Privacy and anonymity in dataPrivacy and anonymity in data ...
Anonymity Networks and Censorship Resistance
Transcript of Anonymity Networks and Censorship Resistance
![Page 1: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/1.jpg)
Anonymity Networks and
Censorship Resistance
Vitaly Shmatikov
CS 6431
![Page 2: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/2.jpg)
Privacy on Public Networks
Internet is designed as a public network
Routing information is public
• IP packet headers identify source and destination
• Even a passive observer can easily figure out who is talking to whom
Encryption does not hide identities
• Encryption hides payload, but not routing headers
• Even IP-level encryption (VPNs, tunnel-mode IPsec) reveals IP addresses of gateways
slide 2
![Page 3: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/3.jpg)
Chaum’s Mix
Early proposal for anonymous email
• David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981.
Public-key crypto + trusted re-mailer (Mix)
• Untrusted communication medium
• Public keys used as persistent pseudonyms
Modern anonymity systems use Mix as the basic building block
slide 3
![Page 4: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/4.jpg)
slide 4
Basic Mix Design
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix)
{r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversary knows all senders and
all receivers, but cannot link a sent
message with a received message
![Page 5: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/5.jpg)
slide 5
Mix Cascades and Mixnets
Messages are sent through a sequence of mixes
• Can also form an arbitrary network of mixes (“mixnet”)
Some of the mixes may be controlled by attacker, but even a single good mix ensures anonymity
Pad and buffer traffic to foil correlation attacks
![Page 6: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/6.jpg)
Disadvantages of Basic Mixnets
Public-key encryption and decryption at each mix are computationally expensive
Basic mixnets have high latency
• Ok for email, but not for Web browsing
Challenge: low-latency anonymity network
• Use public-key crypto to establish a “circuit” with pairwise symmetric keys between hops
• Then use symmetric decryption and re-encryption to move data along the established circuits
slide 6
![Page 7: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/7.jpg)
slide 7
Second-generation onion routing network
• http://tor.eff.org
• Specifically designed for low-latency anonymous Internet communications (e.g., Web browsing)
• Running since October 2003
Hundreds of nodes on all continents
Over 2,500,000 users
“Easy-to-use” client
• Freely available, can use it for anonymous browsing
![Page 8: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/8.jpg)
slide 8
Tor Circuit Setup (1)
Client proxy establishes a symmetric session key and circuit with Onion Router #1
![Page 9: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/9.jpg)
slide 9
Tor Circuit Setup (2)
Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
• Tunnel through Onion Router #1
![Page 10: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/10.jpg)
slide 10
Tor Circuit Setup (3)
Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
• Tunnel through Onion Routers #1 and #2
![Page 11: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/11.jpg)
slide 11
Using a Tor Circuit
Client applications connect and communicate over the established Tor circuit
• Datagrams decrypted and re-encrypted at each link
![Page 12: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/12.jpg)
slide 12
Tor Management Issues
Many TCP connections can be “multiplexed” over one anonymous circuit
Directory servers
• Lists of active onion routers, their locations, current public keys, etc.
• Control how new routers join the network
– “Sybil attack”: attacker creates a large number of routers
• Directory servers’ keys ship with Tor code
![Page 13: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/13.jpg)
Location Hidden Services
Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
Accessible from anywhere
Resistant to censorship
Can survive a full-blown DoS attack
Resistant to physical attack
• Can’t find the physical server!
slide 13
![Page 14: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/14.jpg)
slide 14
Server creates circuits
to “introduction points”
Server gives intro points’
descriptors and addresses
to service lookup directory
Client obtains service
descriptor and intro point
address from directory
Deploying a Hidden Service
![Page 15: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/15.jpg)
slide 15
Using a Hidden Service
Client creates a circuit
to a “rendezvous point”
Client sends address of the
rendezvous point and any
authorization, if needed, to
server through intro point
If server chooses to talk to client,
connect to rendezvous point
Rendezvous point
splices the circuits
from client & server
![Page 16: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/16.jpg)
slide 16
![Page 17: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/17.jpg)
slide 17
Silk Road Shutdown
Ross Ulbricht, alleged operator of the Silk Road Marketplace, arrested by the FBI on Oct 1, 2013
= ?
![Page 18: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/18.jpg)
slide 18
Silk Road Shutdown Theories
A package of fake IDs from Canada traced to an apartment to San Francisco?
A fake murder-for-hire arranged by DPR?
A Stack Overflow question accidentally posted by Ulbricht under his real name?
• “How can I connect to a Tor hidden service using curl in php?”
• … a few seconds later, changed username to “frosty”
• … oh, and the encryption key on the Silk Road server ends with the substring "frosty@frosty"
Probably not weaknesses in Tor
![Page 19: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/19.jpg)
slide 19
How Was Silk Road Located?
FBI agent Tarbell’s testimony:
• Agents examined the headers of IP packets as they interacted with the Silk Road’s login screen, noticed an IP address not associated with any Tor nodes
• As they typed this address into the browser, Silk Road’s CAPTCHA prompt appeared
• Address led to rented server in a data center in Iceland
Common problem: misconfigured software does not send all traffic via Tor, leaks IP address
• Is this really what happened with the Silk Road server?
![Page 20: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/20.jpg)
slide 20
Main (?) Tor Problem
Traffic correlation and confirmation
![Page 21: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/21.jpg)
Traffic Confirmation Techniques
Congestion and denial-of-service attacks
• Attack a Tor relay, see if circuit slows down
Throughput attacks
Latency leaks
Website fingerprinting
slide 21
![Page 22: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/22.jpg)
Tor Adversaries
A realistic model of Tor adversaries needs to incorporate:
Autonomous systems and Internet exchange points
Evolution of Internet topology over time
Traffic generated by typical applications over time
slide 22
[Johnson et al. “Users Get Routed”.
CCS 2013]
![Page 23: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/23.jpg)
slide 23
Using Tor Circuits
1. Clients begin all circuits with a selected guard
2. Relays define individual exit policies
3. Clients multiplex streams over a circuit
![Page 24: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/24.jpg)
slide 24
Using Tor Circuits
1. Clients begin all circuits with a selected guard
2. Relays define individual exit policies
3. Clients multiplex streams over a circuit
4. New circuits replace existing ones periodically
![Page 25: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/25.jpg)
slide 25
Node Adversaries
![Page 26: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/26.jpg)
slide 26
Link Adversaries
AS1 AS2 AS3 AS4 AS5
AS6
AS8
AS7 AS6
Adversary has fixed location, may control one or more
autonomous systems or Internet exchange points (IXP)
Some ASes and IXPs handle much more traffic than others!
![Page 27: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/27.jpg)
slide 27
Modeling User Behavior
20-minute traces
Gmail/GChat
Gcal/GDocs
Web search
IRC
BitTorrent
Typical
Session schedule
One session at 9:00, 12:00, 15:00, and 18:00 Su-Sa
Repeated sessions 8:00-17:00, M-F
Repeated sessions 0:00-6:00, Sa-Su
![Page 28: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/28.jpg)
TorPS: The Tor Path Simulator
Realistic client software model based on the current Tor
Reimplemented path selection in Python
Major path selection features:
• Bandwidth weighting
• Exit policies
• Guards and guard rotation
• Hibernation
• /16 and family conflicts
slide 28
![Page 29: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/29.jpg)
Node Adversary Success
Time to first
compromised stream
Fraction of
compromised streams
Adversary with total
100 MiB/s bandwidth
(83.3 guard, 16.7 exit)
slide 29
![Page 30: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/30.jpg)
Link Adversary Success
Time to first
compromised stream
Fraction of
compromised streams
Adversary controls one AS
“best” = most secure client AS, “worst” = least secure
slide 30
![Page 31: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/31.jpg)
Not a Theoretical Threat!
Sybil attack + traffic confirmation
In 2014, two CMU CERT “researchers” added 115 fast relays to the Tor network
• Accounted for about 6.4% of available guards
• Because of Tor’s guard selection algorithm, these relays became entry guards for a significant chunk of users over their five months of operation
The attackers then used these relays to stage a traffic confirmation attack
slide 31
![Page 32: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/32.jpg)
slide 32
RELAY_EARLY Cell
Special control cell sent to the other end of the circuit (not just the next hop, like normal cell)
Used to prevent building very long Tor paths
![Page 33: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/33.jpg)
slide 33
RELAY_EARLY Sent Backward
Any number of RELAY_EARLY cells can be sent backward along the circuit
No legitimate reason for this, just an oversight
![Page 34: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/34.jpg)
slide 34
Traffic Confirmation
Malicious exit node encodes the name of hidden service in the pattern of relay and padding cells
Malicious guard learns which hidden service the client is accessing
Hidden service descriptor Wants to access
a hidden service
![Page 35: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/35.jpg)
Fighting Internet Censorship
Key use of anonymity networks – circumventing Internet censorship
slide 35
![Page 36: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/36.jpg)
The Non-Democratic
Republic of Repressistan
Blocked
destination
Tor network
Tor bridge
“Classic” Tor may not be effective anymore!
Gateway
Active probes
Easily recognizable
at the network level
Deep packet inspection
(DPI)
Using Tor for Circumvention
slide 36
![Page 37: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/37.jpg)
slide 37
The Non-Democratic
Republic of Repressistan
Let’s Play Hide-and-Seek
For example, make this look like a Skype connection
![Page 38: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/38.jpg)
Goal: Unobservability
Censors should not be able to identify circumvention traffic, clients, or servers through passive, active, or proactive techniques
slide 38
![Page 39: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/39.jpg)
Unobservability by Imitation
“Parrot systems” imitate a popular protocol like Skype or HTTP
• SkypeMorph (CCS 2012)
• StegoTorus (CCS 2012)
• CensorSpoofer (CCS 2012)
slide 39
![Page 40: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/40.jpg)
'E's dead, that's what's wrong with it!
What's, uh...
What's wrong with it?
slide 40
![Page 41: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/41.jpg)
Censorship region The Internet
A Tor node SkypeMorph
bridge
Traffic shaping
SkypeMorph
client
slide 41
SkypeMorph
![Page 42: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/42.jpg)
Incorrect Packet Headers
The start of message (SoM) header field is MISSING
This is a single-packet identifier for SkypeMorph traffic
• No need for sophisticated statistical traffic analysis
slide 42
![Page 43: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/43.jpg)
A Tor node SkypeMorph
bridge
TCP control
SkypeMorph
client
Censorship region The Internet
slide 43
Missing Control Channels
![Page 44: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/44.jpg)
No, no.....No,
'e's stunned!
slide 44
![Page 45: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/45.jpg)
SkypeMorph+
Let’s imitate the missing parts!
Problem: hard to mimic dynamic behavior
• Active and proactive tests
slide 45
![Page 46: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/46.jpg)
Dropping UDP Packets
slide 46
![Page 47: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/47.jpg)
Test Skype SkypeMorph+
Flush Supernode cache
Serves as a SN Rejects all Skype messages
Drop UDP packets Burst of packets in TCP control
No reaction
Close TCP channel Ends the UDP stream No reaction
Delay TCP packets Reacts depending on the type of message
No reaction
Close TCP connection to a SN
Initiates UDP probes No reaction
Block the default TCP port
Connects to TCP ports 80 and 443
No reaction
slide 47
Other Tests
![Page 48: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/48.jpg)
'E's not pinin'!
'E's expired and gone to meet 'is maker!
No no!
'E's pining!
slide 48
![Page 49: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/49.jpg)
StegoTorus
client A Tor node StegoTorus
bridge
HTTP
HTTP
Skype
Ventrilo
Censorship region The Internet
StegoTorus
slide 49
HTTP
![Page 50: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/50.jpg)
StegoTorus Chopper
Dependencies between links
slide 50
![Page 51: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/51.jpg)
StegoTorus-HTTP
Does not look like any HTTP server!
Most HTTP methods not supported!
slide 51
![Page 52: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/52.jpg)
Now that's what
I call a dead parrot
slide 52
![Page 53: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/53.jpg)
Lesson #1
Unobservability by imitation is
fundamentally flawed!
slide 53
![Page 54: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/54.jpg)
A complex protocol in it entirety
Inter-dependent sub-protocols with
complex, dynamic behavior
Bugs in specific versions of the software
User behavior
Not enough to mimic a "protocol," need to mimic
a specific implementation with all its quirks
slide 54
Imitating a Real System Is Hard
![Page 55: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/55.jpg)
Lesson #2
Partial imitation is worse
than no imitation
slide 55
Bad imitation of Skype is easier to recognize than Tor
![Page 56: Anonymity Networks and Censorship Resistance](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c4f7ef79a6af39311ac48b/html5/thumbnails/56.jpg)
slide 56