
Defending Anonymous Communications Against Passive Logging Attacks

Matthew Wright, Micah Adler, Brian N. Levine, Clay Shields*
[email protected], micah@cs.umass.edu, brian@cs.umass.edu, clay@cs.georgetown.edu
Dept. of Computer Science, University of Massachusetts, Amherst, MA 01003
* Dept. of Computer Science, Georgetown University, Washington, DC 20057

This paper was supported in part by National Science Foundation awards ANI-0087482, ANI-0296194, and EIA-0080199.

Abstract

We study the threat that passive logging attacks pose to anonymous communications. Previous work analyzed these attacks under limiting assumptions. We first describe a possible defense that comes from breaking the assumption of uniformly random path selection. Our analysis shows that the defense improves anonymity in the static model, where nodes stay in the system, but fails in a dynamic model, in which nodes leave and join. Additionally, we use the dynamic model to show that the intersection attack creates a vulnerability in certain peer-to-peer systems for anonymous communications. We present simulation results that show that attack times are significantly lower in practice than the upper bounds given by previous work. To determine whether users' web traffic has the communication patterns required by the attacks, we collected and analyzed the web requests of users. We found that, for our study, frequent and repeated communication to the same web site is common.

1. Introduction

Designing systems for anonymous communications is a complex and challenging task. Such systems must be secure against attackers at a single point in time; less obviously, they must also protect users from attacks that seek to gain information about users over the lifetime of the system.

In our prior work [21], we analyzed such an attack: the predecessor attack. In this attack, a set of nodes in the anonymous system work together to passively log possible initiators of a stream of communications. With sufficient path reformations — which are unavoidable in practice — the attackers will see the initiator more often than the other nodes. In that prior work, we showed that this attack applied to a class of protocols that included all protocols for anonymous communications that were known at the time. We also gave an analysis that placed bounds on how long the attacks would take to run for a number of specific protocols.

In constructing the attack and analysis in that paper, we made several simplifying assumptions about how the protocols operated. Here we examine the effects of relaxing each assumption. Specifically, we assumed:

1. The subset of nodes that forward an initiator's messages are chosen uniformly at random;
2. Users make repeated connections to specific responders, which are outside points of communication;
3. Nodes do not join or leave the session.

These assumptions were necessary for the proof we provided that showed that the attack works in all cases, and they were also critical to our analysis of the bounds on the time required for a successful attack. We argued in that paper that the assumptions are reasonable based on existing protocols.

In this paper, we examine more closely the universal applicability of predecessor attacks against anonymous protocols. We examine our assumptions and the effect that relaxing those assumptions has on the effectiveness of the attack. Our specific contributions are:

• First, we show that defenses that use non-random selection of nodes for path creation offer significant protection for the initiator in a stable system.

• Second, we show that the design of some existing peer-to-peer systems for anonymous communications leads to a practical and efficient intersection attack.

• Third, we examine the practical effectiveness of the attacks through simulation. Our previous work proved analytical upper bounds on the number of rounds required; the simulations in this paper demonstrate that attackers can be successful in significantly fewer rounds than the maximums guaranteed by the bounds. For example, attacks on Onion Routing and Crowds, with 1000 nodes and 100 attackers, succeed in one-fifth of the rounds guaranteed by the upper bounds.

• Fourth, we characterize measurements taken from two web proxies to show the actual frequency and duration of user activities on the Web. This study allowed us to make some observations about user behavior with regard to our assumptions.

The body of this paper is organized around those goals. In Section 2, we review related work. We then present and analyze the effectiveness of new techniques for avoiding predecessor attacks in a static model in Section 3. In Section 4 we use a dynamic model to study the intersection attack and the defenses introduced in Section 3. We describe the results of our simulations of the predecessor attack in Section 5. In Section 6, we show how often users go to the same website, using data obtained by tracking real users. We offer concluding remarks in Section 7.

2. Background

In this section, we review the results from our prior work that serve as the foundation of this paper. We also describe related material.

2.1. Our Prior Work

Our previous work described the predecessor attack, first discovered by Reiter and Rubin as an attack against Crowds [15]. The primary purpose of our current work is to extend our previous results in the analysis of anonymous protocols. In this section, we review the definitions, methods, and results of that work, and we refer the reader to the full paper if greater detail is desired [21].

The first contribution of our previous work was to define a class of protocols, which included all known protocols for anonymous communication, and to prove that the class degrades against the predecessor attack. We defined an active set as the set of nodes used by the initiator of a communication to propagate its message through the network. This can be, for example, a path in Crowds or the set of nodes that share coin flips with the initiator in a DC-Net.

For any protocol inside our class, we required that the active set be chosen uniformly at random many times. In current protocols, that assumption holds because active sets change each time a node is allowed to join the network. If active sets did not change, then messages from recently joined nodes would be easily identified. However, it is not necessary that the new active sets be chosen uniformly at random — in Section 3, we explore ways to choose paths that exploit this fact, with the intention of defending against degradation of anonymity.

The second major result in our prior work was a set of analytic bounds describing how long it might take for attackers using the predecessor attack to effectively degrade the anonymity of a user in Crowds, Onion Routing, and Mix-Nets. We gave bounds on the number of rounds, i.e., periodic changes in the active set, that guarantee for the attackers a high probability of success in guessing the initiator. We use the following notation: $n$ is the number of nodes in the network, $c$ is the number of those nodes that are attackers, and $l$ is the fixed path length of Onion Routing or Mix-Nets.

Against Crowds, the attackers require $O\left(\frac{n}{c} \ln n\right)$ rounds to identify the initiator with high probability $1 - \frac{1}{n}$. For the same level of confidence, the attackers need $O\left(\left(\frac{n}{c}\right)^{2} \ln n\right)$ rounds against Onion Routing and $O\left(\left(\frac{n}{c}\right)^{l} \ln n\right)$ rounds against Mix-Nets. In Section 5, we provide simulation results that are tighter than these bounds and show how the confidence of the attackers grows over time.

In the prior work, we also assumed that rounds occurred regularly, and that the initiator communicated with the responder in every round. If nodes are allowed to leave and join the protocol, then attackers can force rounds to occur as often as the system allows by simply having corrupt nodes join and leave. However, they cannot force the initiator to communicate with the responder during a round, which is necessary for the attackers to get data on the identity of the initiator. If the initiator rarely communicates with the responder, then the amount of time it takes for the attackers to get data from enough rounds can be very large. In Section 6, we use logs of Web usage to examine how many rounds attackers can expect to get data from over time.

2.2. Related Work

A number of papers have addressed attacks against systems of anonymous communications. The creators of Crowds [15], Onion Routing [20], Hordes [12], Freedom [1], Tarzan [8], Stop-and-Go Mixes [10], and others have provided analysis of their protocols against some attacks.

Only a few of these analyses consider the degradation of anonymity over time, including Reiter and Rubin's seminal work [15]. Berthold et al. discuss an intersection attack against the anonymity groups that arise when multiple mix routes are chosen [3]. In this attack, the different anonymity groups are intersected with each other to shrink the number of possible initiators.

Raymond also discusses an intersection attack based on

discuss some of these protocols and their resistance to the predecessor attack.

One of these is P5, by Sherwood et al. [18]. This protocol is designed for anonymity between peers connecting to each other, rather than to outside responders. It could, however, be adapted to outside communication by using destination peers as the final proxy to the rest of the Internet. P5 uses a tree-based broadcast protocol, where a user's anonymity is based on the sizes of the different broadcast groups in which she is a member.

The authors assume that "users do not leave once they join" to prevent a decline in users' anonymity [18]. Without this assumption, anonymity groups would shrink, leading to degradation of anonymity within the groups. We expect that this assumption does not hold well in today's networks, in which nodes may frequently shut down.
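The predecessor attack reviewed in Section 2.1 is easy to watch in a toy simulation. The Python below is an added example written for this page, not code from the paper or its authors. It models a Crowds-style path (the initiator always forwards its first hop to a uniformly chosen member; each later jondo forwards with probability pf and otherwise delivers to the responder), has the colluding attackers log the predecessor of the first attacker on each fresh path, and reports the round after which the initiator is the unique most-logged node, alongside the (n/c) ln n figure from the Crowds bound with the hidden constant taken as 1. The parameters n = 100, c = 10, pf = 0.75, 200 rounds, initiator 0 and attackers as nodes n-c .. n-1 are assumptions for illustration.

```python
"""Toy simulation of the predecessor attack against a Crowds-style protocol.

Each round the honest initiator (node 0) forms a fresh Crowds path.  The
colluding attackers log the node that forwarded the message to the first
attacker on that path, i.e. that attacker's predecessor.  Over many rounds
the initiator is logged more often than any other honest node.  All
parameters here are illustrative assumptions, not values from the paper.
"""
import math
import random
from collections import Counter


def build_crowds_path(initiator, n, pf, rng):
    """Return the sequence of nodes one Crowds path visits.

    The initiator always forwards to a uniformly chosen member of the crowd
    (possibly itself); every later jondo forwards to another uniformly chosen
    member with probability pf and otherwise delivers to the responder.
    """
    path = [initiator, rng.randrange(n)]   # first hop is always taken
    while rng.random() < pf:
        path.append(rng.randrange(n))
    return path


def log_predecessor(path, attackers):
    """The one fact the attackers learn from a path: the predecessor of the
    first attacker on it, or None if no attacker is on the path.  Attackers
    later on the path add nothing, since their predecessors are other jondos."""
    for hop in range(1, len(path)):
        if path[hop] in attackers:
            return path[hop - 1]
    return None


def unique_leader(counts):
    """Node with strictly the highest log count, or None on an empty log or a
    tie for first place.  Accepts any mapping node -> count."""
    if not counts:
        return None
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def predecessor_attack(n, c, pf, rounds, seed=1):
    """Run `rounds` path reformations with c attackers among n nodes.

    Returns (counts, first_round): the per-node log counts and the first
    round after which the initiator was the unique most-logged node (None if
    that never happened).  Attackers are nodes n-c .. n-1; the initiator is 0.
    """
    rng = random.Random(seed)
    initiator = 0
    attackers = frozenset(range(n - c, n))
    counts = Counter()
    first_round = None
    for r in range(1, rounds + 1):
        pred = log_predecessor(build_crowds_path(initiator, n, pf, rng), attackers)
        if pred is not None:
            counts[pred] += 1
        if first_round is None and unique_leader(counts) == initiator:
            first_round = r
    return counts, first_round


def crowds_round_bound(n, c):
    """(n/c) ln n: the growth rate of the prior work's O-bound for Crowds,
    with the hidden constant taken as 1, for comparison only."""
    return (n / c) * math.log(n)


if __name__ == "__main__":
    n, c, pf, rounds = 100, 10, 0.75, 200
    counts, first_round = predecessor_attack(n, c, pf, rounds)
    runner_up = max((v for k, v in counts.items() if k != 0), default=0)
    print(f"initiator logged {counts[0]} times; busiest other honest node {runner_up}")
    print(f"initiator first led outright after round {first_round}; "
          f"(n/c) ln n = {crowds_round_bound(n, c):.1f}")
```

The asymmetry the attack exploits is visible in `log_predecessor`: the initiator is logged whenever its first hop lands on an attacker (probability c/n each round), whereas any other honest node is logged only if the path happens to reach it and it then forwards to an attacker, which is an order of magnitude less likely per round at these parameters. With churn (Section 4) the same counter would have to be kept across a changing membership, which is where the intersection attack discussed above comes in.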