Slicing the Onion: Anonymous Routing without PKI

1
Slicing the Onion Anonymous Routing without PKI
CS 259
http//nms.lcs.mit.edu/sachin/slicing.html

• Saurabh Shrivastava

2
What is Onion Routing

• - packets are encrypted in layers
• - each node decrypts the packet using its key,
  figures out the next hop
• - usually public/private key pairs used, but here
  symmetric keys will be used
• - how to distribute the keys to nodes? use
  information slicing split the key into lots of
  pieces, send them on disjoint paths to the
  respective target nodes

3
Key Distribution

• Bob reassembles message it received from Ne and
  Nb to yield IB1, IB2 meant for him and also Ia1
  to be sent to Na, Id2 to be sent to Nd.
• here there are 3 stages (L), split factor is 2
  (d)

4
Anonymity

• Degree of Anonymity
• Measured as entropy of the system
• Unlinkability
• of different actions by a single user
• Source/Destination anonymity
• Source is hidden from all nodes including
  destination, (same argument for destination)
• We will focus on Source anonymity

5
Observations

• If the adversary is in control of a stage, it can
  get all information about keys and nodes in
  subsequent stages
• If the adversary doesnt control all the nodes in
  a stage, it is as good as controlling only 1 node
  in that stage.
• Adversary cannot correlate information if its
  nodes are not in consecutive stages
• Best case scenario is when
• 1st stage is compromised or else
• the adversary has only 1 node in consecutive
  stages

6
Adversary Model

• Adversary controls a fraction of nodes in the
  graph
• It is able to figure out if it has nodes in
  consecutive stages and if it has multiple nodes
  in some stage
• It knows about the parameters L (number of
  stages) and d (splitting factor)
• It tries to find the single largest chain of its
  nodes and tries to guess that the node prior to
  its chain head is the source (its guess will be
  good only if its chain head lies in the first
  stage)

7
Analysis

• Given L, d, f, figure out all possible
  arrangements of adversary nodes in the graph
  (hard). More later.
• For each arrangement figure out what is the
  longest chain of adversary nodes possible (easy)
• Given the length of the chain, find out the
  likelihood of correct guess of the source (easy)
  e.g. if L is 10, chain length is 7, chances are
  0.25 that the head is in stage 1
• The authors did it differently they assumed a
  network of N100,000 nodes, of which fraction f
  were malicious, chose Ld nodes from N (some of
  which were malicious) and ran simulations to find
  chain lengths.

8
Anonymity dependent on L

• If L increases, the adversary nodes are spread
  out and it is more difficult to form unbroken
  chains with nodes in consecutive stages.
• Broken chains render adversary nodes useless
  because it cannot correlate nodes if not part of
  the same chain

9
Anonymity dependent on d

• When f is low, increasing d creates more chances
  for the adversary to have nodes in consecutive
  stage
• When f is high, there is high likelihood that
  adversary controls an entire stage, so increasing
  d will break this scenario

10
Analysis 2

• Didnt use Murphi, or any tool, used C programs
  to achieve the hard part (Given L, d, f,
  figure out all possible arrangements of adversary
  nodes in the graph)
• given L (6) , d (4), f (.25), m (6) L d
  f
• find all partitions of m such that none of the
  terms is gt d
• find out how many 1-chain, 2-chain, 3-chain ..
  m-chains can be made
• ./arrangements 6 4 ../partitions/p6 m6d4
• 2 28 gt given 2 stages with d4, how
  many ways can we choose places for 6 adversary
  nodes (partitions used 2,4 3,3 4,2)
• for all possible permutations of m adversary
  nodes in Ld nodes find out frequency of 1 chain,
  2 chain 3 chain ... m-chain
• ./chains 6 4 .25 L6d4f25
• 0xb 3 2 604800.000000 gt 3 stages in which
  adversary nodes present (0 0 1 0 1 1) but the
  effective chain length is only 2. 604800 all
  possible combinations of 6 adversary nodes when
  present in 3 stages with d4.