Anonymous Communication with emphasis on Tor* (jkatz/security/f09/lectures/syverson.pdf)
1
Paul Syverson, U.S. Naval Research Laboratory
Anonymous Communication with emphasis on Tor*
* Tor's Onion Routing
2
Dining Cryptographers (DC Nets)
● Invented by Chaum, 1988
● Strong provable properties
● Versions without collision or abuse problems have high communication and computation overhead
● Don't scale very well
3
Mixes
9
Mixes
● Invented by Chaum 1981 (not counting ancient Athens)
● As long as one mix is honest, network provides anonymity up to the capacity of the mix
● Sort of
  – Flooding
  – Trickling
● Many variants
  – Timed
  – Pool
  – ...
10
Anonymous communications
Technical                Governmental/Social
1. What is it?
2. Why does it matter?
3. How do we build it?
11
1. What is anonymity anyway?
12
Informally: anonymity means you can't tell who did what
“Who wrote this blog post?”
“Who's been viewing my webpages?”
“Who's been emailing patent attorneys?”
13
Formally: anonymity means indistinguishability within an “anonymity set”
[Diagram: Alice1, Alice2, ... Alice8 .... Bob]
Attacker can't tell which Alice is talking to Bob!
14
Formally: anonymity means indistinguishability within an “anonymity set”
[Diagram: Alice1, Alice2, ... Alice8 .... Bob]
Attacker can't distinguish which Alice is talking to Bob
15
Formally: anonymity means indistinguishability within an “anonymity set”
[Diagram: Alice1, Alice2, ... Alice8 .... Bob]
Attacker can't distinguish which Alice is talking to Bob
● Can't distinguish?
● Basic anonymity set size
● Probability distribution within anonymity set
● ....
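The last two bullets, set size versus the probability distribution over the set, as an added example that is not from the slides: a Python computation of the entropy-based anonymity metrics for the eight Alices of the diagram. The attacker beliefs are constructed; the metric names follow the entropy measures of Serjantov and Danezis and of Diaz et al. (both 2002).

```python
import math

# Constructed attacker beliefs over the eight Alices of slides 13-15. Values are unnormalised
# weights (e.g. how many observations point at each Alice); the code normalises them.
UNIFORM = {f"Alice{i}": 1 for i in range(1, 9)}                    # attacker learned nothing
SKEWED = {f"Alice{i}": (7 if i == 1 else 1) for i in range(1, 9)}  # traffic analysis favours Alice1
CERTAIN = {f"Alice{i}": (1 if i == 1 else 0) for i in range(1, 9)}  # set still lists 8 names, zero anonymity


def entropy_bits(weights: dict) -> float:
    """Shannon entropy, in bits, of the attacker's normalised belief over the anonymity set."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("belief must have positive total weight")
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)


def anonymity_metrics(weights: dict) -> dict:
    """Compare the naive measure (set size) with distribution-aware measures.

    effective_set_size = 2**H: how many equiprobable suspects the attacker's remaining
    uncertainty is worth. degree_of_anonymity = H / log2(N): 1.0 means the attacker learned
    nothing from the distribution, 0.0 means the sender is identified.
    """
    n = len(weights)
    h = entropy_bits(weights)
    h_max = math.log2(n) if n > 1 else 0.0
    return {
        "set_size": n,
        "entropy_bits": round(h, 4),
        "effective_set_size": round(2 ** h, 4),
        "degree_of_anonymity": round(h / h_max, 4) if h_max else 0.0,
    }


if __name__ == "__main__":
    for label, belief in (("uniform", UNIFORM), ("skewed", SKEWED), ("certain", CERTAIN)):
        print(label, anonymity_metrics(belief))
```

All three beliefs have the same "basic anonymity set size" of 8; only the entropy-based numbers show that the skewed belief is worth about 5.3 suspects and the certain one just 1.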
16
We have to make some assumptions about what the attacker can do.
[Diagram: Alice → Anonymity network → Bob]
Watch (or be!) Bob!
Watch Alice!
Control part of the network!
Etc, etc.
17
Anonymity isn't confidentiality: Encryption just protects contents.
[Diagram: Alice sends “Hi, Bob!”, Bob receives “Hi, Bob!”; the attacker in between sees <gibberish>]
18
Anonymity isn't steganography: Attacker can tell that Alice is talking; just not to whom.
[Diagram: Alice1, Alice2, ... AliceN → Anonymity network → Bob1, Bob2, ...]
19
Anonymity isn't just wishful thinking...
“You can't prove it was me!”
“Promise you won't look!”
“Promise you won't remember!”
“Promise you won't tell!”
“I didn't write my name on it!”
“Isn't the Internet already anonymous?”
20
...since “weak” anonymity... isn't.
“You can't prove it was me!”
  Proof is a very strong word. With statistics, suspicion becomes certainty.
“Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!”
  Will other parties have the ability and incentives to keep their promises?
“I didn't write my name on it!”
  Not what we're talking about.
“Isn't the Internet already anonymous?”
  Nope! (More info later.)
21
2. Why does anonymity matter?
22
Anonymity serves different interests for different user groups.
Private citizens: “It's privacy!”
Businesses: “It's network security!”
Governments: “It's traffic-analysis resistance!”
Human rights advocates: “It's censorship circumvention!”
23
Regular citizens don't want to be watched and tracked.
(the network can track too)
Hostile Bob: “I sell the logs.”
Incompetent Bob: “Oops, I lost the logs.”
Indifferent Bob: “Hey, they aren't my secrets.”
Name, address, age, friends, interests (medical, financial, etc), unpopular opinions, illegal opinions....
Blogger Alice, 8-year-old Alice, Sick Alice, Consumer Alice, Union member Alice, ....
24
Many people don't get to see the internet that you can see...
25
and they can't speak on the internet either...
26
It's not only about dissidents in faraway lands
27
Regular citizens don't want to be watched and tracked.
Stalker Bob: “I look for you to do you harm.”
Censor/Blocker Bob: “I control your worldview and who you talk to.” “I imprison you for seeing/saying the wrong things.”
Name, address, age, friends, interests (medical, financial, etc), unpopular opinions, illegal opinions....
Crime Target Alice, Oppressed Alice, Human Rights Worker Alice, ....
28
Law enforcement needs anonymity to get the job done.
Officer Alice
Investigated suspect: “Why is alice.fbi.gov reading my website?”
Sting target: “Why no, alice.localpolice.gov! I would never sell counterfeits on ebay!”
Anonymous tips; Witness/informer Alice; Organized Crime
“Is my family safe if I go after these guys?”
“Are they really going to ensure my anonymity?”
29
Businesses need to protect trade secrets... and their customers.
AliceCorp
Competitor: “Oh, your employees are reading our patents/jobs page/product sheets?”
Competitor: “Hey, it's Alice! Give her the 'Alice' version!”
Compromised network: “Wanna buy a list of Alice's suppliers? What about her customers? What about her engineering department's favorite search terms?”
Compromised/malicious hosts: “We attack Alice's customers with malware, and watch for when she notices us.”
30
Governments need anonymity for their security
Agent Alice; Untrusted ISP; Compromised service
“What does the CIA Google for?”
“What will you bid for a list of Baghdad IP addresses that get email from .gov?”
“What bid for the hotel room from which someone just logged in to foo.navy.mil?”
31
Governments need anonymity for their security
Coalition member Alice; Semitrusted network; Shared network; Hostile network
“Do I really want to reveal my internal network topology?”
“Do I want all my partners to know extent/pattern of my comms with other partners?”
“How can I establish communication with locals without a trusted network?”
“How can I avoid selective blocking of my communications?”
32
Governments need anonymity for their security
Hidden Services: “Can I hide where my MLS chat server/my automated regrader is?” “Can my servers resist DDoS and physical attack even by authorized users?”
Govt. web server; Bob
Homeland security network: “How can I securely and quickly exchange vital info with every sheriff's dept and Hazmat transporter without bringing them into my secure network?”
Defense in Depth: “Do I want every SIPRNET node to know where all the traffic on it is headed?”
33
You can't be anonymous by yourself: private solutions are ineffective...
Officer Alice → Municipal anonymity net; Investigated suspect: “Looks like a cop.”
AliceCorp → AliceCorp anonymity net; Competitor/malware host: “It's somebody at AliceCorp!”
Citizen Alice → Alice's small anonymity net; “One of the 25 users on AliceNet.”
...
34
... so, anonymity loves company!
Officer Alice, AliceCorp, Citizen Alice, ... → Shared anonymity net
Investigated suspect: “???”
AliceCorp Competitor: “???”
...: “???”
35
Don't bad people use anonymity?
36
Current situation: Bad people on internet are doing fine
Trojans, Viruses, Exploits, Phishing, Spam, Botnets, Zombies, Espionage, DDoS, Extortion
37
Giving good people a fighting chance
Anonymity Network:
- DDoS resistant servers
- Enable sharing threat info
- Freedom of access
- Resist Identity Theft
- Reduce cyberstalking of kids
- Protect operations and analysts/operatives
- Encourage informants
- Protect free speech
38
3. How does anonymity work?
39
Anonymity Systems for the Internet
High-latency:
  Chaum's Mixes (1981)
  anon.penet.fi (~91-96)
  Remailer networks: cypherpunk (~93), mixmaster (~95), mixminion (~02)
Low-latency:
  Single-hop proxies (~95-)
  Crowds (~96)
  NRL V0 Onion Routing (~96-97)
  NRL V1 Onion Routing (~97-00)
  ZKS “Freedom” (~99-01)
  Java Anon Proxy (~00-)
  Tor (01-)
...and more!
40
Low-latency systems are vulnerable to end-to-end correlation attacks.
Low-latency:
  Alice1 sends: xx x xxxx x    Bob2 gets: xx x xxxx x    match!
  Alice2 sends: x x xx x x     Bob1 gets: x x x x x x    match!
High-latency:
  Alice1 sends: xx x xxxx      Bob1 gets: xx xxxx .....
  Alice2 sends: x x xx x x     Bob2 gets: x xxxxx .....
(Time runs left to right)
These attacks work in practice. The obvious defenses are expensive (like high-latency), useless, or both.
41
Still, we focus on low-latency, because it's more useful.
Interactive apps: web, IM, VOIP, ssh, X11, ...
  # users: millions?
Apps that accept multi-hour delays and high bandwidth overhead: email, sometimes.
  # users: hundreds at most?
And if anonymity loves company....?
42
The simplest designs use a single relay to hide connections.
[Diagram: Alice1, Alice2, Alice3 → Relay → Bob1, Bob2, Bob3]
The Alices send the Relay (Bob3, “X”), (Bob1, “Y”), (Bob2, “Z”); the Relay delivers “Y”, “Z”, “X” to the Bobs.
43
But an attacker who sees Alice can see who she's talking to.
[Diagram: Alice1, Alice2, Alice3 → Relay → Bob1, Bob2, Bob3]
The Alices send the Relay (Bob3, “X”), (Bob1, “Y”), (Bob2, “Z”) in the clear; the Relay delivers “Y”, “Z”, “X” to the Bobs.
44
Add encryption to stop attackers who eavesdrop on Alice.
[Diagram: Alice1, Alice2, Alice3 → Relay → Bob1, Bob2, Bob3]
The Alices send the Relay E(Bob3, “X”), E(Bob1, “Y”), E(Bob2, “Z”); the Relay delivers “Y”, “Z”, “X” to the Bobs.
(e.g.: some commercial proxy providers, Anonymizer)
45
But a single relay is a single point of failure.
[Diagram: Alice1, Alice2, Alice3 → Evil or Compromised Relay → Bob1, Bob2, Bob3]
The Alices send the Relay E(Bob3, “X”), E(Bob1, “Y”), E(Bob2, “Z”); the Relay delivers “Y”, “Z”, “X” to the Bobs.
46
But a single relay is a single point of bypass.
[Diagram: Alice1, Alice2, Alice3 → Irrelevant Relay → Bob1, Bob2, Bob3]
The Alices send the Relay E(Bob3, “X”), E(Bob1, “Y”), E(Bob2, “Z”); the Relay delivers “Y”, “Z”, “X” to the Bobs.
Timing analysis bridges all connections through relay ⇒ An attractive fat target
47
So, add multiple relays so that no single one can betray Alice.
[Diagram: Alice, relays R1..R5, Bob]
48
A corrupt first hop can tell that Alice is talking, but not to whom.
[Diagram: Alice, relays R1..R5, Bob]
49
A corrupt final hop can tell someone is talking to Bob, but not who it is.
[Diagram: Alice, relays R1..R5, Bob]
50
Alice makes a session key with R1
[Diagram: Alice → R1; other relays R2..R5; Bob]
51
Alice makes a session key with R1... And then tunnels to R2
[Diagram: Alice → R1 → R2; other relays R3..R5; Bob]
52
Alice makes a session key with R1... And then tunnels to R2... and to R3
[Diagram: Alice → R1 → R2 → R3; other relays R4, R5; Bob]
53
Alice makes a session key with R1... And then tunnels to R2... and to R3. Then talks to Bob over circuit
[Diagram: Alice → R1 → R2 → R3 → Bob; other relays R4, R5]
54
Feasible because onion routing uses (expensive) public-key crypto just to build circuits, then uses (cheaper) symmetric-key crypto to pass data
[Diagram: Alice → R1 → R2 → R3 → Bob; other relays R4, R5]
55
Can multiplex many connections through the encrypted circuit
[Diagram: Alice → R1 → R2 → R3 → Bob and Bob2 over the same circuit; other relays R4, R5]
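The circuit construction and data flow of slides 50-55, as an added example that is neither from the slides nor from the Tor code base: a toy Python model in which Alice shares one session key per hop, wraps each cell in one encryption layer per hop, and every relay peels exactly one layer. A SHA-256 keystream stands in for the symmetric cipher, the public-key handshake of slide 54 is abstracted to handing the key over, and the relay names, cell commands and messages are all constructed.

```python
import hashlib
import os

# Cell commands, constructed for this example; Tor's real cell format is richer.
EXTEND, RELAY, DATA = b"X", b"R", b"D"

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for slide 54's symmetric crypto: XOR the data with
    SHA-256(key || block counter). Encrypting and decrypting are the same operation.
    The counter restarts at 0 for every cell, so this is a teaching toy, not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def pack(*fields: bytes) -> bytes:
    """Length-prefix each field so a relay can split a decrypted cell unambiguously."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(buf: bytes) -> list:
    fields, pos = [], 0
    while pos < len(buf):
        n = int.from_bytes(buf[pos:pos + 2], "big")
        fields.append(buf[pos + 2:pos + 2 + n])
        pos += 2 + n
    return fields

class Relay:
    def __init__(self, name: str, network: dict):
        self.name, self.network = name, network
        # session key shared with Alice; who handed us CREATE; relay we extended to
        self.key = self.prev_hop = self.next_hop = None
        self.exits = set()       # destinations this relay has delivered data to

    def create(self, prev: str, key: bytes) -> None:
        """CREATE: the per-hop key handshake. In Tor this is the expensive public-key step of
        slide 54; the example abstracts it by handing the key over directly."""
        self.key, self.prev_hop = key, prev

    def relay_cell(self, cell: bytes, delivered: list) -> None:
        """Peel exactly one layer with this hop's key and act on what is underneath."""
        cmd, *fields = unpack(stream_xor(self.key, cell))
        if cmd == EXTEND:        # fields: next relay's name, the key Alice chose for it
            self.next_hop = fields[0].decode()
            self.network[self.next_hop].create(self.name, fields[1])
        elif cmd == RELAY:       # fields: still-encrypted inner cell for the next hop
            self.network[self.next_hop].relay_cell(fields[0], delivered)
        elif cmd == DATA:        # fields: destination, stream id, payload (exit hop only)
            dest, sid, payload = fields[0].decode(), int.from_bytes(fields[1], "big"), fields[2]
            self.exits.add(dest)
            delivered.append((dest, sid, payload, self.name))

class Alice:
    def __init__(self, network: dict):
        self.network, self.path, self.keys = network, [], []

    def _onion(self, inner: bytes) -> bytes:
        """One encryption layer per hop, innermost for the last hop; each outer layer hides a
        RELAY marker telling that hop to pass the rest along unread."""
        cell = stream_xor(self.keys[-1], inner)
        for key in reversed(self.keys[:-1]):
            cell = stream_xor(key, pack(RELAY, cell))
        return cell

    def extend(self, relay_name: str) -> None:
        """Telescoping build (slides 50-53): CREATE goes to the first hop directly; every later
        hop is reached by an EXTEND cell tunnelled through the circuit built so far."""
        key = os.urandom(32)
        if not self.path:
            self.network[relay_name].create("Alice", key)
        else:
            cell = self._onion(pack(EXTEND, relay_name.encode(), key))
            self.network[self.path[0]].relay_cell(cell, [])
        self.path.append(relay_name)
        self.keys.append(key)

    def send(self, dest: str, sid: int, payload: bytes, delivered: list) -> None:
        cell = pack(DATA, dest.encode(), sid.to_bytes(2, "big"), payload)
        self.network[self.path[0]].relay_cell(self._onion(cell), delivered)

def build_and_send():
    """Build Alice -> R1 -> R2 -> R3, multiplex two streams over it (slide 55), and return what
    was delivered plus what each relay on the circuit could observe."""
    network = {}
    network.update({n: Relay(n, network) for n in ("R1", "R2", "R3", "R4", "R5")})
    alice = Alice(network)
    for hop in ("R1", "R2", "R3"):
        alice.extend(hop)
    delivered = []
    alice.send("Bob", 1, b"GET / HTTP/1.0", delivered)
    alice.send("Bob2", 2, b"hello", delivered)
    view = {n: {"prev": r.prev_hop, "next": r.next_hop, "dests": sorted(r.exits)}
            for n, r in network.items() if r.key is not None}
    return delivered, view
```

Calling build_and_send() shows the point of slides 48 and 49 in data: R1 records Alice as its previous hop but no destination, R3 records Bob and Bob2 but only R2 as its previous hop, and R4 and R5 never receive a key.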
56
That's Tor* in a nutshell
* Tor's Onion Routing
57
Focus of Tor is anonymity of the communications pipe, not the application data that passes through it
58
Tor anonymizes TCP streams only: it needs other applications to clean high-level protocols.
[Diagram: Web browser → (HTTP) Web scrubber → (SOCKS) Tor client; IRC client → (SOCKS) Tor client; SSH → (SOCKS) Tor client; Tor client → Tor network]
59
Tor: The Big Picture
● Freely available (Open Source), unencumbered, and
● Comes with a spec and full documentation:
  – Docs and instructions translated into 15+ languages
  – German univ. implemented compatible Java Tor clients
  – Researchers use it to study anonymity
● Several commercial imitators
● Focus on Usability/Scalability/Incentives
● 200000+ active users, including various govt. and law enforcement users
● PC World magazine: Tor in the Top 100 Products of 2005.
● Began as NRL research project 2001 (1995)
● Tor Project now a US 501(c)(3) with a handful of employees and many volunteers
61
Usability for relay operators
● Rate limiting: shouldn't eat too much bandwidth.
● Exit policies: not everyone is willing to emit arbitrary traffic.
  allow 18.0.0.0/8:*
  allow *:22
  allow *:80
  reject *:*
● Middle-man node: no exit from Tor network (reject *:*)
● Bridge node: not part of public Tor network at all
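An evaluator for the exit policy shown above, as an added example that is not Tor's own code: it applies the slide's policy with Tor's first-match semantics and flags rules that an earlier catch-all makes unreachable. The slide spells the permit verb `allow`; Tor's torrc spells it `accept`, so both are taken. The test addresses are constructed (203.0.113.0/24 is a documentation range).

```python
import ipaddress

# Exit policy from the slide, verbatim, plus the slide's middle-man policy.
SLIDE_POLICY = """
allow 18.0.0.0/8:*
allow *:22
allow *:80
reject *:*
"""
MIDDLEMAN_POLICY = "reject *:*"      # middle-man node: never an exit


def parse_policy(text: str) -> list:
    """Parse 'allow|accept|reject ADDR[/PREFIX]:PORT' lines (port may be N, LO-HI or *), in
    order, into (permit, network, low_port, high_port) tuples. '*' as address means 0.0.0.0/0."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, pattern = line.split(None, 1)
        if verb not in ("allow", "accept", "reject"):
            raise ValueError(f"unknown policy verb in {line!r}")
        addr, port = pattern.rsplit(":", 1)
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in {line!r}")
        rules.append((verb != "reject", net, lo, hi))
    return rules


def exit_allowed(rules: list, address: str, port: int) -> bool:
    """First matching rule wins, as in Tor. A connection matching no rule is rejected here;
    the slide's policy ends in 'reject *:*', so every IPv4 connection matches something.
    An IPv6 destination never matches an IPv4 network and therefore falls through to reject."""
    ip = ipaddress.ip_address(address)
    for permit, net, lo, hi in rules:
        if ip.version == net.version and ip in net and lo <= port <= hi:
            return permit
    return False


def shadowed_rules(rules: list) -> list:
    """Indexes of rules that can never match because an earlier catch-all ('*:*') precedes
    them: a sanity check for an operator who edits the policy by hand."""
    for i, (_, net, lo, hi) in enumerate(rules):
        if net.prefixlen == 0 and (lo, hi) == (1, 65535):
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    rules = parse_policy(SLIDE_POLICY)
    for dest in (("18.7.22.69", 25), ("203.0.113.5", 22), ("203.0.113.5", 443)):
        print(dest, "allowed" if exit_allowed(rules, *dest) else "rejected")
    print("shadowed:", shadowed_rules(parse_policy("reject *:*\nallow *:80")))
```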
62
Choose how to install it
● Tor Browser Bundle: standalone Windows exe with Tor, Vidalia, Firefox, Torbutton, Polipo, e.g. for USB stick
● Vidalia bundle: Windows/OSX installer
● Tor VM: Transparent proxy for Windows
● “Net installer” via our secure updater
● Incognito Linux LiveCD
65
The basic Tor design uses a simple centralized directory protocol.
[Diagram: servers S1, S2, S3; trusted directories; directory caches; Alice]
Servers publish self-signed descriptors.
Authorities publish a consensus list of all descriptors.
Alice downloads consensus and descriptors from anywhere.
66
Governments and other firewalls can just block the whole Tor network.
[Diagram: Alices behind a firewall (X) cut off from the Tor servers (S)]
67
[Diagram: relays R1..R4 and Bob; many Alices reach the network while the BlockedUsers cannot]
![Page 68: Anonymous Communication with emphasis on Tor*jkatz/security/f09/lectures/syverson.pdf2 Dining Cryptographers (DC Nets) Invented by Chaum, 1988 Strong provable properties Versions without](https://reader034.vdocument.in/reader034/viewer/2022050516/5f9fddc685ad313e3a3b1145/html5/thumbnails/68.jpg)
68
![Page 69: Anonymous Communication with emphasis on Tor*jkatz/security/f09/lectures/syverson.pdf2 Dining Cryptographers (DC Nets) Invented by Chaum, 1988 Strong provable properties Versions without](https://reader034.vdocument.in/reader034/viewer/2022050516/5f9fddc685ad313e3a3b1145/html5/thumbnails/69.jpg)
69
Tor is only a piece of the puzzle
● Assume the users aren't attacked by their hardware and software
– No spyware installed, no cameras watching their screens, etc.
● Assume the users can fetch a genuine copy of Tor: from a friend, via PGP signatures, etc.
70
Lessons?
● 1) Bad people don't need Tor. They're doing fine.
● 2) Honest people need more security/privacy/anonymity.
● 3) Law enforcement can benefit from it too.
● 4) Tor is not unbreakable.
71
Suggestions: Know your adversary
● Destination adversary: lock down applications, etc. https://www.torproject.org/download.html/#Warning
● Exit node adversary: same advice, also worry about pseudonymous profiles.
– DON'T assume passwords over otherwise unencrypted links are safe because they went through Tor first.
● Local/temporary adversary: you are probably OK just using (properly configured) Tor
– CAVEAT: You might have other adversaries watching you even if they are not your immediate concern
72
Suggestions: Know your adversary
● Well-funded tech-savvy adversary: Be patient, onion routing is not there yet.
– Using Tor is usually better than not using Tor or using anything else I know of.
– Nothing to prevent someone from running a nontrivial percentage of Tor nodes and watching the traffic over them and/or watching internet connections.
– Currently working on research to work trust into the model and design of Tor.
73
Location Hidden Servers
● Alice can connect to Bob's server without knowing where it is or possibly who he is
● Already told you why this is desirable, but...
● How is this possible?
74
1. Server Bob creates onion routes to Introduction Points (IP)
(All routes in these pictures are onion routed through Tor)
75
2. Bob publishes his xyz.onion address and puts a Service Descriptor (incl. Intro Pt.) at the Service Lookup Server, listed under xyz.onion
76
2'. Alice uses xyz.onion to get the Service Descriptor (including Intro Pt. address) at the Lookup Server
77
3. Client Alice creates onion route to Rendezvous Point (RP)
78
4. Alice sends RP address and any authorization through IP to Bob
79
5. If Bob chooses to talk to Alice, he connects to the Rendezvous Point
6. Rendezvous Point mates the circuits from Alice and Bob
80
Final resulting communication channel: Alice's Client to Rendezvous Point to Bob's Server
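The six steps above as a runnable toy model (an added example, not the slides' or Tor's own code): onion routing itself is abstracted away, a circuit is just a string label, and the relay names, the rendezvous cookie and the xyz.onion derivation are constructed stand-ins. The model keeps the property the slides stress: the Introduction Point and the Rendezvous Point only ever see circuits, never the locations of Alice or Bob.

```python
# Added toy model of steps 1-6 (not Tor's code): circuits are string labels and
# relay names, cookies and the .onion derivation are constructed stand-ins.
import hashlib
import secrets

class Relay:  # can serve as Introduction Point (IP) and/or Rendezvous Point (RP)
    def __init__(self, name):
        self.name = name
        self.intro_for = None  # hidden server holding a circuit here (step 1)
        self.waiting = {}      # cookie -> first circuit to arrive at this RP
        self.channels = {}     # cookie -> mated pair of circuits (step 6)

    def introduce(self, msg):
        # Step 4: forward Alice's message down Bob's circuit (the IP learns no locations)
        self.intro_for.on_introduce(msg)

    def rendezvous(self, cookie, circuit):
        if cookie not in self.waiting:
            self.waiting[cookie] = circuit
        else:  # step 6: the second circuit presenting the cookie is mated to the first
            self.channels[cookie] = (self.waiting.pop(cookie), circuit)

class HiddenServer:
    def __init__(self, pubkey, intro_points, relays, lookup, accept):
        self.relays, self.accept = relays, accept
        for ip in intro_points:  # step 1: onion routes to the IPs
            ip.intro_for = self
        self.address = hashlib.sha256(pubkey).hexdigest()[:16] + ".onion"  # stand-in
        lookup[self.address] = {"intro_points": [ip.name for ip in intro_points]}  # step 2

    def on_introduce(self, msg):
        if self.accept(msg["auth"]):  # step 5: Bob chooses whether to talk...
            rp = self.relays[msg["rp"]]  # ...and if so builds a circuit to the RP
            rp.rendezvous(msg["cookie"], "bob->" + rp.name)

def client_connect(address, relays, lookup, rp_name, auth):
    desc = lookup.get(address)  # step 2': fetch the descriptor for xyz.onion
    if desc is None:
        return None
    rp, cookie = relays[rp_name], secrets.token_hex(8)
    rp.rendezvous(cookie, "alice->" + rp.name)  # step 3: circuit to the RP
    ip = relays[desc["intro_points"][0]]        # step 4: RP, cookie, auth via an IP
    ip.introduce({"rp": rp.name, "cookie": cookie, "auth": auth})
    return rp.channels.get(cookie)  # the mated channel, or None if Bob declined

def demo(auth="secret"):
    relays = {n: Relay(n) for n in ("ip1", "ip2", "ip3", "rp")}
    lookup, ips = {}, [relays[n] for n in ("ip1", "ip2", "ip3")]
    bob = HiddenServer(b"bob-key", ips, relays, lookup, lambda a: a == "secret")
    return client_connect(bob.address, relays, lookup, "rp", auth)
```

`demo()` returns the mated pair of circuits, and `demo("wrong")` returns None because Bob declines at step 5 and never connects to the Rendezvous Point.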
81
Further Questions?
● Contact me: http://www.syverson.org
● Onion Routing homepage: http://www.onion-router.net
● Download/read about Tor: https://www.torproject.org
● Major papers on anonymity: http://freehaven.net/anonbib