PowerPoint Presentation

CS 4700 / CS 5700Network FundamentalsLecture 22: Anonymous Communications(Wave Hi to the NSA)18/22/2012DefenseChristo Wilson2

You Are Not Anonymous3Your IP address can be linked directly to youISPs store communications recordsUsually for several years (Data Retention Laws)Law enforcement can subpoena these recordsYour browser is being trackedCookies, Flash cookies, E-Tags, HTML5 StorageBrowser fingerprintingYour activities can be used to identify youUnique websites and apps that you useTypes of links that you clickWiretapping is Ubiquitous4Wireless traffic can be trivially interceptedAirsnort, Firesheep, etc.Wifi and Cellular traffic!Encryption helps, if its strongWEP and WPA are both vulnerable!Tier 1 ASs and IXPs are compromisedNSA, GCHQ, 5 Eyes~1% of all Internet trafficFocus on encrypted traffic

Who Uses Anonymity Systems?5If youre not doing anything wrong, you shouldnt have anything to hide.Implies that anonymous communication is for criminalsThe truth: who uses Tor?JournalistsLaw enforcementHuman rights activistsNormal peopleFact: Tor was/is developed by the NavyBusiness executivesMilitary/intelligence personnelAbuse victimsWhy Do We Want Anonymity?6To protect privacyAvoid tracking by advertising companiesViewing sensitive contentInformation on medical conditionsAdvice on bankruptcyProtection from prosecutionNot every country guarantees free speechDownloading copyrighted materialTo prevent chilling-effectsIts easier to voice unpopular or controversial opinions if you are anonymousAnonymity Layer7Function:Hide the source, destination, and content of Internet flows from eavesdroppers Key challenge:Defining and quantifying anonymityBuilding systems that are resilient to deanonymizationMaintaining performanceApplicationPresentationSessionTransportNetworkData LinkPhysicalAnonymityDefinitions and ExamplesCrowdsChaum Mix / Mix NetworksTorOutline8Quantifying Anonymity9How can we calculate how anonymous we are?Anonymity SetsLarger anonymity set = stronger anonymity

Who sent this message?Suspects (Anonymity Set)

Other Definitions11UnlinkabilityFrom the adversaries perspective, the inability the link two or more items of interestE.g. packets, events, people, actions, etc.Three parts:Sender anonymity (who sent this?)Receiver anonymity (who is the destination?)Relationship anonymity (are sender A and receiver B linked?)UnobservabilityFrom the adversaries perspective, items of interest are indistinguishable from all other items

Crypto (SSL)12

Data Traffic

Content is unobservableDue to encryptionSource and destination are trivially linkableNo anonymity!Anonymizing Proxies13Source is knownDestination anonymity

HTTPS Proxy

Destination is knownSource anonymity

No anonymity!Anonymizing VPNs14Source is knownDestination anonymity

VPN Gateway

Destination is knownSource anonymity

No anonymity!

Using Content to Deanonymize15

HTTPS Proxy

No anonymity!

Reading GmailLooking up directions to homeUpdating your G+ profileEtcFact: the NSA leverages common cookies from ad networks, social networks, etc. to track usersData To Protect16Personally Identifiable Information (PII)Name, address, phone number, etc.OS and browser informationCookies, etc.Language informationIP addressAmount of data sent and receivedTraffic timingDefinitions and ExamplesCrowdsChaum Mix / Mix NetworksTorOutline17Crypto Algorithms18Symmetric algorithmsConventional algorithmsEncryption and decryption keys are the sameExamples: DES, 3DES, AES, BlowfishAsymmetric algorithmsCommonly known as Public Key algorithmsEncryption key and decryption key are differentExamples: Diffie-Hellman, RSA, Elliptic curve

Symmetric Key Crypto19Lets say we have a plaintext message M a symmetric encryption algorithm E and a key K

M E(K, M) = C E(K, C) = M

Advantages:Fast and easy to useDisadvantagesHow to securely communicate the key?

Cyphertext CSymmetric encryption is reversiblePublic Key Crypto20Lets say we have plaintext message M a public key algorithm F and two keys KP (public) and KS (private)

M F(KP, M) = C F(KS, C) = M

M F(KS, M) = C F(KP, C) = M

Encrypt with the public keyDecrypt with the private keyPublic Key Crypto in Action21Safe to distribute the public key KPCan only decrypt with the private key KSComputationally infeasible to derive KS from KP

KPKP

Crowds22

Crowds Example23Links between users use public key cryptoUsers may appear on the path multiple times

Final Destination

Anonymity in Crowds24No source anonymityTarget receives m incoming messages (m may = 0)Target sends m + 1 outgoing messagesThus, the target is sending somethingDestination anonymity is maintainedIf the source isnt sending directly to the receiver

Anonymity in Crowds25Source and destination are anonymousSource and destination are jondo proxiesDestination is hidden by encryption

Anonymity in Crowds26Destination is knownObviouslySource is anonymousO(n) possible sources, where n is the number of jondos

Anonymity in Crowds27Destination is knownEvil jondo is able to decrypt the messageSource is somewhat anonymousSuppose there are c evil jondos in the systemIf pf > 0.5, and n > 3(c + 1), then the source cannot be inferred with probability > 0.5

Other Implementation Details28Crowds requires a central server called a BlenderKeep track of who is running jondosKind of like a BitTorrent trackerBroadcasts new jondos to existing jondosFacilitates exchanges of public keysSummary of Crowds29The good:Crowds has excellent scalabilityEach user helps forward messages and handle loadMore users = better anonymity for everyoneStrong source anonymity guaranteesThe bad:Very weak destination anonymityEvil jondos can always see the destinationWeak unlinkability guaranteesDefinitions and ExamplesCrowdsChaum Mix / Mix NetworksTorOutline30Mix Networks31A different approach to anonymity than CrowdsOriginally designed for anonymous emailDavid Chaum, 1981Concept has since been generalized for TCP trafficHugely influential ideasOnion routingTraffic mixingDummy traffic (a.k.a. cover traffic)Mix Proxies and Onion Routing32Mixes form a cascade of anonymous proxiesAll traffic is protected with layers of encryption

Mix

[KP , KP , KP]Encrypted TunnelsNon-encrypted dataE(KP , E(KP , E(KP , M))) = C

Another View of Encrypted Paths33

Return Traffic34In a mix network, how can the destination respond to the sender?During path establishment, the sender places keys at each mix along the pathData is re-encrypted as it travels the reverse path

KP1KP2KP3

Traffic Mixing35Hinders timing attacksMessages may be artificially delayedTemporal correlation is warpedProblems:Requires lots of trafficAdds latency to network flows

1234Arrival Order1234Send Order

Mix collects messages for t secondsMessages are randomly shuffled and sent in a different orderDummy / Cover Traffic36Simple idea:Send useless traffic to help obfuscate real traffic

Definitions and ExamplesCrowdsChaum Mix / Mix NetworksTorOutline37Tor: The 2nd Generation Onion Router38Basic design: a mix network with improvementsPerfect forward secrecyIntroduces guards to improve source anonymityTakes bandwidth into account when selecting relaysMixes in Tor are called relaysIntroduces hidden servicesServers that are only accessible via the Tor overlay

Deployment and Statistics39Largest, most well deployed anonymity preserving service on the InternetPublicly available since 2002Continues to be developed and improvedCurrently, ~5000 Tor relays around the worldAll relays are run by volunteersIt is suspected that some are controlled by intelligence agencies500K 900K daily usersNumbers are likely larger now, thanks to Snowden

Celebrities Use Tor40

How Do You Use Tor?41Download, install, and execute the Tor clientThe client acts as a SOCKS proxyThe client builds and maintains circuits of relaysConfigure your browser to use the Tor client as a proxyAny app that supports SOCKS proxies will work with TorAll traffic from the browser will now be routed through the Tor overlay

Selecting Relays42How do clients locate the Tor relays?Tor Consensus FileHosted by trusted directory serversLists all known relaysIP address, uptime, measured bandwidth, etc.Not all relays are created equalEntry/guard and exit relays are specially labelledWhy?Tor does not select relays randomlyChance of selection is proportional to bandwidthWhy? Is this a good idea?

Attacks Against Tor Circuits43Tor users can choose any number of relaysDefault configuration is 3Why would higher or lower number be better or worse?

Entry/GuardMiddleExitSource: knownDest: unknownSource: unknownDest: unknownSource: unknownDest: knownSource: knownDest: known

Predecessor Attack44Assumptions:N total relaysM of which are controlled by an attackerAttacker goal: control the first and last relayM/N chance for first relay(M-1)/(N-1) chance for the last relayRoughly (M/N)2 chance overall, for a single circuitHowever, client periodically builds new circuitsOver time, the chances for the attacker to be in the correct positions improves!This is the predecessor attackAttacker controls the first and last relayProbability of being in the right positions increases over timeGuard Relays45Guard relays help prevent attackers from becoming the first relayTor selects 3 guard relays and uses them for 3 monthsAfter 3 months, 3 new guards are selectedOnly relays that:Have long and consistent uptimesHave high bandwidthAnd are manually vetted may become guardsProblem: what happens if you choose an evil guard?M/N chance of full compromise

Hidden Services46Tor is very good at hiding the source of trafficBut the destination is often an exposed websiteWhat if we want to run an anonymous service?i.e. a website, where nobody knows the IP address?Tor supports Hidden ServicesAllows you to run a server and have people connect without disclosing the IP or DNS nameMany hidden servicesTor Mail, Tor CharDuckDuckGoWikileaks

The Pirate BaySilk Road (2.0)https://go2ndkjdf8whfanf4o.onionHidden Service Example47Onion URL is a hash, allows any Tor user to find the introduction points

HiddenServiceIntroduction Points

Rendezvous PointPerfect Forward Secrecy48In traditional mix networks, all traffic is encrypted using public/private keypairsProblem: what happens if a private key is stolen?All future traffic can be observed and decryptedIf past traffic has been logged, it can also be decryptedTor implements Perfect Forward Secrecy (PFC)The client negotiates a new public key pair with each relayOriginal keypairs are only used for signaturesi.e. to verify the authenticity of messages

An attacker who compromises a private key can still eavesdrop on future traffic but past traffic is encrypted with ephemeral keypairs that are not storedTor Bridges49Anyone can look up the IP addresses of Tor relaysPublic information in the consensus fileMany countries block traffic to these IPsEssentially a denial-of-service against TorSolution: Tor BridgesEssentially, Tor proxies that are not publicly knownUsed to connect clients in censored areas to the rest of the Tor networkTor maintains bridges in many countries

Obfuscating Tor Traffic50Bridges alone may be insufficient to get around all types of censorshipDPI can be used to locate and drop Tor framesIran blocked all encrypted packets for some timeTor adopts a pluggable transport designTor traffic is forwarded to an obfuscation programObfuscator transforms the Tor traffic to look like some other protocolBitTorrent, HTTP, streaming audio, etc.Deobfuscator on the receiver side extracts the Tor data from the encodingConclusions51Presented a brief overview of popular anonymity systemsHow do they work?What are the anonymity guarantees?Introduced TorLots more work in anonymous communicationsDozens of other proposed systemsTarzan, Bluemoon, etc.Many offer much stronger anonymity than Tor however, performance is often a problemAnonymous P2P Networks52Goal: enable censorship resistant, anonymous communication and file storageContent is generated anonymouslyContent is stored anonymouslyContent is highly distributed and replicated, making it difficult to destroyExamplesFreeNetGNUnet