A Survey Anonymity and Anonymous File-Sharing

1
A Survey Anonymity and Anonymous File-Sharing
  • Tom Chothia
  • (Joint work with Konstantinos Chatzikokolakis)

2
Outline of Talk
  • The theory of anonymity.
  • Designs for anonymity.
  • Anonymous file-sharing software.
  • Some early results from the analysis of
    file-sharing software.

3
Introduction
  • This is a lightweight introduction to anonymity
  • Definitions
  • Design
  • Real Systems
  • Some Analysis of the Systems
  • Next week you will see more on the technical
    definitions and modeling with process calculi.

4
The Theory of Anonymity
  • Anonymity means different things to different
    users.
  • The right definitions are key to understanding any
    system.

On the Internet nobody knows you're a dog
5
The Theory of Anonymity
  • Anonymity is a difficult notion to define.
  • Systems have multiple agents
  • which have different views of the system
  • and wish to hide different actions
  • to variable levels.
  • Sometimes you just want some doubt, sometimes you
    want to act unseen.

6
The Theory of Anonymity
  • In a system of anonymous communication you can
    be
  • A sender
  • A receiver / responder
  • A helpful node in the system
  • An outsider (who may see all or just some of the
    communications).
  • We might want anonymity for any of these, from
    any of these.

7
Example: Anonymous File-Sharing
  • One node sends a request for a file (sender)
  • Other nodes receive this request (the nodes)
  • Maybe one of the nodes replies with a file
    (receiver/responder).
  • The attacker may be any of these or an outside
    observer.

8
Example: Anonymous File-Sharing
  • The user may wish to hide
  • that they are offering files
  • that they are taking part in data transfer
  • that they are running the software at all.
  • The user may want to have plausible deniability
    or go completely unnoticed.

9
The Theory of Anonymity
  • There are many definitions.
  • Some are too weak,
  • Dolev-Yao style Provable Anonymity
  • Some are too strong,
  • Information flow.
  • There will be more on these definitions next week.

10
Levels of Anonymity
  • Reiter and Rubin provide the classification:
  • Beyond suspicion: the user appears no more likely
    to have acted than any other.
  • Probable innocence: the user appears no more
    likely to have acted than not to have.
  • Possible innocence: there is a nontrivial
    probability that it was not the user.

11
Beyond suspicion
  • All users are Beyond suspicion

[Figure: bar chart of Prob for users A, B, C, D, E]
12
Beyond suspicion
  • Only B and D are Beyond suspicion

[Figure: bar chart of Prob for users A, B, C, D, E]
13
Beyond suspicion
  • Now, only B is Beyond suspicion

[Figure: bar chart of Prob for users A, B, C, D, E]
14
Probable Innocence
  • All users are Probably Innocent

[Figure: bar chart of Prob for users A, B, C, D, E, with 50 marked on the Prob axis]
19
Example: The Anonymizer
  • An Internet connection reveals your IP number.
  • The Anonymizer promises anonymity.
  • The connection is made via The Anonymizer.
  • The server sees only The Anonymizer.

20
Example: The Anonymizer
  • The sender is Beyond Suspicion to the server.
  • The server knows The Anonymizer is being used.
  • If there is enough other traffic, you are
    Probably Innocent to a global observer.
  • The global observer knows you are using The
    Anonymizer.
  • There is no anonymity to The Anonymizer.

21
Example: The Anonymizer
  • From the small print:
  • "we disclose personal information only in the
    good faith belief that we are required to do so
    by law, or that doing so is reasonably necessary"
  • "Note to European Customers: The information you
    provide us will be transferred outside the
    European Economic Area"

22
Summary: The Theory of Anonymity
  • There are many agents in a system, each of which
    has a different view.
  • There are a number of different actions.
  • We need to define the level of anonymity a user
    has when performing a certain action, given the
    attacker's view of the system.

23
Outline of Talk
  • The theory of Anonymity.
  • Designs for anonymity.
  • Anonymous file-sharing software.
  • Some early results from the analysis of
    file-sharing software.

24
Theoretical Designs for Anonymity
  • We have seen an example of anonymity from a
    Proxy.
  • In Friend-to-Friend networks
  • nodes have fixed neighbours,
  • only direct neighbours know IP addresses,
  • nodes act as proxies for their neighbours.
  • Anonymity to your neighbour is by trust or by
    claiming you are just acting as a proxy.

25
Ants
  • The Ants protocol is for ad-hoc networking.
  • Each node has a pseudo ID.
  • A node broadcasts a request, labeled with its own
    ID.
  • Each node records the IDs it receives over each
    connection.

26
Ants
  • If another node wishes to reply to the request:
  • It sends packets labeled with its own ID.
  • The packets are sent along the most used
    connection for the "to" ID.

27
MIXes
  • MIXes are proxies that forward messages between
    them
  • A user contacts a MIX to send a message
  • The MIX waits until it has received a number of
    messages, then forwards them in a different order

28
MIXes
  • It is difficult to trace the route of each
    message.
  • Provides beyond suspicion S-R unlinkability even
    w.r.t. a global attacker.
  • Messages have to be delayed (can be solved with
    dummy traffic).
  • More complicated when sending series of packets

29
Onion Routing
  • Messages are routed through a number of nodes
    called Core Onion Routers (COR)
  • The initiator selects the whole route and
    encrypts the message with all keys in reverse
    order
  • Each node unwraps a layer (onion) and forwards
    the message to the next one

30
Onion Routing
  • Each node only learns the next one in the path
  • Can be used together with MIXing.
  • End-users can run their own COR
  • Better anonymity
  • or use an existing one
  • More efficient
  • User's identity is revealed to the COR

31
Crowds
  • A crowd is a group of n nodes
  • The initiator selects randomly a node (called
    forwarder) and forwards the request to it
  • A forwarder
  • With prob. 1-pf selects randomly a new node
    and forwards the request to him
  • With prob. pf sends the request to the server

32
Crowds
  • Beyond suspicion w.r.t. the server
  • Some of the nodes could be corrupted.
  • The initiator could forward the message to a
    corrupted node.
  • Probable innocence w.r.t. a node (under
    conditions on the number of corrupted nodes).
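
An added example, not part of the talk: the "conditions on the number of corrupted nodes" made concrete. It uses the slide's convention (a forwarder sends to the server with prob. pf, otherwise forwards), Reiter and Rubin's closed form rewritten for that convention, and a simulation to check it. Function names and the sample crowd sizes are assumptions.

```python
import random
from fractions import Fraction

def initiator_probability(n, c, pf):
    """P(the node seen by the first corrupted node is the initiator).

    n crowd members, c of them corrupted. Slide convention (assumed here):
    a forwarder delivers to the server with probability pf and forwards
    to a random member with probability 1 - pf.
    """
    forward = 1 - Fraction(pf)
    return (n - forward * (n - c - 1)) / n

def probable_innocence(n, c, pf):
    """True when the initiator is no more likely than not to be the sender."""
    return initiator_probability(n, c, pf) <= Fraction(1, 2)

def simulate(n, c, pf, trials=200_000, seed=1):
    """Monte Carlo check of the closed form. Node 0 is the initiator and
    the last c node numbers are the corrupted ones."""
    rng = random.Random(seed)
    caught = blamed = 0
    for _ in range(trials):
        prev = 0
        while True:
            node = rng.randrange(n)      # uniform choice, may be itself
            if node >= n - c:            # request reached a corrupted node
                caught += 1
                blamed += prev == 0      # it was handed over by node 0
                break
            prev = node
            if rng.random() < pf:        # honest forwarder sends to server
                break
    return blamed / caught

if __name__ == "__main__":
    for n in (6, 20):                    # constructed crowd sizes, 2 corrupted
        p = initiator_probability(n, 2, Fraction(1, 5))
        print(n, float(p), probable_innocence(n, 2, Fraction(1, 5)),
              round(simulate(n, 2, 0.2), 3))
```

With 2 corrupted nodes and pf = 1/5, a crowd of 6 fails probable innocence while a crowd of 20 satisfies it.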

33
Dining Cryptographers
  • Nodes form a ring
  • Each adjacent pair picks a random number
  • Each node broadcasts the sum (xor) of the
    adjacent numbers
  • The user who wants to send a message also adds
    the message
  • The total sum (xor) is
    $r_1 \oplus r_2 \oplus r_2 \oplus r_3 \oplus r_3 \oplus r_4 \oplus r_4 \oplus r_5 \oplus r_5 \oplus r_1 \oplus m = m$

34
Dining Cryptographers
  • It's impossible to tell who added m.
  • Beyond suspicion even w.r.t. to a global
    attacker.
  • Very inefficient: everyone must send the same
    amount of data as the real sender.
  • More info in Catuscia's talk
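
An added example, not part of the talk: one round of the ring protocol from the two slides above, plus a check of the "impossible to tell who added m" claim by constructing, for every node, pair secrets that make that node the sender of the same public broadcasts. Function names, the ring size and the message value are assumptions.

```python
import secrets
from functools import reduce
from operator import xor

def broadcasts_for(shared, sender, message):
    """shared[i] is the number picked by the adjacent pair (i, i+1) on the ring.
    Each node announces the xor of its two numbers; the sender adds m."""
    return [shared[i - 1] ^ shared[i] ^ (message if i == sender else 0)
            for i in range(len(shared))]

def dc_round(n, sender, message, bits=32):
    """One round with fresh random pair secrets; returns the public broadcasts."""
    shared = [secrets.randbits(bits) for _ in range(n)]
    return broadcasts_for(shared, sender, message)

def recover(broadcasts):
    """Each shared number occurs twice in the total xor, so only m is left."""
    return reduce(xor, broadcasts, 0)

def secrets_blaming(broadcasts, candidate):
    """Pair secrets under which `candidate` sent the recovered message and the
    public broadcasts are exactly the ones observed."""
    message, n = recover(broadcasts), len(broadcasts)
    shared = [0] * n                     # shared[n-1] = 0; any value works
    for i in range(n - 1):
        own = broadcasts[i] ^ (message if i == candidate else 0)
        shared[i] = shared[i - 1] ^ own
    return shared

if __name__ == "__main__":
    seen = dc_round(5, sender=2, message=0xCAFE)   # constructed sample round
    print(hex(recover(seen)))
    # Every node is an equally valid explanation of what was broadcast.
    print(all(broadcasts_for(secrets_blaming(seen, k), k, 0xCAFE) == seen
              for k in range(5)))
```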

35
Multi-casting
  • Broadcast the message to the whole network.
  • Provides beyond suspicion for the receiver.
  • No anonymity for the sender.
  • Multicasting is an efficient technique for
    broadcasting messages.
  • but very inefficient to send just one message.

36
Spoofed UDP
  • IP packets on the Internet contain the IP address
    of the sender
  • This address is not used by routers, only by
    higher-level protocols such as TCP
  • UDP does not use this address
  • A random address can be used instead to provide
    sender anonymity
  • Method prohibited by many ISPs

37
Summary of methods
38
Outline of Talk
  • The theory of anonymity.
  • Designs for anonymity.
  • Anonymous file-sharing software.
  • Some early results from the analysis of
    file-sharing software.

39
Mute
  • Mute is an open source project based on the Ants
    protocol.
  • Mute uses a complicated 3 stage time-to-live
    counter that allows an attack.
  • In Mute all the probabilistic choices are fixed
    when a node starts. This protects against
    statistical attacks.

40
Ants
  • Ants is also an open source project based on the
    Ants protocol.
  • There is a probabilistic chance of dropping a
    search request. This avoids some attacks but gives
    little control over searches.
  • Ants sends most reply packets over the best route
    but sends some by other routes. This is done for
    efficiency but it also stops some attacks by
    inside nodes.

41
Mantis
  • Mantis is an academic project that uses the Ants
    protocol.
  • But the sender may make its IP address public and
    receive the file by address spoofed UDP.
  • Hence only the responder is anonymous, but the
    system is very efficient.

42
Anonymous Peer-to-Peer File-Sharing (APFS)
  • APFS is based on Onion Routing
  • Volunteer nodes act as proxies.
  • Centralised servers store onion routes for
    files.
  • Searching is carried out by asking a server for
    an onion route for a file.
  • Pro: Secure system. Con: Hard to set up and
    maintain.

43
Freenet and Free Haven
  • There are a number of anonymous publishing
    systems.
  • For example Freenet and the MIX based Free Haven.
  • These systems make the original author of a file
    anonymous, not the responder.
  • Nodes will often cache files. Therefore you can
    trick a node into storing and offering a
    file.

44
Waste
  • Waste is a friend-to-friend network. It is
    designed for small groups (under 50 nodes).
  • The sender and receiver are known to network
    insiders, but anonymous to an outside attacker.
  • Dummy traffic is sent between nodes
    whenever they are idle.

45
Tor
  • Tor is an anonymous transport layer.
  • It does not implement file-sharing, but
    file-sharing software can be run on top of it.
  • Tor implements onion routing without MIXes.
  • It's possible that a program run on top of Tor
    will reveal its IP address.

46
Some Other Systems
  • AP3: Crowds (Mislove et al.)
  • Entropy: Freenet (entrop.stop1984.com)
  • GNUnet: MIXes (gnunet.org)
  • I2P: Onion routing (www.i2p.net)
  • Nodezilla: Freenet (www.nodezilla.net)
  • Napshare: Ants (napshare.sourceforge.net)
  • SSMP: Secret sharing, onion routing (Dingledine et al.)
  • There are others!

47
Outline of Talk
  • The theory of anonymity.
  • Designs for anonymity.
  • Anonymous file-sharing software.
  • Some early results for the analysis of
    file-sharing software.

48
Goals for Anonymous File-Sharing using Ants
  • The attacker is a node in the network and must
    discover the pseudo ID of its neighbours.
  • Sender (requesting files) is Probable Innocence
    to nodes and responder.
  • Responder (offering files for download) is
    Probable Innocence to nodes and sender.

49
The Model
  • The model of the network is a connected weighted
    graph.
  • The weights are the times it takes for a message
    to travel along that connection.
  • Travel times are fixed.
  • A single attacker, no time-based attacks.
  • No time-to-live counter.

50
The Attacker's View
  • Its connections and the real addresses of the
    nodes each of these connections leads to.
  • The pseudo IDs from the messages it has seen.
  • For each pseudo ID, the order in which the
    attacker receives messages over its connections.
  • The "to" and "from" pseudo addresses of all the
    messages passed across it.

51
The Attacker's View
  • The attacker may also send messages.
  • It can form messages out of its own random values,
    its own address or any address it has seen.
  • In particular, it can send messages the wrong
    way.

52
Time-Based Attacks
  • The quickest reply along any connection will come
    from the direct neighbour.
  • The attacker may try random requests, and note the
    reply times.
  • The pseudo ID with the fastest reply time over
    any connection is assumed to be the neighbour.
  • If a node shares any files at all, it is not
    anonymous to its neighbour.

53
Result
  • Assuming no time-based attacks, there is still a
    problem:
  • The attacker might just see one pseudo ID over a
    connection.
  • Or have a unique pseudo ID bounced back.
  • i.e., anonymity depends on how the nodes are
    connected.

54
Result
  • One node on its own is not anonymous.
  • Only one node fastest along a connection is
    not anonymous.
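
An added example, not part of the talk: a topology check in the slides' model (connected weighted graph, fixed travel times, one passive observer, no timing or active attacks). For a given node it groups pseudo IDs by the connection over which they arrive first and lists the neighbours that are alone on their connection. The graph, node names and function names are constructed for illustration.

```python
import heapq

# Constructed sample network: weights are fixed travel times.
SAMPLE = {
    "A":  {"N1": 1, "N2": 2},
    "N1": {"A": 1, "N3": 2, "N4": 5},
    "N2": {"A": 2},
    "N3": {"N1": 2, "N4": 1},
    "N4": {"N1": 5, "N3": 1},
}

def first_arrivals(graph, observer):
    """For each connection of `observer`, the pseudo IDs whose broadcasts
    reach it first over that connection (shortest travel time)."""
    done = {observer}
    groups = {nbr: set() for nbr in graph[observer]}
    heap = [(w, nbr, nbr) for nbr, w in graph[observer].items()]
    heapq.heapify(heap)
    while heap:
        dist, node, via = heapq.heappop(heap)
        if node in done:
            continue                      # already reached by a faster route
        done.add(node)
        groups[via].add(node)
        for nxt, w in graph[node].items():
            if nxt not in done:
                heapq.heappush(heap, (dist + w, nxt, via))
    return groups

def exposed_neighbours(graph, observer):
    """Neighbours that are the only ID seen first on their own connection."""
    groups = first_arrivals(graph, observer)
    return sorted(n for n, ids in groups.items() if ids == {n})

def with_link(graph, a, b, weight):
    """Copy of the graph with one extra undirected connection a-b."""
    new = {k: dict(v) for k, v in graph.items()}
    new[a][b] = new[b][a] = weight
    return new

if __name__ == "__main__":
    print(exposed_neighbours(SAMPLE, "A"))                          # N2 stands alone
    print(exposed_neighbours(with_link(SAMPLE, "N2", "N4", 1), "A"))
```

Adding the N2-N4 link puts a second ID on N2's connection, which is the sense in which anonymity depends on how the nodes are connected.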

55
Result
  • Active attacks allow more discrimination.
  • A receives two IDs first over each connection.
  • But N3 and N4 are bounced back
  • Therefore the attacker can identify N1 and N2.

[Figure: network diagram with attacker A and nodes N1, N2, N3 and N4]
56
Result
  • If we assume that the attacker's neighbours might
    never share files then Ants is anonymous.
  • Otherwise
  • The Ants protocol can be broken by a timed
    attack.
  • If any connection is not used by at least two
    different pairs of nodes to communicate then the
    nodes on this connection are not anonymous to
    each other.

57
Protected Addresses
  • Attacker can make a message with another node's
    pseudo ID as the from address.
  • This lets it disrupt communication.
  • We can generate a key pair and use the
    authentication key as the pseudo ID.
  • The sender signs the message ID.
  • Hence the attacker cannot fake messages.

58
Other Kinds of Attack
  • Global Attacker
  • System Membership
  • Time-to-Live Attacks (Mute, Mantis)
  • Multiple Attackers (Mute)
  • Statistical Attacks (MIXes)
  • Forced Repeat (Crowds)
  • Nodes Joining and Leaving
  • Denial of Service (Mute)

59
Outline of Talk
  • The theory of Anonymity.
  • Designs for Anonymity
  • Anonymous file-sharing software
  • Some early results for the analysis of
    file-sharing software.

60
Further Work
  • Ants Protocol
  • Finish formal model and testing,
  • Time delays,
  • Deciding when a network is safe,
  • MIXes for file-sharing.
  • General purpose formal methods for anonymous
    systems.

61
Questions?
64
Forced Repeat Attack: Crowds
65
Time-to-live Attack: Mute
66
Time-to-live Attack: Mantis