Anonymous Communication on Internet

S.M.Udara Rusiri Siyasinghe2005/CS/130

smudararusiri@yahoo.com

Supervisor: Dr.Chamath Keppetiyagama

June 22, 2008

Abstract

In the modern economic world purchasing products from online stores israpidly increasing. At the same time cyber criminals who steal personalinformation and tracking online activities are also increasing. Hence peopleneed to be more careful when exposing or giving out any personal infor-mation about them. On the other hand people may prefer to send privatemessages or emails in a way that, the sender and the receiver cannot bedetected by an external observer. Therefore a reliable anonymous com-munication system on Internet is very crucial. In this literature I’ll discussabout some of the available Anonymous Communication systems which, cer-tain systems may good for real time practical applications while others maynot within acceptable limits.

Contents

1 Introduction 11.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Overview 2

3 Web Proxies 4

4 MIX Based System 6

5 Onion Routing 9

6 Crowds 11

7 Evaluation 13

8 Conclusion 15

ii

List of Figures

3.1 Functionality of a Single-Hop Proxy . . . . . . . . . . . . . . 5

4.1 Functionality of a Mix . . . . . . . . . . . . . . . . . . . . . . 7

5.1 Onion Routing Network . . . . . . . . . . . . . . . . . . . . . 10

6.1 Paths in a Crowd . . . . . . . . . . . . . . . . . . . . . . . . . 12

7.1 Level of Anonymity . . . . . . . . . . . . . . . . . . . . . . . . 13

iii

Acknowledgments

I’m pleased to thank Dr. Chamath Keppetiyagama for the guidance hegave me as the supervisor and very helpful discussions. Also I would likethank Dr. H.L.Premarathna, the coordinator of this course module for giv-ing us the useful tips and sample latex codes. And Mr. Malik Silva forconducting latex sessions for us to improve our knowledge. Finally I like tothank every one who have supported me to make this survey a success.

iv

Chapter 1

Introduction

With the growth of the internet, business organizations have identified thegreater potential in online businesses. As a result of that many companieshave their own online stores and number of people who purchase goods viathe internet are increased. With this growth cyber criminals who steal per-sonal information and tracking online activities are also increasing. Hencepeople need to be more careful when exposing or giving out any personalinformation about them. The most important thing is internet users arelooking for privacy even in the unsafe internet. Therefore a reliable anony-mous communication system on internet is really important.

Anonymous communication means communicating without revealing theidentity to each other or to an outside observer. Here, the communica-tion maybe carried out over the general Telephone networks or the MobilePhone networks or the Internet. Many researchers have proposed solutionsfor achieving Anonymous communication over these types of communicationmethods. These solutions can be found in the literature as well as in theWorld Wide Web. For example, ISDN Mixes[1] can be used to take Anony-mous telephone calls. But Local telephone exchange should implement thesystem. In this literature I’m focusing on Anonymous communication onInternet.

1.1 Outline

The rest of the report is organized in the following way: Chapter 2 presentsan overview about the anonymous communication. Chapter 3 describes theWeb Proxies. Chapter 4 describes the Mix[2] based system. Chapter 5describes the architecture Onion Routing[3] which is based on the virtualcircuits. Chapter 6 describes the Crowds[4] anonymous system. Chapter 7presents the Evaluation and Chapter 8 presents some concluding remarks.

1

Chapter 2

Overview

In the context of anonymous communication we first need to understandwhat is meant by ”Anonymity” and ”Unobservability”. The anonymity is”the state of being unidentified within a set of communicating parties”. Forexample, someone needs to send an email to a lawful authority in such away that, the receiving authority shouldn’t be able to find out who sent themail. This unidentifiability is called Anonymity. There are three levels ofanonymity,

1. Sender Anonymity.

2. Receiver Anonymity.

3. Sender and Receiver Anonymity(Unlinkability).

Unobservability(which is stronger than anonymity) means that exchangeof a message cannot be detected by an outside observer. For example, whentwo people are chatting over the internet an outside observer shouldn’t beable to figure out whether they are chatting or not. This difficulty of detec-tion is called unobservability. There are two unobservability levels,

1. Sender (or Recipient) Unobservability.

2. Relationship Unobservability.

If a person needs a perfect anonymous communication system he shouldgo for a system which provides both anonymity and unobservability prop-erties. But with practical considerations it will be really difficult find aperfect solution. Researchers have proposed many solutions for anonymouscommunication with various approaches. For ease I’ll divide them in to threecategories.

1. Web Proxies.

2

2. MIX Based Systems.

3. Other Anonymous Communication Systems.

For the category type 3, I’ll talk about Onion Routing[3] and Crowds[4]anonymous communication Systems.

3

Chapter 3

Web Proxies

Many internet users are now looking for services which provide anonymousbrowsing on the web. Currently there can be found a number of differentservices which claim to provide anonymous browsing. Some of them arefree services and some are paid, with more or fewer features. Among thesesystems simplest anonymizing system will be Proxy browsing since no addi-tional softwares need to download and fewer configurations.

In this approach an additional ”trusted third party” which is a proxyis introduced between the sender and receiver in a way that, user’s all webrequests are redirected to the proxy. So the proxy will made the request fromthe web server on behalf of the user. Hence the sender’s identity is hiddenfrom the receiver. Following is a list of available proxies which providesanonymous web browsing,

• Anonymizer - http://www.anonymizer.com

• the-Cloak - http://www.the-cloak.com

• Proxify.com - http://www.proxify.com

• Proxy.org - http://www.proxy.org

Figure 3.1 shows the operation of a web proxy and Let’s see how can weachieve sender anonymity from the receiver using a single-hop proxy.

1. The user(Web browser) issues an HTTP request for the URL(www.news.lk)from the proxy server.

2. The proxy server immediately issues an HTTP request to the Webserver for this URL. Now the HTTP request appears to be originatedat the proxy server and not at the user’s computer.

3. The web server replies with sending an HTML document to the Proxy.

4

Figure 3.1: Functionality of a Single-Hop Proxy

4. The proxy will first rewrite all the links in that document so that theywill point back to the proxy instead of the web server. Finally it sendsthe document back to the user with all links rewritten.

Lets see what is happing in the link rewriting(See [5] for more informa-tion). As an example, I’ll consider the free service of the anonymizer.com.A link to http://www.news.lk/BreakingNews will rewritten to,http://anon.free.anonymizer.com/http://www.news.lk/BreakingNews.

Apart from hiding the user’s IP address from the web server proxies pro-vide some extra functionalities. Some of these are,Filtering cookies, Filtering or rewriting JavaScripts, Filtering advertisementsand banners and Faking the HTTP user agent field in the HTTP header(user’s OS and browser information will not reveal.)

Proxies only provide Sender anonymity from the receiver if the proxyitself remains uncompromised. But a Caching Proxy[5] (extension of a webproxy) will be able to provide sender and receiver unlikability property. Inmost of the free proxies the connection between the user and the proxyis not encrypted. Hence an attacker may be able analyze the web traffic.Therefore when you are using a web proxy for anonymous web browsing, becareful whether it provides a encrypted connection or not.

5

Chapter 4

MIX Based System

One of the common vulnerabilities in the proxy browsing was traffic anal-ysis attack. But there exist a system called Mix[2] which is not vulnerable tothis attack. The concept of a Mix was first introduced by David Chaum in1981. A MIX is simply a computer connected via the internet which actuallyis an enhanced proxy. A Mix is empowered to use public key cryptographyto achieve anonymity properties. In order to connect to a Mix the user mustuse another proxy so that all the communications with the Mix is carriedout by this proxy. For example, Key exchanges, message encryption anddecryption are done by the proxy deployed in the user’s computer.

Mixes hide the sender’s identity from the receiver by cryptographicallyaltering the messages being exchanged. At the same time Mixes buffer theincoming data and divide them in to equal sized chunks. When the sender orthe receiver is idle the Mix sends the dummy traffic which is also same sizedchunks. As a result of these techniques an out side observer cannot determinewho is communicating with whom and when they are communicating.

6

Figure 4.1: Functionality of a Mix

Figure 4.1 illustrates the functionality of a Mix node and how can weachieve sender and receiver anonymity. Notations used in Figure 4.1,

KMS - Public Key of the Mix Node.KR - Public Key of the Receiver.AdrsR - Address of the Receiver.Msg - Message to be sent.

When the sender needs to send an anonymous message, first he shouldencrypt the message with receiver’s public key KR(Msg). Then the resul-tant message should be encrypted along with the Address of the receiverusing Mix node’s public key KMS [KR(Msg), AdrsR]. When the encryptedmessage arrived at the Mix node, first it will decrypt the message usingit’s private key. Then it can find out the address of the recipient alongwith the encrypted message. After, the Mix will send the message to therecipient KR(Msg) with or without encrypting it because it is already en-crypted. Finally when the message received by the recipient’s proxy it willdecrypt the message using it’s private key. At last sender has sent a mes-sage anonymously to the receiver so that recipient or an out side observercannot determine who send the message and because of the dummy traffican adversary cannot determine when they are communicating.

7

The use of Mixes in anonymous communication is really important whendesigning an anonymous e-mail system because, using Mixes and publickey cryptography we can generate an untraceable return address so thatrecipient can sends back a response without the real address of the sender.Usually Mixes are used in a sequence called Mix cascade. Therefore evenif all the Mixes are compromised except one, that uncompromised Mix isenough to provide anonymous communication properties. Because of theserobust properties in Mixes most of the anonymous communication systemsare extensions of Mix-nets. For example Web Mixes[6] is an extension of theMixes and it can be used for anonymous web browsing.

8

Chapter 5

Onion Routing

Unlike previously discussed systems, the Onion Routing is a distributedanonymous communication system which is resistant to traffic analysis at-tack. It is designed to anonymize TCP based applications like web brows-ing(HTTP), Secure Shell(SSH), FTP and SMTP. The architecture providesanonymous socket connections via proxy servers like in MIX-nets.

In this approach Initiator’s proxy selects a path through the network to theResponder’s proxy and builds a virtual circuit using layered objects called”Onions”(Hence the name Onion Routing). The Onion is a data packetwhich is encrypted using a sequence of Keys which are the session key andthe public key of each Routing Node along that path. Each layer of a Onioncontains session keys and the address of the next node in the virtual circuit.Since the circuit is built upon several servers and this layered encryption,each Routing Node knows its previous and next nodes and no other nodesin that virtual circuit. Onions which, flow down the circuit are fixed-sizecells, which are unwrapped by the session key at each node(like peeling offthe layers of an onion). When the circuit is broken these session keys aredestroyed.

Figure 5.1 illustrates an established Virtual Circuit in an Onion Rout-ing network with five nodes. Among these Nodes, Node A and Node Fare Proxy/Routing nodes and others(B,C,D and E) are Routing Nodes(alsocalled Onion Routers.) Node A is the Initiator’s proxy and it has been es-tablished a circuit to the Node F which is the Responder’s proxy by firstencrypting the Onion for the Node F and then for the preceding Nodes B,C and D. All the connections between Routing nodes and Routing/Proxynodes are link encrypted connections. Therefore it is really difficult to usetraffic analysis attack to determine who is communicating with whom.

9

Figure 5.1: Onion Routing Network

Onion Routing can be used to provide real time, bidirectional, anonymouscommunication for TCP based applications which can be configured to useproxy services. Onion Routing is really useful in anonymous e-mail systems.Because a Reply Onion can be included with a messages so that it allows alater reply to the sender without knowing his real address and even whenthe original virtual circuit was broken.

10

Chapter 6

Crowds

In this section I’ll talk about another system which is totally differentin the operation than previously discussed systems. The approach is basedon the concept of being in a ”Crowd” (hence the name). It operates byforming a large group of users whose locations may even be geographicallydifferent(for better anonymity it must be). These users in the group col-lectively issues requests on behalf of each other so that one user’s actionsare hidden within many other users’ actions. The users issue web requeststo different web servers and receive replies from them. Hence the users arethe ”Senders” and web servers are the ”Receivers”. The Crowds basicallyprovides sender’s anonymity from the receivers and attackers.

In order to use the system for web browsing, a user must first join toa crowd of many users. A user is represented in the crowd by a specialproxy running on the user’s computer called a ”Jondo”. When the userstarts the Jondo on his computer it contacts a special server called the”Blender”(which manages the crowds membership) to request the permis-sion to enter the crowd. If permission granted, the Blender replies with allthe necessary information that would enables this Jondo to join the crowd.

The user’s Jondo acts as a simple proxy between the browser and the webserver which will remove identity information from the HTTP header beforesending the request to another Jondo. All the communications between theJondos are encrypted using a shared key called ”path key” which is createdby the Jondo who initiate the path. And this key is shared among all theJondos on a path. Therefore an outside observer won’t be able to find outthe content of a web request or reply, and the identity of the sender. But itis obvious that an attacker who has the control of his own Jondo can decryptthe content. But he also won’t be able to figure out who is the initiator ofthe request.

11

Figure 6.1: Paths in a Crowd

Figure 6.1 illustrates the paths that will be established when the users’requests are sent to web servers. On the other hand server replies will sendback along this path on the reverse order.

When a user request a document from a web server the request is firstsent to a randomly chosen member(Jondo) in the crowd. That member mayeither submit the request directly to the end server or forward it to anotherrandomly chosen member. When the web request is ultimately submittedto the web server, it is submitted by a random member. Therefore the webserver cannot identify the real initiator of the web request because it seemsto be originated from any member in the crowd. Apart from that even afellow crowd member cannot identify the true initiator of a request becausehis predecessor may be just forwarding the request on behalf of another.

12

Chapter 7

Evaluation

Identity theft is becoming a major problem in the internet. Thereforeinternet users must be well aware and be prepared to defend them selvesagainst it. There are may different solutions which claim to provide anonymityin the internet. But their usability is questionable because some systemseven do not have a implementation. A particular system may be good atone specific use while it will not suitable as a general solution. But somesystems can be used as a general purpose anonymizing system with lessprotection but within acceptable limits.

Figure 7.1: Level of Anonymity

Figure 7.1 present the level of anonymity provided by each system thatI have discussed earlier. According to the table Mix nets and Onion Rout-ing provides better anonymity level than Crowds and Proxies does. Onthe other hand Mix-nets and Onion Routing consumes a lot of bandwidthfor generating cover traffic and increase the CPU work load by number ofencryptions and decryptions. A user must therefore find the right balancebetween the usability and the level of security provided by a system.

Among the solutions which can be found in the literature, some of themeven don’t have a proper usable implementation. The designer deploys aprototype and he keeps it running for quite some time and suddenly the

13

system is no longer available. And in some cases the system can be usedbut attackers have found vulnerabilities and no design updates or new ver-sions are coming. Therefore the system cannot be trusted anymore. Sometimes commercial systems are the only available anonymity systems. Sothe internet users have a problem of finding a usable, reliable and availablesolution.

In my point of view instead of developing more and more new systems, anexisting reliable, usable system should improve, deploy and further supportit. As I believe, the Tor network[7] would be the right candidate because itis the Successor of Onion Routing, and it can be used with any applicationwhich can we configured to use a proxy service, And it is a community basedsystem(like Crowds) so when the number of users are increasing the level ofsecurity will also be increased.

14

Chapter 8

Conclusion

There are some systems whose level of security provided is quite remark-able. As a result of that even the Lawful authorities are unable to figureout the origin of some illegal activities. For example, some people have usedthese systems to send e-mails which contain child pornography and the au-thorities were unable to track who send these e-mails. In the worst casescenario thieves, smugglers and terrorists will use these systems to carryout their dirty work. In a system like caching proxy[5], the legality is yetto be determined because the system stores the copyrighted contents otherthan in the original location. Like in the many scientific innovations, thesesystems also have negative outcomes as well as positive outcomes.

References

[1] Michael Waidner, Andreas Pitzmann and Birgit Pitzmann. Isdn-mixes:Untraceable communication with very small bandwidth overhead. 7thIFIP International Conference on Information Security (IFIP/Sec ’91),1991. Elsevier, Amsterdam.

[2] David Chaum. Untraceable electronic mail, return addresses,and digitalpseudonyms. Communications of the ACM, 4(2):84–88, February 1981.

[3] Paul F. Syverson, David M. Goldschlag and Michael G. Reed. Hidingrouting information. International Workshop on Information Hiding,May 1996. Cambridge, UK.

[4] Michael Reiter and Aviel Rubin. Crowds: Anonymity for web transac-tions. International Workshop on Information Hiding, 1(1):66–92, 1998.Cambridge, UK.

[5] Anna M. Shubina and Sean W. Smith. Using caching for browsinganonymity. ACM SIGecom Exchanges, 4(2), September 2003.

[6] Hannes Federrath, Oliver Berthold and Stefan Kopsell. Web mixes: Asystem for anonymous and unobservable internet access. Workshop onDesign Issues in Anonymity and Unobservability, 2001. Springer-Verlag,Heidelberg.

[7] Paul Syverson, Roger Dingledine and Nick Mathewson. Tor: The second-generation onion router. Technical report, Tor Documentation.

16