Attacks on Mixes R Newman Topics Defining anonymity
- Slides: 36
Attacks on Mixes R. Newman
Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology
Attackers Passive Attacker Local – only detect traffic to/from one node Global – detect all messages Still, can only see src and dest (assume lengths all same, contents disguised) Active Attacker Delay Destroy Modify Replay Fabricate
Attackers Active Attacker – targetting a specific msg Trickle Attack Inject attacker messages Blending Attacks Delay or drop most msgs (timed Mix) Flood Attack Can manipulate batch of msgs entering Mix Trickle or flood Aim: Only one unknown message in batch
Attackers GAAs Can treat as two separate, cooperating attackers Global Inserting Attacker Global delaying Attacker GIA Can insert any number of messages anywhere Can do this in constant time Models unauthenticated systems (what else? ) GDA Treat deleting message as infinite delay
N-1 Attack Threshold Mix Threshold = N Inject N-1 messages into batch Only the one message under attack is unknown Know where the N-1 go See where the other one goes Repeat at each Mix until true destination known
Attack Classes Exact Attacker knows destination exactly Attacker knows when attack succeeds Anonymity is 0 Certain Attack always has the power to do this Attack always works in finite time
Mix Classes By resistance to Blending Attacks Strongly Resistant No blending attack can reduce anonymity of any message at all Blending attack anonymity k No blending attack can reduce the anonymity of any message below a constant k (AS size)
Mix Classes By resistance to Blending Attacks Vulnerable to non-exact, uncertain BAs Vulnerable to exact, uncertain BAs GAA can always reduce anonymity, but never to zero GAA can always reduce anonymity to 0, but may need to spend arbitrary resources (msges, time) Vulnerable to exact, certain BAs GAA can always reduce anonymity to 0, with finite resources (msges, time)
Mix Classes By resistance to Blending Attacks Note that the list may not be in order of increasing vulnerability in a practical sense Resources matter!
Threshold Mix Fires when N messages arrive Min delay is epsilon, max is infinite Mean delay is N/2 r, where r = arrival rate Min anonymity set size is N Distinct senders, distinct receivers
Threshold Mix Fires when N messages arrive Blending attack behavior Susceptible to flooding attack Min msgs is N-1, max is 2 N-2 Does not require delay
Threshold Mix Fires when N messages arrive Blending attack behavior Susceptible to flooding attack Min msgs is N-1, max is 2 N-2 Does not require delay Mix with N=5 target Mix 1 good good Can allow other good messages to arrive, or send bad messages to flush Mix 2
Threshold Mix Fires when N messages arrive Blending attack behavior Susceptible to flooding attack Min msgs is N-1, max is 2 N-2 Does not require delay good target Delay the new good messages Mix 1 bad bad Send bad messages to flush mix Mix 2
Threshold Mix Fires when N messages arrive Blending attack behavior Susceptible to flooding attack Min msgs is N-1, max is 2 N-2 Does not require delay good Mix 1 target bad bad Watch where other message goes Know where bad messages are going Mix 2
Timed Mix Fires every T seconds Min delay is epsilon e, max is T-e Mean delay is T/2 Min anonymity set size is 0, max is infinite In theory. . . In practice, limited by rate and memory Distinct senders, distinct receivers Mean AS size is r. T, where r is arrival rate
Timed Mix Fires every T seconds Blending attack behavior Susceptible to exact, certain attack Trickle Delay target message until Mix fires Delay all but target message Takes max time of 2 T-e, min of e Does not require insertions Can happen naturally in low traffic conditions!
Threshold OR Timed Mix Fires every T seconds or when N msgs arrive Min delay is epsilon e, max is T-e Mean delay is T/2 Min anonymity set size is 0, max is N Mean AS size is. . . min(N, r. T), where r is arrival rate
Threshold OR Timed Mix Fires every T seconds or when N msgs arrive Blending attack behavior Worst of both worlds!!! Susceptible to exact, certain attack Trickle or Flood! Min of 0 insertions with max time of 2 T-e, min of e Max of 2(N-1) insertions in e seconds
Threshold AND Timed Mix Waits for at least T seconds and N msgs Min delay is epsilon e, max is infinite Mean delay is T/2 Min anonymity set size is N, max is infinite Mean AS size is. . . max(N, r. T), where r is arrival rate
Threshold AND Timed Mix Waits for at least T seconds and N msgs Blending attack behavior Combined blending attack is exact and certain Trickle and Flood! Must delay non-target messages Must insert dummy messages Max time of 2 T-e, min of e Max of 2(N-1) insertions and min of N-1 insertions
Pool Mixes Maintains a pool of F messages Initializes pool With dummy messages or. . . Waits for F initial messages before normal ops May be timed, threshold, or combination Make attacks uncertain, increase cost
Threshold Pool Mix Fires when N new messages arrive Sends uniform random selection of N, keeps F Min delay is epsilon, max is infinite Infinite even if Mix fires infinitely many times! Mean delay is 1 + F/(N+F) rounds Mean round rate is N/r where r is arrival rate Mean delay is (N/r)(1 + F/(N+F)) Anonymity set size – must resort to info theory Amax = -(1 -F/N) lg (N+F) + (F/N) lg F Min AS size is N (assumes distinct senders)
Threshold Pool Mix Blending attack behavior Generally have two phases: Flush good messages out of Mix Insert bad messages into Mix Problem: Can never be sure good message is flushed! Attack becomes uncertain! Is still exact (attacker knows when Mix is clean)
Threshold Pool Mix Blending attack behavior Exact but uncertain Prob(msg still in Mix after r rounds) = [F/(N+F)]r If there were G good messages in Mix at start, Exp(# good msgs in Mix) = G [F/(N+F)]r Prob(all good messages have left Mix by round r) = [1 – (F/(N+F))r ]M M ranges between F and N+F
Threshold Pool Mix Blending attack behavior Prob(all good messages have left Mix by round r) = [1 – (F/(N+F))r ]M Example: N = 100, F = 60 Average delay = 1. 6 rounds If M = 60 (i. e. , Mix just fired) Expected number of good messages in Mix is < 1 after 5 rounds, or 500 attacker messages Prob(all M gone) > 0. 5 after 5 rounds, and Prob(all M gond) > 0. 99 after 9 rounds
Timed Pool Mix Fires every T seconds Always retains F messages in pool If <= F in pool, it does not fire (hence Threshold AND Timed mix, technically) Min delay is epsilon e, max is infinity Min anonymity set size is F+1, max is infinite Compute effective A similar to Threshold Pool Mix
Timed Pool Mix Fires every T seconds (or not) Blending attack behavior Attacker can try to flush in one round Delay all good messages Insert B bad messages Prob(flush all F good messages) = F 2/(B+F) Well, so they say – I’m not convinced!
Timed Pool Mix Fires every T seconds (or not) Blending attack behavior Attacker can try to flush over many rounds Delay all good messages Insert 1 bad message each round Prob(flush all F good messages) = F[F/(F+1)]B Again, so they say – I’m not convinced!
Dynamic Timed Mix Fires every T seconds with threshold N Min pool size Fmin, f = fraction of msgs to send Must have at least N + Fmin msgs to fire Sends max(1, mf) messages If N=1, this is Cottrell Mix m = number of messages in Mix when firing Used in Mixmaster remailer Size of pool may change over time If constant arrival rate then equivalent to constant pool mix
Dynamic Timed Mix Message delay: Min is e, max is infinite Mean delay depends on future arrival rates At least as high as constant-pool mix, usually higher Anonymity Same properties as constant pool mix Anonymity higher since prob(stay in pool) is constant, rather than decreasing with increasing m
Dynamic Timed Mix Blending Attack Behavior Max prob(flushing a msg in one round) = f Hence, attacker can’t flush mix in one round! Attacker has to figure out pool size also Larger pool means longer time to flush Prob(flush in r rounds) is proportional to (1/f)r Anonymity still goes to zero over time
Resisting Exact Attacks All prior mixes subject to exact attacks Attacker knows when good messages are flushed Some provide uncertainty – don’t know how long it will take Binomial Mix Flush each message with some probability Hard to determine size of pool now Target specific goals: Certainty Exactness
Resisting Exact Attacks Use same tools as attacker Uncertainty Don’t let attacker know when target msg leaves pool Use dummy messages Intermix link encryption – hard to recognize chaff Intermix detours – reroute outgoing messages Stop-and-Go Mixes Inexactness Don’t let attacker know size of current pool Dynamic pool fractional approach Binomial approach
Resisting Exact Attacks Stop-and-Go (SG) Mixes Estimate arrival time of good msg at each Mix If msg is outside of window, discard it Frustrates arbitrary delay attacks But seems attacker can still manipulate system Reputation systems Prevent or diminish insertion attacks Only known senders can participate Seems hard to be both known and anonymous!
Next Up Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology Voting Ecash
- Relative clause
- Relative clauses defining and non defining
- Non essential adjective clause
- Defining and non-defining
- Defining and non defining relative clauses in telugu
- Non defining relative clauses examples
- K anonymity
- Anonymous adjective
- K anonymity
- Effrontery definition the crucible
- Anonymity vs privacy
- Blender torrent
- K anonymity
- White light mixes
- A shopkeeper sells one transistor for rs 840
- Zahra mixes 150g of metal a
- Device which mixes air and fuel
- A muscular bag secretes gastric juice
- Alligation method
- Cognitive apprenticeship collins brown and newman
- Newman college
- Gerald levey and mark newman
- Mr steven newman
- Gerald levey and mark newman
- Plastic bag theme
- Robert c newman ii
- Gerald levey and mark newman
- Milkovich newman compensation, 9th edition pdf
- Shashwitha puttaswamy
- Robert c newman
- Gerald levey and mark newman
- Newman projection of cyclohexane
- Newman projection to wedge dash
- Amy newman nida
- Barnett newman vir heroicus sublimis
- Colgajo de widman modificado
- Margaret newman theory application