Design Principles for Low Latency Anonymous Network Systems Secure Against Timing Attacks

Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks

Rungrat Wiangsripanawan, Willy Susilo and Rei Safavi-Naini

Center for Information Security School of Information Technology and Computer Science University of Wollongong, Australia Email: [email protected], [email protected], [email protected]

Abstract as email systems. On the other hand, low latency applications are applications that do need real-time or Low latency anonymous network systems, such as near real-time responses. Examples include web ap- Tor, were considered secure against timing attacks plications, secure shell (SSH) and instant messenger. when the threat model does not include a global ad- Both systems are built based on Chaum’s idea. Un- versary. In this threat model the adversary can only linkability is provided in a similar way in both cases see part of the links in the system. In a recent paper using a sequence of nodes between a sender and its entitled Low-cost traffic analysis of Tor, it was shown receiver, and using encryption to hide the message that a variant of timing attack that does not require a content. An intermediate node knows only its prede- global adversary can be applied to Tor. More impor- cessor and its successor. tantly, authors claimed that their attack would work High-latency systems are message-based systems on any low latency anonymous network systems. The while, low-latency systems are connection-based. implication of the attack is that all low latency anony- That is, for high-latency systems there is one mes- mous networks will be vulnerable to this attack even sage per one path, and for a new message a new path if there is no global adversary. is created. However, low-latency systems use a path In this paper, we investigate this claim against for a period of time and send data as a stream of other low latency anonymous networks, including packets over the same path. Tarzan and Morphmix. Our results show that in con- Another difference between the two is due to the trast to the claim of the aforementioned paper, the at- time restriction. Anonymous systems for low latency tack may not be applicable in all cases. Based on our applications may ignore the mixing process that in- analysis, we draw design principles for secure low la- cludes batching and reordering, hence, they would be tency anonymous network system (also secure against more susceptible to traffic analysis attacks and in par- the above attack). ticular timing attacks. Timing attacks can be as sim- Keywords: Low latency, anonymous, timing attacks, ple as comparing the difference between the time that Tor, Tarzan, Morphmix packets enter and leave a network, with the time for traversing a route. Timing attacks can be more com- 1 Introduction plex and include extracting traffic patterns of links and comparing them to determine a route. In this Anonymous communication systems were first intro- paper, we concentrate on the second approach. duced in the seminal paper of Chaum (Chaum 1981). The timing attack in (Danezis 2004, Levine, Re- Conceptually, a message to be anonymized is relayed iter, Wang & Writght 2004) uses the fact that each through a series of nodes called mix nodes. Each mix node in the network introduces a different delay. The node performs operations that have two main objec- delay can be used to guess the correlation between tives. The first one is to provide bitwise unlinkabil- the input links and output links of a node. An ad- ity and is aimed at message content, and the second versary can observe links over time and by comparing one is mixing that is aimed at message flow. To pro- traffic patterns of all links, determine series of nodes vide unlinkability messages are padded and encrypted that have similar link patterns and are likely to form so that the adversary cannot see the content of data a route. Using statistical methods, the adversary can packets and so cannot link the content. In each node obtain information about the sender and the receiver incoming message is batched and reordered or relayed of a path, or at least the path itself. The attack can be in a way that is difficult for the adversary to discover avoided by making the timing characteristic of each its corresponding outgoing message through the mes- link indistinguishable. This, however, requires an un- sage arrival and departure times. Also, to make the reasonable amount of mixing operations and cover attack more difficult, dummy traffic is introduced. traffic and hence, long delays. It is not a trivial task Anonymous communication systems over the In- to find the right balance between anonymity and de- ternet can be classified into two categories: systems lay in these networks. for high-latency applications and systems for low- The aforementioned timing attack assumes a latency applications. High latency applications are global adversary, who can observe all links in the net- application that do not demand quick responses, such works. Under a weaker threat model, i.e. excluding the global adversary, most low latency networks, such Copyright (c) 2007, Australian Computer Society, Inc. This as Tor (Dingledine, Mathewson & Syverson 2004) can paper appeared at the Australasian Information Security Work- be considered secure. In this weaker threat model, shop: Privacy Enhancing Technologies (AISW), Ballarat, Aus- the adversary is allowed to only observe a fraction of tralia. Conferences in Research and Practice in Information the links. This is a plausible assumption considering Technology (CRPIT), Vol. 68. Ljiljana Brankovic, Paul Cod- the systems are operated over public networks, such dington, John F. Roddick, Chris Steketee, Jim Warren, and as the Internet and so there is no assurance that the Andrew Wendelborn, Eds. Reproduction for academic, not-for profit purposes permitted provided this text is included. timing attacks can achieve more than finding parts of the routes with non-negligible success probability. 183 Recently, Murdoch and Danezis have shown a 2 Related Works low cost attack that can successfully “break” low latency systems, and does not use a global adver- In this section, we will briefly review the three exist- sary (Murdoch & Danezis 2005). Their attack ing anonymous network systems, namely Tor, Tarzan is based on a traffic analysis attack proposed by amd Morphmix. Danezis (Danezis 2004). In their attack, Tor’s provided anonymity can be broken by an attacker that 2.1 Tor only has a partial view of the network or is one of the Tor nodes. The attack works because Tor removes Tor, the second-generation Onion Routing, is a the mixing operation that has been used in its earlier circuit-based low-latency anonymous communication version, and instead processes its input queues in a service (Dingledine et al. 2004). It is an improved round robin fashion. The Tor node is responsible for version of the Onion Routing. Onion Routing(OR) receiving and forwarding each stream’s packets. A is an overlay system that aims to provide anonymous corrupted Tor node can create connections to other communication to applications such as web brows- Tor nodes and so indirectly estimate other nodes’ traf- ing, instant messenger and secure shell. As the OR’s fic volumes at each time. These estimates use the designs have several flaws and limitations when be- difference in the latency of streams that are sent and ing deployed, Tor has included several additional fea- received back using those connections. As the traffic tures that OR does not provide. Some of them are volume or traffic load on each Tor node is a result of perfect forward secrecy, congestion control, directory the traffic load of all relayed connections on that Tor services, integrity checking, configurable exit policies, node, the technique in (Danezis 2004) can be used and rendezvous point and hidden service. Tor also to estimate the traffic pattern of each node and utli- removes features that are considered by its authors mately a good estimate of the route. Authors noted as being unnecessary. These features are mixing, that their scheme can be applied to any anonymous padding and traffic shaping. low latency systems. This significantly invalidates the There are three entities: a Tor client, Tor servers threat model used in many low latency anonymous (Tor nodes), and a recipient. Logically, a Tor client is systems. a sender that wants to have an anonymous communication with its recipient. It is an Onion P roxy in OR. Our Contributions Tor servers are intermediate nodes or Onion Routers We examine the attack proposed by Murdoch and in OR. They are responsible for routing streams to Danezis (Murdoch & Danezis 2005), and investigate its next nodes in accordance to what the Tor client if it works for other low latency anonymity networks. instructs them. Like OR, Tor calls the last Tor node, We note that Tarzan (Freedman & Morris 2002) and before a recipient, the exit node. The recipient does MorphMix (Rennhard & Plattner 2002) work dif- not need to be a member of the Tor network. That is ferently from Tor. In particular, they both employ because the exit node acts as a guardian between the peer-to-peer architecture, whereas Tor tends to rely open world (recipients) and the Tor network. on dedicate servers. Also, Tarzan includes some mix- Similar to OR, a Tor client selects a number of ing operations and cover traffic, which does not exist Tor servers as members of a circuit (OR and Tor call in Tor. Moreover, MorphMix allows an intermediate a path a circuit). Where OR restricts one circuit node to select part of the anonymous path, whereas for one TCP stream, Tor allows many TCP streams in Tor, a Tor client chooses the whole path by himself. to share the circuit. Circuits are constructed a priori. Our analysis has two directions. Firstly, we focus The main responsibility of the Tor client is to set up a on the latency of the system, to verify whether it can circuit and establish common keys between the client be used to represent the traffic load of each node. and all intermediate nodes. These keys are used later Secondly, we look at the effectiveness of the attack on when the client wants to send relay cells to its recip- different architectures and mechanisms. We will use ient and vice versa. Tor fixes a circuit’s size to be 3 our analysis to provide design principles for building Tor server nodes. More details of circuit construction secure low latency anonymity systems that do not can be found in (Dingledine et al. 2004). suffer from these types of attacks. When the client wants to send data to its recip- Organization of The Paper ient anonymously, for example, when a user starts The rest of this paper is organized as follows. In browsing a website, streams of packets are divided Section 2, we briefly describe the related works in into fixed-sized cells. The Tor’s cell size is 512 bytes. this area. In particular, we review the three existing Then, they are wrapped layer by layer using session anonymous network systems, namely Tor, Tarzan and keys derived from pre-negotiated common keys. This Morphmix and highlight the differences among them. is done in a way that when they are unwrapped by the In Section 3, we review the low cost attack on Tor Tor server, the node is able to know merely its prede- as described by Murdoch and Danezis (Murdoch & cessor and successor nodes. Unlike OR that provides Danezis 2005). We note that this attack is claimed to mixing processes, the incoming cells to the Tor node be applicable in any low latency network systems. In are simply put into queues, processed and sent out in contrast to this claim, we provide a counter example a first come first serve fashion. in Section 4 where the attack fails to be conducted. Tor Threats Model In particular, we discuss the possibility of employing An adversary’s goal is to observe both the initiator this attack in Morphmix, and we show that the result and the recipient. Like all other practical low latency does not provide the required information as claimed. anonymous systems, Tor does not provide any mech- In Section 5, we derive some necessary conditions re- anisms to protect against a global passive adversary. quired when building a secure low latency network However, it is designed to prevent the system against system. By adhering these necessary conditions, a an adversary that has the following capacities: secure low latency network system can be built and the resulting system will not suffer from the low cost • the adversary who can observe some fraction of attacks. We also provide some related discussions to network traffic; highlight our results. Finally, Section 6 concludes the • the adversary who can generate, modify, delete paper. or delay traffic; • the adversary who can operate onion routers of his own; 184 Recipient ex Server

Relay 3/ Relay2 Exit node

Relay1

- Tor relay

Tor Proxy/ (sender) Tor Network

Figure 1: Tor architecture

• the adversary who can compromise some frac- other aspects of attacks that are harmful to Tor, tions of onion routers. namely attacks with directory service and rendezvous points. However, they are outside the scope of this Attacks using the network traffic can be classified paper. More details can also be found in (Dingledine into two main categories: traffic confirmation attacks et al. 2004). and traffic analysis attacks. Each category consists of both passive and active attacks. Traffic confirmation attacks are attacks where the adversary uses a traffic 2.2 Tarzan pattern to confirm his guess. For example, the adver- Tarzan is another low latency anonymous system, sary suspects that Alice is talking to Bob. Passively, which is also based on the Chaum’s mix concept. he observes traffic at both Alice and Bob’s ends and Similar to other low latency anonymous systems, it uses a pattern that obtained from timing or volume is aimed to provide anonymity for applications such of packets that enter and leave both ends to verify as web-application or instant messenger. Unlike Tor, his suspicion; or actively embeds timing signatures Tarzan is based on peer-to-peer architecture. Each into the traffic between these two nodes to force the Tarzan node can be both a Tarzan client (the sender) distinct patterns that can be recognized. However, or a Tarzan relay. This is done to avoid end-to-end traffic analysis attacks are attacks that the adversary timing analysis of an entry and exit nodes. That is, learns which points in the network he should attack any one can join and leave the network and all nodes by using traffic patterns. For example, the passive ad- can be potential initiators. Tarzan provides peer dis- versary can observe the network edges and then uses covery by using a protocol based on the gossip-based relationships in timing or volume of packets to cor- mechanism similar to the one in (Harchol-Balter, relate traffic that enter or leave the network; or the Leighton & Lewin 1999). Due to the peer-to-peer active adversary can insert a pattern into traffic that characteristic, an adversary can imitate himself as can be detectable afterward. many Tarzan nodes as he wishes. Therefore, Tarzan Examples of the traffic analysis attacks that could is equipped with a mechanism to store peers in a way be mounted with Tor are as follows. The passive ad- that reduces a chance that a malicious node is se- versary can use other externally visible user-selected lected. This is done by hashing the node’s IP address options such as timing of packets to correlate traf- according to its subnet and categorizing its result into fics. The active adversary can replay traffic; or he levels. can choose to deny service to trustworthy routers and The recipient in Tarzan does not necessarily have move them to compromised router; or he can deny to be a Tarzan node; it can be any node in the net- services to users and see if traffic stops elsewhere. work. Tarzan provides a mechanism to get through Tor and Traffic analysis it through PNAT. Tarzan claims that it is resistant Tor considers traffic confirmation attacks, such as to the global adversary’s attack, that is achieved via end-to-end timing correlation, outside their design its cover traffic mechanism, known as mimic traffic. goal. Tor designers focus their threat model merely on To prevent an overwhelming network consumption, the traffic analysis attacks (Dingledine et al. 2004). Tarzan limits the mimic traffic of each Tarzan node Since Tor does not include the global passive or ac- to merely with some of its peers. tive adversary in its threat model, some traffic analy- To illustrate this, when joining the network, after sis attacks, such as observing traffic pattern, can be discovering all other peers, the Tarzan node selects a discarded. Dingledine and Mathewson (Dingledine number of nodes as its mimics. Then, when an anony- et al. 2004) provide more details on how Tor de- mous connection is required, the next relay node must fends other traffic analysis attacks. There are also be chosen from the node’s mimic list. 185 Recipient Ex webserver PNAT

n3 n4

S en n1 n2 a de r

Tarzan Network

Figure 2: Tarzan Architecture with mimics

When a Tarzan node a wants to have an anony- in-the-middle attack, MorphMix introduces a witness. mous connection with its recipient such as a web The witness’s duty is to act as a third party during server svr, assuming that the anonymous tunnel has the next hop selection process. It allows the initiator l + 1 length where l is a number of the nodes in the a to establish a shared key with the appended node tunnel, a selects its first hop from its mimic list, say c through b, without revealing c’s key information to n1. Then, a asks n1 for n1’s mimic list (ln1). a b or without b being a malicious node. Figure 3 is nd chooses the 2 hop, from (ln1). Then, a repeats this cited from (Rennhard & Plattner 2002). It shows process until l hops. Finally, a chooses the last node how MorphMix selects the next hop with the wit- randomly from a’s peer database. This last node acts ness’s help. Assuming that the connection between as an exit node in Tor but Tarzan names it PNAT. the initiator a and b has already been established. Therefore, the connections has the following path: The complete procedure is illustrated as follows. a → n1 → n2 → ... → nl → P NAT → svr. It is important to note that P NAT is selected randomly 1. a selects a witness w from the set of nodes it already knows. It then generates its half from all peers in the database not from nl’s mimic list, otherwise numbers of available paths are limited. of the key information DHa and encrypts Figure 2 illustrates Tarzan network’s architecture and it with W’s public key together with the its tunnel connections. In this example, each Tarzan nonce({nonce1,DHa}P uKw). Note that a nonce node has approximately 6 mimics. is used against replay attack and s is a number of nodes a wants b to offer. Due to DHa is encrypted with the w’s public key. b has no idea 2.3 MorphMix what this information is. MorphMix (Rennhard & Plattner 2002, Rennhard 2. After b receives the message, it sends the en- & Plattner 2004) is another low latency anonymous crypted DHa ({nonce1,DHa}P uKw) to w with system. Its main objective is to provide a practical its selection of nodes and their public keys anonymous communication to the masses. It is based ({ip , P uK , ip , P uK , ip , P uK }). on a peer-to-peer architecture. Similar to Tor, Mor- c c d d e e phMix is a circuit-based mix system that makes use of 3. w has two tasks. First, it decrypts fix-length cells and layered encryption to establish a {nonce1,DHa}P uKw to get DHa. Then, w circuit through other nodes. Cover traffic is removed selects randomly node c as the next hop. Next, unless really required. The circuit, the first node, the it sends request for next hop to c. This includes last node and the nodes in between are called the b’s information {ipb, P uKb} together with anonymous tunnel, the initiator, the final node and a’secret to c. the intermediate nodes, respectively. Unlike Tor or Tarzan, the intermediate nodes in MorphMix are not 4. c checks if it will accept the request. If so, it entirely chosen by the initiator. Rather, MorphMix sends ok-message back to w. allows each intermediate node to select its successor. 5. w signs a set of nodes that b selects together with When an initiator node a wants to establish an anony- nonce and sends back to b with its chosen node mous tunnel, it selects the first intermediate nodes b 1 for the next hop put first after the nonce1 in the from its current neighbor list. Then, it establishes a signature. The signature is used as a receipt from symmetric key between them. The shared key is used w to a. for layered encryption. To extend the tunnel, a asks b for a selection of nodes that should be used as its next 6. b receives the message from w. It knows that its hop. b sends a a set of its recommended nodes chosen next hop is c. It then generates an identifier(id) from b’s neighbors. a then chooses one of them, for that is used to identify the anonymous tunnel of example, node c. a appends c to b in the tunnel. A this link between b and c. Then, it sends this id symmetric key between a and c is created and then, with the new nonce (nonce2) to c. sends to c through b. To prevent b from being man- 7. c replies b with its DH-exchange part with id. 186

Figure 3: MorphMix hop selections.

8. b sends to a c’s DH part and the signature of w low cost attack indeed disproves this argument and that consists of list of chosen nodes. shows that the initial design is still vulnerable to the timing attacks’ variants. It is true that the adversary Unlike any other systems, MorphMix does not re- cannot observe all links in the network and mount quire that any MorphMix node must have knowledge attacks as described in (Danezis 2004). Nevertheless, of all other nodes. Rather, MorphMix pays more at- being one of the Tor nodes does not prohibit the ad- tention to collusion’s detection of malicious nodes. versary to measure latencies between all the nodes and itself. In particular, these latencies can be used 3 A Low Cost Attack in Low Latency Anony- to infer to traffic volumes of the nodes that it is com- mous System municating. Since the traffic pattern of each node can be obtained from its traffic volume, the adversary can In this section, we review a low cost attack on Tor as use the techniques described in (Danezis 2004) to do described in (Murdoch & Danezis 2005). The term further analysis. Then, he is able to infer which nodes low cost comes from the fact that the adversary re- carry the similar traffic pattern. In other words, they quires only a partial view of the network, i.e. being are the relay nodes in the same circuit. one of the Tor nodes, to attack the Tor network. The The idea is supported by the Tor architecture. The attack shows that the Tor system is vulnerable to a Tor node has given each connection its own buffer variant of timing analysis attack, even though this at- and processes these buffers in a round robin fashion. tack was claimed to be prevented in the original Tor When the buffer has no stream, it simply ignores and threats model. That is, the claim that traffic analy- moves to process the next buffer. More importantly, sis attacks on Tor cannot be done without a global the mixing process has been removed from Tor due passive adversary is indeed false. to its designers’ doubts on capacity and practicality The attack, conceptually, takes advantage of a (Dingledine et al. 2004). Hence, when a new connec- seemingly unavoidable limitation of the low latency tion is established; or when any existing connection is anonymous system; that is time. The goal of the at- removed; or when the traffics of the existing connec- tack is to infer which nodes are being used to relay tions are changed, the traffic loads on the Tor node streams in the Tor circuit. This greatly decreases the is changed. This affects the responses that this Tor anonymity properties of Tor system. Experimental node would have on connections with other Tor nodes results are conducted and presented to support the that are previously established and are still currently theoretical attack. In the end, the authors further working. Consequently, due to this same reasons, the claim that this attack should be applicable to any traffic loads of the other Tor nodes are changed as low latency anonymous system, such as Tarzan and well. Therefore, they can conclude that the change MorphMix. of the traffic load on one Tor node affects other Tor nodes that have connections to it. Hence, for nodes The Idea of The Attack that are on the same circuit, their traffic loads should The idea comes from the known fact that delay cannot result in the same pattern of effects. Note that the be induced much in the low latency systems. Hence, change of traffic load occurred from the Tor node’s the timing pattern of packets should persist through- environments, such as its CPU load, is ignored. out a circuit. Tor had survived the typical timing attack because its designers believed that the global Entities Involved passive adversary is hardly possible. It does not con- The adversary merely requires to be a member of the sider this type of attacks in their threats model. The Tor’s system. That is, being one of the Tor clients. 187

Figure 4: Low Cost Attack Model in Tor

This node is called a corrupt node or a probe node. 4 Analysis of the Low Cost Timing Attack against Tarzan and Morphmix Attack Model Conceptually, the attack works as follows. To perform this attack with other systems, we em- • A corrupt Tor node establishes connections to ploy the same model as the one used by Tor. The ad- other Tor nodes in order to measure these con- versary requires at least two entities: a corrupt node nections’ latencies. and a corrupt server. A corrupt node is changed to a sender node in each particular system. That is, • The corrupt Tor node keeps monitoring latencies a Tarzan client in Tarzan, and an initiator node in of all these connections during a reasonable time MorphMix. period. Next, a corrupt node needs to acquire a list of all other nodes in the system. Then, it establishes • The latencies values are used to estimate traffic connections to these nodes so that it can monitor their loads of the Tor nodes’ that the corrupt node connections’ latencies. Connections are monitored for makes connection with. a period of time. During that time, the corrupt server • Traffic patterns are derived from the traffic loads. keeps sending its traffic into the system. When the monitoring period finishes, latency of each connection • When the adversary has the traffic pattern of all is used to estimate the traffic load of that particular nodes, it can further mount an attack similar to node. Then, the traffic load is compared with the ones in (Danezis 2004, Levine et al. 2004). server traffic. If it results in similarity, the node is concluded as one of the intermediate nodes in the To make their attack more powerful, a variant of the path. When traffic of all nodes are compared, the attack is proposed. That is, a network server to which possible path(s) is/are derived. a user is connected to, is corrupted. Thus, there is no need to observe a connection to extract the traffic Thus, the attack would be successful under the pattern. The adversary can choose a traffic pattern following three conditions: that is easily detected and sends its streams through the corrupt server. The aim of the attack is to find a • Latencies received at the corrupt node indeed path between a victim node and the corrupt server. represent traffic loads of the target nodes. This greatly reduces the anonymity of the system to be at the same level with a simple proxy. Finally, • The corrupt node must be able to know other it is claimed that the attack would work with other participants in the network. low latency network systems, including Tarzan and • The corrupt node must be able to establish a MorphMix. direct connection to all nodes it wants to monitor. In the next section, we will investigate this argument and show that the claim made in this paper is The attack is successful in Tor because the Tor only valid under some restricted conditions. Figure 4 architecture satisfies these conditions. Firstly, due and figure 5 illustrate the low cost attack model and to the fact that Tor removes mixing operations and its procedure respectively. cover traffic, its timing characteristic is retained. This is supported by the experiment result in (Murdoch & Danezis 2005). Secondly, Tor provides a directory service that a Tor client can acquire a list of all other Tor servers. Third, there is no restriction to prohibit 188 At a corrupt node At a corrupt server requirement. Unlike Tor, Tarzan restricts its traffic Preparation through merely its mimics. Therefore, when target Find a list of all other nodes Prepare target stream ({1, 2, ..., N})(S(t)) nodes are not mimics of a corrupt node, the corrupt Tarzan node may not be able to make a one-hop con- Action nection to each target node. When the connections 1. for i = 1 to N require more than one hop, the corrupt Tarzan node make connection to each nodei; cannot be sure about the correctness of the latency 2. for i = 1 to N it measures. Then, the traffic load may be interfered 2.1 while t record send S(t) by the other traffic load of the nodes in between the latency of each nodei (L(i)); connections. Up to this point, it seems that the low 2.2 derive → T (i) latency attack may not work in Tarzan. Nevertheless, traffic load of nodei 2.3 compare T (i) the adversary is fortunate. Tarzan employs P NAT , with the server traffic S(t) which is the last node in the tunnel prior to the recip- 2.4 if T (i) ≈ S(t) then ient. Unlike other intermediate nodes in the tunnel nodei is a relay in the path. that their successors and their predecessors are re- 3. Obtain a path, for example, stricted to their mimics, the P NAT can be any node node1 → node3 → node6 in Tarzan network. Therefore, to measure latency of other node in the network with a single hop connec- Figure 5: Low cost attack’s procedure. tion, the corrupt node can treat each target node as the P NAT of that connection. Then, there will be no problem with the mimic traffic. the Tor client not to establish a connection to all Tor In summary, the low cost attacks should be ap- servers. plicable with the Tarzan architecture, unless Tarzan’s mimic traffic can destroy timing characteristic of the 4.1 Low Cost Attack in Tarzan streams or the P NAT mechanism is modified to require the exit node to be part of the mimics. To investigate if the attack is applicable with Tarzan, we will analyze what influences each condition has 4.2 Low Cost Attack in MorphMix provided to the system. The major differences between MorphMix and Tor Latency seems to be the architectures of the systems and the There are two differences between Tarzan and Tor method to select tunnels’ members and the exit node. that should affect the latency. The first one is Tor MorphMix works in a peer-to-peer environment where operates its queue in a round-robin fashion. Secondly, Tor has dedicate servers acting as Mix nodes. In Tor, Tor does not include mixing operations and cover traf- a Tor client is the one who selects all participants in fic. The case is different for Tarzan. Tarzan provides its anonymous tunnel by itself. However, a MorphMix a mimic mechanism. That is, even though Tarzan node selects its participants through suggestions of does not mention how each Tarzan node manages its each intermediate node in the tunnel. Tor does have incoming queues, Tarzan controls the rate of output an exit node but MorphMix does not. We conduct links according to the average rates of its input links. our investigation whether the low cost attack will be When each link does not reach the rate it requires, applicable to MorphMix based on the same three cri- Tarzan inserts dummy data. Also, prior to sending teria mentioned earlier. out its streams to output links, the Tarzan node does some mixing and batching within each link’s outgoing Latency queue. MorphMix nodes appear to work in the similar fash- Then, the question is if this so-called mimic has ion as Tor nodes, after tunnels are established. That enough influence to destroy the timing characteristic is, no cover traffic mechanism is included. Thus, in of each traffic stream. At this stage, it seems that this aspect, the attack should be applicable to Mor- the only way to prove this statement is to conduct phMix. an experiment in the same fashion as the experiment conducted in Tor. Unfortunately, Tarzan does not Node discovering ability provide the test-bed that includes the mimic part. There is no requirement in MorphMix that each Mor- We leave this as an open research question. For the phMix node must have knowledge of all other Mor- purpose of this analysis, we would treat the Tarzan phMix nodes in the system. Simply, each node re- node operations as a black box and assume that tim- quires a handful of other nodes obtained locally such ing signature is not destroyed. Hence, the comparison as from its neighbors. Then, when it wants to estab- between the attack on Tor and Tarzan is still fair. lish a tunnel, it continually asks each hop one at a time to recommend a set of possible next hop. This Node discovering ability allows nodes in MorphMix system to create anony- A Tarzan node discovers other peers through a mech- mous tunnels without concerning the knowledge of anism based on a gossip-protocol. Thus, each Tarzan all nodes in the system. node can gather all information about all peers. What The implication is as follows. When the low cost seems to be a problem is Tarzan is based on peer-to- attack is employed, the corrupt MorphMix node has a peer architecture so that the number of nodes should problem with acquiring a complete list of all running be huge and the network should be dynamic. Then, MorphMix nodes. That is, it must discover all nodes whether it is possible that the corrupt node can moni- first. This is not a trivial exercise, in particular, when tor all others’ node latency is dubious. However, since the discovery can only be done through MorphMix we are merely concerned with the ability to know tunnel establishment mechanism. Therefore, an ef- other peers in the network, Tarzan is still considered fective searching algorithm is required. Nevertheless, to satisfy this condition. this involves a lots of work. Hence, the so-called “low” cost attack will now become “costly”. Also, by the Connection Establishment ability time all nodes are discovered, the list may be out- After recognizing all other nodes in the network, if dated, since some peers may have disappeared from the corrupt node is able to establish a direct con- the network. Moreover, due to loose knowledge of nection with all nodes through an anonymous tunnel other nodes’ presences, there is no assurance that all in Tarzan network, then this will satisfy the third 189 nodes in the MorphMix network are connected. In Systems, such as Tor, claim that they provide this case, the attack cannot even be conducted. enough countermeasure against this type of attacks. However, they have not considered that a variant of Connection Establishment ability the attack can be applied without having to involve a There is no restriction in MorphMix connection. global adversary. By taking advantage over the tim- Hence, each MorphMix node can have a one-hop con- ing constraint and the removing of cover traffic, the nection to other MorphMix node directly. low cost attack has successfully attacked the weaker In short, the current attack is not applicable to threat model in Tor, and therefore, this model is re- the MorphMix architecture because the corrupt node garded as insufficient. is lacking the knowledge of a complete list of all Mor- According to our investigation with other systems, phMix nodes. which are Tarzan and Morphmix, the attack is considered to be valid to all low latency networks with the requirement that the system must allow a node to 5 Design Requirements for Secure Low La- obtain a list of all other nodes in the network. Other- tency Networks wise, if this capability is prohibited, the weaker threat model is acceptable. There are two essential conditions required in mount- Hence, for any anonymous low latency system that ing the low-cost attack. Firstly, the knowledge of all wants to claim the weaker threat model that secures other nodes in the system by a corrupt node is es- against a timing attack, this condition must be en- sential. Without this knowledge, this type of attacks forced. Under this condition, each node is only al- cannot be performed. Secondly, the latency being lowed to know a subset of neighbors, but not all of probed must genuinely represent the traffic load. them. Based on these observations, we derive the follow- This can be used as another supportive reason ing conclusions. There are two alternative approaches to favor peer-to-peer based systems over dedicated- that can be taken to prevent the low cost traffic analy- server based systems in designing a low latency sis attacks. anonymous network. This is due to the fact that a 1. Preventing all nodes from gathering information number of nodes in the peer-to-peer system is huge. of the whole network , i.e. a list of all nodes. This Thus, if an adversary manages to find all the nodes, implies that we only need to provide adequate the list would be outdated as it is hard to obtain the information so that an anonymous tunnel can be list of all nodes within a short time. created. 6 Conclusion 2. Inserting cover traffic into streams in the network in a way such that the network cannot find the In this paper, we investigated one of the attacks in streams’ signature. low latency anonymous network systems, namely the Based on either of these two possible approaches, low cost traffic analysis attack. This attack is an im- we can build a secure low latency network that will portant one, since it has proven to be successful in not be susceptible against the low cost attacks. attacking a system like Tor, which was believed to It is important to note that all strategies suggested be secure under the weaker threat model. Moreover, by (Murdoch & Danezis 2005) fall into the second ap- these types of attacks are claimed to work with any proach. However, as they introduce more latency to low latency anonymous systems. We presented a case each connection and involve a covert channel, there where this attack is not applicable. We also investi- remains an open problem in what degree that cover gate some important properties that need to be en- traffic should be employed. Hence, the first alterna- sured whilst building low latency network systems, so tive sheds a new light in preventing this attack. that they will not be susceptible against these types of attacks. Hence, we provided some necessary condi- Further Discussions tions that are important and need to be adhered when The significant part for anonymity preserving in a designing the low latency anonymous networks. We low latency anonymous system appears to be in the note that cautions must be exercised upon building second scenario, that is, the message flow or traffic this type of networks. flow. This is due to the main restriction of the system, which is an intolerable long delay. When enough delay is introduced, it distorts the relay node capabil- References ity to mix or make its incoming and outgoing streams indistinguishable. This leaves some “clue” for the ad- Chaum, D. (1981), Untraceable electronic mail, re- versary to finally break the anonymity of the system. turn address, and digital pseudonyms, in ‘Com- However, having multiple nodes in the anonymous muniation of ACM’, Vol. 24, pp. 84–88. tunnel hardens the adversary in the sense that he Danezis, G. (2004), The traffic analysis of continuous- must be able to control all nodes or links. This group time mixes, in ‘Proceedings of Privacy Enhanc- of adversary is called global adversaries. ing Technologies workshop (PET2004)’, Vol. It seems rather difficult to provide anonymous low 3424 of LNCS. latency systems that are both resistant to global adversaries and provide acceptable delay for applica- Dingledine, R., Mathewson, N. & Syverson, P. (2004), tions. Fortunately, it is not a trivial task to be the Tor: the second-generation onion router, in ‘Pro- global adversary in the Internet as the Internet hosts ceedings of the 13th USENIX Security Sympo- are distributed around the globe under different do- sium. San Diego, CA, USA. 9-13 Aug. 2004.’. mains and authorities. Therefore, it is considered to be reasonable to assume that a system is secure un- Freedman, M. J. & Morris, R. (2002), Tarzan: A peer- der a weaker type of adversaries. These adversaries to-peer anonymizing network layer, in ‘CCS’02 , are allowed to do several things both passively and Washington, DC, USA’, ACM. actively, such as observing some fractions of network Harchol-Balter, M., Leighton, T. & Lewin, D. (1999), traffic or generating, modifying, deleting or delaying Resource discovery in distributed networks, in traffic or operating some intermediate nodes; except the requirement for observing all links. 190 ‘PODC ’99: Proceedings of the eighteenth an- nual ACM symposium on Principles of distributed computing’, ACM Press, New York, NY, USA, pp. 229–237. Levine, B. N., Reiter, M. K., Wang, C. & Writ- ght, M. K. (2004), Timing attacks in low-latency mix-based systems, in ‘Proceedings of Financial Cryptograhy (FC’04)’. Murdoch, S. J. & Danezis, G. (2005), Low cost traffic analysis of Tor, in ‘IEEE Symposium on Security and Privacy, Oakland, California, USA, May 8 11, 2005’. Rennhard, M. & Plattner, B. (2002), Introducing Morphmix: peer-to-peer based anonymous internet usage with collusion detection, in ‘WPES ’02: Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society’, ACM Press, New York, NY, USA, pp. 91–102. Rennhard, M. & Plattner, B. (2004), Practical anonymity for the masses with Morphmix, in ‘Fi- nancial Cryptography. 8th International Confer- ence, FC 2004. Revised Papers.’.

191