116 research outputs found
Introducing Accountability to Anonymity Networks
Many anonymous communication (AC) networks rely on routing traffic through
proxy nodes to obfuscate the originator of the traffic. Without an
accountability mechanism, exit proxy nodes risk sanctions by law enforcement if
users commit illegal actions through the AC network. We present BackRef, a
generic mechanism for AC networks that provides practical repudiation for the
proxy nodes by tracing back the selected outbound traffic to the predecessor
node (but not in the forward direction) through a cryptographically verifiable
chain. It also provides an option for full (or partial) traceability back to
the entry node or even to the corresponding user when all intermediate nodes
are cooperating. Moreover, to maintain a good balance between anonymity and
accountability, the protocol incorporates whitelist directories at exit proxy
nodes. BackRef offers improved deployability over the related work, and
introduces a novel concept of pseudonymous signatures that may be of
independent interest.
We exemplify the utility of BackRef by integrating it into the onion routing
(OR) protocol, and examine its deployability by considering several
system-level aspects. We also present the security definitions for the BackRef
system (namely, anonymity, backward traceability, no forward traceability, and
no false accusation) and conduct a formal security analysis of the OR protocol
with BackRef using ProVerif, an automated cryptographic protocol verifier,
establishing the aforementioned security properties against a strong
adversarial model
Low-latency mix networks for anonymous communication
Every modern online application relies on the network layer to transfer information, which exposes the metadata associated with digital communication. These distinctive characteristics encapsulate equally meaningful information as the content of the communication itself and allow eavesdroppers to uniquely identify users and their activities. Hence, by exposing the IP addresses and by analyzing patterns of the network traffic, a malicious entity can deanonymize most online communications. While content confidentiality has made significant progress over the years, existing solutions for anonymous communication which protect the network metadata still have severe limitations, including centralization, limited security, poor scalability, and high-latency. As the importance of online privacy increases, the need to build low-latency communication systems with strong security guarantees becomes necessary. Therefore, in this thesis, we address the problem of building multi-purpose anonymous networks that protect communication privacy. To this end, we design a novel mix network Loopix, which guarantees communication unlinkability and supports applications with various latency and bandwidth constraints. Loopix offers better security properties than any existing solution for anonymous communications while at the same time being scalable and low-latency. Furthermore, we also explore the problem of active attacks and malicious infrastructure nodes, and propose a Miranda mechanism which allows to efficiently mitigate them. In the second part of this thesis, we show that mix networks may be used as a building block in the design of a private notification system, which enables fast and low-cost online notifications. Moreover, its privacy properties benefit from an increasing number of users, meaning that the system can scale to millions of clients at a lower cost than any alternative solution
Practical privacy enhancing technologies for mobile systems
Mobile computers and handheld devices can be used today to connect to services available on the Internet. One of the predominant technologies in this respect for wireless Internet connection is the IEEE 802.11 family of WLAN standards. In many countries, WLAN access can be considered ubiquitous; there is a hotspot available almost anywhere. Unfortunately, the convenience provided by wireless Internet access has many privacy tradeoffs that are not obvious to mobile computer users. In this thesis, we investigate the lack of privacy of mobile computer users, and propose practical enhancements to increase the privacy of these users.
We show how explicit information related to the users' identity leaks on all layers of the protocol stack. Even before an IP address is configured, the mobile computer may have already leaked their affiliation and other details to the local network as the WLAN interface openly broadcasts the networks that the user has visited. Free services that require authentication or provide personalization, such as online social networks, instant messengers, or web stores, all leak the user's identity. All this information, and much more, is available to a local passive observer using a mobile computer.
In addition to a systematic analysis of privacy leaks, we have proposed four complementary privacy protection mechanisms. The main design guidelines for the mechanisms have been deployability and the introduction of minimal changes to user experience. More specifically, we mitigate privacy problems introduced by the standard WLAN access point discovery by designing a privacy-preserving access-point discovery protocol, show how a mobility management protocol can be used to protect privacy, and how leaks on all layers of the stack can be reduced by network location awareness and protocol stack virtualization. These practical technologies can be used in designing a privacy-preserving mobile system or can be retrofitted to current systems
Quantitative Analysis of Information Leakage in Probabilistic and Nondeterministic Systems
This thesis addresses the foundational aspects of formal methods for
applications in security and in particular in anonymity. More concretely, we
develop frameworks for the specification of anonymity properties and propose
algorithms for their verification. Since in practice anonymity protocols always
leak some information, we focus on quantitative properties, which capture the
amount of information leaked by a protocol.
The main contribution of this thesis is cpCTL, the first temporal logic that
allows for the specification and verification of conditional probabilities
(which are the key ingredient of most anonymity properties). In addition, we
have considered several prominent definitions of information-leakage and
developed the first algorithms allowing us to compute (and even approximate)
the information leakage of anonymity protocols according to these definitions.
We have also studied a well-known problem in the specification and analysis of
distributed anonymity protocols, namely full-information scheduling. To
overcome this problem, we have proposed an alternative notion of scheduling and
adjusted accordingly several anonymity properties from the literature. Our last
major contribution is a debugging technique that helps on the detection of
flaws in security protocols.Comment: thesis, ISBN: 978-94-91211-74-
On Privacy Notions in Anonymous Communication
Many anonymous communication networks (ACNs) with different privacy goals
have been developed. However, there are no accepted formal definitions of
privacy and ACNs often define their goals and adversary models ad hoc. However,
for the understanding and comparison of different flavors of privacy, a common
foundation is needed. In this paper, we introduce an analysis framework for
ACNs that captures the notions and assumptions known from different analysis
frameworks. Therefore, we formalize privacy goals as notions and identify their
building blocks. For any pair of notions we prove whether one is strictly
stronger, and, if so, which. Hence, we are able to present a complete
hierarchy. Further, we show how to add practical assumptions, e.g. regarding
the protocol model or user corruption as options to our notions. This way, we
capture the notions and assumptions of, to the best of our knowledge, all
existing analytical frameworks for ACNs and are able to revise inconsistencies
between them. Thus, our new framework builds a common ground and allows for
sharper analysis, since new combinations of assumptions are possible and the
relations between the notions are known
Recommended from our members
Improving Security and Performance in Low Latency Anonymous Networks
Conventional wisdom dictates that the level of anonymity offered by low latency anonymity networks increases as the user base grows. However, the most significant obstacle to increased adoption of such systems is that their security and performance properties are perceived to be weak. In an effort to help foster adoption, this dissertation aims to better understand and improve security, anonymity, and performance in low latency anonymous communication systems.
To better understand the security and performance properties of a popular low latency anonymity network, we characterize Tor, focusing on its application protocol distribution, geopolitical client and router distributions, and performance. For instance, we observe that peer-to-peer file sharing protocols use an unfair portion of the networkâs scarce bandwidth. To reduce the congestion produced by bulk downloaders in networks such as Tor, we design, implement, and analyze an anonymizing network tailored specifically for the BitTorrent peer-to-peer file sharing protocol. We next analyze Torâs security and anonymity properties and empirically show that Tor is vulnerable to practical end-to-end traffic correlation attacks launched by relatively weak adversaries that inflate their bandwidth claims to attract traffic and thereby compromise key positions on clientsâ paths. We also explore the security and performance trade-offs that revolve around path length design decisions and we show that shorter paths offer performance benefits and provide increased resilience to certain attacks. Finally, we discover a source of performance degradation in Tor that results from poor congestion and flow control. To improve Torâs performance and grow its user base, we offer a fresh approach to congestion and flow control inspired by techniques from IP and ATM networks
- âŠ