Bit Blender LightWeight Anonymity for Bit Torrent Kevin

Bit. Blender: Light-Weight Anonymity for Bit. Torrent Kevin Bauer Damon Mc. Coy Dirk Grunwald Douglas Sicker Department of Computer Science University of Colorado at Boulder Workshop on Applications of Private and Anonymous Communications September 22, 2008 Istanbul, Turkey

This work proposes an anonymity mechanism designed for Bit. Torrent • Are “light-weight” anonymity protocols ever appropriate? • We argue that peer-to-peer file sharing is wellsuited to this form of anonymity • We propose Bit. Blender to provide light-weight anonymity for Bit. Torrent Bit. Blender: Lightweight Anonymity for Bit. Torrent 2

Privacy Problems in Bit. Torrent • Bit. Torrent requires a full membership list to facilitate efficient peer discovery Peers who are sharing 123 213 142 155. 156. 152 … Who is sharing? Mallory Trivial to determine who is sharing a file [Piatek et. al Hot. Sec ‘ 08] Bit. Blender: Lightweight Anonymity for Bit. Torrent 3

Preserving Privacy in Bit. Torrent • Main idea: Introduce uncertainty in the membership list Peers who are sharing 123 2. 2 123 213 3. 3 142 155. 156. 152 4. 4 … 155. 156. 152 … Add special peers to act as proxies Now Mallory must conduct active traffic analysis Bit. Blender: Lightweight Anonymity for Bit. Torrent 4

Why Anonymous Bit. Torrent? • Bit. Torrent has no support for anonymous file sharing • A recent study by Mc. Coy et. al showed that a large portion of Tor traffic is Bit. Torrent [PETS ‘ 08] HTTP 285 GB (40%) Bit. Torrent Other 411 GB (58%) Clear demand for anonymous Bit. Torrent 13 GB (2%) 0 500 Gigabytes of traffic observed Bit. Blender: Lightweight Anonymity for Bit. Torrent 5

Achieving Online Anonymity • Traditional anonymous networks are built upon: Alice Bob Bitwise unlinkability Secure against a global Mix – Mix networks passive adversary Techniques: Public key encryption, message High latency batching, shuffling, delays, cover traffic Not always practical Examples: Mixmaster, Mixminion Bob – Onion routing networks Techniques: Layered symmetric key encryption Example: Tor Low latency Alice Bit. Blender: Lightweight Anonymity for Bit. Torrent End-to-end traffic correlation 6

Onion Routing Networks Alice M Alice encrypts message M with shared keys: Krouter 1(Krouter 2(Krouter 3(M))) Tor router 1 Tor router 2 Tor router 3 Bob M Decrypt with Krouter 1 Decrypt with Krouter 2 Decrypt with Krouter 3 • Source routing through multiple Tor routers with layered encryption provides unlinkability and data confidentiality; only the last node can see the plaintext M • For example: Tor Bit. Blender: Lightweight Anonymity for Bit. Torrent 7

Crowds: Loose Anonymous Routing • However, sometimes data confidentiality within the network is not desired (or required) • Crowds provides source anonymity for web transactions [Reiter and Rubin ‘ 98] • Crowds allows users to route their web requests through a set of intermediate “Jondo” nodes with a certain probability Search: “Democracy” SSL to prevent eavesdroppers 123 Knows requestor 123 Two Jondos ? ? 22. 22. 22 3. 3 Search: “Democracy” Bit. Blender: Lightweight Anonymity for Bit. Torrent Requestor looks like 3. 3 8

Introducing Bit. Blender • Inspired by Crowds, we propose an anonymity solution for Bit. Torrent called Bit. Blender • Bit. Blender’s goals: – “Light-weight” form of anonymity called “plausible deniability” for Bit. Torrent traffic – Tunable “degrees” of anonymity – Compatible with current Bit. Torrent protocol – Better expected performance than other heavyduty anonymity solutions such as Tor Bit. Blender: Lightweight Anonymity for Bit. Torrent 9

Presentation Outline • • Bit. Torrent background Reasoning about anonymity Bit. Blender design principles Attacks against Bit. Blender Performance evaluation Protocol extensions Conclusions and future work Bit. Blender: Lightweight Anonymity for Bit. Torrent 10

Bit. Torrent Background • Bit. Torrent is a decentralized peer-to-peer “Torrent” file “swarming” file-sharing protocol Video file to share: Tracker: http: //tracker. host. com: 6969/announce File length: 256 MB Piece size 1 MB Number of pieces 256 1 Break original file into several fixed-size pieces (i. e. , 1 MB) 2 Compute a hash (i. e. , SHA 1) for each piece to ensure integrity 3 Create a torrent metafile: Piece size, number of pieces, hashes, URI of tracker server Bit. Blender: Lightweight Anonymity for Bit. Torrent 11

Bit. Torrent Background (2) • To download the file: 1 Download the desired torrent file 2 Contact the tracker and obtain list of other peers Peer Who is sharing this file? 128. 138. 207. 2, 182. 203. 21. 4, … Tracker server 3 Request pieces from the other peers I want piece #94 Here’s piece #94 I want piece #23 Here’s piece #23 Bit. Blender: Lightweight Anonymity for Bit. Torrent 12

Key Observations about Bit. Torrent • Content is publically available – Confidentiality is not a primary concern • No dynamic content – No personally identifying information • Highly transparent – Trackers advertise identities of all peers participating These features are unique to Bit. Torrent Make providing anonymity a bit easier Bit. Blender: Lightweight Anonymity for Bit. Torrent 13

Anonymity Expressed as a Spectrum • Given the demand for anonymous Bit. Torrent, what “degree” of anonymity is appropriate? • In Crowds, anonymity regarded as a spectrum • Determine the sender with probability p We define “plausible deniability”: 0 < p < 1 p=0 Absolute privacy p=1 p ≈ 0. 5 Beyond Probable suspicion innocence Possible Exposed innocence Bit. Blender: Lightweight Anonymity for Bit. Torrent Provably exposed 14

Bit. Blender: Anonymity for Bit. Torrent • Bit. Blender achieves plausible deniability for peers who are listed by a tracker • Achieved by introducing “relay peers” to proxy piece requests and replies for other peers Normal Bit. Torrent: Alice Bit. Blender: Alice I want piece #23 Here’s piece #23 Mallory Robert I want piece #23 R I want piece #23 Here’s piece #23 Bit. Blender: Lightweight Anonymity for Bit. Torrent Mallory Alice is sharing the file Robert is sharing the file 15

Design Principles • Bit. Blender’s design achieves the following: – Better performance than other (stronger) anonymity solutions; no cryptography – Easily integrates into Bit. Torrent’s architecture – Provides source anonymity in the form of plausible deniability – The “level” of anonymity is tunable with a system parameter Bit. Blender: Lightweight Anonymity for Bit. Torrent 16

Threat Model • The threat model Bit. Blender assumes is similar to other low-latency anonymous networks – The adversary can monitor the tracker list – The adversary may control a subset of the participating peers – The adversary cannot monitor arbitrary links between peers, i. e. , no local eavesdroppers (this can be relaxed with just a little extra work) Bit. Blender: Lightweight Anonymity for Bit. Torrent 17

Relay Peers: How do they join? • Relay peers are organized by a directory server Request called a Blender Relay peer 3. Each relay generates a random number r Join if r ≤ n / total # relays On average, n relays join Tracker server piece 3 R Here’s piece 3 1. Register with the blender 2. We want n relay peers Bit. Blender: Lightweight Anonymity for Bit. Torrent “Blender” directory server 18

Discussion • An adversary now cannot determine participants by just examining tracker list – Now the adversary must participate in the protocol • Trivial attacks: – Adversary knows every relay (given by Blender) – If adversary removes every relay peer from torrent, then the normal peers are revealed – To address this, every normal peer should also register with the Blender • Important: Only peers who participate in Bit. Blender enjoy source anonymity Bit. Blender: Lightweight Anonymity for Bit. Torrent 19

Traffic Analysis • Addressing traffic analysis attacks in Crowds and Bit. Blender remains an open problem • Intentional non-deterministic delays, selective caching, and cover traffic help mitigate attacks • Bit. Blender’s key accomplishment is that it forces the adversary to become active and expend resources to participate in the protocol Bit. Blender: Lightweight Anonymity for Bit. Torrent 20

Discussion • An adversary now cannot determine participants by just examining tracker list – Now the adversary must participate in the protocol • Trivial attacks: – Adversary knows every relay (given by Blender) – If adversary removes every relay peer from torrent, then the normal peers are revealed – To address this, every normal peer should also register with the Blender • Important: Only peers who participate in Bit. Blender enjoy source anonymity Bit. Blender: Lightweight Anonymity for Bit. Torrent 21

Performance Evaluation: Setup • The relay peers are implemented in enhanced ctorrent Bit. Torrent client • Conducted experiments on Planetlab testbed – 1 MB file to share – 1 KB piece size – 1 tracker server – 20 normal peers – Number of relay peers varies from 0 to 20 Bit. Blender: Lightweight Anonymity for Bit. Torrent 22

Performance Evaluation: Results 250 Bit. Torrent + Tor 200 150 100 Bit. Blender Average download time (s) 50 0 Lower is better 27. 9 0 29 34 34. 5 0. 25 0. 75 Ratio of relay peers to normal peers Bit. Blender: Lightweight Anonymity for Bit. Torrent 36. 7 1 23

Protocol Extensions • Confidentiality and access control mechanisms – Establish TLS connection between peers to prevent local eavesdroppers • Traffic analysis countermeasures – Introduce intentional random delays • Selective caching policies – Store a subset of pieces forwarded by a relay – Improves performance and can help frustrate traffic analysis Bit. Blender: Lightweight Anonymity for Bit. Torrent 24

Additional Details in Paper • Expected path length as number of relay peers varies • Detailed comparison to Tor • More details about protocol extensions • Discussion of the legal issues Bit. Blender: Lightweight Anonymity for Bit. Torrent See paper 25

Conclusion and Future Work • We presented Bit. Blender, a light-weight anonymity protocol just for Bit. Torrent – Requires no cryptography – Works seamlessly with existing Bit. Torrent protocol – Provides “plausible deniability” for tracker lists – Offers tunable level of anonymity • Future work – Continue to study traffic analysis attacks – Continue to quantify the level of anonymity provided by systems like Crowds/Bit. Blender: Lightweight Anonymity for Bit. Torrent 26

The End Bit. Blender: Lightweight Anonymity for Bit. Torrent 27

Backup Slides Bit. Blender: Lightweight Anonymity for Bit. Torrent 28

Traffic Analysis Attacks • Now suppose the adversary participates in the protocol Repeated piece requests: Robert R I want piece #23 Robert is sharing a relay the file peer Time t elapses… Mallory Solution: 1. Normal peers can issue repeated piece requests (Same idea as cover traffic) 2. Relay peers can also cache pieces to avoid repeats Bit. Blender: Lightweight Anonymity for Bit. Torrent 29

Traffic Analysis Attacks (2) • Predecessor attack – An intermediate node uses information (timing) to determine if the previous node is initiator or relay Time T Alice I want piece #23 T, T’ – time elapsed from request to response Mallory. Here’s piece #23 Time T’ Robert I want piece #23 R Here’s piece #23 If T << T’, then adversary can reasonably assume that Robert is a relay Mallory Bit. Blender: Lightweight Anonymity for Bit. Torrent 30

Expected Path Length Details Expected path length E[l] is defined as an infinite geometric sequence where: r = # relay / # total Examples: r = 0. 25, E[l] = 1. 33 r = 0. 50, E[l] = 2. 00 r = 0. 75, E[l] = 4. 00 Bit. Blender: Lightweight Anonymity for Bit. Torrent 31