Message Splitting Against the Partial Adversary
Andrei Serjantov
The Free Haven Project (UK)
Steven J Murdoch
University of Cambridge Computer Laboratory
Outline
• Mix Systems. Criticisms.
  – too strong threat model(!)
  – intersection attack when >1 msg (too much data) sent
• Weaker threat model
• Sending each message via random route
  – “non connection-based system”
• Empirical observations about Mixmaster, Mixminion
• Characteristic delay function [Dan04] is difficult to estimate
Mix Systems
• Well known to this audience
• Implemented
  – Mixmaster
  – Mixminion
• Threat Model
  – Global Passive Adversary (GPA)
  – GPA with some (all but one?) compromised mixes
Criticisms
• GPA does not exist
  – (a matter of some debate)
• The mix system (Chaum 81) allows one fixed-sized message to be sent anonymously
  – Great for votes
  – Ok for email
  – Bad for Web Browsing
  – Awful for Bit Torrent
• If >1 message (more than 32K data), anonymity is degraded
Intersection Attack
[Figure: Senders A, B, C; Mix 1, Mix 2, Mix 3, Mix 4; Receivers D, E, F; Attacker.]
Traffic
[Figure: Volume of data downloaded through the anonymity system. Axis labels: Volume of data, Kb; Number of users.]
Intersection Attack
• [BPS00] On the Disadvantages of Free Mix Routes (PET2001)
• [WALS02] An Analysis of the Degradation of Anonymous Protocols (NDSS’02)
• [KAP02] Limits of Anonymity in Open Environments (IH2002)
• [Dan03] Statistical Disclosure (I-NetSec03)
• [DS04] (IH2004)
• [Dan04] The traffic analysis of continuous-time mixes (PET2004)
etc
The Common Wisdom
• Intersection attacks are:
  – Realistic
  – Powerful (reduce anonymity quickly)
  – Hard to protect against
• Require lots of dummy traffic
A Weaker Model
[Figure: senders A, B, C; Mix 1, Mix 2, Mix 3, Mix 4; receivers D, E, F.]
Attacker observes: not all inputs, not all outputs
Not interesting
A Better Threat Model
• A Partial Adversary
  – Does not observe all Sender to Mix links
  – (alternatively not all mixes which senders can send to)
  – Ignore compromised mixes
Observed Mix
[Figure: senders A, B; Mix 1, Mix 2, Mix 3, Mix 4; receivers D, E.]
Attacker sends all his messages via one single route through the mix system
Splitting Data
[Figure: senders A, B, C; Mix 1, Mix 2, Mix 3, Mix 4; receivers E, F.]
Sender B splits his stream of data and sends each message via a randomly chosen route
The problem: how do you choose the first mix?
The Details
• Problem:
  – $M$ mixes to send to
    • $fM$ compromised, the rest not (but no idea which ones)
  – $P$ packets
  – What are the $P_1, \dots, P_M$ s.t. a random subset (attacker) of size $fM$ gives least information about $P$
  – Note that $\sum_i P_i$ may exceed $P$ (dummy traffic)
  – No proof or optimal solution in this paper!
    • See one possible solution next
One possible scheme
• Pick (uniformly) at random a sequence of mixes
• Pick $P_1$ from a geometric distribution with mean $P/2$. Set $P' = P - P_1$
• Pick $P_2$ from a geometric distribution with mean $P'/2$. Set $P'' = P' - P_2$
• etc
• Another in the paper (with some analysis)
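An added sketch of the scheme on this slide (not code from the talk or the paper): each share is drawn from a geometric distribution with mean half the remaining packets, and the result is compared with single-route sending by how often a partial adversary watching $fM$ first-hop mixes sees the sender's whole stream. Assumptions made here: the geometric is on {1, 2, ...}, shares are clamped to the remainder with no dummy traffic, the last mix in the sequence takes what is left, and the function names and the `full_view_rate` metric are illustrative.

```python
import math
import random

def geometric(mean, rng):
    """Sample a geometric variate on {1, 2, ...} with the given mean."""
    if mean <= 1.0:
        return 1
    u = 1.0 - rng.random()                      # uniform in (0, 1]
    return 1 + int(math.log(u) / math.log(1.0 - 1.0 / mean))

def split_packets(P, M, rng):
    """Return alloc[m] = packets sent to first-hop mix m; sum(alloc) == P."""
    alloc = [0] * M
    remaining = P
    order = rng.sample(range(M), M)             # uniformly random sequence of mixes
    for pos, mix in enumerate(order):
        if remaining == 0:
            break
        share = geometric(remaining / 2, rng)   # P_i with mean (remaining / 2)
        # Assumptions: clamp to what is left (no dummies); last mix takes the rest.
        share = remaining if pos == M - 1 else min(share, remaining)
        alloc[mix] = share
        remaining -= share                      # P' = P - P_1, P'' = P' - P_2, ...
    return alloc

def observed(alloc, watched):
    """Packets of this sender that the adversary sees on the watched mixes."""
    return sum(alloc[m] for m in watched)

def full_view_rate(P, M, f, trials, split, seed=1):
    """Fraction of trials where an adversary on f*M random mixes sees all P packets."""
    rng = random.Random(seed)
    k = round(f * M)
    hits = 0
    for _ in range(trials):
        if split:
            alloc = split_packets(P, M, rng)
        else:
            alloc = [0] * M
            alloc[rng.randrange(M)] = P         # single route: one first-hop mix
        watched = rng.sample(range(M), k)
        hits += observed(alloc, watched) == P
    return hits / trials

if __name__ == "__main__":
    # Constructed parameters: P=100 packets, M=10 mixes, f=0.3 observed.
    print("single route:", full_view_rate(100, 10, 0.3, 5000, split=False))
    print("split       :", full_view_rate(100, 10, 0.3, 5000, split=True))
```

With a single route the adversary sees everything in about a fraction $f$ of runs; with splitting that happens only when every mix the sender used is among the watched ones.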
Part II
• (Looking at a particular intersection attack and finding it not as easy as it looks at first glance)
Another Intersection Attack
• Danezis 2004 (thanks for the diagrams)
The Idea:
The Details
The Characteristic Delay Function
• What is this for
  – Mixes
  – Mixmaster
  – Mixminion
  – Tor
• This may be unfair – Danezis intended his attack for low latency systems (Tor)
• Nevertheless interesting
The Characteristic Delay Function
• Theory:
  – What is the delay of a mix (cascade/network)
  – Can say not very much about it (as usual)
    • Details in the paper
• Practice:
  – Steven wrote a disciplined pinger
    • Does not ping too often, hope not to affect the results by sampling
Results
Results
Comparing
• Nothing surprising
  – Mixmaster has longer delay
  – Heavy tails
Conclusions I
• It is well known that the intersection attack is powerful
  – No reason to abandon investigation!
• New interesting, mathematically well defined threat model
• Splitting traffic amongst first nodes
  – Does not have the efficiency of Tor or other connection-based systems
  – Does gain anonymity advantage (but only by means of a weaker threat model)
Conclusions II
• Characteristic function of Mixmaster, Mixminion difficult to work out in theory or estimate empirically
• Data at:
• All references at “Anonymity Bibliography”
Thank you
The Anonymity Advantage
[Figure: two diagrams of "The Network (Mixmaster)" with Alice, showing the values 100, 17, 10, 5, 87 in the first diagram and 100, 170, 10, 5, 87 in the second; label: Total observed packets.]
Intersection Attack
[Figure labels: Senders, Receivers, Attacker, Mixes.]
A Weaker Model
Attacker observes: not all inputs, not all outputs
Not interesting
Observed Mix
Attacker sends all his messages via one single route through the mix system
Splitting Data
Attacker splits his stream of data and sends each message via a randomly chosen route
The problem: how do you choose the first mix?
Results
Results
Comparing
• Nothing surprising
  – Mixmaster has longer delay
  – Heavy tails