Crowds: Anonymity for Web Transactions

Michael K. Reiter, Aviel D. Rubin

Jan 31, 2006. Presented by Munawar Hafiz


Contributions

• Introduces the concept of ‘Degree of Anonymity’

• Introduces the concept of Crowds

• Analyzes the implementation

• Comparison with other methods


Degrees of Anonymity

Beyond Suspicion: Sender appears no more likely to be the originator of a sent message than any other potential sender in the system.

Probable Innocence: Sender appears no more likely to be the originator than not to be the originator.

Possible Innocence: There is a nontrivial probability that the real sender is someone else.

What type of privacy requirement is suitable for a particular application?


Anonymity loves company


The sole mechanism of anonymity is blending and obfuscation.

The Mix approach

• Obfuscate the data

• Blend the data with cover traffic

The Onion Routing approach

• Obfuscate the data

• Use cell padding to make data look similar

The Crowds approach

• Data may be in clear text

• Hide in a group and make everyone in the group equally responsible for an act.


Crowds in operation: Setup

Setup Phase

1. User first joins a crowd of other users and is represented by a jondo process on his local machine. He registers with a server machine called the Blender.

2. User configures his browser to use the local jondo as the proxy for all new services.

3. The blender sends the data of other nodes in the crowd to the local jondo.

4. All other members in the crowd go through a Join Commit.


Crowds in operation: Communication

Communication Phase

1. User passes her request to a random member in the crowd.

2. The selected router flips a biased coin with forwarding probability pf.

3. With probability (1 - pf), it delivers the message directly to the destination. Otherwise it forwards the message to a randomly selected next router.
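
The forwarding rule above can be checked numerically. The following is an added example, not part of the original slides: it simulates the communication phase and compares the estimate with the closed-form predecessor probability and the probable-innocence condition from the Reiter and Rubin paper (neither formula appears on the slides). The names n (crowd size) and c (collaborating jondos) and the jondo numbering are assumptions of this sketch.

```python
import random

def predecessor_is_initiator(n, c, pf):
    """Closed form from the Crowds paper: probability that the first
    collaborator on a path is immediately preceded by the initiator,
    given that some collaborator is on the path."""
    return (n - pf * (n - c - 1)) / n

def probable_innocence(n, c, pf):
    """Sufficient condition from the paper: pf > 1/2 and
    n >= pf / (pf - 1/2) * (c + 1)."""
    return pf > 0.5 and n >= pf / (pf - 0.5) * (c + 1)

def simulate(n, c, pf, trials=100_000, seed=1):
    """Monte Carlo run of the communication phase.
    Constructed setup: jondo 0 is the initiator, jondos n-c .. n-1 collaborate."""
    rng = random.Random(seed)
    seen = hits = 0
    for _ in range(trials):
        prev = 0                       # the initiator's own jondo starts the path
        while True:
            nxt = rng.randrange(n)     # uniformly random member, possibly itself
            if nxt >= n - c:           # first collaborator reached
                seen += 1
                hits += (prev == 0)    # it only sees its immediate predecessor
                break
            prev = nxt
            if rng.random() >= pf:     # coin says: deliver to the destination
                break
    return hits / seen

if __name__ == "__main__":
    for n, c, pf in [(20, 3, 0.75), (10, 3, 0.75)]:
        print(n, c, pf,
              round(predecessor_is_initiator(n, c, pf), 3),
              round(simulate(n, c, pf), 3),
              probable_innocence(n, c, pf))
```

With 20 jondos, 3 collaborators and pf = 0.75 the predecessor is the initiator with probability 0.4, so probable innocence holds; shrinking the crowd to 10 raises it to 0.55 and the guarantee is lost.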


Anonymity for Crowds approach


Distinct Characteristics of Crowds


Use of encryption

• A single path key is used for end-to-end encryption

• At each node, path key is re-encrypted using link encryption

• Fast stream cipher for encrypting reply traffic

Static Path

• Dynamic paths hurt the anonymity achieved

• Paths are changed during join and failure

Protection against timing attacks

• Sender revealed if it is an immediate predecessor of malicious jondo.

• Introduce delays for thwarting attacks


Comparison with MIX networks


Crowds and MIX solve different anonymity problems

• Crowds provide (probable innocence) sender anonymity

• MIX networks provide sender and receiver unlinkability

Different type of protection against global passive eavesdropper

• Crowds provide no protection

• MIX networks provide protection against a global eavesdropper

Performance

• Crowds provide better performance

• Public key encryptions and decryptions affect performance.

Different approach in routing (Efficiency)

• In Crowds, paths are selected randomly

• In a re-mailer, the circuit has to be determined first.


Concepts coming out of Crowds


Every node is a MIX

• Making the end nodes and the MIXes indistinguishable

• Distributed workload

• Used in MorphMix / Tarzan for Peer to Peer communication

The leaky pipe architecture

• Any node is an exit node

• Used in Tor to provide better protection against

Robustness

• No single point of failure

• Distributed Blender ??

Anonymity loves company

• The more the user base, the better the anonymity

• Highly scalable


Limitations of Crowds


• Content in plaintext: Apply end-to-end encryption to protect content. Limitation: Gathering multimedia content

• Restriction on using ActiveX controls etc.: Current Internet landscape is different from this requirement

• Vulnerable to DoS attacks: Malicious jondos can simply drop packets.

• Performance overhead: Increased network traffic, increased retrieval time and load on jondos

Break for brainstorming: What type of applications can use this approach?

• Deployment problem with firewalls


Crowds for Social Networking

Are you comfortable in a friendly crowd or unfriendly crowd?

Are you willing to take the risk of being logged by server?

A crowds network where all the participants know each other and are therefore trusted.

A crowds network with trusted entities but not friends / acquaintances.

A crowds network that includes adversaries and honest nodes, all un-trusted.

What about content tampering risks?

Discussion questions

Crowds provide better options for deployment than an onion routing scheme like Tor. Yet you see Tor deployed in two continents and crowds a research prototype only. What is the reason?

What would happen if membership in the crowd is controlled by the blender but in this case the blender is using public key authentication? Would the overall anonymity be improved?

What are the factors that hinder crowd scalability?

The crowds approach limits the subset of users that hides the message initiator. How does it affect anonymity?

Have we seen the end of crowds?