security in p2p environments anonymity on the internet

Post on 15-Jan-2016


Security in P2P environments

Anonymity on the internet

What is anonymity?

• “Generally speaking, our purpose is to hide the relationship between an observable action (for example, a message sent across a public network) and the identity of the users involved with this action”*

* A Survey of Anonymous Peer-to-Peer File-Sharing (Tom Chothia and Konstantinos Chatzikokolakis)

So who knows?

The internet service provider (ISP) knows who you are.

For example my IP address is: [Example]

Visit www.Al-Qaeda.evil

An e-mail [Example]

The ISP would know that I did that

So?

Your IP address is your digital fingerprint; the ISP can link it to you

So if, for example, you are sharing music in an unprotected system, the RIAA / IFPI / whatever can file a subpoena against your ISP to tell them who you are

Then you will probably get a nasty letter

A more extreme case

Who could be interested in your browsing habits?

• Companies
  • Health insurance (Visiting netdoktor.dk a lot?)
  • Marketing (Only visiting book sites?)

• Governments
  • Perhaps I am a potential terrorist

People using the internet for nasty stuff

Hackers

Terrorists

Copyright infringement

People watching child pornography

People using the internet for “illegal” stuff

Political activists in, for example, China

People using the internet for legal stuff

Us? (Active session)

A few examples

Journalists (Investigative reporters)?

Socially sensitive communication (Illness, abuse)?

Law enforcement (Anonymous tips)?

People with marketing paranoia

Just to name a few

Is it relevant ?

This summer, France suggested that in the EU, internet traffic should be monitored so that you could be “excluded” from the internet if you did something they deemed illegal 3 times.

The Swedish “FRA-lov” allows the Swedish government to monitor all traffic going in and out of Sweden (using a very powerful computer).

Last Wednesday, the Danish ISP Tele2 was forced to close access to the BitTorrent site “Pirate Bay”

You could encrypt your message but

That does not ensure anonymity

It is still known who sent it, and where it was sent to

You could go to an internet cafe but

You are probably logged and videotaped while being there / going there (extreme case)

People will probably remember you being there (again extreme case)

You could use a proxy server but

You can find a proxy server at http://www.anonymizer.com/

Can you trust the proxy server?

Single point of failure

Single point of “lawsuit”

You can install a Trojan on another computer

It’s tedious

It’s illegal

It only complicates the search for you; somewhere you probably still left a digital fingerprint

Agenda

TOR

Freenet

MUTE

TOR

Achieving anonymity

Problems with basic routing

Routing – chain of nodes

Cryptostuff

The onion reveals!

Breakable?

Basic routing

Every router knows YOU!

ECHELON is listening !!

Claims

Total client anonymity, hidden routing information

Compromised routers/proxies do not break anonymity!

Traffic analysis is impossible in practice

TOR solves this - http://tor.eff.org

The Onion Router

Remember Ogres = TOR

But how ???!

Connects through a chain of proxy nodes

Encrypts messages in layers for each node

Each node only knows its neighbors in the chain

Routing information is also encrypted (important)

Routing chain 1

Routing chain 2

Routing chain 3

Cryptostuff


Public/private key encryption is slow

TOR uses this only for establishing a symmetric-key encrypted link (faster)

Hiding routing info

1. Client establishes routing path

2. Each message is encrypted in layers with the nodes' public keys

3. Each node can unwrap its own layer

4. Each node decrypts the information and only gets encrypted ciphertext and the IP of the next node

5. And so forth…
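The layering steps above, as an added example that is not part of the original slides or of Tor's code. It assumes the per-node symmetric keys have already been established (the public-key step described earlier); the hash-based XOR cipher is a toy stand-in with no authentication, and the relay names, address and payload are constructed.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || offset). Stand-in only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client side: build the onion from the exit node inwards."""
    hops = path[1:] + [destination]
    onion = payload
    for node, nxt in reversed(list(zip(path, hops))):
        # Each layer = length-prefixed next hop + everything meant for later nodes
        layer = bytes([len(nxt)]) + nxt.encode() + onion
        onion = keystream_xor(keys[node], layer)
    return onion

def peel(key: bytes, onion: bytes):
    """Relay side: remove one layer; learn the next hop and nothing else."""
    plain = keystream_xor(key, onion)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(first, keys, onion):
    """Walk the chain and record what each relay gets to see."""
    seen, current = {}, first
    while current in keys:          # stops at the destination (not a relay)
        nxt, onion = peel(keys[current], onion)
        seen[current] = nxt
        current = nxt
    return seen, current, onion

# Constructed sample data (hypothetical relays, documentation-range address)
PATH = ["relay-A", "relay-B", "relay-C"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}
DEST = "203.0.113.7:80"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    seen, final, data = route(PATH[0], KEYS, wrap(PATH, KEYS, DEST, PAYLOAD))
    for relay, nxt in seen.items():
        print(f"{relay} learns only: forward to {nxt}")
    print(final, "receives", data)
```

Only the last relay ever sees the destination, and only the first one sees the client's connection; after one layer is removed, the remainder is still ciphertext under the next relay's key.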

Requirements

Volunteers

You can't get anonymity alone

Distributed trust (more than one node)

Preferably nodes are as worldwide and spread as possible

Security increases with larger network (makes traffic analysis harder)

Neat features

General purpose TCP proxy – not just HTTP

Low latency

Easy to participate

Configurable – only relay HTTP traffic for example

Comes with bundled browser

[Example] and Vuze [Example]

Breakable?

Active session – what weaknesses can you see in this approach?

• Identification of a client is possible, by comparing the list of known ”stable” nodes, with nodes hopping on and off (probably end clients)

• Is 3 hops enough?

• How about DNS lookups? If your ISP logs your DNS requests, it is easy to see which sites you're visiting

Freenet

[Diagram labels: INTERNET, FREENET, YOU, CLIENTS, SERVERS, END-POINTS, DECENTRALIZED, PUBLISHERS, CONSUMERS]

HOW DO I LOCATE MY NEIGHBORS?

• Somewhat paranoid: Opennet

• Truly paranoid: Darknet

WHAT IS FREENET USED FOR?

Content distribution

Publishing websites or 'freesites'

Communicating via message boards

Sending e-mail messages

Reading/updating wikis

UNIQUE RESOURCE IDENTIFIERS

Content Hash Key (CHK)

• Great for content that does not change

• Examples: images, audio files, copies of secret CIA documents

Signed Subspace Key (SSK)

• Like an Internet domain name, but using crypto stuff

• Useful for content that changes (sites, discussions, etc.)

Keyword-Signed Keys (KSK)

• Easy to remember, but not very secure

HARD DRIVE SPACE

BANDWIDTH BY DEMAND

DEMO

MUTE

What is MUTE

MUTE is a P2P file sharing system

Designed with anonymity in mind

Classical search (you may know this)

Uses an algorithm inspired by ants

Designed for ad-hoc networks

[Example]

So how does it work?

Each node has a pseudo identity

To search the network, a node broadcasts a message with its own pseudo identity, a unique message identifier and a time to live (TTL) counter.

This is sent to all the node's neighbours and they send it to their neighbours

Until the TTL expires

Uses a non-deterministic time-to-live counter (decided upon start-up)

There are three phases

First phase: A count down to zero (To hide the originating node)

Second phase: Standard 5 hop counter

Third phase: Non-deterministic forwarding (A node will drop a message with ¾ probability and forward the message to n neighbours with 1 / (3*22))

When a node receives a message, it records the pseudo address of the sender and the connection on which it was received

Each node builds and maintains this routing table for all the pseudo identities it sees

A node can respond over the most used connection (if it already has it in the routing table) or send the response to all its neighbours

Your neighbours know your IP address but they do NOT know your virtual address

Each neighbour connection is encrypted, so even if someone could tap into the traffic between you and your neighbour, it would be unreadable
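The search flooding and routing-table behaviour described above, as an added simulation that is not MUTE's own code. It simplifies the TTL to a plain hop counter (the second phase only) and leaves out link encryption; the topology, IP addresses and pseudo identities are constructed.

```python
from collections import defaultdict, deque

class Node:
    def __init__(self, ip, pseudo_id):
        self.ip, self.pseudo_id = ip, pseudo_id
        self.neighbours = []   # direct connections: only their IPs are visible
        self.seen = set()      # message ids already processed
        # routing table: pseudo identity -> {neighbour IP: messages seen from it}
        self.routes = defaultdict(lambda: defaultdict(int))

def connect(a, b):
    a.neighbours.append(b)
    b.neighbours.append(a)

def search(origin, msg_id, ttl):
    """Flood a search; return the pseudo ids of the nodes that processed it."""
    reached, queue = [], deque([(origin, None, ttl)])
    while queue:
        node, via, hops_left = queue.popleft()
        if via is not None:    # learn: this pseudo id is reachable over 'via'
            node.routes[origin.pseudo_id][via.ip] += 1
        if msg_id in node.seen:
            continue           # duplicate: recorded, but not forwarded again
        node.seen.add(msg_id)
        reached.append(node.pseudo_id)
        if hops_left > 0:
            queue.extend((n, node, hops_left - 1)
                         for n in node.neighbours if n is not via)
    return reached

def reply_path(responder, target_pseudo):
    """Follow each node's most-used connection back towards target_pseudo."""
    node, path = responder, []
    while node.pseudo_id != target_pseudo:
        table = node.routes.get(target_pseudo)
        if not table:
            return None        # MUTE would instead send to all neighbours
        best_ip = max(table, key=table.get)
        node = next(n for n in node.neighbours if n.ip == best_ip)
        path.append(node.ip)
    return path

def build_network():
    """Constructed topology: A - B - C - D, with E hanging off B."""
    ips = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    a, b, c, d, e = (Node(ip, f"pseudo-{i:02X}") for i, ip in enumerate(ips, 0xA0))
    for x, y in [(a, b), (b, c), (c, d), (b, e)]:
        connect(x, y)
    return a, b, c, d, e
```

After a search from A, node D can answer `pseudo-A0` by handing the reply to C, yet D's table holds only C's IP address and never A's.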

Normal P2P system: 113.18.92.15: Madonna_Holiday.mp3

In MUTE: 7213..DCA5: Madonna_Holiday.mp3

So how would this look?

Should you trust these systems?

Winny (P2P file sharing)

2 people using it got arrested (movie sharing)

And the author (Researcher at Tokyo CS department)

REFERENCES

• @book{oram01peer, title = {Peer-To-Peer: Harnessing the Benefits of a Disruptive Technology}, editor = {Andy Oram}, publisher = {O'Reilly \& Associates}, year = {2001}}

• @article{surveyP2P, title = {A Survey of Anonymous Peer-to-Peer File-Sharing}, author= {Tom Chothia and Konstantinos Chatzikokolakis}, year = {2005}}

• @article{piCalculus, title = {Analysing the MUTE Anonymous File-Sharing System Using the Pi-Calculus}, author= {Tom Chothia}, year = {2006}}

• @webpages{MUTE, FreeNet and TOR respectively: http://mute-net.sourceforge.net/ http://freenetproject.org/ http://www.torproject.org/}

• @article{lowcost, title = {Low-Cost Traffic Analysis of Tor}, author= {Steven J. Murdoch and George Danezis}, year = {2005}}

• @slides{tor, title = {Anonymous Communications for the United States Department of Defense...and you}, author= {Roger Dingledine}, year = {2005}}
