Anonymous Communication
1 Digitally signed by Dr.
Dr. Nirmalya Nirmalya Kar
Kar Date: 2024.04.01
11:04:26 +05'30'
Privacy on Public Networks
} Internet is designed as a public network
} Machines on your LAN may see your traffic, network routers
see all traffic that passes through them
} Routing information is public
} IP packet headers identify source and destination
} Even a passive observer can easily figure out who is talking to
whom
} Encryption does not hide identities
} Encryption hides payload, but not routing information
} Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP
addresses of IPSec gateways
2
� Applications of Anonymity (I)
} Privacy
} Hide online transactions, Web browsing, etc. from intrusive
governments, marketers and archivists
} Untraceable electronic mail
} Corporate whistle-blowers
} Political dissidents
} Socially sensitive communications (online AA meeting)
} Confidential business negotiations
} Law enforcement and intelligence
} Sting operations and honeypots
} Secret communications on a public network
Applications of Anonymity (II)
} Digital cash
} Electronic currency with properties of paper money (online
purchases unlinkable to buyer’s identity)
} Anonymous electronic voting
} Censorship-resistant publishing
4
� What is Anonymity?
} Anonymity is the state of being not identifiable within a set
of subjects
} You cannot be anonymous by yourself!
} Hide your activities among others’ similar activities
} Unlinkability of action and identity
} For example, sender and his email are no more related after
observing communication than they were before
} Unobservability (hard to achieve)
} Any item of interest (message, event, action) is indistinguishable
from any other item of interest
Attacks on Anonymity
} Passive traffic analysis
} Infer from network traffic who is talking to whom
} To hide your traffic, must carry other people’s traffic!
} Active traffic analysis
} Inject packets or put a timing signature on packet flow
} Compromise of network nodes
} Attacker may compromise some routers
} It is not obvious which nodes have been compromised
} Attacker may be passively logging traffic
} Better not to trust any individual router
} Assume that some fraction of routers is good, don’t know which
6
� Outline
} Protocols for anonymous communication
} High-latency
} Chaum Mixes as a building block, onion routing
} Low-latency
} Optimized Onion Routing and Tor
} Dining Cryptographers
Chaum’s Mix
} Early proposal for anonymous email
} David Chaum. “Untraceable electronic mail, return addresses,
and digital pseudonyms”. Communications of the ACM,
February 1981.
Before spam, people thought
anonymous email was a good idea J
} Public key crypto + trusted re-mailer (Mix)
} Untrusted communication medium
} Public keys used as persistent pseudonyms
} Modern anonymity systems use Mix as the basic building
block
8
� Basic Mix Design
B
{r1,{r0,M}pk(B),B}pk(mix)
{r0,M}pk(B),B
A
{r5,M’’}pk(B),B
C E
{r2,{r3,M’}pk(E),E}pk(mix)
{r3,M’}pk(E),E
D
Mix Adversary knows all senders and
{r4,{r5,M’’}pk(B),B}pk(mix) all receivers, but cannot link a sent
message with a received message
Anonymous Return Addresses
M includes {K1,A}pk(mix), K2 where K2 is a fresh public key
{r1,{r0,M}pk(B),B}pk(mix)
{r0,M}pk(B),B
B
MIX
A,{{r2,M’}K2}K1 {K1,A}pk(mix), {r2,M’}K2
Response MIX
Secrecy without authentication
(good for an online confession service J)
10
� Mix Cascade
} Messages are sent through a sequence of mixes
} Can also form an arbitrary network of mixes (“mixnet”)
} Some of the mixes may be controlled by attacker, but even a
single good mix guarantees anonymity
} Pad and buffer traffic to foil correlation attacks
11
Idea: Randomized Routing
} Hide message source by routing it randomly
} Popular technique: Crowds, Freenet, Onion routing
} Routers don’t know for sure if the apparent source of a
message is the true sender or another router
12
� Onion Routing [Reed, Syverson, Goldschlag ’97]
R R4 R
R
R3 R
R1
R2 R
Alice
R Bob
} Sender chooses a random sequence of routers
} Some routers are honest, some controlled by attacker
} Sender controls the length of the path
13
Route Establishment
Alice R2 R4
R3 Bob
R1
{M}pk(B)
{B,{ }} pk(R4)
{R3 ,{ {R4, } } pk(R3) } }}pk(R2)
{R2 ,{ }} pk(R1)
• Routing info for each link encrypted with router’s public key
• Each router learns only the identity of the next router
14
� Disadvantages of Basic Mixnets/Onion
Routing
} Public-key encryption and decryption at each mix/router
are computationally expensive
} Basic mixnets have high latency
} Ok for email, not Ok for anonymous Web browsing
} Challenge: low-latency anonymity network
15
Outline
} Protocols for anonymous communication
} High-latency
} Chaum Mixes as a building block
} Low-latency
} Onion Routing and Tor
} Dining Cryptographers
16
� Tor
} Second-generation onion routing network
} http://tor.eff.org
} Developed by Roger Dingledine, Nick Mathewson and Paul
Syverson
} Specifically designed for low-latency anonymous Internet
communications
} Running since October 2003
} Thousands of nodes, 2MM+ users
} “Easy-to-use” client proxy
} Freely available, can use it for anonymous browsing
17
Tor Circuit Setup
} Client proxy establishes symmetric session keys with
onion routers
18
� Tor Circuit Setup (details)
Alice R2 R4
R3 Bob
R1
{M}pk(B)
{B,k4}pk(R4),{ }k4
{R4,k3}pk(R3),{ }k3
{R3,k2}pk(R2),{ }k2
{R2,k1}pk(R1),{ } k1
• Routing info for each link encrypted with router’s public key
• Each router learns only the identity of the next router and
symmetric key with source
19
Using a Tor Circuit
} Client applications connect and communicate over the
established Tor circuit
} Note onion now uses only symmetric keys for routers
20
� Using a Tor Circuit(details)
Alice R2 R4
R3 Bob
R1
{M}pk(B)
{B,{ }}k4
{R3 ,{ {R4, } k3 }}k2
{R2 ,{ }} k1
Note onion now uses only symmetric keys for routers
21
Fig: Image courtesy torproject.org
22
� Fig: Image courtesy torproject.org
23
Fig: Image courtesy torproject.org
24
� Tor Management Issues
} Many applications can share one circuit
} Multiple TCP streams over one anonymous connection
} Tor router doesn’t need root privileges
} Encourages people to set up their own routers
} More participants = better anonymity for everyone
} Directory servers
} Maintain lists of active onion routers, their locations, current
public keys, etc.
} Control how new routers join the network
} “Sybil attack”: attacker creates a large number of routers
} Directory servers’ keys ship with Tor code
25
The 3 Traditional Threats to Tor's Security:
q DNS Leaks
q Traffic Analysis
q Malicious Exit Nodes
26
�Threat 1: DNS Leaks
Ø DNS requests not sent through
Tor network by default
Ø Attacker could see what
websites are being visited
Ø external software such as
Foxyproxy and Privoxy can be
used to route DNS requests
through tor network, but this is
_not_ default behavior
27
Threat 2:Traffic Analysis
ü "Traffic-analysis is extracting and inferring
information from network meta-data,
including the volumes and timing of network
packets, as well as the visible network
addresses they are originating from and
destined for.”
ü Tor is a low latency network, and thus is
vulnerable to an attacker who can see both
ends of a connection.
28
�Threat 3: Rogue Exit Nodes
ü Traffic going over Tor is not
encrypted, just anonymous
ü Malicious exit node can observe
traffic
ü Swedish researcher Dan Egerstad
obtained emails from embassies
belonging to Australia, Japan, Iran,
India and Russia, publishes them
on the net.
ü Sydney Morning Herald called it
“hack of the year” in interview
with Egerstad
29
Outline
} Protocols for anonymous communication
} High-latency
} Chaum Mixes as a building block
} Low-latency
} Onion Routing and Tor
} Dining Cryptographers
30
� Dining Cryptographers
} Clever idea how to make a message public in a perfectly
untraceable manner
} David Chaum. “The dining cryptographers problem: unconditional
sender and recipient untraceability.” Journal of Cryptology, 1988.
} Guarantees information-theoretic anonymity for message
senders
} This is an unusually strong form of security: defeats adversary who
has unlimited computational power
} Impractical, requires huge amount of randomness
} In group of size N, need N random bits to send 1 bit
31
Three-Person DC Protocol
Three cryptographers are having dinner.
Either NSA is paying for the dinner, or
one of them is paying, but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor.
} Every diner will see two coins: his own and his right neighbor’s
2. Each diner announces whether the two coins are the same. If he is
the payer, he lies (says the opposite).
3. Odd number of “same” Þ NSA is paying;
even number of “same” Þ one of them is paying
} But a non-payer cannot tell which of the other two is paying!
32
� Non-Payer’s View: Same Coins
“same” “different” “same” “different”
? ?
payer payer
Without knowing the coin toss
between the other two, non-payer
cannot tell which of them is lying
33
Non-Payer’s View: Different Coins
“same” “same” “same” “same”
? ?
payer payer
Without knowing the coin toss
between the other two, non-payer
cannot tell which of them is lying
34
� Superposed Sending
} This idea generalizes to any group of size N
} For each bit of the message, every user generates 1 random
bit and sends it to 1 neighbor
} Every user learns 2 bits (his own and his neighbor’s)
} Each user announces own bit XOR neighbor’s bit
} Sender announces own bit XOR neighbor’s bit XOR
message bit
} XOR of all announcements = message bit
} Every randomly generated bit occurs in this sum twice (and is
canceled by XOR), message bit occurs once
35
DC-Based Anonymity is Impractical
} Requires secure pairwise channels between group
members
} Otherwise, random bits cannot be shared
} Requires massive communication overhead and large
amounts of randomness
} DC-net (a group of dining cryptographers) is robust even
if some members collude
} Guarantees perfect anonymity for the other members
36
� Thanks! Questions
} Acknowledgement: This lecture uses a number of slides
provided by Vitaly Shmatikov
37
Location Hidden Servers
} Goal: deploy a server on the Internet that anyone can
connect to without knowing where it is or who runs it
} Accessible from anywhere
} Resistant to censorship
} Can survive full-blown DoS attack
} Resistant to physical attack
} Can’t find the physical server!
38
� Creating a Location Hidden Server
Server creates onion routes
to “introduction points”
Client obtains service
descriptor and intro point
address from directory
Server gives intro points’
descriptors and addresses
to service lookup directory
39
Using a Location Hidden Server
Client creates onion route Rendezvous point
If server chooses to talk to client,
to a “rendezvous point” mates the circuits
connect to rendezvous point
from client & server
Client sends address of the
rendezvous point and any
authorization, if needed, to
server through intro point
40
� A simple idea: Basic Anonymizing Proxy
} Channels appear to come from proxy, not true originator
} Appropriate for Web connections etc.: SSL, TLS (Lower
cost symmetric encryption)
} Example: The Anonymizer
} Simple, focuses lots of traffic for more anonymity
} Main disadvantage: Single point of failure, compromise,
attack
41
