
Page 1

Network Security: Anonymity

Otto Huhta, T-110.5241 Network security

Aalto University, Nov-Dec 2014

Page 2

Outline

1. Anonymity in general
2. High-latency anonymous routing
3. Low-latency anonymous routing — Tor

Page 3

Anonymity

Page 4

Definitions

Security: “free from danger or threat”

Privacy: “control over personal information or actions”

Anonymity: “unidentifiable”

Page 5

Privacy
• Control over personal information
  Emphasized in Europe
  Gathering, disclosure and false representation of facts about one’s personal life
• Right to be left alone
  Emphasized in America
  Avoiding interference, control, discrimination, spam, censorship
• Anonymity is a tool for achieving privacy
  Blending into the crowd

Page 6

Anonymity (online) – Why?
• Protection against mass surveillance
• Censorship resistance, freedom of speech
• Protection against discrimination, e.g. geographic access control or price differentiation
• Business intelligence, police investigation, political and military intelligence
• Whistle blowing, crime reporting
• Electronic voting
• Cyber war, crime, illegal and immoral activities?

Page 7

Anonymity - terminology
• Identity, identifier
• Anonymity — they don’t know who you are
• Pseudonymity — intentionally allow linking of some events to each other
  E.g. sessions, payment and service access
• Unlinkability — they cannot link two events or actions (e.g. messages) with each other
• Authentication — strong verification of identity
• Weak identifier — not usable for strong authentication but may compromise privacy
  E.g. nickname, IP address, SSID, service usage profile
• Authorization — verification of access rights
  Does not always imply authentication (remember SPKI)

Page 8

Anonymity in communications
• Anonymity towards communication peers
  Sender anonymity — receiver does not know who sent the message or from where
  Receiver anonymity — can send a message to a recipient without knowing who and where they are
  Bi-directional anonymity — neither sender nor recipient knows the other’s identity
• Third-party anonymity — an outside observer cannot know who is talking to whom
• Unobservability — an outside observer cannot tell whether communication takes place or not
  Strength depends on the capabilities of the adversary
• Anonymity towards access network
  Access network does not know who is roaming there
  Related concept: location privacy

Page 9

Who is the adversary?
Discussion: who could violate your privacy and anonymity?
• Global attacker, your government
  e.g. retention of traffic data, NSA PRISM
• Servers across the Internet, colluding commercial interests
  e.g. web cookies, trackers, advertisers
• Criminals
  e.g. identity theft
• Employer
• People close to you
  e.g. stalkers, co-workers, neighbors, family members

Page 10

Strong anonymity?
• Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication
• Even the strongest mechanisms have serious weaknesses
  Need to trust many others to be honest
  Services operated by volunteers and activists
  Side-channel attacks
• Anonymity tends to degrade over time for persistent communication

Page 11

Anonymity on the Internet
• Problem: weak identifiers
  IP address, MAC address
    • IPv6 address can contain MAC address
  TCP sequence number, IP Identifier field
  Location/app data, browser plugins, languages, etc.
• Simple solution: VPNs
  Need to trust VPN provider
  Susceptible to traffic analysis
  IP addresses can still leak information
• Better: Mix Networks, Onion Routing

Page 12

High-Latency Anonymous Routing

Page 13

Mix - Introduction
• Threat model: Global adversary
  Can observe all messages, all traffic → trivially learns sender & receiver
• Goal: Break link between sender and receiver
• Solution: Cryptographic relays

Page 14

Mix (1)
• Mix is an anonymity service [Chaum 1981]
• Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observer
• The mix receives encrypted messages (e.g. email), decrypts (or re-encrypts) them, and forwards them to the recipients

(Figure: messages passing through a decryption mix)

Page 15

Mix (2)
• Attacker can see the input and output of the mix
• Attacker cannot see how messages are shuffled in the mix
• Concept: Anonymity set = all nodes that could have sent (or could be recipients of) a particular message

(Figure: messages passing through a decryption mix)

Page 16

Mix (3)
• Two security requirements:
  Bitwise unlinkability of input and output messages — cryptographic property; must resist active attacks
  Resistance to traffic analysis — attacker can delay, drop or inject dummy messages
• Basic security
  Re-encryption attack → Solution: freshness (random string)
  Replay attack → Solution: MIX discards repeated input messages
• Examples of design mistakes:
  FIFO order of delivering messages; no freshness check at mix; no random initialization vector for encryption; no padding to hide message length; malleable encryption

(Figure: messages passing through a decryption mix)

Page 17

Mixing in practice
• Mix strategies
  Threshold mix — wait to receive k messages before delivering
    • Anonymity set size k
  Pool mix — mix always buffers k messages, sends one when it receives one
• Both strategies add delay → high latency
• Not all senders and receivers are always active
  In a closed system, injecting cover traffic can fix this (What about the Internet?)
• Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections
  Attacker can observe beginning and end of connections
  Attacker can observe request and response pairs → statistical traffic analysis

Page 18

Who sends to whom?

Threshold mix with threshold 3

Page 19

Anonymity metrics
• Size of the anonymity set: k-anonymity
  Suitable for one round of threshold mixing
  Problems with k-anonymity:
    • Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is high
    • Pool mix: k is unbounded
• Entropy: E = −Σ_{i=1…n} p_i log₂ p_i
  “Not all senders are always equally likely to have sent a message”
  Measures the amount of missing information in bits: how much does the attacker not know
  Can measure entropy of the sender, recipient identity etc.
• Problems with measuring anonymity:
  Anonymity of individual messages vs. anonymity in a system
  Depends on the attacker’s capabilities and background information
  Anonymity usually degrades over time as attacker collects more statistics
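An added example (not part of the lecture slides) that makes the k-anonymity versus entropy comparison concrete for the two mix strategies of the previous slide: a threshold mix yields a uniform anonymity set of size k, while the exact sender distribution of a pool mix (buffers k messages, emits one uniformly at random on each arrival) has unbounded support but bounded entropy. The arrival index t and the uniform-choice model are assumptions of the example.

```python
import math


def entropy_bits(probs):
    """Shannon entropy E = -sum(p_i * log2 p_i) over candidate senders (0 log 0 = 0)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def anonymity_set_size(probs):
    """k-anonymity: count every sender with non-zero probability."""
    return sum(1 for p in probs if p > 0)


def effective_anonymity_set(probs):
    """2**E: size of the uniform anonymity set that has the same entropy."""
    return 2 ** entropy_bits(probs)


def threshold_mix_sender_distribution(k):
    """Threshold mix, one round: k messages delivered together, each of the k
    senders equally likely to be the origin of a given output."""
    return [1.0 / k] * k


def pool_mix_sender_distribution(k, t):
    """Pool mix that always buffers k messages: on each arrival the pool holds k+1
    messages and one, chosen uniformly at random, is delivered.
    Returns P(output emitted at arrival t came from input j) for j = 1..t, followed
    by the k messages that were in the pool at time 0 (assumed model).
    A message that arrived at step j survives each of the t-j intermediate
    selections with probability k/(k+1) and is then picked with probability 1/(k+1)."""
    stay = k / (k + 1)
    new_inputs = [(stay ** (t - j)) / (k + 1) for j in range(1, t + 1)]
    initial_pool = [(stay ** (t - 1)) / (k + 1)] * k
    return new_inputs + initial_pool


def compare(k, t):
    """Both metrics for a threshold mix and a pool mix with the same parameter k."""
    th = threshold_mix_sender_distribution(k)
    pool = pool_mix_sender_distribution(k, t)
    return {
        "threshold_k": anonymity_set_size(th),
        "threshold_entropy": entropy_bits(th),
        "pool_k": anonymity_set_size(pool),          # grows without bound with t
        "pool_entropy": entropy_bits(pool),           # converges to (k+1)*h(1/(k+1))
        "pool_effective_k": effective_anonymity_set(pool),
    }


if __name__ == "__main__":
    for k, t in [(3, 10), (3, 200), (10, 200)]:
        r = compare(k, t)
        print(f"k={k}, t={t}: threshold mix k={r['threshold_k']}, "
              f"E={r['threshold_entropy']:.3f} bits; pool mix k={r['pool_k']}, "
              f"E={r['pool_entropy']:.3f} bits (effective set {r['pool_effective_k']:.1f})")
```

For k = 3 the pool mix's k-anonymity says "203 possible senders" after 200 arrivals, but the entropy says the attacker's uncertainty is only about 3.2 bits, equivalent to a uniform set of roughly 9.5 senders.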

Page 20

Trusting the mix
• Problem: The mix must be honest!
• Solution: Route packets through multiple mixes
  Attacker must compromise all mixes on the route
  However, compromising almost all the mixes may reduce the size of the anonymity set
• Example: anonymous remailers for email
  anon.penet.fi 1993–96

Page 21

Mix networks (1)

Page 22

Mix networks (2)

A mix network is just a distributed implementation of a mix

Page 23

Mix networks (3)
• Mix cascade — all messages from all senders are routed through the same sequence of mixes
  Good anonymity, poor scalability, poor reliability
• Free routing — each message is routed independently via multiple mixes
• Other policies between these two extremes
  But remember that the choice of mixes could be a weak identifier!

Page 24

Mix networks (4)
• Concept: Onion encryption
• Goal: only endpoints can see plaintext message
• Multiple layers of PK-encryption:
  Alice → M1: EM1(M2, EM2(M3, EM3(Bob, M)))
  M1 → M2: EM2(M3, EM3(Bob, M))
  M2 → M3: EM3(Bob, M)
  M3 → Bob: M
• Encryption at every layer must provide bitwise unlinkability, detect replays and check integrity; in free routing, it must also keep the message length constant
• Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption

Page 25

Receiver anonymity
• Alice distributes a reply onion: EM3(M2, k3, EM2(M1, k2, EM1(Alice, k1, EAlice(K))))
• Messages from Bob to Alice:
  Bob → M3: EM3(M2, k3, EM2(M1, k2, EM1(Alice, k1, EAlice(K)))), M
  M3 → M2: EM2(M1, k2, EM1(Alice, k1, EAlice(K))), Ek3(M)
  M2 → M1: EM1(Alice, k1, EAlice(K)), Ek2(Ek3(M))
  M1 → Alice: EAlice(K), Ek1(Ek2(Ek3(M)))
• Alice can be memoryless: ki = h(K, i)

Page 26

Sybil attack
• Problem: Mixes tend to be run by volunteers
  Anyone can join the network
  Applies in general to open systems which anyone can join
• Attacker creates a large number of seemingly independent nodes, e.g. 50% of all nodes → some routes will go through only the attacker’s nodes
• Defence: increase the cost of joining the network:
  Human verification that each mix is operated by a different person or organization
  The IP address of each mix must be in a new domain
  Require good reputation of a measurable kind that takes time and effort to establish
  Select mixes in a route to be at diverse locations
• Sybil attacks are a danger to most P2P systems, not just anonymous routing
  E.g. reputation systems, content distribution

Page 27

Other attacks
• Problem 1: Who are the others in the network?
  (n-1) attack
    • Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows the one honest sender to get through → easy to trace because all other packets are the attacker’s
    • Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection
• Problem 2: Anonymity degrades over time
  Statistical attacks
    • Attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns

Page 28

Low-Latency Anonymous Routing

Page 29

Tor
• Problem with Mix networks: High latency
  Too slow for interactive use (e.g. web browsing)
• Solution: Remove mixing at relays… But what about security?
• More realistic(?) attacker model: can control some nodes, can sniff some links, not everything
• New compromise between efficiency and anonymity:
  No mixing at the onion routers
  All packets in a session, in both directions, go through the same routers
  Short route, always three onion routers
  Tunnels based on symmetric cryptography
  No cover traffic
  Protects against local observers at any part of the path, but vulnerable to a global attacker
• “2nd generation onion router”

Page 30

Tor overview
• 5’000 relays, 2’000’000 daily users
• Directory Servers hold list of all relays (incl. public keys)
• Overlay network
  Randomly chosen, but fixed circuits through 3 relays
• Encryption:
  Onion encryption between user and last relay
  TLS encryption between relays (and user)

Page 31

Tor – Building a circuit (1)

Page 32

Tor – Building a circuit (2)

Page 33

Tor – Building a circuit (3)

Page 34

Tor – Building a circuit (4)

Page 35

Circuits in Tor
Alice – OR1 – OR2 – OR3 – Bob [Danezis]

(Figure; labels recovered from the slide:)
• Authenticated DH, Alice – OR1 → K1
• Authenticated DH, Alice – OR2, encrypted with K1 → K2 (Alice now holds K1, K2)
• Authenticated DH, Alice – OR3, encrypted with K1, K2 → K3 (Alice now holds K1, K2, K3)
• Data encrypted with K1, K2, K3; TCP connection Alice – Bob
• Last link unencrypted
• Alice not authenticated, only the ORs

Page 36

Circuits in Tor
(Same figure as on slide 35, with one addition:)
• Additionally, linkwise TLS connections: Alice–OR1–OR2–OR3

Page 37

Rough comparison: OR vs Mix networks

                 Mix networks                                         Onion routing
Security from:   Mixing at relays (+ maybe route unpredictability)    Route unpredictability (no mixing)
Threat model:    Global adversary                                     Non-global adversary
Performance:     High latency                                         Low latency
Example use:     Email                                                Web browsing

Paul Syverson, 2009

Page 38

Tor limitations (1)
• Traffic confirmation attacks
  Scenario: adversary can monitor both endpoints → can trivially confirm the endpoints are communicating
  Problem: relays don’t (significantly) alter traffic
  Solution: none (outside Tor threat model)
• Traffic analysis attacks
  Scenario: adversary controls/monitors part of user circuit (netw. links/relays)
  Passive: can correlate traffic based on packet size, timing, volume, etc.
  Active: can modify traffic (drop, delay, etc.) and look for traffic fingerprint
  IF attacker controls first and last relay → again trivially confirm communication (Problem same as above)
  Solution: make it difficult to control relays, switch circuits (limited effect)
• Note 1: Always a risk of compromise
  Client chooses relays at random
  Simplified: if c compromised relays out of n total
    • probability of choosing a malicious relay c/n, and for both first and last relay (c/n)²
• Why three routers, not two?

Page 39

Tor limitations (2)
• Malicious exit relays
  Problem: exit relay sees ‘unencrypted’ client traffic
  Solution: use TLS!
• Information leak from browser, applications, OS
  Problem 1: Tor doesn’t anonymize traffic content
  Problem 2: Other applications access Internet directly
  Solution: Tor browser bundle, disable JS, separate device
• Blacklisting of entry or exit relays
  Problem: Remote server sees IP of exit relay
  Solution (Exit relay): none
  Solution (Entry relay): Bridges

Page 40

Tor – Hidden Services
• Servers running ‘inside’ the Tor network
  Physical location hidden
  Traffic under onion encryption all the way to server
• Specific method for opening circuits
  Introduction and Rendezvous points
• Examples
  Search engines, file storage, Facebook, etc.
  WikiLeaks
  Finnish sites also: sipuliwiki, thorlauta
  Illegal activities

Page 41

Other systems: Freenet
• Freenet is a DHT-based P2P content distribution system
• Focus on censorship-resistant publishing
• Plausible deniability for content publishers and redistributors
  Node itself cannot determine what content it stores

Page 42

Conclusions: Anonymity
• Anonymity requires a crowd
• Mix networks
  Strong anonymity for messaging
  Mixing reduces performance
• Onion routing
  Interactive use
  Assumes a weaker adversary
  Tor widely deployed

Page 43

Exercises
• Compare k-anonymity for senders in threshold mix and pool mix
• What can a malicious Tor exit node achieve?
• Compare how the following affect anonymity level in Tor and high-latency email mixes:
  Percentage of compromised mixes
  Number of mixes in the route
  Choosing a new random route periodically
• Is it possible to provide anonymity to honest users without helping criminals?
• Learn about the latest attacks against Tor. New ones are published regularly. Why is this the case?
• Is Tor use unobservable? That is, can it be used safely in a country or workplace where its use may be punished?
• Could malware or other software on your computer leak information about which web sites you access with Tor (or to whom you send email through a mix network)?
• Will using Tor make you more or less vulnerable to monitoring by governments?

Page 44

Optional reading
• Mix networks:
  A survey on mix networks and their secure applications (first few pages are very good) – K. Sampigethaya, R. Poovendran – Proceedings of the IEEE, 2006
• Anonymity metrics:
  k-anonymity: A model for protecting privacy – L. Sweeney – International Journal of Uncertainty, Fuzziness and …, 2002
  Towards an information theoretic metric for anonymity – A. Serjantov, G. Danezis – Privacy Enhancing Technologies, 2003
• Original Tor paper
  Tor: The second-generation onion router – R. Dingledine, N. Mathewson, P. Syverson – 2004
  E.g. Tor threat model, more details on design choices, etc.