Onion Routingppt226

8/13/2019 Onion Routingppt226

1/36

Anonymous Routing in

Wireless Networks: OnionRouting

Priyanka Banerjee


2/36

Organization

Introduction

Traffic Analysis overview

Onion Routing in Wired Networks

Onion Routing in Wireless Networks

conclusion


3/36

Introduction

Types of Attackers on the

web:

Active Attackers

Passive attackers


4/36

Traffic Analysis

Intercept traffic

Capture packets

Analyze packets

Deduce useful information


5/36

Traffic analysis focuses on the headers, which

contain meta data like source address,

destination address, timing information etc

Hence even if the packet content is encrypted,

Traffic analysis can reveal useful information


6/36

Importance of Traffic Analysis

Although traffic analysis provides lower qualityinformation, it is preferred over cryptanalysis because itis easier than breaking complex encrypted messages [2]

It is also cheaper because traffic data can beautomatically collected and processed to provide a highdegree of intelligence [2]

It is used for military purposes [2] and by various

organizations to track unpleasant events over theinternet


7/36

Onion Routing

Onion routing is the themechanism in which thesender (initiator) and thereceiver (responder) nodescommunicate with each other

anonymously by means ofsome intermediate nodescalled as onion routers

It relies on public keycryptoraphy


8/36

Infrastructure for Onion Routing

Network Infrastructure

Proxy Interfaces


9/36

Steps in Onion Routing

Defining a route

Constructing an anonymous connection

Moving data through an anonymous connection

Destroying the anonymous connection


10/36

Example

Let onion routers 4, 3, and 5 be randomlyselected by the onion proxy


11/36

The proxy encrypts the

data with 5s public keyfollowed by 3 and then 4

Thus an onion is createdwhich looks like

E4pu (3s IP address,E3pu ((5s IP address,(E5pu (recipients IPaddress, data)))))


12/36

The proxy then sends the

onion to the first onion

router i.e. 4

Onion router 4 peels the

outer layer of the onion

using its private key

It forwards the onion to 3

which now looks like E3pu

((5s IP address, (E5pu(recipients IP address,

data))))


13/36

Onion router 3 peels

the outer layer of theonion using its privatekey

It forwards the onionto 5 which now lookslike (E5pu (recipientsIP address, data))


14/36

Onion router 5 now peels

the outer layer of the onionusing its private key

It finds plain data and the

destination address andforwards it to thedestination


15/36

Problems and solutions

The size of the onion reduces as it nears thedestination

Hence an attacker can infer details about thedestination

To avoid this onions are padded at each onion

router to maintain the size of the onion (Onionscan be padded to same or different sizes )


16/36

Every onion router has details of only its

previous and next hop

So even if an onion router has been

compromised the attacker can only get the

encrypted onion .He will not be able to decrypt

the onion without the private keys and hence will

not infer any valuable information from it


17/36

Suppose an attacker records data going onbetween routers and is able to compromise a

router at a later stage, to acquire private key anddecrypt data.

This can be avoided by using a session key

between communicating parties.

The session key is used to encrypt data and isvalid only for the duration of the communication.


18/36

Packet delivery is not ensured

If an onion router fails on the way then the

message will not reach the destination


19/36

It is susceptible to denial of service attacks. Thiscan be done by forcing onion routers to do alarge number of cryptographic operations by

many sending packets to it. Eventually the routersimply ends up doing cryptographic operationsand is not able to forward packets

This can be mitigated using client puzzles. Herethe onion proxy/router (i.e. the server) forces arequesting client to complete a puzzle before itallocates resources

But puzzle solving has an impact on the latency


20/36

Challenges in Wireless Networks

In a wireless medium there is node mobility andlack of infrastructure. There is no central pointgoverning the flow of traffic.

So nodes rely on intermediate nodes to relaytheir data. If intermediate nodes arecompromised then onion routing fails

Also packets are broadcast into the network.Thus traffic analysis becomes easier and maygo undetected


21/36

Lack of central management makes itsusceptible to active attacks

It takes longer to construct paths due to thedynamic nature of the environment.

Key distribution for encrypting traffic is achallenge.


22/36

Wireless Anonymous Routing

(WAR) It is based on onion routing and traffic mixing

Here the keys are distributed using a RadioGram

RadioGram object is like an onion which has layersof encryption around the data content

RadioGrams are broadcast into the network and the

intended nodes along the route to the destinationdecrypt a layer at a time


23/36

The structure of a radiogram is as follows:

[tid] {[sk] [MIC] [^]} {[sk] [MIC] [^]} . {[sk] [MIC] [^]}

[content] [padding]

The information contained within the curly braces { }

represent each layer of the onion

Transmitter IDi.e. tid: It uniquely defines a radiogram.

It is a RSA public key. It is used to encrypt the session

key. And the session key is then used to encrypt the

rest of the fields

Session key i.e. sk:It is a symmetric key encrypted by

the public key of the transmitter


24/36

MIC or Checksum: It is the pre-computed hashvalue of everything the onion skin wraps except thepadding

Control Signalsi.e. ^:It tells the receiver what has tobe done with the received message. It also tellsabout the type of message and the padding

Content:This is the actual data that is beingtransmitted and can be interpreted only by the finaldestination

Padding:This is used just to maintain the size of theonion

E l


25/36

Example [A.id] [B.sk] [B.MIC] [B.^] [C.sk] [C.MIC] [C.^] [content]

[padding]

A generates the content [content]. It then generates a random session key (16 byte) C.sk .

It sets the control signal C.^ appropriately i.e. type=MESSAGE and padding = k bits .

It prepends [C.^] to [ content]

It computes a 16 byte MIC over [C.sk] [C.^] [content] and callsit C.MIC.

It encrypts [C.MIC] [C.^] [content] under C.sk .

It encrypts C.sk using Cs public key and calls it C.sk .

It prepends [C.sk] to [C.MIC] [C.^] [content] .

Append any padding if reqired. It renames [C.sk] [C.MIC] [C.^] [content] to [content]

It repeats the above steps for (all other intermediate nodes) B.


26/36

When the nodes within the transmission range of A receive theRadiogram they perform the following steps:

They strip A.id and save it

They strip B.MIC and save it.

They strip the encrypted B.sk.

They try to decrypt B.sk to B.sk using their private key. (If it succeedsthen they are the intended recipient else they simply drop the packet.Only B is able to decrypt B.sk as it was encrypted with his public key.)

B assumes that the message is for him and now uses B.sk to decryptthe remainder of the message i.e. [B.MIC] [B.^] [content]

B checks B.^ to determine where the padding begins and the other

rules it is supposed to follow. B computes B.MIC over [B.sk] [B.^] [content].

It compares B.MIC to B.MIC. If they are equal B checks B.^ for furtherinformation. If they are unequal it implies that the packet has beenaltered and B drops it or logs it as required.

It then prepends his transmitter id and puts the packet which looks like

[B.id] [C.sk] [C.MIC] [C.^] [content] [padding] on the outgoing queue andbroadcasts it.

Again all the nodes in Bs range perform the above steps. But only C isable to decrypt the message and read it.

D b k f WAR


27/36

Drawbacks of WAR Key distribution is a problem

Time taken for a packet to be delivered to adestination is long because of RSA encryptionand decryption. This algorithm relies on publickey cryptography

The sender needs to know the topology of theentire network as there is no route discovery

It does not ensure packet delivery because if anintermediate node on the destination path failsthen the packet will never reach the destination


28/36

A node has to perform a certain number ofdecryptions just so that it can determine if it isthe intended node on the route to the destination

It is susceptible to DDOS attacks because anattacker can send keep broadcasting packetsand force the legitimate nodes on a route to do a

large number of decryptions. Thus a valid packetmay not be transmitted


29/36

Secure Distributed Anonymous

Routing Protocol (SDAR)

This protocol is also based on onion routing

It does not require the source node to know the

entire network topology unlike the previous WAR

protocol It is divided into three phases:

Path discovery

Path reverseData Forward


30/36

Path discovery: This allows the source node S to establish a

path up to the destination using intermediate

nodes.

The beauty of this phase is that none of theintermediate nodes can discover the identity of

any of the participating nodes except its

neighbors.

The source S creates apath discoverypacket

and broadcasts it.

Path reverse:


31/36

Path reverse:

When the receiver receives thepath discoverymessage it puts in the ids and session keys of all the

intermediate nodes into one message

It encrypts this message again and again with thesession keys of the intermediate nodes beginning fromthe last node. It then broadcasts the packet

Every node along the reverse path removes a layer ofencryption and broadcasts the packet

So when the source receives the message it has theids and keys of all the nodes on the path to thedestination. It uses these keys to encrypt the data andbroadcasts it


32/36

Data Transfer:

The source encrypts the data using the keys ofthe intermediate nodes and broadcasts it

Each node on the way decrypts a layer andforwards it

So when the message reaches the destinationall the encryption layers have been peeled offand the receiver is able to read the message

Drawbacks of the SDAR


33/36

Drawbacks of the SDAR

protocol:

There is no control over the route length sincethe path to the destination is a discoveryprocess. Hence it may take a really long time forthe actual data transfer to begin

If malicious nodes keep forwarding pathdiscovery packetamongst each other then it

may never reach the intended receiver


34/36

Advantages of the SDAR

protocol:

The source need not know the topology of the

entire network since path discovery is a dynamic

process


35/36


36/36

References: I] http://en.wikipedia.org/wiki/Traffic_analysis

II] http://www.more.net/technical/netserv/troubleshooting/trafficanalysis.html

III] http://tor.eff.org/overview.html.en

IV] http://en.wikipedia.org/wiki/Onion_routing

1] Mary Elisabeth Gaup Moe. Security Models for Anonymous Routing.Norwegian University ofScience and Technology.

2] George Danezis. Introducing traffic Analysis-Attacks, Defenses and public Policy Issues.Invited Talk.

3] Yih Chun Hu, Adrian Perrig. A Survey of Secure Wireless Ad Hoc Routing.University ofCalifornia- Berkeley, Carnegie Mellon University.

4] Adam Back, Ulf Moller, Anton Stiglic. Traffic Analysis Attacks and Trade-Offs in AnonymityProviding Systems.Zero-knowledge Systems Inc.

5] Marc O Morain, Vladislav Titov, Wendy Verbuggen. Onion Routing for AnonymousCommunication.

6] Michael G. Reed, Paul F. Syverson, David M. Goldschlag. Proxies for anonymous Routing.Naval Research Laboratory, Washington DC.

7] Nicholas A. Fraser, Richard A. Raines, Rusty O. Baldwin. Tor: An Anonymous RoutingNetwork for Covert On-line Operations.Air Force Institute of Technology, Wright Patterson AFB.

8] Michael E. Locasto, Clayton Chen, Ajay Nambi. WAR: Wireless Anonymous Routing.Department of Computer Science, Columbia University.

9] Liu Yang, Markus Jacobson, Susanne Wetzel. Discount Anonymous On Demand Routing for

Mobile Ad hoc Networks. 10] Azzedine Boukerche, Khalil El-Khatib, Li Xu, Larry Korba. SDAR: A Secure Distributed

Anonymous Routing Protocol.University of Ottawa.

11] Dehn Sy, Rex Chen, Lichun Bao. ODAR: On-Demand Anonymous Routing in Ad-HocNetworks. University of California.

12] Stefaan Seys, Bart Preneel. ARM: Anonymous Routing Protocol for Mobile Ad hocNetworks. Department of Electrical Engineering-ESAT, SCD/COSIC
http://en.wikipedia.org/wiki/Traffic_analysishttp://en.wikipedia.org/wiki/Traffic_analysishttp://www.more.net/technical/netserv/troubleshooting/trafficanalysis.htmlhttp://tor.eff.org/overview.html.enhttp://en.wikipedia.org/wiki/Onion_routinghttp://en.wikipedia.org/wiki/Onion_routinghttp://tor.eff.org/overview.html.enhttp://www.more.net/technical/netserv/troubleshooting/trafficanalysis.htmlhttp://en.wikipedia.org/wiki/Traffic_analysis

Documents

Onion Routingppt226