Chapter 5 Comparison
5.2 Security
The security comparison is shown in Table 5.2.
                                              SurePath  Cashmere  Tarzan  Onion/TOR  AFATOR
Initiator anonymity                           Y         Y         Y       Y          Y
Responder anonymity                           Y         N         N       N          Y
Use different paths to do request & response  Y         Y         N       N          Y
Information leaking                           Receiver id & public
Key Infrastructure (PKI) and symmetric keys to protect data secrecy. Moreover, the third party they trust is the Certificate Authority (CA). Onion routing also trusts the onion routers to route the message.
AFATOR uses Fuzzy Identity-Based Encryption (Fuzzy IBE) for public and private key generation and for data encryption and decryption. Instead of a CA, AFATOR uses a PKG.
All the systems we mentioned achieve initiator anonymity by using a random routing path. Some of them, like SurePath and AFATOR, forward and return messages along different routing paths. The advantage of using different routing paths is to avoid traffic analysis. anonymity, the information leaking of AFATOR is less than SurePath and Cashmere.
In Cashmere, if one node with an m-bit identifier is compromised, the attacker obtains m public and private key pairs, one associated with each prefix. When the same happens in SurePath, the attacker can control N-1 shared keys, where N is the network size. In AFATOR, however, only one private key is revealed to the attacker in the same situation. Compared with the other systems, AFATOR gives the attacker less information about secret keys.
Souvik et al. [26] proposed an information-theoretic framework for analyzing leak of privacy in DHTs. With the same routing complexity, the analytical result shows that a ring-based DHT (CHORD) leaks the least information compared with the other DHTs, such as tree-based, hypercube-based, and hybrid-based DHTs.
A CHORD-like routing protocol with a ring-based DHT is used in AFATOR; however, both Cashmere and SurePath apply Pastry, a routing protocol with a hybrid-based DHT. As a result, AFATOR leaks less information than Cashmere and SurePath.
To provide sender and receiver anonymity, systems like Tarzan [13] and Cashmere [11] require the overlay nodes to have public-private keys obtained through a trusted authority; i.e., they require a public key infrastructure (PKI). A few systems (e.g., Crowds [14]) do not require PKI, but they expose the receiver and the message content.
5.3 Summary
It is commonly held that there is a tradeoff between performance and anonymity. The routing protocol that provides the best anonymity usually comes with associated performance costs.
Chapter 6 Analysis
6.1 Threat Model
The adversaries can do the following things:
a. compromise an existing node
b. observe packets destined to itself or its local network
c. collude and share information with others
d. follow the protocol and forward all the messages that pass through it
For each compromised node, the attacker obtains that node's private key and the error tolerant distance d. Therefore, the attacker may read ciphertext encrypted with a neighbor's public key if the two nodes are within the distance d. We apply the Byzantine failure model, which allows a compromised node to behave arbitrarily.
Eavesdropper
There are two kinds of eavesdropper. The first is a global eavesdropper, who can observe all the traffic of the network. Even if the messages are encrypted, he can still use timing attacks or statistical attacks to break anonymity by identifying the route from the initiator to the responder. But this is not realistic in an overlay network with thousands of nodes: because of the heavy churn in overlays, it is impossible to know the state of the whole network at any time. The other is a local eavesdropper, who can only observe packets destined to itself or its local network. He cannot get enough information to identify the real destination.
6.2 Anonymity Analysis
We analyze anonymity using three parameters: N (number of nodes in the network), f (fraction of malicious nodes in the network), and L (number of intermediate nodes in the routing path).
The routing path is generated by the initiator, a non-malicious node. Once the initiator has decided the path, it passes the message to the first intermediate node. Due to layered encryption, every intermediate node knows only the previous hop and the next hop. The attackers in the routing path act as intermediate nodes and try to guess which node is the initiator or the responder. Since the messages are encrypted, an attacker suspects that the previous node, which passed the message to it, is the initiator. We distinguish two cases to analyze the probability that this previous node is in fact the initiator. The notation f denotes the probability of choosing an attacker as an intermediate node. In contrast, the probability of choosing a non-attacker as an intermediate node is 1 - f.
Case I: 1st intermediate node is attacker
The attacker can guess its previous node is the initiator with probability of 1. The probability of case I is L
L i
Case II: 1st intermediate node is not attacker
The attacker suspects its previous node with probability of $\frac{1}{N(1-f)}$, where N(1 - f) represents the number of non-malicious nodes in the network. The probability of case II is L
L i
Thus, the probability that node x is the initiator shows as follows.
Figure 6.1 shows the probability that the attacker correctly guesses a node to be the initiator, for different path lengths and fractions of attackers. As f (the fraction of attackers) increases, the probability that a node is identified as the initiator increases.
The length of the routing path L also influences this probability: the more intermediate nodes the message passes through, the lower the probability of guessing right.
Figure 6.1 Probability to be Initiator
In a similar way, we can also analyze the probability that the next node after an intermediate node is in fact the responder.
6.3 Resilient to Node Failure
We use probability to analyze resilience and fault tolerance. The parameters are as follows.
$2^m$: id space;
N: number of nodes in the network, network size;
L: number of intermediate nodes in the path, the length of routing path;
d: error tolerant factor
Since the probability that each ID maps onto a node is $\frac{N}{2^m}$, a node maps onto a non-existing node with the probability of $1-\frac{N}{2^m}$. The number of nodes Z can help forwarding the message if any of them exists. The restriction is that the overlap of identities is larger than or equal to the error tolerant factor d. The estimation of Z lists as follows.
It is clear that Z is influenced by the value of error tolerant factor d. If all the Z nodes that can help forwarding do not exist, then the message would be failed to
1 . The routing path has L intermediate nodes to route through. If every intermediate node has at least one node that can help forwarding, then the message can be transferred successfully through the routing path.
Therefore, the probability of path success can be shown as:
Z L
means the length of routing path.
The probability that each ID maps onto a non-existing node decreases with increasing N. For every node, the probability of a successful forward increases as Z gets larger. However, the forwarding probability of the whole path decreases as the path length L grows. Therefore, the level of anonymity provided by AFATOR varies inversely with the successful forwarding probability of the routing path.
This is a tradeoff between efficiency and the level of anonymity.
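The following is an added example, not code from the thesis. It carries the reasoning of this section through numerically, assuming the Z candidate forwarders exist independently with probability N/2^m each, so that a hop succeeds with probability 1 - (1 - N/2^m)^Z and a path of L hops with that value raised to the power L. Z is taken as an input rather than computed from d, and all function names and sample parameters are hypothetical.

```python
import random

def p_id_occupied(n_nodes, m_bits):
    """Probability that one ID maps onto an existing node: N / 2^m."""
    return n_nodes / float(2 ** m_bits)

def p_hop_success(n_nodes, m_bits, z):
    """Probability that at least one of the Z candidate forwarders exists.
    Assumption: the Z candidates exist independently of each other."""
    p_missing = 1.0 - p_id_occupied(n_nodes, m_bits)
    return 1.0 - p_missing ** z

def p_path_success(n_nodes, m_bits, z, path_len):
    """Every one of the L intermediate hops must find a live forwarder."""
    return p_hop_success(n_nodes, m_bits, z) ** path_len

def min_z_for_target(n_nodes, m_bits, path_len, target, z_limit=100000):
    """Smallest Z whose path success reaches `target`, or None if none does."""
    for z in range(1, z_limit + 1):
        if p_path_success(n_nodes, m_bits, z, path_len) >= target:
            return z
    return None

def simulate_path_success(n_nodes, m_bits, z, path_len, trials=20000, seed=7):
    """Monte Carlo check of the closed form under the same assumption."""
    rng = random.Random(seed)
    p = p_id_occupied(n_nodes, m_bits)
    ok = 0
    for _ in range(trials):
        # A hop succeeds if any of its Z candidate IDs is occupied.
        if all(any(rng.random() < p for _ in range(z)) for _ in range(path_len)):
            ok += 1
    return ok / trials

if __name__ == "__main__":
    N, M = 1024, 12  # constructed sample parameters: 1024 nodes, 2^12 IDs
    for L in (3, 5, 8):
        for Z in (4, 8, 16):
            print("L=%d Z=%2d analytic=%.4f simulated=%.4f" % (
                L, Z, p_path_success(N, M, Z, L),
                simulate_path_success(N, M, Z, L)))
        print("L=%d needs Z >= %s for 90%% path success" % (
            L, min_z_for_target(N, M, L, 0.90)))
```

Longer paths need a larger Z to keep the same delivery probability, which is the efficiency versus anonymity tradeoff described above.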
Figure 6.2 presents the result of the forward probability with different error tolerant factors and network size. According to the system requirements, fault-tolerance can be tuned by error tolerant factor and the length of routing path.
Figure 6.2 Forward probability with various error tolerant factors
If the routing path fails with high probability, it has to be reconstructed frequently. After a large number of reconstructions, identifying the initiator participating in the path becomes much easier.
In AFATOR, the probability of routing path failure is very low because of the tunable error tolerant factor d. Therefore, we not only improve performance by reducing the path reconstruction time but also strengthen our robustness against degradation attacks [43].
6.4 Against Traffic Analysis
Since all the packets are encrypted in a layered manner from the last hop to the first hop with the hops' public keys, the incoming and outgoing packets of every intermediate node differ in packet headers, size, and patterns. The encryption makes the packets indistinguishable from data flows. Cover traffic, meaning fake messages sent from every node at random time intervals, prevents a global observer from using traffic analysis to identify the initiator.
But the adversary can still find some relationships between the incoming and outgoing packets of a node by using timing analysis.
6.5 Summary
The initiator can select the number of the intermediate nodes in the path and the value of the error tolerant factor to control tradeoffs between churn resilience, anonymity and overhead.
Chapter 7 Conclusion
Our routing protocol, AFATOR, provides anonymity against adversaries without proxies. We use layered encryption and random intermediaries to achieve anonymity.
We also achieve unlinkability between initiator and responder, without either being identified by adversaries. Every node in the path knows only the previous hop and the next hop. It is easy to recover the routing path without request re-transmission. By using Fuzzy Identity-Based Encryption (Fuzzy IBE) [4], a user can decrypt a ciphertext encrypted with another user's public key if and only if the two users are within a certain distance. Thus, any node can easily take over message forwarding if its neighbor node fails. Finally, AFATOR uses the smallest key storage and leaks less information about the responder.
Reference
[1] Eng Keong Lua, Jon Crowcroft, Marcelo Pias, Ravi Sharma and Steven Lim, “A Survey and Comparison of Peer-to-Peer Overlay Network Schemes,” IEEE Communications survey and tutorial, Mar. 2004.
[2] Yingwu Zhu and Yiming Hu, “SurePath: An Approach to Resilient Anonymous Routing,” International Journal of Network Security (IJNS), Mar. 2008.
[3] Paul F. Syverson, David M. Goldschlag, and Michael G. Reed, “Anonymous Connections and Onion Routing,” IEEE Journal on Selected Areas in Communication Special Issue, 1998.
[4] Sahai and B. Waters, “Fuzzy Identity-Based Encryption,” In Eurocrypt 2005, LNCS 3494, pp. 457-473, Springer-Verlag, 2005.
[5] Ion Stoica, Robert Morris, David Liben-Nowell, David R. Karger, M. Frans Kaashoek, Frank Dabek, and Hari Balakrishnan, “Chord: A Scalable Peer-to-peer Lookup Protocol for Internet Applications,” IEEE/ACM Transactions on Networking.
[6] Ben Y. Zhao, John Kubiatowicz, and Anthony D. Joseph, “Tapestry: An Infrastructure for Fault-tolerant Wide-area Location and Routing,” UC Berkeley, 2001.
[7] A. Rowstron and P. Druschel, “Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems,” In Middleware, November 2001.
[8] Ben Y. Zhao, Ling Huang, Jeremy Stribling, Anthony D. Joseph, and John D. Kubiatowicz, “Exploiting Routing Redundancy via Structured Peer-to-Peer Overlays,” ICNP, 2003.
[9] Adi Shamir, “Identity-Based Cryptosystems and Signature Schemes,” Advances in Cryptology, Lecture Notes in Computer Science, 1984.
[10] Dan Boneh, and Matthew Franklin, “Identity-based Encryption from the Weil pairing,” In J. Kilian, editor, Advances in Cryptology, Springer-Verlag, Lecture Notes in Computer Science, pp. 213-229, 2001.
[11] Li Zhuang, Feng Zhou, Ben Y. Zhao, and Antony Rowstron, “Cashmere: Resilient Anonymous Routing,” NSDI, 2005.
[12] Aameek Singh, Bugra Gedik, Ling Liu, “Agyaat: Mutual Anonymity over Structured P2P Networks,” In Emerald Internet Research Journal (Special Issue on Privacy and Anonymity in the Digital Era), Volume-16, Issue-2, 2006.
[13] Michael J. Freedman and Robert Morris, “Tarzan: a peer-to-peer anonymizing network layer,” ACM CCS, Nov. 2002.
[14] Michael K. Reiter and Aviel D. Rubin, “Crowds: anonymity for Web transactions,” ACM Transactions on Information and System Security, 1998.
[15] Nikita Borisov, and Jason Waddle, “Anonymity in Structured Peer-to-Peer Overlay Networks,” Technical report, UC Berkeley, May 2005.
[16] Michael Kinateder, Ralf Terdic, and Kurt Rothermel, “Strong pseudonymous communication for peer-to-peer reputation systems,” ACM symposium on Applied computing, Mar. 2005.
[17] Roger Dingledine, Nick Mathewson, and Paul Syverson, “Tor: The Second-Generation Onion Router,” USENIX Security Symposium, Aug. 2004.
[18] Giuseppe Ciaccio, “Recipient Anonymity in a Structured Overlay,” AICT-ICIW, Feb. 2006.
[19] M. Caesar, M. Castro, E. Nightingale, G. O'Shea and A. Rowstron, “Virtual Ring Routing: Network routing inspired by DHTs,” Sigcomm, Sep. 2006.
[20] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. Wallach, “Secure routing for structured peer-to-peer overlay networks,” In OSDI, December 2002.
[21] B. Ford, “Unmanaged Internet Protocol: Taming the edge network management crisis,” In HotNets II, November 2003.
[22] M. Choudary Gorantla, Raju Gangishetti, and Ashutosh Saxena, “A Survey on ID-Based Cryptographic Primitives,” Cryptology ePrint Archive: Report 2005/094. http://eprint.iacr.org/2005/094.
[23] J. Baek, W. Susilo and J. Zhou, “New Constructions of Fuzzy Identity-Based Encryption,” ASIACCS, Mar. 2007.
[24] Khanh V. Nguyen, “Simplifying Peer-to-Peer Device Authentication Using Identity-Based Cryptography,” ICNS 2006.
[25] Charles, “Information Leak in the Chord Lookup Protocol,” Peer-to-Peer Computing, 2004.
[26] Souvik Ray and Zhao Zhang, “An Information-Theoretic Framework for Analyzing Leak of Privacy in Distributed Hash Tables,” Peer-to-Peer Computing, Sept. 2007.
[27] Youn-Ho Lee, Heeyoul Kim, Byungchun Chung, Jaewon Lee and Hyunsoo Yoon, “On-demand Secure Routing Protocol for Ad Hoc Network using ID based Cryptosystem,” PDCAT, 2003.
[28] Song Hong, Yang Luming, Wang Weiping, and Duan Guihua, “A Delay Demand-based Anonymous Communication Mechanism,” Communications and Networking in China, Oct. 2006.
[29] Wei Ren, Yoohwan Kim, Ju-Yeon Jo, Mei Yang and Yingtao Jiang, “IdSRF: ID-based Secure Routing Framework for Wireless Ad-Hoc Networks,” ITNG, 2007.
[30] Gnutella (2002), available at: http://gnutella.wego.com/
[31] Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr, “Towards an analysis of onion routing security,” In Proc. of PET, July 2001.
[32] K. Bauer, D. McCoy, D. Grunwald, T. Kohno, and D. Sicker, “Low-resource routing attacks against anonymous systems,” Technical Report CU-CS-1025-07, University of Colorado at Boulder, Feb 2007.
[33] Geng Yang, Chunming Rong, Christian Veigner, Jiangtao Wang, Hongbing Cheng, “Identity-Based Key Agreement and Encryption for Wireless Sensor Networks,” IJCSNS, May 2006.
[34] Napster, available at http://www.napster.com/
[35] P. Maymounkov and D. Mazieres, “Kademlia: A Peer-to-Peer Information System Based on the XOR Metric,” Proc. IPTPS, Cambridge, MA, USA, Feb. 2002, pp. 53–65.
[36] I. Clarke et al., “Freenet: A Distributed Anonymous Information Storage and Retrieval System,” available at http://freenetproject.org/freenet.pdf, 1999.
[37] FastTrack Peer-to-Peer Technology Company, available at http://www.fasttrack.nu/, 2001.
[38] The Overnet File-sharing Network, available at http://www.overnet.com/, 2002.
[39] G. Ciaccio. The NEBLO homepage, available at http://www.disi.unige.it/project/neblo/.
[40] G. Ciaccio, “Improving sender anonymity in a structured overlay with imprecise routing,” In Proceedings of the Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, 2006.
[41] Matthew Pirretti, Patrick Traynor, Patrick McDaniel and Brent Waters, “Secure attribute-based systems,” In Proc. of the ACM conference on Computer and communications security, 2006.
[42] Bartolini, S. and Branovic, I. and Giorgi, R. and Martinelli, E., “A Performance Evaluation of ARM ISA Extension for Elliptic Curve Cryptography over Binary Finite Fields,” Computer Architecture and High Performance Computing, 2004.
[43] Wright, M., Adler, M., Levine, B. N., and Shields, C. “An analysis of the degradation of anonymous protocols,” In Proc. of NDSS (Feb 2002).
[44] Eberle, H. and Gura, N. and Shantz, S.C. and Gupta, V. and Rarick, L. and Sundaram, S., “A public-key cryptographic processor for RSA and ECC,” Application-Specific Systems, Architectures and Processors, 2004.