
Tarzan: A Peer-to-peer Anonymizing Network Layer, by Michael J. Freedman, Robert Morris. Presented by Jinhae Kim, Computer Science Graduate Student (transcript of a PowerPoint presentation, 34 slides)




2/34

Contents

Introduction
Design Goals
Network Model
Architecture
Details of Design
Security Analysis
Conclusion

3/34

Traffic Analysis Reveals Identities

Who is talking to whom may be confidential or private:

Who is searching a public database?

Which companies are collaborating?

Who are you talking to via e-mail?

Where do you shop on-line?

4/34

Introduction: Internet Anonymization

A host can communicate with an arbitrary server without revealing its own identity.

Anonymizer.com: a host sends messages to a server through a proxy.

Anonymous remailer systems, Onion Routing, and Zero-Knowledge's Freedom: a host connects to a server through a set of mix relays.

5/34

Introduction: Problems

Proxy server: DoS attacks, single point of failure.

A set of mix relays: traffic analysis at the network edge.

6/34

Introduction: Tarzan

A sequence of mix relays with no centralized component: all peers are equal.

Hides the originator: each node can be an originator and/or a relay.

Prevents edge analysis: a tunnel is constructed through a sequence of Tarzan peers using layered encryption.

Ensures anonymity at the network layer.

7/34

Design Goals

Application independence
Anonymity against malicious nodes
Fault-tolerance and availability
Performance
Anonymity against a global eavesdropper

8/34

Network Model

In relation to node X, adversarial machines can control address spaces and can spoof virtual nodes within corrupted domains.

[Figure: the network model around node X. Elements shown: border gateway, unswitched LAN, local subnet, honest routers, malicious routers, corrupted domains, honest nodes, malicious nodes, spoofed nodes.]

9/34

Architecture Overview

An IP packet is diverted in the kernel to the local tunnel initiator, which translates it to a private address space (App -> Priv), wraps it in several layers of encryption, and sends it to the first relay over UDP.

Each relay decrypts one layer and sends the packet to the next relay.

The PNAT extracts the original IP packet, NATs it to its own public address (Priv -> PNAT), and writes the raw packet to the Internet.

[Figure: client app -> initiator (kernel divert; src: App, dst: Dest becomes src: Priv, dst: Dest) -> relayd (flow tag 31) -> relayd (tag 17; mapping 31 -> 17) -> relayd (tag 59; mapping 17 -> 59) -> PNAT (src: PNAT, dst: Dest) -> Internet destination.]

10/34

Packet Relay

A flow tag uniquely identifies each link of each tunnel.

Symmetric encryption hides data; a MAC protects its integrity.

Separate keys are used in each direction of each relay.

The tunnel initiator clears each IP packet's source address field, performs a nested encoding for each tunnel relay, and encapsulates the result in a UDP packet.

11/34

Packet Relay: Encoding

T = (h_1, h_2, ..., h_l, h_pnat): the sequence of nodes in the tunnel

ek_hi, ik_hi: forward encryption and integrity keys for relay h_i

seq: packet sequence number

The initiator produces a block B_i for each relay h_i, starting with h_pnat:

c_i = ENC(ek_hi, {B_i+1})

a_i = MAC(ik_hi, {seq, c_i})

B_i = {seq, c_i, a_i}
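The nested encoding above, worked through as an added example (this is not code from the paper or the Tarzan implementation). The initiator builds the layers from h_pnat back to h_1; each relay checks a_i, strips one layer and forwards B_i+1. Assumptions of this example: the cipher is an HMAC-SHA256 keystream XOR standing in for the paper's block cipher, the MAC is HMAC-SHA256, seq is a 4-byte big-endian integer, and the per-hop keys are derived from constructed labels rather than distributed under the relays' public keys.

```python
import hashlib
import hmac
import struct

SEQ_LEN, MAC_LEN = 4, 32


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in stream cipher (assumption of this example, not the paper's cipher):
    HMAC-SHA256 in counter mode keyed with ek, nonce = seq."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enc(ek: bytes, seq: int, data: bytes) -> bytes:
    """ENC(ek, data): XOR with the keystream."""
    return bytes(x ^ y for x, y in zip(data, _keystream(ek, seq, len(data))))


dec = enc  # XOR keystream: decryption is the same operation


def mac(ik: bytes, seq: int, c: bytes) -> bytes:
    """a_i = MAC(ik_hi, {seq, c_i})"""
    return hmac.new(ik, struct.pack(">I", seq) + c, hashlib.sha256).digest()


def build_block(hop_keys, seq: int, ip_packet: bytes) -> bytes:
    """Initiator side. hop_keys = [(ek, ik) for h_1, ..., h_l, h_pnat] in forward order.
    Produces B_i for each relay starting with h_pnat; returns B_1 for the first relay."""
    inner = ip_packet                                # what h_pnat recovers after its layer
    for ek, ik in reversed(hop_keys):
        c = enc(ek, seq, inner)                      # c_i = ENC(ek_hi, {B_i+1})
        a = mac(ik, seq, c)                          # a_i = MAC(ik_hi, {seq, c_i})
        inner = struct.pack(">I", seq) + c + a       # B_i = {seq, c_i, a_i}
    return inner


def peel(ek: bytes, ik: bytes, block: bytes):
    """Relay side: verify a_i, strip one layer, hand B_i+1 to the next hop."""
    if len(block) < SEQ_LEN + MAC_LEN:
        raise ValueError("short block: drop")
    seq = struct.unpack(">I", block[:SEQ_LEN])[0]
    c, a = block[SEQ_LEN:-MAC_LEN], block[-MAC_LEN:]
    if not hmac.compare_digest(mac(ik, seq, c), a):
        raise ValueError("MAC failure: drop")
    return seq, dec(ek, seq, c)


def forward(hop_keys, block: bytes):
    """Walk the tunnel h_1 ... h_pnat; returns (seq, original IP packet)."""
    seq = None
    for ek, ik in hop_keys:
        seq, block = peel(ek, ik, block)
    return seq, block


def demo_keys(n_hops: int = 3):
    """Constructed per-hop keys; in Tarzan these are distributed at tunnel setup."""
    return [(hashlib.sha256(b"ek%d" % i).digest(), hashlib.sha256(b"ik%d" % i).digest())
            for i in range(n_hops)]


def demo():
    """Round trip through three hops, then a one-bit tamper that the first relay rejects."""
    keys = demo_keys()
    packet = b"\x45\x00\x00\x14" + b"constructed IP payload"
    b1 = build_block(keys, 7, packet)
    seq, out = forward(keys, b1)
    tampered = b1[:-1] + bytes([b1[-1] ^ 1])
    try:
        forward(keys, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return seq, out == packet, rejected
```

Each layer adds SEQ_LEN + MAC_LEN bytes, so a relay can only check the layer addressed to it; a modified byte anywhere in the packet is caught by the first relay whose MAC covers it, which is what lets Tarzan drop tagged or corrupted packets at the network edge.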

12/34

Tunnel Setup

A Tarzan node pseudo-randomly selects a series of nodes.

The initiator iteratively sets up the entire tunnel hop by hop.

It generates and distributes the symmetric keys, encrypted under the relays' public keys.

13/34

Tunnel Setup Protocol

[Figure: message sequence between h0 (initiator), h1, h2, ..., hpnat. "x <-R S" means x is chosen at random from the set S.]

h1 <-R {h0.neighbors}
establish_request(h0, h2)
establish_response
h2 <-R {h1.neighbors}
h3 <-R {h2.neighbors}
establish_request(h1, h3)
!ok or timeout: h3 <-R {h2.neighbors} (re-selected)
reset_forward_request(h3)
reset_forward_response
...
establish_response(hl)

14/34

IP Packet Forwarding

Creates a generic anonymizing IP tunnel.

IP forwarder: diverts certain packets and ships them over a Tarzan tunnel.

Client forwarder: replaces the real address with a random address.

PNAT (Pseudonymous Network Address Translator): remote hosts can communicate with the PNAT normally.

Double-blinded channel: achieves both sender and recipient anonymity (using different PNATs).

15/34

Tunnel Failure and Reconstruction

The initiator regularly sends pings to the PNAT.

PNAT failure: select a new hpnat for the tunnel.

Otherwise: attempt to rebuild the tunnel to the original PNAT.

Higher-level connections don't die upon tunnel failure.

16/34

Peer Discovery

A Tarzan node requires some means to learn about all other nodes.

Tarzan uses a simple gossip-based protocol for peer discovery.

The Tarzan discovery protocol supports three related operations:

Initialization: allows fast information propagation.

Redirection: allows nodes to shed load.

Maintenance: provides an incremental update of a node's peer database with only new information.

17/34

Peer Discovery Protocol

Ua, Va: the sets of a's unvalidated and validated known peers.

A new node a contacts an existing node b to discover Ua.

Node a validates b once a receives a response.

Node a successively contacts the new neighbors in Ua, retrying the neighbors in Va.

If the difference between Va and Vb is large: if b is busy, a.redirect(b); otherwise a.initialize(b).

Otherwise: a.maintain(b); b.maintain(a).

18/34

Peer Selection

Three-level hierarchy: /16 subnets, /24 subnets, and the relevant IP addresses.

The leading d bits of a node's IP address are transformed to an identifier via hash(ipaddr/d, date).

Lookup(key): generate id16 via hash(key/16, date) and find the smallest identifier ≥ id16 on the /0 identifier ring; then repeat with id24 on the ring of the /16 subnet found, and with id32 on the ring of the /24 subnet found.

Example: Lookup(key) with id16 = 541A, id24 = 82F1, and id32 = 261B. This ultimately maps to the hash value 4F9A, which yields IP address 18.26.4.9.

[Figure: the identifier rings of the example.]

/0 ring: 18D3, 3CB8, 49A1, 58E2, 712F, 9D37, B541, CA13, F72A (id16 = 541A -> 58E2, the 18.26/16 subnet)

18.26/16 ring: 21F8, 3A25, 45F1, 5212, 7C38, 94D1, B1E3, E436 (id24 = 82F1 -> 94D1, the 18.26.4/24 subnet)

18.26.4/24 ring: 23A5, 4F9A, 61D1, 974F, B11A (id32 = 261B -> 4F9A, the address 18.26.4.9)

19/34

Cover Traffic and Link Encoding

Cover traffic is used to provide more time-invariant traffic patterns, independent of bandwidth demands.

Traffic mimics: traffic invariants between a node and its mimics protect against information leakage.

20/34

Selecting Mimics

Upon joining the network, node a asks k other nodes to exchange mimic traffic with it.

The mimic relationship must be symmetric.

M_a^i: the i-th mimic of node a, the peer returned by lookup_i(a.ipaddr).

lookup_i(a.ipaddr): similar to peer selection, except that the identifier id_i^d is generated by recursively applying the cryptographic hash function i times to {a.ipaddr/d, date}, i ≤ (k+1).

Node a sends M_a^i a mimic request, including the tuple {a.ipaddr/d, date}.

Accept condition: 1 < i ≤ (k+1) and M_a^i.lookup_i(a.ipaddr) = M_a^i.
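The three-level lookup from the Peer Selection slide and the lookup_i mimic selection from this slide, as one added example (not code from the paper or the Tarzan implementation). Every node builds the rings from its own validated peer database, so a candidate M_a^i can re-run lookup_i(a.ipaddr) locally and refuse the request unless it lands on itself. Assumptions of this example: identifiers are 16-bit (shown as four hex digits, like the slide), hash is SHA-256 over the string "value/d|date", the peer list and date are constructed, and a node whose lookup lands on its own address is not handled specially.

```python
import hashlib
import ipaddress
from typing import Dict, List


def prefix(ip: str, d: int) -> int:
    """Leading d bits of an IPv4 address: the slide's ipaddr/d."""
    return int(ipaddress.IPv4Address(ip)) >> (32 - d)


def ident(value: int, d: int, date: str, rounds: int = 1) -> int:
    """hash({value/d, date}) applied `rounds` times (rounds = i for lookup_i).
    Assumption of this example: 16-bit identifiers taken from SHA-256."""
    data = f"{value}/{d}|{date}".encode()
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return int.from_bytes(data[:2], "big")


def successor(ring: Dict[int, object], target: int):
    """Smallest identifier >= target on the ring, wrapping to the lowest identifier."""
    keys = sorted(ring)
    for k in keys:
        if k >= target:
            return ring[k]
    return ring[keys[0]]


class PeerDB:
    """One node's view of the /16, /24, address hierarchy, built from its validated peers."""

    def __init__(self, peers: List[str], date: str):
        self.date = date
        self.ring0: Dict[int, int] = {}                # id(ip/16) -> /16 prefix
        self.ring16: Dict[int, Dict[int, int]] = {}    # /16 prefix -> {id(ip/24): /24 prefix}
        self.ring24: Dict[int, Dict[int, str]] = {}    # /24 prefix -> {id(ip/32): ip}
        for ip in peers:
            p16, p24, p32 = prefix(ip, 16), prefix(ip, 24), prefix(ip, 32)
            self.ring0[ident(p16, 16, date)] = p16
            self.ring16.setdefault(p16, {})[ident(p24, 24, date)] = p24
            self.ring24.setdefault(p24, {})[ident(p32, 32, date)] = ip

    def lookup(self, key: str, i: int = 1) -> str:
        """lookup_i(key): the key's identifiers are hashed i times; i = 1 is plain Lookup(key)."""
        p16 = successor(self.ring0, ident(prefix(key, 16), 16, self.date, i))
        p24 = successor(self.ring16[p16], ident(prefix(key, 24), 24, self.date, i))
        return successor(self.ring24[p24], ident(prefix(key, 32), 32, self.date, i))


def accept_mimic_request(me: str, my_db: PeerDB, a: str, i: int, k: int) -> bool:
    """The slide's accept condition, evaluated by candidate M_a^i from its own database:
    1 < i <= k+1 and me.lookup_i(a.ipaddr) == me."""
    return 1 < i <= k + 1 and my_db.lookup(a, i) == me


# The slide's /0 ring (constructed labels for the subnets the slide does not name), so
# successor() can be checked against the slide's own example: 541A -> 58E2 -> 18.26/16.
SLIDE_RING0 = {0x18D3: "A", 0x3CB8: "B", 0x49A1: "C", 0x58E2: "18.26/16", 0x712F: "D",
               0x9D37: "E", 0xB541: "F", 0xCA13: "G", 0xF72A: "H"}

# Constructed peer database shared by every node in the demo.
CONSTRUCTED_PEERS = ["18.26.4.9", "18.26.4.20", "18.26.7.3", "18.31.0.5", "10.0.1.1",
                     "10.0.2.2", "192.0.2.7", "198.51.100.4", "203.0.113.9"]


def demo(k: int = 3, date: str = "2002-11-18"):
    """Node a picks M_a^2 .. M_a^(k+1); each candidate re-runs lookup_i and accepts."""
    db = PeerDB(CONSTRUCTED_PEERS, date)
    a = "10.0.1.1"
    mimics = {i: db.lookup(a, i) for i in range(2, k + 2)}
    accepted = all(accept_mimic_request(m, db, a, i, k) for i, m in mimics.items())
    return mimics, accepted
```

Because the identifier depends on the date, the same peer database yields a different set of mimics the next day, which is the daily reassignment the Considering Adaptive Adversaries slide relies on; and because the candidate recomputes the lookup itself, a node that simply asks its preferred (malicious) peers to be mimics is refused.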

21/34

Tunneling Through Mimics

Choice of relay: the mimics of the previous hop.

[Figure: mimic topology and traffic flows for k = 3; each node has about 6 mimics. The tunnel is drawn with bold arrows; the random PNAT is joined by a dotted line.]

22/34

Unifying Traffic Patterns

The packet headers, sizes, and rates of a node's incoming traffic from its mimics must be identical to its outgoing traffic.

All packets along mimic links are symmetrically encrypted.

Encrypted packets along links are padded to be all the same size.

A node generates and distributes symmetric keys when it connects with a new mimic.

23/34

Security Analysis: Adversary

Breaks sender anonymity by back-tracing observed messages to their source, watching traffic patterns or message encodings.

Traces a message forward to its egress from a PNAT to compromise the recipient anonymity of non-participating servers.

Tarzan's P2P design exposes less identifying topological information and resists powerful traffic-analysis attacks.

24/34

Comparing Anonymity Properties

Tarzan's model: P2P, layered encryption. Onion Routing (OR): network core, layered encryption. Crowds: P2P, link encryption only.

Information exposed?

                     Bad first relay       Bad intermediate relay   Bad last relay        Bad first and last relays
                     OR    Crowds  Tarzan  OR    Crowds  Tarzan     OR    Crowds  Tarzan  OR    Crowds  Tarzan
sender activity      Yes   Maybe   Maybe   No    No      Maybe      No    No      No      Yes   Maybe   Maybe
recipient activity   No    Yes     No      No    Yes     No         Yes   Yes     Yes     Yes   Yes     Yes
sender content       No    Maybe   No      No    No      No         No    No      No      Yes   Maybe   Maybe
recipient content    No    Yes     No      No    Yes     No         Yes   Yes     Yes     Yes   Yes     Yes

25/34

Onion Routing

Define the route.

Initiator and responder interface with onion routing proxies.

Construct the anonymous connection.

Move data through the connection using layered encryption.

Destroy the anonymous connection.

Reference: http://www.onion-router.net/Publications.html

26/34

Crowds

"Blending into a crowd": operates by grouping users into a large and geographically diverse group (a crowd).

Collaborating crowd members cannot distinguish the originator from a member who is merely forwarding.

27/34

Crowds: Path in a Crowd

Reference: http://avirubin.com/crowds.pdf

[Figure: six crowd members (1 through 6) and the web servers; a request is forwarded along a path of crowd members before one of them delivers it to a server.]

28/34

Static vs. Adaptive Adversaries

Static adversary:

Corrupts some number of independent physical machines.

Reads packets and analyzes the contents, sizes, rates, and volumes of packets addressed to machines under its control.

Uses timing analysis to determine whether packets seen at different relays belong to the same tunnel.

Time-bounded adaptive adversary:

Picks and chooses which machines to compromise after it joins the system, but is time-bounded.

29/34

Considering Adaptive Adversaries

To protect against an adaptive adversary:

The period needed to compromise all tunnel relays must be longer than the tunnel's duration.

Tunnels should not be repeatedly constructed through the same small set of largely-compromised relays.

Tarzan:

Node-selection mechanism: relays are chosen randomly, with host diversity.

Honest nodes store tunnel keys and routing tables only in memory, and disable core dumps and process tracing.

Scalable architecture: offers a large choice of nodes.

Mimic reassignment: ensures the set of relays changes daily.

30/34

Defining Probability of Failure

An adversary compromises M gateway routers or LAN machines.

The adversary runs m malicious nodes within each of these M corrupted domains.

The network has n nodes in N domains.

CLAIM 1. A node selects a malicious mimic with probability M/N.

CLAIM 2. Nobody can bias an initiator's choice of relays.

To achieve these claims, a node must select its mimics uniformly over the entire set of domains.
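Claim 1 worked through in code, as an added example that is not from the paper or the slides. It goes one step beyond the slide: besides the M/N figure for domain-uniform selection, it computes what the same adversary would get if mimics were chosen uniformly over nodes, which is where the m virtual nodes per corrupted domain pay off, and it checks both against a seeded Monte Carlo over a constructed system. Assumptions of this example: one honest node per honest domain, relays chosen independently, and the values M = 100, N = 1000, m = 10 are constructed.

```python
import random
from fractions import Fraction


def p_malicious_mimic_by_domain(M: int, N: int) -> Fraction:
    """CLAIM 1: choosing uniformly over N domains, M of them corrupted."""
    return Fraction(M, N)


def p_malicious_mimic_by_node(M: int, N: int, m: int, honest_per_domain: int = 1) -> Fraction:
    """Added comparison, not on the slide: choosing uniformly over nodes instead lets the
    adversary's m nodes per corrupted domain inflate its share to mM / (mM + honest nodes)."""
    bad = M * m
    good = (N - M) * honest_per_domain
    return Fraction(bad, bad + good)


def p_all_relays_malicious(M: int, N: int, hops: int) -> Fraction:
    """Probability that every relay of a tunnel is malicious under domain-uniform choice.
    Assumption of this example: relays are chosen independently."""
    return Fraction(M, N) ** hops


def simulate(M: int, N: int, m: int, picks: int, policy: str, seed: int = 1) -> float:
    """Monte Carlo over a constructed system: domains 0..M-1 are corrupted and run m
    malicious nodes each; every other domain runs one honest node."""
    rng = random.Random(seed)
    nodes = [(d, j) for d in range(M) for j in range(m)] + [(d, 0) for d in range(M, N)]
    hits = 0
    for _ in range(picks):
        if policy == "domain":
            d = rng.randrange(N)          # pick a domain, then a node inside it
        elif policy == "node":
            d, _ = rng.choice(nodes)      # pick any node: adversary's m nodes all count
        else:
            raise ValueError("policy must be 'domain' or 'node'")
        hits += d < M
    return hits / picks


def report(M: int = 100, N: int = 1000, m: int = 10, hops: int = 3):
    """Analytic and simulated malicious-mimic rates for both selection policies."""
    return {
        "by_domain": p_malicious_mimic_by_domain(M, N),
        "by_node": p_malicious_mimic_by_node(M, N, m),
        "all_relays_bad": p_all_relays_malicious(M, N, hops),
        "sim_domain": simulate(M, N, m, 20000, "domain"),
        "sim_node": simulate(M, N, m, 20000, "node"),
    }
```

With the constructed numbers, domain-uniform selection keeps the adversary at 1/10 per mimic, while node-uniform selection would hand it 10/19, which is why the slide insists that selection be uniform over domains rather than over addresses the adversary can multiply for free.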

31/34

Malicious Nodes Attempt...

Corrupt gossiping: gossip addresses that do not exist, or return only malicious nodes.

Leverage open admission: try to control "important" IP addresses or run multiple nodes.

Ignore the neighbor-selection algorithm: attempt to select malicious nodes as mimics.

32/34

Security Enforcement

Securing resource discovery: to protect against fake entries, Tarzan differentiates between unvalidated and validated addresses in the peer-discovery and selection process.

Hardening the open admissions policy: keys are distributed indirectly through the gossiping protocol, and tunnel initiators choose mimics by selecting uniformly at random from among available domains.

Enforcing proper mimic selection: tunnels should be constructed through nodes selected in an unbiased and random fashion.

33/34

Traffic Analysis Attacks

Information leakage in tunnels: a global eavesdropper is countered with cover traffic.

Information leakage at network exit points.

Network-edge attacks: packet replay, tagging, reordering, and flooding.

Prevention: sequence numbers, buffering incoming packets, encrypting messages, cover traffic.

34/34

Conclusion

Tarzan provides a flexible layer for sender and recipient anonymity.

It sustains anonymity in hostile environments, against both malicious participants and global eavesdroppers.

It is transparent to Internet applications.

P2P design: decentralized, highly scalable, and easy to manage.

Lack of a network core increases fault-tolerance to individual relay failure.