Slicing the Onion: Anonymity Using Unreliable Overlays
Sachin Katti, Jeffrey Cohen & Dina Katabi
Problem Statement
Leverage existing popular P2P overlays to send confidential, anonymous messages without keys
Overlays rock!
• Thousands of nodes
• Plenty of traffic to hide anonymous communication
• Diverse membership → nodes unlikely to collude
• Dynamic → hard to track
Ideal for anonymous communication
Overlays suck!
• Nodes don’t have public keys
• Nodes are not trustworthy
• Nodes are unreliable
This talk: Information Slicing
• Message confidentiality, and source and destination anonymity
• No public keys
• Churn resilient
1. Message Confidentiality Without Keys
Confidentiality via Information Slicing
Split message to random pieces and send pieces along node-disjoint paths
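Original message: “Borat: Cultural Leanings of America”
Split into two: “Borat: Cultural”, “Leanings of America”
Randomize them!
$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \begin{pmatrix} \text{“Borat: Cultural”} \\ \text{“Leanings of America”} \end{pmatrix} = \begin{pmatrix} \text{“aaspdgfqw”} \\ \text{“asdlfrwe”} \end{pmatrix}$$
Random pieces: “aaspdgfqw”, “asdlfrwe”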
Confidentiality via Information Slicing
[Figure: Me → D; each piece travels with its coefficients: (“aaspdgfqw”, a_{11}, a_{12}) and (“asdlfrwe”, a_{21}, a_{22})]
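Message Recovery by destination
Received random pieces: (“aaspdgfqw”, a_{11}, a_{12}), (“asdlfrwe”, a_{21}, a_{22})
Matrix inversion:
$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}^{-1} \begin{pmatrix} \text{“aaspdgfqw”} \\ \text{“asdlfrwe”} \end{pmatrix} = \begin{pmatrix} \text{“Borat: Cultural”} \\ \text{“Leanings of America”} \end{pmatrix}$$
Pieces of original message: “Borat: Cultural”, “Leanings of America”
Original message: “Borat: Cultural Leanings of America”
Destination gets all pieces → can decode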
Even an attacker that gets all but one piece cannot decode!
2. Anonymity without Keys
System Setup
Anonymous communication has two phases
• Route Setup
  • A node learns how to forward a received message
• Data transmission
  • Just follow the routes
Setup Anonymous Routes
• Each node knows its next hop
• No one else knows the next hop of a node
• Why not tell each node the ID of its next hop in a confidential message?
Idea: Build anonymity by confidentially sending to each node its routing info!
Naïve way to send to a node its next hop
[Figure: nodes V, W, Z, R]
Z’s next hop information: I_{Z1}, I_{Z2}
R’s next hop information: I_{R1}, I_{R2}
Exponential Blowup!
Challenge: Exponential Blowup
Solution: Reuse nodes without giving them too much information
[Figure: nodes V, W, Z, R and the pieces I_{Z1}, I_{Z2}, I_{R1}, I_{R2}]
• V and W will know Z and R’s next hops
• Reuse V to send pieces that belong to different nodes (I_{Z1}, I_{R1})
• Reuse nodes to send multiple pieces as long as the pieces belong to different messages
Slicing Protocol
[Figure, built up step by step: source addresses S and S’ and overlay nodes V, W, Z, R, D, X]
• Source has multiple IP addresses
• Source organizes nodes into stages
• Destination D is placed randomly (here in last stage)
• Source confidentially tells each node its next hop info
• V receives the ids of its next hops along disjoint paths: I_{V1}, I_{V2}
• V also receives one piece meant for Z and one for R, but cannot decipher their next hops: V holds (I_{V1}, I_{Z1}) and (I_{V2}, I_{R2})
• W also receives its info and pieces for Z and R; W cannot decipher Z’s and R’s next hops: W holds (I_{W1}, I_{R1}) and (I_{W2}, I_{Z2})
• V and W have pieces meant for Z and R: (I_{Z1}, I_{R2}) and (I_{Z2}, I_{R1})
• V and W forward the pieces meant for Z and R: I_{Z1}, I_{Z2}, I_{R1}, I_{R2}
• Node disjoint paths to deliver to Z its I_{Z1}, I_{Z2}; V and W do not have enough pieces to know Z’s info
• The same for R
• V and W are reused without revealing anything about Z and R’s routing information
• Similarly source constructs entire graph
Anonymity without keys!
3. Dealing With Churn
Slicing Protocol - Churn
[Figure: slicing graph with nodes S, S’, V, W, Z, R, D, X]
• What if node V departs?
• Destination cannot decode
How Do We Combat Churn?
• Churn causes data loss
• Typical solution → add redundancy
• Use coding to efficiently add redundancy
Source Coding the Data
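• Source Coding (Erasure Codes)
• Split into 3 pieces instead of 2
• Any 2 pieces suffice to retrieve data
• Added redundancy of (1/2) = 50%
$$\begin{pmatrix} I_1 \\ I_2 \\ I_3 \end{pmatrix} = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \\ a_{31} & a_{32} \end{pmatrix} \begin{pmatrix} m_1 \\ m_2 \end{pmatrix}$$
$$\begin{pmatrix} m_1 \\ m_2 \end{pmatrix} = \begin{pmatrix} a_{21} & a_{22} \\ a_{31} & a_{32} \end{pmatrix}^{-1} \begin{pmatrix} I_2 \\ I_3 \end{pmatrix}$$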
Source Coding For Robustness
[Figure: overlay graph with source addresses S, S1, S2 and nodes V, W, U, Z, R, P, D, X, Y]
• Destination D gets two pieces → can decode
Source coding can tolerate one node failure in the network
• What if a second node (here Z) fails?
• Destination D cannot decode
Coding partially solves problem
[Figure: the same overlay graph; node R receives pieces I_1, I_2 and sends out I_1, I_2]
• Focus on node R
Due to upstream node failure, R receives 2 pieces instead of 3
R can only send out two pieces now; initial redundancy is destroyed
Regenerating Redundancy
[Figure: node R holding pieces I_1 and I_2]
Pieces are linear combinations of message fragments
$$I_1 = a_{11} m_1 + a_{12} m_2$$
$$I_2 = a_{21} m_1 + a_{22} m_2$$
Network Coding
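[Figure: node R holding pieces I_1 = a_{11} m_1 + a_{12} m_2 and I_2 = a_{21} m_1 + a_{22} m_2]
R can create a linear combination of the pieces he received to generate a new piece
Take linear combination of the pieces:
$$I'_3 = I_1 + I_2 = (a_{11} + a_{21}) m_1 + (a_{12} + a_{22}) m_2$$
New piece: I'_3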
Network Coding
[Figure: node R receives I_1, I_2 and sends out I_1, I_2, I'_3]
R can now send out 3 pieces instead of 2
Redundancy is regenerated inside the network
Can tolerate downstream node failures
Network coding can tolerate one node failure in every stage
General Network Coding
• Nodes send linear combinations of incoming pieces
• Technique generalizes to any number of extra pieces
For k extra pieces, network coding tolerates k failures in
every stage
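The slicing, source-coding and relay network-coding steps from sections 1 and 3, put together as an added example (not code from the talk or from the authors' implementation). It assumes arithmetic over the prime field GF(2^61 - 1), byte-wise fragments, and that each piece travels with its coefficient row; all function names are illustrative, and the relay uses random nonzero weights, which generalizes the I_1 + I_2 combination shown on the slide.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumed); large, so random rows are independent w.h.p.

def split(msg, d):
    """Cut msg into d equal-length fragments, zero-padded."""
    size = -(-len(msg) // d)
    msg = msg.ljust(size * d, b"\0")
    return [msg[i * size:(i + 1) * size] for i in range(d)]

def combine(weights, vectors):
    """Weighted sum of equal-length vectors over GF(P)."""
    return [sum(w * v[k] for w, v in zip(weights, vectors)) % P
            for k in range(len(vectors[0]))]

def encode(fragments, n):
    """Source: n pieces (coeff_row, payload), each a random mix of the fragments."""
    rows = [[secrets.randbelow(P) for _ in fragments] for _ in range(n)]
    return [(row, combine(row, fragments)) for row in rows]

def recombine(pieces):
    """Relay: network-code a fresh piece from the pieces that arrived."""
    w = [1 + secrets.randbelow(P - 1) for _ in pieces]  # nonzero weights
    return (combine(w, [c for c, _ in pieces]), combine(w, [p for _, p in pieces]))

def decode(pieces, d):
    """Destination: solve A*m = I over GF(P) by Gauss-Jordan on the first d pieces."""
    if len(pieces) < d:
        raise ValueError("fewer than d pieces: cannot decode")
    rows = [list(c) + list(p) for c, p in pieces[:d]]
    for col in range(d):
        piv = next((r for r in range(col, d) if rows[r][col]), None)
        if piv is None:
            raise ValueError("pieces are linearly dependent")
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(d):
            if r != col:
                f = rows[r][col]
                rows[r] = [(x - f * y) % P for x, y in zip(rows[r], rows[col])]
    return b"".join(bytes(row[d:]) for row in rows)

def demo():
    frags = split(b"constructed sample message", 2)  # constructed input, d = 2
    i1, i2, i3 = encode(frags, 3)      # 3 pieces, any 2 suffice (50% redundancy)
    i3_new = recombine([i1, i2])       # i3 lost upstream; relay R regenerates a third piece
    return decode([i2, i3_new], 2)     # i1 lost downstream; D still decodes
```

Because the relay weights are nonzero, the regenerated piece is linearly independent of each received piece on its own, so either one plus the new piece is enough for the destination.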
4. Evaluation
Evaluation Environment
• Implementation in Python
• Evaluated both in simulation and on PlanetLab
• Evaluate anonymity, performance and churn resilience
• Each metric is evaluated against the optimal existing baseline
Anonymity
• Simulate an overlay of 10000 nodes
• Attackers are placed randomly in the network
• Attackers can control nodes, snoop on their edges, and collude
• Comparison with Chaum mixes (optimal baseline)
• Entropy is standard anonymity metric
$$\text{Anonymity} = \frac{-\sum_{x} P(x)\log(P(x))}{\log(N)}$$
How anonymous is information slicing?
[Figure: Source Anonymity. Anonymity vs. Fraction of Attacking Nodes, for Info. Slicing and Chaum mix]
High anonymity despite no keys
Churn Resilience
• Compared against practical anonymity system Onion Routing
• For fairness, onion routing is modified to have redundancy using source coding
• Metric:
• Prob. of successfully sending a message, given a particular redundancy
Churn Resilience
[Figure: Probability of Success vs. Added Redundancy, for Info. Slicing and Onion Routing with source coding. Results for a Probability of Node Failure = 0.3]
Large increase in probability of success because of network coding
Implementation on PlanetLab
Churn Resilience - PlanetLab
[Figure: Probability of Success (0 to 1) vs. Added Redundancy (0 to 1.5), for Information Slicing and Onion Routing with source coding]
Network Coding nearly doubles the churn resilience with the same overhead!
Performance
• Two nodes in each stage and five stages
[Figure: two panels, Local Network and PlanetLab. Throughput (Mb/s) vs. No. of Stages, for Info. Slicing and Onion Routing]
Parallel paths → increased throughput
Conclusion
Information Slicing provides
• Confidentiality: Node disjoint paths
• Low Cost Anonymity: Node Reuse
• Churn Resilience: Network Coding
Enabled anonymous communication in P2P overlays with no keys.