Vuvuzela a scalable private messaging system David Lazar Jelle van den Hooff, Matei Zaharia, Nickolai Zeldovich
Motivation Alice Bob (Oncologist)
Encryption Z28gUGF0cmlvdHMhCg c2VhaGF3a3Mgc3Vjawo Alice Bob (Oncologist)
Problem: metadata Z28gUGF0cmlvdHMhCg Ex-boyfriend Pfizer Lawyer c2VhaGF3a3Mgc3Vjawo AA Alice Bob (Oncologist) Hospital Lawyer Snowden Guardian NY Times White House
Goal: hide metadata Vuvuzela Ex-boyfriend Pfizer Lawyer AA Alice Bob (Oncologist) Hospital Lawyer Snowden Guardian NY Times White House
Goal: hide metadata Vuvuzela Ex-boyfriend Pfizer Lawyer AA Alice Bob (Oncologist) Hospital Lawyer Snowden Guardian NY Times White House
Goal: scalability Vuvuzela Ex-boyfriend Pfizer Lawyer AA Alice Bob (Oncologist) Hospital Lawyer Snowden Guardian NY Times White House
Tor is scalable Alice Bob Tor network
Tor is insecure Alice Bob Tor network
Tor is insecure Low-Cost Traffic Analysis of Tor Steven J. Murdoch and George Danezis University of Cambridge, Computer Laboratory 15 JJ Thomson Avenue, Cambridge CB3 0FD United Kingdom Users Get Routed: { Steven.Murdoch,George.Danezis } @cl.cam.ac.uk Traffic Correlation on Tor by Realistic Adversaries Abstract Other systems, based on the idea of a mix, were de- veloped to carry low latency traffic. ISDN mixes [33] Aaron Johnson 1 Chris Wacek 2 Rob Jansen 1 Micah Sherr 2 Paul Syverson 1 Tor is the second generation Onion Router, supporting propose a design that allows phone conversations to be the anonymous transport of TCP streams over the Inter- anonymised, and web-mixes [6] follow the same design pat- 1 U.S. Naval Research Laboratory, Washington DC 2 Georgetown University, Washington DC {aaron.m.johnson, rob.g.jansen, paul.syverson}@nrl.navy.mil {cwacek, msherr}@cs.georgetown.edu net. Its low latency makes it very suitable for common terns to anonymise web traffic. A service based on these ideas, the Java Anon Proxy (JAP) 1 has been implemented tasks, such as web browsing, but insecure against traffic- analysis attacks by a global passive adversary. We present and is running at the University of Dresden. These ap- Alice Bob new traffic-analysis techniques that allow adversaries with proaches work in a synchronous fashion, which is not well ABSTRACT The traffic correlation problem in Tor has seen much attention only a partial view of the network to infer which nodes are adapted for the asynchronous nature of widely deployed in the literature. Prior Tor security analyses often consider entropy We present the first analysis of the popular Tor anonymity network Circuit Fingerprinting Attacks: being used to relay the anonymous streams and therefore TCP/IP networks [8]. or similar statistical measures as metrics of the security provided that indicates the security of typical users against reasonably realis- by the system at a static point in time . In addition, while prior tic adversaries in the Tor network or in the underlying Internet. Our Passive Deanonymization of Tor Hidden Services metrics of security may provide useful information about overall results show that Tor users are far more susceptible to compromise usage, they typically do not tell users how secure a type of behav- than indicated by prior work. Specific contributions of the paper ior is. Further, similar previous work has thus far only considered include (1) a model of various typical kinds of users, (2) an adver- adversaries that control either a subset of the members of the Tor Albert Kwon † , Mashael AlSabah ‡§† ∗ , David Lazar † , Marc Dacier ‡ , and Srinivas Devadas † † Massachusetts Institute of Technology, { kwonal,lazard,devadas } @mit.edu ‡ Qatar Computing Research Institute, mdacier@qf.org.qa § Qatar University, malsabah@qu.edu.qa This paper sheds light on crucial weaknesses in the As a result, many sensitive services are only accessi- design of hidden services that allow us to break the ble through Tor. Prominent examples include human anonymity of hidden service clients and operators pas- rights and whistleblowing organizations such as Wik- Tor network sively. In particular, we show that the circuits , paths ileaks and Globalleaks, tools for anonymous messag- established through the Tor network, used to commu- ing such as TorChat and Bitmessage, and black markets nicate with hidden services exhibit a very different be- like Silkroad and Black Market Reloaded. Even many havior compared to a general circuit. We propose two non-hidden services, like Facebook and DuckDuckGo, attacks, under two slightly different threat models, that recently have started providing hidden versions of their
Related work Tor Pond Scalability Riposte [Oakland 2015] Dissent [OSDI 2012] Privacy
Contribution Tor Pond Vuvuzela Scalability Riposte [Oakland 2015] Dissent [OSDI 2012] Privacy
Contribution • Vuvuzela : the first private messaging system that hides metadata from powerful adversaries for millions of users • Vuvuzela scales linearly with the number of users • Differential privacy for millions of messages per user for one million users • 37s end-to-end message latency • 60,000 messages / second throughput • Good match for private text-based messaging
Vuvuzela overview • Handful of servers arranged in a chain • Users send/receive messages through the first server Alice Bob Server 1 Server 2 Server 3 • Last server decides who gets Charlie what messages and sends them back down the chain
Vuvuzela’s two protocols Dialing protocol: Initiate conversation session between two users Alice Bob Conversation protocol: Exchange messages between two users Charlie
Threat model • All but one server are compromised • Adversary is active (can knock users offline, tamper with messages, etc) Alice Bob • All users might be malicious (besides you and your friends) Charlie • PKI: users know each other’s keys
Metadata privacy Scenario 1 Scenario 2 Scenario 3 Alice Bob Charlie Alice Bob Charlie Alice Bob Charlie Vuvuzela Vuvuzela Vuvuzela
Metadata privacy Scenario 1 Scenario 2 Scenario 3 Alice Bob Charlie Alice Bob Charlie Alice Bob Charlie Vuvuzela Vuvuzela Vuvuzela ? ? ? traffic analysis 47D1FC9A… hacked servers
Approach to scalable privacy • Use efficient cryptography to encrypt as much metadata as possible. • Add noise to metadata that we can’t “encrypt.” • Use differential privacy to reason about how much privacy the noise gives us.
Dead drops prevent users from talking directly Alice Dead drop: a place to leave a message that Bob another user can pick up Charlie
Talking via dead drops Dead drop: zzp8ns0nrxt3g9efb6c Alice Message: “Hi Bob! How’s it going?” Bob Dead drop: zzp8ns0nrxt3g9efb6c Message: “” Charlie
Conversation protocol Dead drop: zzp8ns0nrxt3g9efb6c Alice Message: “Hi Bob! How’s it going?” Bob Dead drop: zzp8ns0nrxt3g9efb6c Message: “” Charlie Round 1
Conversation protocol D e a d d r o p : F s d d 5 v P M L H 3 K M A e R s q s a E g 2 a e : “ ” Alice a 2 E q R A K 3 H L M P v 5 d d s F : p o r d d a e D ” ! s k n a h t , d o o g m ’ “ I Bob : e g a s s e M Charlie Round 2
Conversation protocol Alice Bob Charlie Round 3
Conversation protocol Alice Bob Charlie Round 4
Messages are encrypted D e a d d r o p : F s d d 5 v P M L H 3 K M A e R s q s a E g 2 a e : W C z d j L 5 w B N p J U t t 9 t E 7 … Alice a 2 E q R A K 3 H L M P v 5 d d s F : p o r d d a … e D E j g 6 P u 4 W q 8 k V s W Q 1 T j y Bob : e g a s s e M Charlie
Idle clients send cover traffic D e a d d r o p : F s d d 5 v P M L H 3 K M A e R s q s a E g 2 a e : W C z d j L 5 w B N p J U t t 9 t E 7 … Alice a 2 E q R A K 3 H L M P v 5 d d s F : p o r d d a … e D E j g 6 P u 4 W q 8 k V s W Q 1 T j y Bob : e g a s s e M Charlie
Idle clients send cover traffic D e a d d r o p : F s d d 5 v P M L H 3 K M A e R s q s a E g 2 a e : W C z d j L 5 w B N p J U t t 9 t E 7 … Alice a 2 E q R A K 3 H L M P v 5 d d s F : p o r d d a … e D E j g 6 P u 4 W q 8 k V s W Q 1 T j y Bob : e g a s s e M Dead drop: uy06ZOuTTvrERU7rCh Message: JwXpDGH5reB627KOs0… Charlie
Dead drops give privacy D e a d d r o p : F s d d 5 v P M L H 3 K M A e R s q s a E g 2 a e : W C z d j L 5 w B N p J U t t 9 t E 7 … Alice a 2 E q R A K 3 H L M P v 5 d d s F : p o r d d a … e D E j g 6 P u 4 W q 8 k V s W Q 1 T j y Bob : e g a s s e M Dead drop: uy06ZOuTTvrERU7rCh Message: JwXpDGH5reB627KOs0… Charlie
More recommend