Hashing it Out in Public Common Failure Modes of DHT-based Anonymity Schemes Andrew Tran, Nicholas Hopper, Yongdae Kim Presenter: Josh Colvin, Fall 2011


Hashing it Out in Public: Common Failure Modes of DHT-based Anonymity Schemes

Andrew Tran, Nicholas Hopper, Yongdae Kim

Presenter: Josh Colvin, Fall 2011

Anonymous Networks

• Serve as an important tool for:
– Online privacy
– Censorship resistance
– Surveillance evasion
– Safeguarding freedom of expression online

Anonymity Guidelines

• Hiding among more users provides stronger anonymity
• Usability, latency, and scalability determine how many users a system attracts, and therefore contribute to its security

Clarification

• All schemes considered here fall under certain specific criteria:
– Based on the circuit model
– Provide low-latency connections
– Anonymity based on limited knowledge of the circuit

Tor

• Relies on a global list (directory) of all active relays in the network
– Limited scalability: every client must obtain the full list, so total communication cost grows quadratically with network size

Distributed Hash Table

• Each node is assigned an identifier (nodeID)
• Data items are also assigned keys in the same identifier space
• The overlay designates ownership of a set of keys to a single live node (the root of those keys)
• Each node maintains a routing table
• Every routing table holds a number of distinct entries

DHT Queries

• Two main types of queries:
– Recursive
– Iterative
• Both processes take O(log n) steps

Recursive Queries

• The source forwards the query to the node in its routing table closest to the target, handing over control of the lookup
• That node forwards it on in the same way; the process repeats until the root is found (or the lookup fails)
• The result is passed back to the source

Iterative Queries

• The source requests data from the node in its routing table with the greatest prefix match to the key
• The queried node responds with the location of a node with a greater prefix match
• The source itself continues this chain of queries until no greater match can be found
• The result must then be the intended target (if it exists)

Recursive Query Example

[Figure: recursive query example among nodes A, B, C and D]

Iterative Query Example

[Figure: iterative query example among nodes A, B, C and D]

Note on Routing Types

• In recursive routing, a failed lookup does not identify which hop caused the failure
– A malicious node can selectively refuse to cooperate without running the risk of being blacklisted
• Iterative routing does not share this problem, since the source contacts every hop itself and sees which one fails
– But every hop then learns the source's address and the key it is looking up, so passive attacks on anonymity can occur

DHT Attacks

• Two main security issues:
– Passing a query through a malicious node is statistically likely
– Query result accuracy is difficult to verify

Query Capture

• A query is captured if any hop it uses is controlled by an attacker

• With a small fraction (< 20%) of compromised nodes this is already very likely, because a lookup traverses O(log n) hops and each hop is another chance of capture

Adversary’s Options

• Once an attacker has captured a query, he has three options:
– Forward the query to a malicious (or possibly nonexistent) node
– Drop the query
– Log the query

Mitigating Attacks

• Several options for minimizing the ability of adversaries to operate effectively:
– Make nodeIDs verifiable
– Redundant queries
– “Density check”

Verifiable nodeID’s

• Can be implemented by hashing a node's IP address to obtain its nodeID

• An attacker cannot place a malicious node at a chosen position without controlling an IP address that hashes into the desired region of the identifier space

• Cannot easily support nodes behind NAT boxes (which share one public IP, and so one nodeID) without a security tradeoff
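An added example, not code from the paper or the slides, of what "verifiable nodeIDs" buys and what the NAT tradeoff costs. A peer's ID is recomputed from the address it connects from; an attacker who owns a whole /24 gets exactly one ID per address and cannot steer them, whereas hashing the port as well (one way a scheme might admit several peers behind one NAT) lets a single IP pick among tens of thousands of IDs. SHA-256, the 64-bit ID size and the 192.0.2.0/24 documentation prefix are assumptions of this example.

```python
import hashlib
import ipaddress

ID_BYTES = 8  # 64-bit identifiers (assumption of this example)


def node_id(ip, port=None):
    """Verifiable nodeID: hash of the peer's public IP. Including the port is
    the NAT accommodation whose cost is shown below. SHA-256 is an assumption."""
    material = ipaddress.ip_address(ip).packed
    if port is not None:
        material += int(port).to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(material).digest()[:ID_BYTES], "big")


def verify_claim(ip, claimed_id, port=None):
    """Accept a peer's claimed ID only if it recomputes from the address it
    actually connected from; a forged ID fails this check."""
    return node_id(ip, port) == claimed_id


def reachable_ids(network):
    """Distinct IDs an attacker can occupy with an entire prefix: one per host."""
    return {node_id(str(a)) for a in ipaddress.ip_network(network).hosts()}


def ids_from_one_ip_with_ports(ip):
    """The tradeoff: once the port is hashed too, one IP yields 65535 IDs to pick from."""
    return {node_id(ip, p) for p in range(1, 65536)}


def addresses_landing_in(network, lo, hi):
    """Hosts in an attacker-owned prefix whose ID falls in the target arc [lo, hi).
    The attacker has no control beyond choosing among these."""
    return [str(a) for a in ipaddress.ip_network(network).hosts()
            if lo <= node_id(str(a)) < hi]


if __name__ == "__main__":
    ip = "192.0.2.10"  # constructed (TEST-NET-1) address
    print("honest claim:", verify_claim(ip, node_id(ip)))
    print("forged claim:", verify_claim(ip, node_id("192.0.2.11")))
    print("IDs from a /24:", len(reachable_ids("192.0.2.0/24")))
    print("IDs from one IP with ports:", len(ids_from_one_ip_with_ports(ip)))
    # how many of the /24's hosts land in one sixteenth of the ring
    print("hosts hitting a 1/16 arc:", len(addresses_landing_in("192.0.2.0/24", 0, 1 << 60)))
```

The last line illustrates why this defence is only a partial one: the attacker cannot choose a position, but a large enough address pool still lands some nodes in any region of the ring.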

Redundant Queries

• Multiple routes are followed for the same lookup
• Precautions must be taken to prevent path convergence (the routes merging at the same nodes)
• Increases bandwidth overhead
• Increases the likelihood of identity compromise, since more nodes see the query
• On average, the majority of paths will be compromised
– Valid responses therefore cannot easily be distinguished by majority vote
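An added example, not from the paper or the slides, that puts numbers on the Query Capture and Redundant Queries slides. It builds a small Chord-style ring (constructed: a 2^14 identifier space, 2000 nodes, 20% marked malicious), runs greedy iterative lookups from honest sources, and counts a lookup as captured if any hop, the root included, is malicious. The closed-form functions then show why redundancy does not rescue a majority vote: once one route is captured with probability above one half, adding routes makes a captured majority more likely. The ring construction and the hop-based capture model are assumptions of this simulation.

```python
import random
from bisect import bisect_left
from math import comb

M = 14            # identifier bits (constructed; small so the example runs fast)
SPACE = 1 << M


def make_ring(n, malicious_fraction, seed=1):
    """Constructed ring: n distinct random IDs, a fixed fraction marked malicious."""
    rng = random.Random(seed)
    ids = sorted(rng.sample(range(SPACE), n))
    bad = set(rng.sample(ids, int(n * malicious_fraction)))
    return ids, bad


def successor(ids, key):
    """Root of key: the first node ID at or after key, wrapping around the ring."""
    return ids[bisect_left(ids, key) % len(ids)]


def in_interval(x, a, b):
    """True if x lies in the ring interval (a, b]."""
    if a < b:
        return a < x <= b
    return x > a or x <= b


def finger_table(ids, nid):
    """Chord-style routing table: successor(nid + 2^i) for i = 0..M-1."""
    return [successor(ids, (nid + (1 << i)) % SPACE) for i in range(M)]


def lookup(ids, fingers, start, key):
    """Greedy iterative lookup from start; returns the hops contacted, root last."""
    path, cur = [], start
    while True:
        succ = fingers[cur][0]
        if in_interval(key, cur, succ):          # cur's successor owns key
            path.append(succ)
            return path
        nxt = succ                                # fall back to the successor
        for f in reversed(fingers[cur]):          # closest preceding finger
            if f != key and in_interval(f, cur, key):
                nxt = f
                break
        path.append(nxt)
        cur = nxt


def capture_rate(n=2000, f=0.2, trials=500, seed=7):
    """Fraction of lookups from honest sources that touch at least one malicious
    node (the root included), plus the mean hop count, by simulation."""
    ids, bad = make_ring(n, f, seed)
    fingers = {nid: finger_table(ids, nid) for nid in ids}
    honest = [nid for nid in ids if nid not in bad]
    rng = random.Random(seed)
    captured = hops = 0
    for _ in range(trials):
        path = lookup(ids, fingers, rng.choice(honest), rng.randrange(SPACE))
        hops += len(path)
        captured += any(h in bad for h in path)
    return captured / trials, hops / trials


def analytic_capture(f, hops):
    """P(at least one of `hops` independently chosen hops is malicious)."""
    return 1 - (1 - f) ** hops


def majority_captured(f, hops, r):
    """P(more than half of r independent redundant routes are captured)."""
    p = analytic_capture(f, hops)
    return sum(comb(r, k) * p ** k * (1 - p) ** (r - k)
               for k in range(r // 2 + 1, r + 1))


if __name__ == "__main__":
    rate, mean_hops = capture_rate()
    print(f"simulated capture rate {rate:.2f} over {mean_hops:.1f} hops on average")
    print(f"closed form, 13 hops at 20% malicious: {analytic_capture(0.2, 13):.3f}")
    for r in (1, 3, 5, 9):
        print(f"r={r}: P(majority of routes captured) = {majority_captured(0.2, 10, r):.3f}")
```

Note that path convergence is ignored here: the redundant routes are treated as independent, which is the optimistic case for the defender, and the majority is still captured.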

“Density Check”

• Tests if the distance between a result node and the key is consistent with the distribution of nodeID’s near the source

• If this distance is too large (e.g. 1.5x greater), the result of the query is rejected

• Must have a sufficiently large number of nodes to be accurate
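An added example, not the paper's code, of one concrete way to implement the density check described on this slide. The local density is estimated as the mean gap between the nodeIDs the source already knows around itself (its successors), and a claimed root is rejected if its clockwise distance from the key exceeds 1.5 times that gap, the factor the slide gives. The last function measures how often an honest root is wrongly rejected in a constructed uniform ring, which is the accuracy concern in the final bullet. The 32-bit identifier space, the successor-list sample and the constructed rings are assumptions of this example.

```python
import random
from bisect import bisect_left

SPACE = 1 << 32   # identifier space (assumption of this example)


def ring_distance(a, b, space=SPACE):
    """Clockwise distance from a to b on the ring."""
    return (b - a) % space


def mean_gap(sample_ids, space=SPACE):
    """Density estimate: mean spacing between consecutive IDs in a local sample
    (the source's successor list). The largest gap spans the rest of the ring
    and is dropped so that a sample crossing zero is handled correctly."""
    s = sorted(set(sample_ids))
    gaps = sorted(ring_distance(a, b, space) for a, b in zip(s, s[1:] + s[:1]))
    return sum(gaps[:-1]) / (len(gaps) - 1)


def density_check(key, claimed_root, sample_ids, space=SPACE, factor=1.5):
    """Accept claimed_root as the root of key only if it is not implausibly far
    from key given the local density. A node before the key on the ring has a
    huge clockwise distance and is rejected too: it cannot be the key's root."""
    return ring_distance(key, claimed_root, space) <= factor * mean_gap(sample_ids, space)


def honest_reject_rate(n, sample_size=16, factor=1.5, trials=2000, seed=3):
    """How often the check rejects the *true* root in a constructed uniform ring
    of n nodes when the density is estimated from sample_size successors."""
    rng = random.Random(seed)
    ids = sorted(rng.sample(range(SPACE), n))
    rejected = 0
    for _ in range(trials):
        src = rng.randrange(n)
        local = [ids[(src + i) % n] for i in range(sample_size + 1)]  # src and its successors
        key = rng.randrange(SPACE)
        true_root = ids[bisect_left(ids, key) % n]
        rejected += not density_check(key, true_root, local, factor=factor)
    return rejected / trials


if __name__ == "__main__":
    # constructed neighbourhood with ~100 IDs between consecutive nodes
    local = [1000, 1100, 1210, 1290, 1400, 1500, 1620, 1700]
    key = 1350
    print("mean gap:", mean_gap(local))
    print("plausible root 1400 accepted:", density_check(key, 1400, local))
    print("far-away claim 1620 rejected:", not density_check(key, 1620, local))
    print("node before the key rejected:", not density_check(key, 1290, local))
    for factor in (1.5, 3.0):
        print(f"honest roots rejected at factor {factor}: {honest_reject_rate(4000, factor=factor):.2f}")
```

The false-rejection figure shows the tradeoff in the check's single parameter: a tight factor such as 1.5 rejects a noticeable share of honest roots whenever the local sample is small, while loosening it lets a malicious node sit further from the key before being caught.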

Insecure Relay Selection

• Lack of proper security measures applied to DHT lookups

• In general, traditional security methods are insufficient to prevent a bias towards selecting malicious nodes

• No clear method to verify if a particular peer is the current root of a key
– A malicious node could claim to be the correct result of a query

Insecure Relay Selection, Cont.

• A malicious node may return offline nodes
• A threshold-type scheme may also prove unreliable
– On average, the majority of redundant routes will pass through a malicious node

Vulnerable Schemes

• Out of ten different DHT-based anonymous overlay networks:
– Two specify mechanisms to prevent DHT lookup failures
– Five use overlay circuit extension with no provisions for redundant routing
– The remaining three make no provisions for robustness

Questions?