Cryptographic Protocols (CRYPROT)

Lecture 5

Anonymous Communication

Department of Computer Science | ENCRYPTO | Prof. Dr.-Ing. Thomas Schneider

Summary from Lecture 1: Anonymous Communication

How can I surf anonymously on the Internet?

Source: https://fossbytes.com/everything-tor-tor-tor-works/

2
Structure of Today’s Lecture

- Anonymity
- High latency anonymity systems
- Low latency anonymity systems
- Private messaging

3
ANONYMITY

4
Anonymity – Informal Definition

We cannot determine who initiated an event, e.g.,

• Who wrote this blog post?
• Who has been viewing my webpages?
• Who sent an email to patent attorneys?

After [Syverson09] 5
Anonymity – Formal Definition

Anonymity is the state of being indistinguishable within a set of subjects, called anonymity set.

Anonymity set

Alice 1

Alice 2 Bob

Alice 3

An attacker cannot distinguish which Alice communicates with Bob.

The larger the anonymity set, the stronger the anonymity.

After [Syverson09] 6
What Can the Attacker Do?

Anonymity
Alice Bob
Network
Watch Alice!

Watch (or be) Bob!

Control part(s) of the network!

After [Syverson09] 7
Anonymity is not Pseudonymity

Pseudonymity only protects real names, not identities!

“lewis587: Hey Bob, how are you?”

Alice
aka Bob
lewis587

After [Syverson09] 8
Anonymity is not Confidentiality

Encryption only protects contents, not the fact that Alice and Bob communicate!

“hfabdazger9423jfsd”

Alice Bob

After [Syverson09] 9
Anonymity is not Steganography (1/2)

The attacker knows that Alice communicates, just not with whom.

Bob 1
Anonymity
Alice
Network
Bob 2

After [Syverson09] 10
Anonymity is not Steganography (2/2)

"Suspecting a Harvard student was

behind the threats, agents checked
to see if anyone had accessed Tor
through the local wireless networks.
That led them to Kim, who promptly
confessed."
https://www.theverge.com/2013/12/18/5224130/fbi-agents-
tracked-harvard-bomb-threats-across-tor

11
Anonymizing Proxies and VPNs do not Help

Alice 1 Bob 1
HTTPS Proxy/
VPN gateway
Alice 2 Bob 2

Destination Source
anonymity only anonymity only
No anonymity

After [Wilson18] 12
Who Needs Anonymity and for What?

Who? For what?

Governments Protection against traffic analysis
Businesses Protection of sensitive business data
Human rights advocates Circumvention of censorship
Investigative journalists Protection against intimidation
Citizens Protection of privacy

After [Syverson09] 13
Anonymity Systems for the Internet

High-latency Low-latency
Chaum’s Mixes (’81) Single-hop proxies (~’95-)
anon.penet.fi (~’91-’96) Crowds (~’96)
Remailer networks such as: NRL V0 Onion Routing (~’96-’97)
cypherpunk (~’93) NRL V1 Onion Routing (~’97-’00)
mixmaster (~’95) ZKS „Freedom” (~’99-’01)
mixminion (~’02) Java Anon Proxy (~’00-)
Tor (’01-)

After [Syverson09] 14
HIGH LATENCY ANONYMITY SYSTEMS

Mix Networks

15
Mixes

• Originally designed for anonymous email [Chaum81]

• E: semantically secure public-key encryption scheme
• Mix collects messages for a specific amount of time and decrypts
• Messages are randomly shuffled (mixed) and sent in different order

Send Order Arrival Order

A1 (Permuted)
B1
E𝑝𝑘mix (B3, E𝑝𝑘!" (”X”)) 1. 1.
𝑠𝑘mix
A2 4. 2. B2
2. Mix
3. 𝑠𝑘!"
(trusted remailer)
A3 B3
3. 4.

A4 B4
Adversary knows senders and receivers,
but cannot link a sent message to a received message After [Wilson18] 16
Mix Networks

• Messages are sent through a sequence of mixes (mixnet)

• Some of the mixes may be controlled by an attacker, but even a single good mix guarantees
anonymity

A1 B1

𝑠𝑘()*+ 𝑠𝑘()*, 𝑠𝑘()*"

A2 B2
Mix1 Mix2 Mix3

A3 B3

A4 B4

17
Mixnets – Pros and Cons

+ Strong anonymity guarantees

+ Hinders timing attacks (messages may be artificially delayed)
- Requires lots of traffic
- High latency => possible for email, but not web browsing
- Expensive public-key encryption and decryption at each mix
- All traffic is encrypted using public/private key pairs => if a private key is stolen, all future
traffic and logged past traffic can be decrypted

18
LOW LATENCY ANONYMITY SYSTEMS

Onion Routing

19
Why Low Latency?

Countless applications need low latency, e.g., Web, ssh, Chat, X11, …

But: Low-latency systems are vulnerable to end-to-end correlation attacks!

Anonymity
Alice Network Bob

After [Syverson09] 20
Onion-Routing

Onion-Routing [GRS96,GRS99]:

• application-independent infrastructure for anonymous communication over a public network

• provides low-latency, anonymous and bidirectional connections for protection against

eavesdropping and connection data analysis

21
Basic Idea of Onion-Routing: Relay

Bob2, “X” “Y”

Alice 1 Bob 1

Relay
Alice 2 “X” Bob 2
Bob1, “Y”

Problem: An attacker who observes Alice sees

with which Bob Alice communicates.

After [Syverson09] 22
Encryption Could Help...

E𝑝𝑘Relay (Bob2, “X”) “Y”

Alice 1 Bob 1

Relay
Alice 2 “X” Bob 2
E𝑝𝑘Relay (Bob1, “Y”)

Problem 1: A compromised Relay can see with which Bob Alice communicates.

Problem 2: End-to-end correlation locally at the Relay is possible.

This method is used by commercial proxy providers such

as Anonymizer (www.anonymizer.com).

After [Syverson09] 23
Onion-Routing uses More Relays

Alice
communicates
Alice with R2
Bob

R1 R3
R2
communicates
with Bob

R4 R2 R5

R1
communicates
with R3

After [Syverson09] 24
Onion-Routing in Detail

Alice 𝑘+ 𝑘" Bob

𝑘+ 𝑘, 𝑘"
“X”
R1 R3

E𝑘# (E𝑘$ (E𝑘" (“X”)))

Use public-key crypto for

E𝑘" (“X”)
building the circuit, then
R2
symmetric crypto for
E𝑘$ (E𝑘" (“X”))
protecting the data 𝑘,

1) Alice establishes a (symmetric) session key with R1

2) Tunnels connection to R2
3) And then further to R3
4) And connects to Bob through the circuit
After [Syverson09] 25
Attacks Against Tor Circuits

Alice 𝑘+ 𝑘" Bob

𝑘+ 𝑘, 𝑘"
“X”
R1 R3

No source anonymity No destination

anonymity

R2

𝑘, Source and
destination anonymity

Tor users can choose any number of relays

• Default configuration is 3
After [Wilson18] 26
Comparison: Mixnets vs. Onion Routing
Mixnets
Security through the mixing done by mixes
Resist adversaries observing all traffic
everywhere
High latency introduced by waiting for many
messages to arrive before mixing is possible
Onion Routing
Security through route unpredictability in the
network
Adversaries observing both ends of the
communication can break anonymity
Low latency, no mixing necessary
27
Structure of Onions

Structure of an Onion for Relay R [GRS96]:

{
exp_time: Time until Relay R stores the Onion (against Replay),
next_hop: Address of the next relay or NULL for the last hop,
Ff: Cryptographic algorithm for data towards “forward”,
Kf: Symmetric key for data towards “forward”,
Fb: Cryptographic algorithm for data towards “backward”,
Kb: Symmetric key for data towards “backward”,
payload: User data or next onion
(padded with random bits => Onions have same size)
} PKR: Encrypted with public-key of Relay R

28
 Tor Bridges

•
29 The IP addresses of Tor relays are publicly accessible
• Many countries block traffic to these IPs (denial-of-service against Tor)

• Solution: Tor Bridges

• Tor proxies that are not publicly known
• Used to connect clients in censored areas to
the rest of the Tor network
• Tor maintains bridges in many countries
• Can get 3 tor bridges from
https://bridges.torproject.org/bridges
(protected from harvesting using CAPTCHAs)

After [Wilson18] 29
 Obfuscating Tor Traffic

•
30 Bridges alone may be insufficient to get around all types of censorship
• Deep packet inspection (DPI) can be used to locate and drop Tor frames
• E.g., Iran blocked all encrypted packets for some time (https://blog.torproject.org/iran-partially-blocks-
encrypted-network-traffic)

• Tor adopts a pluggable transport design

• Tor traffic is forwarded to an obfuscation program
• Obfuscator transforms the Tor traffic to look like some other protocol
• E.g., BitTorrent, HTTP, streaming audio, etc.
• Deobfuscator on the receiver side extracts the Tor data from the encoding

After [Wilson18] 30
Tor - The Onion Router

Largest worldwide anonymity network (>2 million users/day, >200 Gbit/s)

31
Tor Browser

https://www.torproject.org/download/
32
Tor: Recommendations

May 8, 2016: FBI Contracted Former Tor Developer To Create Torsploit Malware
„This malware was deployed through malicious websites showing a Flash video. Users
who had Flash enabled in the Tor browser would then be subject to having their real IP
address revealed. That information would be forwarded to a server controlled by the FBI,
along with a timestamp showing when the site was accessed. Torsploit has been quite a
success for the FBI so far. The Bureau was able to reveal identities of 25 suspects with
this malware, 19 of which have been convicted as of press time.”

Recommendations from https://www.torproject.org/download/download.html.en#warning to remain

anonymous despite using Tor:
• Use Tor Browser
• Do not use torrent over Tor
• Do not activate or install browser plugins
• Use HTTPS versions of websites
• Do not open downloaded documents while online
• Use Tor Bridges to hide Tor's usage
33
Number of Tor Users

https://geography.oii.ox.ac.uk/the-anonymous-internet/ 34
Tor – Pros and Cons

+ Low latency, i.e., wide range of applications

+ Expensive public key operations only for building the circuit, then cheaper symmetric key
operations for communication
+ Tor implements Perfect Forward Secrecy (PFC), i.e., the client negotiates a new key pair with
each relay => attacker might be able to eavesdrop on future traffic, but past traffic is protected
- Unclear protection level against nation state adversaries who can do network traffic analysis or
tagging attacks

35
Tor Hidden Services

• Anonymity of both users and service providers

• Providers can publish their service without revealing their identities (IP addresses)
• Users can connect to this service using a rendezvous point without knowing the provider and
revealing their identities
⇒ This also allows protection against distributed denial of service (DDoS) attacks as attackers do
not know the IP address of the service

After [Syverson09] 36
Tor Hidden Services

Alice can connect to Bob’s server without knowing where or possibly who Bob is (all connections via Tor):
Service Bob's
Lookup Server Intro Point 1 Hidden Server
xyz Service
abc Service
Intro Point 2

Alice
Intro Point 3

Rendezvous
Point

1. Bob creates onion routes to Introduction Points (Intro Point) and sends its public key (𝑝𝑘Bob )
2. Bob publishes xyz.onion address in a Service Descriptor including 𝑝𝑘Bob & Intro Points, signed with 𝑠𝑘Bob
3. Alice uses xyz.onion to get Service Descriptor at Service Lookup Server (from a distributed hash table)
4. Alice creates onion route to Rendezvous Point (RP), a randomly picked relay
5. Alice sends RP address and authorization through an Intro Point to Bob encrypted with 𝑝𝑘Bob
6. If Bob accepts Alice’s request, connects to RP and RP pairs the circuits from Alice and Bob
After [Syverson09] 37
Tor Hidden Services

Final communication channel

Bob's
Hidden Server

Alice

Rendezvous
Point

Many hidden services:

• Tor Mail, Tor Chat
• DuckDuckGo search engine
• Wikileaks
• Silk Road (2.0)
• etc.
After [Syverson09] 38
Tor Browser – Connecting to a Hidden Service

https://www.torproject.org/download/
39
The Dark Web Map

• Visualization of the structure of Tor's hidden

services, a.k.a. the dark web
• 3,747 dark web sites crawled in March 2019
• Websites with structural similarity are
connected with a line
• Similar websites are arranged into clusters.
• You can move around the map and zoom in
to areas of interest at:
https://www.hyperiongray.com/dark-web-map/

40
PRIVATE MESSAGING

41
Traditional Messaging Systems

• Modern messaging services use end-to-end encryption

(E2EE) to protect message contents, e.g., Signal, service
provider
Threema, Whatsapp, Wire
• E2EE protects contents of messages, but not metadata
• Service provider sees who communicates with whom and
when
C1 C2 C3
• Single point of failure for metadata privacy and attractive
target for mass surveillance Service provider learns the
social graph of all users.

42
Traditional Messaging Systems

• Some metadata protection can be achieved by dezentralization

service service
• E-Mail (using OpenPGP or S/MIME) – send mails from one email
provider provider
provider to users using another provider
• XMPP (using OMEMO) – users can communicate between
different XMPP servers, mail-like identifiers (user@example.org)
• Matrix (Riot) – users from a homeserver can communicate with
users from other homeservers C1 C2 C3
• No single service provider, but a network of service providers
Each service provider learns
• Standardized protocols are used to communicate between service
only partial social graph of
providers
the users.
• Service providers can still learn metadata
• But: lower feasibility of mass surveillance, data breaches
affect less people

43
Next Generation Messaging Systems

• Metadata is not protected in current messaging systems

• Some early metadata hiding techniques already exist in practice

• Private Contact Discovery (https://contact-discovery.github.io)

• Users need to determine which of their contacts also use the messaging service
• Today’s mobile messengers leak user’s address book to the service provider
[KRSSW19,HWSDS21]
• Private contact discovery solves this by using trusted execution environments (Intel SGX →
Signal) or private set intersection (PSI) → Lecture “PSI”

• Signal blog contains some interesting topics on this issue:

• Technology preview: Sealed sender for Signal - hide sender identity inside message envelope
• Technology preview: Private contact discovery for Signal - use SGX for private contact discovery
• Technology preview: Signal private group system - encrypt group state stored in a database 44
Approaches to Hide Communication Patterns (1/3)

Private messaging systems are currently being researched. Below are some examples.

• Tor Hidden Services: Pond, Ricochet

• address of hidden service is used as user’s identifier (Pond, Ricochet)
• random data is sent to hide communication frequency patterns (Pond)

• Mix Networks: Alpenhorn [LZ16], Pynchon Gate [SC05], Riffle [KLDF16]

• Shared secret is exchanged via a mix network (Alpenhorn)
• Message is routed through a mix network to provide sender anonymity (Pynchon Gate, Riffle)

• Broadcast: Riffle [KLDF16], Riposte [CBM15]

• Broadcast messages to all clients (Riffle)
• Public bulletin board is broadcasted to all users (Riposte)
45
Approaches to Hide Communication Patterns (2/3)

• PIR (→ Lecture “PIR”): DP5 [BDG15], OnionPIR [DHS17], Pynchon Gate [SC05], Riffle [KLDF16]
• PIR allows to privately query a database without leaking the query or the queried element
• Presence status is queried via PIR to hide whose presence is queried (DP5)
• Messages are retrieved via PIR to achieve receiver anonymity (OnionPIR, Pynchon Gate, Riffle)

• Reverse PIR: Riposte [CBM15]

• Write to a database without revealing to the server which row was written to

• Identity-Based Encryption (IBE): Alpenhorn [LZ16]

• Public keys of users can be non-interactively derived from their identifier (e.g., email address).
• Each user obtains secret key from n identity servers. The key remains private if at least one
identity server is honest. → Anytrust model

46
Identity-Based Encryption (IBE) [BK01,Cocks01]

• IBE allows to derive public keys from some known identifier, e.g., an email address
• Can be extended to the anytrust setting, e.g., by using multiple PKGs and nested encryption

CC BY-SA 3.0 Yaronf at English Wikipedia 47

Approaches to Hide Communication Patterns (3/3)

• AnonRAM [BHKP16]
• Use oblivious RAM (ORAM) to hide logical access patterns from remote database
• Protect access patterns and user’s identity from curious servers
• Yields sender and receiver anonymity

ORAM server
Entry 1
obliviousRead(1)

Alice obliviousWrite(2, data) Entry 2

Entry 3

48
Bibliography

[BDG15] N. Borisov, G. Danezis, I. Goldberg. DP5: A private presence service.

In PETS'15.
[BHKP16] M. Backes, A. Herzberg, A. Kate, I. Pryvalov. Anonymous RAM.
In ESORICS'16.
[BK01] D. Boneh, M. K. Franklin. Identity-based encryption from the Weil pairing.
In CRYPTO’01.
[Bloom70] B. H. Bloom. Space/time trade-offs in hash coding with allowable errors.
In Communications of the ACM’70.
[CBM15] H. Corrigan-Gibbs, D. Boneh, D. Mazières. Riposte: An anonymous messaging system
handling millions of users. In S&P'15.
[Chaum81] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. In
Communications of the ACM’81.

49
Bibliography

[Cocks01] C. Cocks. An identity based encryption scheme based on quadratic residues. In 8. IMA
International Conference on Cryptography and Coding’01.
[DHS17] D. Demmler, M. Holz, T. Schneider. OnionPIR: Effective protection of sensitive
metadata in online communication networks”. In ACNS’17.
[DingledineMS04] R. Dingledine, N. Mathewson, P. Syverson. Tor: The second-generation Onion
Router. In USENIX Security’04.
[Goldreich87] O. Goldreich. Towards a theory of software protection and simulation by oblivious
RAMs. In STOC’87.
[GRS96] D. Goldschlag, M. Reed, P. Syverson. Hiding routing information.
In ACM Information Hiding’96.
[GRS99] D. Goldschlag, M. Reed, P. Syverson. Onion routing for anonymous and private Internet
connections. In Communications of the ACM’99.

50
Bibliography

[HWSDS21] C. Hagen, C. Weinert, C. Sendner, A. Dmitrienko, T. Schneider. All the Numbers are
US: Large-scale Abuse of Contact Discovery in Mobile Messengers. In NDSS’21.
[KLDF16] A. Kwon, D. Lazar, S. Devadas, B. Ford. Riffle: An efficient communication system with
strong anonymity. In PETS'16.
[KRSSW19] D. Kales, C. Rechberger, T. Schneider, M. Senker, C. Weinert. Mobile private
contact discovery at scale. In USENIX Security’19.
[LZ16] D. Lazar, N. Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking
metadata. In OSDI'16.
[SC05] L. Sassaman, B. Cohen, N. Mathewson. The pynchon gate: A secure method of
pseudonymous mail retrieval. In WPES’05.
[Syverson09] P. Syverson. Anonymous Communication with emphasis on Tor.
http://www.cs.umd.edu/~jkatz/security/f09/lectures/syverson.pdf
[Wilson18] C. Wilson. Anonymous Communications.
https://cbw.sh/static/class/5700/slides/22_Anonymous.pptx
51
THANKS FOR YOUR ATTENTION!

52