Michael BackesSaarland University
MPI-SWS
Aniket KateMPI-SWS
Ian GoldbergUniversity of Waterloo
Esfandiar MohammadiSaarland University
Practical and Provably Secure Onion Routing[IEEE CSF '12]
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
GoogleAliceAIDS
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
GoogleAliceAIDS
AIDS
Insurance
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
GoogleAliceAIDS
AIDS
Insurance
We should talk.
What happened now?
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
GoogleAliceAIDS
AIDS
Insurance
We should talk.
What happened now?
Next time I anonymize my search via Tor.
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
GoogleAliceAIDS
AIDS
Insurance
We should talk.
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing
2
anonymizing
Tor
• established system for anonymous web browsing• But: analyzing Tor is challenging
Practical and Provably Secure OR - Esfandiar Mohammadi
Anonymous Web Browsing: Tor
3
anonymizing
Tor
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
Anonymity against a malicious server
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
Anonymity against a malicious server
Phase 1: Establish Circuit
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
Anonymity against a malicious server
Phase 1: Establish Circuit
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid
2cid
Anonymity against a malicious server
Phase 1: Establish Circuit
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid
2cid
Anonymity against a malicious server
Phase 1: Establish Circuit
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid3cid
2cid
Anonymity against a malicious server
Phase 1: Establish Circuit
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid3cid
4cid
2cid
Anonymity against a malicious server
Phase 2: Send message
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
E(k1,E(k2,E(k3,E(k4, m))))
1cid3cid
4cid
cid ||1
2cid
Anonymity against a malicious server
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
E(k1,E(k2,E(k3,E(k4, m))))
1cid3cid
4cid
cid ||1
2cid
Anonymity against a malicious server
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
E(k2,E(k3,E(k4, m)))
1cid3cid
4cid
cid ||2
2cid
Anonymity against a malicious server
E(k3,E(k4, m))
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid3cid
4cid
cid ||3
2cid
Anonymity against a malicious server
E(k4, m)
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
1cid3cid
4cid
cid ||4
2cid
Anonymity against a malicious server
m
k4
k3
k2
k1
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
4
m
1cid3cid
4cid
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
5
m
k4
k3
k2
k1
Anonymity against a malicious server
6
m
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
5
m
k4
k3
k2
k1
• analyzing tor is difficult
• typical approach– abstract OR as a black-box
6
Practical and Provably Secure OR - Esfandiar Mohammadi
Tor: An Onion Routing Network
5
m
k4
k3
k2
k1
• analyzing tor is difficult
• typical approach– abstract OR as a black-box
6
But does such a black-box abstraction capture all attacks?
Practical and Provably Secure OR - Esfandiar Mohammadi
Our Contribution
• We introduce a comprehensive black-box for onion routing
– We bridge the gap between a known black-box abstraction and the onion routing (OR) protocol
• Our result even holds in the presence of universal composability (UC)
• We apply our result by introducing a definition for forward secrecy– We make a first step towards proving forward secrecy
6
Practical and Provably Secure OR - Esfandiar Mohammadi
Our Contribution
• We introduce a comprehensive black-box for onion routing
– We bridge the gap between a known black-box abstraction and the onion routing (OR) protocol
• Our result even holds in the presence of universal composability (UC)
• We apply our result by introducing a definition for forward secrecy– We make a first step towards proving forward secrecy
6
Practical and Provably Secure OR - Esfandiar Mohammadi
Our Contribution
• We introduce a comprehensive black-box for onion routing
– We bridge the gap between a known black-box abstraction and the onion routing (OR) protocol
• Our result even holds in the presence of universal composability (UC)
• We apply our result by introducing a definition for forward secrecy– We make a first step towards proving forward secrecy
6
UC ➡ Timing attacks are not covered
Practical and Provably Secure OR - Esfandiar Mohammadi
Outline
• Recall UC
• Discussing our Black-Box
• Challenges with the current Tor protocol
• Main Result & Applications
7
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
8
callingprotocol
protocol P
protocol P
callingprotocol
Attacker models:• Compromised protocol parties• Compromised network links
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
9
callingprotocol
callingprotocol
Trusted Party(black-box)
computing the result of Pmodelling honest parties
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
10
callingprotocol
callingprotocol
Trusted Party(black-box)
computing the result of Pmodelling honest parties
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
10
callingprotocol
callingprotocol
Trusted Party(black-box)
computing the result of Pmodelling honest parties
callingprotocol
protocol P
protocol P
callingprotocol
Comparing two worlds
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
11
callingprotocol
callingprotocol
Trusted Party(black-box)
computing the result of Pmodelling honest parties
callingprotocol
protocol P
protocol P
callingprotocol
∀ ∃
≈
callingprotocol
callingprotocol
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
12
callingprotocol
protocol P
callingprotocol
protocol P
∀ ∃
≈
Trusted Party(black-box)
computing the result of Pmodelling honest parties
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
13
Trusted Party(black-box)
computing the result of Pmodelling honest parties
protocol P
protocol P
∃∀ ∀
Practical and Provably Secure OR - Esfandiar Mohammadi
Universal Composability
13
Trusted Party(black-box)
computing the result of Pmodelling honest parties
protocol P
protocol P
∃∀ ∀
b*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)
Suser with probability
xattacker
b : fraction of compromised nodes
Practical and Provably Secure OR - Esfandiar Mohammadi
An elegant black-box for OR
14
by Feigenbaum, Johnson, and Syverson (to appear in TISSec)
b*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)
Suser with probability
xattacker
b : fraction of compromised nodes Why is this not sufficient?
Practical and Provably Secure OR - Esfandiar Mohammadi
An elegant black-box for OR
14
by Feigenbaum, Johnson, and Syverson (to appear in TISSec)
• abstraction is sound if no circuit is reused
b*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)
Suser with probability
xattacker
b : fraction of compromised nodes Why is this not sufficient?
Practical and Provably Secure OR - Esfandiar Mohammadi
An elegant black-box for OR
14
by Feigenbaum, Johnson, and Syverson (to appear in TISSec)
Practical and Provably Secure OR - Esfandiar Mohammadi
How does the simulation work?
15
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
16
(-,S)
S
Establish a fresh circuit CSend 0 to S over C
SC
b : fraction of compromised nodes
with probabilityb*b x := (U,S)(1-b)*b x := (-,S)b*(1-b) x := (U,-)(1-b)*(1-b) x := (-,-)
1
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
17
m1
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
17
2
m1
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
17
This circuit has been reused.
m2m1
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
17
This circuit has been reused.
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
18
m12m
This circuit has been reused.
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits
18
m12m
This circuit has been reused.
If h = - draw a fresh handle helse check whether h is valid
b*b x := (h,U,S,m)(1-b)*b x := (h,-,S,m)b*(1-b) x := (h,U,-)(1-b)*(1-b) x := (h,-,-)
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits (Overapproximation)
19
(S, m, h)user
with probabilityx
attacker
b : fraction of compromised nodesm 1m 2
This circuit has
been reused
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
20
(h,-,S,m)
(S,m,h)
If h is not known establish a circuit Celse look up CSend m to S over C
SC
If h = - draw a fresh handle helse check whether h is valid
b*b x := (h,U,S,m)(1-b)*b x := (h,-,S,m)b*(1-b) x := (h,U,-)(1-b)*(1-b) x := (h,-,-)
with probability
b : fraction of compromised nodes
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
20
(h,-,S,m)
(S,m,h)
If h is not known establish a circuit Celse look up CSend m to S over C
SC
If h = - draw a fresh handle helse check whether h is valid
b*b x := (h,U,S,m)(1-b)*b x := (h,-,S,m)b*(1-b) x := (h,U,-)(1-b)*(1-b) x := (h,-,-)
with probability
b : fraction of compromised nodes
Drawback: we leak the reusage of a circuit via h
draw a random circuitdraw a handle (h,P,Q) for every ciphertext between P,Qleak these handles
Practical and Provably Secure OR - Esfandiar Mohammadi
Reusing Circuits (tighter)
21
user
attacker
S m 1m 2
This circuit has
been reused
Practical and Provably Secure OR - Esfandiar Mohammadi
A different Corruption Scenario
22
This circuit has been reused
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(m,S)
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l)
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l)
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
h
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,S)
Black-box
h
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
E(k4, m))
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
E(k4, m))
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
Practical and Provably Secure OR - Esfandiar Mohammadi
The simulator
23
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
m
Practical and Provably Secure OR - Esfandiar Mohammadi
Our Black-Box
• Allows reusing circuits– Performs circuit construction– Maintains circuits
– Draws a fresh handle for every ciphertext
24
Practical and Provably Secure OR - Esfandiar Mohammadi
Are we done?
25
• How to prove circuit creation secure?– Goldberg, Stebila, and Ustaoglu introduced an efficient &
secure one-way AKE [DCC].– Perfectly suited for our proof.
Practical and Provably Secure OR - Esfandiar Mohammadi
Are we done?
25
• How to prove circuit creation secure?– Goldberg, Stebila, and Ustaoglu introduced an efficient &
secure one-way AKE [DCC].– Perfectly suited for our proof.
• For non-malleable encryption schemes that's it.
Practical and Provably Secure OR - Esfandiar Mohammadi
Are we done?
25
• How to prove circuit creation secure?– Goldberg, Stebila, and Ustaoglu introduced an efficient &
secure one-way AKE [DCC].– Perfectly suited for our proof.
• For non-malleable encryption schemes that's it.
• But Tor uses the malleable detCTR scheme:
Practical and Provably Secure OR - Esfandiar Mohammadi
Are we done?
25
• How to prove circuit creation secure?– Goldberg, Stebila, and Ustaoglu introduced an efficient &
secure one-way AKE [DCC].– Perfectly suited for our proof.
• For non-malleable encryption schemes that's it.
• But Tor uses the malleable detCTR scheme:
Practical and Provably Secure OR - Esfandiar Mohammadi
Are we done?
25
E(k, m)⊕ c = E(k, m⊕ c)
E(k1,E(k2,E(k3,E(k4, m))))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
E(k1,E(k2,E(k3,E(k4, m))))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
E(k2,E(k3,E(k4, m)))
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
E(k2,E(k3,E(k4, m)))⊕ c
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
E(k2,E(k3,E(k4, m⊕ c)))
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
E(k3,E(k4, m⊕ c))
E(k4, m⊕ c)
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
m⊕ c
⊕c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
26
m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
Recall what we have to prove
27
Trusted Party(black-box)
computing the result of Pmodelling honest parties
protocol P
protocol P
∃∀ ∀
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(m,S)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-boxE(k2,E(k3, 0l))⊕ c
E(k2,E(k3, 0l ⊕ c))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l ⊕ c)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l ⊕ c)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,S)
Black-box
h
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
E(k4, m))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
E(k4, m))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
m �=m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
28
(h,P1,P2,P3)
(m,P3,P4,S)
(m,S)
Black-box
h
Practical and Provably Secure OR - Esfandiar Mohammadi
Predictable Malleability
• It turns out:We can predict the changes in the plaintext.
• There is a poly-time S and T s.t.
S(w,w') = T and T(m) = D(k,w')
• Generalized: Predictable Malleabilityfor stateful encryption schemes (details in the paper)
➡ Remedy: black-box additionally allows the simulator to send a transformation T
29
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(m,S)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
E(k2,E(k3, 0l))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-boxE(k2,E(k3, 0l))⊕ c
E(k2,E(k3, 0l ⊕ c))
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l ⊕ c)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
E(k3, 0l ⊕ c)
T(m) := m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(m,S)
Black-box
(h, T)
T(m) := m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(T(m),P3,P4,S)
(m,S)
Black-box
(h, T)
T(m) := m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(T(m),P3,P4,S)
(m,S)
Black-box
(h, T)
T(m) := m⊕ c
E(k4, m⊕ c)
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(T(m),P3,P4,S)
(m,S)
Black-box
(h, T)
T(m) := m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
A Problem with Malleability
30
(h,P1,P2,P3)
(T(m),P3,P4,S)
(m,S)
Black-box
(h, T)
m⊕ c
Practical and Provably Secure OR - Esfandiar Mohammadi
Our main result
• The Tor protocol – allowing to reuse circuits– with a strengthened integrity check
– with secure one-way AKE– against (partially) global active attackers
(details in the paper)
• realizes our black-box
31
Practical and Provably Secure OR - Esfandiar Mohammadi
Applications of this result
• For the OR anonymity analysis of Feigenbaum, Johnson, and Syverson– we show the exact conditions under which their result
applies.
• We did a first step towards proving forward secrecy
32
Practical and Provably Secure OR - Esfandiar Mohammadi
Future Work
• Incorporate timing attacks into the analysis
• Is a black-box leaking the reusage of a circuit useful?• Implications of removing the TLS link between routers
– the circuit ids are leaked to a network attacker
• Predictable malleability might be a useful notion for simulation-based proofs– e.g., for protocols that use efficient but malleable stream
ciphers
33
If h = - then draw a fresh handle h
b*b x := (h,U,S,m)(1-b)*b x := (h,-,S,m)b*(1-b) x := (h,U,-)(1-b)*(1-b) x := (h,-,-)
Practical and Provably Secure OR - Esfandiar Mohammadi
Recall the elegant Overapproximation
34
(S, m, h)user
with probabilityx
attacker
m 1m 2
I know this routeb : fraction of compromised nodes
Practical and Provably Secure OR - Esfandiar Mohammadi
Future Work
• Incorporate timing attacks into the analysis
• Is a black-box leaking the reusage of a circuit useful?• Implications of removing the TLS link between routers
– the circuit ids are leaked to a network attacker
• Predictable malleability might be a useful notion for simulation-based proofs– e.g., for protocols that use efficient but malleable stream
ciphers
35
Thank you!
Questions?
Practical and Provably Secure OR - Esfandiar Mohammadi
Top Related