anonymity without sacrificing performance enhanced nymble system with distributed architecture cs...
TRANSCRIPT
Anonymity without Anonymity without Sacrificing Performance Sacrificing Performance Enhanced Nymble System with Distributed Architecture
CS 858 Project PresentationOmid Ardakanian*
Nam Pham*
*David R. Cheriton School of Computer Science, University of Waterloo
OutlineOutline Introduction
◦ Review of Nymble
◦ New goals
Ring Signature for dummies!
Proposed Solution
◦ Distributed Pseudonym Manager
◦ Distributed Nymble Manager
Analysis
Future Work
Summary
Review of NymbleReview of Nymble
Nymble WeaknessesNymble Weaknesses
Collusion between NM and PM◦De-anonymizes the network
◦Reveals user behavior
TTPs are single point of failureScalability problem
Related WorkRelated WorkBLacklistable Anonymous Credential
(BLAC)
◦ Pros: Eliminates the reliance of TTPs
◦ Cons: Suffers from severe bottleneck at the side of Service Providers
PEREA
◦ Pros: Computation is linear in the size of the blacklist
◦ Cons: Performance is still a problem
New goalsNew goals
Maintaining security properties of original Nymble Design◦Mis-authentication resistance
◦Blacklistability
◦Anonymity and Non-frameability
Enhancements◦Unconditional Anonymity
◦Scalability & Robustness
Proposed SolutionsProposed Solutions
Consists of two main parts:
◦Distributing Pseudonym Manager
◦Distributing Nymble Manager
Ring SignatureRing Signature
By Rivest, Shamir and Tauman◦A group member can sign a message
on behalf of the group without revealing her identity.
◦Ring signature is created on demand! No setup procedure or agreement
Distributing Pseudonym Distributing Pseudonym ManagerManager
User PM
IP address
pnym
Previously
Motivation If a pseudonym can
represent an IP, why don’t we use it recursively?
Alice PMi
IPA
Round 1Round 1
PM1
PM2
PMn
Alice◦Chooses a random index i◦Connects to PMi directly with her IPA
◦Requests a pseudonym for the next round
Alice PMj
IPAIPA
Round 1 (cont’d)Round 1 (cont’d)
PM1
PM2
PMn
PMi ◦Generates a codename for Alice◦Signs using a ring signature scheme◦Informs all other PMs
“IPA has been issued a pseudonym in round 1”
IPA
IPA
Alice PMi
Codename +
AckIPA
Round 1 (cont’d)Round 1 (cont’d)
PM1
PM2
PMn
PMi ◦Waits for Acknowledgements from
other PMs◦Sends ‘codename’ back to Alice
Ack
Ack
Somebody PMj
codename
Round 2Round 2
PM1
PM2
PMn
Alice◦Chooses another random index j
◦Connects to PMj anonymously using Tor
◦Requests a pseudonym to connect to NM
Somebody PMj
codenamecodename +
Round 2 (cont’d)Round 2 (cont’d)
PM1
PM2
PMn
PMj ◦Verifies the validity of <codename,
signature>◦Creates a pnym for that ‘somebody’
◦Signs pnym using a ring signature scheme◦ Informs all other PMs: “The guy with ‘codename’
has been issued a pseudonym in round 2”
codename
codename
Somebody PMjpnym +
Ack
Round 2 (cont’d)Round 2 (cont’d)
PM1
PM2
PMn
PMj ◦Waits for Acknowledgement from other
PMs◦Sends <pnym, signature> back to the
user
Ack
Ack
Aspects of DPMAspects of DPMAlice’s IP address is protected by
one more security levelIt’s not feasible for Alice to obtain
more than one pseudonym with her IP
Tor Network
Distributing NMDistributing NM
NM
PMi PMj
Cod
enam
e ac
quis
ition
Pseud
onym
acq
uisitio
n
NymbleTicket acquisition
Distributing NMDistributing NM
Tor Network
Service Provider
Serve
r Auth
entic
ation
Distributing NMDistributing NMService Provider
NM’
Linking Token Extraction
Tor Network
NM
Distributing NM - Distributing NM - RequirementsRequirements
Distributing NM (cont’d)Distributing NM (cont’d)Seed HkhkN
(pnym,sid,w)
How should we generate the seed?◦ S1: Ask another NM to create the hash of
server id with his own key Seed will not be unique
◦ S2: Ask another NM to create the hash of server id with the shared key Vulnerable to brute force attack
AnalysisAnalysisOur Solution:
◦Provides collusion prevention without eliminating TTPs No proof generation and proof verification
needed Better performance than BLAC and PEREA
◦Decreases the number of required signature
◦Eliminates unnecessary key sharing
◦Makes use of an efficient ring signature scheme with efficient size
Future WorkFuture Work
Dynamic ForgivenessMultiple Rounds for Pseudonym
RegistrationOptimal Ring SignatureExperimental Analysis
SummarySummaryWe introduced an anonymous
blocking system based on Nymble◦Using distributed TTPs architecture◦With collusion resistance feature◦With less computation cost◦With increased usability
Thank You!Thank You!