Slicing the Onion: Anonymity Without PKI. Sachin Katti, Dina Katabi & Katya Puchala
State of the art: Onion Routing over P2P
State of the art: Onion Routing over P2P [Figure: Alice, Bob]
State of the art: Onion Routing over P2P • Encrypt packets in layers [Figure: Alice, Bob]
State of the art: Onion Routing over P2P [Figure: Alice, Bob] • Each node only knows its previous hop and next hop • Bob does not know the identity of Alice either
What's the catch? Centralized trusted PKI [Figure: Alice, Bob]
PKI Showstoppers! • Key distribution • Key updates • Compulsion attacks • Trust model. Can we have anonymity without PKI?
This talk… How to do anonymous communication without PKI
What kind of anonymity? • Message confidentiality • Source anonymity • Destination anonymity
Confidentiality without PKI • Source splits message M into two parts M1, M2 • Source sends M1 and M2 along node-disjoint paths [Figure: Source, Destination]
Confidentiality without PKI • Message: "Lets meet at 5 pm" • Split into two: "Lets meet", "at 5 pm" • Randomize them! Multiplying the two pieces by the matrix A with rows A1, A2 gives the random slices "aaspdgfqw", "asdlfrwe"
Confidentiality without PKI • Slices in transit: A1 "aaspdgfqw", A2 "asdlfrwe" • Reconstruct original information from the slices [Figure: Source, Destination]
Confidentiality without PKI • Received random slices: A1 "aaspdgfqw", A2 "asdlfrwe" • Matrix inversion: [A1; A2]^-1 applied to the slices gives the original pieces of the message, "Lets meet" and "at 5 pm" • Original message: "Lets meet at 5 pm"
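The split, randomize and matrix-inversion steps of the confidentiality slides, as an added example that is not code from the talk or its authors. It generalizes from two pieces to d pieces; the field GF(257), the zero padding and the function names are assumptions made for this sketch.

```python
import secrets

P = 257  # assumption: prime field GF(257), so every byte value is an element

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)]
            for row in A]

def invert(A):
    """Gauss-Jordan inversion over GF(P); ValueError if A is singular."""
    d = len(A)
    M = [row[:] + [int(i == j) for j in range(d)] for i, row in enumerate(A)]
    for c in range(d):
        piv = next((r for r in range(c, d) if M[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(d):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return [row[d:] for row in M]

def slice_message(msg, d):
    """Return d slices; slice i is (row A_i, A_i applied to the d pieces)."""
    n = -(-len(msg) // d)                      # piece length, rounded up
    padded = msg.ljust(n * d, b"\0")
    pieces = [list(padded[i * n:(i + 1) * n]) for i in range(d)]
    while True:                                # redraw until A is invertible
        A = [[secrets.randbelow(P) for _ in range(d)] for _ in range(d)]
        try:
            invert(A)
            break
        except ValueError:
            pass
    return list(zip(A, matmul(A, pieces)))

def reconstruct(slices, length):
    """Invert the matrix formed by the received rows to recover the pieces."""
    A = [list(a) for a, _ in slices]
    coded = [c for _, c in slices]
    pieces = matmul(invert(A), coded)
    return bytes(b for piece in pieces for b in piece)[:length]

if __name__ == "__main__":
    msg = b"Lets meet at 5 pm"
    print(reconstruct(slice_message(msg, 2), len(msg)))
```

A relay that sees fewer than d slices holds an underdetermined linear system and cannot perform the inversion; the order in which the slices arrive does not matter because each slice carries its own row of A.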
What about anonymity? Idea: Build anonymity from confidentiality
What about anonymity? Idea: Build anonymity from confidentiality • Source tells each relay the ID of its next hop in a confidential message
Challenge: Exponential blowup!
Challenge: Exponential Blowup • Solution: Node Reuse
Illustrative Example • Source has multiple IP addresses [Figure: S, S']
Illustrative Example • Source picks relays and organizes them in stages [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • Destination is placed randomly [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • V needs to know Z and R [Figure: nodes S, S', V, W, Z, R, X, Y; slices {Z1 R1} and {Z2 R2}]
Illustrative Example • V combines the two slices {Z1 R1} and {Z2 R2} to get its next hops Z and R: {Z R} [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • R needs to know X and Y • R can combine incoming slices {Y1 X1} and {Y2 X2} to get X and Y [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • Node-disjoint paths to R [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • Node-disjoint paths to Y [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • Node V is reused to construct disjoint paths to R and Y [Figure: nodes S, S', V, W, Z, R, X, Y]
Illustrative Example • Send slices in the same packet [Figure: nodes S, S', V, W, Z, R, X, Y; edges labelled with combined slices, e.g. {Z1 R1}{Y1 X1}]
Illustrative Example • Small number of nodes [Figure: nodes S, S', V, W, Z, R, X, Y; edges labelled with combined slices that include {rnd} slices, e.g. {Z1 R1}{Y1 X1}{rnd1}]
Slicing Protocol • Parameters – No. of stages → L – Splitting factor → d • Information for each relay I – Next hop IP addresses – Receiver flag – Symmetric session key (no PKI problems)
Slicing Protocol • Source picks L*d relays including the receiver • Relays are organized into L stages of d nodes each • For each relay source computes I • Source divides each I into d random slices (I_1, …, I_d)
Slicing Protocol • Relay X has to get the d slices (I_x1, …, I_xd) [Figure: nodes S, S', V, W, Z, R, X, Y; X labelled (I_x1, I_x2)]
Slicing Protocol • For each stage prior to X divide the d slices randomly between the d nodes in that stage [Figure: nodes S, S', V, W, Z, R, X, Y; edges labelled (I_x1) or (I_x2), X labelled (I_x1, I_x2)]
Slicing Protocol • Slices are following node-disjoint paths [Figure: nodes S, S', V, W, Z, R, X, Y; edges labelled (I_X1) or (I_X2), X labelled (I_X1, I_X2)]
Slicing Protocol • Slices are following node-disjoint paths [Figure: nodes S, S', V, W, Z, R, X, Y; edges labelled with slices for both X and Y, e.g. (I_X1 I_Y1), X labelled (I_X1, I_X2), Y labelled (I_Y1, I_Y2)]
Slicing Protocol • Source organizes L*d relays into L stages of d nodes • Source divides node information I into d random slices (I_1, …, I_d) • Relay X gets the d random slices (I_x1, …, I_xd) • If X is in stage k – Source goes to stages k-1 to 1 – Assigns the d slices of node X randomly to the d nodes in that stage
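The slice-assignment step summarized above, as an added example that is not code from the talk or its authors. It uses the relay names of the illustrative example (stages V/W, Z/R, X/Y); the function names and data layout are assumptions, and the slices are tracked by index only, without their contents.

```python
import random

def build_stages(relays, L, d):
    """Organize L*d relays into L stages of d nodes each."""
    if len(relays) != L * d:
        raise ValueError("need exactly L*d relays")
    return [relays[i * d:(i + 1) * d] for i in range(L)]

def assign_slices(stages, d, rng):
    """For each relay X in stage k and each earlier stage, give X's d slices
    to the d nodes of that stage, one slice per node, in random order.
    carrier[(X, j)] lists the nodes that carry slice j of X, stage by stage."""
    carrier = {}
    for k, stage in enumerate(stages):
        for x in stage:
            for j in range(d):
                carrier[(x, j)] = []       # stage-1 relays: source sends directly
            for earlier in stages[:k]:
                perm = rng.sample(earlier, d)   # random one-to-one assignment
                for j in range(d):
                    carrier[(x, j)].append(perm[j])
    return carrier

def paths_node_disjoint(carrier, x, d):
    """True if no relay appears on more than one slice path towards x."""
    seen = [n for j in range(d) for n in carrier[(x, j)]]
    return len(seen) == len(set(seen))

def slices_held(carrier, node):
    """Every (relay, slice index) that passes through `node` (node reuse)."""
    return sorted(key for key, path in carrier.items() if node in path)

if __name__ == "__main__":
    stages = build_stages(["V", "W", "Z", "R", "X", "Y"], L=3, d=2)
    carrier = assign_slices(stages, 2, random.Random())
    for (x, j), path in sorted(carrier.items()):
        print(f"slice {j} of {x}: source -> {' -> '.join(path + [x])}")
    print("V carries:", slices_held(carrier, "V"))
```

Because each earlier stage receives the d slices as a one-to-one assignment, every upstream relay holds exactly one slice of X, which is what keeps the d paths to X node-disjoint while the same relay is reused for other targets.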
Slicing Protocol – Decoding • Node uses the d slices from its parents to decode its information [Figure: slices I_x1 … I_xd arrive at X; decoding reconstructs I_x: IP addresses of next hops, Receiver Flag, Symmetric Key]
Slicing Protocol – Data Transmission • Each node in the graph has a symmetric key assigned by the source • Source uses normal onion routing to transmit data
Why this is exciting? • No PKI → Truly distributed P2P anonymous overlays • Scales to large number of nodes • Simple matrix multiplications → Efficient anonymity. Practical anonymity
What we are doing… • Resilience to node churn • Anonymity similar to Chaum mixes (i.e., onion routing) • Resilience to traffic analysis attacks • Implementing it on PlanetLab
To conclude… Fundamentally new way to provide anonymity that does not need PKI