2. Types of Anonymity
Pseudonymity
– Susceptible to subpoenas
Sender
– Receiver / observer can’t
identify sender
Receiver
– Observer can’t identify receiver
Sender-receiver
– Observer can’t identify that
communication has been sent
3. Uses of Anonymity
Positive
Free speech for political claims as well as non-political
comments
engage in whistle-blowing
conduct commercial transactions
freedom from detection, retribution, and embarrassment
New York Times Co. vs. Sullivan, 1964
"an author's decision to remain anonymous...is an aspect
of the freedom of speech protected by the First
Amendment"
4. Uses of Anonymity
Negative
Spam
DoS -
Illegal activity – anonymous bribery,
copyright infringement, harassment, financial
scams, disclosure of trade secrets
5. Assumptions
Weak attacker
– Eavesdrops on first and last hop
– Can introduce messages here
Strong attacker
– Eavesdrops on all links
– Can introduce messages anywhere
Attacker has finite time, computing power
Multiple users
6. Types of Attackers
Local eavesdropper
– Observes inbound and outbound messages on
user’s computer
Administrator
– Operator or group of operators of anonymizing
systems attempting to foil their own system
Remote attack
– Observation at the remote end by eavesdropper or
attack by the remote host
7. Attacks
Timing Attack, Volume Attack
– Watches shape of traffic instead of content
Flooding Attack
– With batch size n, attacker sends n-1 messages
Usage Pattern Attack
– Consistent usage patterns leads to predictability
8. Levels of Anonymity
Absolute
Privacy
Beyond
Suspicion
Probable
Innocence
Possible
Innocence
Exposed Provably
Exposed
•Beyond Suspicion
•Attacker can see evidence of a sent message, but the sender appears no
more likely to be the originator than any other potential sender in the system
•Probable Innocence
•The sender is more likely the originator than any other potential sender, but
there is equal likelihood the sender is not the originator
•Possible Innocence
•The sender appears more likely to be the originator than to not be the
originator, but there’s still a non-trivial probability that the originator is
someone else
10. Proxy Anonymizers
Use trusted centralized servers
Anonymous remailers - Helsingius
Anonymizer.com
Hides IP address - NAT
Users not anonymous to proxy server
Susceptible to traffic analysis
11. Mixes
Source routing chosen by user
Shuffles order of packets
Mix cascade consists of several mixes under
separate operators
Encrypted for each mix in the path
Processes packets in batches
Used to counter traffic analysis
12. Mixes
A1, C1(A3, C3(A2, C2(S, M, r2), r3), r1)
A3, C3(A2, C2(S, M, r2), r3)
A2, C2(S, M, r2)
S, M
Mix 1
Mix 4Mix 3
Mix 2
1.
2.
3.
4.
1.
2.
3.
4.
Ai = Next Hop Address
Ci = Message encrypted with public key of Mix i
S = Destination Host address
M = Original message
13. Mixes
Fine for non real-time (email)
Not sufficient for VoIP, video, web
Mix waits to accumulate inputs to process as
a batch (especially slow for low traffic)
14. Enhancements
Messages all the same length
Buffers messages until several can be sent at
once
Dummy messages inserted
– Between mixes
– Between mixes and user
Balance end to end throughput with anonymity
– Duration to wait for mixes to accumulate traffic
– Percentage of dummy traffic
15. P5
Decentralized
– Harder to attack
Allows choice of tradeoff between anonymity /
throughput
Encrypted with public key of each node in route
Nodes change packet order
Fixed message size
Users have broadcast map and route map
Noise packets counter statistical traffic analysis
16. User A
User B
User A can send an anonymous message to User B via group */0, 1/1, 111/3, etc
User A can route messages between 00/2 and 01/2
01/2 is a subset of */0 – more efficient but less anonymous
Hash of User’s public key provides choice of groups.
17. P5
Within a channel, P5
functions as a mix cascade
Between channels, P5
provides greater anonymity per
bandwidth
– For 8192 users, 1.5 Mbps provides 200Kbps with 40% loss
Resistant to Timing/Volume and DoS attacks
Susceptible to Flood Attack (Mob Attack)
– User’s channel is flooded, prompting him to reveal more of his
mask to gain efficiency, thereby reducing his anonymity
18. Conclusion
Costly to be anonymous (Use
Anonymous VPN Service)
– Tradeoff with throughput
Can not be completely anonymous anyway
– No protection from monitoring usage patterns
Aside from this, practical anonymity can be
achieved