From: Christoph Egger Date: Sun, 10 Aug 2014 13:47:26 +0000 (+0200) Subject: Cleanup X-Git-Url: https://git.siccegge.de//index.cgi?a=commitdiff_plain;h=f182ea55a9fe4d1933e0d3857689aae8ce9b443c;p=talk%2Fattack-i2p-raid2013.git Cleanup --- diff --git a/beamer.tex b/beamer.tex index 813bdc7..8c49759 100644 --- a/beamer.tex +++ b/beamer.tex @@ -1,4 +1,4 @@ -\documentclass[handout]{beamer} +\documentclass{beamer} \usetheme{i4} \usepackage[utf8]{inputenc} \usepackage{tikz} @@ -39,9 +39,9 @@ University of California, Santa Barbara} \vspace{1.5em} \titlepage \begin{center} - \includegraphics[width=0.2\paperwidth]{ucsbseal} + \includegraphics[width=0.23\paperwidth]{fau_siegel} \hspace{1.5em} - \includegraphics[width=0.25\paperwidth]{streifenlogo} + \includegraphics[width=0.25\paperwidth]{ucsbseal} \end{center} \end{frame} @@ -53,29 +53,31 @@ University of California, Santa Barbara} \item Tunnels \item Network Database \item \textcolor{gray}{Floodfill Participation} - \item Thread model + \item Threat model \end{itemize} \end{block} - \begin{block}{Attacks} + \begin{block}{\textcolor{gray}{Floodfill Takeover Attack}} + + \end{block} + \begin{block}{Sibyl Attack} \begin{itemize} - \item \textcolor{gray}{Floodfill Takeover Attack} - \item Sybil Attack - \item \textcolor{gray}{Eclipse Attack} - \item Deanonymization Attack + \item Attack Description + \item Evaluation \end{itemize} \end{block} - \begin{block}{Evaluation} + \begin{block}{\textcolor{gray}{Eclipse Attack}} + + \end{block} + \begin{block}{Deanonymization Attack} \begin{itemize} - \item \textcolor{gray}{Floodfill Takeover Attack} - \item Sybil Attack - \item \textcolor{gray}{Eclipse Attack} - \item Deanonymization Attack - \end{itemize} + \item Attack Description + \item Evaluation + \end{itemize} \end{block} \begin{block}{Conclusions} \begin{itemize} \item Limitations - \item I2P Improvements + \item I2P improvements \item \textcolor{gray}{Related Work} \end{itemize} \end{block} 
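Review bot: `\begin{block}{Sibyl Attack}` in the outline misspells the attack name; the frame title on the same topic reads `\frametitle{Sybil Attack}` and the line this replaces had `Sybil Attack`, so the new block should be `\begin{block}{Sybil Attack}`. The same misspelling is introduced by `\section{Sibyl Attack}` in the hunk at `@@ -374,16 +216,18 @@`, where it also ends up in the navigation bar and the PDF bookmarks. The two grey placeholder blocks (`Floodfill Takeover Attack`, `Eclipse Attack`) contain only a blank line; a comment such as `% intentionally empty placeholder` inside each would tell a later editor that nothing has gone missing.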
@@ -83,33 +85,53 @@ University of California, Santa Barbara} \end{frame} \begin{frame} - \frametitle{Introduction I2P} + \frametitle{Anonymity} + \begin{block}{Who needs anonymity} + \begin{itemize} + \item Criminals + \item Civil rights activists + \item Everyone else + \end{itemize} + \end{block}\pause + \begin{block}{I2P and tor} + \begin{itemize} + \item Tor: directory authorities $\leftrightarrow$ I2P: + decentralized DHT + \item Tor: proxy to the outside world $\leftrightarrow$ I2P: + separated \emph{Darknet} + \end{itemize} + \end{block} +\end{frame} + +\begin{frame} + \frametitle{Introduction to I2P} \begin{itemize}\addtolength{\itemsep}{1\baselineskip} - \item Solution for anonymous Communication + \item Solution for anonymous communication \item Separated from the ``Internet'' -- \emph{Darknet} - \item Fully distributed Design - \item Based on Onion Routing + \item Fully distributed design + \item Based on onion-routing \item Between 18,000 and 28,000 active users \end{itemize} \end{frame} + \section{I2P} \begin{frame} \frametitle{I2P} \begin{multicols}{2} \begin{block}{Router} \begin{itemize} - \item Handle Connections - \item Provide Name Services + \item Handle connections + \item Provide name services \end{itemize} \end{block} - \pause +% \pause \begin{block}{Applications} \begin{itemize} - \item Server, Client or P2P Software - \item Sockets interface with TCP-like or UDP-like Semantics + \item Server, client or P2P software + \item Sockets interface with TCP-like or UDP-like semantics \end{itemize} \end{block} - \pause +% \pause \begin{figure} \centering \begin{tikzpicture}[scale=1.2] 
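Review bot: The block title `I2P and tor` lowercases the project name while the two items below it write `Tor:`; `\begin{block}{I2P and Tor}` keeps the spelling consistent. The `\pause` commands in the Router and Applications blocks are disabled by commenting them out (`% \pause`) rather than removed, and the hunk at `@@ -137,21 +159,21 @@` does the same in the Tunnels frame; since the commit also drops the `handout` class option, it is unclear whether these are meant to come back, so either delete them or leave a one-line comment stating why they are kept.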
@@ -137,21 +159,21 @@ University of California, Santa Barbara} \begin{frame} \frametitle{Tunnels} \begin{itemize} - \item using onion-routing for anonymity - \item unidirectional - \item paired for bi-directional communication + \item Using onion-routing for anonymity + \item Unidirectional + \item Paired for bi-directional communication \end{itemize}\pause \begin{block}{Client Tunnels} \begin{itemize} - \item Used for Data Interactions - \item Several pro Application + \item Used for data interactions + \item Several per application \end{itemize} \end{block} - \pause +% \pause \begin{block}{Exploratory Tunnels} \begin{itemize} - \item Used for Database interaction - \item 2 to 3 per Node + \item Used for database interaction + \item 2 to 3 per node \end{itemize} \end{block} \end{frame} 
@@ -161,209 +183,29 @@ University of California, Santa Barbara} \begin{itemize} \item<1-> Kademlia-like DHT based on \texttt{XOR}-distance run on 320 super-nodes + \item<1-> Layout of the database changes completely every day \item<2-> \iip{databaseRecord}\\ Information named using a hash over their cryptographic Keys - \item<3-> \iip{storageLocation}\\ + \item<2-> \iip{storageLocation}\\ Hash over name and today's date - \item<4-> \iip{routerInfo}\\ - Peer information: IP address, Port, Protocol, Keys - \item<5-> \iip{leaseSet}\\ - Service Information: Entry tunnels, Keys + \item<3-> \iip{routerInfo}\\ + Peer information: IP address, port, protocol, keys + \item<3-> \iip{leaseSet}\\ + Service information: Entry tunnels, keys \end{itemize} - % \begin{multicols}{2} - % \begin{block}{\iip{routerInfo}} - % \begin{itemize} - % \item Peer information: IP address, Port, Protocol, Keys - % \end{itemize} - % \end{block} - % \begin{block}{\iip{leaseSet}} - % \begin{itemize} - % \item Service Information: Entry tunnels, Keys - % \end{itemize} - % \end{block} - % % \begin{figure} - % % \centering - % % \begin{tikzpicture} - % % \node[draw,rectangle split, rectangle split parts=2] (lease) at (-3em,0) {\iip{leaseSet}\nodepart{second}\tiny{Keys}}; - % % \node[draw,rectangle split, rectangle split parts=2] (router) at (3em,0) {\iip{routerInfo}\nodepart{second}\tiny{Keys}}; - % % \node[draw,ellipse] (hashfn1) at (0,-3em) {\tiny{SHA256}}; - % % \node[draw,rectangle] (hash1) at (0,-5.5em) {\iip{resourceIdentifier}}; - % % \node[draw,rectangle,right=-0.1mm of hash1.east] (day) {Date}; - - % % \node[draw,ellipse] (hashfn1) at (0,-8em) {\tiny{SHA256}}; - % % \node[draw,rectangle] (resID) at (0,-10.5em) {\iip{storageLocation}}; - % % \end{tikzpicture} - % % \end{figure} - % \end{multicols} \end{frame} \begin{frame} \frametitle{Sample Interaction} + Accessing a hidden website -- ``http://civilrights.i2p'' \begin{figure} \centering - \begin{tikzpicture}[scale=1.2] - \tikzstyle{every 
node}=[font=\small] -% netDB - \foreach \sector in {% - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% - { - \node[netdb,cylinder, shape border - rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector + - .6)} : 10.5mm) {\sector}; - } - \node at (0, 0) {netDB}; -% client - \node[minimum width=9.5em,minimum - height=5em,draw=black,thick,fill=yellow!60!white,rounded corners](clientpc) at (27.5mm,9mm) {}; - \node[client](client) at (30.5mm, 12mm) {Server Router}; - \node[rectangle,draw,below=0mm of client.south west] {Application}; - \node[above=0mm of clientpc.south] {Server's System}; -% server - \node[minimum width=9.5em,minimum - height=5em,draw=black,thick,fill=yellow!60!white,rounded corners](clientpc) at (-38mm,9mm) {}; - \node[client](server) at (-42mm, 12mm) {Client Router}; - \node[rectangle,draw,below=0mm of server.south east] {Application}; - \node[above=0mm of clientpc.south] {Client's System}; -% client client tunnel - \node[chain,minimum size=7em,minimum - height=3em,draw=none,fill=green!30!white,rounded corners](tunnel) at (16mm,22.5mm) {}; - \node[above=0mm of tunnel.north] {Server's data tunnel pair}; -% \node[tunnel,minimum width=9.5em] at (16mm, 19mm) {}; -% \node[tunnel,minimum width=9.5em] at (16mm, 22mm) {}; -% - \node[chain,top color=white,bottom color=green] (cco1) at (23mm, 21mm) {}; - \path[arrow] ([xshift=4mm]client.north) |- (cco1.east); - \node[chain,top color=white,bottom color=green] (cco2) at (16mm, 21mm) {}; - \path[arrow] (cco1.west) -- (cco2.east); - \node[chain,top color=white,bottom color=green] (cco3) at (9mm, 21mm) {}; - \path[arrow] (cco2.west) -- (cco3.east); - \node[chain,top color=white,bottom color=green] (cci1) at (23mm, 24mm) {}; - \path[arrow] (cci1.east) -| ([xshift=5mm]client.north); - \node[chain,top color=white,bottom color=green] (cci2) at (16mm, 24mm) {}; - \path[arrow] (cci2.east) -- (cci1.west); - \node[chain,top color=white,bottom color=green] (cci3) at (9mm, 24mm) {}; - \path[arrow] (cci3.east) -- (cci2.west); -% 
server client tunnel - \node[chain,minimum size=7em,minimum - height=3em,draw=none,fill=green!30!white,rounded corners](tunnel) at (-30mm,22.5mm) {}; - \node[above=0mm of tunnel.north] {Client's data tunnel pair}; -% \node[tunnel,minimum width=9.5em] at (-34mm, 19mm) {}; -% \node[tunnel,minimum width=9.5em] at (-34mm, 22mm) {}; -% - \node[chain,top color=white,bottom color=green] (csi1) at (-37mm, 21mm) {}; - \path[arrow,<-] ([xshift=-4mm]server.north) |- (csi1.west); - \node[chain,top color=white,bottom color=green] (csi2) at (-30mm, 21mm) {}; - \path[arrow,<-] (csi1.east) -- (csi2.west); - \node[chain,top color=white,bottom color=green] (csi3) at (-23mm, 21mm) {}; - \path[arrow,<-] (csi2.east) -- (csi3.west); - \node[chain,top color=white,bottom color=green] (cso1) at (-37mm, 24mm) {}; - \path[arrow,<-] (cso1.west) -| ([xshift=-5mm]server.north); - \node[chain,top color=white,bottom color=green] (cso2) at (-30mm, 24mm) {}; - \path[arrow,<-] (cso2.west) -- (cso1.east); - \node[chain,top color=white,bottom color=green] (cso3) at (-23mm, 24mm) {}; - \path[arrow,<-] (cso3.west) -- (cso2.east); -% client exploratory tunnel - \node[chain,minimum size=6em,minimum - height=3em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-32.5mm,-6.5mm) {}; - \node[below=0mm of tunnel.south,align=center] {Client's exploratory\\tunnel pair}; -% \node[tunnel,minimum width=7.5em] at (-36.5mm, 0mm) {}; -% \node[tunnel,minimum width=7.5em] at (-36.5mm, -3mm) {}; -% - \node[chain,top color=white,bottom color=blue] (eo1) at (-36mm, -5mm) {}; - \path[arrow] ([xshift=-4mm]server.south) |- (eo1.west); - \node[chain,top color=white,bottom color=blue] (ei1) at (-36mm, -8mm) {}; - \path[arrow,<-] ([xshift=-5mm]server.south) |- (ei1.west); - \node[chain,top color=white,bottom color=blue] (eo2) at (-29mm, -5mm) {}; - \path[arrow] (eo1.east) -- (eo2.west); - \node[chain,top color=white,bottom color=blue] (ei2) at (-29mm, -8mm) {}; - \path[arrow,<-] (ei1.east) -- (ei2.west); -% service 
lookup - \draw[arrow,bend right=20,dashdotted] (eo2.east) to node[above=.8em,align=center] {service\\lookup} (node4.west); - \draw[arrow,bend right=10,<-,dashdotted] (ei2.east) to node {} ([yshift=-1mm]node4.west); -% data link - \draw[arrow,bend left=15,dashdotted] (cco3.west) to node {} (csi3.east); - \draw[arrow,bend right=15,dashdotted] (cci3.west) to node {} (cso3.east); - \node at (-9mm,22.5mm) {Data connection}; -\end{tikzpicture} -% \foreach \sector in {% -% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% -% { -% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 10mm) {\sector}; -% } -% \node at (0, 0) {netDB}; -% % client -% \node[client](client) at (28mm, 12mm) {Server Router}; -% \node[rectangle,draw,below=0mm of client.south west] {Application}; -% \node[minimum width=7em,minimum height=4em,draw=gray](clientpc) at (25mm,9mm) {}; -% \node[above=0mm of clientpc.south] {Server's System}; -% % server -% \node[client](server) at (-42mm, 12mm) {Client Router}; -% \node[rectangle,draw,below=0mm of server.south east] {Application}; -% \node[minimum width=7em,minimum height=4em,draw=gray](clientpc) at (-38mm,9mm) {}; -% \node[above=0mm of clientpc.south] {Client's System}; -% % client client tunnel -% \node[chain,minimum size=6.5em,minimum height=2em,draw=gray](tunnel) at (16mm,20.5mm) {}; -% \node[above=0mm of tunnel.north] {Server's data tunnel pair}; -% % \node[tunnel,minimum width=9.5em] at (16mm, 19mm) {}; -% % \node[tunnel,minimum width=9.5em] at (16mm, 22mm) {}; -% % -% \node[chain] (cco1) at (23mm, 19mm) {}; -% \path[arrow] ([xshift=4mm]client.north) |- (cco1.east); -% \node[chain] (cco2) at (16mm, 19mm) {}; -% \path[arrow] (cco1.west) -- (cco2.east); -% \node[chain] (cco3) at (9mm, 19mm) {}; -% \path[arrow] (cco2.west) -- (cco3.east); -% \node[chain] (cci1) at (23mm, 22mm) {}; -% \path[arrow] (cci1.east) -| ([xshift=5mm]client.north); -% \node[chain] (cci2) at (16mm, 22mm) {}; -% \path[arrow] (cci2.east) -- (cci1.west); -% \node[chain] (cci3) at (9mm, 22mm) {}; -% 
\path[arrow] (cci3.east) -- (cci2.west); -% % server client tunnel -% \node[chain,minimum size=6.5em,minimum height=2em,draw=gray](tunnel) at (-30mm,20.5mm) {}; -% \node[above=0mm of tunnel.north] {Client's data tunnel pair}; -% % \node[tunnel,minimum width=9.5em] at (-34mm, 19mm) {}; -% % \node[tunnel,minimum width=9.5em] at (-34mm, 22mm) {}; -% % -% \node[chain] (csi1) at (-37mm, 19mm) {}; -% \path[arrow,<-] ([xshift=-4mm]server.north) |- (csi1.west); -% \node[chain] (csi2) at (-30mm, 19mm) {}; -% \path[arrow,<-] (csi1.east) -- (csi2.west); -% \node[chain] (csi3) at (-23mm, 19mm) {}; -% \path[arrow,<-] (csi2.east) -- (csi3.west); -% \node[chain] (cso1) at (-37mm, 22mm) {}; -% \path[arrow,<-] (cso1.west) -| ([xshift=-5mm]server.north); -% \node[chain] (cso2) at (-30mm, 22mm) {}; -% \path[arrow,<-] (cso2.west) -- (cso1.east); -% \node[chain] (cso3) at (-23mm, 22mm) {}; -% \path[arrow,<-] (cso3.west) -- (cso2.east); -% % client exploratory tunnel -% \node[chain,minimum size=4.5em,minimum height=2em,draw=gray](tunnel) at (-32.5mm,-3.5mm) {}; -% \node[below=0mm of tunnel.south,align=center] {Client's exploratory\\tunnel pair}; -% % \node[tunnel,minimum width=7.5em] at (-36.5mm, 0mm) {}; -% % \node[tunnel,minimum width=7.5em] at (-36.5mm, -3mm) {}; -% % -% \node[chain] (eo1) at (-36mm, -2mm) {}; -% \path[arrow] ([xshift=-4mm]server.south) |- (eo1.west); -% \node[chain] (ei1) at (-36mm, -5mm) {}; -% \path[arrow,<-] ([xshift=-5mm]server.south) |- (ei1.west); -% \node[chain] (eo2) at (-29mm, -2mm) {}; -% \path[arrow] (eo1.east) -- (eo2.west); -% \node[chain] (ei2) at (-29mm, -5mm) {}; -% \path[arrow,<-] (ei1.east) -- (ei2.west); -% % service lookup -% \draw[arrow,bend right=20,dashdotted] (eo2.east) to node[above=.8em,align=center] {service\\lookup} (node4.west); -% \draw[arrow,bend right=10,<-,dashdotted] (ei2.east) to node {} ([yshift=-1mm]node4.west); -% % data link -% \draw[arrow,bend left=15,dashdotted] (cco3.west) to node {} (csi3.east); -% \draw[arrow,bend 
right=15,dashdotted] (cci3.west) to node {} (cso3.east); -% \node at (-9mm,20.5mm) {Data connection}; -% \end{tikzpicture} + \input{sample-interaction} \end{figure} \end{frame} \begin{frame} - \frametitle{Thread Model} + \frametitle{Threat Model} \begin{itemize}\addtolength{\itemsep}{1\baselineskip} \item Implicitly specified in terms of attacks considered \item Only allows local adversaries: No global view about traffic @@ -374,16 +216,18 @@ University of California, Santa Barbara} \end{itemize} \end{frame} -\section{Attacks} +\section{Sibyl Attack} \begin{frame} \frametitle{Sybil Attack} \begin{block}{Definition} - In a Sybil Attack, the adversary utilizes multiple identities to + In a sybil attack, the adversary utilizes multiple identities to break assumptions about the system \end{block}\pause \begin{block}{Goal} Gaining control over parts of the keyspace in the \iip{netDB} with - limited resources + limited resources. As a result be the only source considered for + certain pieces of data and therefore able to monitor every access + to it \end{block}\pause \begin{block}{Challenge} Active identities require considerable resources to be useful @@ -393,6 +237,26 @@ University of California, Santa Barbara} \end{block} \end{frame} +\begin{frame} + \frametitle{Sybil Attack} + \begin{block}{Generating identities} + \begin{itemize} + \item Building a database of 50,000 identities takes around 30 + minutes on 12-core Xeon server + \item 156 nodes on average between two adjacent database nodes + \item All identities available to all malicious nodes + \end{itemize} + \end{block}\pause + \begin{block}{Using identities} + \begin{itemize} + \item Malicious nodes can calculate the correct identities and + change identity at any time + \item Nodes coordinate to avoid duplicate identities + \end{itemize} + \end{block} +\end{frame} + +\section{Deanonymizing Users} \begin{frame} \frametitle{Deanonymizing Users} \begin{block}{Goal} 
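Review bot: `\input{sample-interaction}` replaces the inline TikZ picture with a file that this diff does not add, so unless `sample-interaction.tex` is already tracked the document no longer builds; the same applies to `\input{deanonymization}` in the hunk at `@@ -413,227 +277,37 @@`, the `fau_siegel` graphic in `@@ -39,9 +39,9 @@` and `42.pdf` in `@@ -642,14 +316,30 @@`. The address in `Accessing a hidden website -- ``http://civilrights.i2p''` is typed as plain text; beamer loads hyperref, so `\url{http://civilrights.i2p}` would keep it unbroken and copyable. The new item `Layout of the database changes completely every day` is stated before the `\iip{storageLocation}` item (`Hash over name and today's date`) that explains it; placing it as `\item<2->` directly after that item would let the explanation precede the claim. The Network Database frame this hunk edits begins before the hunk.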
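Review bot: The extended Goal text `limited resources. As a result be the only source considered for certain pieces of data and therefore able to monitor every access to it` has no subject in its second sentence and no closing period; `limited resources. As a result, the adversary becomes the only source consulted for certain pieces of data and can therefore observe every access to them.` reads cleanly. The Definition line now writes `In a sybil attack` in lower case while the frame title keeps `Sybil Attack`; the term is a proper name, so keeping the capital in the running text is the safer choice.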
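Review bot: `minutes on 12-core Xeon server` in the Generating identities block is missing an article (`minutes on a 12-core Xeon server`); the frame is moved here from the deleted Evaluation section, so the slip predates this commit but this is now its only copy. The item `156 nodes on average between two adjacent database nodes` does not say what is being counted; presumably it is generated identities that fall between two adjacent netDB entries, in which case `156 generated identities on average between two adjacent database nodes` would be clearer. The `Deanonymizing Users` frame that follows the new `\section{Deanonymizing Users}` continues outside the hunk.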
@@ -403,8 +267,8 @@ University of California, Santa Barbara}
 \begin{itemize}
 \item<2-> Nodes store their \iip{routerInfo} directly in the \iip{netDB}
 \item<3-> Nodes verify the storage 20 seconds later using one of their
- \iip{exploratory Tunnels}
- \item<4-> Nodes use the same \iip{exploratory Tunnel} again for
+ \iip{exploratory tunnels}
+ \item<4-> Nodes use the same \iip{exploratory tunnel} again for
 resource lookups
 \end{itemize}
 \end{block}
@@ -413,227 +277,37 @@ University of California, Santa Barbara} \begin{frame} \frametitle{Deanonymizing Users} \begin{figure} - \centering -\begin{tikzpicture}[scale=1.4] -% netDB - \foreach \sector in {% - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% - { - \node[netdb,cylinder, shape border rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector}; - } - \node at (0, 0) {netDB}; -% client - \node[client](client) at (-45mm, 12mm) {Client}; -% store - \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west); - \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west); -% flood - \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west); - \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west); - \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east); -% tunnels - \node[chain,minimum size=7em,minimum - height=3.5em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-35mm,-2.5mm) {}; - \node[below=2mm of tunnel.south] {exploratory tunnel pair}; -% \node[tunnel] at (-35mm, 0mm) {}; - \node[chain,top color=white,bottom color=blue] (ol) at (-40mm, 0mm) {}; - \node[chain,top color=white,bottom color=blue] (oe) at (-30mm, 0mm) {}; -% \node[tunnel] at (-35mm, -5mm) {}; - \node[chain,top color=white,bottom color=blue] (il) at (-40mm, -5mm) {}; - \node[chain,top color=white,bottom color=blue] (ie) at (-30mm, -5mm) {}; - \path[arrow] ([xshift=-1mm]client.south) |- (ol.west); - \path[arrow,<-] ([xshift=-3mm]client.south) |- (il.west); - \path[arrow] (ol.east) -- (oe.west); - \path[arrow,<-] (il.east) -- (ie.west); -% verify - \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west); - \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west); -%lookup - \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west); - 
\draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west); -\end{tikzpicture} -% \begin{tikzpicture}[scale=1.4,font=\tiny] -% % netDB -% \foreach \sector in {% -% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% -% { -% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector}; -% } -% \node at (0, 0) {netDB}; -% % client -% \node[client](client) at (-45mm, 12mm) {Client}; -% % store -% \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west); -% \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west); -% % flood -% \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west); -% \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west); -% \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east); -% % tunnels -% \node[chain,minimum size=6em,minimum height=3.5em,draw=gray](tunnel) at (-35mm,-2.5mm) {}; -% \node[below=2mm of tunnel.south] {exploratory tunnel pair}; -% % \node[tunnel] at (-35mm, 0mm) {}; -% \node[chain] (ol) at (-40mm, 0mm) {}; -% \node[chain] (oe) at (-30mm, 0mm) {}; -% % \node[tunnel] at (-35mm, -5mm) {}; -% \node[chain] (il) at (-40mm, -5mm) {}; -% \node[chain] (ie) at (-30mm, -5mm) {}; -% \path[arrow] ([xshift=-1mm]client.south) |- (ol.west); -% \path[arrow,<-] ([xshift=-2mm]client.south) |- (il.west); -% \path[arrow] (ol.east) -- (oe.west); -% \path[arrow,<-] (il.east) -- (ie.west); -% % verify -% \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west); -% \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west); -% %lookup -% \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west); -% \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west); -% \end{tikzpicture} -\end{figure} -\end{frame} - -\section{Evaluation} -\begin{frame} - 
\frametitle{Sybil Attack} - \begin{block}{Generating identities} - \begin{itemize} - \item Building a Database of 50,000 identities takes around 30 - minutes on 12-core Xeon server - \item 156 nodes on average between two adjacent database nodes - \item All identities available to all malicious nodes - \end{itemize} - \end{block}\pause - \begin{block}{Using identities} - \begin{itemize} - \item Malicious nodes can calculate the correct identities and - change identity at any time - \item Nodes coordinate to avoid duplicate identities - \end{itemize} - \end{block} + \centering + \input{deanonymization} + \end{figure} \end{frame} \begin{frame} \frametitle{Deanonyizing Attack} \begin{block}{Setup} \begin{itemize} - \item 20 attacking nodes in Santa Barbara + \item 20 attacking nodes in a single network \begin{itemize} \item 10 nodes capturing resource lookups \item 10 nodes performing timing attack on \iip{routerInfo} storage \end{itemize} - \item 6 monitoring nodes: 3 in Erlangen, 3 in Santa Barbara + \item 6 monitoring nodes: split between two continents \end{itemize} \end{block}\pause \begin{block}{Results} \begin{itemize} \item 60\,\% of potentially observable links detected \item 52\,\% of attributed hits correct - \item Working equally well for geographically remote Hosts + \item Working equally well for geographically remote hosts \end{itemize} \end{block} \end{frame} -\begin{frame} - \frametitle{Deanonymizing Users} - \begin{figure} - \centering -\begin{tikzpicture}[scale=1.4] -% netDB - \foreach \sector in {% - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% - { - \node[netdb,cylinder, shape border rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector}; - } - \node at (0, 0) {netDB}; -% client - \node[client](client) at (-45mm, 12mm) {Client}; -% store - \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west); - \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west); -% flood - 
\draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west); - \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west); - \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east); -% tunnels - \node[chain,minimum size=7em,minimum - height=3.5em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-35mm,-2.5mm) {}; - \node[below=2mm of tunnel.south] {exploratory tunnel pair}; -% \node[tunnel] at (-35mm, 0mm) {}; - \node[chain,top color=white,bottom color=blue] (ol) at (-40mm, 0mm) {}; - \node[chain,top color=white,bottom color=blue] (oe) at (-30mm, 0mm) {}; -% \node[tunnel] at (-35mm, -5mm) {}; - \node[chain,top color=white,bottom color=blue] (il) at (-40mm, -5mm) {}; - \node[chain,top color=white,bottom color=blue] (ie) at (-30mm, -5mm) {}; - \path[arrow] ([xshift=-1mm]client.south) |- (ol.west); - \path[arrow,<-] ([xshift=-3mm]client.south) |- (il.west); - \path[arrow] (ol.east) -- (oe.west); - \path[arrow,<-] (il.east) -- (ie.west); -% verify - \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west); - \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west); -%lookup - \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west); - \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west); -\end{tikzpicture} -% \begin{tikzpicture}[scale=1.4,font=\tiny] -% % netDB -% \foreach \sector in {% -% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}% -% { -% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector}; -% } -% \node at (0, 0) {netDB}; -% % client -% \node[client](client) at (-45mm, 12mm) {Client}; -% % store -% \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west); -% \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west); -% % flood -% \draw[arrow,draw,bend right=15] (node7.south 
east) to node {} (node8.south west); -% \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west); -% \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east); -% % tunnels -% \node[chain,minimum size=6em,minimum height=3.5em,draw=gray](tunnel) at (-35mm,-2.5mm) {}; -% \node[below=2mm of tunnel.south] {exploratory tunnel pair}; -% % \node[tunnel] at (-35mm, 0mm) {}; -% \node[chain] (ol) at (-40mm, 0mm) {}; -% \node[chain] (oe) at (-30mm, 0mm) {}; -% % \node[tunnel] at (-35mm, -5mm) {}; -% \node[chain] (il) at (-40mm, -5mm) {}; -% \node[chain] (ie) at (-30mm, -5mm) {}; -% \path[arrow] ([xshift=-1mm]client.south) |- (ol.west); -% \path[arrow,<-] ([xshift=-2mm]client.south) |- (il.west); -% \path[arrow] (ol.east) -- (oe.west); -% \path[arrow,<-] (il.east) -- (ie.west); -% % verify -% \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west); -% \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west); -% %lookup -% \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west); -% \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west); -% \end{tikzpicture} -\end{figure} -\end{frame} - -\begin{frame} - \frametitle{Results for multiple Hits} - % \small{ - % $N=144$, Number of time slices\\ - % $q=0.001$, 7\,\% of total nodes accessing the resource once a day\\ - % $x=0.52\cdot p + 0.48\cdot q$ \\ - % $P(k~hits) = {N \choose k} x^k \cdot (1-x)^{N-k}$} - \begin{figure} - \centering - \includegraphics[width=.9\textwidth]{graph} - \end{figure} -\end{frame} - \section{Conclusions} - \begin{frame} \frametitle{Limitations} \begin{itemize}\addtolength{\itemsep}{1\baselineskip} - \item Only works reliable for longer/repeated resource access + \item Only works reliably for longer/repeated resource access \item Less reliable for popular resources \item Needs extra resources per tracked user and 
per resource \end{itemize} @@ -642,14 +316,30 @@ University of California, Santa Barbara} \begin{frame} \frametitle{I2P Improvements} \begin{itemize}\addtolength{\itemsep}{1\baselineskip} - \item Limiting \iip{netDB} nodes per IPv4 network - \item Ignoring new \iip{netDB} nodes - \item Removing storage verification - \item Randomizing the time delta - \item Expiring tunnels after storage verification + \item Working with I2P developers to make it secure again + \item<2-> Implemented improvements + \begin{itemize} + \item Limiting \iip{netDB} nodes per IPv4 network + \item Randomizing the time delta + \item Ongoing discussion about deeper modifications to the \iip{netDB} + \end{itemize} + \item<3-> Further improvements + \begin{itemize} + \item Ignoring new \iip{netDB} nodes + \item Removing storage verification + \item Expiring tunnels after storage verification + \end{itemize} \end{itemize} \end{frame} +\begin{frame}{Questions?} + \vspace*{\fill} + \begin{center} + \includegraphics[width=7cm]{42.pdf} + \end{center} + \vspace*{\fill} +\end{frame} + \begin{frame} \frametitle{Bibliography} \nocite{Mittal:2012}
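Review bot: The context line `\frametitle{Deanonyizing Attack}` on the Setup/Results frame misspells the title; the neighbouring frames use `\frametitle{Deanonymizing Users}`, so it should read `\frametitle{Deanonymizing Attack}`. The Limitations frame at the end of this hunk continues outside it.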
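Review bot: `\includegraphics[width=7cm]{42.pdf}` on the new Questions frame gives the file extension and an absolute width; `\includegraphics[width=0.6\linewidth]{42}` keeps the graphic proportional to the slide and lets graphicx choose the format, and the two `\vspace*{\fill}` lines can go because beamer centers frame content vertically by default (unless the class is loaded with `t`, which the hunk at `@@ -1,4 +1,4 @@` does not show). This frame also uses the inline title form `\begin{frame}{Questions?}` while every other frame in the file uses `\frametitle{}`; pick one. In the Improvements list, `Ongoing discussion about deeper modifications to the \iip{netDB}` sits under `Implemented improvements` although it describes a discussion rather than a shipped change; it fits better under `Further improvements`, or the `<2->` item's label should be widened.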