
Tarzan: A Peer-to-Peer Anonymizing Network Layer



  1. Tarzan: A Peer-to-Peer Anonymizing Network Layer
     Michael J. Freedman, NYU
     Robert Morris, MIT
     ACM CCS 2002
     http://pdos.lcs.mit.edu/tarzan/

  2. The Grail of Anonymization
     • Participant can communicate anonymously with non-participant
     • User can talk to CNN.com
     • Nobody knows who user is
     November 20, 2002 Tarzan: a Peer-to-Peer Anonymizing Network Layer Page 2

  3. Our Vision for Anonymization
     • Thousands of nodes participate
     • Bounce traffic off one another
     • Mechanism to organize nodes: peer-to-peer
     • All applications can use: IP layer

  4. Alternative 1: Proxy Approach
     [Diagram: User, Proxy]
     • Intermediate node to proxy traffic
     • Completely trust the proxy
     Anonymizer.com

  5. Threat model
     • Corrupt proxy(s)
       – Adversary runs proxy(s)
       – Adversary targets proxy(s) and compromises, possibly adaptively
     • Network links observed
       – Limited, localized network sniffing
       – Wide-spread (even global) eavesdropping
         e.g., Carnivore, Chinese firewall, ISP search warrants

  6. Failures of Proxy Approach
     [Diagram: User, Proxies]
     • Proxy reveals identity
     • Traffic analysis is easy

  7. Failures of Proxy Approach
     [Diagram: User, Proxy, with X marks]
     • Proxy reveals identity
     • Traffic analysis is easy
     • CNN blocks connections from proxy
     • Adversary blocks access to proxy (DoS)

  8. Alternative 2: Centralized Mixnet
     [Diagram: User, Relays]
     • MIX encoding creates encrypted tunnel of relays
       – Individual malicious relays cannot reveal identity
     • Packet forwarding through tunnel
     Onion Routing, Freedom
     Small-scale, static network

  9. Failures of Centralized Mixnet
     [Diagram: User, Relays, with X mark]
     • CNN blocks core routers

  10. Failures of Centralized Mixnet
      [Diagram: User, Relays]
      • CNN blocks core routers
      • Adversary targets core routers

  11. Alternative 2: Centralized Mixnet
      [Diagram: User, Relays]
      • CNN blocks core routers
      • Adversary targets core routers
      • So, add cover traffic between relays
        – Hides data traffic among cover

  12. Failures of Centralized Mixnet
      [Diagram: User, Relays]
      • CNN blocks core routers
      • Adversary targets core routers

  13. Failures of Centralized Mixnet
      [Diagram: User, Relays]
      • CNN blocks core routers
      • Adversary targets core routers
      • Still allows network-edge analysis

  14. Failures of Centralized Mixnet
      [Diagram: User, Relays]
      • Internal cover traffic does not protect edges
      • External cover traffic prohibitively expensive?
        – n² communication complexity

  15. Tarzan goals
      • No distinction between anon proxies and clients
        – Peer-to-peer model
      • Anonymity against corrupt relays
        – MIX-net encoding
        – Robust tunnel selection
        – Prevent adversary spoofing or running many nodes
      • Anonymity against global eavesdropping
        – Cover traffic protects all edges
        – Restrict topology to make cover practical
        – Choose neighbors in verifiably-random manner
      • Application-independence
        – Low-latency IP-layer redirection

  16. Tarzan: Me Relay, You Relay
      • Thousands of nodes participate
        – CNN cannot block everybody
        – Adversary cannot target everybody

  17. Tarzan: Me Relay, You Relay
      • Thousands of nodes participate
      • Cover traffic protects all nodes
        – Global eavesdropping gains little info

  18. Benefits of Peer-to-Peer Design
      • Thousands of nodes participate
      • Cover traffic protects all nodes
      • All nodes also act as relays
        – No network edge to analyze
        – First hop does not know he’s first

  19. Tarzan goals
      • No distinction between anon proxies and clients
        – Peer-to-peer model
      • Anonymity against corrupt relays
        – MIX-net encoding
        – Robust tunnel selection
        – Prevent adversary spoofing or running many nodes
      • Anonymity against global eavesdropping
        – Cover traffic protects all nodes
        – Restrict topology to make cover practical
        – Choose neighbors in verifiably-random manner
      • Application-independence
        – Low-latency IP-layer redirection

  20. Tarzan: Joining the System
      [Diagram: User]
      1. Contacts known peers to learn neighbor lists
      2. Validates each peer by directly pinging

  21. Tarzan: Generating Cover Traffic
      [Diagram: User]
      4. Nodes begin passing cover traffic with mimics:
        – Nodes send at some traffic rate per time period
        – Traffic rate independent of actual demand
        – All packets are same length and link encrypted

  22. Tarzan: Selecting tunnel nodes
      [Diagram: User, PNAT]
      5. To build tunnel: Iteratively selects peers and builds tunnel from among last-hop’s mimics

  23. But, Adversaries Can Join System
      [Diagram: User, PNAT]

  24. But, Adversaries Can Join System
      [Diagram: User, PNAT]
      • Adversary can join more than once by spoofing addresses outside its control
        → Contact peers directly to validate IP addr and learn PK

  25. But, Adversaries Can Join System
      [Diagram: User, PNAT]
      • Adversary can join more than once by running many nodes on each machine it controls
        → Randomly select by subnet “domain” (/16 prefix, not IP)

  26. But, Adversaries Can Join System
      [Diagram: User, PNAT]
      • Adversary can join more than once by running many nodes on each machine it controls
        → Randomly select by subnet “domain” (/16 prefix, not IP)

  27. But, Adversaries Can Join System
      [Diagram: User, PNAT]
      • Colluding adversary can only select each other as neighbors
        → Choose mimics in universally-verifiable random manner

  28. Tarzan: Selecting mimics
      [Diagram: User and peers A, B, C, D placed by hashed identifiers H(IP/16) and H(IP), with iterated hashes H^2(U.IP), H^3(U.IP), H^4(U.IP) and H^i(A.IP), H^i(B.IP), H^i(C.IP)]
      K16 = H(H(U.IP/16)), lookup(K16)
      K32 = H(H(U.IP)), lookup(K32)
      3. Nodes pair-wise choose (verifiable) mimics

  29. Tarzan goals
      • No distinction between anon proxies and clients
        – Peer-to-peer model
      • Anonymity against corrupt relays
        – MIX-net encoding
        – Robust tunnel selection
        – Prevent adversary spoofing or running many nodes
      • Anonymity against global eavesdropping
        – Cover traffic protects all nodes
        – Restrict topology to make cover practical
        – Choose neighbors in verifiably-random manner
      • Application-independence
        – Low-latency IP-layer redirection

  30. Tarzan: Building Tunnel
      [Diagram: User, PNAT; labels Real IP Address, Tunnel Private Address, Public Alias Address]
      5. To build tunnel:
        – Public-key encrypts tunnel info during setup
        – Maps flowid → session key, next hop IP addr

  31. Tarzan: Tunneling Data Traffic
      [Diagram: APP, IP, PNAT, User, with X mark]
      6. Reroutes packets over this tunnel
        – Diverts packets to tunnel source router

  32. Tarzan: Tunneling Data Traffic
      [Diagram: APP, IP, PNAT, User]
      6. Reroutes packets over this tunnel
        – NATs to private address 192.168.x.x
        – Pads packet to fixed length

  33. Tarzan: Tunneling Data Traffic
      [Diagram: APP, IP, PNAT, User]
      6. Reroutes packets over this tunnel
        – Layer encrypts packet to each relay
        – Encapsulates in UDP, forwards to first hop
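
The mimic selection of slides 25 to 28, as an added example that is not code from the talk or the Tarzan project: the domain is picked first by K16, then the node inside it by K32, so any peer with the same peer list can recheck a claimed mimic, and a flood of identities inside one /16 holds a single domain slot. SHA-256 for H, the successor rule in `lookup`, the indexing of the i-th mimic as H^(i+1), and all function names are assumptions.

```python
import hashlib
from bisect import bisect_left

def H(data: bytes, times: int = 1) -> bytes:
    """H applied `times` times. SHA-256 is an assumption; the slide only writes H."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

def prefix16(ip: str) -> str:
    return ".".join(ip.split(".")[:2])

def build_rings(peers):
    """Ring of /16 domains keyed by H(IP/16); per-domain ring of nodes keyed by H(IP)."""
    nodes = {}
    for ip in set(peers):
        nodes.setdefault(prefix16(ip), []).append((H(ip.encode()), ip))
    domain_ring = sorted((H(d.encode()), d) for d in nodes)
    return domain_ring, {d: sorted(ring) for d, ring in nodes.items()}

def lookup(ring, key):
    """First entry with id >= key, wrapping around (successor rule is assumed)."""
    return ring[bisect_left(ring, (key,)) % len(ring)][1]

def mimic(peers, ip, i):
    """i-th mimic of `ip`: lookup(K16) picks the domain, lookup(K32) the node in it."""
    domain_ring, node_rings = build_rings(peers)
    k16 = H(prefix16(ip).encode(), i + 1)   # i = 1 gives K16 = H(H(U.IP/16))
    k32 = H(ip.encode(), i + 1)             # i = 1 gives K32 = H(H(U.IP))
    return lookup(node_rings[lookup(domain_ring, k16)], k32)

def verify_mimic(peers, claimant, i, claimed):
    """Any peer holding the same peer list can recompute and check a claim."""
    return mimic(peers, claimant, i) == claimed

def share(peers, prefix):
    """(fraction of nodes, fraction of domain-ring slots) held by one /16."""
    domain_ring, node_rings = build_rings(peers)
    total = sum(len(r) for r in node_rings.values())
    n = len(node_rings.get(prefix, []))
    return n / total, (1 if n else 0) / len(domain_ring)

# Constructed peer list: three addresses shown on slide 28 plus made-up ones.
PEERS = ["216.16.108.10", "216.16.31.13", "216.16.54.8", "18.26.4.9",
         "128.2.7.1", "13.1.64.2", "169.229.60.5", "216.165.3.3"]
# Constructed flood: 200 identities inside a single /16.
SYBILS = ["10.9.%d.%d" % (a, b) for a in range(10) for b in range(1, 21)]
```

With the constructed data, `share(PEERS + SYBILS, "10.9")` shows the flood holding 200 of 208 nodes but one of seven domain slots.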
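
The tunnel data path of slides 30 to 33, as an added example that is not code from the talk or the Tarzan project: the source pads to a fixed length and applies one layer per relay, and each relay maps flowid to session key and next hop and strips its layer. The HMAC keystream is a toy stand-in for a real cipher, flow state is installed directly instead of being sent public-key encrypted, UDP encapsulation is left out, and the packet length, addresses and all names are assumptions.

```python
import hashlib, hmac, os

PKT_LEN = 64  # fixed payload length on every link (constructed value)

def xor_layer(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 keystream. Stand-in for a real cipher."""
    stream = b"".join(hmac.new(key, nonce + bytes([c]), hashlib.sha256).digest()
                      for c in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def pad(payload):
    """Length-prefix and zero-pad so every packet is exactly PKT_LEN bytes."""
    if len(payload) > PKT_LEN - 2:
        raise ValueError("payload does not fit one fixed-length packet")
    return len(payload).to_bytes(2, "big") + payload.ljust(PKT_LEN - 2, b"\0")

def unpad(block):
    return block[2:2 + int.from_bytes(block[:2], "big")]

class Relay:
    def __init__(self, addr):
        self.addr = addr
        self.flows = {}  # flowid -> (session key, next hop addr, next flowid)

    def forward(self, flowid, nonce, block):
        key, next_hop, next_flow = self.flows[flowid]  # unknown flowid: KeyError
        return next_hop, next_flow, xor_layer(key, nonce, block)

def build_tunnel(relays, exit_addr):
    """Install per-relay flow state. Real setup sends this public-key encrypted."""
    keys = [os.urandom(16) for _ in relays]
    fids = [os.urandom(4) for _ in relays] + [None]
    for n, r in enumerate(relays):
        nxt = relays[n + 1].addr if n + 1 < len(relays) else exit_addr
        r.flows[fids[n]] = (keys[n], nxt, fids[n + 1])
    return keys, fids[0]

def send(payload, keys):
    nonce, block = os.urandom(8), pad(payload)
    for key in reversed(keys):      # last relay's layer goes on first
        block = xor_layer(key, nonce, block)
    return nonce, block

def route(relays, flowid, nonce, block):
    """Walk the tunnel; return (destination, block seen on each link, payload)."""
    by_addr, hop, seen = {r.addr: r for r in relays}, relays[0].addr, [block]
    while hop in by_addr:
        hop, flowid, block = by_addr[hop].forward(flowid, nonce, block)
        seen.append(block)
    return hop, seen, unpad(block)
```

Every entry in `seen` has the same length but different bytes, which is what an observer on each link would see.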
