Onion Routing.ppt

Anonymous Routing in Wireless Networks: Onion Routing. Priyanka Banerjee


Transcript of Onion Routing.ppt

Page 1: Onion Routing.ppt

Anonymous Routing in Wireless Networks:

Onion Routing

Priyanka Banerjee

Page 2: Onion Routing.ppt

Organization

Introduction
Traffic Analysis overview
Onion Routing in Wired Networks
Onion Routing in Wireless Networks
Conclusion

Page 3: Onion Routing.ppt

Introduction

Types of attackers on the web:

Active attackers
Passive attackers

Page 4: Onion Routing.ppt

Traffic Analysis

Intercept traffic
Capture packets
Analyze packets
Deduce useful information

Page 5: Onion Routing.ppt

Traffic analysis focuses on the headers, which contain metadata like source address, destination address, timing information, etc.

Hence, even if the packet content is encrypted, traffic analysis can reveal useful information.

Page 6: Onion Routing.ppt

Importance of Traffic Analysis

Although traffic analysis provides lower quality information, it is preferred over cryptanalysis because it is easier than breaking complex encrypted messages [2]

It is also cheaper because traffic data can be automatically collected and processed to provide a high degree of intelligence [2]

It is used for military purposes [2] and by various organizations to track unpleasant events over the internet

Page 7: Onion Routing.ppt

Onion Routing

Onion routing is the mechanism in which the sender (initiator) and the receiver (responder) nodes communicate with each other anonymously by means of some intermediate nodes called onion routers

It relies on public key cryptography

Page 8: Onion Routing.ppt

Infrastructure for Onion Routing

Network Infrastructure

Proxy Interfaces

Page 9: Onion Routing.ppt

Steps in Onion Routing

Defining a route
Constructing an anonymous connection
Moving data through an anonymous connection
Destroying the anonymous connection

Page 10: Onion Routing.ppt

Example

Let onion routers 4, 3, and 5 be randomly selected by the onion proxy

Page 11: Onion Routing.ppt

The proxy encrypts the data with 5’s public key followed by 3 and then 4

Thus an onion is created which looks like

E4pu (3’s IP address, E3pu ((5’s IP address, (E5pu (recipient’s IP address, data)))))

Page 12: Onion Routing.ppt

The proxy then sends the onion to the first onion router i.e. 4

Onion router 4 peels the outer layer of the onion using its private key

It forwards the onion to 3 which now looks like E3pu ((5’s IP address, (E5pu (recipient’s IP address, data))))

Page 13: Onion Routing.ppt

Onion router 3 peels the outer layer of the onion using its private key

It forwards the onion to 5 which now looks like (E5pu (recipient’s IP address, data))

Page 14: Onion Routing.ppt

Onion router 5 now peels the outer layer of the onion using its private key

It finds plain data and the destination address and forwards it to the destination

Page 15: Onion Routing.ppt

Problems and solutions

The size of the onion reduces as it nears the destination

Hence an attacker can infer details about the destination

To avoid this, onions are padded at each onion router to maintain the size of the onion (onions can be padded to the same or different sizes)

Page 16: Onion Routing.ppt

Every onion router has details of only its previous and next hop

So even if an onion router has been compromised the attacker can only get the encrypted onion. He will not be able to decrypt the onion without the private keys and hence will not infer any valuable information from it

Page 17: Onion Routing.ppt

Suppose an attacker records data going on between routers and is able to compromise a router at a later stage, to acquire the private key and decrypt data.

This can be avoided by using a session key between communicating parties.

The session key is used to encrypt data and is valid only for the duration of the communication.

Page 18: Onion Routing.ppt

Packet delivery is not ensured

If an onion router fails on the way then the message will not reach the destination

Page 19: Onion Routing.ppt

It is susceptible to denial of service attacks. This can be done by forcing onion routers to do a large number of cryptographic operations by sending many packets to them. Eventually the router simply ends up doing cryptographic operations and is not able to forward packets

This can be mitigated using client puzzles. Here the onion proxy/router (i.e. the server) forces a requesting client to complete a puzzle before it allocates resources

But puzzle solving has an impact on the latency
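A client puzzle of the kind mentioned above, sketched in Python as an added example (not from the original slides). The slides do not name a construction; this assumes a hash-based puzzle with a MAC-protected, stateless challenge, and all function names and the field layout are hypothetical.

```python
import hashlib, hmac, os, time

SERVER_SECRET = os.urandom(32)   # hypothetical per-router secret, kept server-side

def _tag(client_id, ts, bits):
    msg = client_id + ts + bytes([bits])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]

def issue(client_id, bits, now=None):
    """Stateless challenge = timestamp | difficulty | MAC; nothing is stored."""
    ts = int(time.time() if now is None else now).to_bytes(8, "big")
    return ts + bytes([bits]) + _tag(client_id, ts, bits)

def zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge, client_id):
    """Client side: brute-force a counter; expected cost is about 2**bits hashes."""
    bits, counter = challenge[8], 0
    while True:
        sol = counter.to_bytes(8, "big")
        if zero_bits(hashlib.sha256(challenge + client_id + sol).digest()) >= bits:
            return sol, counter + 1          # solution and number of hashes spent
        counter += 1

def verify(challenge, client_id, solution, max_age=30, now=None):
    """Server side: one MAC and one hash before any onion decryption is done."""
    if len(challenge) != 25 or len(solution) != 8:
        return False
    ts, bits, tag = challenge[:8], challenge[8], challenge[9:]
    if not hmac.compare_digest(tag, _tag(client_id, ts, bits)):
        return False                          # forged or re-targeted challenge
    age = int(time.time() if now is None else now) - int.from_bytes(ts, "big")
    if not 0 <= age <= max_age:
        return False                          # stale challenge
    digest = hashlib.sha256(challenge + client_id + solution).digest()
    return zero_bits(digest) >= bits

if __name__ == "__main__":
    ch = issue(b"client-1", 16)
    t0 = time.perf_counter()
    sol, spent = solve(ch, b"client-1")
    print(f"client spent {spent} hashes, {time.perf_counter() - t0:.3f}s of latency")
    print("server accepts:", verify(ch, b"client-1", sol))
```

The time printed for the client is the latency cost the slide refers to. A solution can be replayed inside the max_age window unless the server also remembers recently accepted challenges.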

Page 20: Onion Routing.ppt

Challenges in Wireless Networks

In a wireless medium there is node mobility and lack of infrastructure. There is no central point governing the flow of traffic.

So nodes rely on intermediate nodes to relay their data. If intermediate nodes are compromised then onion routing fails

Also packets are broadcast into the network. Thus traffic analysis becomes easier and may go undetected

Page 21: Onion Routing.ppt

Lack of central management makes it susceptible to active attacks

It takes longer to construct paths due to the dynamic nature of the environment.

Key distribution for encrypting traffic is a challenge.

Page 22: Onion Routing.ppt

Wireless Anonymous Routing (WAR)

It is based on onion routing and traffic mixing

Here the keys are distributed using a RadioGram

A RadioGram object is like an onion which has layers of encryption around the data content

RadioGrams are broadcast into the network and the intended nodes along the route to the destination decrypt a layer at a time

Page 23: Onion Routing.ppt

The structure of a radiogram is as follows:

[tid] {[sk] [MIC] [^]} {[sk] [MIC] [^]} …. {[sk] [MIC] [^]} [content] [padding]

The information contained within the curly braces { } represents each layer of the onion

Transmitter ID i.e. tid: It uniquely defines a radiogram. It is an RSA public key. It is used to encrypt the session key. And the session key is then used to encrypt the rest of the fields

Session key i.e. sk: It is a symmetric key encrypted by the public key of the transmitter

Page 24: Onion Routing.ppt

MIC or Checksum: It is the pre-computed hash value of everything the onion skin wraps except the padding

Control Signals i.e. ^: It tells the receiver what has to be done with the received message. It also tells about the type of message and the padding

Content: This is the actual data that is being transmitted and can be interpreted only by the final destination

Padding: This is used just to maintain the size of the onion

Page 25: Onion Routing.ppt

Example

[A.id] [B.sk] [B.MIC] [B.^] [C.sk] [C.MIC] [C.^] [content] [padding]

A generates the content [content].
It then generates a random session key (16 byte) C.sk.
It sets the control signal C.^ appropriately i.e. type = MESSAGE and padding = k bits.
It prepends [C.^] to [content].
It computes a 16 byte MIC over [C.sk] [C.^] [content] and calls it C.MIC.
It encrypts [C.MIC] [C.^] [content] under C.sk.
It encrypts C.sk using C’s public key and calls it C.sk’.
It prepends [C.sk’] to [C.MIC] [C.^] [content].
Append any padding if required.
It renames [C.sk’] [C.MIC] [C.^] [content] to [content].
It repeats the above steps for (all other intermediate nodes) B.

Page 26: Onion Routing.ppt

When the nodes within the transmission range of A receive the Radiogram they perform the following steps:

They strip A.id and save it.
They strip B.MIC and save it.
They strip the encrypted B.sk’.
They try to decrypt B.sk’ to B.sk using their private key. (If it succeeds then they are the intended recipient else they simply drop the packet. Only B is able to decrypt B.sk’ as it was encrypted with his public key.)
B assumes that the message is for him and now uses B.sk to decrypt the remainder of the message i.e. [B.MIC] [B.^] [content]
B checks B.^ to determine where the padding begins and the other rules it is supposed to follow.
B computes B.MIC’ over [B.sk] [B.^] [content].
It compares B.MIC’ to B.MIC. If they are equal B checks B.^ for further information. If they are unequal it implies that the packet has been altered and B drops it or logs it as required.
It then prepends his transmitter id and puts the packet which looks like [B.id] [C.sk] [C.MIC] [C.^] [content] [padding] on the outgoing queue and broadcasts it.
Again all the nodes in B’s range perform the above steps. But only C is able to decrypt the message and read it.
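The RadioGram construction and per-hop processing from the two slides above, as an added Python example (not part of the original slides and not the WAR authors' code); the layer layout follows the construction steps on the example slide. Assumptions: textbook RSA over Mersenne primes stands in for real RSA, a SHA-256 counter keystream for the symmetric cipher and truncated SHA-256 for the MIC; the 3-byte control layout, the FORWARD type name and byte-granular padding are hypothetical.

```python
import hashlib, hmac, secrets

SK_LEN, MIC_LEN, RSA_LEN, CTL_LEN = 16, 16, 32, 3
MESSAGE, FORWARD = 1, 2      # control types; FORWARD is an assumed name

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two Mersenne primes: stdlib stand-in, NOT secure."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def tid_of(pub):             # transmitter id = sender's RSA public modulus
    return pub[0].to_bytes(RSA_LEN, "big")

def wrap(pub, sk):           # sk' = session key encrypted under a public key
    return pow(int.from_bytes(sk, "big"), pub[1], pub[0]).to_bytes(RSA_LEN, "big")

def unwrap(priv, blob):      # None when this private key does not fit
    n, d = priv
    c = int.from_bytes(blob, "big")
    m = pow(c, d, n) if c < n else n
    return m.to_bytes(SK_LEN, "big") if m < 1 << (8 * SK_LEN) else None

def xor_stream(key, data):   # SHA-256 counter keystream: assumed toy cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def mic_of(sk, ctl, content):    # 16-byte MIC over [sk][^][content], no padding
    return hashlib.sha256(sk + ctl + content).digest()[:MIC_LEN]

def add_layer(pub, ctl_type, content, pad):
    sk = secrets.token_bytes(SK_LEN)
    ctl = bytes([ctl_type]) + pad.to_bytes(2, "big")
    body = xor_stream(sk, mic_of(sk, ctl, content) + ctl + content)
    return wrap(pub, sk) + body + secrets.token_bytes(pad)

def build_radiogram(sender_pub, route_pubs, data, pad=0):
    content = data
    for i, pub in enumerate(reversed(route_pubs)):   # destination layer first
        content = add_layer(pub, MESSAGE if i == 0 else FORWARD, content, pad)
    return tid_of(sender_pub) + content

def receive(priv, packet):
    """Return (sender tid, control type, inner content), or None to drop."""
    tid, blob = packet[:RSA_LEN], packet[RSA_LEN:2 * RSA_LEN]
    sk = unwrap(priv, blob)
    if sk is None:
        return None                                  # not the intended node
    plain = xor_stream(sk, packet[2 * RSA_LEN:])
    mic, ctl = plain[:MIC_LEN], plain[MIC_LEN:MIC_LEN + CTL_LEN]
    tail = plain[MIC_LEN + CTL_LEN:]
    pad = int.from_bytes(ctl[1:], "big")             # ^ says where padding begins
    if len(ctl) < CTL_LEN or pad > len(tail):
        return None
    content = tail[:len(tail) - pad]
    if not hmac.compare_digest(mic, mic_of(sk, ctl, content)):
        return None                                  # altered, or wrong key
    return tid, ctl[0], content

# Constructed key pairs: sender A, relay B, destination C, bystander D.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
A, B, C, D = (toy_keypair(p, q) for p, q in
              ((M127, M61), (M127, M89), (M127, M107), (M107, M89)))

def demo():
    pkt = build_radiogram(A[0], [B[0], C[0]], b"meet at dawn", pad=8)
    heard = {name: receive(key[1], pkt) for name, key in zip("BCD", (B, C, D))}
    hop2 = tid_of(B[0]) + heard["B"][2]              # B prepends its own tid
    return heard, receive(C[1], hop2)

if __name__ == "__main__":
    print(demo())
```

Every node in range pays for one private-key operation per broadcast before it can tell whether the packet is for it, and a modified padding byte passes the MIC check because the MIC does not cover padding.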

Page 27: Onion Routing.ppt

Drawbacks of WAR

Key distribution is a problem

Time taken for a packet to be delivered to a destination is long because of RSA encryption and decryption. This algorithm relies on public key cryptography

The sender needs to know the topology of the entire network as there is no route discovery

It does not ensure packet delivery because if an intermediate node on the destination path fails then the packet will never reach the destination

Page 28: Onion Routing.ppt

A node has to perform a certain number of decryptions just so that it can determine if it is the intended node on the route to the destination

It is susceptible to DDoS attacks because an attacker can keep broadcasting packets and force the legitimate nodes on a route to do a large number of decryptions. Thus a valid packet may not be transmitted

Page 29: Onion Routing.ppt

Secure Distributed Anonymous Routing Protocol (SDAR)

This protocol is also based on onion routing

It does not require the source node to know the entire network topology, unlike the previous WAR protocol

It is divided into three phases:

Path discovery

Path reverse

Data Forward

Page 30: Onion Routing.ppt

Path discovery:

This allows the source node S to establish a path up to the destination using intermediate nodes.

The beauty of this phase is that none of the intermediate nodes can discover the identity of any of the participating nodes except its neighbors.

The source S creates a path discovery packet and broadcasts it.

Page 31: Onion Routing.ppt

Path reverse:

When the receiver receives the path discovery message it puts the ids and session keys of all the intermediate nodes into one message

It encrypts this message again and again with the session keys of the intermediate nodes beginning from the last node. It then broadcasts the packet

Every node along the reverse path removes a layer of encryption and broadcasts the packet

So when the source receives the message it has the ids and keys of all the nodes on the path to the destination. It uses these keys to encrypt the data and broadcasts it

Page 32: Onion Routing.ppt

Data Transfer:

The source encrypts the data using the keys of the intermediate nodes and broadcasts it

Each node on the way decrypts a layer and forwards it

So when the message reaches the destination all the encryption layers have been peeled off and the receiver is able to read the message

Page 33: Onion Routing.ppt

Drawbacks of the SDAR protocol:

There is no control over the route length since the path to the destination is a discovery process. Hence it may take a really long time for the actual data transfer to begin

If malicious nodes keep forwarding the path discovery packet amongst each other then it may never reach the intended receiver

Page 34: Onion Routing.ppt

Advantages of the SDAR protocol:

The source need not know the topology of the entire network since path discovery is a dynamic process

Page 35: Onion Routing.ppt
Page 36: Onion Routing.ppt

References:

I] http://en.wikipedia.org/wiki/Traffic_analysis
II] http://www.more.net/technical/netserv/troubleshooting/trafficanalysis.html
III] http://tor.eff.org/overview.html.en
IV] http://en.wikipedia.org/wiki/Onion_routing

1] Mary Elisabeth Gaup Moe. “Security Models for Anonymous Routing”. Norwegian University of Science and Technology.
2] George Danezis. “Introducing Traffic Analysis - Attacks, Defenses and Public Policy Issues”. Invited Talk.
3] Yih Chun Hu, Adrian Perrig. “A Survey of Secure Wireless Ad Hoc Routing”. University of California- Berkeley, Carnegie Mellon University.
4] Adam Back, Ulf Moller, Anton Stiglic. “Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems”. Zero-knowledge Systems Inc.
5] Marc O’ Morain, Vladislav Titov, Wendy Verbuggen. “Onion Routing for Anonymous Communication”.
6] Michael G. Reed, Paul F. Syverson, David M. Goldschlag. “Proxies for anonymous Routing”. Naval Research Laboratory, Washington DC.
7] Nicholas A. Fraser, Richard A. Raines, Rusty O. Baldwin. “Tor: An Anonymous Routing Network for Covert On-line Operations.” Air Force Institute of Technology, Wright Patterson AFB.
8] Michael E. Locasto, Clayton Chen, Ajay Nambi. “WAR: Wireless Anonymous Routing”. Department of Computer Science, Columbia University.
9] Liu Yang, Markus Jacobson, Susanne Wetzel. “Discount Anonymous On Demand Routing for Mobile Ad hoc Networks”.
10] Azzedine Boukerche, Khalil El-Khatib, Li Xu, Larry Korba. “SDAR: A Secure Distributed Anonymous Routing Protocol”. University of Ottawa.
11] Dehn Sy, Rex Chen, Lichun Bao. “ODAR: On-Demand Anonymous Routing in Ad-Hoc Networks”. University of California.
12] Stefaan Seys, Bart Preneel. “ARM: Anonymous Routing Protocol for Mobile Ad hoc Networks”. Department of Electrical Engineering-ESAT, SCD/COSIC