Pairing-Based Onion Routing

Aniket Kate, Greg Zaverucha and Ian Goldberg
PET 2007
David R. Cheriton School of Computer Science

July 04, 2007
Motivation: Internet Anonymity




    http://weskenney.net/?p=232
2                            Pairing-Based Onion Routing   Aniket Kate
Contributions


      One-way and two-way anonymous and pseudonymous key
      agreement protocols in an identity-based infrastructure

      A single pass circuit construction for onion routing with
      practical forward secrecy

      Significantly less computation and communication in
      circuit construction than in Tor

      Use of an identity-based infrastructure to eliminate the
      need for public key authentication of onion routers




Outline


      Pairing-Based Cryptography

      Anonymous Key Agreement Protocols

      Anonymity Networks

      Pairing-Based Onion Routing
          Circuit Construction
          Comparison with Tor

      Systems Issues

      Conclusion



Symmetric Bilinear Pairings

    Given an additive cyclic group G and a multiplicative cyclic
    group G_T of the same prime order n, a symmetric bilinear
    map e : G × G → G_T satisfies

     1   Bilinearity: For any P, Q ∈ G, e(aP, bQ) = e(P, Q)^{ab}
     2   Non-degeneracy: The map does not send all pairs in
         G × G to unity in G_T
     3   Computability: There is an efficient algorithm to compute
         e(P, Q) for any P, Q ∈ G
    The modified Weil pairing (Verheul [Eurocrypt’01]) is an
    example



Boneh-Franklin Identity-Based Encryption (BF-IBE)
Setup


    A trusted authority called the Private Key Generator (PKG)
        chooses groups G and G_T of order n

        chooses a full-domain cryptographic hash function
        H : {0, 1}* → G

        selects a master secret s ∈ Z_n^* and

        generates private keys d_i = sH(ID_i) ∈ G for clients using
        their well-known identities (ID_i)




SOK Key Agreements in BF-IBE Setup

          Alice(ID_A)                        Bob(ID_B)
     Q_A = H(ID_A), d_A = sQ_A          Q_B = H(ID_B), d_B = sQ_B

     Sakai, Ohgishi, and Kasahara (Non-interactive) [SISC’00]

     Alice computes e(d_A, Q_B)         Bob computes e(Q_A, d_B)
                    K_AB = e(Q_A, Q_B)^s




Anonymous Key Agreements in BF-IBE Setup

          Alice(ID_A)                        Bob(ID_B)
     Q_A = H(ID_A), d_A = sQ_A          Q_B = H(ID_B), d_B = sQ_B

     Two-way Anonymous (This Paper)
     P_A = r_A Q_A, sP_A = r_A d_A      P_B = r_B Q_B, sP_B = r_B d_B
                Alice and Bob exchange P_A, P_B   (⇐⇒)
     Alice computes e(sP_A, P_B)        Bob computes e(P_A, sP_B)
                    K_AB = e(Q_A, Q_B)^{r_A r_B s}

     One-way Anonymous (Non-interactive) (This Paper)
     P_A = r_A Q_A, sP_A = r_A d_A      Q_B, d_B
                Alice sends P_A to Bob   (=⇒)
     Alice computes e(sP_A, Q_B)        Bob computes e(P_A, d_B)
                    K_AB = e(Q_A, Q_B)^{r_A s}



Anonymous Key Agreement

        A participant confirms that the other participant is a client
        of the same PKG, but does not obtain her identity
        Authenticated key agreement using any secure
        symmetric-key based mutual authentication scheme
        For persistent pseudonymity instead of anonymity,
        pseudonyms can be reused
    In the one-way anonymous protocol:
        Non-interactive key agreement with implicit key
        authentication
        Explicit key confirmation using a symmetric-key based
        challenge-response protocol



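The SOK, two-way anonymous and one-way anonymous key agreements from the preceding slides, checked end to end in a toy model. This is an added example, not code from the paper: the "pairing" is e(x, y) = 4^(xy mod n) mod 2039 on G = Z_1019 (a bilinear, non-degenerate, computable map in which discrete logarithms are trivial, so it verifies only the algebra, never the anonymity or secrecy claims), H is SHA-256 reduced into Z_n, and the identity strings are constructed. The last check exercises the "client of the same PKG" property from the slide above: a key issued by a PKG with a different master secret does not agree.

```python
import hashlib
import secrets

# Toy bilinear map (assumption, not the modified Weil pairing of the slides):
# G = (Z_n, +) with n = 1019, G_T = <4> in Z_2039^* (2039 = 2n + 1 is prime),
# e(x, y) = 4^(x*y mod n) mod 2039.  Bilinear, non-degenerate and computable,
# but discrete logs in G are trivial, so it checks the algebra and nothing else.
P, N, GEN = 2039, 1019, 4

def H(identity: str) -> int:
    """Toy full-domain hash H : {0,1}* -> G, never returning the identity 0."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def e(x: int, y: int) -> int:
    """e(aP, bQ) = e(P, Q)^{ab} holds since (ax)(by) = (ab)(xy) in Z_n."""
    return pow(GEN, (x * y) % N, P)

def rand_scalar() -> int:
    return 1 + secrets.randbelow(N - 1)

class PKG:
    """Private Key Generator: holds the master secret s, issues d_i = s H(ID_i)."""
    def __init__(self, s=None):
        self.s = s if s is not None else rand_scalar()

    def extract(self, identity: str) -> int:
        return (self.s * H(identity)) % N

# Sakai-Ohgishi-Kasahara: non-interactive, both identities known to both sides.
def sok_key(my_d: int, their_id: str) -> int:
    return e(my_d, H(their_id))                  # Alice: e(d_A, Q_B); Bob: e(Q_A, d_B)

# Two-way anonymous: each side blinds its own Q with a fresh r and sends P = rQ.
def pseudonym(my_id: str, my_d: int) -> tuple:
    r = rand_scalar()
    return (r * H(my_id)) % N, (r * my_d) % N    # (P = rQ, sP = r d); sP stays private

def two_way_key(my_sP: int, their_P: int) -> int:
    return e(my_sP, their_P)                     # Alice: e(sP_A, P_B); Bob: e(P_A, sP_B)

# One-way anonymous: only Alice hides; Bob is addressed by his identity.
def one_way_key_sender(my_sP: int, their_id: str) -> int:
    return e(my_sP, H(their_id))                 # Alice: e(sP_A, Q_B)

def one_way_key_receiver(their_P: int, my_d: int) -> int:
    return e(their_P, my_d)                      # Bob: e(P_A, d_B)

def check_agreements(alice="alice@example.net", bob="bob@example.net") -> dict:
    """Evaluate the key equalities the slides state, in the toy model."""
    pkg = PKG()
    d_A, d_B = pkg.extract(alice), pkg.extract(bob)
    Q_A, Q_B = H(alice), H(bob)
    results = {}
    # K_AB = e(Q_A, Q_B)^s: both clients reach it; so can the PKG.
    results["sok"] = (sok_key(d_A, bob) == sok_key(d_B, alice)
                      == pow(e(Q_A, Q_B), pkg.s, P))
    P_A, sP_A = pseudonym(alice, d_A)
    P_B, sP_B = pseudonym(bob, d_B)
    results["two_way"] = two_way_key(sP_A, P_B) == two_way_key(sP_B, P_A)
    results["one_way"] = (one_way_key_sender(sP_A, bob)
                          == one_way_key_receiver(P_A, d_B))
    # A client of a different PKG (different s) ends up with a different key:
    # this is what "confirms the other participant is a client of the same
    # PKG" rests on.  s' is forced to differ from s so the check is deterministic.
    other = PKG(s=(pkg.s % (N - 1)) + 1)
    results["other_pkg_mismatch"] = (one_way_key_receiver(P_A, other.extract(bob))
                                     != one_way_key_sender(sP_A, bob))
    return results

if __name__ == "__main__":
    print(check_agreements())
```

Every key here is an element of G_T, so a real deployment would still pass it through a key derivation function before using it as a symmetric key; the toy leaves that step out because only the equalities matter.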
Security and Anonymity

     Unconditional Anonymity
     It is impossible for the other participant, the PKG or any third
     party to learn the identity of an anonymous participant

     No Impersonation
     It is infeasible for a malicious client of the PKG to impersonate
     another (non-anonymous) client in a protocol run
     In persistent pseudonymity, it is not feasible for a malicious
     entity to communicate using a different entity’s pseudonym

     Session Key Secrecy
     It is infeasible for anyone other than the two participants or the
     PKG to compute a session key generated during a protocol run



Anonymous Key Agreement: Applications



     Anonymous communication in any setting which has a
     BF-IBE setup, without any extra effort
     Prominent example: ad-hoc networks
     Persistent pseudonymity may be applicable in a few contexts
     We focus on a new pairing-based onion routing protocol
     which achieves forward secrecy and constructs circuits
     without telescoping




Anonymous Online Communication

                          Anonymizor.com

     Drawback: traffic analysis, and trust placed in Anonymizor.com



Onion Routing

     Aim: frustrate attackers trying to link multiple communications to
     or from a single user
First Generation Onion Routing
      Single-pass construction using public-key encryption

                Drawback: no forward secrecy



Second Generation Onion Routing: Tor
                 Telescoping-based construction

     Drawback: the number of network communications and the number
         of symmetric encryptions/decryptions needed to establish a
         circuit both grow quadratically in the circuit length

Pairing-Based Onion Routing

     In an identity-based infrastructure, public keys do not need to
     be authenticated
     Setup
         The service provider, working as the PKG, runs the BF-IBE
         setup
         It generates a pair (U, sU), common for all users, and
         provides each OR node with the private key d_i for its identity ID_i
         The users precompute the SOK keys e(sU, H(ID_i)) for the
         ORs




Pairing-Based Onion Routing: Circuit Construction
     A user
      1   chooses ORs from the available pool
      2   generates a separate pseudonym and computes a session
          key for communicating with each of them
      3   uses these keys to construct a message with nested layers of
          encryption (the onion)
     An OR
      1   uses the received pseudonym and its private key to obtain
          the session key
      2   decrypts one onion layer to determine the next OR and the
          message for it
      3   forwards the user’s pseudonym for that OR and the remaining
          onion to it

Pairing-Based Onion Routing: Protocol

     A three-OR-node circuit construction (ORs A, B and C; {m}_K denotes
     m encrypted under the session key K)

     1 ⇒ r_A U, {B, r_B U, {C, r_C U, {∅}_{K_UC}}_{K_UB}}_{K_UA}
     2 ⇒ r_B U, {C, r_C U, {∅}_{K_UC}}_{K_UB}
     3 ⇒ r_C U, {∅}_{K_UC}
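The three-message circuit construction above, simulated end to end. This is an added example, not the paper's code: it reuses the toy bilinear map e(x, y) = 4^(xy mod n) mod 2039 on G = Z_1019 (insecure, good only for checking the message flow), takes U = H("system-point-U") as a stand-in for the PKG's common point U, and replaces the AES layers of the slides with an encrypt-then-MAC construction built from an HMAC-SHA256 keystream, constructed here so the example needs only the standard library. The user derives each session key as e(sU, H(ID_i))^{r_i} from the precomputed SOK value and sends r_i U; the OR recomputes the same key as e(r_i U, d_i), peels one layer, and forwards. Each OR also keeps the pseudonym store from the System Issues slide so a replayed onion is dropped.

```python
import hashlib
import hmac
import json
import secrets

# Same toy bilinear map as before (assumption, not a real pairing): G = Z_1019,
# G_T = <4> in Z_2039^*, e(x, y) = 4^(xy mod n) mod 2039.  It only lets the
# message flow be checked; it offers no security.
P, N, GEN = 2039, 1019, 4

def H(identity: str) -> int:
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def e(x: int, y: int) -> int:
    return pow(GEN, (x * y) % N, P)

# Symmetric layer {m}_K: encrypt-then-MAC with an HMAC-SHA256 keystream,
# standing in for the AES used in the slides (constructed for this example).
def kdf(k_gt: int, label: bytes) -> bytes:
    return hashlib.sha256(label + k_gt.to_bytes(2, "big")).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(k_gt: int, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(kdf(k_gt, b"enc"), nonce, plaintext)
    tag = hmac.new(kdf(k_gt, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(k_gt: int, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kdf(k_gt, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: wrong key or tampered onion layer")
    return _xor_stream(kdf(k_gt, b"enc"), nonce, ct)

class OnionRouter:
    """An OR holding d_i = s H(ID_i) plus the replay store of seen pseudonyms."""
    def __init__(self, name: str, d: int):
        self.name, self.d, self.seen = name, d, set()

    def process(self, pseudonym: int, onion: bytes) -> tuple:
        # Replay prevention: a pseudonym is accepted once per key validity period.
        if pseudonym in self.seen:
            raise ValueError(f"{self.name}: replayed pseudonym {pseudonym}")
        self.seen.add(pseudonym)
        k = e(pseudonym, self.d)                 # K_{U,i} = e(r_i U, d_i)
        layer = json.loads(open_(k, onion))
        if layer["next"] is None:                # {∅}: this OR is the last hop
            return None, None, None
        return layer["next"], layer["pseud"], bytes.fromhex(layer["onion"])

def build_onion(U: int, sU: int, route: list) -> tuple:
    """User side: one fresh r_i per OR; keys from the precomputed SOK values e(sU, H(ID_i))."""
    pseudonyms, keys = {}, {}
    for name in route:
        r = 1 + secrets.randbelow(N - 1)
        pseudonyms[name] = (r * U) % N                       # r_i U
        keys[name] = pow(e(sU, H(name)), r, P)               # e(sU, H(ID_i))^{r_i}
    onion = seal(keys[route[-1]], json.dumps({"next": None}).encode())  # {∅}_{K_UC}
    for i in range(len(route) - 2, -1, -1):                  # wrap for B, then for A
        nxt = route[i + 1]
        inner = {"next": nxt, "pseud": pseudonyms[nxt], "onion": onion.hex()}
        onion = seal(keys[route[i]], json.dumps(inner).encode())
    return pseudonyms[route[0]], onion                       # what the user sends to A

def run_circuit(route=("A", "B", "C")) -> tuple:
    """Setup plus one circuit; returns the hops visited and whether a replay was dropped."""
    s = 1 + secrets.randbelow(N - 1)                         # PKG master secret
    U = H("system-point-U"); sU = (s * U) % N                # (U, sU); U = H(label) is an assumption
    ors = {name: OnionRouter(name, (s * H(name)) % N) for name in route}
    first = build_onion(U, sU, list(route))
    hops, current, (pseud, onion) = [], route[0], first
    while current is not None:
        hops.append(current)
        current, pseud, onion = ors[current].process(pseud, onion)
    try:                                                     # resend the first message
        ors[route[0]].process(*first)
        replay_dropped = False
    except ValueError:
        replay_dropped = True
    return hops, replay_dropped

if __name__ == "__main__":
    print(run_circuit())
```

Note that the whole circuit is built from one message per hop with no reply from any OR, which is the single-pass property the slides contrast with Tor's telescoping; the cost of that is that forward secrecy now rests on the ORs discarding d_i at the end of the validity period, as the next slide discusses.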
Pairing-Based Onion Routing: Forward Secrecy
     Validity Period for Private Keys
         specifies the duration after which ORs discard their current
         private keys and obtain new keys from the PKGs
         (batching can help)
         bounds the exposure time a circuit has against compromises of
         the ORs that it uses
         recommended period: short, on the order of an hour

     Validity Period for the Master Secret
         specifies the circuit’s exposure time against compromises
         of the master secret s
         recommended period: longer than that for the private
         keys, perhaps on the order of a day

Comparison with Tor

     Significantly less computation and communication in circuit
     construction by avoiding telescoping.

     Operation                      Time      Tor           PB-OR
                                              client  OR    client  OR
     Pairing                        2.9 ms    0       0     0       1
     RSA decryption                 2.7 ms    0       1     0       0
     Modular exponentiation         1.5 ms    2       2     0       0
     Multiplication in G            1.0 ms    0       0             0
     Exponentiation in G_T          0.2 ms    0       0             0
     RSA encryption                 0.1 ms            0     0       0
     Total time (ms)                          3.1     5.7   1.2     2.9
     Total AES-encrypted messages             ( + 1)        2

     Experiment environment: 3.0 GHz Pentium DualCore desktop with the
     PBC library


Comparison with Tor (Cont.)

      The absence of telescoping also gives the user the flexibility
      to modify a circuit on the fly

                   U ⇔ A ⇔ ··· ⇔ K ⇔ ··· ⇔ N
                               ⇓
                   U ⇔ A ⇔ ··· ⇔ K ⇔ ··· ⇔ N

      The certifying authorities in Tor need to be less trusted
      than the PKG in our scheme.

      With a short validity period for private keys and master
      secret (compared to the key replacement period in Tor),
      our PKG needs to be online with greater reliability.



System Issues

     PKG
       As the PKG becomes a single point of failure, we suggest the
       use of a distributed PKG
       We propose the use of a t-out-of-m threshold distributed key
       generation protocol like Pedersen’s scheme [Eurocrypt’91]
       to implement the distributed PKG
       The PKGs only communicate with ORs, making the
       distributed implementation practical
       They could even be situated as hidden services
       We expect a geographically and politically distributed
       implementation of the PKG



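A t-out-of-m distributed PKG of the kind the slide proposes, worked in the same toy group Z_1019 used in the earlier examples. This is an added example, not the paper's or Pedersen's code: it keeps the core of a Pedersen-style distributed key generation (every PKG node contributes its own random secret, shared with Shamir's scheme, and the master secret s is the sum of all contributions, which no single node ever learns) but omits the verification commitments a real DKG adds. The OR then obtains its private key d_i = s H(ID_i) by collecting partial keys s_j H(ID_i) from any t nodes and combining them with Lagrange coefficients, which is also why, as the Channel Security item below notes, an attacker must subvert t channels rather than one to learn that key. H and the identity strings are the toy constructions from before.

```python
import hashlib
import secrets

# Arithmetic is in Z_n with the toy group order n = 1019 used earlier;
# H is the toy full-domain hash into Z_n (both assumptions, not the paper's).
N = 1019

def H(identity: str) -> int:
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def rand_scalar() -> int:
    return 1 + secrets.randbelow(N - 1)

def shamir_shares(secret: int, t: int, m: int) -> list:
    """Split `secret` into m points (j, f(j)) of a random degree-(t-1) polynomial
    with f(0) = secret; any t points determine it, fewer reveal nothing."""
    coeffs = [secret] + [rand_scalar() for _ in range(t - 1)]
    return [(j, sum(c * pow(j, k, N) for k, c in enumerate(coeffs)) % N)
            for j in range(1, m + 1)]

def lagrange_at_zero(indices: list) -> list:
    """lambda_j such that sum_j lambda_j f(j) = f(0) for deg f < len(indices)."""
    lams = []
    for j in indices:
        num, den = 1, 1
        for k in indices:
            if k != j:
                num = num * (-k) % N
                den = den * (j - k) % N
        lams.append(num * pow(den, N - 2, N) % N)   # den^{-1} mod N via Fermat
    return lams

def distributed_keygen(t: int, m: int) -> tuple:
    """Simplified Pedersen-style DKG: each of m PKG nodes shares its own random
    contribution a_i; node j's share of s = sum_i a_i is the sum of what it
    received.  No verification commitments here; a real DKG adds them."""
    contributions = [rand_scalar() for _ in range(m)]
    shares = [0] * m
    for a in contributions:
        for j, share in shamir_shares(a, t, m):
            shares[j - 1] = (shares[j - 1] + share) % N
    s = sum(contributions) % N              # returned only so the demo can check itself
    return s, list(enumerate(shares, start=1))

def threshold_extract(identity: str, share_subset: list) -> int:
    """An OR asks t PKG nodes for s_j H(ID) and combines them into d = s H(ID)."""
    indices = [j for j, _ in share_subset]
    lams = lagrange_at_zero(indices)
    partials = [(s_j * H(identity)) % N for _, s_j in share_subset]
    return sum(l * p for l, p in zip(lams, partials)) % N

def demo(t: int = 3, m: int = 5, identity: str = "or-A") -> dict:
    s, shares = distributed_keygen(t, m)
    expected = (s * H(identity)) % N        # what a single trusted PKG would issue
    return {
        "first_t_ok": threshold_extract(identity, shares[:t]) == expected,
        "last_t_ok": threshold_extract(identity, shares[-t:]) == expected,
    }

if __name__ == "__main__":
    print(demo())
```

Because the partial keys are linear in the share, the OR never sees s itself, and any t of the m nodes suffice, so the scheme tolerates m − t unavailable nodes while still requiring t compromised ones before an OR's private key leaks.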
System Issues

     Replay Prevention
     ORs should store received pseudonyms for the duration of the
     validity period of the private key and drop onions which re-use a
     pseudonym.

     Directory Server
     Directory servers in Tor provide signed credentials about the
     ORs along with their availability status
     In our setting, storing the public keys is unnecessary

     Channel Security
     A distributed implementation of the PKG provides robustness,
     as an attacker must subvert t secure channels to obtain an
     OR’s private key


Conclusion

     We extended the SOK key agreement in the BF-IBE setup to
     allow one-way or two-way anonymous or pseudonymous
     key agreement
     We used our extension to define a new single-pass circuit
     construction for onion routing networks, with practical
     forward secrecy
     Our protocol performs significantly less computation and
     communication than circuit construction in Tor
     These improvements can be used to enhance the
     scalability of low-latency anonymity networks

                        Questions ?

