Onion Routing.ppt

5,828 views

Published on

Onion Routing.ppt

  1. 1. Anonymous Routing in Wireless Networks: Onion Routing Priyanka Banerjee
  2. 2. Organization <ul><li>Introduction </li></ul><ul><li>Traffic Analysis overview </li></ul><ul><li>Onion Routing in Wired Networks </li></ul><ul><li>Onion Routing in Wireless Networks </li></ul><ul><li>conclusion </li></ul>
  3. 3. Introduction <ul><li>Types of Attackers on the web: </li></ul><ul><li>Active Attackers </li></ul><ul><li>Passive attackers </li></ul>
  4. 4. Traffic Analysis <ul><li>Intercept traffic </li></ul><ul><li>Capture packets </li></ul><ul><li>Analyze packets </li></ul><ul><li>Deduce useful information </li></ul>
  5. 5. <ul><li>Traffic analysis focuses on the headers, which contain meta data like source address, destination address, timing information etc </li></ul><ul><li>Hence even if the packet content is encrypted, Traffic analysis can reveal useful information </li></ul>
  6. 6. Importance of Traffic Analysis <ul><li>Although traffic analysis provides lower quality information, it is preferred over cryptanalysis because it is easier than breaking complex encrypted messages [2] </li></ul><ul><li>It is also cheaper because traffic data can be automatically collected and processed to provide a high degree of intelligence [2] </li></ul><ul><li>It is used for military purposes [2] and by various organizations to track unpleasant events over the internet </li></ul>
  7. 7. Onion Routing <ul><li>Onion routing is the the mechanism in which the sender (initiator) and the receiver (responder) nodes communicate with each other anonymously by means of some intermediate nodes called as onion routers </li></ul><ul><li>It relies on public key cryptoraphy </li></ul>
  8. 8. Infrastructure for Onion Routing <ul><li>Network Infrastructure </li></ul><ul><li>Proxy Interfaces </li></ul>
  9. 9. Steps in Onion Routing <ul><li>Defining a route </li></ul><ul><li>Constructing an anonymous connection </li></ul><ul><li>Moving data through an anonymous connection </li></ul><ul><li>Destroying the anonymous connection </li></ul>
  10. 10. Example <ul><li>Let onion routers 4, 3, and 5 be randomly selected by the onion proxy </li></ul>
  11. 11. <ul><li>The proxy encrypts the data with 5’s public key followed by 3 and then 4 </li></ul><ul><li>Thus an onion is created which looks like </li></ul><ul><li>E4pu (3’s IP address, E3pu ((5’s IP address, (E5pu (recipient’s IP address, data))))) </li></ul>
  12. 12. <ul><li>The proxy then sends the onion to the first onion router i.e. 4 </li></ul><ul><li>Onion router 4 peels the outer layer of the onion using its private key </li></ul><ul><li>It forwards the onion to 3 which now looks like E3pu ((5’s IP address, (E5pu (recipient’s IP address, data)))) </li></ul>
  13. 13. <ul><li>Onion router 3 peels the outer layer of the onion using its private key </li></ul><ul><li>It forwards the onion to 5 which now looks like (E5pu (recipient’s IP address, data)) </li></ul>
  14. 14. <ul><li>Onion router 5 now peels the outer layer of the onion using its private key </li></ul><ul><li>It finds plain data and the destination address and forwards it to the destination </li></ul>
  15. 15. Problems and solutions <ul><li>The size of the onion reduces as it nears the destination </li></ul><ul><li>Hence an attacker can infer details about the destination </li></ul><ul><li>To avoid this onions are padded at each onion router to maintain the size of the onion (Onions can be padded to same or different sizes ) </li></ul>
  16. 16. <ul><li>Every onion router has details of only its previous and next hop </li></ul><ul><li>So even if an onion router has been compromised the attacker can only get the encrypted onion .He will not be able to decrypt the onion without the private keys and hence will not infer any valuable information from it </li></ul>
  17. 17. <ul><li>Suppose an attacker records data going on between routers and is able to compromise a router at a later stage, to acquire private key and decrypt data. </li></ul><ul><li>This can be avoided by using a session key between communicating parties. </li></ul><ul><li>The session key is used to encrypt data and is valid only for the duration of the communication. </li></ul>
  18. 18. <ul><li>Packet delivery is not ensured </li></ul><ul><li>If an onion router fails on the way then the message will not reach the destination </li></ul>
  19. 19. <ul><li>It is susceptible to denial of service attacks. This can be done by forcing onion routers to do a large number of cryptographic operations by many sending packets to it. Eventually the router simply ends up doing cryptographic operations and is not able to forward packets </li></ul><ul><li>This can be mitigated using client puzzles. Here the onion proxy/router (i.e. the server) forces a requesting client to complete a puzzle before it allocates resources </li></ul><ul><li>But puzzle solving has an impact on the latency </li></ul>
  20. 20. Challenges in Wireless Networks <ul><li>In a wireless medium there is node mobility and lack of infrastructure. There is no central point governing the flow of traffic. </li></ul><ul><li>So nodes rely on intermediate nodes to relay their data. If intermediate nodes are compromised then onion routing fails </li></ul><ul><li>Also packets are broadcast into the network. Thus traffic analysis becomes easier and may go undetected </li></ul>
  21. 21. <ul><li>Lack of central management makes it susceptible to active attacks </li></ul><ul><li>It takes longer to construct paths due to the dynamic nature of the environment. </li></ul><ul><li>Key distribution for encrypting traffic is a challenge. </li></ul>
  22. 22. Wireless Anonymous Routing (WAR) <ul><li>It is based on onion routing and traffic mixing </li></ul><ul><li>Here the keys are distributed using a RadioGram </li></ul><ul><li>RadioGram object is like an onion which has layers of encryption around the data content </li></ul><ul><li>RadioGrams are broadcast into the network and the intended nodes along the route to the destination decrypt a layer at a time </li></ul>
  23. 23. <ul><li>The structure of a radiogram is as follows: </li></ul><ul><li>[tid] {[sk] [MIC] [^]} {[sk] [MIC] [^]} …. {[sk] [MIC] [^]} [content] [padding] </li></ul><ul><li>The information contained within the curly braces { } represent each layer of the onion </li></ul><ul><li>Transmitter ID i.e. tid: It uniquely defines a radiogram. It is a RSA public key. It is used to encrypt the session key. And the session key is then used to encrypt the rest of the fields </li></ul><ul><li>Session key i.e. sk: It is a symmetric key encrypted by the public key of the transmitter </li></ul>
  24. 24. <ul><li>MIC or Checksum: It is the pre-computed hash value of everything the onion skin wraps except the padding </li></ul><ul><li>Control Signals i.e. ^: It tells the receiver what has to be done with the received message. It also tells about the type of message and the padding </li></ul><ul><li>Content: This is the actual data that is being transmitted and can be interpreted only by the final destination </li></ul><ul><li>Padding: This is used just to maintain the size of the onion </li></ul>
  25. 25. Example <ul><li>[A.id] [B.sk] [B.MIC] [B.^] [C.sk] [C.MIC] [C.^] [content] [padding] </li></ul><ul><li>A generates the content [content]. </li></ul><ul><li>It then generates a random session key (16 byte) C.sk . </li></ul><ul><li>It sets the control signal C.^ appropriately i.e. type= MESSAGE and padding = k bits . </li></ul><ul><li>It prepends [C.^] to [ content] </li></ul><ul><li>It computes a 16 byte MIC over [C.sk] [C.^] [content] and calls it C.MIC. </li></ul><ul><li>It encrypts [C.MIC] [C.^] [content] under C.sk . </li></ul><ul><li>It encrypts C.sk using C’s public key and calls it C.sk’ . </li></ul><ul><li>It prepends [C.sk’] to [C.MIC] [C.^] [content] . </li></ul><ul><li>Append any padding if reqired. </li></ul><ul><li>It renames [C.sk’] [C.MIC] [C.^] [content] to [content] </li></ul><ul><li>It repeats the above steps for (all other intermediate nodes) B. </li></ul>
  26. 26. <ul><li>When the nodes within the transmission range of A receive the Radiogram they perform the following steps: </li></ul><ul><li>They strip A.id and save it </li></ul><ul><li>They strip B.MIC and save it. </li></ul><ul><li>They strip the encrypted B.sk’. </li></ul><ul><li>They try to decrypt B.sk’ to B.sk using their private key. (If it succeeds then they are the intended recipient else they simply drop the packet. Only B is able to decrypt B.sk’ as it was encrypted with his public key.) </li></ul><ul><li>B assumes that the message is for him and now uses B.sk to decrypt the remainder of the message i.e. [B.MIC] [B.^] [content] </li></ul><ul><li>B checks B.^ to determine where the padding begins and the other rules it is supposed to follow. </li></ul><ul><li>B computes B.MIC’ over [B.sk] [B.^] [content]. </li></ul><ul><li>It compares B.MIC’ to B.MIC. If they are equal B checks B.^ for further information. If they are unequal it implies that the packet has been altered and B drops it or logs it as required. </li></ul><ul><li>It then prepends his transmitter id and puts the packet which looks like [B.id] [C.sk] [C.MIC] [C.^] [content] [padding] on the outgoing queue and broadcasts it. </li></ul><ul><li>Again all the nodes in B’s range perform the above steps. But only C is able to decrypt the message and read it. </li></ul>
  27. 27. Drawbacks of WAR <ul><li>Key distribution is a problem </li></ul><ul><li>Time taken for a packet to be delivered to a destination is long because of RSA encryption and decryption. This algorithm relies on public key cryptography </li></ul><ul><li>The sender needs to know the topology of the entire network as there is no route discovery </li></ul><ul><li>It does not ensure packet delivery because if an intermediate node on the destination path fails then the packet will never reach the destination </li></ul>
  28. 28. <ul><li>A node has to perform a certain number of decryptions just so that it can determine if it is the intended node on the route to the destination </li></ul><ul><li>It is susceptible to DDOS attacks because an attacker can send keep broadcasting packets and force the legitimate nodes on a route to do a large number of decryptions. Thus a valid packet may not be transmitted </li></ul>
  29. 29. Secure Distributed Anonymous Routing Protocol (SDAR) <ul><li>This protocol is also based on onion routing </li></ul><ul><li>It does not require the source node to know the entire network topology unlike the previous WAR protocol </li></ul><ul><li>It is divided into three phases: </li></ul><ul><li> Path discovery </li></ul><ul><li> Path reverse </li></ul><ul><li> Data Forward </li></ul>
  30. 30. <ul><li>Path discovery: </li></ul><ul><li>This allows the source node S to establish a path up to the destination using intermediate nodes. </li></ul><ul><li>The beauty of this phase is that none of the intermediate nodes can discover the identity of any of the participating nodes except its neighbors. </li></ul><ul><li>The source S creates a path discovery packet and broadcasts it. </li></ul>
  31. 31. <ul><li>Path reverse: </li></ul><ul><li>When the receiver receives the path discovery message it puts in the ids and session keys of all the intermediate nodes into one message </li></ul><ul><li>It encrypts this message again and again with the session keys of the intermediate nodes beginning from the last node. It then broadcasts the packet </li></ul><ul><li>Every node along the reverse path removes a layer of encryption and broadcasts the packet </li></ul><ul><li>So when the source receives the message it has the ids and keys of all the nodes on the path to the destination. It uses these keys to encrypt the data and broadcasts it </li></ul>
  32. 32. <ul><li>Data Transfer: </li></ul><ul><li>The source encrypts the data using the keys of the intermediate nodes and broadcasts it </li></ul><ul><li>Each node on the way decrypts a layer and forwards it </li></ul><ul><li>So when the message reaches the destination all the encryption layers have been peeled off and the receiver is able to read the message </li></ul>
  33. 33. Drawbacks of the SDAR protocol: <ul><li>There is no control over the route length since the path to the destination is a discovery process. Hence it may take a really long time for the actual data transfer to begin </li></ul><ul><li>If malicious nodes keep forwarding path discovery packet amongst each other then it may never reach the intended receiver </li></ul>
  34. 34. Advantages of the SDAR protocol: <ul><li>The source need not know the topology of the entire network since path discovery is a dynamic process </li></ul>
  35. 36. References: <ul><li>I] http:// en.wikipedia.org/wiki/Traffic_analysis </li></ul><ul><li>II] http://www.more.net/technical/netserv/troubleshooting/trafficanalysis.html </li></ul><ul><li>III] http:// tor.eff.org/overview.html.en </li></ul><ul><li>IV] http:// en.wikipedia.org/wiki/Onion_routing </li></ul><ul><li>1] Mary Elisabeth Gaup Moe. “Security Models for Anonymous Routing”. Norwegian University of Science and Technology. </li></ul><ul><li>2] George Danezis. “Introducing traffic Analysis- Attacks, Defenses and public Policy Issues”. Invited Talk. </li></ul><ul><li>3] Yih Chun Hu, Adrian Perrig. “ A Survey of Secure Wireless Ad Hoc Routing”. University of California- Berkeley, Carnegie Mellon University. </li></ul><ul><li>4] Adam Back, Ulf Moller, Anton Stiglic. “Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems”. Zero-knowledge Systems Inc. </li></ul><ul><li>5] Marc O’ Morain, Vladislav Titov, Wendy Verbuggen. “Onion Routing for Anonymous Communication”. </li></ul><ul><li>6] Michael G. Reed, Paul F. Syverson, David M. Goldschlag. “Proxies for anonymous Routing”. Naval Research Laboratory, Washington DC. </li></ul><ul><li>7] Nicholas A. Fraser, Richard A. Raines, Rusty O. Baldwin . “Tor: An Anonymous Routing Network for Covert On-line Operations.” Air Force Institute of Technology, Wright Patterson AFB. </li></ul><ul><li>8] Michael E. Locasto, Clayton Chen, Ajay Nambi. “WAR: Wireless Anonymous Routing” . Department of Computer Science, Columbia University. </li></ul><ul><li>9] Liu Yang, Markus Jacobson, Susanne Wetzel. “Discount Anonymous On Demand Routing for Mobile Ad hoc Networks”. </li></ul><ul><li>10] Azzedine Boukerche, Khalil El-Khatib, Li Xu, Larry Korba. “SDAR: A Secure Distributed Anonymous Routing Protocol”. University of Ottawa. </li></ul><ul><li>11] Dehn Sy, Rex Chen, Lichun Bao. “ODAR: On-Demand Anonymous Routing in Ad-Hoc Networks” . University of California. </li></ul><ul><li>12] Stefaan Seys, Bart Preneel. “ARM: Anonymous Routing Protocol for Mobile Ad hoc Networks” . Department of Electrical Engineering-ESAT, SCD/COSIC </li></ul>

×