PeerMix – A Peer-To-Peer Anonymous Network Abstract PeerMix is a scalable, peer-to-peer anonymizing routing service that offers strong guarantees of source anonymity against both global observers and collaborating mix nodes. PeerMix connections are bidirectional and application-independent, appropriate for Web browsing or file-sharing. PeerMix functions as a proxy, so proxy-aware applications can add anonymity seamlessly. A subset of the PeerMix nodes operates as an ephemeral mix network; that is, the mix net is a randomly selected and constantly changing subset of the peers. A prototype PeerMix network has been tested on the Stanford University Sweet Hall SPARC machines. This thesis describes previous work on anonymous connections, discusses the PeerMix anonymous routing system, and analyzes its security. 1. Introduction PeerMix is a scalable, peer-to-peer anonymizing routing service that offers strong guarantees of source anonymity against both global observers and collaborating mix nodes. Anonymizing services are desirable in a variety of contexts, both good and evil: protecting consumers from profiling by corporations, hiding communication even the existence of which must be kept secret, allowing downloads of material illegal in a given jurisdiction but publishable elsewhere, such as DeCSS or Mein Kampf, and enabling citizens, including criminals, to communicate without the knowledge of their government. Although users desire anonymity in the abstract, users often do not realize that their communications online are traceable or, if they do realize it, do not worry enough to spend money to gain anonymity. However, a peer-to-peer system allows users to gain anonymity at no expense 1 to them, only the use of otherwise unused bandwidth and computing power. Furthermore, a peer- to-peer system cannot be shut down by a government or lawsuit and thus is more resistant to attacks by one of its intended adversaries. PeerMix uses a distributed mix network in which nodes route packets for other peers. A central server is used only to maintain availability information. Such an availability server might not be considered illegal even in jurisdictions where the provision of anonymous browsing services would be illegal. Nor could a peer-to-peer system be rendered useless by a law that requires the providers of an anonymizing network to keep records subject to subpoena. Moreover, PeerMix is scaleable to large numbers of nodes, since the computational load on each node remains constant as the number of nodes increases. 2. Review of Previous Work 2.1 Anonymizing Proxies The simplest approach to anonymizing Web browsing or other forms of communication is to interpose a proxy between the client and the server. The server will see only the address of the proxy and will thus be unable to link clients between visits. There are several such anonymizing proxies available, the best known of which is the Anonymizer (www.anonymizer.com) [1]. Such a proxy provides only anonymity against a very weak adversary – a curious Web server or a local observer at that Web server, though for many users, such weak adversaries are the only ones worthy of concern. The anonymizing proxy must be trusted because it knows the mapping between HTTP requests and clients. In fact, because the anonymizing proxy routes all of a user’s traffic, it can know more about a user’s viewing habits than any single Web server. Furthermore, even if the proxy is trustworthy, a local observer at either the proxy or the client will be able to track what sites 2 the client has viewed. A more satisfactory solution requires both encryption and multiple proxies in order to frustrate traffic analysis by more powerful adversaries. 2.2 Mix Networks Chaum [2] introduces the idea of a mix network as a technique to allow an electronic mail system to hide who communicates with whom. Let A denote an address, M a message, and Ek encryption with the key k. A single mix server takes Epub(A, M), where pub is its public key, decrypts the pair (A, M), stores it in a buffer, then, after receiving a certain number of pairs, randomly permutes them, and sends each message M to its associated address A. If the encryption algorithm has semantic security, observers cannot determine the correspondence between (M,A) and its encryption Epub(M,A) and so cannot determine which message in the output corresponds to which message in the input or vice versa. Thus, if the batch size is n, it is infeasible to determine which of n recipients was intended for the encrypted pair Epub(A, M), nor can the sender be determined simply by knowing A and M. Similarly, a mix can provide anonymous return addresses for messages, allowing bi- directional communication with sender anonymity. If x wishes to communicate with y, x can send Epub(A, M) to the mix, as above, including in the message a return address - an Epub(A, k) pair, where k is a secret key. In order for y to communicate with x, y must prepend the return address to his reply (Epub(A, k), M). The mix will then decrypt the pair, encrypt the reply with the secret key in the return address, batch and permute as any other message, and then forward the message Ek(M) to x. Since it is infeasible to determine the correspondence between a message and its encryption without knowing the secret key specified in the return address, it cannot be determined which of the n recipients of the message is actually x, just as for directly addressed messages. The technique of sending through a single mix server can be obviously extended to sending messages through a cascade of mixes. This has the advantage of both reducing the trust in any 3 single mix server and allowing the message sent to be mixed in with a larger number of other messages. If any mix along the route is trustworthy, the unlinkability of any batch should be guaranteed. Neither inputs nor return addresses may be repeated, or else a simple intersection of the recipients of the two batches of n messages would reveal the corresponding recipient. Mix servers must therefore track inputs and addresses against replay. 2.3 Onion Routing In a mix net, each message requires a public key decryption to process. As public-key operations are slow compared to secret-key operations, any system that requires real-time performance must either accept only a small number of messages mixed per server or reduce the number of public key operations performed. Onion routing [3] is a system developed to build application-independent, real-time anonymous connections by allowing the public-key operations to be amortized over the lifetime of a connection. Onion routing minimizes the number of public key operations by only using asymmetric cryptography for an initial connection-setup and key- distribution step and subsequently using symmetric cryptography. In onion routing, the client first sets up an anonymous connection through a source-routed path of onion routers, each of which shares a secret key with the client. A connection setup message is called an onion, composed of layers encrypted with the public key of the intended recipient mix, each of which contains the next address and a secret key. The onion is sent to the first mix along the path, which decrypts the onion, strips off the header, stores the secret key, and sends the remainder of the onion to the address specified in the header, which repeats the procedure. The onion is processed by the mix servers along the path from the client to the server, each of which saves the secret key and the address of the next and previous mixes. When further data is sent along the connection to the server, the data is encrypted with the shared secret key at each hop. Data can 4 also be sent backwards by the same method of repeated encryption, and then decrypted at the client using the secret keys it shares with each onion router. While onion routing uses connections to decrease the total public key operations required by the system, it eases traffic analysis by requiring that each message follow along the same path. Thus the onion routing connections are padded at every hop and encouraged to be short-lived. A connection-oriented protocol is appropriate only for networks that can assume a high degree of robustness in the underlying components, due to the substantial overhead of connection setup and teardown. Onion routing is secure against global observers and, if deployed at a firewall, against collaborating mixes. However, connections from free-standing machines to the onion routing network can be broken by collaborators with probability c2/n2, where c is the number of collaborators in the system and n is the total number of mixes [4]. Onion routing was briefly available to the public, but was shut down in January 2000 pending release of the second version. The authors of onion routing envisioned that Internet Service Providers and firewalls would offer onion routing services for the packets that flow through them, so that the onion routing infrastructure could be absorbed in the general infrastructure of the network. Unfortunately, no other providers of onion routing seem forthcoming, nor is anonymity a service demanded by a large number of users from their ISP. A similar service, the Freedom Network by zero-knowledge.com [5], offered anonymity guarantees similar to onion routing, but was discontinued in December 2001 when the company decided that there was too little demand for anonymity at $50 a year. 2.4 Crowds Crowds [6] is a peer-to-peer system that was designed to offer anonymity for HTTP requests. In Crowds, peers (called jondos) are organized into static paths, each pair of which shares 5 a secret key.