Anonymity and Covert Channels in Simple, Timed Mix-firewalls
Richard E. Newman --- UF
Vipan R. Nalla -- UF
Ira S. Moskowitz --- NRL
{nemo,vreddy}@cise.ufl.edu, [email protected], chacs.nrl.navy.mil
Motivation
Anonymity --- Linkages – sender/message/recipient
optional desire or mandated necessity?
Hide who is sending what to whom.
What – covered by crypto.
Who/which/whom – covered by Mix networks.
Even if one cannot associate a particular message with a sender, it is still possible to leak information from sender to observer – covert channel.
Mixes
A Mix is a device intended to hide source/message/destination associations.
A Mix can use crypto, delay, shuffling, padding, etc. to accomplish this.
Others have studied ways to “beat the Mix”
--active attacks to flush the Mix.
--passive attacks may study probabilities.
Prior measures of anonymity
• AT&T Crowds: degree of anonymity, p_forward message
  – Not Mix-based
• Dresden: anonymity (set of senders), set size N, log(N)
  – Does not include observations by Eve
• Cambridge: effective size, assign probs to senders, between 0 and log(N)
  – We show (later): maximal entropy (most noise) does not assure anonymity
• K.U. Leuven: normalize above
• We want something that measures before & after. That is Shannon’s information theory
Aim of this Work
• We wish to provide another tool better to understand and to measure anonymity
• Limits of anonymity
• Application of classical techniques
• Follows WPES, CNIS work
Covert Channels
A communication channel that exists, contrary to system design, in a computer system or network
Typically in the realm of MLS systems: non-interference
Classically measure threat by capacity
Quasi-Anonymous Channels
Less than perfect anonymity = quasi-anonymity
Quasi-anonymity allows covert channel = quasi-anonymous channel
Quasi-anonymous channel is
(1) Illegal communication channel in its own right
(2) A way of measuring anonymity
NRL Covert Channel Analysis Lab
• John McDermott & Bruce Montrose
• Actual network set-up to exploit these quasi-anonymous channels
• First attempt: detect gross changes in traffic volume
• Future work may be a more fine-tuned detection of the mathematical channels discussed here
Our Earlier Scenario (WPES 2003)
Mix firewalls separating 2 enclaves.
[Figure: Enclave 1 (Alice & Clueless_i), Enclave 2, Eve; labels: overt channel (anonymous), covert channel]
Timed Mix, total flush per tick
Eve: counts # messages per tick – perfect sync, knows # Clueless_i
Clueless_i are IID, p = probability that Clueless_i does not send a message
Alice is clueless w.r.t. Clueless_i
This System Model
• Alice (malicious insider) and N other senders (Clueless_i, i=1,…,N)
• M observable destinations (R_j, j=1,…,M)
• “Nobody” destination R_0
• Each tick, each sender can send a message (to a destination R_j) or not (“send” to R_0)
• Clueless_i are i.i.d.
• Eve sees message counts to the R_j each tick
Multiple Receiver Model
[Figure: Alice, Clueless_1, Clueless_2, …, Clueless_N; Mix-firewall; Eve; receivers R_1, R_2, …, R_N; Nobody = R_0]
Toy Scenario – N=1, M=1
Alice can: not send a message (0), or send (1)
Only two input symbols to the (covert) channel
What does Eve see? 0,1, or 2 messages.
[Figure: transition diagram from Alice's inputs {0, 1} to Eve's outputs {0, 1, 2}, edges labelled p and q]
Discrete Memoryless Channel
[Figure: X – anonymizing network – Y]
Channel matrix (rows: X, columns: Y):
       Y=0  Y=1  Y=2
X=0     p    q    0
X=1     0    p    q
X is the random variable representing Alice, the transmitter to the cc (covert channel).
X has a prob dist: P(X=0) = x, P(X=1) = 1-x
Y represents Eve; prob dist derived from X and channel matrix
Channel Capacity
In general $P(X = x_i) = p(x_i)$, similarly $p(y_k)$
$H(X) = -\sum_i p(x_i) \log[p(x_i)]$ (entropy of X)
$H(X|Y) = -\sum_k p(y_k) \sum_i p(x_i|y_k) \log[p(x_i|y_k)]$
Mutual information $I(X,Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$
Capacity is the maximum over dist X of I
Capacity for Toy Scenario
$C = \max_x \{ -( px \log px + [qx + p(1-x)] \log[qx + p(1-x)] + q(1-x) \log q(1-x) ) - h(p) \}$
where $h(p) = -\{ p \log p + (1-p) \log(1-p) \}$
Capacity and optimal x vs. p
Earlier Scenario: 1 Receiver, N Clueless_i
[Figure: transition diagram from Alice's inputs 0, 1 to Eve's outputs 0, 1, …, N, N+1; edge labels p^N, N p^(N-1) q, …, N q^(N-1) p, q^N]
Capacity vs. N (M=1)
Observations
• Highest capacity when very low or very high clueless traffic
• Capacity (of p) bounded below by C(0.5), x=.5; thus even at maximal entropy, not anonymous
• Capacity monotonically decreases to 0 with N
• C(p) is a continuous function of p
• Alice’s optimal bias is a function of p, and is always near 0.5
Comments
1. Lack of anonymity leads to comm. channel
2. Use this quasi-anonymous channel to measure the anonymity
3. Capacity is not always the correct measure---might want just mutual info, or number of bits passed
New Results
• Analysis for M>1 receivers
• Numerical (but not theoretical) results show best for Clueless to be uniform
• Numerical results for Clueless uniform over actual receivers (not R0)
• Numerical results for Alice uniform over actual receivers (not R0)
• Best for Alice to be uniform
Earlier Scenario Revisited: 1 Receiver, N Clueless_i
[Figure: transition diagram from Alice's inputs 0, 1 to Eve's outputs <N+1,0>, <N,1>, …, <1,N>, <0,N+1>; edge labels p^N, N p^(N-1) q, …, N q^(N-1) p, q^N]
M=2 Receivers, N=1 Clueless_i
[Figure: transition diagram from Alice's inputs 0, 1, 2 to Eve's outputs <2,0,0>, <1,1,0>, <1,0,1>, <0,2,0>, <0,1,1>, <0,0,2>; edge labels p and q/2]
Channel Matrix for N=1, M=2
M_{1,2} =
        <2,0,0>  <1,1,0>  <1,0,1>  <0,2,0>  <0,1,1>  <0,0,2>
A=0        p       q/2      q/2       0        0        0
A=1        0        p        0       q/2      q/2       0
A=2        0        0        p        0       q/2      q/2
(Note: typo in pre-proceedings section 3.2, M0.2[i,j] = Pr(e_j | A=i), not A=a_i)
Capacity for N=1,M=2
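$$
\begin{aligned}
C &= \max_A I(A,E) \\
  &= \max_{x_1,x_2} \Big\{ -\big( p x_0 \log p x_0 \\
  &\qquad + [q x_0/2 + p x_1] \log[q x_0/2 + p x_1] \\
  &\qquad + [q x_0/2 + p x_2] \log[q x_0/2 + p x_2] \\
  &\qquad + [q x_1/2] \log[q x_1/2] \\
  &\qquad + [q x_1/2 + q x_2/2] \log[q x_1/2 + q x_2/2] \\
  &\qquad + [q x_2/2] \log[q x_2/2] \big) - h_2(p) \Big\}
\end{aligned}
$$
where $h_2(p) = -(1-p) \log \frac{1-p}{2} - p \log p$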
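Added example, not part of the original slides: it builds Eve's channel matrix for N Clueless senders and M receivers and computes the capacity, which covers the toy scenario (N=1, M=1), the 1-receiver case with N Clueless senders, and the N=1, M=2 matrix on the slides. It assumes q = 1-p and Clueless senders uniform over the actual receivers R_1..R_M; the capacity is found with Blahut-Arimoto iteration (a substitute for whatever numerical method the authors used), and all function names are hypothetical.

```python
# Added example, not from the slides: Eve's view as a discrete memoryless channel.
# Assumption: each Clueless_i stays silent (R0) w.p. p, else picks R1..RM uniformly.
from itertools import product
from math import comb, log2

def channel_matrix(N, M, p):
    """Return (W, cols): W[a][k] = Pr(Eve sees count vector cols[k] | Alice -> R_a)."""
    probs = [p] + [(1 - p) / M] * M
    rows = [{} for _ in range(M + 1)]
    for c in product(range(N + 1), repeat=M + 1):   # Clueless counts <c0,...,cM>
        if sum(c) != N:
            continue
        w, left = 1.0, N
        for ci, pi in zip(c, probs):                # multinomial probability of c
            w *= comb(left, ci) * pi ** ci
            left -= ci
        for a in range(M + 1):                      # Alice adds one message to R_a
            e = tuple(ci + (i == a) for i, ci in enumerate(c))
            rows[a][e] = rows[a].get(e, 0.0) + w
    cols = sorted({e for r in rows for e in r}, reverse=True)
    return [[r.get(e, 0.0) for e in cols] for r in rows], cols

def output_dist(x, W):
    """Distribution of Eve's observation for Alice's input distribution x."""
    return [sum(xa * row[k] for xa, row in zip(x, W)) for k in range(len(W[0]))]

def mutual_information(x, W):
    """I(A;E) in bits for Alice's input distribution x."""
    y = output_dist(x, W)
    return sum(xa * w * log2(w / yk) for xa, row in zip(x, W)
               for w, yk in zip(row, y) if xa > 0 and w > 0)

def capacity(W, iters=2000):
    """Blahut-Arimoto iteration: returns (capacity in bits, maximizing x)."""
    x = [1.0 / len(W)] * len(W)
    for _ in range(iters):
        y = output_dist(x, W)
        d = [2 ** sum(w * log2(w / yk) for w, yk in zip(row, y) if w > 0) for row in W]
        z = sum(xa * da for xa, da in zip(x, d))
        x = [xa * da / z for xa, da in zip(x, d)]
    return mutual_information(x, W), x

if __name__ == "__main__":
    for N, M in [(1, 1), (2, 1), (1, 2), (2, 2)]:
        C, x = capacity(channel_matrix(N, M, 0.5)[0])
        print(f"N={N} M={M} p=0.5  C={C:.4f} bits  x0={x[0]:.3f}")
```

With p = 1 (no Clueless traffic) the channel is noiseless and the capacity reaches log2(M+1) bits per tick, while for M > 1 and p = 0 the outputs still overlap, which is the sending vs. not-sending asymmetry the conclusions mention.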
Capacity LB vs. p (N=1-4,M=2)
Mutual Info vs. X0, N=1, M=2
Mutual Info vs. p, N=2, M=2
Best x0 vs. p for M=3,N=1-4
Effect of Suboptimal x0 (M=3)
Capacity LB vs. p (N=1, M=1-5)
Capacity (N,M)
Equivalent Sender Group Size
Conclusions
1. Highest capacity when very low or very high clueless traffic
2. Multiple receivers induce asymmetry for clueless sending vs. not sending
3. Capacity monotonically decreases to 0 with N
4. Capacity monotonically increases with M, bounded by log(M+1)
5. Alice’s optimal bias is a function of p, and is always near 1/(M+1)
Future Work
• Relax IID assumption on Clueless_i
• More realistic distributions for Clueless_i
• If Alice has knowledge of Clueless_i behavior…
• More general timed Mixes
• Threshold Mixes, pool Mixes, Mix networks
• Effective sender set size
• Relationship of CC capacity to anonymity