towards an analysis of onion routing security syverson, tsudik, reed, and landwehr pet 2000...
TRANSCRIPT
Towards an Analysis of Onion Routing SecurityTowards an Analysis of Onion Routing Security
Syverson, Tsudik, Reed, and LandwehrPET 2000
Presented by: Adam Lee1/26/2006
Syverson, Tsudik, Reed, and LandwehrPET 2000
Presented by: Adam Lee1/26/2006
2
Goals of the PaperGoals of the Paper
Overview of onion routing Explanation of security goals Description of network model & assumptions
Discussion of adversary types Security analysis Comparison with Crowds
Overview of onion routing Explanation of security goals Description of network model & assumptions
Discussion of adversary types Security analysis Comparison with Crowds
3
Onion RoutingOnion Routing
Onion router ≈ real time Chaum mix Store and forward with minimal delays
Onion routing connection phases Setup Transmission Teardown
Onion router ≈ real time Chaum mix Store and forward with minimal delays
Onion routing connection phases Setup Transmission Teardown
4
Setup PhaseSetup Phase
Connection initiator builds an onion Layered cryptographic structure, specifying:
Path through network Point-to-point symmetric encryption algorithms Cryptographic keys
Structure not rigorously specified in paper
At each step Router decrypts entire structure Sets up encrypted channels to predecessor and successor nodes
Forwards new onion on to successor
Connection initiator builds an onion Layered cryptographic structure, specifying:
Path through network Point-to-point symmetric encryption algorithms Cryptographic keys
Structure not rigorously specified in paper
At each step Router decrypts entire structure Sets up encrypted channels to predecessor and successor nodes
Forwards new onion on to successor
5
Transmission PhaseTransmission Phase
When connection initiator wants to send data Break data into uniform (128 bit) blocks Encrypt each block once for each router in the path Note: Use symmetric encryption here
Send data to first onion router
All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!
When connection initiator wants to send data Break data into uniform (128 bit) blocks Encrypt each block once for each router in the path Note: Use symmetric encryption here
Send data to first onion router
All onion routers connected by persistent TCP thick pipes which add another layer of encryption on top of all of this encryption!
6
Security GoalsSecurity Goals
The goal is to hide Sender activity Receiver activity Sender content Receiver content Source-destination pairs
The goal is to hide Sender activity Receiver activity Sender content Receiver content Source-destination pairs
7
Network AssumptionsNetwork Assumptions
1. Onion routers are all fully connected
2. Links are padded or bandwidth-limited to a constant rate
3. Unrestricted exit policies4. For each route, each hop is
chosen at random5. Number of nodes in a route is
chosen at random
1. Onion routers are all fully connected
2. Links are padded or bandwidth-limited to a constant rate
3. Unrestricted exit policies4. For each route, each hop is
chosen at random5. Number of nodes in a route is
chosen at random
8
Know Your Enemy…Know Your Enemy…
4 Types of adversaries Observer Disrupter Hostile user Compromised COR
4 Types of adversaries Observer Disrupter Hostile user Compromised COR
Adversary distributions Single Multiple Roving Global
Adversary distributions Single Multiple Roving Global
Note: Authors claim that a group of roving compromised CORs is most powerful (and realistic) adversary model. Is this true?
9
Security AnalysisSecurity Analysis
10
Analysis ParametersAnalysis Parameters
r : number of CORs in the system S : set of CORs in the system n : route length R = {R1, R2, …, Rn} : A specific route
c : maximum number of compromised CORs
C : set of compromised CORS
r : number of CORs in the system S : set of CORs in the system n : route length R = {R1, R2, …, Rn} : A specific route
c : maximum number of compromised CORs
C : set of compromised CORS
11
Important CasesImportant Cases
Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider. R1 C
Probability = c/r Rn C
Probability = c/r R1 and Rn C
Probability = c2/r2
Each case has it’s own important properties
Assume not all CORs are compromised (i.e., c < n). There are three important cases to consider. R1 C
Probability = c/r Rn C
Probability = c/r R1 and Rn C
Probability = c2/r2
Each case has it’s own important properties
12
Properties of AttacksProperties of Attacks
R1 C Rn C R1 and Rn C
Sender activity
Yes No Yes
Receiver activity
No Yes Yes
Sender content
No No Inferred
Receiver content
No Yes Yes
S/D linking No No Yes
13
The Attacker’s GameThe Attacker’s Game
Probability that at least one COR on the route is compromised a startup 1 - Pr(R C = ) = 1 - (r-c)n/rn
Adversary determines Rs where s = min(j [1 … n] and Rj R C) Re where e = max(j [1 … n] and Rj R C)
Attacker can easily test to see if Rs = Re, Rs = R1, or Re = Rn
Probability that at least one COR on the route is compromised a startup 1 - Pr(R C = ) = 1 - (r-c)n/rn
Adversary determines Rs where s = min(j [1 … n] and Rj R C) Re where e = max(j [1 … n] and Rj R C)
Attacker can easily test to see if Rs = Re, Rs = R1, or Re = Rn
14
The Attacker’s Game (cont.)The Attacker’s Game (cont.) At each time step
Move one step closer to R1 (e.g., Rs = Rs-1) Move one step closer to Rn (e.g., Re = Re+1) Compromise c-2 routers to try to find another link in the route Unless one endpoint is found, then can compromise c-1 routers
Worst case: max(s, n-e) rounds to reach both endpoints Don’t offer analytic solution to expected number of rounds to compromise both endpoints
At each time step Move one step closer to R1 (e.g., Rs = Rs-1) Move one step closer to Rn (e.g., Re = Re+1) Compromise c-2 routers to try to find another link in the route Unless one endpoint is found, then can compromise c-1 routers
Worst case: max(s, n-e) rounds to reach both endpoints Don’t offer analytic solution to expected number of rounds to compromise both endpoints
15
Example (n=6, r=10, c=2)Example (n=6, r=10, c=2)
Attacker Wins!Attacker Wins!
16
Thoughts on the “Game”Thoughts on the “Game” What is a round? An attacker unit of time? A defender unit of time?
How long is a round? What does this analysis tell us without knowing that?
If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?
Can we derive meaningful requirements from this analysis?
What is a round? An attacker unit of time? A defender unit of time?
How long is a round? What does this analysis tell us without knowing that?
If compromising routers is as easy as jus doing it, what security at all does onion routing offer us?
Can we derive meaningful requirements from this analysis?
17
Discussion QuestionsDiscussion Questions
What are the dangers of assumption 2 (constant bandwidth)?
Is the freedom to choose one’s routes through the network a double-edged sword?
What are the dangers of assumption 2 (constant bandwidth)?
Is the freedom to choose one’s routes through the network a double-edged sword?
18
Discussion Questions (cont.)Discussion Questions (cont.) Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?
The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?
Assumption 4 says routes are chosen at random. From an probability standpoint, is this better or worse than everyone using the same route (e.g., a Hamiltonian path through the COR network)? Is it the same?
The title of this paper is “Towards an Analysis of Onion Routing Security” and it clearly makes a good first contribution to this area. How could this analysis be improved and/or made more comprehensive?
19
Discussion Questions (cont.)Discussion Questions (cont.) Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.
Why would NRL fund this type of work? Contrast this with the previous work done in this area by groups such as the cypherpunks.