security in p2p environments anonymity on the internet
TRANSCRIPT
Security in P2P environments
Anonymity on the internet
What is anonymity?
• “Generally speaking, our purpose is to hide the relationship between an observable action (for example, a message sent across a public network) and the identity of the users involved with this action”*
* A Survey of Anonymous Peer-to-Peer File-Sharing (Tom Chothia and Konstantinos Chatzikokolakis)
So who knows?
The internet service provider (ISP) know who you are.
For example my IP address is: [Example]
Visit www.Al-Qaeda.evil
An e-mail [Example]
The ISP would know that I did that
So?
Your IP address is your digital fingerprint, the ISP can link that to you
So if, for example, you are sharing music in an unprotected system, the RIAA / IFPI / whatever, can file a subpoena against your ISP to tell them who you are
Then you will properly get a nasty letter
A more extreme case
•Companies •Health insurance (Visiting netdoktor.dk a lot?)•Marketing (Only visiting book sites?)
•Governments•Perhaps I am a potential terrorist
Who could be interested in your
browsing habits?
People using the internet for nasty stuff
Hackers
Terrorists
Copyright infringement
People watching child pornography
People using the internet for “illegal” stuff
Political activist in, for example, China
People using the internet for legal stuff
Us? (Active session)
A few examples
Journalist (Investigative reporters)?
Socially sensitive communication (Illness, abuse)?
Law enforcement (Anonymous tips)?
People with marketing paranoia
Just to name a few
Is it relevant ?
This summer, France suggested that in EU, the internet traffic should be monitored so you could be “excluded” from the internet, if you did something they deemed illegal 3 times.
The Swedish “FRA-lov” allows the Swedish government to monitor all traffic going in and out of Sweden (using a very powerful computer).
Last Wednesday, the Danish ISP Tele2, was force to close access to the bit torrent site “Pirate Bay”
You could encrypt your message but
That does not ensure anonymity
It is still known who sent it, and where it was sent to
You could go to an internet cafe but
You are properly logged and videotaped while being there / going there (extreme case)
People will properly remember you being there (again extreme case)
You could use a proxy server but
You can find a proxy server at http://www.anonymizer.com/
Can you trust the proxy server?
Single point of failure
Single point of “lawsuit”
You can install a Trojan on another computer
It’s tedious
It’s illegal
It’s only complicating the search for you, somewhere you properly still left a digital fingerprint
Agenda
TOR
Freenet
MUTE
TOR
Archiving anonymity
Problems with basic routing
Routing – chain of nodes
Cryptostuff
The onion reveals!
Breakable?
Basic routing
Every router knows YOU!
ECHELON is listening !!
Claims
Total client anonymity, hidden routing information
Compromised routers/proxies does not break anonymity!
Traffic analysis in practice impossible
TOR solves this - http://tor.eff.org
The Onion Router
Remember Ogres = TOR
But how ???!
Connects through a chain of proxynodes
Encrypts messages in layers for each node
Each node only knows its neighbors in the chain
Routing information is also encrypted (important)
Routing chain 1
Routing chain 2
Routing chain 3
Cryptostuff
Cryptostuff
Cryptostuff
Public/private key encryption is slow
TOR uses this only for estabilishing symmetric key based encrypted link (faster)
Hiding routing info
1 •Client establishes routing path
2 •Each message is encrypted in layers with nodes public key
3 •Each node can unwrap their layer
4 •Each node decrypts the information and only gets encrypted ciphertext and IP on next node
5 •And so forth…
Requirements
Volunteers
You can't get anonymity alone
Distributed trust (more than one node)
Preferably nodes are as worldwide and spread as possible
Security increases with larger network (makes traffic analysis harder)
Neat features
General purpose TCP proxy – not just HTTP
Low latency
Easy to participate
Configurable – only relay HTTP traffic for example
Comes with bundled browser
[Example]and Vuze [Example]
Breakable?
Active session – what weaknesses can you see in this approach?
• Identification of a client is possible, by comparing the list of known ”stable” nodes, with nodes hopping on and off (probably end clients)
• Is 3 hops enough?• How about DNS lookups? If your ISP logs your DNS requests, it is
easy to see which sites you're visiting
Freenet
INTERNET
INTERNET
FREENET
YOU
CLIENTS
SERVERS
END-POINTS
DECENTRALIZEDPUBLISHERS
CONSUMERS
HOW DO I LOCATE
MY NEIGHBORS?
Somewhat
paranoid
Opennet
Truly paranoidDarknet
Content distribution
Publishing websites or 'freesites'
Communicating via message boards
Sending e-mail messages
Reading/updating wikis
WHAT IS FREENET USED FOR?
UNIQUE RESOURCE IDENTIFIERS
Content Hash Key (CHK)
• Great for content that does not change• Examples: images, audio files, copies of secret CIA documents
Signed Subspace Key (SSK)
• Like an Internet domain name, but using crypto stuff• Useful for content that changes (sites, discussions, etc.)
Keyword-Signed Keys (KSK)
• Easy to remember, but not very secure
HARD DRIVE SPACE
BANDWIDTH BY DEMAND
DEMO
MUTE
Mute is a P2P file sharing system
Designed with anonymity in mind
Classical search (you may know this)
Uses an algorithm inspired by ants
Designed for ad-hoc networks
[Example]
What is MUTE
So how does it work?
Each node have a pseudo identity
To search the network, a node broadcasts a message with its own pseudo identity, a unique message identifier and a time to live (TTL) counter.
This is sent to all the nodes neighbours and they send it to their neighbours
Until the TTL expire
Uses a non-deterministic time-to-live counter (decided up start up)
There are three phases
First phase: A count down to zero (To hide the originating node)
Second phase: Standard 5 hop counter
Third phase: Non-deterministic forwarding (A node will drop a message with ¾ probability and forward the message to n neighbours with 1 / (3*22)
When a node receives a message it records the pseudo address of the sender and the connection upon it was received
Each node builds and maintains this routing table for all the pseudo identities it sees
A node can respond over the most used connection (if it already has it in the routing table) or send the response to all its neighbours
You neighbours know your IP address but they do NOT know your virtual address
Each neighbour connection is encrypted so even though you could tap into the traffic between your neighbour, it would be unreadable
Normal P2P system
113.18.92.15: Madonna_Holiday.m
p3
In MUTE7213..DCA5:
Madonna_Holiday.mp3
So how would this look?
Should you trust these systems?
Winny (P2P file sharing)
2 people using it got arrested (movie sharing)
And the author (Researcher at Tokyo CS department)
REFERENCES
• @book{oram01peer, title = {Peer-To-Peer: Harnessing the Benefits of a Disruptive Technology}, editor = {Andy Oram}, publisher = {O'Reilly \& Associates}, year = {2001}}
• @article{surveyP2P, title = {A Survey of Anonymous Peer-to-Peer File-Sharing}, author= {Tom Chothia and Konstantinos Chatzikokolakis}, year = {2005}}
• @article{piCalculus, title = {Analysing the MUTE Anonymous File-Sharing System Using the Pi-Calculus}, author= {Tom Chothia}, year = {2006}}
• @webpages{MUTE, FreeNet and TOR respectively:http://mute-net.sourceforge.net/http://freenetproject.org/http://www.torproject.org/
}
• @article{lowcost, title = {Low-Cost Traffic Analysis of Tor}, author= {Steven J. Murdoch and George Danezis}, year = {2005}}
• @slides{tor, title = {Anonymous Communications for the United States Department of Defense...and you}, author= {Roger Dingledine}, year = {2005}}