Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Onion Routing
David Goldschlag, Michael Reed,
and Paul Syverson
Center for High Assurance Computer
Systems
Naval Research Laboratory
Washington, D.C.
1
Who is Talking to Whom?
In a Public Network:
u Packet headers identify recipients
u Packet routes can be tracked
Public Network
Initiator Responder
Encryption does not hide routing information.
2
Traffic Analysis Reveals
Identities
Who is talking to whom may be
confidential or private:
u Who is searching a public database?
u Which companies are collaborating?
u Who are you talking to via e-mail?
u Where do you shop on-line?
3
Objective
Design an infrastructure that
u Makes traffic analysis hard
u Separates identification from routing
u Is reusable across many applications
4
Traffic Analysis
Focus on three components:
u Hide routing headers
u Complicate statistical inferences
u Balance load
5
Onion Routing: Network
Infrastructure
Anonymous connections are
u Routed through Chaum Mixes
u Multiplexed between Mixes
Onion Routers
Initiator Responder
6
Onion Routing: Proxy
Interface
Proxies interface between Applications
and the Network Infrastructure.
X Y Z
W Onion Routing
Proxies Responder
Initiator
The Basic Configuration: Sensitive sites
control Onion Routing Proxies (which also
function as intermediate
7
Onion Routers).
Applications
Many applications can use Proxies:
u Web browsing
u Remote login
u e-mail
u File transfer
8
Threat Model: Active and
Passive Attacks
u All traffic is visible
u All traffic can be modified
u Onion Routers may be compromised
u Compromised Onion Routers may
cooperate
u Timing coincidences
9
Using Onion Routing
Four Steps:
u Define the route
u Construct the anonymous connection
u Move data through the connection
u Destroy the anonymous connection
10
Defining the Route
The InitiatorÕs Proxy, W, makes an Onion:
(X Connect to Y, )
(Y Connect to Z, )
X Y Z
W Public Network
Initiator Responder
11
Constructing the
Anonymous Connection
The Onion moves between Onion
Routers.
W X Y Z
text text
text
W X Y Z
text text
text text
text
W X Y Z
text text
destroy destroy
W X Y Z
text text
15
Reply Onions
(Z Connect to Y, )
An InitiatorÕs Onion
Routing Proxy can (Y Connect to X, )
create a Reply (X Connect to W, )
Onion that defines
a route back to him.
text text
text
W X Y Z
text text
18
Vulnerabilities
Timing Coincidences:
u Do two parties often open new
connections at the same time?
u This is not detectable in communication
between two sensitive sites.
Traffic Analysis: Load Balancing
u Tradeoff between security and cost
u Is this feasible on the Internet?
19
Onion Routing Network
Configurations
The Basic Configuration
Hierarchical like the Internet
Customer--ISP Model
u User makes onions on his PC
u PC routes through ISPÕs onion router
Even the ISP cannot determine the PCÕs
destination.
20
Other Applications
IRC: Two parties make anonymous
connections to an IRC server, which
mates the two connections.
Neither party has to trust the other.
X Y C B
W A
IRC Server
21
Hide Location of Cellular Phones
To Make a Call:
u Phone makes anonymous
connection to billing station
through local base station.
u Phone identifies itself to
billing station which
completes the call.
To Call a Cellular Phone:
u Pagethe phone over a wide
region.
Billing Station
Side Benefit:
u Verylow standby power
consumption.
22
Private Location Tracking
Home station tracks location:
Active Badges u Active badge contacts
room sensor.
Competing Goals: u Room sensor queries
database for a reply onion
Track usersÕs location. over an anonymous
But, keep location connection.
information private. u Sensor contacts home
station using reply onion.
u Home station updates
database over an
anonymous connection.
23
Discussion
u Efficiency: Cryptographic overhead is
no worse than link encryption
between routers.
u Onion Routing Proxies must also be
intermediate Onion Routers.
24
Cryptographic Overhead
Along an (n+1)-Node route:
u Data is encrypted n times
u Data is decrypted n times
But, pre-crypting provides (for free):
u Link encryption
u End to end encryption
u Data hiding: the same data looks
different to each node
25
Related Work
ChaumÕs Mixes
Babel: Mixes for e-mail
Anonymous ISDN: Mixes in a local
ISDN switch
26
Conclusion
u To be effective, Onion Routing must
be widely used.
u Onion Routing supports a wide variety
of unmodified services using proxies.
u Anonymity is placed at the application
layer.
u The goal here is anonymous routing,
not anonymity.
27
References
http://www.itd.nrl.navy.mil/ITD/5540/
projects/onion-routing
28