ABSTRACT
Low-latency anonymity systems such as Tor, AN.ON, Crowds, and Anonymizer.com aim to provide anonymous connections that are both untraceable by "local" adversaries who control only a few machines, and have low enough delay to support anonymous use of network services like web browsing and remote login. One consequence of these goals is that these services leak some information about the network latency between the sender and one or more nodes in the system. This paper reports on three experiments that partially measure the extent to which such leakage can compromise anonymity. First, using a public dataset of pairwise round-trip times (RTTs) between 2000 Internet hosts, we estimate that on average, knowing the network location of host A and the RTT to host B leaks 3.64 bits of information about the network location of B. Second, we describe an attack that allows a pair of colluding web sites to predict, based on local timing information and with no additional resources, whether two connections from the same Tor exit node are using the same circuit with 17% equal error rate. Finally, we describe an attack that allows a malicious website, with access to a network coordinate system and one corrupted Tor router, to recover roughly 6.8 bits of network location per hour.
- TOR (the onion router) servers. http://proxy.org/tor.shtml, 2007.Google Scholar
- Aikat, J., Kaur, J., Smith, F. D., and Jeffay, K. Variability in TCP round-trip times. In IMC '03: Proc. 3rd ACM SIGCOMM conference on Internet measurement (New York, NY, USA, 2003), pp. 279--284. Google ScholarDigital Library
- Back, A., Möller, U., and Stiglic, A. Traffic analysis attacks and trade-offs in anonymity providing systems. In Proc. Information Hiding Workshop (IH 2001) (April 2001), LNCS 2137, pp. 245--257. Google ScholarDigital Library
- Blum, A., Song, D., and Venkataraman, S. Detection of interactive stepping stones: Algorithms and confidence bounds. Proc. 7th Intl Symposium on Recent Advances in Intrusion Detection (RAID) (2004).Google ScholarCross Ref
- Chaum, D. L. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24, 2 (1981), 84--88. Google ScholarDigital Library
- Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., and Bowman, M. Planetlab: an overlay testbed for broad-coverage services. SIGCOMM Comput. Commun. Rev. 33, 3 (2003), 3--12. Google ScholarDigital Library
- Costa, M., Castro, M., Rowstron, A., and Key, P. PIC: Practical internet coordinates for distance estimation. In ICDCS '04: Proc. 24th Intl. Conf. on Distributed Computing Systems (Washington, DC, USA, 2004), IEEE Computer Society, pp. 178--187. Google ScholarDigital Library
- Dabek, F., Cox, R., Kaashoek, F., and Morris, R. Vivaldi: a decentralized network coordinate system. In SIGCOMM '04 (New York, NY, USA, 2004), ACM Press, pp. 15--26. Google ScholarDigital Library
- Danezis, G. Statistical disclosure attacks: Traffic confirmation in open environments. In Proc. Security and Privacy in the Age of Uncertainty, (SEC2003) (Athens, May 2003), IFIP TC11, Kluwer, pp. 421--426.Google ScholarCross Ref
- Danezis, G., Dingledine, R., and Mathewson, N. Mixminion: Design of a Type III Anonymous Remailer Protocol. In SP '03: Proc. 2003 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2003), IEEE Computer Society, p. 2. Google ScholarDigital Library
- Díaz, C., and Serjantov, A. Generalising mixes. In Proc. 3rd Privacy Enhancing Technologies workshop (PET 2003) (March 2003), R. Dingledine, Ed., Springer-Verlag, LNCS 2760.Google ScholarCross Ref
- Dingledine, R., et al. Anonymity bibliography. http://freehaven.net/anonbib, 1999 - 2007.Google Scholar
- Dingledine, R., Mathewson, N., and Syverson, P. F. Tor: The second-generation onion router. In Proc. 13th USENIX Security Symposium (August 2004). Google ScholarDigital Library
- Fawcett, T. An introduction to ROC analysis. Pattern Recogn. Lett. 27, 8 (2006), 861--874. Google ScholarDigital Library
- Federrath, H., et al. JAP: Java anonymous proxy. http://anon.inf.tu-dresden.de/.Google Scholar
- Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. IETF RFC 2616: Hypertext transfer protocol - HTTP/1.1. http://www.ietf.org/rfc/rfc2616.txt, 1999. Google ScholarDigital Library
- Gil, T. M., Kaashoek, F., Li, J., Morris, R., and Stribling, J. The "King" data set.http://pdos.csail.mit.edu/p2psim/kingdata/, 2005.Google Scholar
- Gueye, B., Ziviani, A., Crovella, M., and Fdida, S. 2006. Constraint-based geolocation of internet hosts. IEEE/ACM Trans. Netw. 14, 6 (Dec. 2006), 1219--1232. Google ScholarDigital Library
- Gummadi, K. P., Saroiu, S., and Gribble, S. D. King: estimating latency between arbitrary Internet end hosts. Proc. 2nd SIGCOMM Workshop on Internet measurement (2002), 5--18. Google ScholarDigital Library
- Hintz, A. Fingerprinting websites using traffic analysis. In Proc. 2nd Privacy Enhancing Technologies workshop (PET 2002) (April 2002), R. Dingledine and P. Syverson, Eds., Springer-Verlag, LNCS 2482.Google Scholar
- jrandom, et al. I2P. http://www.i2p.net/, 2007.Google Scholar
- Kesdogan, D., Egner, J., and Büschkes, R. Stop-and-go MIXes: Providing probabilistic anonymity in an open system. In Proc. Information Hiding Workshop (IH 1998) (1998), Springer-Verlag, LNCS 1525.Google ScholarCross Ref
- Ledlie, J., Gardner, P., and Seltzer, M. Network coordinates in the wild. In Proc. 4th USENIX Symposium on Network Systems Design and Implementation (April 2007). Google ScholarDigital Library
- Mathewson, N., and Dingledine, R. Practical traffic analysis: Extending and resisting statistical disclosure. In Proc. 4th Privacy Enhancing Technologies workshop (PET 2004) (May 2004), vol. 3424 of LNCS, pp. 17--34.Google Scholar
- Moeller, U., Cottrell, L., Palfrader, P., and Sassaman, L. IETF draft: Mixmaster protocol version 2. http://www.ietf.org/internet-drafts/draft-sassaman-mixmaster-03.txt, 2005.Google Scholar
- Murdoch, S. J. Hot or not: Revealing hidden services by their clock skew. 13th ACM Conference on Computer and Communications Security (CCS) (2006). Google ScholarDigital Library
- Murdoch, S. J., and Danezis, G. Low-Cost Traffic Analysis of Tor. In SP '05: Proc. 2005 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2005), IEEE Computer Society, pp. 183--195. Google ScholarDigital Library
- Ng, T. E., and Zhang, H. A network positioning system for the Internet. Proc. USENIX Conference (2004). Google ScholarDigital Library
- Oikarinen, J., and Reed, D. IETF RFC 1459: Internet relay chat protocol. http://www.ietf.org/rfc/rfc1459.txt, 1993. Google ScholarDigital Library
- Øverlier, L., and Syverson, P. Locating Hidden Servers. In SP '06: Proc. 2006 IEEE Symposium on Security and Privacy (S&P '06) (Washington, DC, USA, 2006), IEEE Computer Society, pp. 100--114. Google ScholarDigital Library
- Reiter, M. K., and Rubin, A. D. Crowds: anonymity for web transactions. ACM Transactions on Information and System Security 1, 1 (1998), 66--92. Google ScholarDigital Library
- Rennhard, M., and Plattner, B. Introducing MorphMix: peer-to-peer based anonymous Internet usage with collusion detection. In WPES '02: Proc. 2002 ACM workshop on Privacy in the Electronic Society (New York, NY, USA, 2002), ACM Press, pp. 91--102. Google ScholarDigital Library
- Rosenberg, J., et al. SIP: Session Initiation Protocol. IETF RFC 3261, http://tools.ietf.org/html/rfc3261, 2002. Google ScholarDigital Library
- Serjantov, A., and Sewell, P. Passive attack analysis for connection-based anonymity systems. In Proc. ESORICS 2003 (October 2003).Google ScholarCross Ref
- Spring, N., Wetherall, D., and Anderson, T. Scriptroute: A public Internet measurement facility. USENIX Symposium on Internet Technologies and Systems (USITS) (2003), 225--238. Google ScholarDigital Library
- Syverson, P., Tsudik, G., Reed, M., and Landwehr, C. Towards an analysis of onion routing security. In Designing Privacy Enhancing Technologies: Proc. Workshop on Design Issues in Anonymity and Unobservability (July 2000), H. Federrath, Ed., Springer-Verlag, LNCS 2009, pp. 96--114. Google ScholarDigital Library
- Wong, B., Stoyanov, I., and Sirer, E. G. 2006. Geolocalization on the internet through constraint satisfaction. In Proc. USENIX WORLDS 2006. Google ScholarDigital Library
- Wright, M., Adler, M., Levine, B. N., and Shields, C. Defending anonymous communication against passive logging attacks. In Proc. 2003 IEEE Symposium on Security and Privacy (May 2003). Google ScholarDigital Library
Index Terms
- How much anonymity does network latency leak?
Recommendations
How much anonymity does network latency leak?
Low-latency anonymity systems such as Tor, AN.ON, Crowds, and Anonymizer.com aim to provide anonymous connections that are both untraceable by “local” adversaries who control only a few machines and have low enough delay to support anonymous use of ...
Measuring the user's anonymity when disclosing personal properties
MetriSec '10: Proceedings of the 6th International Workshop on Security Measurements and MetricsAnonymous credentials allow to selectively disclose personal properties included in the credential, while hiding the other information. For instance, a user could only disclose that he is an adult using a credential in which zip code and date of birth ...
(α, k)-anonymity: an enhanced k-anonymity model for privacy preserving data publishing
KDD '06: Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data miningPrivacy preservation is an important issue in the release of data for mining purposes. The k-anonymity model has been introduced for protecting individual identification. Recent studies show that a more sophisticated model is necessary to protect the ...
Comments