
[freehaven-cvs] partial draft of notes for wpes04 talk



Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Added Files:
	slides-notes 
Log Message:
partial draft of notes for wpes04 talk
checkpointing before I sleep, will rearrange more tomorrow
feel free to fix them up too, or add items we should be sure
to say.


--- NEW FILE: slides-notes ---
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Overview
 - The problem we're trying to solve.
 - Background: anonymity systems
 - Background: Internet routing
 - Some things we learned
 - Questions we still need to answer

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

The big picture

Alice wants to transact with Bob on the Internet (fetch a web page,
send an email) without letting anybody link them together.

Alice wants to be safe from somebody watching her or somebody watching
Bob.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

A trusted proxy isn't good enough

<picture of single-hop proxy>

These proxies are trust and performance bottlenecks.
Add a constraint: want to be safe from a compromised middle node too.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

So: distributed trust

<picture of network of nodes>

By using multiple hops, no single node can link Alice to Bob.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Tor and Mixmaster

Two widely deployed anonymity networks (thousands of users each).

Tor is for TCP streams (low-latency).

Mixmaster is for email (high-latency).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Two major attack classes

Follow-the-transaction attack: try to learn each hop of a
transaction and follow it from beginning to end.

Endpoint attack: use statistics to match a transaction coming into the
network to a transaction leaving the network.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Three major defense classes

Batching and pooling: delay messages to get a large batch, and mix them
together to hinder the adversary from linking Alice's message to Alice.

Padding: senders provide decoy traffic as well as normal traffic.

Dispersal: reduce the chance that the adversary sees enough of the
network to complete his attack.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Dispersal approaches

Grow the network so a given adversary sees less.

Arrange the topology so messages can enter or exit at many
places (e.g. cascade vs free route).

Location arbitrage: spread each transaction over multiple jurisdictions.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Many different families of locations

Areas controlled by a single country, state, company, ...

We focus here on the family of locations that are ISPs. More
correctly, \emph{autonomous systems} (ASes).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

The key insight is that while we typically think of a connection as going
from Alice to Node1, actually it traverses many different ASes for that
single hop.

This is how BGP works in a slide.

Used Oregon RouteViews Project data -- Mao says our passive AS-level
path estimation technique will probably be >80% right.

Location independence metric: what is the chance that some AS is on both
the path from Alice to the mix-net, and also the path from the mix-net
to Bob?

Looking at the IP prefix is not the same as looking at the AS. In practice,
we see several cases of same-AS nodes with different prefixes -- many of
those are even in different class A prefixes.

Attacks inside the network:
 - to follow a transaction
 - to weaken the defenses Tor gets from using 3 hops.

Sufficient to look at endpoints of the network.
Endpoints can be first and last node, but they can also be Alice and Bob.

We picked some reasonable sounding Alices and Bobs, mostly in the US.

Top two AS-level between-node observers in the US, to both Tor and
Mixmaster: Level 3 and Abovenet
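Added example (not from the talk or the paper's own tooling) showing the location independence metric defined above and the "prefix is not AS" point, plus the per-AS observer count behind the "top observers" slide. The prefix table, AS numbers and AS-level paths are all constructed stand-ins for RouteViews-derived data.

```python
import ipaddress
from collections import Counter
from itertools import permutations

# Constructed prefix -> origin-AS table (stand-in for RouteViews data; every
# prefix and AS number is made up). Two prefixes map to AS 64510, and a
# more-specific /16 inside 10/8 is announced by a different AS than the /8.
PREFIX_TO_AS = {
    "10.0.0.0/8": 64501, "10.200.0.0/16": 64502,
    "192.0.2.0/24": 64510, "172.16.0.0/12": 64510,
    "198.51.100.0/24": 64511, "203.0.113.0/24": 64520,
}
# Constructed AS-level paths (src AS, dst AS) -> path, standing in for the
# passive path estimates the talk derives from BGP routing data.
AS_PATHS = {
    (64501, 64510): [64501, 65001, 64510],
    (64501, 64511): [64501, 65001, 65002, 64511],
    (64510, 64520): [64510, 65002, 64520],
    (64511, 64520): [64511, 65003, 64520],
}

def origin_as(ip):
    """Longest-prefix match: the covering prefix decides the AS, not the /8."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_AS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def shared_observers(alice_ip, entry_ip, exit_ip, bob_ip):
    """ASes on both the Alice->entry path and the exit->Bob path; each of
    them sees both ends of the transaction (KeyError if a path is unknown)."""
    into = AS_PATHS[(origin_as(alice_ip), origin_as(entry_ip))]
    out_of = AS_PATHS[(origin_as(exit_ip), origin_as(bob_ip))]
    return set(into) & set(out_of)

def location_independence(alice_ip, bob_ip, node_ips):
    """Fraction of ordered (entry, exit) node pairs with no shared AS, and
    how often each AS is a shared observer across those pairs."""
    pairs = list(permutations(node_ips, 2))
    observers, safe = Counter(), 0
    for entry, exit_ in pairs:
        shared = shared_observers(alice_ip, entry, exit_, bob_ip)
        observers.update(shared)
        if not shared:
            safe += 1
    return safe / len(pairs), observers

if __name__ == "__main__":
    nodes = ["192.0.2.10", "198.51.100.10", "172.16.5.5"]  # last two share AS 64510
    print(location_independence("10.1.2.3", "203.0.113.7", nodes))
```

Note that the pair of nodes in the same AS but different prefixes (192.0.2.10 and 172.16.5.5) is flagged as unsafe whichever is entry or exit, which a prefix-only comparison would miss.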

Best node placement for protection against the AS-level adversary is in
ASes that have the most links to other ASes: tier-1 ISPs.

Future work:
- Do this analysis for different location metrics, such as countries.
- Consider Alices and Bobs outside the country.
- Caching at exit nodes (when feasible) changes the equation.
- Do we *hurt* anonymity by restricting path choices, against larger
  adversaries who can take advantage of knowing our algorithm?
- How to get routing info to Alice in a practical way?
- Akamai? Different routing; also dangerous observer.
- How sensitive is this metric to adding or subtracting a few nodes?
- What about repeated web fetches, using different entry and exit points
  each time -- how quickly does Alice's location independence degrade?
- Others?

