Online Anonymity beyond Tor

Post on 21-Jan-2018


Online Anonymity beyond Tor
Dr. Martin Schmiedecker

Outline

Online Anonymity

Tor

Alternatives to Tor

Interesting Times Ahead


Online Anonymity


Anonymity Set

• Anonymity requires a peer group/set
• Well-defined group of individuals
• The bigger the better

“Anonymity is the state of being not identifiable within a set of subjects, the anonymity set.” [Pfitzmann, 2000]


Degrees Of Anonymity

• Pseudonymity
• Sender/Recipient anonymity:
  ◦ Sender/Recipient of a message cannot be determined
• Unlinkability:
  ◦ Messages cannot be attributed to a pair of users
• Unobservability:
  ◦ Cannot be determined if specific user sent messages at all


Chaum Mix

• Base of modern anonymity systems
• David Chaum: “Untraceable electronic mail, return addresses, and digital pseudonyms”, Communications of the ACM, 1981
• Chaum Mix
  ◦ Order of sent messages != order of received messages
  ◦ Messages are split into equal chunks and padded
  ◦ Hinders de-anonymization based on analyzing the network traffic


One-hop mix

Figure: Basic Mix, George Danezis, UCL

Chaum mix properties

• unlinkability: use of cryptography, message chunking
• traffic analysis: reordering of messages


Broken Mix: no reordering but FIFO

Figure: FIFO Mix, George Danezis, UCL

Attackers can link senders to recipients by observing the mix.

Protection against traffic analysis

Figure: Mix Batching / Pooling, George Danezis, UCL

Threshold: the mix sends all messages once a certain number of messages is reached (Chaum). Pooling: some messages are kept back.
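An added example (not from the slides) that simulates the FIFO, threshold and pool mixes described above from a passive observer's point of view. The function names, the batch sizes and the sender labels are assumptions made for illustration; the pool-mix model (fire at n + keep, keep a random subset back) is one simple reading of "some messages are kept back".

```python
import random

def run_mix(arrivals, n, keep=0, shuffle=True, rng=None):
    """Fire when n + keep messages are held: send n, keep `keep` back.
    keep=0 is a threshold mix; shuffle=False models the broken FIFO mix.
    Returns [(arrivals_seen_so_far, flushed_messages), ...]."""
    rng = rng or random.Random()
    pool, flushes = [], []
    for seen, msg in enumerate(arrivals, start=1):
        pool.append(msg)
        if len(pool) == n + keep:
            if shuffle:
                rng.shuffle(pool)
            flushes.append((seen, pool[keep:]))
            pool = pool[:keep]
    return flushes

def order_link_accuracy(arrivals, flushes):
    """Observer guesses 'k-th message out is the k-th message in'."""
    outputs = [m for _, batch in flushes for m in batch]
    hits = sum(a == o for a, o in zip(arrivals, outputs))
    return hits / len(outputs)

def candidate_set_sizes(arrivals, flushes):
    """Observer sees arrival order and flush sizes, not contents. For each
    flush, count the senders whose message could be in it (possibilistic
    anonymity set; the real probabilities are not uniform for pool mixes)."""
    sizes, possible, inside, prev = [], set(), 0, 0
    for seen, batch in flushes:
        possible |= set(arrivals[prev:seen])
        inside += seen - prev - len(batch)
        prev = seen
        sizes.append(len(possible))
        if inside == 0:          # mix is empty again: earlier senders ruled out
            possible = set()
    return sizes

if __name__ == "__main__":
    # Constructed sample input: one message per sender, labelled by sender.
    senders = [f"sender{i:02d}" for i in range(12)]
    rng = random.Random(2018)
    fifo = run_mix(senders, n=4, shuffle=False)
    thresh = run_mix(senders, n=4, rng=rng)
    pool = run_mix(senders, n=4, keep=2, rng=rng)
    print("FIFO order-link accuracy:", order_link_accuracy(senders, fifo))
    print("threshold candidate sets:", candidate_set_sizes(senders, thresh))
    print("pool candidate sets:     ", candidate_set_sizes(senders, pool))
```

The FIFO mix is fully linkable by output order, the threshold mix limits the observer to one batch of senders, and with pooling the candidate set keeps growing because any earlier message may still be held back.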


Tor


NSA: Tor = King of Anonymity¹

• “Still the King of high secure, low latency Internet Anonymity”
• no new attack found in these files
• but: Tor users can be tagged
• some of the files by the NSA on Tor: http://media.encrypted.cc/files/nsa/

¹ http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

Alternatives to Tor

Garlic Routing

• Foundation of the Invisible Internet Project (I2P)
• Layer-based encryption
  ◦ Basic idea: Chaum mixes / Onion Routing
• Messages are bundled
  ◦ Messages are merged into Bulbs/Cloves
• ElGamal/AES + SessionTag
  ◦ Combination of asymmetric and symmetric encryption methods


Example Garlic Routing: I2P

• Based on Java, active development since 2003
• I2P Router creates local proxy (4444/TCP)
• I2P Applications
  ◦ Filesharing (BitTorrent, eMule, Gnutella)
  ◦ E-Mail (Postman, I2P-Bote)
  ◦ Instant messaging (I2P Messenger)
  ◦ Publishing (Syndie)
  ◦ Distributed file-system/storage (Tahoe-LAFS)


Garlic Routing: I2P

• Tunnels to other I2P nodes are created (incoming / outgoing tunnels)
• Use focuses on “Darknet” applications (as opposed to Tor)


Anonymity systems overview


Interesting Times Ahead

OTR, Signal and more

• key protocol for (un-)authenticated encryption
• OTR, mpOTR, axolotl
• part of Signal, WhatsApp, Wire
• open libraries available
• forward secrecy


Ricochet

• builds on Tor²
• spawns hidden service
• allows for anonymous chatting
• no party has to reveal identity
• implicitly authenticated

² https://ricochet.im

HORNET (2015) [1]

• onion-routing on the network layer
• no local states
• all relevant information in headers
• only symmetric cryptography
• can achieve close to 100 Gbit/s


Dissent (2012) [2]

• provable privacy
• (groups of) client-server
• based on DC-net shuffles
• anytrust, one honest server needed
• more efficient than DC-nets (linear!)
• trade-offs: intersection attacks, scalability


Riffle (2016) [3]

• improves Dissent
• can handle many more clients
• efficient symmetric crypto
• bandwidth proportional to messages


Aqua (2013) [4]

• Tor-like infrastructure
• mix-based
• each client has one edge mix
• k-anonymity among k honest clients


Vuvuzela (2015) [5]

• uses differential privacy
• scales to millions of users
• hides most metadata
• onion-like relaying
• still somewhat efficient


Alpenhorn (2016) [6]

• protocol for initiating communication
• employs forward secrecy (key ratchet)
• uses identity-based encryption
• added to Vuvuzela


Riposte (2015) [7]

• usable for broadcasting
• few writers, many readers
• provable privacy (reverse PIR)
• protects against traffic analysis


Loopix (2017) [8]

• sender- and receiver anonymity
• unobservability!
• traffic analysis resistance against a global network adversary!
• mix-based, very low latency


To conclude

• Tor leads the way
• DC-nets vs. mixes
• much more to come


Questions?

References

[1] Chen Chen, Daniele E Asoni, David Barrera, George Danezis, and Adrian Perrig. Hornet: High-speed onion routing at the network layer. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1441–1454. ACM, 2015.

[2] David Isaac Wolinsky, Henry Corrigan-Gibbs, Bryan Ford, and Aaron Johnson. Dissent in numbers: Making strong anonymity scale. In 8th USENIX Symposium on Operating Systems Design and Implementation, pages 179–182, 2012.

[3] Albert Kwon, David Lazar, Srinivas Devadas, and Bryan Ford. Riffle. Proceedings on Privacy Enhancing Technologies, 2016(2):115–134, 2016.

[4] Stevens Le Blond, David Choffnes, Wenxuan Zhou, Peter Druschel, Hitesh Ballani, and Paul Francis. Towards efficient traffic-analysis resistant anonymity networks. In ACM SIGCOMM Computer Communication Review, volume 43, pages 303–314. ACM, 2013.

[5] Jelle Van Den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, pages 137–152. ACM, 2015.

[6] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In Proceedings of the 12th Symposium on Operating Systems Design and Implementation (OSDI), Savannah, GA, 2016.

[7] Henry Corrigan-Gibbs, Dan Boneh, and David Mazieres. Riposte: An anonymous messaging system handling millions of users. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 321–338. IEEE, 2015.

[8] Ania Piotrowska, Jamie Hayes, Tariq Elahi, Sebastian Meiser, and George Danezis. The loopix anonymity system. arXiv preprint arXiv:1703.00536, 2017.