
Chapter 2 Background

2.3 Summary

In Chapter 2, we give a brief introduction to and background on overlay networks and ID-based cryptosystems.


Chapter 3 Related Work

There is much research on anonymous systems, such as Crowds, Onion Routing, Tor, Tarzan, Cashmere, Agyaat, and SurePath. We give a brief introduction to their features, advantages, and disadvantages.

3.1 Crowds

Crowds [14] uses no public-key encryption, so any node on a circuit can read users’ traffic. It provides anonymity by routing messages through anonymous paths involving a randomly chosen sequence of nodes. The initiator sends the message to a randomly chosen node called a “jondo.” Upon receiving the message, each jondo randomly decides either to send the message to the responder or to forward it to another jondo (see Figure 3.1).

Figure 3.1 Crowds network

In such systems, each node is a mix and an anonymous path can follow any possible path through the system. However, the resulting anonymous paths are vulnerable to node failures: if a node on a tunnel is down, the request/reply message is not able to route through the tunnel to the destination. Consequently, node failures pose a functionality problem for anonymous paths.

3.2 Onion/Tor

Onion Routing [3] uses a static set of dedicated onion routers to redirect network traffic. Before sending a message, the sender selects a set of currently active routers to forward through. Session keys are distributed to the chosen routers during the setup phase. The sender creates an onion by encrypting the message with the public key for every router in the routing path.

To transfer a message, each onion router decrypts the outside layer with its private key. After that, it discovers the next hop and forwards the message. Every relay node knows only its previous and next hops.

Node churn (frequent node arrivals, departures, and failures) limits the scalability of Onion Routing.

Tor [17], the second generation of Onion Routing, is one of the most popular privacy enhancing systems. Its goal is to provide initiator anonymity and responder anonymity against non-global adversaries by using rendezvous points.

Tor proposes using a directory server to maintain router information but this approach is also limited in scalability. It has also been shown that if the first or last router is compromised in an Onion Routing network (see Figure 3.2), the source or destination is revealed [31].


Figure 3.2 Onion network

In their current implementations, none of these approaches allows client applications to choose routes that adhere to application-specific criteria. Routes are chosen using pre-defined immutable heuristics.

Recent work has shown that the Tor anonymity network is vulnerable to an attack in which eavesdroppers exploit this homogeneous routing policy by falsely advertising high-bandwidth links, drawing traffic towards mixes under their control [32].

3.3 Tarzan

Tarzan [13] provides anonymity with high resistance against traffic analysis by using layered encryption, multi-hop routing, cover traffic and a special mix selection protocol.

The source chooses a set of relays to act as a path and iteratively establishes a tunnel through these relays with symmetric keys between them. The creation of a tunnel incurs both significant computation overhead and delay. The source wraps the packets in several layers of encryption and sends them through the relay nodes. Each relay node strips off one layer and sends the packet to the next relay node. The exit point of the tunnel, a pseudonymous network address translator (PNAT), decrypts the last layer to extract the original packet, and operates as a network address translator (NAT). After translating the private address to one of the PNAT’s real addresses, the PNAT forwards the message to the Internet (see Figure 3.3). The response repeats the process in reverse.

Figure 3.3 Tarzan network

Since none of the peers on a tunnel know the whole path, an adversary cannot figure out communicating peers. But this design is still vulnerable if an adversary can observe traffic throughout the Internet.

Another vulnerability of Tarzan is its poor resilience to node failures. The message cannot reach the destination if any node on a tunnel fails. Consequently, node failures pose a functionality problem for anonymous paths. The tunnels are static and any relay failure requires formation of a new tunnel.

Although Tarzan provides a high level of sender and recipient anonymity, the sender still has to know the address of the recipient in order to communicate.

3.4 Agyaat

Agyaat [12] provides a compromise between anonymity and efficiency by means of a two-level hybrid organization in which the Chord structured overlay works together with the Gnutella unstructured system: Gnutella-like “clouds” are connected with one another by means of a Chord ring.

As shown in Figure 3.4, initiator S can flood its request to every peer in its cloud A. One of those peers takes the request out of the cloud, onto the main DHT ring. A normal DHT lookup takes over to locate the cloud to which the responding peer D belongs. At the responder’s end, some peers in the cloud of the responder get the request and then broadcast it in their cloud. After receiving the request, the responder peer replies by following a similar path back to the initiator’s cloud.

Figure 3.4 Agyaat network

A normal DHT maps a key onto a peer, but Agyaat maps a key onto a cloud, which links to the appropriate peer.

3.5 Cashmere

Cashmere [11], a resilient anonymous routing scheme on structured overlay networks, provides both source anonymity and unlinkability of source and destination.

Cashmere is designed to use prefix-based routing on a structured overlay network, such as Tapestry or Pastry. The routing path used in Cashmere is a set of distributed relay groups rather than a single node. There are k unique prefixes and public/private key pairs for each k-bit nodeID. Each relay group has an m-bit GID, where 1≦m≦k.

Layered encryption is applied along the routing path using the public/private key pair shared by all members of each relay group. Unless all the members of a relay group on the routing path fail, the routing path remains valid.

The source node can randomly order the relay groups to hide the destination relay group containing the destination node. All nodes in a relay group are capable of decrypting a message (only the forwarding path information) that was addressed to that relay group. When a node receives and decrypts the message, it sends the result to the next relay group and broadcasts the result to all the other members in its relay group.

The key benefit of Cashmere over traditional approaches is that it provides increased resilience to node failures and node churn, which generally degrade the performance of traditional anonymous routing protocols based on Chaum-Mixes.

Traditionally Chaum-Mixes based routing protocols achieve anonymity by relaying the traffic through a sequence of nodes, such that any two nodes, which are not adjacent to each other along the path, are unable to identify each other. Thus, if the relayed path contains more than two nodes, then there is no way the destination can identify the source. More specifically, no downstream node can identify the upstream nodes.


Figure 3.5 Cashmere network

3.6 SurePath

In SurePath [2], a node seeking initiator anonymity generates a small number of RSAs containing session keys, deploys the RSAs into the DHT overlay, forms an anonymous path using a subset of the deployed RSAs, and sends messages through the resulting anonymous path. Like a normal file, an RSA is stored on k nodes whose nodeIds are numerically closest to its associated rsetId. These k nodes are the replica set for the RSA and k is the replication factor. Leveraging the DHT routing infrastructure and data replication mechanism, SurePath is fault-tolerant to node failures. A malicious node can disclose the RSAs stored in its local storage to other colluding nodes, so that the malicious nodes can pool their RSAs to break the anonymity of other users.


Figure 3.6 SurePath network

The following are the advantages:

a) SurePath improves the resilience of anonymous routing in overlay networks.

b) Leveraging the DHT routing infrastructure and data replication mechanism, SurePath is fault-tolerant to node failures.

c) By carefully choosing the replication factor and tunnel length, SurePath can strike a balance between functionality and anonymity.

d) SurePath’s performance optimized tunnelling mechanism can greatly improve routing performance.

e) Users seeking anonymity must reform their tunnels periodically against colluding malicious nodes in dynamic P2P networks to reduce the risk of having their anonymity compromised.

The disadvantages are as follows:

a) SurePath lacks the ability to control future hops along a tunnel. It trades this ability for functionality.

b) The admission control problem in SurePath has not been addressed. In securing routing, the certified nodeIds could control the admission of peers, and we believe trust management could be used to control the admission and exclude malicious peers from the system. In addition, other incentive mechanisms could possibly be introduced to encourage nodes to protect others’ anonymity.

c) SurePath does not have a mechanism to detect compromised tunnels. It requires users to reform their tunnels periodically against colluding malicious nodes.

3.7 Summary

In Chapter 3, we describe several related works on anonymous network systems, including Crowds, Onion/Tor, Agyaat, Tarzan, Cashmere and SurePath.

Chapter 4 Proposed Scheme: AFATOR

There are three main phases in AFATOR:

• Phase1: Node Registration

In the first phase, the Private Key Generator (PKG) performs the Setup operation. When joining the network, every node must register with the PKG to get the system parameters and its private key.

• Phase2: Topology Formation

A Chord-like protocol is used to set up the network topology, including route discovery and routing table maintenance. It can route in both directions by using a routing table with several predecessors and successors.

• Phase3: Content Request

In the content request phase, we use layered encryption and random intermediaries to achieve anonymity. Every node in the path knows only the previous hop and the next hop.

We also apply a Fuzzy Identity-Based Encryption (Fuzzy-IBE) scheme to tolerate node failures in the routing path. By using Fuzzy-IBE, a user can decrypt a ciphertext encrypted with another user's public key if and only if the two users are within a certain distance. Thus, any node can easily take over message forwarding if its neighbor node fails.

We have investigated the use of different constructions [23] [41] for the Fuzzy IBE scheme. The new construction we use [23] is more efficient in both the extract and encryption operations.


4.1 Notation

First, we introduce the notation used in this protocol. The symbols and their interpretations are listed in Table 4.1.

Symbol        Description
S             Initiator
Ri            The intermediaries chosen from the initiator S
Ri’           The real existing node whose id is close to Ri
F             The file which initiator requests
D             The destination which stores the file F
IDX           Identities of X
SK            Secret key produced by S
PuKX, PrKX    Public key and private key for X
TB            Return path specified by S
Q             Query

Table 4.1 Notation


4.2 Primitives

We give a brief review of admissible bilinear pairing [10]. Let G1 and G2 be groups of the same prime order p. An admissible bilinear map, denoted by ê, has the following properties:

3. Efficiently computable: An efficient algorithm to compute ê(g, g) exists for any g ∈ G1.

Recall that we apply the Fuzzy IBE scheme so that a ciphertext created with identity w can be decrypted with a private key of identity w’ where | w∩w’ | ≧ d. Let G1 be a bilinear group of prime order p and let g be a generator of G1. Let the bilinear map be ê: G1 × G1 → G2.

The universe U is defined as {0*2^0, 1*2^0, …, 0*2^(n-1), 1*2^(n-1)}. Each identity is viewed as a set of attributes or bits, w = {wn, wn-1, …, w2, w1}. The identities of nodes are subsets of elements of the universe U. Each element is associated with a unique integer in U.

The Lagrange coefficient Δi,S(X) for i ∈ Zp and a set, S, of elements in Zp:


4.3 Node Registration

The Private Key Generator (PKG) first generates a group G1 of prime order q and constructs a bilinear map ê: G1 × G1 → G2, where G2 is a group of the same order q.

PKG picks a generator g of the group G1.

Second, PKG randomly picks g1 ∈ G1 and s ∈ Z*q and computes g2 = g^s. Then, PKG chooses a hash function H: Z*q → G1 and selects an error tolerance factor d. After that, PKG generates its master key <G1, G2, ê, g, q, H, g1, g2, s> and keeps it secret. PKG also generates the system parameters, which contain the error tolerance factor d, and publishes them to the registered nodes: <G1, G2, ê, g, q, H, g1, g2, d>.

Third, for any node that provides its ID (μ1, …, μn) to PKG, PKG picks a random polynomial p(.) of degree d-1 over Zq such that p(0) is equal to s. Then, PKG computes each private key component Dμi for i = 1, …, n:

$$D_{\mu_i} = (\gamma_{\mu_i}, \delta_{\mu_i}) = \left( (g_1 H(\mu_i))^{p(\mu_i)},\; g^{p(\mu_i)} \right).$$

As a result, the private key of identity ID is composed of n components as follows:

$$PrK_{ID} = \langle D_{\mu_1}, \ldots, D_{\mu_n} \rangle = \langle ((g_1 H(\mu_1))^{p(\mu_1)}, g^{p(\mu_1)}), \ldots, ((g_1 H(\mu_n))^{p(\mu_n)}, g^{p(\mu_n)}) \rangle$$

After finishing the computation, PKG returns the private key PrKID = (Dμ1, …, Dμn).

Figure 4.1 Procedure of key extraction

For example, node A can get its private key PrKA from PKG by providing its IDA. The procedure of key extraction is shown in Figure 4.1.

As you can see in Figure 4.2, for each of the attributes or bits associated with a user’s identity, PKG issues a private key component that is tied to the user’s random polynomial p(x). Every identity's polynomial is subject to the same restriction: its value at point 0 is the same, that is, p(0) = s.

The private keys of different users are generated from different random polynomials. No group of users should be able to combine their keys in such a way that they can decrypt a ciphertext that none of them could decrypt alone. That is, adversaries cannot combine their keys to form a new one for decrypting some other ciphertext.

Figure 4.2 Private key components
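
The error tolerance and the collusion resistance described above can be checked on the polynomial shares alone. The following is an added example, not code from the thesis: it works with the exponents p(μi) in Z_q rather than group elements (no pairing is computed, and recovering p(0) stands in for the Lagrange interpolation in the exponent that Fuzzy IBE decryption performs). The prime Q, the bit-to-attribute encoding in `attrs()` and the 8-bit sample identities are assumptions.

```python
import secrets

Q = 2**127 - 1   # prime standing in for the group order q (constructed value)

def attrs(ident, n):
    """Encode an n-bit ID as a set of unique non-zero integers, one per bit
    position and value (assumed encoding; 0 is avoided because p(0) = s)."""
    return {2 * i + ((ident >> i) & 1) + 1 for i in range(n)}

def extract(s, identity, d):
    """PKG: fresh random polynomial p of degree d-1 with p(0) = s; return the
    exponent p(mu) that would sit in each private key component D_mu."""
    coeffs = [s] + [secrets.randbelow(Q) for _ in range(d - 1)]
    def p(x):
        acc = 0
        for c in reversed(coeffs):            # Horner evaluation mod Q
            acc = (acc * x + c) % Q
        return acc
    return {mu: p(mu) for mu in identity}

def lagrange_at_zero(i, S):
    """Delta_{i,S}(0) = product over j in S, j != i, of (0 - j)/(i - j) mod Q."""
    num = den = 1
    for j in S:
        if j != i:
            num = (num * (-j)) % Q
            den = (den * (i - j)) % Q
    return num * pow(den, -1, Q) % Q

def recover(shares, target, d):
    """Interpolate p(0) from the shares whose attributes also occur in the
    target identity; None when fewer than d attributes overlap."""
    common = sorted(set(shares) & target)
    if len(common) < d:
        return None
    S = common[:d]
    return sum(shares[i] * lagrange_at_zero(i, S) for i in S) % Q

def demo():
    n, d = 8, 6                                   # ID length, error tolerance
    s = secrets.randbelow(Q)                      # master secret s
    target = attrs(0b10110100, n)                 # ID_Ri chosen by the initiator
    near = extract(s, attrs(0b10110111, n), d)    # Ri': 6 of 8 bits match
    col_a = extract(s, attrs(0b10111011, n), d)   # matches the high 4 bits only
    col_b = extract(s, attrs(0b01000100, n), d)   # matches the low 4 bits only
    pooled = {**col_a, **col_b}                   # colluders merge their keys
    return {
        "near": recover(near, target, d) == s,      # within distance: succeeds
        "a_alone": recover(col_a, target, d),       # too few common attributes
        "b_alone": recover(col_b, target, d),
        "pooled": recover(pooled, target, d) == s,  # mixed polynomials: fails
    }

if __name__ == "__main__":
    print(demo())
```

The pooled key covers all eight target attributes, yet interpolation fails because the shares lie on two different polynomials that agree only at 0.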


4.4 Topology Formation

AFATOR can be built over a structured overlay network, which provides a scalable routing substrate for building resilient, large-scale decentralized systems. The routing protocol used in such overlay substrate is similar to Chord [5], where every node is assigned a unique identifier from a large key space, and the routing between any two nodes typically contains O(logN) hops, where N is the total number of nodes.

A Chord-like protocol is used to set up the network topology, including route discovery and routing table maintenance.

Each node, acting as a proxy and router, stores information about only a small number of its neighbors. But the information generally is not enough to determine the node where the data is located. The information can be used by attackers to compromise the anonymity of storage nodes, i.e. recipient anonymity. Data is mapped onto a node by its identity. The data is assigned to the first node whose identifier is equal to or follows the identifier of the data. The distance between data and node is within d.

When a node joins the overlay network, it first finds a neighbor node and initializes its routing table. The newly joined node exchanges some information with its neighbors and updates the routing table. Each node maintains a neighbor set of m nodes (m/2 neighbors clockwise and m/2 neighbors counter-clockwise). Whenever a node wants to look up data, it can choose the clockwise or the counter-clockwise direction to route the message.

We give an example to show how to route a message through the Chord ring network. As you can see in Figure 4.3, N8 wants to route the request to the node which stores data 50 by checking its neighbor list. After finding the closest neighbor to data 50, N32, N8 routes the request through N32. When N32 receives the request, it checks its neighbors, finds the neighbor that is closest to data 50, and routes the message to that neighbor.

Figure 4.3 Network topology

If a node cannot find an active neighbor which acts as proxy to join the network, it creates a new ring after a timeout. The network can contain multiple rings.

The correctness of the Chord-like routing protocol relies on every node knowing the previous hop and the next hop. Nodes that are compromised or have failed will lead to incorrect lookups. In order to increase the robustness, it is important to pick a suitable m. This problem depends on Chord and is not discussed in this thesis.

It is easier to detect path failure by using soft state than hard state. Each node periodically broadcasts a hello message to see whether its neighbors are active. Without any response from a neighbor node, it can mark that neighbor as a failed node in the routing table. The node can remove the failed neighbor node from the routing table after a period without any messages. A hello message also indicates that its sender is active.


Figure 4.4 Failure detection in Chord-like protocol

As shown in Figure 4.4, N8 originally routes to N50 through N60. When N8 detects that N60 is not active, N8 chooses another neighbor, N1, to send the lookup message and marks N60 as a faulty node in the neighbor set. If N60 is still not active after a period, N8 removes N60 from the neighbor set. Otherwise, N8 clears the faulty mark of N60.

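
The soft-state bookkeeping and rerouting of Figure 4.4, as an added example that is not code from the thesis. The 64-slot identifier space, the two timeout values and the neighbors N14 and N21 are assumptions; N8, N1, N60 and key 50 follow the text.

```python
RING = 64            # assumed 6-bit identifier space, enough for N1..N60
HELLO_TIMEOUT = 3    # assumed: seconds of silence before marking faulty
EVICT_TIMEOUT = 10   # assumed: seconds of silence before removal

def ring_dist(a, b):
    """Shortest distance between two identifiers, going either way round."""
    d = (a - b) % RING
    return min(d, RING - d)

class NeighborTable:
    def __init__(self, node_id, neighbors, now=0):
        self.node_id = node_id
        self.last_seen = {n: now for n in neighbors}
        self.faulty = set()

    def on_hello(self, neighbor, now):
        """A hello proves liveness: refresh the timer and clear any mark."""
        if neighbor in self.last_seen:
            self.last_seen[neighbor] = now
            self.faulty.discard(neighbor)

    def tick(self, now):
        """Soft-state expiry: mark silent neighbors, evict long-silent ones."""
        for n, seen in list(self.last_seen.items()):
            if now - seen >= EVICT_TIMEOUT:
                del self.last_seen[n]
                self.faulty.discard(n)
            elif now - seen >= HELLO_TIMEOUT:
                self.faulty.add(n)

    def next_hop(self, key):
        """Closest non-faulty neighbor to the key, or None if all are down."""
        live = [n for n in self.last_seen if n not in self.faulty]
        return min(live, key=lambda n: ring_dist(n, key), default=None)

def scenario():
    t = NeighborTable(8, [60, 1, 14, 21])    # N8's neighbor set (constructed)
    hops = [t.next_hop(50)]                  # everyone alive: route via N60
    for n in (1, 14, 21):                    # N60 sends no hello
        t.on_hello(n, now=3)
    t.tick(now=3)
    hops.append(t.next_hop(50))              # N60 marked faulty: route via N1
    t.on_hello(60, now=4)                    # N60 answers again: mark cleared
    hops.append(t.next_hop(50))
    for n in (1, 14, 21):
        t.on_hello(n, now=12)
    t.tick(now=14)                           # N60 silent for 10 s: evicted
    return hops, sorted(t.last_seen), t.next_hop(50)

if __name__ == "__main__":
    print(scenario())
```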

4.5 Content Request

We use layered encryption and random intermediaries to achieve anonymity. Every node in the path knows only the previous hop and the next hop.

We separate this phase into two parts: the routing path formation and the routing path stripping process. The initiator can randomly choose the intermediate nodes and create a message onion by encrypting with the intermediate nodes’ public keys. The paths between the initiator and the intermediate nodes may pass through some other nodes in the network. When the intermediaries get the packets, they strip off the outside layer and then forward the message to the next hop. After receiving the request, the responder replies using the return path specified by the initiator.

Any node S that wants to request file F in the network can perform the following procedures: return path formation and forward path formation.

Figure 4.5 illustrates the flow diagram of return path formation. Following the flow diagram, S first generates fakeOnion and decides the length of the return path. After generating L random intermediate nodes (R1, …, RL), S does the encryption with fakeOnion, the system parameters, and the L random intermediate nodes R1, …, RL. Finally, the result is TB, which indicates the return path that the responder can follow.

Once S finishes the return path formation, S uses the result TB, the query Q, and the session key SK to do the forward path formation. Since the data is stored on the node whose identity is closest to the data identity, S uses the hash value of the data identity as the public key to encrypt the message <Q, TB, SK>. Therefore, the node that stores the data can decrypt the ciphertext due to the Fuzzy IBE scheme. After that, S decides the path length, generates node identities and encrypts the routing message (see Figure 4.6).


Figure 4.5 Return path formation

Figure 4.6 Forward path formation

The following equation presents the generation of the intermediate nodes’ identities in a formal way.

IDRj = hash(t, IDF, IDS)

A uniform collision-resistant hash function such as SHA-1 can be used. Time t and the identifier of file are added to avoid collision.

S encrypts the message M in a layered manner, from the last hop to the first hop in the routing path, with their public keys, which are the hash values of their identities.

To do the encryption operation with IDRi: (μ1, …, μn), S chooses a random value r ∈ Zp. Recall that the published parameters <G1, G2, ê, g, q, H, g1, g2, d> are given during the node registration. S generates CRi:

$$\langle ID_{R_i}, U, V_{\mu_1}, \ldots, V_{\mu_n}, W \rangle = \langle ID_{R_i}, g^r, H(\mu_1)^r, \ldots, H(\mu_n)^r, \hat{e}(g_1, g_2)^r M \rangle.$$

When any intermediate node (Ri’) receives the encrypted message, it can perform the routing path stripping process in Figure 4.7.

Figure 4.7 Routing path stripping process

Due to |IDRi ∩ IDRi’| ≧ d, Ri’ does the following steps to decrypt CRi which is