VeraSel: Verifiable Random Selection for Mixnets Construction

The security and performance of Mixnets depends on the trustworthiness of the Mixnodes in the network. The challenge is to limit the adversary's influence on which Mixnodes operate in the network. A trusted party (such as the Mixnet operator) may ensure this, however, it is a single point of failure in the event of corruption or coercion. Therefore, we study the problem of how to select a subset of Mixnodes in a distributed way for Mixnet construction. We present VeraSel, a scheme that enables Mixnodes to be chosen according to their weights in a distributed, unbiased, and verifiable fashion using Verifiable Random Functions (VRFs). It is shown that VeraSel enables any party to learn and verify which nodes has been selected based on the commitments and proofs generated by each Mixnode with VRF

Stopping Silent Sneaks: Defending against Malicious Mixes with Topological Engineering

Mixnets provide strong meta-data privacy and recent academic research and industrial projects have made strides in making them more secure, performance, and scalable. In this paper, we focus our work on stratified Mixnets -- a popular design with real-world adoption -- and identify that there still exist heretofore inadequately explored practical aspects such as: relay sampling and topology placement, network churn, and risks due to real-world usage patterns. We show that, due to the lack of incorporating these aspects, Mixnets of this type are far more susceptible to user deanonymization than expected. In order to reason and resolve these issues, we model Mixnets as a three-stage ``Sample-Placement-Forward'' pipeline, and using the results of our evaluation propose a novel Mixnet design, Bow-Tie. Bow-Tie mitigates user deanonymization through a novel adaption of Tor's guard design with an engineered guard layer and client guard-logic for stratified mixnets. We show that Bow-Tie has significantly higher user anonymity in the dynamic setting, where the Mixnet is used over a period of time, and is no worse in the static setting, where the user only sends a single message. We show the necessity of both the guard layer and client guard-logic in tandem as well as their individual effect when incorporated into other reference designs. Ultimately, Bow-Tie is a significant step towards addressing the gap between the design of Mixnets and practical deployment and wider adoption because it directly addresses real-world user and Mixnet operator concerns

Diversity and traffic confirmation in the Tor network

The Internet is an invaluable invention, yet it does not offer privacy to its users by default. Research in privacy-preserving communication has offered different designs to overcome this issue, with various security and performance properties. The Tor network is the most popular distributed, and volunteer-based deployed system, offering anonymous paths through the Internet to millions of people seeking online privacy while browsing the web, or using other Internet services. The Tor network provides some level of diversity to the users, which aims at minimizing the probability for an attacker to observe the paths taken through the network. Free and open-source, the Tor Project encourages audit and improvements coming from academic research. This thesis contributes to the Tor Project, and the privacy enhancing technologies community, with innovative proposals to improve the network diversity against some adversary, which aims at increasing the anonymity. Our proposals face the primary constraint to maintain the performance the Tor network currently provides. This thesis starts with a study of low-latency anonymous networks weaknesses and ends up to discover a new one. Our work features low-cost and efficient attacks to deanonymize Tor users and onion services based on a flexibility property of the routing protocol, called forward compatibility. Like any distributed system, the Tor network can be composed of relays with different versions. Forward compatibility prevents clients or relays from generating unrecoverable errors with other peers running forward versions of the protocol. We argue that preventing attacks exploiting forward compatibility would require changes within the routing protocol that would be difficult to set up, and would require further research if forward compatibility has to be maintained. To increase the diversity of the network, we explore the innermost feature to provide anonymity, namely the path selection algorithm, and show with light and local modifications of the current path selection how to achieve more diversity within the distribution of paths while maintaining a similar level of performance for Tor users. Furthermore, this part of the thesis offers a worst-case evaluation entropy metrics to assess the level of security of the network against some adversary, at a static point in time. This metric measures some notion of the network diversity, with the expectation on the number of relays that the adversary needs to compromise to deanonymize any Tor user. The final part of this thesis takes a more ambitious research direction to increase the Tor network diversity. We design and implement a new set of payment protocols to incentive relay participation through monetary retributions. Our design offers a secure, anonymous and efficient payment system including a tax system allowing the Tor Project to collect a fraction of each payment and to redistribute it to favor any diversity notion. Our approach leverages the latest advances in cryptocurrency research toward a design that is directly integrated into the existing Tor architecture and covers economic policies, novel payment algorithms, and networking implementations.(FSA - Sciences de l'ingénieur) -- UCL, 201

Dropping on the Edge: Flexibility and Traffic Confirmation in Onion Routing Protocols

The design of Tor includes a feature that is common to most distributed systems: the protocol is flexible. In particular, the Tor protocol requires nodes to ignore messages that are not understood, in order to guarantee the compatibility with future protocol versions. This paper shows how to exploit this flexibility by proposing two new active attacks: one against onion services and the other against Tor clients.Our attack against onion services is a new low-cost side-channel guard discovery attack that makes it possible to retrieve the entry node used by an onion service in one day, without injecting any relay in the network. This attack uses the possibility to send dummy cells that are silently dropped by onion services, in accordance with the flexible protocol design, and the possibility to ob-serve those cells by inspecting public bandwidth measurements, which act as a side channel.Our attack against Tor clients, called the dropmark attack, is an efficient 1-bit conveying active attack that correlates flows. Simulations performed in Shadow show that the attack succeeds with an overwhelming prob-ability and with no noticeable impact on user performance. Finally, we open the discussion regarding a trade-off be-tween flexibility and security in anonymous communication systems, based on what we learned within the scope of our attacks

Waterfilling: Balancing the Tor network with maximum diversity

We present the Waterfilling circuit selection method, which we designed in order to mitigate the risks of a successful end-to-end traffic correlation attack. Waterfilling proceeds by balancing the Tor network load as evenly as possible on endpoints of user paths. We simulate the use of Waterfilling thanks to the TorPS and Shadow tools. Applying several security metrics, we show that the adoption of Waterfilling considerably increases the number of nodes that an adversary needs to control in order to be able to mount a successful attack, while somewhat decreasing the minimum amount of bandwidth required to do so. Moreover, we evaluate Waterfilling in Shadow and show that it does not impact significantly the performance of the network. Furthermore, Waterfilling reduces the benefits that an attacker could obtain by hacking into a top bandwidth Tor relay, hence limiting the risks raised by such relays. Waterfilling does not require any major change in Tor, and can co-exist with the current circuit selection algorithm