Message Splitting Against the Partial Adversary

Page 1: Message Splitting Against the Partial Adversary

Message Splitting Against the Partial Adversary

Andrei Serjantov

The Free Haven Project (UK)

Steven J Murdoch

University of Cambridge Computer Laboratory

Page 2: Message Splitting Against the Partial Adversary

Outline

• Mix Systems. Criticisms.
  – too strong threat model(!)
  – intersection attack when >1 msg (too much data) sent

• Weaker threat model

• Sending each message via random route
  – “non connection-based system”

• Empirical observations about Mixmaster, Mixminion

• Characteristic delay function [Dan04] is difficult to estimate

Page 3: Message Splitting Against the Partial Adversary

Mix Systems

• Well known to this audience

• Implemented
  – Mixmaster
  – Mixminion

• Threat Model
  – Global Passive Adversary (GPA)
  – GPA with some (all but one?) compromised mixes

Page 4: Message Splitting Against the Partial Adversary

Criticisms

• GPA does not exist
  – (a matter of some debate)

• The mix system (Chaum 81) allows one fixed-sized message to be sent anonymously
  – Great for votes
  – Ok for email
  – Bad for Web Browsing
  – Awful for Bit Torrent

• If >1 message (more than 32K data), anonymity is degraded

Page 5: Message Splitting Against the Partial Adversary

Intersection Attack

[Diagram: senders A, B, C send messages through Mix 1 to Mix 4 to receivers D, E, F; the numbers on the links are message counts; labels: Senders, Receivers, Attacker]

Page 6: Message Splitting Against the Partial Adversary

[Chart: Traffic, volume of data downloaded through the anonymity system; x axis: Volume of data, Kb (0 to 25000); y axis: Number of users]

Page 7: Message Splitting Against the Partial Adversary

Intersection Attack

• [BPS00] On the Disadvantages of Free Mix Routes (PET2001)

• [WALS02] An Analysis of the Degradation of Anonymous Protocols (NDSS’02)

• [KAP02] Limits of Anonymity in Open Environments (IH2002)

• [Dan03] Statistical Disclosure (I-NetSec03)

• [DS04] (IH2004)

• [Dan04] The traffic analysis of continuous-time mixes (PET2004)

etc

Page 8: Message Splitting Against the Partial Adversary

The Common Wisdom

• Intersection attacks are:
  – Realistic
  – Powerful (reduce anonymity quickly)
  – Hard to protect against

• Require lots of dummy traffic

Page 9: Message Splitting Against the Partial Adversary

A Weaker Model

[Diagram: senders A, B, C send messages (numbered 1, 2) through Mix 1 to Mix 4 to receivers D, E, F; only part of the network is within the attacker's view]

Attacker observes: not all inputs, not all outputs

Not interesting

Page 10: Message Splitting Against the Partial Adversary

A Better Threat Model

• A Partial Adversary
  – Does not observe all Sender to Mix links
  – (alternatively not all mixes which senders can send to)
  – Ignore compromised mixes

Page 11: Message Splitting Against the Partial Adversary

Observed Mix

[Diagram: senders A, B send messages (numbered 1, 2) through Mix 1 to Mix 4 to receivers D, E; one mix is observed]

Attacker sends all his messages via one single route through the mix system

Page 12: Message Splitting Against the Partial Adversary

Splitting Data

[Diagram: senders A, B, C send messages (numbered 1, 2) through Mix 1 to Mix 4 to receivers E, F; B's messages enter through several different first mixes]

Sender B splits his stream of data and sends each message via a randomly chosen route

The problem: how do you choose the first mix?

Page 13: Message Splitting Against the Partial Adversary

The Details

• Problem:
  – $M$ mixes to send to
    • $fM$ compromised, the rest not (but no idea which ones)
  – $P$ packets
  – What are the $P_1, \ldots, P_M$ s.t. a random subset (attacker) of size $fM$ gives least information about $P$
  – Note that $\sum_i P_i \ge P$ (dummy traffic)
  – No proof or optimal solution in this paper!
    • See one possible solution next

Page 14: Message Splitting Against the Partial Adversary

One possible scheme

• Pick (uniformly) at random a sequence of mixes

• Pick $P_1$ from a geometric distribution with mean $P/2$. Set $P' = P - P_1$

• Pick $P_2$ from a geometric distribution with mean $P'/2$. Set $P'' = P' - P_2$

• etc

• Another in the paper (with some analysis)
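As an added example (not the authors' code), the scheme above in Python together with a partial adversary of the kind described on the previous slide: P packets are allocated across M mixes by successive geometric draws, and the simulation measures how often an adversary watching a random fM of the mixes sees the whole volume, compared with sending everything via one route as on the "Observed Mix" slide. Assumed, because the slide does not say: the remainder left after the last mix in the sequence goes to that mix (no dummy traffic), and the adversary's subset of mixes is uniformly random.

```python
import math
import random

def geometric_draw(mean, rng):
    """Draw k in {0, 1, 2, ...} from a geometric distribution with E[k] = mean.
    Success probability p = 1/(1+mean) gives mean (1-p)/p; inverse transform."""
    p = 1.0 / (1.0 + mean)
    u = 1.0 - rng.random()                      # u in (0, 1], so log(u) is finite
    return int(math.floor(math.log(u) / math.log(1.0 - p)))

def split_packets(P, M, rng):
    """Slide-14 scheme: pick a random sequence of the M mixes, then
    P_1 ~ Geom(mean P/2), P' = P - P_1, P_2 ~ Geom(mean P'/2), P'' = P' - P_2, ...
    Assumption not stated on the slide: the remainder after the last mix in the
    sequence goes to that mix, so no dummy traffic and sum(alloc) == P."""
    order = rng.sample(range(M), M)             # uniformly random mix sequence
    alloc = [0] * M
    remaining = P
    for mix in order[:-1]:
        if remaining == 0:
            break
        k = min(geometric_draw(remaining / 2, rng), remaining)
        alloc[mix] = k
        remaining -= k
    alloc[order[-1]] += remaining
    return alloc

def single_route(P, M, rng):
    """Slide-11 baseline: every packet enters through one randomly chosen first mix."""
    alloc = [0] * M
    alloc[rng.randrange(M)] = P
    return alloc

def observed(alloc, f, rng):
    """Partial adversary watching the sender-to-mix links of a random subset of
    fM mixes (slide 13); returns how many of the sender's packets it sees."""
    watched = rng.sample(range(len(alloc)), round(f * len(alloc)))
    return sum(alloc[i] for i in watched)

def leak_rate(P, M, f, scheme, trials, seed=0):
    """Fraction of trials in which the adversary sees all P packets, i.e. learns
    the sender's true traffic volume exactly."""
    rng = random.Random(seed)
    hits = sum(observed(scheme(P, M, rng), f, rng) == P for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("single route leak rate:", leak_rate(100, 4, 0.5, single_route, 2000))
    print("splitting leak rate:   ", leak_rate(100, 4, 0.5, split_packets, 2000))
```

With one route the adversary learns the full volume whenever it happens to watch the chosen first mix (about a fraction f of the time); with splitting it must watch every mix that received a share, which is much rarer.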

Page 15: Message Splitting Against the Partial Adversary

Part II

• (Looking at a particular intersection attack and finding it not as easy as it looks at first glance)

Page 16: Message Splitting Against the Partial Adversary

Another Intersection Attack

• Danezis 2004 (thanks for the diagrams)

The Idea:

Page 17: Message Splitting Against the Partial Adversary

The Details

Page 18: Message Splitting Against the Partial Adversary

The Characteristic Delay Function

• What is this for
  – Mixes
  – Mixmaster
  – Mixminion
  – Tor

• This may be unfair: Danezis intended his attack for low latency systems (Tor)

• Nevertheless interesting

Page 19: Message Splitting Against the Partial Adversary

The Characteristic Delay Function

• Theory:
  – What is the delay of a mix (cascade/network)
  – Can say not very much about it (as usual)

• Details in the paper

• Practice:
  – Steven wrote a disciplined pinger
    • Does not ping too often, hope not to affect the results by sampling

Page 20: Message Splitting Against the Partial Adversary

Results

Page 21: Message Splitting Against the Partial Adversary

Results

Page 22: Message Splitting Against the Partial Adversary

Comparing

• Nothing surprising
  – Mixmaster has longer delay
  – Heavy tails

Page 23: Message Splitting Against the Partial Adversary

Conclusions I

• It is well known that the intersection attack is powerful
  – No reason to abandon investigation!

• New interesting, mathematically well defined threat model

• Splitting traffic amongst first nodes
  – Does not have the efficiency of Tor or other connection-based systems
  – Does gain anonymity advantage (but only by means of a weaker threat model)

Page 24: Message Splitting Against the Partial Adversary

Conclusions II

• Characteristic function of Mixmaster, Mixminion difficult to work out in theory or estimate empirically

• Data at:

• All references at “Anonymity Bibliography”

Thank you

Page 25: Message Splitting Against the Partial Adversary

The Anonymity Advantage

[Figure: two panels labelled "The Network (Mixmaster)" showing Alice's packets among the total observed packets; values shown: 100, 17, 10, 5, 87 in the first panel and 100, 170, 10, 5, 87 in the second]

Page 26: Message Splitting Against the Partial Adversary

Intersection Attack

[Diagram: Senders, Mixes, Receivers, Attacker]

Page 27: Message Splitting Against the Partial Adversary

A Weaker Model

Attacker observes: not all inputs, not all outputs

Notinteresting

Page 28: Message Splitting Against the Partial Adversary

Observed Mix

Attacker sends all his messages via one single route through the mix system

Page 29: Message Splitting Against the Partial Adversary

Splitting Data

Attacker splits his stream of data and sends each message via a randomly chosen route

The problem: how do you choose the first mix?
