
Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks

Rungrat Wiangsripanawan, Willy Susilo and Rei Safavi-Naini
Center for Information Security, School of Information Technology and Computer Science, University of Wollongong, Australia
Email: [email protected], [email protected], [email protected]

Copyright (c) 2007, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Workshop: Privacy Enhancing Technologies (AISW), Ballarat, Australia. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 68. Ljiljana Brankovic, Paul Coddington, John F. Roddick, Chris Steketee, Jim Warren, and Andrew Wendelborn, Eds. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

Abstract

Low latency anonymous network systems, such as Tor, were considered secure against timing attacks when the threat model does not include a global adversary. In this threat model the adversary can only see part of the links in the system. In a recent paper entitled Low-cost traffic analysis of Tor, it was shown that a variant of timing attack that does not require a global adversary can be applied to Tor. More importantly, the authors claimed that their attack would work on any low latency anonymous network system. The implication of the attack is that all low latency anonymous networks will be vulnerable to this attack even if there is no global adversary. In this paper, we investigate this claim against other low latency anonymous networks, including Tarzan and Morphmix. Our results show that, in contrast to the claim of the aforementioned paper, the attack may not be applicable in all cases. Based on our analysis, we draw design principles for a secure low latency anonymous network system (also secure against the above attack).

Keywords: Low latency, anonymous, timing attacks, Tor, Tarzan, Morphmix

1 Introduction

Anonymous communication systems were first introduced in the seminal paper of Chaum (Chaum 1981). Conceptually, a message to be anonymized is relayed through a series of nodes called mix nodes. Each mix node performs operations that have two main objectives. The first one is to provide bitwise unlinkability and is aimed at message content, and the second one is mixing, which is aimed at message flow. To provide unlinkability, messages are padded and encrypted so that the adversary cannot see the content of data packets and so cannot link the content. In each node, incoming messages are batched and reordered or relayed in a way that makes it difficult for the adversary to discover the corresponding outgoing message through the message arrival and departure times. Also, to make the attack more difficult, dummy traffic is introduced.

Anonymous communication systems over the Internet can be classified into two categories: systems for high-latency applications and systems for low-latency applications. High latency applications are applications that do not demand quick responses, such as email systems. On the other hand, low latency applications are applications that do need real-time or near real-time responses. Examples include web applications, secure shell (SSH) and instant messenger. Both systems are built based on Chaum's idea. Unlinkability is provided in a similar way in both cases, using a sequence of nodes between a sender and its receiver, and using encryption to hide the message content. An intermediate node knows only its predecessor and its successor.

High-latency systems are message-based systems while low-latency systems are connection-based. That is, for high-latency systems there is one message per path, and for a new message a new path is created. However, low-latency systems use a path for a period of time and send data as a stream of packets over the same path.

Another difference between the two is due to the time restriction. Anonymous systems for low latency applications may ignore the mixing process that includes batching and reordering; hence, they would be more susceptible to traffic analysis attacks and in particular timing attacks. Timing attacks can be as simple as comparing the difference between the time that packets enter and leave a network with the time for traversing a route. Timing attacks can be more complex and include extracting traffic patterns of links and comparing them to determine a route. In this paper, we concentrate on the second approach.

The timing attack in (Danezis 2004, Levine, Reiter, Wang & Wright 2004) uses the fact that each node in the network introduces a different delay. The delay can be used to guess the correlation between the input links and output links of a node. An adversary can observe links over time and, by comparing traffic patterns of all links, determine series of nodes that have similar link patterns and are likely to form a route. Using statistical methods, the adversary can obtain information about the sender and the receiver of a path, or at least the path itself. The attack can be avoided by making the timing characteristic of each link indistinguishable. This, however, requires an unreasonable amount of mixing operations and cover traffic and hence long delays. It is not a trivial task to find the right balance between anonymity and delay in these networks.

The aforementioned timing attack assumes a global adversary, who can observe all links in the network. Under a weaker threat model, i.e. excluding the global adversary, most low latency networks, such as Tor (Dingledine, Mathewson & Syverson 2004), can be considered secure. In this weaker threat model, the adversary is allowed to observe only a fraction of the links. This is a plausible assumption considering the systems are operated over public networks, such as the Internet, and so there is no assurance that the [...] timing attacks can achieve more than finding parts of the routes with non-negligible success probability.

Recently, Murdoch and Danezis have shown a low cost attack that can successfully "break" low latency systems, and does not use a global adversary (Murdoch & Danezis 2005). Their attack is based on a traffic analysis attack proposed by Danezis (Danezis 2004). In their attack, Tor's provided anonymity can be broken by an attacker that only has a partial view of the network or is one of the Tor nodes. The attack works because Tor removes the mixing operation that was used in its earlier version, and instead processes its input queues in a round robin fashion. The Tor node is responsible for receiving and forwarding each stream's packets. A corrupted Tor node can create connections to other Tor nodes and so indirectly estimate other nodes' traffic volumes at each time. These estimates use the difference in the latency of streams that are sent and received back using those connections. As the traffic volume or traffic load on each Tor node is a result of the traffic load of all relayed connections on that Tor node, the technique in (Danezis 2004) can be used to estimate the traffic pattern of each node and ultimately a good estimate of the route. The authors noted that their scheme can be applied to any anonymous low latency system. This significantly invalidates the threat model used in many low latency anonymous systems.

Our Contributions

We examine the attack proposed by Murdoch and Danezis (Murdoch & Danezis 2005), and investigate if it works for other low latency anonymity networks. We note that Tarzan (Freedman & Morris 2002) and MorphMix (Rennhard & Plattner 2002) work differently from Tor. In particular, they both employ a peer-to-peer architecture, whereas Tor tends to rely on dedicated servers. Also, Tarzan includes some mixing operations and cover traffic, which do not exist in Tor. Moreover, MorphMix allows an intermediate

2 Related Works

In this section, we will briefly review the three existing anonymous network systems, namely Tor, Tarzan and Morphmix.

2.1 Tor

Tor, the second-generation Onion Routing, is a circuit-based low-latency anonymous communication service (Dingledine et al. 2004). It is an improved version of Onion Routing. Onion Routing (OR) is an overlay system that aims to provide anonymous communication to applications such as web browsing, instant messenger and secure shell. As OR's designs have several flaws and limitations when being deployed, Tor has included several additional features that OR does not provide. Some of them are perfect forward secrecy, congestion control, directory services, integrity checking, configurable exit policies, and rendezvous points and hidden services. Tor also removes features that are considered by its authors as being unnecessary. These features are mixing, padding and traffic shaping.

There are three entities: a Tor client, Tor servers (Tor nodes), and a recipient. Logically, a Tor client is a sender that wants to have an anonymous communication with its recipient. It is an Onion Proxy in OR. Tor servers are intermediate nodes, or Onion Routers in OR. They are responsible for routing streams to their next nodes in accordance with what the Tor client instructs them. Like OR, Tor calls the last Tor node before a recipient the exit node. The recipient does not need to be a member of the Tor network. That is because the exit node acts as a guardian between the open world (recipients) and the Tor network. Similar to OR, a Tor client selects a number of Tor servers as members of a circuit (OR and Tor call a path a circuit).
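The introduction describes timing attacks that compare the traffic patterns of links to find nodes that belong to the same route, and contrasts Tor, which relays without mixing, with Tarzan, which batches and adds cover traffic. The simulation below is an added illustration written for this page; it is not code from the paper or from Tor, Tarzan or MorphMix. It feeds one constructed bursty stream through three hypothetical node behaviours (a plain delayed relay, a threshold batch mix, and constant-rate output padded with dummy packets) and measures how similar the input and output link patterns remain. Pearson correlation over binned packet counts, maximised over a few lags, stands in for the statistical methods the paper refers to; the traffic model, bin length, threshold, rate and seeds are all constructed assumptions.

```python
"""Link-pattern similarity under three node designs (added example).

Traffic on each link is summarised as a packet count per time bin.
The observer's similarity measure is the Pearson correlation between
the counts on two links, maximised over small lags because a relay
adds delay.  All traffic is constructed with a seeded RNG.
"""
import math
import random

N_BINS = 2000  # length of the observation window in bins (constructed)


def bursty_stream(seed, n_bins=N_BINS, toggle=0.1):
    """On/off packet counts per bin, the kind of pattern a web session makes."""
    rng = random.Random(seed)
    on, counts = True, []
    for _ in range(n_bins):
        if rng.random() < toggle:  # switch between burst and idle
            on = not on
        counts.append(rng.randint(3, 8) if on else 0)
    return counts


def relay(counts, delay=2):
    """Mix-free node (Tor-like): each bin's packets leave `delay` bins later."""
    return [0] * delay + counts[:len(counts) - delay]


def threshold_mix(counts, threshold=10):
    """Batch mix: hold packets until `threshold` are queued, then flush them all."""
    out, queue = [], 0
    for c in counts:
        queue += c
        if queue >= threshold:
            out.append(queue)
            queue = 0
        else:
            out.append(0)
    return out


def constant_rate(counts, rate=3):
    """Cover traffic: emit exactly `rate` packets per bin, padding with dummies
    when the queue is short and buffering the excess when it is long."""
    out, queue = [], 0
    for c in counts:
        queue += c
        queue -= min(queue, rate)  # real packets sent; the rest are dummies
        out.append(rate)           # the link always shows `rate` packets
    return out


def pearson(xs, ys):
    """Pearson correlation; a flat link carries no pattern, so it scores 0."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def link_similarity(in_link, out_link, max_lag=5):
    """Best correlation between an input and an output link over lags
    0..max_lag, clamped at zero (negative correlation is no evidence of a route)."""
    best = 0.0
    for lag in range(max_lag + 1):
        n = len(in_link) - lag
        best = max(best, pearson(in_link[:n], out_link[lag:lag + n]))
    return best


def compare_node_designs():
    """Similarity of one client's input link to its output link under each design,
    plus the similarity to an unrelated client's link as a baseline."""
    stream = bursty_stream(seed=1)
    unrelated = bursty_stream(seed=2)  # a different client's traffic
    return {
        "relay": link_similarity(stream, relay(stream)),
        "threshold_mix": link_similarity(stream, threshold_mix(stream)),
        "constant_rate": link_similarity(stream, constant_rate(stream)),
        "unrelated_link": link_similarity(stream, relay(unrelated)),
    }


if __name__ == "__main__":
    for design, score in compare_node_designs().items():
        print(f"{design:15s} similarity = {score:.2f}")
```

Running it prints one similarity score per design: the plain relay reproduces the input pattern exactly, the threshold mix weakens the correlation but does not remove it, the constant-rate link carries no pattern at all, and the unrelated client's link scores near zero. That is the trade-off the introduction states: the more a node batches and pads, the less linkable its links become, at the cost of delay and bandwidth.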