} k C D h({m} k ) E
  global observer can discover pattern
Formal Analysis
  {m} k C D h({m} k ) E
  r ² spy ( and are linkable)