7 research outputs found
Evaluation of Anonymized ONS Queries
Electronic Product Code (EPC) is the basis of a pervasive infrastructure for
the automatic identification of objects on supply chain applications (e.g.,
pharmaceutical or military applications). This infrastructure relies on the use
of the (1) Radio Frequency Identification (RFID) technology to tag objects in
motion and (2) distributed services providing information about objects via the
Internet. A lookup service, called the Object Name Service (ONS) and based on
the use of the Domain Name System (DNS), can be publicly accessed by EPC
applications looking for information associated with tagged objects. Privacy
issues may affect corporate infrastructures based on EPC technologies if their
lookup service is not properly protected. A possible solution to mitigate these
issues is the use of online anonymity. We present an evaluation experiment that
compares the use of Tor (The second generation Onion Router) on a global
ONS/DNS setup, with respect to benefits, limitations, and latency.
Comment: 14 page
LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks
Payment channel networks are a promising approach to improve the scalability
of cryptocurrencies: they allow transactions to be performed in a peer-to-peer
fashion, along multi-hop routes in the network, without requiring consensus on
the blockchain. However, during the discovery of cost-efficient routes for the
transaction, critical information may be revealed about the transacting
entities.
This paper initiates the study of privacy-preserving route discovery
mechanisms for payment channel networks. In particular, we present LightPIR, an
approach which allows a source to efficiently discover a shortest path to its
destination without revealing any information about the endpoints of the
transaction. The two main observations which allow for an efficient solution in
LightPIR are that: (1) surprisingly, hub labelling algorithms - which were
developed to preprocess "street network like" graphs so one can later
efficiently compute shortest paths - also work well for the graphs underlying
payment channel networks, and that (2) hub labelling algorithms can be directly
combined with private information retrieval.
LightPIR relies on a simple hub labeling heuristic on top of existing hub
labeling algorithms which leverages the specific topological features of
cryptocurrency networks to further minimize storage and bandwidth overheads. In
a case study considering the Lightning network, we show that our approach is an
order of magnitude more efficient compared to a privacy-preserving baseline
based on using private information retrieval on a database that stores all
pairs shortest paths.
PDoT: Private DNS-over-TLS with TEE Support
Security and privacy of the Internet Domain Name System (DNS) have been
longstanding concerns. Recently, there is a trend to protect DNS traffic using
Transport Layer Security (TLS). However, at least two major issues remain: (1)
how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible
manner; and (2) how can clients trust endpoints to behave as expected? In this
paper, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT
includes a DNS Recursive Resolver (RecRes) that operates within a Trusted
Execution Environment (TEE). Using Remote Attestation, DNS clients can
authenticate, and receive strong assurance of trustworthiness of PDoT RecRes.
We provide an open-source proof-of-concept implementation of PDoT and use it to
experimentally demonstrate that its latency and throughput match those of the
popular Unbound DNS-over-TLS resolver.
Comment: To appear: ACSAC 201
Assessing the Privacy Benefits of Domain Name Encryption
As Internet users have become more savvy about the potential for their
Internet communication to be observed, the use of network traffic encryption
technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is
enabled, users leak information about the domains they visit via DNS queries
and via the Server Name Indication (SNI) extension of TLS. Two recent proposals
to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI
(ESNI). In this paper we aim to assess the privacy benefits of these proposals
by considering the relationship between hostnames and IP addresses, the latter
of which are still exposed. We perform DNS queries from nine vantage points
around the globe to characterize this relationship. We quantify the privacy
gain offered by ESNI for different hosting and CDN providers using two
different metrics, the k-anonymity degree due to co-hosting and the dynamics of
IP address changes. We find that 20% of the domains studied will not gain any
privacy benefit since they have a one-to-one mapping between their hostname and
IP address. On the other hand, 30% will gain a significant privacy benefit with
a k value greater than 100, since these domains are co-hosted with more than
100 other domains. Domains whose visitors' privacy will meaningfully improve
are far less popular, while for popular domains the benefit is not significant.
Analyzing the dynamics of IP addresses of long-lived domains, we find that only
7.7% of them change their hosting IP addresses on a daily basis. We conclude by
discussing potential approaches for website owners and hosting/CDN providers
for maximizing the privacy benefits of ESNI.
Comment: In Proceedings of the 15th ACM Asia Conference on Computer and
Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwa