Anonymity and censor-free communication (IFIP Summerschool)

This talk discusses the history of anonymous communication systems, their applications (including censorship resistance), how they are designed, and what cryptographic mechanisms they use.

Steven Murdoch

on 25 August 2016


Transcript of Anonymity and censor-free communication (IFIP Summerschool)

Who needs anonymity?
Military personnel
Law enforcement
Activists and whistle-blowers
Ordinary people
Anonymity & Censorship-free Communication
penet.fi (1993–1996)
The Web
Web browsing is hard to secure
Censorship resistance
Simply stripped headers off emails sent via remailer
Allowed replies to be sent
Easy to use, but single point of compromise
Shut down following compromise by CoS
Mixmaster (1998–)
Layered encryption
Batching and re-ordering
Based on Chaum Mix (1981)
3DES & RSA (PKCS #1 v1.5)
Type-1 (Cypherpunk)
Mix decrypts messages
Uses PGP
CAST5 & ElGamal
Mixminion (2002–)
Fixed many problems
Introduced replies
LIONESS wide-block cipher to resist tagging
Number of users ≈ 0
Requires low latency
High variability
Low tolerance to padding
Equivalent systems
Open proxies ≈ penet.fi
VPN (IPsec) ≈ Type-0
Mixminion ≈ Tor
Many users are unable to pay (tragedy of the commons)
Giving better performance to users who contribute could reduce anonymity
If money is changing hands, volunteers may give up
Encryption doesn't work
TLS, PGP, S/MIME only hide what is being said
Alice uploaded a gigabyte to CNN 6 hours before footage of human rights abuses was aired
Bob, who just joined our criminal organization, sent an encrypted email to the FBI a week before our boss got arrested
Charlie keeps browsing our website of illegal material, maybe we should give him fake data?
Steven J. Murdoch
VASCO & University College London

← 98% 2% →
Link encryption
Circuit encryption
E2E encryption
Confidentiality and integrity
Weak resistance to traffic analysis
Covertness (not so useful now)
TLS configured in a similar way to web browser and client (RSA-1024 authenticating ECDH P-256 & AES)
Server to client authenticated
(client to server uses custom auth)
Cannot expand ciphertext so as to hide path length without padding
AES CTR, with no MAC (malleable)
Keys negotiated using nTor algorithm
One-way authenticated Diffie-Hellman (approx.)
Curve25519 elliptic curves
Cells contain Circuit ID
E2E MAC verified by exit node
When the MAC is verified, the end of the path has been reached
Some bits set to zero to optimise the check
Payload contains command, Stream ID and data
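The relay-cell handling outlined in the circuit-encryption bullets above, as an added Python example that is not from the talk or from Tor's code: each hop strips one stream-cipher layer, tests the zeroed bits, then checks the end-to-end digest, and a bit flipped on the wire passes through every layer unchanged until that digest check rejects it. Assumptions: a SHA-256 counter keystream stands in for AES-CTR, a truncated keyed SHA-256 stands in for the E2E MAC, and the cell layout, sizes and keys are constructed.

```python
import hashlib
import hmac

CELL_LEN = 64  # constructed size for the demo, not Tor's real cell size

def keystream(key: bytes, n: int) -> bytes:
    """Stand-in for AES-CTR (assumption): SHA-256 run in counter mode."""
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def xor_layer(key: bytes, cell: bytes) -> bytes:
    """Add or strip one onion layer; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(cell, keystream(key, len(cell))))

def digest(dkey: bytes, body: bytes) -> bytes:
    """Hypothetical 4-byte end-to-end check shared by client and one hop."""
    return hashlib.sha256(dkey + body).digest()[:4]

def client_wrap(layer_keys, dkey: bytes, data: bytes) -> bytes:
    """Layout (constructed): 2 zero bytes | 4-byte digest | padded data."""
    body = data.ljust(CELL_LEN - 6, b"\0")
    cell = b"\0\0" + digest(dkey, body) + body
    for k in reversed(layer_keys):      # innermost layer is the last hop's
        cell = xor_layer(k, cell)
    return cell

def recognized(dkey: bytes, cell: bytes) -> bool:
    """Cheap zero-bits test first, then the digest comparison."""
    return cell[:2] == b"\0\0" and hmac.compare_digest(cell[2:6], digest(dkey, cell[6:]))

def route(layer_keys, dkeys, cell: bytes):
    """Each hop strips its layer; return (index of recognizing hop, cell)."""
    for i, (k, dk) in enumerate(zip(layer_keys, dkeys)):
        cell = xor_layer(k, cell)
        if recognized(dk, cell):
            return i, cell
    return None, cell   # no hop accepted: cell was altered in transit

# Constructed keys for a three-hop circuit.
LAYER_KEYS = [b"guard-layer", b"middle-layer", b"exit-layer"]
DIGEST_KEYS = [b"guard-digest", b"middle-digest", b"exit-digest"]

def demo():
    sent = client_wrap(LAYER_KEYS, DIGEST_KEYS[2], b"GET / HTTP/1.1")
    hop, clear = route(LAYER_KEYS, DIGEST_KEYS, sent)
    flipped = bytearray(sent); flipped[10] ^= 0x01   # one bit changed on the wire
    bad_hop, bad_clear = route(LAYER_KEYS, DIGEST_KEYS, bytes(flipped))
    diff = bytes(a ^ b for a, b in zip(clear, bad_clear))
    return hop, clear[6:20], bad_hop, diff
```

In `demo()`, `diff` is zero everywhere except the flipped bit, which is the malleability of an unauthenticated stream cipher; only the digest at the end of the path notices the change.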
Directory crypto
List of nodes and their public keys maintained by 8 directory authorities
Consensus algorithm creates an agreed set, which the authorities sign together with RSA-2048
Each node signs its descriptor with RSA-1024
Will be moving to Ed25519 to replace RSA-1024 and 2048
Fingerprinting and developing blocking rules
SoK: Making Sense of Censorship Resistance Systems, Khattak et al.
Do You See What I See? Differential Treatment of Anonymous Users, Khattak et al.
Quantifying and Measuring Anonymity, Murdoch
Node selection for security and performance
Metrics for Security and Performance in Low-Latency Anonymity Systems, Murdoch and Watson
There is no one security criterion for anonymity
3.67% of the most popular 1,000 websites block Tor
Onion service