University of Colorado, Boulder
CU Scholar
Computer Science Graduate Theses & Dissertations
Computer Science
Spring 1-1-2011

Improving Security and Performance in Low Latency Anonymous Networks
Kevin Scott Bauer, University of Colorado at Boulder, [email protected]

Follow this and additional works at: http://scholar.colorado.edu/csci_gradetds
Part of the Information Security Commons

Recommended Citation
Bauer, Kevin Scott, "Improving Security and Performance in Low Latency Anonymous Networks" (2011). Computer Science Graduate Theses & Dissertations. Paper 21.

This Dissertation is brought to you for free and open access by Computer Science at CU Scholar. It has been accepted for inclusion in Computer Science Graduate Theses & Dissertations by an authorized administrator of CU Scholar. For more information, please contact [email protected].

Improving Security and Performance in Low Latency Anonymous Networks
by Kevin Scott Bauer
B.S., University of Denver, 2005

A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirements for the degree of Doctor of Philosophy, Department of Computer Science, 2011

This thesis entitled "Improving Security and Performance in Low Latency Anonymous Networks", written by Kevin Scott Bauer, has been approved for the Department of Computer Science by:

Prof. Dirk Grunwald
Prof. Douglas Sicker
Prof. Shivakant Mishra
Prof. Nikita Borisov
Prof. Stefan Savage
Date

The final copy of this thesis has been examined by the signatories, and we find that both the content and the form meet acceptable presentation standards of scholarly work in the above mentioned discipline.

Bauer, Kevin Scott (Ph.D., Computer Science)
Improving Security and Performance in Low Latency Anonymous Networks
Thesis directed by Co-Chairs Prof. Dirk Grunwald and Prof. Douglas Sicker

Abstract

Conventional wisdom dictates that the level of anonymity offered by low latency anonymity networks increases as the user base grows. However, the most significant obstacle to increased adoption of such systems is that their security and performance properties are perceived to be weak. In an effort to help foster adoption, this dissertation aims to better understand and improve security, anonymity, and performance in low latency anonymous communication systems.

To better understand the security and performance properties of a popular low latency anonymity network, we characterize Tor, focusing on its application protocol distribution, geopolitical client and router distributions, and performance. For instance, we observe that peer-to-peer file sharing protocols use an unfair portion of the network's scarce bandwidth. To reduce the congestion produced by bulk downloaders in networks such as Tor, we design, implement, and analyze an anonymizing network tailored specifically for the BitTorrent peer-to-peer file sharing protocol.

We next analyze Tor's security and anonymity properties and empirically show that Tor is vulnerable to practical end-to-end traffic correlation attacks launched by relatively weak adversaries that inflate their bandwidth claims to attract traffic and thereby compromise key positions on clients' paths. We also explore the security and performance trade-offs that revolve around path length design decisions and we show that shorter paths offer performance benefits and provide increased resilience to certain attacks.

Finally, we discover a source of performance degradation in Tor that results from poor congestion and flow control. To improve Tor's performance and grow its user base, we offer a fresh approach to congestion and flow control inspired by techniques from IP and ATM networks.

Dedication

To my parents.

Acknowledgements

This thesis is the culmination of over five years of work and I wish to thank the many people who have made invaluable contributions both to this thesis and to my professional development as a researcher.

First, I thank my academic advisers, Dirk Grunwald and Doug Sicker, without whose encouragement and support this work would not have been possible. Second, I thank my thesis committee, Nikita Borisov, Shiv Mishra, and Stefan Savage, for their invaluable comments and suggestions.

I would also like to thank the many research collaborators and co-authors for their contributions to this thesis and to my professional development. I am particularly thankful to J. Trent Adams, Mark Allman, Mashael AlSabah, Eric Anderson, Aaron Beach, Markus Breitenbach, Nikita Borisov, Anders Drachen, Ian Goldberg, Harold Gonzales, Ben Greenstein, Greg Grudic, Dirk Grunwald, Asa Hardcastle, Joshua Juen, Yoshi Kohno, Hyunyoung Lee, Janne Lindqvist, Qin (Christine) Lv, Damon McCoy, Sears Merritt, Vern Paxson, Caleb Phillips, Stefan Savage, Micah Sherr, Doug Sicker, Robin Sommer, Parisa Tabriz, Rob Veitch, Geoff Voelker, and Gary Yee. In addition, I am grateful to Nikita Borisov, Roger Dingledine, Paul Syverson, and countless anonymous reviewers for offering helpful and constructive comments and suggestions that improved the quality of various parts of this thesis. I also especially thank Roger Dingledine for his two visits to UCSD in August and December 2010, during which time he offered invaluable expert guidance through Tor's various layers of congestion control and flow control.

I would like to especially acknowledge J. Trent Adams at The Internet Society and Tom Lookabaugh formerly at PolyCipher for their generous financial support that, in part, made this research possible. In addition, I thank Stefan Savage, Geoff Voelker, and Damon McCoy for sponsoring my brief stint as research staff at UCSD from August–December 2010, during which time part of this thesis was completed.
Lastly, I thank Vern Paxson for sponsoring my research visit to the International Computer Science Institute's Center for Internet Research (ICSI/ICIR) in Berkeley, CA during summer 2010, where I became fully immersed in the challenges of large-scale Internet measurement and network-based intrusion detection.

If I've learned anything in graduate school, I learned that research is a social activity. This thesis contains text, figures, tables, data, and ideas drawn from the following jointly authored papers: [49,54–56,60–63,158,159].

Finally, and most importantly, I thank my family for encouraging me to follow my dreams and for providing the emotional and financial support that enabled me to complete my education. Of course I would be remiss if I neglected to thank my furry friends Snoopy, Bridget, and Murphy (one canine, two felines) for not excessively peeing and pooping on the carpet or otherwise trashing our apartment while I worked many long nights to finish this thesis. Lastly, I thank Catherine, my friend and partner in life, for her love and support that makes everything I do worthwhile.

Contents

Chapter

1 Introduction  1
  1.1 Need for Privacy Enhancing Technologies  2
  1.2 Better Performance Leads to Better Anonymity  3
  1.3 Problem Statement  4
  1.4 Fundamental Contributions  4
  1.5 Dissertation Outline  6

2 Background and Related Work  7
  2.1 Preliminaries and Definitions  8
  2.2 Anonymity Techniques  12
    2.2.1 High Latency Anonymity  13
    2.2.2 Low Latency Anonymity  17
  2.3 Anonymity Systems  22
    2.3.1 Crowds  23
    2.3.2 Tarzan  24
    2.3.3 Tor  25
    2.3.4 IPpriv  32
    2.3.5 UDP-OR  33
    2.3.6 Freedom  34
    2.3.7 HerbivoreFS  34
    2.3.8 Anonymous Remailers  35
    2.3.9 P5  36
    2.3.10 Nonesuch  37
    2.3.11 AP3  37
    2.3.12 Cashmere  37
    2.3.13 Salsa  38
    2.3.14 Java Anonymous Proxy (JAP)  38
    2.3.15 Freenet  38
    2.3.16 Privacy-preserving File Sharing Protocols  39
  2.4 Anonymity Metrics  39
    2.4.1 Degrees of Anonymity  40
    2.4.2 An Information-theoretic Approach  41
    2.4.3 Metrics for Low-latency Systems  42
  2.5 Anonymity Attacks  44
    2.5.1 Traffic Analysis with Packet Sizes and Timing  44
    2.5.2 Packet Counting and Timing Analysis Attacks  44
    2.5.3 Predecessor Attack  46
    2.5.4 Disclosure, Intersection, and Statistical Disclosure Attacks  46
    2.5.5 Onion Routing Attacks  47
  2.6 Summary  49

3 Characterizing a Popular Low Latency Anonymous Network  50
  3.1 Data Collection Methodology  51
  3.2 Protocol Distribution  53
    3.2.1 Interactive vs. Non-interactive Web Traffic  54
    3.2.2 Is Non-interactive Traffic Hurting Performance?  54
    3.2.3 Insecure Protocols  55
  3.3 Malicious Router Behavior  56
    3.3.1 Detection Methodology  56
    3.3.2 Results  57
    3.3.3 Discussion  58
  3.4 Misbehaving Clients  59
  3.5 Geopolitical Client and Router Distributions  59
    3.5.1 Observations  60
    3.5.2 Modeling Router Utilization  64
  3.6 Circuit-level Performance Measurements  64
    3.6.1 Diurnal Patterns in Traffic Load  65
    3.6.2 End-to-end Latency  67
    3.6.3 End-to-end Throughput  69
    3.6.4 Circuit Duration  70
    3.6.5 Circuit Capacity  72
    3.6.6 Discussion  76
  3.7 Ethics and Community Standards  76
  3.8 Broader Impact  78
  3.9 Summary  79

4 Practical Attacks against Low Latency Anonymous Networks  80
  4.1 Background  83
    4.1.1 Tor's Router Selection Algorithms  83
    4.1.2 Tor's Threat Model  85
  4.2 Compromising Anonymity  85
    4.2.1 Phase One: Setting Up  86
    4.2.2 Phase Two: Linking Circuits  87