Preserving Caller Anonymity in

Voice-over-IP Networks

Mudhakar Srivatsa, Ling Liu and Arun Iyengar

Presenter: Bo Wu

Agenda

Voice-over-IP Caller Anonymity Threat Models Defending Methods Experimental Evaluation Conclusion

Phone. The history…

PSTNPSTN

PSTN- stands for PSTN- stands for Public Switched Public Switched Telephone Telephone NetworkNetwork

Circuit-based Circuit-based means reserving means reserving resources for resources for each usereach user

Kind of expensiveKind of expensive

Voice-over-IP: another choice Voice over Internet ProtocolVoice over Internet Protocol

““A method for taking analog audio signals, A method for taking analog audio signals, like the kind you hear when you talk on like the kind you hear when you talk on the phone, and turning them into digital the phone, and turning them into digital data that can be transmitted over the data that can be transmitted over the Internet. “Internet. “

Also known as:Also known as:• Voice over Packet (VoP)Voice over Packet (VoP)• IP Telephony (IPT)IP Telephony (IPT)

Benefits

#1. SAVING MONEY!#1. SAVING MONEY!•Routing phone calls over

existing data networks to avoid the need for separate voice and data networks.

•VOIP offer features and services for free (or at little cost)

Benefits

Increased AgilityIncreased Agility Tactical AdvantagesTactical Advantages Integrate things like: emails, phone, Integrate things like: emails, phone,

instant messages, etc.instant messages, etc.

VoIP is popular

Characteristics of VoIP network

P2P topology

InternetInternetpeerpeer

peerpeer

peerpeer

peerpeer

peerpeer

Characteristics of VoIP network

Additional QoS requirement•ITU (International Telecommunication

Union) recommends up to 250ms one-way latency for interactive voice communication.

People go mad due to bad quality

Anonymity in VoIP networks

What is anonymity?•NO leakage of

information about identity

Why is it important?•Human rights

•Sensitive applications

Where is the caller?

Source privacy Hot topic in many

kinds of networks: Ad hoc, Sensor networks, Mesh networks, ……

Papers published in: Infocom, ICDCS, CCS, Securecomm, S&P…

What’s the difficulties?

Strong ability of attackers•Content analysis

•Timing analysis Fully distributed Link latency ……

How VoIP works?

Establish routes:•Unstable topology

•Routes across different ASPs Sending messages

•Comply to different application protocols

Confidentiality•Hop-by-hop encryption

•End-to-end encryption

Establishing routes

InitSearch:

Bo

Zhenhua

<SearchID, dest ID, start time>

How does it work?

ProcessSearch

Bo

Zhenhua

How does it work?

FinSearch

Bo

Zhenhua

Zhenhua

What’s the problem?

Bad guys are there…

Bo

Bad guy: Mr. X

Bad guy: Mr. Y

Zhenhua

What’s the problem?

Bad guys are there…

Bo

Bad guy: Mr. X

Bad guy: Mr. Y

Zhenhua

What’s the problem?

What if Zhenhua is surrounded by bad guys?

Bo

Bad guy: Mr. X

Bad guy: Mr. Y

Bad guy: Mr. W

Bad guy: Mr. Z

Threat model

Composed by assumptions and formulations

Three threat models:•Deterministic Triangulation Attack

•Statistical Triangulation Attack

•Differential Triangulation Attack

Deterministic Triangulation Attack

“Deterministic” means fixed latency for each link

Exploit two properties of the route set up protocol:•1. It establishes the shortest route between the

two nodes src and dst.

•2. Any node can estimate its distance from src

=> Each bad guy has the knowledge of its distance from any other node in the network

Deterministic Triangulation Attack

BoMr. Y

Mr. X

Deterministic Triangulation Attack

Deterministic Triangulation Attack

For each bad guy pi in network

•If

•

Calculate the final score:

Statistical Triangulation Attack

“Statistical” means link latency follows some probabilistic distribution, say Gaussian distribution

Exploit one nice property of Gaussian distribution•X, Y follow Gaussian distribution

• If Z = X + Y THEN E(Z) = E(X)+E(Y) When calculating scores, use mean value

Differential Triangulation Attack

The mentioned two attacks relies on the time stamp in search packet to make the first estimation.

What if the source remove time stamp?•The attackers can still cooperate……

Differential Triangulation Attack

Bo

Mr. Y

Mr. Y

Zhenhua

Dist(Bo, X)-Dist(Bo,Y) < Dist(Zhenhua, X)-Dist(Zhenhua, Y)

Topology discovery All of the three threat

models require global information like topology and link latency

Malicious nodes can collude to collect such information• Send ping messages

with small TTL

• Infer local topology and link latency through pong messages

Attack efficiency

Deterministic Triangulation

Statistical Triangulation

Attack efficiency

Differential Triangulation

Defending algorithms

General idea: break the tight correlation of timing and distance

Random walk Search Algorithm•Best anonymity, worst QOS

Hybrid route set up•Tradeoff between anonymity and QOS

Random walk search algorithm

Basic idea:•Randomly select a neighbor to forward

search request instead of broadcasting(Random walk is used in tens of papers to defend against traffic analysis.)

Why it works?•According to random walk theory:

Hybrid Route set up protocol

Controlled random walk•Two phases

•Random walk search phase•Search dest node by random walk

•Broadcast search phase•Search dest node by broadcast

•One kind of probabilistic routing:•Start at random walk search phase

•Remain in this phase with probability of p

•Transfer to Braodcast search phase with probability of 1-p

Hybrid Route set up protocol

Multi-Agent Random Walk•Send out w search messages instead of one

•Every search message performs random walk

•Route established when the first search message arrives at dest node

•Tradeoff when setting w•Bigger w means smaller latency

•Bigger w also increases attacking efficiency

Simulation results

Latency study:

Simulation results

Anonymity study:

Comments

Brilliant Threat models•Capture key properties of broadcast

•A small percentage of nodes can attack very accurately

Not quite novel defending methods•Random walk has been used by tens of

(if not hundreds of) papers

•No deep analysis of the performance

Conclusion

VoIP is gaining more and more popularity

Three threat models directly target at caller’s anonymity

Introduce randomness to defend against timing attack

Lesson: challenging problem to protect privacy as well as providing QoS

Questions?