CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 19 PHILLIPA GILL - STONY BROOK U.



WHERE WE ARE

Last time:

• Mitigating timing attacks (Astoria)

Today:

• Finish up mitigating timing attacks (LASTor)

• Other approaches to anonymity systems:

• Dissent

• Aqua

Administrivia:

• Mark update on Piazza.

THE DISSENT PROJECT

Goal: rethink the foundations of anonymity

Offer quantifiable and measurable anonymity

Build on primitives offering provable security

Don't just patch specific vulnerabilities, but rearchitect to address whole attack classes

http://dedis.cs.yale.edu/dissent/

Not a drop-in replacement for onion routing, but offers some systematic defense against all 5 classes of vulnerabilities

• ACKs: http://dedis.cs.yale.edu/dissent/pres/131024-austin.pdf


DINING CRYPTOGRAPHERS (DC-NETS)

• 3 cryptographers eating dinner and the waiter informs them that the meal has been paid by someone

• Cryptographers want to know if it was one of them or the NSA

• They respect each other's right to make an anonymous payment …

• … but want to know if the NSA paid

• Solution: 2 stage protocol

1. Each pair of cryptographers exchanges a secret (e.g., flip a coin behind a menu)

2. Announce a bit; XOR of bits shared with neighbors (if they did not pay) or the opposite of this (if they did pay)

EXAMPLE OF DINING CRYPTOGRAPHERS

• ACKs: http://dedis.cs.yale.edu/dissent/pres/131024-austin.pdf
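The two-stage protocol above as a runnable sketch (an added example, not taken from the lecture or from the Dissent code base). It generalizes the three-cryptographer table to a ring of n participants; the function names `run_round`, `someone_at_table_paid` and `consistent_payers` are made up for this illustration.

```python
import itertools
import secrets

def run_round(n, payers, coins=None):
    """One DC-net round on a ring; coins[i] is shared by i and (i + 1) % n.
    payers is the set of participants who paid (empty if the NSA paid)."""
    if coins is None:
        coins = [secrets.randbits(1) for _ in range(n)]  # stage 1
    announcements = []
    for i in range(n):
        bit = coins[i] ^ coins[(i - 1) % n]   # stage 2: XOR of shared bits
        if i in payers:
            bit ^= 1                          # a payer announces the opposite
        announcements.append(bit)
    return coins, announcements

def someone_at_table_paid(announcements):
    # Each coin enters exactly two announcements and cancels out, so the
    # XOR of all announcements is 1 only when one participant flipped.
    result = 0
    for bit in announcements:
        result ^= bit
    return result == 1

def consistent_payers(n, observer, coins, announcements):
    """Payers an honest observer cannot rule out, given only the two coins
    the observer shares and the public announcements."""
    known = {observer: coins[observer],
             (observer - 1) % n: coins[(observer - 1) % n]}
    unknown = [i for i in range(n) if i not in known]
    candidates = set()
    for guess in itertools.product((0, 1), repeat=len(unknown)):
        trial = {**known, **dict(zip(unknown, guess))}
        trial_coins = [trial[i] for i in range(n)]
        for p in range(n):
            if p != observer and run_round(n, {p}, trial_coins)[1] == announcements:
                candidates.add(p)
    return candidates

if __name__ == "__main__":
    coins, ann = run_round(3, {1})
    print(ann, someone_at_table_paid(ann), consistent_payers(3, 0, coins, ann))
    _, ann = run_round(3, set())
    print(ann, someone_at_table_paid(ann))
    # Two payers cancel each other: the round cannot tell this from "NSA paid".
    _, ann = run_round(3, {0, 1})
    print(ann, someone_at_table_paid(ann))
```

`consistent_payers` shows the anonymity property: a non-paying cryptographer learns that someone at the table paid, but every other participant remains an equally valid explanation of the announcements.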


TOWARDS EFFICIENT TRAFFIC-ANALYSIS RESISTANT ANONYMITY NETWORKS

Stevens Le Blond, David Choffnes, Wenxuan Zhou, Peter Druschel, Hitesh Ballani, Paul Francis

THE PROBLEM OF IP ANONYMITY

Snowden wants to communicate with Greenwald without Alexander finding out

[Figure labels: Ed’s IP, Glenn’s IP; Client, Server]

VPN proxy

Proxies are a single point of attack (rogue admin, break-in, legal, etc.)

Onion routing (Tor)

Onion routing doesn’t resist traffic analysis (well known)

[Figure labels: Proxy; Traffic analysis]

OUTLINE

1) Overview

2) Design

3) Evaluation

4) Ongoing work


ANONYMOUS QUANTA (AQUA)

k-anonymity: Indistinguishable among k clients

BitTorrent

• Appropriate latency and bandwidth

• Many concurrent and correlated flows

Threat model

Global passive (traffic analysis) attack

Active attack

Edge mixes aren’t compromised

Padding


Constant rate (strawman)

Defeats traffic analysis, but overhead proportional to peak link payload rate on fully connected network

OUTLINE

1) Overview

2) Design

• Padding at the core

• Padding at the edges

• Bitwise unlinkability

• Receiver’s anonymity (active attacks)

3) Evaluation

4) Ongoing work


Multipath

Multipath reduces the peak link payload rate

Padding

VARIABLE UNIFORM RATE


Reduces overhead by adapting to changes in aggregate payload traffic

OUTLINE

1) Overview

2) Design

• Padding at the core

• Padding at the edges

• Bitwise unlinkability

• Receiver’s anonymity (active attacks)

3) Evaluation

4) Ongoing work


K-ANONYMITY SETS (KSETS)

[Figure labels: Send kset; Recv kset]

Provide k-anonymity by ensuring correlated rate changes on at least k client links

Padding

FORMING EFFICIENT KSETS

[Figure: peers’ rates (peers 1, 2, 3) over epochs 1, 2, 3]

Are there temporal and spatial correlations among BitTorrent flows?
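A toy model of why correlated flows make ksets cheaper than the constant-rate strawman (an added example, not Aqua's kset-formation algorithm and not code from the paper). The peer rates are constructed, the greedy grouping rule in `form_ksets` is an assumption made for illustration, and throttling is not modeled.

```python
# Constructed sample: payload rate (KB/s) of six peers over three epochs.
PEER_RATES = [
    (100, 20, 0), (95, 25, 0),    # peers 0,1 are active together
    (10, 90, 15), (12, 85, 10),   # peers 2,3 are active together
    (0, 0, 80), (0, 5, 75),       # peers 4,5 are active together
]

def constant_rate_padding(rates):
    # Strawman: every link always carries the peak payload rate.
    peak = max(max(r) for r in rates)
    return sum(peak - x for r in rates for x in r)

def form_ksets(rates, k):
    """Greedy grouping of peers with similar rate vectors (assumed rule)."""
    def dist(a, b):
        return sum(abs(x - y) for x, y in zip(rates[a], rates[b]))
    free, ksets = list(range(len(rates))), []
    while len(free) >= k:
        seed = free.pop(0)
        mates = sorted(free, key=lambda p: dist(seed, p))[:k - 1]
        free = [p for p in free if p not in mates]
        ksets.append([seed] + mates)
    if free and ksets:
        ksets[-1].extend(free)     # leftovers join a kset, never a smaller one
    elif free:
        ksets.append(free)         # fewer than k peers in total
    return ksets

def kset_padding(rates, k):
    # All links in a kset change rate together: each epoch the whole set
    # sends at its largest member's payload rate, so no one is throttled.
    total = 0
    for kset in form_ksets(rates, k):
        for epoch in range(len(rates[0])):
            rate = max(rates[p][epoch] for p in kset)
            total += sum(rate - rates[p][epoch] for p in kset)
    return total

if __name__ == "__main__":
    print("constant rate:", constant_rate_padding(PEER_RATES))
    for k in (2, 3, 6):
        print(f"k={k}:", form_ksets(PEER_RATES, k), kset_padding(PEER_RATES, k))
```

Padding grows with k because larger sets must include peers whose activity is less correlated, which is the anonymity versus overhead trade-off the kset design works with.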

OUTLINE

1) Overview

2) Design

• Padding at the core

• Padding at the edges

• Bitwise unlinkability

• Receiver’s anonymity (active attacks)

3) Evaluation

4) Ongoing work


METHODOLOGY: TRACE DRIVEN SIMULATIONS

Month-long BitTorrent trace with 100,000 users

• 20 million flow samples per day

• 200 million traceroute measurements

Models of anonymity systems

• Constant-rate: Onion routing v2

• Broadcast: P5, DC-Nets

• P2P: Tarzan

• Aqua

OVERHEAD @ EDGES

[Figure: overhead by model]

Much better bandwidth efficiency

THROTTLING @ EDGES

[Figure: throttling by model]

Efficiently leverages correlations in BitTorrent flows

OUTLINE

1) Overview

2) Design

3) Evaluation

4) Ongoing work

ONGOING WORK


Prototype implementation

Aqua for VoIP traffic

• “tiny-latency” (RTT <330ms)

Intersection attacks

Workload independence

TAKE HOME MESSAGES

Efficient traffic-analysis resistance by exploiting existing correlations in BitTorrent traffic

At core:

• Multipath reduces peak payload rate

• Variable uniform rate adapts to changes in aggregate payload traffic

At edges, ksets:

• Provide k-anonymity by sync rate on k client links

• Leverage temporal and spatial correlations of BitTorrent flows

HANDS ON ACTIVITY

(Try at home)

Dissent source code is publicly available:

https://github.com/DeDiS/Dissent

Try downloading/installing/running the system
