Anonymous networks and timing attacks: principles of building secure systems (conclusion)
For a low-cost attack to succeed, two basic conditions must be met. First, the malicious node must know all the other network nodes. Without this, the attack in question is impossible. Second, the delays that arise at a node must reflect the amount of traffic that node is transmitting.
Based on the results of the study, we drew the following conclusions. A low-cost attack can be eliminated in one of two ways:
- Make it impossible to obtain information about all network nodes.
- Add cover traffic in such a way that the characteristics of individual flows are evened out.
By adopting either of these techniques, you can build a secure low-latency system that is able to withstand a low-cost attack.
Note that everything Murdoch and Danezis (2005) rely on in their work collapses when the second method is used. However, as they noted, determining the right amount of cover traffic is a difficult task. In any case, the attack can still be prevented using the first method.
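The following sketch is an added illustration, not code from the article or from Murdoch and Danezis. It models a single relay whose probe delay is the number of cells sent in a tick plus jitter, and shows why the amount of cover traffic matters: padding below the peak load leaves the flow's on/off pattern visible in the delays, while padding up to the peak hides it at a large bandwidth cost. All names and constants (`BURST`, `MAX_BG`, `pad_to`) are assumptions chosen for the example.

```python
import random
from statistics import mean, pstdev

BURST = 6    # cells per tick added by the observed flow when it is "on" (assumed)
MAX_BG = 2   # upper bound on unrelated background cells per tick (assumed)

def simulate(ticks=400, pad_to=0, seed=7):
    """Return (pattern, probe_delays, dummy_cells, real_cells) for one relay."""
    rng = random.Random(seed)
    pattern, delays, dummy, real = [], [], 0, 0
    for _ in range(ticks):
        on = rng.randint(0, 1)                     # flow is on or off this tick
        load = rng.randint(0, MAX_BG) + on * BURST
        sent = max(load, pad_to)                   # cover cells fill up to pad_to
        jitter = rng.uniform(-0.5, 0.5)            # network noise on the probe
        pattern.append(on)
        delays.append(sent + jitter)               # delay grows with cells sent
        dummy += sent - load
        real += load
    return pattern, delays, dummy, real

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)

def leakage(pad_to):
    """Correlation between flow pattern and probe delay, plus cover overhead."""
    pattern, delays, dummy, real = simulate(pad_to=pad_to)
    return pearson(pattern, delays), dummy / real

if __name__ == "__main__":
    for pad_to in (0, 4, BURST + MAX_BG):
        corr, overhead = leakage(pad_to)
        print(f"pad_to={pad_to}: correlation={corr:+.2f}, "
              f"cover overhead={overhead:.0%}")
```
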
Further discussion
Using the second method can significantly increase the anonymity that the network provides, but it is difficult to apply to low-latency systems.
This is due to the basic requirement for such a system: to minimize delays. Reducing delays to an acceptable level means that a relay node cannot mix its incoming and outgoing streams or make them indistinguishable. This ultimately gives the attacker a clue for breaking the anonymity the system provides. However, using several relay nodes in the anonymizing tunnel significantly complicates the attack and means that the attacker must be able to control all nodes of the network or all communications between nodes, i.e., be a "global observer".
Develop an anonymizing system
- able to withstand the global observer
- while minimizing delays to an acceptable level
Systems like Tor claim to be able to withstand the attacker described above. However, they did not allow for an attack that could be carried out without a global observer. In an effort to meet its latency constraints, and by forgoing cover traffic, Tor became vulnerable to a low-cost attack that fits within the weak threat model used. This model needs to be expanded.
Our study showed that the attack is applicable to low-latency systems that allow a node to get a list of all other network nodes. If this condition is not met, a weak threat model remains acceptable.
Therefore, if a weak threat model is used in the development of an anonymizing system, this must be taken into account. Each node should be able to get a list of only its neighbors, not a list of all nodes in the network.
Based on the foregoing, we conclude that for anonymizing systems it is better to use a peer-to-peer architecture rather than dedicated servers. This is because peer-to-peer networks have a large number of nodes. Even if the attacker manages to get a list of all network nodes, the list will most likely be out of date, as it is difficult to discover all nodes in a short time.
Conclusion
In this article, we investigated one of the attacks on anonymous low-latency communication networks, known as a low-cost traffic analysis attack. This attack is very important because it affects systems like Tor, whose design was based on a weak threat model. We showed in which cases the attack will not work. We also identified several important properties that a system must possess in order to withstand such attacks.