Anonymity & Censorship-free Communication
Remailers
Type-1 (Cypherpunk)
Sustainability
- Mix decrypts messages
- Uses PGP
- CAST5 & ElGamal
Mixmaster (1998–)
- Layered encryption
- Batching and re-ordering
- Based on Chaum Mix (1981)
- 3DES & RSA (PKCS #1 v1.5)
There is no one security criterion for anonymity
Quantifying and Measuring Anonymity, Murdoch
Who needs anonymity?
- Military personnel
- Law enforcement
- Bloggers
- Activists and whistle-blowers
- Ordinary people
Encryption doesn't work
TLS, PGP, S/MIME only hide what is being said
- Alice uploaded a gigabyte to CNN 6 hours before footage of human rights abuses were aired
- Bob, who just joined our criminal organization sent an encrypted email to the FBI a week before our boss got arrested
- Charlie keeps browsing our website of illegal material, maybe we should give him fake data?
Abuse
← 98% 2% →
The Web
3.67% of the most popular 1,000 websites block Tor
Directory crypto
- List of nodes and their public keys maintained by 8 directory authorities
- Consensus algorithm to create agreed set and together signed with RSA-2048
- Each node signs descriptor with RSA-1024
- Will be moving to ED25519 to replace RSA-1024 and 2048
Node selection for security and performance
Metrics for Security and Performance in Low-Latency Anonymity Systems, Murdoch and Watson
Link encryption
- Confidentiality and integrity
- Weak resistance to traffic analysis
- Covertness (not so useful now)
- TLS configured in similar way to web browser and client (RSA-1024 authenticating ECDH P-256 & AES)
- Server to client authenticated
- (client to server uses custom auth)
Do You See What I See? Differential Treatment of Anonymous Users, Khattak et al.
E2E encryption
- E2E MAC verified by exit node
- When MAC is verified to end of the path has been reached
- Some bits set to zero to optimise the check
- Payload contains command, Stream ID and data
Equivalent systems
Circuit encryption
- Cannot expand ciphertext so as to hide path length without padding
- AES CTR, with no MAC (malleable)
- Keys negotiated using nTor algorithm
- One-way authenticated Diffie Hellman (approx.)
- Curve25519 elliptic curves
- Cells contain Circuit ID
Open proxies ≈ penet.fi
VPN (IPSEC) ≈ Type-0
MixMinion ≈ Tor
Censorship resistance
Fingerprinting and developing blocking rules
SoK: Making Sense of Censorship Resistance Systems, Khattak et al.
Steven J. Murdoch
VASCO & University College London
penet.fi (1993–1996)
- Simply stripped headers off emails sent via remailer
- Allowed replies to be sent
- Easy to use, but single point of compromise
- Shut down following compromise by CoS
Incentives
- Many users are unable to pay (tragedy of the commons)
- Giving better performance to users who contribute could reduce anonymity
- If money is changing hands, volunteers may give up
Mixminion (2002–)
- Fixed many problems
- Introduced replies
- AES, SHA-1, RSA OEAP
- LIONESS wide-block cipher to resist tagging
Web browsing is hard to secure
- Requires low latency
- High variability
- Low tolerance to padding