More Anonymous Onion Routing Through Trust

Aaron Johnson and Paul Syverson22nd IEEE Computer Security Foundations Symposium

July 2009

How Onion Routing Works

User u running client Internet destination d

Routers running servers

u d1 2

1. u creates l-hop circuit through routers

2. u opens a stream in the circuit to d

3. Data is exchanged

{{{m}3}4}1 1 2

{{m}3}4

{m’}3

{{m’}3}4

{{{m’}3}4}1 1 2

Onion Routing• Practical design with low latency and overhead

• Open source implementation (http://www.torproject.org/)

• Over 1500 volunteer routers• Estimated 200,000 users

Adversaryu 2

Adversaryu 1 2

• Active & Local

Adversaryu 1 2

• Active & Local

• Correlation attack

Adversaryu 1 2

• Active & Local

• Correlation attack

Using Trust

• Adversarial routers

Using Trust

• Adversarial routers• User doesn’t know where the adversary is.

Using Trust

• Adversarial routers• User doesn’t know where the adversary is.• User may have some idea of which routers are

likely to be adversarial.

• Router ri has trust ti. An attempt to compromise a router succeeds with probability ci = 1-ti.

• User will choose circuits using a known distribution.

• Adversary attempts to compromise at most k routers, KR.

• After attempts, users actually choose circuits.

• For anonymity, minimize correlation attack• Probability of compromise:

c(p,K) = r,sK prs cr cs

• Problem:– Input: Trust values t1,…,tn

– Output: Distribution p* on router pairs such that

p* argminp maxKR:|K|=k c(p,K)

Algorithm• Turn into a linear program• Variables: prs r,sR

t (slack variable)• Constraints:– Probability distribution:

0 prs 1r,sR prs = 1

– Minimax:t – c(p,K) 0 KR:|K|=k

• Objective function : t

Algorithm• Turn into a linear program• Variables: prs r,sR

t (slack variable)• Constraints:– Probability distribution:

0 prs 1r,sR prs = 1

– Minimax:t – c(p,K) 0 KR:|K|=k

• Objective function : tProblem: Exponential-size linear program

Independent-Choice Approximation

1. Let c(p) = maxKR:|K|=k rK pr cr.2. Choose routers independently using

p* argminp c(p)

1. Let c(p) = maxKR:|K|=k rK pr cr.2. Choose routers independently using

p* argminp c(p)Let = argmini ci.Let p1(r) = 1.Let p2(ri)= /ci, where = (i 1/ci)-1.Theorem:

c(p*) =c(p1) if c kc(p2) otherwise

ri1ri2

ri3ri4

Proof:Independent-Choice Approximation

ri1ri2

ri3ri4

Proof:

1. Adversary chooses k routers with largest pici.

ri1ri2

ri3ri4

Proof:

1. Adversary chooses k routers with largest pici.2. cij

cij+1or swapping would be an improvement.

ri1ri2

ri3ri4

Proof:

3. Can assume that pi ci = pjcj; i,j>= k.

ri1ri2

ri3ri4

Proof:

3. Can assume that pi ci = pjcj; i,j>= k.4. Can assume that pi ci = pjcj; i,j>= 2.

ri1ri2

ri3ri4

Proof:

3. Can assume that pi ci = pjcj; i,j>= k.4. Can assume that pi ci = pjcj; i,j>= 2.5. Adjusting p1 changes c(p) linearly. Therefore one

extreme is a minimum.

ri1ri2

ri3ri4

Proof:

ri1ri2

ri3ri4

Proof:

Theorem: The approximation ratio of independent selection is (n).

Proof sketch:Let In = (c1, . . . , cn, k) be such that

1. c1 = O(1/n)2. c2 > c, c (0, 1)3. k = o(n)4. k = (1)

Let p*(r1,ri) 1/(cr1 cri

).Then c(In, p1)/c(In, p*) = (n/k)and c(In, p2)/c(In, p*) = (k).

1. c1 = O(1/n)2. c2 > c, c (0, 1)3. k = o(n)4. k = (1)

Trust Model• Two trust levels: t1 t2

• U = {ri | ti=t1}, V = {ri | ti=t2}

• U = {ri | ti=t1}, V = {ri | ti=t2}Theorem: Three distributions can be optimal:

1. p(r,s) crcs for r,sR

2. p(r,s) c1

2 if r,sU

0 otherwiseU

2. p(r,s)

3. p(r,s)

if r,sU0 otherwisec1

2(n(n-1)-v0(v0-1))if r,sU

c22(m(m-1)-v1(v1-1))

if r,sV0 otherwise

where v0 = max(k-m,0) and v1 = (max(k-n,0))

Generalization and Other Applications

• Pick a subset of size j• Minimize the chance that all are compromised• Examples:

1. Heterogenous sensor networks2. Distributed computation (e.g. SETI@home)3. Data integrity in routing

Future Work

• Generalization to other problems• Heterogeneous trust– Users choose paths differently– User profiling– Adversary may not know trust values

• Roving adversary

More Anonymous Onion Routing Through Trust

Documents

Anonymous Connections And Onion Routing

Lightweight Anonymous Routing in NoC based SoCs

Network coding combined with onion routing for anonymous and secure communication in a wireless mesh network

Onion routing and tor: Fundamentals and Anonymity

The Onion Routing (TOR)

Pairing-Based Onion Routing with Improved Forward Secrecyiang/pubs/PBOR-TISSEC.pdf · Pairing-Based Onion Routing with Improved Forward Secrecy ... Pairing-Based Onion Routing with

(Nothing else) MATor(s): Monitoring the Anonymity of Tor’s ...mohammadi/paper/mator.pdf · 1 Introduction The onion routing network Tor is a widely employed low-latency anonymous

A Study of VoIP Performance in Anonymous Network - The ......A Study of VoIP Performance in Anonymous Network - The Onion Routing (Tor) Dissertation for the award of the degree “Doctor

Homomorphic Cryptography Based Anonymous Routing

1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable

Provably Secure and Practical Onion Routing

A Formal Treatment of Onion Routing

Onion Routing Report

Improving the Eﬃciency of Anonymous Routing for MANETsvijay/pubs/jrnl/12comcom.pdfImproving the Eﬃciency of Anonymous Routing for MANETs Jiefeng (Terence) Chena,b,∗, Roksana

Anonymity on the Web: Onion routing and Crowds. 2 Outline the problem of user privacy basic concepts of anonymous communication MIXes Onion routing

Practical and Provably Secure Onion Routing · 2012-07-16 · Practical and Provably Secure Onion Routing [IEEE CSF '12] Practical and Provably Secure OR - Esfandiar Mohammadi Anonymous

A CODING ENABLED ANONYMITY NETWORK · that use the concept of onion routing. Tor [7], the second generation onion router, is a low latency anonymous system which incrementaly builds

Anon ymous Connections and Onion Routing

Onion Routing Ppt

The onion routing network(tor)