slicing the onion: anonymity using unreliable overlays sachin katti jeffrey cohen & dina katabi

Post on 26-Dec-2015


Slicing the Onion: Anonymity Using Unreliable Overlays

Sachin Katti, Jeffrey Cohen & Dina Katabi

Problem Statement

Leverage existing popular P2P overlays to send confidential, anonymous messages without keys

Overlays rock!

• Thousands of nodes

• Plenty of traffic to hide anonymous communication

• Diverse membership → Nodes unlikely to collude

• Dynamic → Hard to track

Ideal for anonymous communication

Overlays suck!

• Nodes don’t have public keys

• Nodes are not trustworthy

• Nodes are unreliable

This talk: Information Slicing

• Message confidentiality, and source and destination anonymity

• No public keys

• Churn resilient

1. Message Confidentiality Without Keys

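Confidentiality via Information Slicing

Split message to random pieces and send pieces along node-disjoint paths

Original Message: “Borat: Cultural Leanings of America”

Split into two: “Borat: Cultural”, “Leanings of America”

Randomize them!

$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \begin{pmatrix} \text{“Borat: Cultural”} \\ \text{“Leanings of America”} \end{pmatrix} = \begin{pmatrix} \text{“aaspdgfqw”} \\ \text{“asdlfrwe”} \end{pmatrix}$$

Random pieces: “aaspdgfqw”, “asdlfrwe”

[Figure: Me sends the two pieces to D, each with its coefficients: “aaspdgfqw”, $a_{11}, a_{12}$ and “asdlfrwe”, $a_{21}, a_{22}$.]

Message Recovery by destination

Received random pieces: “aaspdgfqw”, $a_{11}, a_{12}$ and “asdlfrwe”, $a_{21}, a_{22}$

Matrix inversion:

$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}^{-1} \begin{pmatrix} \text{“aaspdgfqw”} \\ \text{“asdlfrwe”} \end{pmatrix} = \begin{pmatrix} \text{“Borat: Cultural”} \\ \text{“Leanings of America”} \end{pmatrix}$$

Pieces of original message: “Borat: Cultural”, “Leanings of America”

Original Message: “Borat: Cultural Leanings of America”

Destination gets all pieces → can decode

Even an attacker that gets all but one piece cannot decode!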

2. Anonymity without Keys

System Setup

Anonymous communication has two phases

• Route Setup
  • A node learns how to forward a received message

• Data transmission
  • Just follow the routes

Setup Anonymous Routes

• Each node knows its next hop

• No one else knows the next hop of a node

• Why not tell each node the ID of its next hop in a confidential message?

Idea: Build anonymity by confidentially sending to each node its routing info!

Exponential Blowup!

Naïve way to send to a node its next hop

[Figure: nodes V, W, R, Z. Z’s next hop information: $I_{Z1}, I_{Z2}$. R’s next hop information: $I_{R1}, I_{R2}$.]

Challenge: Exponential Blowup

Solution: Reuse nodes without giving them too much information

[Figure: nodes V, W, R, Z with pieces $I_{Z1}$, $I_{Z2}$, $I_{R1}$, $I_{R2}$.]

V and W will know Z and R’s next hops

[Figure: nodes V, W, R, Z with pieces $I_{Z1}$ and $I_{R1}$.]

Reuse V to send pieces that belong to different nodes

[Figure: nodes V, W, R, Z with pieces $I_{Z1}$, $I_{Z2}$, $I_{R1}$, $I_{R2}$.]

Reuse nodes to send multiple pieces as long as the pieces belong to different messages

Slicing Protocol

[Figure, repeated on every slide of this walk-through: a graph of the nodes S, S’, V, W, Z, R, X and D. The caption and the pieces shown on each slide follow.]

Source has multiple IP addresses (S and S’)

Source organizes nodes into stages

Destination D is placed randomly (here in last stage)

Source confidentially tells each node its next hop info

V receives the ids of its next hops along disjoint paths (pieces $I_{V1}$ and $I_{V2}$)

V also receives one piece meant for Z and one for R, but cannot decipher their next hops (V receives $I_{V1}, I_{Z1}$ on one path and $I_{V2}, I_{R2}$ on the other)

W also receives its info and pieces for Z and R. W cannot decipher Z’s and R’s next hops (W receives $I_{W1}, I_{R1}$ on one path and $I_{W2}, I_{Z2}$ on the other)

V and W have pieces meant for Z and R ($I_{Z1}, I_{R2}$ and $I_{Z2}, I_{R1}$)

V and W forward the pieces meant for Z and R

Node disjoint paths to deliver to Z its $I_{Z1}, I_{Z2}$. V and W do not have enough pieces to know Z’s info

The same for R

V and W are reused without revealing anything about Z and R’s routing information

Similarly source constructs entire graph

Anonymity without keys!

3. Dealing With Churn

Slicing Protocol - Churn

• What if node V departs?

• Destination cannot decode

[Figure: the same graph of nodes S, S’, V, W, Z, R, X and D.]

How Do We Combat Churn?

• Churn causes data loss

• Typical solution → Add Redundancy

• Use coding to efficiently add redundancy

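Source Coding the Data

• Source Coding (Erasure Codes)

• Split into 3 pieces instead of 2

• Any 2 pieces suffice to retrieve data

• Added redundancy of (1/2) = 50%

$$\begin{pmatrix} I_1 \\ I_2 \\ I_3 \end{pmatrix} = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \\ a_{31} & a_{32} \end{pmatrix} \begin{pmatrix} m_1 \\ m_2 \end{pmatrix}$$

$$\begin{pmatrix} m_1 \\ m_2 \end{pmatrix} = \begin{pmatrix} a_{21} & a_{22} \\ a_{31} & a_{32} \end{pmatrix}^{-1} \begin{pmatrix} I_2 \\ I_3 \end{pmatrix}$$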

Source Coding For Robustness

[Figure: a graph of the nodes S, S1, S2, V, W, R, Z, U, P, Y, X and D.]

• Destination D gets two pieces → Can decode

Source coding can tolerate one node failure in the network

• What if a second node (here Z) fails?

• Destination D cannot decode

Coding partially solves problem

[Figure: the same graph of nodes S, S1, S2, V, W, R, Z, U, P, Y, X and D.]

• Focus on node R

Due to upstream node failure, R receives 2 pieces ($I_1$, $I_2$) instead of 3

R can only send out two pieces now ($I_1$, $I_2$)

Initial redundancy is destroyed

Regenerating Redundancy

Pieces are linear combinations of message fragments

$$I_1 = a_{11} m_1 + a_{12} m_2$$

$$I_2 = a_{21} m_1 + a_{22} m_2$$

Network Coding

R can create a linear combination of the pieces he received to generate a new piece

Take Linear combination of the pieces

$$I'_3 = I_1 + I_2 = (a_{11} + a_{21}) m_1 + (a_{12} + a_{22}) m_2$$

New piece: $I'_3$

R can now send out 3 pieces instead of 2 ($I_1$, $I_2$, $I'_3$)

Redundancy is regenerated inside the network

Can tolerate downstream node failures

Network coding can tolerate one node failure in every stage

General Network Coding

• Nodes send linear combinations of incoming pieces

• Technique generalizes to any number of extra pieces

For k extra pieces, network coding tolerates k failures in every stage
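The slicing matrix from section 1, the 3-piece source code and the relay's regeneration step, carried through in code as an added example (not code from the talk or from the authors' Python implementation). Assumptions: arithmetic over GF(257), Vandermonde coefficient rows so that any two pieces decode, and random non-zero relay weights as the general form of the slide's $I_1 + I_2$; all function names are hypothetical.

```python
import random

P = 257  # prime modulus: arithmetic is over GF(257), so every byte is a field element

def split(msg: bytes, d: int):
    """Cut msg into d equal-length fragments m_1..m_d (zero-padded at the end)."""
    size = -(-len(msg) // d)
    msg = msg.ljust(size * d, b"\0")
    return [list(msg[i * size:(i + 1) * size]) for i in range(d)]

def combine(coeffs, vectors):
    """Element-wise sum_j coeffs[j] * vectors[j] over GF(P)."""
    return [sum(c * v[k] for c, v in zip(coeffs, vectors)) % P
            for k in range(len(vectors[0]))]

def encode(frags, n, rng):
    """Return n pieces (a_i, I_i) with I_i = sum_j a_ij * m_j.
    Assumption: rows a_i = (1, x_i, x_i^2, ...) for distinct random x_i, so that
    any d rows are invertible; the slides only say the coefficients are random."""
    xs = rng.sample(range(1, P), n)
    rows = [[pow(x, j, P) for j in range(len(frags))] for x in xs]
    return [(row, combine(row, frags)) for row in rows]

def recode(pieces, rng):
    """Relay step: one new piece as a random non-zero combination of received
    pieces, applied identically to coefficient rows and payloads."""
    w = [rng.randrange(1, P) for _ in pieces]
    return (combine(w, [a for a, _ in pieces]), combine(w, [p for _, p in pieces]))

def decode(pieces, d):
    """Invert the coefficient matrix of d independent pieces (Gauss-Jordan mod P).
    Trailing zero padding is stripped, so messages must not end in NUL bytes."""
    aug = [list(a) + list(p) for a, p in pieces[:d]]
    for col in range(d):
        piv = next(r for r in range(col, d) if aug[r][col])  # StopIteration if singular
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(d):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return bytes(v for row in aug for v in row[d:]).rstrip(b"\0")

if __name__ == "__main__":
    rng = random.Random(1)  # repeatable demo only; use random.SystemRandom() otherwise
    pieces = encode(split(b"Borat: Cultural Leanings of America", 2), 3, rng)
    survivors = pieces[1:]                # constructed scenario: piece 1 lost upstream
    regenerated = recode(survivors, rng)  # relay restores a third piece
    print(decode([regenerated, survivors[0]], 2))
```

The relay never decodes: `recode` works only on the pieces and coefficient rows it received, which is why redundancy can be restored at every stage without giving a relay the fragments.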

4. Evaluation

Evaluation Environment

• Implementation in Python

• Evaluated both in simulation and on PlanetLab

• Evaluate anonymity, performance and churn resilience

• Each metric is evaluated against the optimal existing baseline

Anonymity

• Simulate an overlay of 10000 nodes

• Attackers are placed randomly in the network

• Attackers can control nodes, snoop on their edges, and collude

• Comparison with Chaum mixes (optimal baseline)

• Entropy is standard anonymity metric

$$\text{Anonymity} = \frac{-\sum_{x} P(x) \log(P(x))}{\log(N)}$$

How anonymous is information slicing?

[Figure: Source Anonymity. Anonymity vs. Fraction of Attacking Nodes, for Info. Slicing and Chaum mix.]

High anonymity despite no keys

Churn Resilience

• Compared against practical anonymity system Onion Routing

• For fairness, onion routing is modified to have redundancy using source coding

• Metric:

• Prob. of successfully sending a message, given a particular redundancy

Churn Resilience

[Figure: Probability of Success vs. Added Redundancy, for Info. Slicing and Onion Routing with source coding.]

Results for a Probability of Node Failure = 0.3

Large increase in probability of success because of network coding

Implementation on PlanetLab

Churn Resilience - PlanetLab

[Figure: Probability of Success (0 to 1) vs. Added Redundancy (0 to 1.5), for Information Slicing and Onion Routing with source coding.]

Network Coding nearly doubles the churn resilience with the same overhead!

Performance

[Figure: two panels, Local Network and PlanetLab. Throughput (Mb/s) vs. No. of Stages, for Info. Slicing and Onion Routing.]

• Two nodes in each stage and five stages

Parallel paths → Increased throughput

Conclusion

Information Slicing provides

• Confidentiality → Node disjoint paths

• Low Cost Anonymity → Node Reuse

• Churn Resilience → Network Coding

Enabled anonymous communication in P2P overlays with no keys.
