Security / Re: Brainstorming the ideal anonymity network
« on: June 09, 2013, 03:58 am »
5. How should we achieve our goals?
A. Untraceability
This means that an attacker cannot tell where traffic they observed originated from. Pretty much all anonymity networks put some focus on untraceability because it is required for essentially all other properties that anonymity networks strive for.
B. Unlinkability
This means that an attacker cannot tie multiple actions to the same user.
C. Deniability
This means that an attacker cannot prove beyond a reasonable doubt that a user originally published or intentionally accessed certain published information. The attacker may know that certain information came from a certain user's node, but they cannot determine that the user originated it or published it knowingly. Likewise, they may know that a certain user requested certain information, but they cannot determine if the user intentionally accessed it. This strategy is strongly utilized by Freenet, and to a lesser extent by I2P. Tor is the only one of the networks that puts absolutely no focus on deniability.
D. Membership Concealment
This means that an attacker cannot determine who is using the network. Tor and Freenet both put an emphasis on membership concealment; these days Tor puts a very strong focus on it with the advent of its steganographic bridges. On the other hand, I2P has essentially zero membership concealment: the entire list of nodes on the network is an open book.
E. Censorship resistance / blocking resistance
This means that an attacker cannot prevent users from accessing the network, and also cannot prevent publishers from publishing content. Tor puts a large amount of effort into preventing attackers from blocking users' access to the network, but it is currently quite weak against attackers censoring content published through the network. I2P puts essentially no effort into preventing users from being blocked from the network, but it does make it hard to censor services accessed through the network (thanks to multihomed service support). Freenet puts effort into preventing blocking and also does a spectacular job of keeping published content from being censored (it is extremely difficult to censor content on Freenet).
6. What are some attacks that we know we need to give consideration to?
A. Timing attacks
A timing attack is when an attacker links packets together through statistical analysis of their arrival times at multiple locations. There are two known ways to defend against timing attacks: mixing can offer very strong protection against internal and external timing attacks, and plausible deniability via variable length tunnels and forced routing can prevent internal (but probably not external) timing attacks from reaching any certain conclusion.
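To make the "statistical analysis" concrete, here is a minimal sketch of the kind of correlation an attacker watching two points might run: compare inter-packet arrival times near the client and near the destination, and treat a high correlation as evidence that both observations are the same flow. The function names and the 0.9 threshold are illustrative assumptions, not taken from any real tool.

from statistics import mean

def inter_arrival(times):
    # gaps between consecutive packet arrival timestamps
    return [b - a for a, b in zip(times, times[1:])]

def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs) ** 0.5
    vy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (vx * vy or 1e-12)

def likely_same_flow(entry_times, exit_times, threshold=0.9):
    a, b = inter_arrival(entry_times), inter_arrival(exit_times)
    n = min(len(a), len(b))
    return pearson(a[:n], b[:n]) > threshold

Mixing defeats this because the per-hop delays destroy the inter-arrival pattern the correlation depends on.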
B. Byte counting attacks
A byte counting attack follows a flow through the network by counting how many bytes it consists of. The only way to protect from a byte counting attack is padding. If all flows are padded to the same size, as is the case with modern remailer networks, then byte counting attacks are impossible. If traffic is merely padded up to a fixed cell size, byte counting attacks become less reliable but remain possible, as is the case in Tor (where traffic is carried in 512 byte cells) and I2P (where traffic is rounded up to the next multiple of 1KB). Of course there are two sorts of byte counting attack: counting the bytes of individual packets (easily prevented by padding all packets to the same size) and counting the bytes of entire traffic flows (harder to prevent unless all flows are padded to the same size, although any amount of padding reduces accuracy).
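As a quick sketch of the cell-padding idea, here is what rounding a payload up to the next multiple of a fixed cell size looks like. The 512 byte figure mirrors Tor's cell size; the function name and the use of random fill bytes are my own illustrative choices.

import os

CELL_SIZE = 512

def pad_to_cells(payload: bytes) -> bytes:
    # round up to the next multiple of CELL_SIZE so an observer only
    # learns the number of cells, not the exact byte count
    shortfall = (-len(payload)) % CELL_SIZE
    return payload + os.urandom(shortfall)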
C. Watermarking attacks / tagging attacks
These are less sophisticated than timing attacks but work in a similar fashion. A watermarking attack is when the attacker modifies a traffic stream to make it identifiable at a later point. One way of accomplishing this is by delaying individual packets to embed a detectable inter-packet arrival time fingerprint in the flow. Time delayed mixing can protect from watermarking attacks, because the mix gathers all packets prior to forwarding them on, which removes the embedded watermark. Networks like Tor and I2P are weak to watermarking attacks because their relays forward packets as they get them, so the inter-packet arrival characteristics persist once modified.
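A toy illustration of both halves of that argument, with made-up names and delay values: the attacker encodes a bit pattern as extra delays on selected packets, and a batching mix erases it by releasing everything that arrived in the same interval at once.

def embed_watermark(send_times, bits, delta=0.05):
    # delay packet i by delta seconds whenever the corresponding bit is 1
    return [t + (delta if bits[i % len(bits)] else 0.0)
            for i, t in enumerate(send_times)]

def batch_and_flush(arrival_times, interval=1.0):
    # a time delayed mix forwards each batch at the end of its interval,
    # so the carefully embedded gaps between packets are destroyed
    return [((t // interval) + 1) * interval for t in arrival_times]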
D. Intersection attacks
Intersection attacks work by identifying multiple crowds that the target must be in, and then removing every node that does not appear in all of the suspect crowds. For example, if you can enumerate all of the nodes on the network during the time that the target sends communications to you, you can determine that the target is one of the nodes currently on the network. After doing this many times, natural node churn lets you shrink the suspect list. Intersection attacks have a variety of different manifestations.
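The core of the attack really is just set intersection. A minimal sketch with invented data: each time the target is observed acting, record which nodes were online, then intersect the snapshots.

def intersect_suspects(online_snapshots):
    suspects = set(online_snapshots[0])
    for snapshot in online_snapshots[1:]:
        suspects &= set(snapshot)   # drop anyone not present every time
    return suspects

snapshots = [{"A", "B", "C", "D"}, {"A", "C", "E"}, {"C", "F"}]
print(intersect_suspects(snapshots))  # {'C'} after three observations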
E. Traffic identification attacks
Traffic identification is the most trivial of attacks to protect from. If you send traffic through a series of nodes without layer encrypting it, a node that routed the traffic can identify it again later simply by looking for the same bytes. I2P and Tor protect from this attack by using layers of encryption; Freenet does *not* protect from internal traffic identification attacks (only external), but it doesn't really need to because it relies so heavily on its strong plausible deniability techniques.
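For readers who have not seen layered encryption written out, here is a bare-bones sketch. It borrows the Fernet primitive from the Python "cryptography" package purely for brevity; a real design would negotiate per-hop keys and use a proper onion packet format, so treat the structure, not the crypto choices, as the point.

from cryptography.fernet import Fernet

def wrap_layers(message: bytes, hop_keys):
    # encrypt for the last hop first, so each relay strips exactly one
    # layer and never sees the same ciphertext twice
    for key in reversed(hop_keys):
        message = Fernet(key).encrypt(message)
    return message

def unwrap_layer(onion: bytes, key) -> bytes:
    return Fernet(key).decrypt(onion)

keys = [Fernet.generate_key() for _ in range(3)]
onion = wrap_layers(b"GET /index.html", keys)
for k in keys:                      # each hop peels one layer in order
    onion = unwrap_layer(onion, k)
print(onion)  # b'GET /index.html'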
F. All of the known mix attacks, like flushing, etc.
I already explained these previously.
Anyway, I am a bit tired of typing and I cannot possibly summarize all of the things we would need to take into consideration, so I will wrap this up with some suggestions.
First of all, I think that low latency networks are already covered by Tor and I2P. It is not likely that we are going to make any significant advances to the state of low latency anonymity, and if we were going to, it would be by convincing the Tor developers to make some tweaks, not by designing a brand new network. I think that high latency networks are too slow to attract many users; although they technically can be used for browsing the internet, in practice they are too slow for it. So I think that a variable latency network is the best bet. There is already some research on this in the context of mix networks, called alpha mixing or tau mixing (a rough sketch follows below). As far as using a mix network goes, this is a bit of a tough call. On the one hand, I think mixing is by far the most researched and proven way of providing strong anonymity; on the other hand, I would really like to have a P2P anonymity network like I2P, and I would worry that a very large network would dilute the concentration of messages to mix together. Perhaps this can be slightly ameliorated by dummy traffic, which would be more realistic on a P2P network with lots of bandwidth.
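Here is roughly how alpha mixing works, as I understand the research: each message arrives with an alpha value chosen by its sender, the mix decrements alpha at every flush, and only forwards messages whose alpha has reached zero, so latency-tolerant senders buy extra mixing for everyone. The class and method names below are purely illustrative.

class AlphaMix:
    def __init__(self):
        self.pool = []          # list of [remaining_alpha, message]

    def accept(self, message, alpha):
        self.pool.append([alpha, message])

    def flush(self):
        # forward everything whose alpha has counted down to zero,
        # keep the rest and decrement their counters
        ready = [m for a, m in self.pool if a <= 0]
        self.pool = [[a - 1, m] for a, m in self.pool if a > 0]
        return ready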
I definitely think that any new network should support access to the clearnet. Networks that are only for hidden services simply do not attract as many people as networks that can be used for surfing the regular internet. Additionally, allowing access to the clearnet essentially guarantees a large pool of cover traffic for mixing, and that translates into more anonymity with less time delay. On the other hand, I prefer the Freenet strategy of hosting content distributed throughout the network. I think this will encourage more people to actually run hidden services, as they will not need to learn how to configure a server and, more importantly, they won't need to buy a server in the first place. The primary disadvantage is that we will need to create use case specific applications, such as a software package for forums, one for email, one for blogging, etc. If Tor hidden services have shown us anything, it is that people who want to run hidden service servers don't have the technical expertise required to do so securely. I also like how resistant Freenet hidden services are to DDoS and similar censoring attacks.
I think that deniability is an important property that we should definitely utilize. Mixing traffic can protect from timing attacks being carried out; deniability techniques can prevent timing attacks from being used to prove anything after they are carried out. We would primarily be focusing on a medium latency user base: people who want to access sites fast enough to surf the internet, but who require enough anonymity that they can wait a minute or two. With variable time delays, traffic of all latencies gains an anonymity advantage, even traffic without any delay at all. This means that just by having some people use the network in a high latency fashion, the average user using it in a medium latency capacity gets increased anonymity. Having time delays at all will offer some protection from timing attacks; ideally you would have multi-hour delays, but even 0 seconds to 1 minute per hop should make the network more resistant to timing attacks than Tor or I2P are. Having variable length paths and having all clients route by default will provide plausible deniability as well (a small sketch of both ideas follows). All of these things in combination should offer significant protection from timing attacks.
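A hedged sketch of what "variable length paths with 0 to 60 second per-hop delays" could look like on the client side. Relay selection, path length bounds, and the uniform delay distribution are all stand-in choices for illustration, not a worked-out design.

import random

def build_circuit(relays, min_hops=2, max_hops=5, max_delay=60.0):
    length = random.randint(min_hops, max_hops)               # variable path length
    path = random.sample(relays, length)
    delays = [random.uniform(0.0, max_delay) for _ in path]   # per-hop hold time
    return list(zip(path, delays))

circuit = build_circuit(["relay%d" % i for i in range(20)])
for hop, delay in circuit:
    print(f"{hop}: hold for {delay:.1f}s before forwarding")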
Another thing we need to consider is our padding strategy. It is very easy to pad all packets to the same size, and of course we should do this. However, it is also ideal if entire traffic flows consist of a single packet. The larger the fixed packet size, the more likely it is that an arbitrary webpage can be loaded with a single fixed size packet (ie: if all packets are 1MB, then all webpages of 1MB and below can be loaded with a single packet). On the other hand, larger packet sizes lead to inefficient networks that are impossible to scale (ie: if all packets are 1MB, then you just spent 1MB * the number of routing nodes utilized to send your three byte "lol" message; see the arithmetic below). Perhaps swarming can be used to help hide the size of large messages, or something sort of like I2P's unidirectional tunnels (except it would be more like hydra tunnels).
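The trade-off is easy to put numbers on; the hop count and packet sizes here are just example figures.

def transfer_cost(packet_bytes, hops):
    # every hop relays the full fixed size packet once
    return packet_bytes * hops

MB = 1024 * 1024
print(transfer_cost(1 * MB, 5))   # 5,242,880 bytes moved to deliver a
                                  # 3 byte "lol" padded to a 1MB packet
print(transfer_cost(4096, 5))     # 20,480 bytes with a 4KB packet instead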
I am a big fan of layer encrypted networks, and of course mixing requires layer encryption anyway.
Another possibility is using PIR (private information retrieval) somewhere. The bleeding edge theoretical mix networks use PIR rather than SURBs (single use reply blocks) for message retrieval; a toy two-server example follows.
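For anyone unfamiliar with PIR, here is a toy sketch of the classic information-theoretic scheme with two non-colluding servers holding identical databases: the client sends each server a random-looking set of block indices differing only at the wanted block, each server XORs together the requested blocks, and the client XORs the two answers to recover its block without either server learning which one it wanted. Everything here (names, block sizes, the example database) is illustrative.

import secrets

def xor_blocks(db, indices):
    out = bytes(len(db[0]))
    for i in indices:
        out = bytes(a ^ b for a, b in zip(out, db[i]))
    return out

def pir_fetch(db_copy_a, db_copy_b, wanted):
    n = len(db_copy_a)
    mask_a = {i for i in range(n) if secrets.randbits(1)}  # random subset
    mask_b = mask_a ^ {wanted}                             # differs only at `wanted`
    answer_a = xor_blocks(db_copy_a, mask_a)               # server A's reply
    answer_b = xor_blocks(db_copy_b, mask_b)               # server B's reply
    return bytes(a ^ b for a, b in zip(answer_a, answer_b))

db = [b"block-00", b"block-01", b"block-02", b"block-03"]
print(pir_fetch(db, db, wanted=2))  # b'block-02', yet neither server saw index 2 alone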