ETH Library

Secure High-Speed Anonymity Systems on Future Internet Architectures
Master Thesis

Author(s): Asoni, Daniele Enrico
Publication date: 2015
Permanent link: https://doi.org/10.3929/ethz-a-010540726
Rights / license: In Copyright - Non-Commercial Use Permitted

Daniele Enrico Asoni
April 13, 2015
Advisors: Dr. D. Barrera, Prof. Dr. A. Perrig
Department of Computer Science, ETH Zürich

Abstract

We design and evaluate HORNET, a protocol for anonymous communications that operates at the network level. HORNET allows endpoints to communicate anonymously as long as not all nodes on a path are compromised. The protocol uses asymmetric cryptography only for the setup, and symmetric cryptography for data forwarding, enabling low-latency anonymous communication suitable for real-time chat and video.

We evaluate the security of HORNET by analyzing possible attacks and showing the strengths and limits of the protocol in defending against them. We also evaluate HORNET's performance by implementing it and simulating the processing of data packets, and find that the overhead introduced by the protocol is typically under 2 ms, one tenth of the average network delay.

The current version of HORNET proves to be fast, scalable and secure, making it a well-suited protocol to be part of the next generation of Internet architectures.

Contents

1 Introduction
  1.1 Organization
2 Background
  2.1 Networking
    2.1.1 OSI Model
    2.1.2 Network Infrastructure
    2.1.3 Future Internet Architectures
  2.2 Cryptographic Tools
    2.2.1 Symmetric-Key Cryptographic Primitives
    2.2.2 Cryptographic Hash Functions
    2.2.3 Asymmetric Cryptography
3 Anonymous Communications
  3.1 Terminology
  3.2 Mix Networks
    3.2.1 Sphinx
  3.3 Onion Routing Networks
    3.3.1 Lightweight Anonymity for FIAs
4 HORNET: High-speed Onion Routing at the NETwork Layer
  4.1 Design objectives and assumptions
    4.1.1 Network Model
    4.1.2 Requirements for Performance and Scalability
    4.1.3 Threat Model
    4.1.4 Security Goals
  4.2 Protocol Design
    4.2.1 Overview
    4.2.2 Notation
    4.2.3 Forwarding Segment Collection and Distribution
    4.2.4 Session Setup Phase
    4.2.5 Data Transmission Phase
  4.3 Enhancements
    4.3.1 Session Re-establishment
    4.3.2 End-to-End Secure Channel
5 Analysis and Discussion
  5.1 Security Analysis
    5.1.1 Passive Attacks on Anonymity
    5.1.2 Active Attacks on Anonymity
    5.1.3 Forward Secrecy
    5.1.4 Protecting the Nodes: DDoS attacks
  5.2 Anonymous Path Retrieval
  5.3 Memory-Bandwidth Trade-off
  5.4 Composability with Other Protocols
6 Evaluation
  6.1 Implementation
    6.1.1 Interfaces and Modularity
    6.1.2 Notable Issues and Lessons Learned
  6.2 Initial Profiling
  6.3 Performance Measurements
    6.3.1 Experiment Design
    6.3.2 Payload Size and Maximum Path Length
    6.3.3 Performance Results
7 Conclusions
  7.1 Future work
Bibliography

Chapter 1
Introduction

Transparency is for those who carry out public duties and exercise public power. Privacy is for everyone else.
—Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State

Over the last decade the design of the Internet has shown increasingly alarming problems of scalability, manageability and security, prompting researchers to investigate alternative designs for a next-generation Internet [35][47]. Among the most important problems is the surveillance-prone nature of today's Internet, which was recently brought to the attention of the public in the context of the leaks about the U.S. National Security Agency's mass surveillance programs [19]. Large volumes of global Internet traffic traverse a small set of routers, many of which are located in jurisdictions where large-scale data collection is legal. However, in these future Internet architectures anonymity and censorship resistance were almost never considered first-class citizens.
In the National Security Agency (NSA) leaks, Edward Snowden, former data analyst for the NSA, revealed classified programs which indiscriminately targeted the online browsing activities, emails, and phone calls of hundreds of millions of people. Supporters of these programs often claim that only those who engage in criminal activities have "something to hide" [43]. There are, however, clear cases in which anonymity would be desirable for (non-criminal) end users. For example, anonymity allows users to look up sensitive information, e.g., medical data, without revealing their interest in that information. It allows journalists to report while avoiding censorship and retaliation, and without revealing their sources. Medical privacy and freedom of expression are issues that, indeed, affect everyone, not only criminals.

Some solutions have been proposed to help users regain some of their lost privacy, some of them even specifically for future Internet architectures. To date, however, proposed solutions tend to trade off one or more of security, usability or performance, leaving users with solutions that are highly secure but very slow, very user-friendly but not secure, or very fast but not resistant to sophisticated attacks. This limits their use to only a very small subset of the users of the Internet.

In this thesis we present HORNET (High-speed Onion Routing at the NETwork layer), a new highly scalable solution based on next-generation Internet architectures, which enables secure high-speed and low-latency anonymous communications. HORNET does not trade off security for speed, and works transparently with upper layer protocols, requiring no user-facing changes to software. HORNET allows endpoints to establish anonymous communication channels such that no observer (be it a government-level adversary or an ISP) can see who is communicating. To achieve this, HORNET uses layered encryption to completely mask communications at each point in the network.
It mostly requires only very efficient computations to achieve low latency, and it uses packet-carried state, which obviates the need for routers to keep state, achieving optimal scalability. With these properties HORNET is an ideal candidate for bringing anonymity into the core of the network architecture of the future Internet.

HORNET is the result of joint work with C. Chen (first author of the research), Dr. D. Barrera, and Prof. Dr. A. Perrig, from ETH Zürich, and with Prof. Dr. G. Danezis from UCL.

1.1 Organization

The remainder of this thesis is organized as follows. In chapter 2 we discuss the background topics of computer networking and of cryptography. We cover the high-level structure of network protocols and architectures, providing some further information on future Internet architectures. For cryptography we describe the fundamental functionalities (primitives) that are needed to understand the details of HORNET. In chapter 3, we present anonymous communications, getting the reader acquainted with the terminology of the field, and with some of the existing work. In chapter 4, we present the details of HORNET. The potential attacks on our scheme and its defenses, as well as a number of other aspects of the protocol, are discussed in chapter 5. We evaluate the performance of HORNET in chapter 6. Chapter 7 discusses conclusions and future work.

Chapter 2
Background

In this chapter we provide some background on computer networking and a very short description of the cryptographic primitives that will be used. A reader who is already familiar with these topics may want to skip this chapter, and come back to it later through references if needed.

2.1 Networking

The Internet is a global infrastructure which interconnects a multitude of computer networks, allowing billions of users (private individuals, companies and organizations) to communicate with each other.
Though mostly hidden from the average user, the degree of technological complexity of this infrastructure is very high: it includes a myriad of aspects, ranging from the details of physical transmission of information to the protocols that handle routing of data packets through the networks, and from the handling of end-to-end data flows to the high-level application protocols (which enable for instance email and web browsing). It is beyond the scope of this thesis to present all of these parts, and we will assume that the reader has some familiarity with the topic.

Here we will only briefly describe the Open Systems Interconnection (OSI) model by the International Standards Organization (ISO), which is an abstraction widely used for computer networks. We present more details only for one part of this model, the network layer, which is the one that actually allows internetworking, and could arguably be defined as the core of the Internet.

Afterwards, in subsection 2.1.3, we talk about proposals for alternative architectures for the Internet, which will be of fundamental importance in this thesis.