practical and provably secure onion routing · 2012-07-16 · practical and provably secure onion...

Michael BackesSaarland University

MPI-SWS

Aniket KateMPI-SWS

Ian GoldbergUniversity of Waterloo

Esfandiar MohammadiSaarland University

Practical and Provably Secure Onion Routing[IEEE CSF '12]

Practical and Provably Secure OR - Esfandiar Mohammadi

Anonymous Web Browsing

2

GoogleAliceAIDS



2

GoogleAliceAIDS

AIDS

Insurance



2

GoogleAliceAIDS

AIDS

Insurance

We should talk.

What happened now?



2

GoogleAliceAIDS

AIDS

Insurance

We should talk.

What happened now?

Next time I anonymize my search via Tor.



2

GoogleAliceAIDS

AIDS

Insurance

We should talk.



2

anonymizing

Tor

• established system for anonymous web browsing• But: analyzing Tor is challenging


Anonymous Web Browsing: Tor

3

anonymizing

Tor


Tor: An Onion Routing Network

4

Anonymity against a malicious server



4


Phase 1: Establish Circuit



4



k1



4

1cid

2cid



k2

k1



4

1cid

2cid



k3

k2

k1



4

1cid3cid

2cid



k4

k3

k2

k1



4

1cid3cid

4cid

2cid


Phase 2: Send message

k4

k3

k2

k1



4

E(k1,E(k2,E(k3,E(k4, m))))

1cid3cid

4cid

cid ||1

2cid


k4

k3

k2

k1



4

E(k1,E(k2,E(k3,E(k4, m))))

1cid3cid

4cid

cid ||1

2cid


k4

k3

k2

k1



4

E(k2,E(k3,E(k4, m)))

1cid3cid

4cid

cid ||2

2cid


E(k3,E(k4, m))

k4

k3

k2

k1



4

1cid3cid

4cid

cid ||3

2cid


E(k4, m)

k4

k3

k2

k1



4

1cid3cid

4cid

cid ||4

2cid


m

k4

k3

k2

k1



4

m

1cid3cid

4cid



5

m

k4

k3

k2

k1


6

m



5

m

k4

k3

k2

k1

• analyzing tor is difficult

• typical approach– abstract OR as a black-box

6



5

m

k4

k3

k2

k1

• analyzing tor is difficult

• typical approach– abstract OR as a black-box

6

But does such a black-box abstraction capture all attacks?


Our Contribution

• We introduce a comprehensive black-box for onion routing

– We bridge the gap between a known black-box abstraction and the onion routing (OR) protocol

• Our result even holds in the presence of universal composability (UC)

• We apply our result by introducing a definition for forward secrecy– We make a first step towards proving forward secrecy

6


Our Contribution

• We introduce a comprehensive black-box for onion routing

– We bridge the gap between a known black-box abstraction and the onion routing (OR) protocol

• Our result even holds in the presence of universal composability (UC)

• We apply our result by introducing a definition for forward secrecy– We make a first step towards proving forward secrecy

6

UC ➡ Timing attacks are not covered


Outline

• Recall UC

• Discussing our Black-Box

• Challenges with the current Tor protocol

• Main Result & Applications

7


Universal Composability

8

callingprotocol

protocol P

protocol P

callingprotocol

Attacker models:• Compromised protocol parties• Compromised network links



9

callingprotocol

callingprotocol

Trusted Party(black-box)

computing the result of Pmodelling honest parties



10

callingprotocol

callingprotocol





10

callingprotocol

callingprotocol



callingprotocol

protocol P

protocol P

callingprotocol

Comparing two worlds



11

callingprotocol

callingprotocol



callingprotocol

protocol P

protocol P

callingprotocol

∀ ∃

≈

callingprotocol

callingprotocol



12

callingprotocol

protocol P

callingprotocol

protocol P

∀ ∃

≈





13



protocol P

protocol P

∃∀ ∀

b*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)

Suser with probability

xattacker

b : fraction of compromised nodes


An elegant black-box for OR

14

by Feigenbaum, Johnson, and Syverson (to appear in TISSec)



xattacker

b : fraction of compromised nodes Why is this not sufficient?



14


• abstraction is sound if no circuit is reused



xattacker

b : fraction of compromised nodes Why is this not sufficient?



14



How does the simulation work?

15


The simulator

16

(-,S)

S

Establish a fresh circuit CSend 0 to S over C

SC


with probabilityb*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)

1


Reusing Circuits

17

m1


Reusing Circuits

17

2

m1


Reusing Circuits

17

This circuit has been reused.

m2m1


Reusing Circuits

17



Reusing Circuits

18

m12m


If h = - draw a fresh handle helse check whether h is valid

b*b x := (h,U,S,m)(1-b)*b x := (h,-,S,m)b*(1-b) x := (h,U,-)(1-b)*(1-b) x := (h,-,-)


Reusing Circuits (Overapproximation)

19

(S, m, h)user

with probabilityx

attacker

b : fraction of compromised nodesm 1m 2

This circuit has

been reused


The simulator

20

(h,-,S,m)

(S,m,h)

If h is not known establish a circuit Celse look up CSend m to S over C

SC



with probability



The simulator

20

(h,-,S,m)

(S,m,h)

If h is not known establish a circuit Celse look up CSend m to S over C

SC



with probability


Drawback: we leak the reusage of a circuit via h

draw a random circuitdraw a handle (h,P,Q) for every ciphertext between P,Qleak these handles


Reusing Circuits (tighter)

21

user

attacker

S m 1m 2

This circuit has

been reused


A different Corruption Scenario

22

This circuit has been reused


The simulator

23

(m,S)


The simulator

23

(h,P1,P2,P3)

(m,S)

Black-box

E(k2,E(k3, 0l))


The simulator

23

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l)


The simulator

23

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l)


The simulator

23

(h,P1,P2,P3)

(m,S)

Black-box

h


The simulator

23

(h,P1,P2,P3)

(m,S)

Black-box

h


The simulator

23

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h

E(k4, m))


The simulator

23

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h


The simulator

23

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h

m


Our Black-Box

• Allows reusing circuits– Performs circuit construction– Maintains circuits

– Draws a fresh handle for every ciphertext

24


Are we done?

25

• How to prove circuit creation secure?– Goldberg, Stebila, and Ustaoglu introduced an efficient &

secure one-way AKE [DCC].– Perfectly suited for our proof.


Are we done?

25



• For non-malleable encryption schemes that's it.


Are we done?

25




• But Tor uses the malleable detCTR scheme:


Are we done?

25




• But Tor uses the malleable detCTR scheme:


Are we done?

25

E(k, m)⊕ c = E(k, m⊕ c)

E(k1,E(k2,E(k3,E(k4, m))))


A Problem with Malleability

26

E(k2,E(k3,E(k4, m)))

⊕c



26

⊕c



26

E(k2,E(k3,E(k4, m)))⊕ c

⊕c



26

E(k2,E(k3,E(k4, m⊕ c)))

⊕c



26

E(k3,E(k4, m⊕ c))

E(k4, m⊕ c)

⊕c



26

m⊕ c

⊕c



26

m⊕ c


Recall what we have to prove

27



protocol P

protocol P

∃∀ ∀



28

(m,S)



28

(h,P1,P2,P3)

(m,S)

Black-box

E(k2,E(k3, 0l))



28

(h,P1,P2,P3)

(m,S)

Black-box



28

(h,P1,P2,P3)

(m,S)

Black-boxE(k2,E(k3, 0l))⊕ c

E(k2,E(k3, 0l ⊕ c))



28

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l ⊕ c)



28

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l ⊕ c)



28

(h,P1,P2,P3)

(m,S)

Black-box

h



28

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h

E(k4, m))



28

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h

m �=m⊕ c



28

(h,P1,P2,P3)

(m,P3,P4,S)

(m,S)

Black-box

h


Predictable Malleability

• It turns out:We can predict the changes in the plaintext.

• There is a poly-time S and T s.t.

S(w,w') = T and T(m) = D(k,w')

• Generalized: Predictable Malleabilityfor stateful encryption schemes (details in the paper)

➡ Remedy: black-box additionally allows the simulator to send a transformation T

29



30

(m,S)



30

(h,P1,P2,P3)

(m,S)

Black-box

E(k2,E(k3, 0l))



30

(h,P1,P2,P3)

(m,S)

Black-box



30

(h,P1,P2,P3)

(m,S)

Black-boxE(k2,E(k3, 0l))⊕ c

E(k2,E(k3, 0l ⊕ c))



30

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l ⊕ c)



30

(h,P1,P2,P3)

(m,S)

Black-box

E(k3, 0l ⊕ c)

T(m) := m⊕ c



30

(h,P1,P2,P3)

(m,S)

Black-box

(h, T)

T(m) := m⊕ c



30

(h,P1,P2,P3)

(T(m),P3,P4,S)

(m,S)

Black-box

(h, T)

T(m) := m⊕ c

E(k4, m⊕ c)



30

(h,P1,P2,P3)

(T(m),P3,P4,S)

(m,S)

Black-box

(h, T)

T(m) := m⊕ c



30

(h,P1,P2,P3)

(T(m),P3,P4,S)

(m,S)

Black-box

(h, T)

m⊕ c


Our main result

• The Tor protocol – allowing to reuse circuits– with a strengthened integrity check

– with secure one-way AKE– against (partially) global active attackers

(details in the paper)

• realizes our black-box

31


Applications of this result

• For the OR anonymity analysis of Feigenbaum, Johnson, and Syverson– we show the exact conditions under which their result

applies.

• We did a first step towards proving forward secrecy

32


Future Work

• Incorporate timing attacks into the analysis

• Is a black-box leaking the reusage of a circuit useful?• Implications of removing the TLS link between routers

– the circuit ids are leaked to a network attacker

• Predictable malleability might be a useful notion for simulation-based proofs– e.g., for protocols that use efficient but malleable stream

ciphers

33

If h = - then draw a fresh handle h



Recall the elegant Overapproximation

34

(S, m, h)user

with probabilityx

attacker

m 1m 2

I know this routeb : fraction of compromised nodes


Future Work

• Incorporate timing attacks into the analysis

• Is a black-box leaking the reusage of a circuit useful?• Implications of removing the TLS link between routers

– the circuit ids are leaked to a network attacker

• Predictable malleability might be a useful notion for simulation-based proofs– e.g., for protocols that use efficient but malleable stream

ciphers

35

Thank you!

Questions?


practical and provably secure onion routing · 2012-07-16 · practical and provably secure onion...

Documents