DOCSLIB.ORG

Quantitative Anonymity Guarantees for Tor

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Quantitative Anonymity Guarantees for Tor Saarland University Faculty of Mathematics and Computer Science Quantitative Anonymity Guarantees for Tor Dissertation zur Erlangung des Grades des Doktors der Ingenieurwissenschaften der Fakult¨at f¨urMathematik und Informatik der Universit¨atdes Saarlandes von Sebastian Wilhelm Ludwig Meiser Saarbr¨ucken, Februar 2016 Day of Colloquium 23. November 2016 Dean of the faculty Prof. Dr. Frank-Olaf Schreyer Chair of the Committee Prof. Dr. Christian Rossow Reviewers Prof. Dr. Michael Backes Prof. Aniket Kate, Ph.D. Dr. George Danezis Academic Assistant Dr. Robert K¨unnemann ii Zusammenfassung In dieser Arbeit pr¨asentieren wir eine neue Methode, um beweisbar sichere Anony- mit¨atsgarantien f¨urProtokolle zur anonymen Kommunikation zu geben und veran- schaulichen die Anwendung dieser Methode anhand des Tor Protokolls. Zu diesem Zweck pr¨asentieren wir zun¨achst das AnoA Framework, welches dazu dient, die Anony- mit¨atvon Protokollen zur anonymen Kommunikation zu quantifizieren. Der Angreifer, der in AnoA betrachtet wird, ist modular konfigurierbar. Wir zeigen, wie das Tor Protokoll in einer abstrakten Weise analysiert werden kann und greifen hierbei auf eine existierende Formalisierung von Tor im Universal Composibility (UC) Frame- work zur¨uck. Wir beweisen, dass unsere abstrakten Betrachtungen sichere Garantien ergeben. Dar¨uber hinaus entwickeln wir effizient berechenbare und beweisbar sichere Formeln, mit denen sich die Sicherheit von Tor gegen¨uber von Angreifern, die entweder durch Besitz eigener Tor Server oder durch eine Uberwachung¨ der Kommunikation, auf eine passive Art versuchen, die Anonymit¨atzu brechen. Letztlich f¨uhrenwir eine umfassende Analyse des Tor Netzwerks durch und berechnen die Anonymit¨at,die Tor gegen eine Vielzahl solcher Angreifer zur Verf¨ugung stellt, basierend auf den technischen Eigenschaften von Tor's Pfadsuchalgorithmus (und einigen Alternativen). iii iv Abstract In this thesis, we present a methodology to compute sound anonymity guarantees for anonymous communication protocols, which we apply to the Tor protocol. To this end, we present AnoA, a formal framework for quantifying the anonymity of anonymous communication protocols against modularly describable adversaries. We show how the Tor protocol can be analyzed in an abstract way by utilizing an existing formalization of Tor in the universal composability (UC) framework and prove that this analysis is sound. Moreover, we derive efficiently computable, sound anonymity guarantees for Tor against eavesdropping adversaries that may control Tor servers or wiretap communica- tions between parties. For known adversaries that perform perfect traffic correlations we show that our bounds are tight. Finally, we perform an extensive analysis of the Tor network against such adversaries in which we calculate the anonymity of Tor when using Tor's current path selection, thereby considering many real-world properties of the path selection algorithm, as well as when using one of several variants, against a variety of eavesdropping adversaries that can control Tor nodes (depending on various properties) or wiretap the communication between them. v vi Acknowledgments Sufficiently acknowledging all people that positively influenced me during my doc- toral studies is certainly a hard task. I will try to keep these words brief and hope to not offend in doing so. I want to thank my supervisor Michael Backes for his support, for the various explicit and implicit lessons in these past years and for giving me suffi- cient freedom in my research agenda. I obviously want to thank all my colleagues with which I worked together in these past years, foremost Esfandiar Mohammadi; I enjoyed our discussions, the invention of our grand board game, and, being able to call you a friend. Moreover, I want to thank Aniket Kate for his undying optimism regarding our projects, as well as for the foresight in striving for such types of guarantees. I want to thank Dominique Unruh for teaching me the art of designing definitions and proofs and Tim Ruffing for all helpful discussions. Concerning the line of research started by this thesis I want to thank all students and internship students that I had the pleasure to supervise (in almost alphabetical order): Markus Bauer, who both helped in fixing the implementation of MATor and who as his Bachelor's thesis developed a MATor plugin for the Tor browser, Simon Koch, who successfully battled parenthesis to perform a large-scale data collection for our network- infrastructure adversaries, Tahleen Rahman who had the bravery to delve into the depths of Tor's C-implementation and who extended this dissertation in her Master's thesis by modeling adversaries that add new Tor nodes to the consensus, Marcin Slowik who significantly contributed to more than one refactoring of MATor and with whom I had helpful discussions about the nature and generality of adversarial advantages, Lukas Wedeking, who as his Bachelor's thesis analyzed the impact of adversaries on Tor's hidden services on basis of this dissertation, and finally Marta Wrzola and Dawid Gawel who in their internship contributed to the final refactoring of MATor. I also want to thank the Cognition and Action research group of Prof. Dirk Wentura, as well as Prof. Christian Frings for giving me insights into psychology and pragmatism when solving problems, as well as for their encouraging discussions concerning my doctoral studies. Finally, I want to thank my family for their support and my friends for the countless hours of stress-relieving pen-and-paper games. For Science. vii viii Background of this Dissertation This dissertation is based on three peer-reviewed papers that have been accepted at influential and well-ranked conferences in the field of computer security, in each of which the author contributed as one of the main authors. In addition, the author was the main author of other peer-reviewed papers in the field of cryptography and information security [11, 10] and one of the main authors of a paper slightly related to the foundation of this thesis [16]. However, this dissertation focuses on the following four papers, as this selection defines a novel and very promising line of work. The author considers a thorough and consistent presentation that partially improves upon the original works to be significantly more useful to the research community than less consistent presentation that additionally covers the papers mentioned above. In AnoA [13] (published at CSF'13), as well as in the extended technical report • and the journal version (to be published in a special issue of the Journal of Privacy and Confidentiality), the author contributed significantly to the central notions of the framework, whereas a preliminary and abstract analysis of the Tor net- work (which is not included here) was mainly done by Praveen Manoharan. The central notion of IND-CDP is influenced by the papers \Computational Differen- tial Privacy" [81] of Mironov et. al, and \Secrecy without Perfect Randomness: Cryptography with (Bounded) Weak Sources" [16] in which the author also con- tributed as one of the main authors. The adaptations of the UC protocol to the AnoA framework were performed by Esfandiar Mohammadi. Praveen and Es- fandiar also worked on the UC-realization of differential-privacy style properties, which is a central building block for AnoA. In the paper \(Nothing Else) MATor(s)" [14] (published at CCS'14), the author • contributed as one of the main authors. Together with Esfandiar Mohammadi, he investigated how the actual Tor client implements Tor's current path selection algorithm, as well as the impact of these subtle choices on Tor's anonymity. More- over, they investigated the impact of TCP ports and derived sound formulas for calculating anonymity guarantees for Tor. The author additionally contributed to the implementation of MATor, a tool used for calculating Tor's anonymity that forms the foundation of all implementations considered for the evaluations in this thesis. In \Your choice MATor(s)" [12] (published at PETS'16), the author was the main • author and driving force. The author contributed by defining a novel, observation based analysis for calculating the anonymity guarantees, that is significantly more precise than the heuristics used before. The necessary modifications and the par- tial re-implementation of the analysis tool MATor, however, was done by Marcin Slowik, who worked under the author's direct supervision and the evaluation was designed and performed by both authors. ix x Finally, in a paper we are currently working on that is targeted at analyzing • the impact of network-level adversaries on Tor, the author contributed mainly to the theoretical foundations by defining a novel, observation based analyses of the calculation of our anonymity guarantees, together with the proofs on its correctness. The gathering of data was performed by Simon Koch, Tor's Internet topology was developed by the author together with Esfandiar Mohammadi and Christian Rossow. As an additional effort for this thesis, the individual papers have been combined into one consistent analysis of Tor that includes a novel formalization of a simplified AnoA game for Tor against eavesdropping adversaries. To this end, the majority of proofs has been revised, the analysis tool MATor has been re-factored and we repeated our large-scale formal evaluation of Tor against eavesdroppers. Contents 1 Introduction 1 1.1 Contribution . .2 1.2 Overview . .4 1.2.1 Anonymity and Privacy . .5 1.2.2 Intuition: Indistinguishability Based Anonymity . .6 1.2.3 The Tor Protocol . 10 1.2.4 From Observations of an Eavesdropper to Anonymity Guarantees 13 1.2.5 Defining Categories of Eavesdroppers . 14 1.2.6 Evaluating Tor Against Eavesdroppers . 16 1.3 Related Work . 16 1.3.1 Anonymous Communication Protocols . 17 1.3.2 Practical Attacks and Countermeasures . 18 1.3.3 Anonymity Analyses . 18 2 AnoA 23 2.1 Notation . 23 2.2 Full AnoA Game . 24 2.3 Anonymity Notions . 27 2.3.1 Sender Anonymity . 28 2.3.2 Recipient Anonymity .
Load more

Recommended publications
  • A Formal Treatment of Onion Routing
    A Formal Treatment of Onion Routing Jan Camenisch and Anna Lysyanskaya 1 IBM Research, Zurich Research Laboratory, CH–8803 R¨uschlikon [email protected] 2 Computer Science Department, Brown University, Providence, RI 02912 USA [email protected] Abstract. Anonymous channels are necessary for a multitude of privacy-protecting protocols. Onion routing is probably the best known way to achieve anonymity in practice. However, the cryptographic as- pects of onion routing have not been sufficiently explored: no satisfactory definitions of security have been given, and existing constructions have only had ad-hoc security analysis for the most part. We provide a formal definition of onion-routing in the universally composable framework, and also discover a simpler definition (similar to CCA2 security for encryption) that implies security in the UC frame- work. We then exhibit an efficient and easy to implement construction of an onion routing scheme satisfying this definition. 1 Introduction The ability to communicate anonymously is requisite for most privacy-preserving interactions. Many cryptographic protocols, and in particular, all the work on group signatures, blind signatures, electronic cash, anonymous credentials, etc., assume anonymous channels as a starting point. One means to achieve anonymous communication are mix-networks [6]. Here, messages are wrapped in several layers of encryption and then routed through in- termediate nodes each of which peels off a layer of encryption and then forwards them in random order to the next node. This process is repeated until all layers are removed. The way messages are wrapped (which determines their path through the network) can either be fixed or can be chosen by each sender for each message.
    [Show full text]
  • Anoa: a Framework for Analyzing Anonymous Communication Protocols Unified Definitions and Analyses of Anonymity Properties
    AnoA: A Framework For Analyzing Anonymous Communication Protocols Unified Definitions and Analyses of Anonymity Properties Michael Backes1;2 Aniket Kate3 Praveen Manoharan1 Sebastian Meiser1 Esfandiar Mohammadi1 1 Saarland University, 2 MPI-SWS, 3 MMCI, Saarland University {backes, manoharan, meiser, mohammadi}@cs.uni-saarland.de [email protected] February 6, 2014 Abstract Protecting individuals' privacy in online communications has become a challenge of paramount importance. To this end, anonymous communication (AC) protocols such as the widely used Tor network have been designed to provide anonymity to their participating users. While AC protocols have been the subject of several security and anonymity analyses in the last years, there still does not exist a framework for analyzing complex systems such as Tor and their different anonymity properties in a unified manner. In this work we present AnoA: a generic framework for defining, analyzing, and quantifying anonymity properties for AC protocols. AnoA relies on a novel relaxation of the notion of (computational) differential privacy, and thereby enables a unified quantitative analysis of well- established anonymity properties, such as sender anonymity, sender unlinkability, and relationship anonymity. While an anonymity analysis in AnoA can be conducted in a purely information theoretical manner, we show that the protocol's anonymity properties established in AnoA carry over to secure cryptographic instantiations of the protocol. We exemplify the applicability of AnoA for analyzing real-life systems by conducting a thorough analysis of the anonymity properties provided by the Tor network against passive adversarys. Our analysis significantly improves on known anonymity results from the literature. Note on this version Compared to the CSF version [BKM+13], this version enhances the AnoA framework by making the anonymity definitions as well as the corresponding privacy games adaptive.
    [Show full text]
  • Network Anonymity
    Network Anonymity Kenan Avdic´∗ and Alexandra Sandstrom¨ y Email: f∗kenav350, [email protected] Supervisor: David Byers, [email protected] Project Report for Information Security Course Linkopings¨ universitet, Sweden Abstract Nevertheless, obtaining anonymity on the internet can be a difficult matter, depending on what degree of In this paper we intend to examine to what degree it anonymity is required. Invariably, the Internet protocol is currently possible to achieve anonymity, with special version 4 has a destination IP-address (and so it will in emphasis on the Internet. We also intend to examine the the future with IPv6) that can be traced to a physical availability of such techniques for an average internet interface, i.e. a computer and its location and possibly the user. There is a historical and current perspective in- owner or user. Currently, discovering someone’s identity cluded, from mix-nets to today’s systems such as Tor, can be done via the internet service provider, and can Freenet and others. We discuss the efficiency of these in some countries be, due to recent increasingly harsher systems and their vulnerabilities. Finally, we discuss intellectual property legislation, a trivial matter. Due the results from a technical and social point of view to obvious technology limitations it is not possible to on anonymity and privacy, both on the Internet and in achieve total anonymity, as the unique IP-address must general. be available for communication. Thus, in order to achieve a measurable degree of anonymity, one cannot rely on 1. Introduction the secrecy of an IP-address, i.e.
    [Show full text]
  • Anonymous Communication on the Internet
    Proceedings of Informing Science & IT Education Conference (InSITE) 2014 Cite as: Grahn, K. J., Forss, T., & Pulkkis, G. (2014). Anonymous communication on the internet. Proceedings of In- forming Science & IT Education Conference (InSITE) 2014 (pp. 103-120). Retrieved from http://Proceedings.InformingScience.org/InSITE2014/InSITE14p103-120Grahn0483.pdf Anonymous Communication on the Internet Kaj J. Grahn, Thomas Forss, and Göran Pulkkis Arcada University of Applied Sciences, Helsinki, Finland [email protected] [email protected] [email protected] Abstract There are many kinds of systems developed for anonymous communication on the internet. We survey a number of systems and evaluate their security. Among these systems we compare func- tionalities like Onion Routing, anonymous VPN services, probabilistic anonymity, and determin- istic anonymity. Other types of anonymous communication such as messaging, peer-to-peer communication, web use, emailing, and use of other Internet applications are also presented. We follow up by presenting different types of attacks with the purpose of identifying anonymously communicating users. These attacks fall into the following categories: internal/external attacks, passive/active attacks, and static/adaptive attacks. We describe the following attacks as well as known protections against these attacks: predecessor attacks, intersection attacks, timing attacks, and Sybil attacks. Lastly we discuss design choices, operation, and security of the current TOR network – The 2G Onion Router. Access
    [Show full text]
  • A Survey of Anonymous Communication Channels
    Journal of Privacy Technology 20060701001 A Survey of Anonymous Communication Channels George Danezis [email protected] K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium. Claudia Diaz [email protected] K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium. Abstract We present an overview of the field of anonymous communications, from its establishment in 1981 from David Chaum to today. Key systems are presented categorized according to their underlying principles: semi-trusted relays, mix systems, remailers, onion routing, and systems to provide robust mixing. We include extended discussions of the threat models and usage models that different schemes provide, and the trade-offs between the security properties offered and the communication characteristics different systems support. Keywords: Anonymous communications, Mix systems, Traffic analysis, Privacy. 1. Introducing Anonymous Communications Research on anonymous communications started in 1981 with Chaum’s seminal paper “Untrace- able electronic mail, return addresses, and digital pseudonyms” (Chaum (1981)). Since then, a body of research has concentrated on building, analyzing and attacking anonymous communica- tion systems. In this survey we look at the definition of anonymous communications and the major anonymous communication systems grouped in families according to the key design decisions they are based on. Data communication networks use addresses to perform routing which are, as a rule, visible to anyone observing the network. Often addresses (such as IP addresses, or Ethernet MACs) are a unique identifier which appear in all communication of a user, linking of all the user’s transactions. Furthermore these persistent addresses can be linked to physical persons, seriously compromis- ing their privacy.
    [Show full text]
  • Social Networking for Anonymous Communication Systems: a Survey
    Social Networking for Anonymous Communication Systems: A Survey Rodolphe Marques Andre´ Zuquete´ Instituto de Telecomunicac¸oes˜ Universidade de Aveiro/IEETA Aveiro, Portugal Aveiro, Portugal [email protected] [email protected] Abstract relay node. This leaves a door open to malicious behavior in the network, where an attacker can run one or several Anonymous communication systems have been around for relay nodes in the network in an attempt to undermine the sometime, providing anonymity, enhanced privacy, and cen- anonymity that these networks provide to their clients. sorship circumvention. A lot has been done, since Chaum’s Attacks on anonymous communication systems have been seminal paper on mix networks, in preventing attacks able thoroughly studied, most of them being passive attacks to undermine the anonymity provided by these systems. through traffic analysis. The most common attacks are the This, however, is a difficult goal to achieve due to the de- predecessor attack [1], the intersection attacks [2], timing centralized nature of these systems. In the end it boils down attacks [3], and Sybil attacks [4]. These attacks can be to finding a subset of trusted nodes to be placed in critical easily performed by controlling some specific relay nodes in positions of the communication path. But the question re- the circuits created by the clients. Timing attacks are more mains: ”How to know if a given node can be trusted?”. In critical in low latency anonymity networks and are extremely this paper we present a survey of a new research area which difficult to detect do to their passive nature.
    [Show full text]
  • Arxiv:1803.02816V1 [Cs.NI] 7 Mar 2018
    Shedding Light on the Dark Corners of the Internet: A Survey of Tor Research Saad Saleha,∗, Junaid Qadirb, Muhammad U. Ilyasa,c aSchool of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad-44000, Pakistan bInformation Technology University, Lahore, Pakistan cDepartment of Computer Science, Faculty of Computing and Information Technology, University of Jeddah, Jeddah, Mecca Province 21589, Saudi Arabia Abstract Anonymity services have seen high growth rates with increased usage in the past few years. Among various services, Tor is one of the most popular peer-to-peer anonymizing service. In this survey paper, we summarize, analyze, classify and quantify 26 years of research on the Tor network. Our research shows that `security' and `anonymity' are the most frequent keywords associated with Tor research studies. Quantitative analysis shows that the majority of research studies on Tor focus on `deanonymization' the design of a breaching strategy. The second most frequent topic is analysis of path selection algorithms to select more resilient paths. Analysis shows that the majority of experimental studies derived their results by deploying private testbeds while others performed simulations by developing custom simulators. No consistent parameters have been used for Tor performance analysis. The majority of authors performed throughput and latency analysis. Keywords: Tor; Security; Anonymity; Survey; Analysis; Deanonymization; Breaching; Path selection; Performance analysis. 1. Introduction In this paper, we survey various studies conducted on the Tor network covering the scope of these studies. We The Internet has revolutionized the world by trans- quantify the studies into three broad but distinct groups, forming it into a global entity.
    [Show full text]
  • Anoa: a Framework for Analyzing Anonymous Communication Protocols? Anonymity Meets Differential Privacy
    AnoA: A Framework For Analyzing Anonymous Communication Protocols? Anonymity meets differential privacy Michael Backes1;3, Aniket Kate2, Praveen Manoharan3, Sebastian Meiser3, and Esfandiar Mohammadi3 1 MPI-SWS 2 MMCI, Saarland University 3 Saarland University {backes,manoharan,meiser,mohammadi}@cs.uni-saarland.de [email protected] Abstract. Protecting individuals' privacy in online communications has become a challenge of paramount importance. To this end, anonymous communication (AC) protocols such as the widely used Tor network have been designed to provide anonymity to their participating users. While AC protocols have been the subject of several security and anonymity analyses in the last years, there still does not exist a framework for analyzing complex systems such as Tor and their different anonymity properties in a unified manner. In this work we present AnoA: a generic framework for defining, analyzing, and quantifying anonymity properties for AC protocols. AnoA relies on a novel relaxation of the notion of (computational) differential privacy, and thereby enables a unified quantitative analysis of well-established anonymity properties, such as sender anonymity, sender unlinkability, and relationship anonymity. While an anonymity analysis in AnoA can be conducted in a purely information theoretical manner, we show that the protocol's anonymity properties established in AnoA carry over to secure cryptographic instantiations of the protocol. 1 Introduction Privacy enhancing technologies, such as anonymous communication (AC) proto- cols, seek to protect users' privacy by anonymizing their communication over the Internet. Employing AC protocols has become increasingly popular over the last decade. This popularity is exemplified by the success of the Tor network [40].
    [Show full text]