Anonymous Communication with emphasis on Tor* *Tor's Onion Routing Paul Syverson U.S. Naval Research Laboratory 1 Dining Cryptographers (DC Nets) ● Invented by Chaum, 1988 ● Strong provable properties ● Versions without collision or abuse problems have high communication and computation overhead ● Don't scale very well 2 Mixes 3 4 5 6 7 8 Mixes ● Invented by Chaum 1981 (not counting ancient Athens) ● As long as one mix is honest, network hides anonymity up to capacity of the mix ● Sort of – Flooding – Trickling ● Many variants – Timed – Pool – ... 9 Anonymous communications Technical Governmental/Social 1. What is it? 2. Why does it matter? 3. How do we build it? 10 1. What is anonymity anyway? 11 Informally: anonymity means you can't tell who did what “Who wrote this blog post?” “Who's been viewing my webpages?” “Who's been emailing patent attorneys?” 12 Formally: anonymity means indistinguishability within an “anonymity set” Alice1 Alice2 Alice3 Alice4 Bob Alice5 .... Alice6 Attacker can't tell which Alice is talking to Bob! Alice7 Alice8 13 Formally: anonymity means indistinguishability within an “anonymity set” Alice1 Alice2 Attacker can't distinguish Alice3 which Alice is talking to Bob Alice4 Alice6 Alice5 Bob . Alice7 Alice8 . 14 Formally: anonymity means indistinguishability within an “anonymity set” Alice1 Alice2 Attacker can't distinguish Alice3 which Alice is talking to Bob Alice4 Alice6 Alice5 Bob . Alice7 Alice8 . ● Can't distinguish? ● Basic anonymity set size ● Probability distribution within anonymity set ● .... 15 We have to make some assumptions about what the attacker can do. Alice Anonymity network Bob watch Alice! watch (or be!) Bob! Control part of the network! Etc, etc. 16 Anonymity isn't confidentiality: Encryption just protects contents. “Hi, Bob!” “Hi, Bob!” Alice <gibberish> attacker Bob 17 Anonymity isn't steganography: Attacker can tell that Alice is talking; just not to whom. Alice1 Bob1 Anonymity Alice2 network Bob2 ... AliceN 18 Anonymity isn't just wishful thinking... “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?” 19 ...since “weak” anonymity... isn't. “You can't prove it was me!” Proof is a very strong word. With statistics, suspicion becomes certainty. Wil l o t h e r s p a r t i e s h a v e “Promise you won't look!” the ability and incentives to keep their promises? “Promise you won't remember!” “Promise you won't tell!” Not what we're talking “I didn't write my name on it!” about. Nope! (More info later.) “Isn't the Internet already anonymous?” 20 2. Why does anonymity matter? 21 Anonymity serves different interests for different user groups. Governments Businesses “It's traffic-analysis “It's network security!” resistance!” Anonymity “It's censorship “It's privacy!” circumvention!” Private citizens Human rights advocates 22 Regular citizens don't want to be watched and tracked. Blogger Hostile Bob “I sell the logs.” Alice 8-year-old Incompetent Bob “Oops, I lost the logs.” Alice Sick Indifferent Bob “Hey, they aren't Alice my secrets.” .... Name, address, age, friends, (the network can track too) Consumer interests Alice (medical, financial, etc), Union unpopular opinions, member illegal opinions.... 23 Alice Many people don't get to see the internet that you can see... 24 and they can't speak on the internet either... 25 It's not only about dissidents in faraway lands 26 Regular citizens don't want to be watched and tracked. “I look for you to Crime Stalker Bob Target do you harm.” Alice Human Censor/Blocker “I control your Rights Bob worldview and who Worker you talk to.” Alice “I imprison you for .... Name, address, seeing/saying the age, friends, Oppressed wrong things.” interests Alice (medical, financial, etc), unpopular opinions, illegal opinions.... 27 Law enforcement needs anonymity to get the job done. Investigated “Why is alice.fbi.gov reading my suspect website?” Officer Sting “Why no, alice.localpolice.gov! Alice target I would never sell counterfeits on ebay!” Organized “Is my family safe if I Crime go after these guys?” Witness/informer Anonymous “Are they really going to ensure Alice tips my anonymity?” 28 Businesses need to protect trade secrets... and their customers. “Oh, your employees are reading Competitor our patents/jobs page/product sheets?” “Hey, it's Alice! Give her the 'Alice' version!” Competitor AliceCorp “Wanna buy a list of Alice's suppliers? Compromised What about her customers? network What about her engineering department's favorite search terms?” Compromised/ “We attack Alice's customers with malicious malware, and watch for hosts when she notices us.” 29 Governments need anonymity for their security “What will you bid for a list of Baghdad Untrusted IP addresses that get email from .gov?” ISP “What bid for the hotel room from which Agent someone just logged in to foo.navy.mil?” Alice Compromised service “What does the CIA Google for?” 30 Governments need anonymity for their security “Do I really want to reveal my Shared internal network topology?” network “Do I want all my partners to know extent/pattern of my comms with Coalition other partners?” member Hostile Alice network “How can I establish communication with locals without a trusted network?” Semitrusted network “How can I avoid selective blocking of my communications?” 31 Governments need anonymity for their security “How can I securely and quickly Homeland exchange vital info with every security sheriff's dept and Hazmat transporter network Govt. without bringing them into my secure web server network? “Do I want every SIPRNET node to Bob Defense in know where all the traffic on it is headed?” Depth “Can I hide where my MLS chat Hidden server/my automated regrader is?” Sevices Can my servers resist DDoS and physical attack even by authorized users?” 32 You can't be anonymous by yourself: private solutions are ineffective... Alice's small Citizen “One of the 25 anonymity net ... Alice users on AliceNet.” Officer Municipal Investigated Alice anonymity net suspect “Looks like a cop.” AliceCorp AliceCorp Competitor/ “It's somebody at anonymity net malware host AliceCorp!” 33 ... so, anonymity loves company! Citizen ... “???” Alice Officer Investigated Alice Shared suspect “???” anonymity net AliceCorp Competitor “???” 34 Don't bad people use anonymity? 35 Current situation: Bad people on internet are doing fine Trojans Viruses Exploits Botnets Zombies Espionage DDoS Spam Phishing Extortion 36 Giving good people a fighting chance -DDoS resistant servers -Enable sharing threat info -Freedom of access Anonymity Network -Resist -Encourage informants -Protect operations and Identity Theft -Protect free speech analysts/operatives -Reduce cyberstalking of kids 37 3. How does anonymity work? 38 Anonymity Systems for the Internet Low-latency High-latency Single-hop Chaum's Mixes proxies (~95-) (1981) Crowds NRL V0 Onion (~96) anon.penet.fi (~91-96) Routing (~96-97) ZKS NRL V1 Onion “Freedom” Remailer networks: Routing (~97-00) (~99-01) cypherpunk (~93), mixmaster (~95), Java Anon Proxy mixminion (~02) Tor (~00-) (01-) ...and more! 39 Low-latency systems are vulnerable to end-to-end correlation attacks. Low-latency: Alice1 sends: xx x xxxx x match! Bob2 gets: xx x xxxx x Alice2 sends: x x xx x x Bob1 gets: x x x x x x match! Time High-latency: Alice1 sends: xx x xxxx Alice2 sends: x x xx x x Bob1 gets: xx xxxx ..... Bob2 gets: x xxxxx ..... These attacks work in practice. The obvious defenses are expensive (like high-latency), useless, or both. 40 Still, we focus on low-latency, because it's more useful. Interactive apps: web, IM, VOIP, ssh, X11, ... # users: millions? Apps that accept multi-hour delays and high bandwidth overhead: email, sometimes. # users: hundreds at most? And if anonymity loves company....? 41 The simplest designs use a single relay to hide connections. Alice1 Bob1 B ob ” 3,“ Y X” “ Relay Alice2 Bob1, “Y” “Z” Bob2 “X “Z” ” b2, Alice3 Bo Bob3 42 But an attacker who sees Alice can see who she's talking to. Alice1 Bob1 B ob ” 3,“ Y X” “ Relay Alice2 Bob1, “Y” “Z” Bob2 “X “Z” ” b2, Alice3 Bo Bob3 43 Add encryption to stop attackers who eavesdrop on Alice. Alice1 Bob1 E(B ob3 ” ,“X “Y ”) Relay Alice2 E(Bob1, “Y”) “Z” Bob2 ”) “X , “Z ” ob2 Alice3 E(B Bob3 (e.g.: some commercial proxy providers, Anonymizer) 44 But a single relay is a single point of failure. Alice1 Bob1 E(B ob3 ” ,“X “Y ”) Evil or Alice2 Compromised E(Bob1, “Y”) Relay “Z” Bob2 ”) “X , “Z ” ob2 Alice3 E(B Bob3 45 But a single relay is a single point of bypass. Alice1 Bob1 E(B ob3 ” ,“X “Y ”) Irrelevant Alice2 E(Bob1, “Y”) Relay “Z” Bob2 ”) “X , “Z ” ob2 Alice3 E(B Bob3 Timing analysis bridges all connections through relay ⇒ An attractive fat target 46 So, add multiple relays so that no single one can betray Alice. Alice Bob R1 R3 R4 R5 R2 47 A corrupt first hop can tell that Alice is talking, but not to whom. Alice Bob R1 R3 R4 R5 R2 48 A corrupt final hop can tell someone is talking to Bob, but not who it is. Alice Bob R1 R3 R4 R5 R2 49 Alice makes a session key with R1 Alice Bob R1 R3 R4 R5 R2 50 Alice makes a session key with R1 ...And then tunnels to R2 Alice Bob R1 R3 R4 R5 R2 51 Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Alice Bob R1 R3 R4 R5 R2 52 Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Then talks to Bob over circuit Alice Bob R1 R3 R4 R5 R2 53 Feasible because onion routing uses (expensive) public-key crypto just to build circuits, then uses (cheaper) symmetric-key crypto to pass data Alice Bob R1 R3 R4 R5 R2 54 Can multiplex many connections through the encrypted circuit Alice Bob R1 R3 Bob2 R4 R5 R2 55 That's Tor* in a nutshell * Tor's Onion Routing 56 Focus of Tor is anonymity of the communications pipe, not the application data that passes through it 57 Tor anonymizes TCP streams only: it needs other applications to clean high-level protocols.