mixminion design of a type iii anonymous remailer
play

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger - PowerPoint PPT Presentation

Dec 23, 2022 •235 likes •656 views

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven Project 1 Threat Model (what we aim to defend against) Global passive adversary can observe everything Owns half the nodes We are not

  1. Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven Project 1

  2. Threat Model (what we aim to defend against) • Global passive adversary – can observe everything • Owns half the nodes We are not real-time, packet-based, or steganographic 2

  3. Direct Forwarder A B 1 M, to B M But: an observer of Alice can just read M and know it’s going to Bob 3

  4. Add Encryption A B 1 E(M, to B) M But: 1 still knows Alice sent M to Bob 4

  5. Multiple Hops A E ...(E (M,to B), to 2) B E ...(M,to B) M 1 2 1 2 2 Assume: Not all hops will collude and reveal A But: How do you know what the servers are? 5

  6. Statistics servers (directory servers) Mixmaster Latent-Hist Latent Uptime-Hist Uptime Options ---------------------------------------------------------------- winter 111032010010 :42 ++++++++++++ 100.0% PR O xganon 000000000000 :03 ++++++++++++ 100.0% PR green 00000000000? :09 +++++++++++0 97.8% 2 O lcs 151231221221 1:30 +++++++++7++ 97.8% M • Have several servers to avoid single point of failure • They can send test messages and tell users which nodes are up 6

  7. Direct Reply (Trying to hide A’s location) B A 1 M,"alice" M “alice”=an4691@anon.penet.fi ( A has told 1 her location.) This and the direct forward gets you type 0 remailers (anon.penet.fi) But: observers still know it goes to A . And 1 knows where A lives. 7

  8. Reply Blocks B A E(E(...(M))) M,"alice" E(M),D("alice") 1 2 ... • “alice” = 1 , E 1 (2 , ...E n ( A )) • Hard for B to get a reply block from A. 8

  9. Nymserver B A M,alice@nym.alias.net M, "alice" E(E(...(M))) NS ... NS knows A ’s reply block but not her location. 9

  10. Anonymized Reply B A E(E(...(M))) E(E(...(M), to "NS")) M, "alice" NS ... ... • NS doesn’t know A or B • If you stop here you get type 1 (cypherpunk) remailers. 10

  11. Batching and Mixing Encryption doesn’t matter if there’s only one message. ... ... ... A B 1 E(...M,B) M ... ... ... But: Different-sized messages can still be distinguished. 11

  12. Fixed length messages by re-padding 2 3 1 3 ... ... M M 3 • Add random junk to the bottom to replace the header you strip off • Everything’s encrypted, so it looks ok. But: Replay attacks – a given message always decrypts the same way! 12

  13. Replay cache • When a message comes in, hash it and add it to the replay cache. • If it’s already in the cache, drop it. But: you have to remember all the hashes forever! 13

  14. Expiration dates • Exp date is chosen randomly between 3 days ago and 3 days from now. • Each node checks exp date; if more than 7 days old, drop. • Now adversary can’t tell when the message was sent from its exp date; and servers can forget hashes that are > 7 days old. 14

  15. Flooding attack But you can flood a node so you know all but one message in the batch. A B 1 E(...M,B) M 15

  16. Pooling • Not all messages come out at each flush. Keep a minimum number in the pool, always. • Now it’s harder to target an individual message. 16

  17. • But: Trickle attack – what if you’re the only one who sends a message into the node in a given interval? • More broadly, what if you’re the only one who sends a message into the whole network, in that interval? 17

  18. Dummy messages • Users sometimes send decoy messages even if they have nothing to send. • Hopefully there will be enough messages that the adversary will be confused. • Dummies go several hops and stop (hard to decide convincing destinations). • If you stop here, you get type 2 (Mixmaster) remailers. 18

  19. Passive subpoena attack • Eve can record messages for later subpoena She can also recognize her own messages, which helps with flooding attacks • Fix: Link encryption with ephemeral keys (rekeyed every message / few minutes) 19

  20. Active subpoena attack • Mallory can still record messages from the node she runs, and arrive later with a subpoena. • Fix: Periodic key rotation 20

  21. Partition attack on client knowledge (1) • Adversary can distinguish between clients that use static node lists and clients that frequently update from the directory servers. • Fix: Clients must all use the same algorithm for updating from the directory servers. Directory servers must be part of the spec! 21

  22. Partition attack on client knowledge (2) • Directory servers can be out of sync; evil directory servers can give out rigged subsets to trace clients. • Fix: DSs must successively sign directory bundles; a threshold of servers is assumed good. 22

  23. Partition attack on message expiration date • Delaying a message a few days will push its exp date to one end of the valid window – so they won’t be uniformly distributed. • Fix: No expiration dates. Keep all hashes until key rotates. 23

  24. Tagging attack on headers • Mixmaster headers have a hash to integrity-check the fields for that hop. But it doesn’t check the rest of the header. • So we can flip some bits later in the header, and if we own the node later in the path that corresponds to the header we just broke, we can recognize the message. • We must make the hash cover the entire header. 24

  25. Tagging attack on payload • Flip some bits in the payload, and try to recognize altered messages when they’re delivered. • Fix: Make the hash cover the payload too. 25

  26. We’re still using Cypherpunk replies • No replay detection, no batching, messages change length at each hop, etc. • Fix: Do all this stuff for replies too. Since we want to encrypt replies at each hop, use a cryptosystem where decrypt is as strong as encrypt. 26

  27. But you can’t write a reply block without knowing the payload! • Since the author of the reply block can’t guess the right hashes for the payload, we’ve reintroduced the payload tagging attack. • Actually, that’s ok. Since we’re encrypting at each hop, only the recipient can recognize the tag. 27

  28. But forward messages and replies must now be distinguishable • Forward messages need hashes, and replies can’t have them. • Assuming replies are rare relative to forwards, replies are easy to track. 28

  29. We support three delivery types • Forward messages, only Alice remains anonymous • Direct replies, only Bob remains anonymous • Anonymized reply messages where Alice and Bob remain anonymous Parties that get anonymity must run our software. 29

  30. Messages have two headers and a payload Divide the path into two legs, one for each header • For forward messages, Alice chooses both legs • For direct replies, Alice can use the reply block directly • For anonymized replies, Alice chooses the first leg and uses Bob’s reply block for the second. 30

  31. Legs are connected by the Crossover Point • One of the hops in the first header is marked as a crossover point • At the crossover point, we decrypt the second header with a hash of the payload, and then swap the headers. 31

  32. Forward messages are anonymous: • If the second header or the payload are tagged in the first leg, then the second header is unrecover- able. • If tagged in the second leg, we’ve already gotten anonymity from the first. 32

  33. Replies are anonymous: • The adversary can never recognize his tag. 33

  34. Multiple-message tagging attacks • If Alice sends multiple messages along the same path, Mallory can tag some, recognize the pattern at the crossover point, and follow the rest. • Only works if Mallory owns the crossover point. • Fix: Alice picks k crossover points (and hopes Mallory doesn’t own most of them) 34

  35. Nymservers and single-use reply blocks • Work like imap servers • User anonymously sends a bunch of reply blocks to receive the mail that’s waiting for him. 35

  36. If you stop here, you get the current Mixminion remailer design. 36

  37. Open problem: reputation on the directory servers How do we let clients learn which nodes are good, without: Letting the adversary do partitioning attacks on clients Letting the adversary get more traffic by behaving well 37

  38. Open problem: trickle attack on directory servers • Malicious nodes can hold a message and release it later, when circumstances are different. • More broadly, we’re still in an arms race against flooding and trickle attacks 38

  39. Open problem: long-term intersection attack • The fact that not all users are sending messages all the time leaks information. • By observing these patterns over time, we can learn more and more confidently who is sending mail, to whom, when, etc. • Major unsolved problem in anonymity systems. 39

  40. Privacy Enhancing Technologies workshop March 26-28, 2003 Dresden, Germany http://petworkshop.org/ 40

  41. Play with our code http://mixminion.net/ 41

Recommend

Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net

Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net

Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net Our Goals Fix holes in Mixmaster (Type-II) remailers Conservative design Working implementation; deployed network Our Adversary

447 views • 9 slides
Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson 1 Outline Background Related systems A few improvements over past work Secure single-use reply block mechanism 2 Anonymous,

544 views • 22 slides
Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine

Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine

Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine The Free Haven Project {nickm,arma}@freehaven.net Scope Introduction to anonymity How we got started Introduction to mix-nets

649 views • 27 slides
M ixminion: D esign of a T ype III Anonymous Remailer Prot ocol Roger D ingledine T he Free

M ixminion: D esign of a T ype III Anonymous Remailer Prot ocol Roger D ingledine T he Free

M ixminion: D esign of a T ype III Anonymous Remailer Prot ocol Roger D ingledine T he Free Haven Project 1 T hreat M odel ( what we aim t o defend against ) Global passive adversary can observe M ult iple Hops A E ...(E (M,to B),

290 views • 15 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Two cool ideas: Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons and/or menu items in your VectorGraphics project Three approaches for responding to the events from selecting those buttons /

406 views • 6 slides
12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship of men and women who share their experience, strength and hope with each other that they may solve their common problem and help others to recover

1.11k views • 76 slides
The Zcash Anonymous Cryptocurrency or zk-SNARKs for the interested layperson Sven M. Hallberg 29

The Zcash Anonymous Cryptocurrency or zk-SNARKs for the interested layperson Sven M. Hallberg 29

The Zcash Anonymous Cryptocurrency or zk-SNARKs for the interested layperson Sven M. Hallberg 29 Dec 2016 33rd Chaos Communication Congress, Hamburg What is Zcash Based on Bitcoin (altcoin) Adds a second type of address ( t XXXX, z

553 views • 26 slides
CS 671 Automated Reasoning Extending Nuprls Type Theory 1. Design Decisions for Nuprls Type

CS 671 Automated Reasoning Extending Nuprls Type Theory 1. Design Decisions for Nuprls Type

CS 671 Automated Reasoning Extending Nuprls Type Theory 1. Design Decisions for Nuprls Type Theory 2. Product, Union, and List Types 3. The Curry-Howard Isomorphism, formally 4. Empty and Unit Types Design Decisions for Nuprls Type Theory

556 views • 8 slides
Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The CA Group Cocaine Anonymous Is The 12 Steps Cocaine Anonymous Is Not Spirituality History of Cocaine Anonymous Sponsorship

700 views • 37 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr Kuznetsov Telecom ParisTech I am here to talk about ... the computability issues of failure-prone anonymous broadcast models. Anonymous Model

660 views • 21 slides
THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous , the concept, God as you understand Him including everyone. In 2017 not so much How Many Atheists are there? (last updated May 31,

400 views • 21 slides
The Free Haven project: Distributed Anonymous Storage Service R. Dingledine (MIT), M.J.

The Free Haven project: Distributed Anonymous Storage Service R. Dingledine (MIT), M.J.

http://www.freehaven.net The Free Haven project: Distributed Anonymous Storage Service R. Dingledine (MIT), M.J. Freedman(MIT) and S. Molnar(Harvard) Proceedings of the Workshop on Design Issues in Anonymity and Unobservability, July 2000

446 views • 40 slides
Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free Haven Project http://tor.eff.org/ April 12, CFP 2005 Talk Outline Motivation: Why anonymous communication? Myth 1: This is only for privacy

488 views • 33 slides
Chicago Type, Double Leaf, Trunnion, Bascule Bridge Chicago Type design evolved from research

Chicago Type, Double Leaf, Trunnion, Bascule Bridge Chicago Type design evolved from research

Chicago Type, Double Leaf, Trunnion, Bascule Bridge Chicago Type design evolved from research in late 1890s by the Chicago Bridge Department to find a patent free design for both land and water based traffic Double Leaf two

658 views • 32 slides
Anonymous Communications (I) 01010010010101010101010101 01001010010010111010100

Anonymous Communications (I) 01010010010101010101010101 01001010010010111010100

010100100101010101010101010101010101001001001011 010100100101110101001011100100101000010101100 100101010001010101010001001000011110 0010101011100110010101001011100 10010101010011101001011100101 Anonymous Communications (I)

641 views • 29 slides
Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A.

Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A.

Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A. Logo are registered trademarks of Cocaine Anonymous World Services, Inc. All rights reserved. Some of the items contained in this presentation are

439 views • 29 slides
Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven Project Electronic Frontier Foundation http://tor.eff.org/ 17 September 2005 Talk Outline Motivation: Why anonymous communication? Myth 1:

703 views • 47 slides
Hardware Design with VHDL Design Example: SRAM ECE 443 External SRAM A common type of system

Hardware Design with VHDL Design Example: SRAM ECE 443 External SRAM A common type of system

Hardware Design with VHDL Design Example: SRAM ECE 443 External SRAM A common type of system RAM is asynchronous static RAM (SRAM). Access is more complicated than internal memory -- here data, address and control signals must be asserted in a

285 views • 27 slides
Design principles II 1. Typography 2. Layout 3. Color Typography Fonts and how to use them

Design principles II 1. Typography 2. Layout 3. Color Typography Fonts and how to use them

Design & Presentation Design principles II 1. Typography 2. Layout 3. Color Typography Fonts and how to use them Via Type On Screen Via Type On Screen Type classication Via The Non-Designer's Design Book Via The Non-Designer's

652 views • 54 slides
Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous, Censorship-Resistant Networks Dennis Kgler Federal Office for Information Security, Germany Dennis.Kuegler@bsi.bund.de 1 Anonymous,

488 views • 16 slides
R V EMINGTON & ERNICK ENGINEERS 922 FAYETTE STREET, CONSHOHOCKEN, PA 19428 PH: (610)

R V EMINGTON & ERNICK ENGINEERS 922 FAYETTE STREET, CONSHOHOCKEN, PA 19428 PH: (610)

COUNTY DISTRICT ROUTE SECTION SHEET 6-0 MONTGOMERY 000 CPT 4 OF 6 HATBORO BOROUGH REVISION REVISIONS DATE BY NUMBER OAKDA LE AV E NU E M H TYPE 1 ADA TYPE 1 ADA CURB RAMP CURB RAMP DESIGN/BUILD DESIGN/BUILD C O N C U S

198 views • 3 slides
Facemask FACEBOOK + YIKYAK = FACEMASK TODD MAEGERLE AND CARSON LIPSCOMB An Anonymous Way to

Facemask FACEBOOK + YIKYAK = FACEMASK TODD MAEGERLE AND CARSON LIPSCOMB An Anonymous Way to

Facemask FACEBOOK + YIKYAK = FACEMASK TODD MAEGERLE AND CARSON LIPSCOMB An Anonymous Way to Communicate with people around you u Yik Yak u gathers posts by geolocation u anonymous An Anonymous Way to Communicate with people around you

205 views • 3 slides

More recommend