Why is anonymity so hard?
Roger Dingledine, The Free Haven Project
Many people need anonymity
• Political dissidents in oppressive countries
• Governments want to do operations secretly.
• Corporations are vulnerable to traffic analysis (corporate espionage) — VPNs, encryption don't cut it.
• Individuals are tracked and profiled daily. Imagine what they'll have in your dossier in twenty years.
• (If that doesn't scare you, think of your kids.)
A MIX node
• Messages change appearance after decryption
• Each MIX batches and reorders messages
• Messages are all the same length
• Store and forward (slow) to maintain anonymity sets
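The four properties on this slide, as an added worked example that is not code from the talk or from any deployed mix: a sender wraps a payload in one encryption layer per hop, every message on the wire is padded to one fixed length, and each node peels a layer (changing the message's appearance), re-pads to the same length, and holds messages until a threshold batch can leave in shuffled order. The SHA-256 counter-mode keystream is a constructed stand-in for a real cipher, and the message size, nonce size and batch threshold are assumptions chosen for illustration.

```python
import hashlib
import os
import random

# Constructed parameters for the example (not from the talk or any real mix network).
MSG_LEN = 256        # every message on the wire is exactly this long
NONCE_LEN = 16       # per-layer nonce so identical payloads never look alike
BATCH_THRESHOLD = 4  # a node holds messages until it has this many


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustrative only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(payload: bytes, size: int) -> bytes:
    """Length-prefix the payload and fill the rest with random bytes."""
    if len(payload) > size - 2:
        raise ValueError("payload too long for the fixed-size message")
    return len(payload).to_bytes(2, "big") + payload + os.urandom(size - 2 - len(payload))


def unpad(block: bytes) -> bytes:
    n = int.from_bytes(block[:2], "big")
    return block[2:2 + n]


def wrap(payload: bytes, hop_keys: list) -> bytes:
    """Sender builds the layered message: one layer per hop, outermost layer last."""
    body = pad(payload, MSG_LEN - NONCE_LEN * len(hop_keys))
    for key in reversed(hop_keys):
        nonce = os.urandom(NONCE_LEN)
        body = nonce + xor(body, keystream(key + nonce, len(body)))
    assert len(body) == MSG_LEN
    return body


class MixNode:
    """Peels one layer, re-pads to MSG_LEN, releases a shuffled batch only at the threshold."""

    def __init__(self, key: bytes, threshold: int = BATCH_THRESHOLD):
        self.key = key
        self.threshold = threshold
        self.pool = []

    def peel(self, msg: bytes) -> bytes:
        nonce, body = msg[:NONCE_LEN], msg[NONCE_LEN:]
        inner = xor(body, keystream(self.key + nonce, len(body)))
        # Re-pad so the outgoing message is the same length as the incoming one;
        # the trailing junk is ignored because the payload is length-prefixed.
        return inner + os.urandom(NONCE_LEN)

    def receive(self, msg: bytes):
        """Store and forward: returns None until the pool reaches the threshold."""
        self.pool.append(self.peel(msg))
        if len(self.pool) < self.threshold:
            return None
        batch, self.pool = self.pool, []
        random.shuffle(batch)  # reorder so arrival order does not reveal departure order
        return batch


def run_demo(payloads):
    """Send exactly BATCH_THRESHOLD payloads through two mix nodes in sequence.

    Returns (batch released by each hop, payloads recovered after the last hop).
    """
    if len(payloads) != BATCH_THRESHOLD:
        raise ValueError("demo expects exactly one full batch of payloads")
    keys = [os.urandom(32), os.urandom(32)]
    nodes = [MixNode(k) for k in keys]
    wire = [wrap(p, keys) for p in payloads]
    hop_outputs = []
    for node in nodes:
        released = None
        for m in wire:
            released = node.receive(m)  # None until the last message fills the batch
        hop_outputs.append(released)
        wire = released
    return hop_outputs, [unpad(m) for m in wire]
```

Feeding messages in one at a time shows the store-and-forward behaviour: receive() returns None for the first three messages and releases all four together, shuffled, on the fourth. Every message entering or leaving either node is the same 256 bytes, so an observer on the links sees neither length nor ordering that would tie an output to an input; the batch is the anonymity set.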
A MIX cascade
Free-route MIX networks
• User picks a path through the network
• Goal is to hide message's path
• Needs dummy traffic (inefficient, poorly understood) to protect against global adversaries (lots of traffic may work too?)
• Example: Mixmaster
Onion Routing
• Connection-oriented (low latency)
• Long-term connections between Onion Routers, link padding between the routers
• Aims for security against traffic analysis, not traffic confirmation
• Users should run a node, or anonymize the connection to the first node, for best privacy
Some technical problems for Onion Routing:
Convenient / Usable Proxies
• Currently we have an application proxy for each protocol, which feeds into the onion proxy. Users should run both.
• But we really ought to intercept all traffic – otherwise we need to modify applications so they don't leak info.
• ...and nobody will use it if we need all these proxies (not true: p2p systems?)
Oh yeah, and I wrote the Onion Routing code
• It's GPLed ... but it's complicated.
• Send me mail and I'll point you to it.
Ideal threat model
• Global passive adversary – can observe everything
• Owns half the nodes
Link padding and topology
• Remember that our goal is to hide the path
• Without link padding, adversary can observe when new connections start, and where they go.
• n² link padding is insane, but anything less seems unsafe.
• Open problem: what's the right compromise?
Timing attacks
• If the adversary owns two nodes on your path, he can recognize that they're on the same path
Tagging attacks
• Onion routing uses a stream cipher to encrypt the data stream going in each direction.
• An adversary owning a node – or a link! – can flip a byte in the data stream and look for an anomalous byte at the exit point (say, when it talks to a webserver).
• This sort of thing is generally solved by including a hash, but it's more complex than that.
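Why a bare stream cipher is malleable, and what "including a hash" buys you, as an added example that is not code from the talk or from any onion routing implementation: a one-time pad stands in for the per-circuit stream cipher (a constructed simplification; the malleability is the same for any XOR-based cipher), a fault model flips one ciphertext byte in transit, and the exit is shown once decrypting blindly and once verifying an HMAC over the ciphertext before decrypting. Keys, the sample request and the tag length are constructed for the example. The slide's caveat stands: this check covers one hop's stream, and carrying integrity through several layers of re-encryption is the harder problem.

```python
import hashlib
import hmac
import os

# Constructed example keys (not from the talk).
STREAM_KEY = os.urandom(64)  # one-time pad standing in for the per-circuit stream cipher
MAC_KEY = os.urandom(32)
TAG_LEN = 32                 # HMAC-SHA256 output length


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_stream(plaintext: bytes) -> bytes:
    # A stream cipher is XOR with a keystream; flipping a ciphertext bit flips the
    # same plaintext bit, which is exactly what a tagging adversary relies on.
    return xor(plaintext, STREAM_KEY[:len(plaintext)])


decrypt_stream = encrypt_stream  # XOR is its own inverse


def flip_in_transit(ciphertext: bytes, position: int, delta: int = 0x01) -> bytes:
    """Fault model: one byte of the ciphertext is altered on a node or link."""
    tampered = bytearray(ciphertext)
    tampered[position] ^= delta
    return bytes(tampered)


def exit_without_integrity(ciphertext: bytes) -> bytes:
    """Exit decrypts blindly; an alteration in transit surfaces at the same offset."""
    return decrypt_stream(ciphertext)


def seal(plaintext: bytes) -> bytes:
    """Hardened sender side: encrypt, then MAC the ciphertext (encrypt-then-MAC)."""
    ct = encrypt_stream(plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def open_checked(message: bytes):
    """Hardened exit: verify the MAC in constant time; drop the cell (None) on mismatch."""
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_stream(ct)


def demo():
    """Returns (offsets that differ at the unchecked exit, checked result of the tampered cell,
    checked result of an intact cell)."""
    request = b"GET /index.html HTTP/1.0\r\n"  # constructed sample plaintext
    pos = 5  # byte to alter in transit

    # Unchecked exit: the flip survives decryption and appears exactly at offset 5.
    leaked = exit_without_integrity(flip_in_transit(encrypt_stream(request), pos))
    differing = [i for i, (a, b) in enumerate(zip(request, leaked)) if a != b]

    # Checked exit: the tampered cell fails verification; an intact cell decrypts normally.
    rejected = open_checked(flip_in_transit(seal(request), pos))
    intact = open_checked(seal(request))
    return differing, rejected, intact
```

The unchecked exit hands a plaintext to the webserver with a recognisable one-byte anomaly at a position the adversary chose, which is the signal a tagging attack looks for; the checked exit never emits it, because the cell is discarded before decryption. Rejecting rather than repairing is deliberate: a relay that silently fixed or forwarded damaged cells would itself become an observable signal.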
Anonymity is hard for economic/social reasons too
• Anonymity requires inefficiencies in computation, bandwidth, ...
But trust bottlenecks can break everything
• Nodes with more traffic must be more trusted
• Adversary who wants more traffic should provide good service
Strong anonymity requires distributed trust
• An anonymity system can't be just for one entity
• (even a large corporation or government)
• So you must carry traffic for others to protect yourself
• But those others don't want to trust their traffic to just one entity either
Pseudospoofing: volunteers are a danger too
• Are half your nodes run by a single bad guy?
• Global PKI to ensure unique identities? No.
• Decentralized trust flow algorithms? Not yet.
• Still a major open problem for dynamic decentralized anonymity
Need to manage incentives well
Even customization and preferential service are risky (1)
• It's tempting to let users choose security and robustness parameters
• E.g., how many replicas of my file should I create? Or how many pieces should I break my file into?
• But a file replicated many times stands out.
An example: Directory servers
• Distribute location, capabilities, key info, performance stats
• A single directory server is a point of failure
• Redundant directory servers: must be (provably!) synchronized to avoid partitioning attacks
• Can distinguish between clients that use static lists and clients that update frequently
Directory servers (2)
Conclusion: we're screwed
• Usability is a security objective: anonymity systems are nothing without users.
• It's critical that we integrate privacy into the systems we use to interact.
• But it's hard enough to build a killer app. It's going to be really really hard to solve all the factors at once.
• Our current directions aren't going to work, from an incentive and usability perspective. We need to rethink.
A point of light: Mixminion
• High-latency free-route mix network
• Fixes many of the problems with Mixmaster
Another point of light: synchronous systems
• Each message has a deadline by which the node must pass it on
• Length of path is fixed, path might even be public
• Anonymity is now based on size of batch at widest point, even for free-route systems
• Improves resistance to flooding/trickle attacks
Privacy Enhancing Technologies workshop
March 26-28, 2003, Dresden, Germany
http://petworkshop.org/