-\documentclass[handout]{beamer}
+\documentclass{beamer}
\usetheme{i4}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\vspace{1.5em}
\titlepage
\begin{center}
- \includegraphics[width=0.2\paperwidth]{ucsbseal}
+ \includegraphics[width=0.23\paperwidth]{fau_siegel}
\hspace{1.5em}
- \includegraphics[width=0.25\paperwidth]{streifenlogo}
+ \includegraphics[width=0.25\paperwidth]{ucsbseal}
\end{center}
\end{frame}
\item Tunnels
\item Network Database
\item \textcolor{gray}{Floodfill Participation}
- \item Thread model
+ \item Threat model
\end{itemize}
\end{block}
- \begin{block}{Attacks}
+ \begin{block}{\textcolor{gray}{Floodfill Takeover Attack}}
+
+ \end{block}
+ \begin{block}{Sibyl Attack}
\begin{itemize}
- \item \textcolor{gray}{Floodfill Takeover Attack}
- \item Sybil Attack
- \item \textcolor{gray}{Eclipse Attack}
- \item Deanonymization Attack
+ \item Attack Description
+ \item Evaluation
\end{itemize}
\end{block}
- \begin{block}{Evaluation}
+ \begin{block}{\textcolor{gray}{Eclipse Attack}}
+
+ \end{block}
+ \begin{block}{Deanonymization Attack}
\begin{itemize}
- \item \textcolor{gray}{Floodfill Takeover Attack}
- \item Sybil Attack
- \item \textcolor{gray}{Eclipse Attack}
- \item Deanonymization Attack
- \end{itemize}
+ \item Attack Description
+ \item Evaluation
+ \end{itemize}
\end{block}
\begin{block}{Conclusions}
\begin{itemize}
\item Limitations
- \item I2P Improvements
+ \item I2P improvements
\item \textcolor{gray}{Related Work}
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
- \frametitle{Introduction I2P}
+ \frametitle{Anonymity}
+ \begin{block}{Who needs anonymity}
+ \begin{itemize}
+ \item Criminals
+ \item Civil rights activists
+ \item Everyone else
+ \end{itemize}
+ \end{block}\pause
+ \begin{block}{I2P and tor}
+ \begin{itemize}
+ \item Tor: directory authorities $\leftrightarrow$ I2P:
+ decentralized DHT
+ \item Tor: proxy to the outside world $\leftrightarrow$ I2P:
+ separated \emph{Darknet}
+ \end{itemize}
+ \end{block}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Introduction to I2P}
\begin{itemize}\addtolength{\itemsep}{1\baselineskip}
- \item Solution for anonymous Communication
+ \item Solution for anonymous communication
\item Separated from the ``Internet'' -- \emph{Darknet}
- \item Fully distributed Design
- \item Based on Onion Routing
+ \item Fully distributed design
+ \item Based on onion-routing
\item Between 18,000 and 28,000 active users
\end{itemize}
\end{frame}
+
\section{I2P}
\begin{frame}
\frametitle{I2P}
\begin{multicols}{2}
\begin{block}{Router}
\begin{itemize}
- \item Handle Connections
- \item Provide Name Services
+ \item Handle connections
+ \item Provide name services
\end{itemize}
\end{block}
- \pause
+% \pause
\begin{block}{Applications}
\begin{itemize}
- \item Server, Client or P2P Software
- \item Sockets interface with TCP-like or UDP-like Semantics
+ \item Server, client or P2P software
+ \item Sockets interface with TCP-like or UDP-like semantics
\end{itemize}
\end{block}
- \pause
+% \pause
\begin{figure}
\centering
\begin{tikzpicture}[scale=1.2]
\begin{frame}
\frametitle{Tunnels}
\begin{itemize}
- \item using onion-routing for anonymity
- \item unidirectional
- \item paired for bi-directional communication
+ \item Using onion-routing for anonymity
+ \item Unidirectional
+ \item Paired for bi-directional communication
\end{itemize}\pause
\begin{block}{Client Tunnels}
\begin{itemize}
- \item Used for Data Interactions
- \item Several pro Application
+ \item Used for data interactions
+ \item Several per application
\end{itemize}
\end{block}
- \pause
+% \pause
\begin{block}{Exploratory Tunnels}
\begin{itemize}
- \item Used for Database interaction
- \item 2 to 3 per Node
+ \item Used for database interaction
+ \item 2 to 3 per node
\end{itemize}
\end{block}
\end{frame}
\begin{itemize}
\item<1-> Kademlia-like DHT based on \texttt{XOR}-distance run on
320 super-nodes
+ \item<1-> Layout of the database changes completely every day
\item<2-> \iip{databaseRecord}\\
Information named using a hash over their cryptographic Keys
- \item<3-> \iip{storageLocation}\\
+ \item<2-> \iip{storageLocation}\\
Hash over name and today's date
- \item<4-> \iip{routerInfo}\\
- Peer information: IP address, Port, Protocol, Keys
- \item<5-> \iip{leaseSet}\\
- Service Information: Entry tunnels, Keys
+ \item<3-> \iip{routerInfo}\\
+ Peer information: IP address, port, protocol, keys
+ \item<3-> \iip{leaseSet}\\
+ Service information: Entry tunnels, keys
\end{itemize}
- % \begin{multicols}{2}
- % \begin{block}{\iip{routerInfo}}
- % \begin{itemize}
- % \item Peer information: IP address, Port, Protocol, Keys
- % \end{itemize}
- % \end{block}
- % \begin{block}{\iip{leaseSet}}
- % \begin{itemize}
- % \item Service Information: Entry tunnels, Keys
- % \end{itemize}
- % \end{block}
- % % \begin{figure}
- % % \centering
- % % \begin{tikzpicture}
- % % \node[draw,rectangle split, rectangle split parts=2] (lease) at (-3em,0) {\iip{leaseSet}\nodepart{second}\tiny{Keys}};
- % % \node[draw,rectangle split, rectangle split parts=2] (router) at (3em,0) {\iip{routerInfo}\nodepart{second}\tiny{Keys}};
- % % \node[draw,ellipse] (hashfn1) at (0,-3em) {\tiny{SHA256}};
- % % \node[draw,rectangle] (hash1) at (0,-5.5em) {\iip{resourceIdentifier}};
- % % \node[draw,rectangle,right=-0.1mm of hash1.east] (day) {Date};
-
- % % \node[draw,ellipse] (hashfn1) at (0,-8em) {\tiny{SHA256}};
- % % \node[draw,rectangle] (resID) at (0,-10.5em) {\iip{storageLocation}};
- % % \end{tikzpicture}
- % % \end{figure}
- % \end{multicols}
\end{frame}
\begin{frame}
\frametitle{Sample Interaction}
+ Accessing a hidden website -- ``http://civilrights.i2p''
\begin{figure}
\centering
- \begin{tikzpicture}[scale=1.2]
- \tikzstyle{every node}=[font=\small]
-% netDB
- \foreach \sector in {%
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
- {
- \node[netdb,cylinder, shape border
- rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector +
- .6)} : 10.5mm) {\sector};
- }
- \node at (0, 0) {netDB};
-% client
- \node[minimum width=9.5em,minimum
- height=5em,draw=black,thick,fill=yellow!60!white,rounded corners](clientpc) at (27.5mm,9mm) {};
- \node[client](client) at (30.5mm, 12mm) {Server Router};
- \node[rectangle,draw,below=0mm of client.south west] {Application};
- \node[above=0mm of clientpc.south] {Server's System};
-% server
- \node[minimum width=9.5em,minimum
- height=5em,draw=black,thick,fill=yellow!60!white,rounded corners](clientpc) at (-38mm,9mm) {};
- \node[client](server) at (-42mm, 12mm) {Client Router};
- \node[rectangle,draw,below=0mm of server.south east] {Application};
- \node[above=0mm of clientpc.south] {Client's System};
-% client client tunnel
- \node[chain,minimum size=7em,minimum
- height=3em,draw=none,fill=green!30!white,rounded corners](tunnel) at (16mm,22.5mm) {};
- \node[above=0mm of tunnel.north] {Server's data tunnel pair};
-% \node[tunnel,minimum width=9.5em] at (16mm, 19mm) {};
-% \node[tunnel,minimum width=9.5em] at (16mm, 22mm) {};
-%
- \node[chain,top color=white,bottom color=green] (cco1) at (23mm, 21mm) {};
- \path[arrow] ([xshift=4mm]client.north) |- (cco1.east);
- \node[chain,top color=white,bottom color=green] (cco2) at (16mm, 21mm) {};
- \path[arrow] (cco1.west) -- (cco2.east);
- \node[chain,top color=white,bottom color=green] (cco3) at (9mm, 21mm) {};
- \path[arrow] (cco2.west) -- (cco3.east);
- \node[chain,top color=white,bottom color=green] (cci1) at (23mm, 24mm) {};
- \path[arrow] (cci1.east) -| ([xshift=5mm]client.north);
- \node[chain,top color=white,bottom color=green] (cci2) at (16mm, 24mm) {};
- \path[arrow] (cci2.east) -- (cci1.west);
- \node[chain,top color=white,bottom color=green] (cci3) at (9mm, 24mm) {};
- \path[arrow] (cci3.east) -- (cci2.west);
-% server client tunnel
- \node[chain,minimum size=7em,minimum
- height=3em,draw=none,fill=green!30!white,rounded corners](tunnel) at (-30mm,22.5mm) {};
- \node[above=0mm of tunnel.north] {Client's data tunnel pair};
-% \node[tunnel,minimum width=9.5em] at (-34mm, 19mm) {};
-% \node[tunnel,minimum width=9.5em] at (-34mm, 22mm) {};
-%
- \node[chain,top color=white,bottom color=green] (csi1) at (-37mm, 21mm) {};
- \path[arrow,<-] ([xshift=-4mm]server.north) |- (csi1.west);
- \node[chain,top color=white,bottom color=green] (csi2) at (-30mm, 21mm) {};
- \path[arrow,<-] (csi1.east) -- (csi2.west);
- \node[chain,top color=white,bottom color=green] (csi3) at (-23mm, 21mm) {};
- \path[arrow,<-] (csi2.east) -- (csi3.west);
- \node[chain,top color=white,bottom color=green] (cso1) at (-37mm, 24mm) {};
- \path[arrow,<-] (cso1.west) -| ([xshift=-5mm]server.north);
- \node[chain,top color=white,bottom color=green] (cso2) at (-30mm, 24mm) {};
- \path[arrow,<-] (cso2.west) -- (cso1.east);
- \node[chain,top color=white,bottom color=green] (cso3) at (-23mm, 24mm) {};
- \path[arrow,<-] (cso3.west) -- (cso2.east);
-% client exploratory tunnel
- \node[chain,minimum size=6em,minimum
- height=3em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-32.5mm,-6.5mm) {};
- \node[below=0mm of tunnel.south,align=center] {Client's exploratory\\tunnel pair};
-% \node[tunnel,minimum width=7.5em] at (-36.5mm, 0mm) {};
-% \node[tunnel,minimum width=7.5em] at (-36.5mm, -3mm) {};
-%
- \node[chain,top color=white,bottom color=blue] (eo1) at (-36mm, -5mm) {};
- \path[arrow] ([xshift=-4mm]server.south) |- (eo1.west);
- \node[chain,top color=white,bottom color=blue] (ei1) at (-36mm, -8mm) {};
- \path[arrow,<-] ([xshift=-5mm]server.south) |- (ei1.west);
- \node[chain,top color=white,bottom color=blue] (eo2) at (-29mm, -5mm) {};
- \path[arrow] (eo1.east) -- (eo2.west);
- \node[chain,top color=white,bottom color=blue] (ei2) at (-29mm, -8mm) {};
- \path[arrow,<-] (ei1.east) -- (ei2.west);
-% service lookup
- \draw[arrow,bend right=20,dashdotted] (eo2.east) to node[above=.8em,align=center] {service\\lookup} (node4.west);
- \draw[arrow,bend right=10,<-,dashdotted] (ei2.east) to node {} ([yshift=-1mm]node4.west);
-% data link
- \draw[arrow,bend left=15,dashdotted] (cco3.west) to node {} (csi3.east);
- \draw[arrow,bend right=15,dashdotted] (cci3.west) to node {} (cso3.east);
- \node at (-9mm,22.5mm) {Data connection};
-\end{tikzpicture}
-% \foreach \sector in {%
-% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
-% {
-% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 10mm) {\sector};
-% }
-% \node at (0, 0) {netDB};
-% % client
-% \node[client](client) at (28mm, 12mm) {Server Router};
-% \node[rectangle,draw,below=0mm of client.south west] {Application};
-% \node[minimum width=7em,minimum height=4em,draw=gray](clientpc) at (25mm,9mm) {};
-% \node[above=0mm of clientpc.south] {Server's System};
-% % server
-% \node[client](server) at (-42mm, 12mm) {Client Router};
-% \node[rectangle,draw,below=0mm of server.south east] {Application};
-% \node[minimum width=7em,minimum height=4em,draw=gray](clientpc) at (-38mm,9mm) {};
-% \node[above=0mm of clientpc.south] {Client's System};
-% % client client tunnel
-% \node[chain,minimum size=6.5em,minimum height=2em,draw=gray](tunnel) at (16mm,20.5mm) {};
-% \node[above=0mm of tunnel.north] {Server's data tunnel pair};
-% % \node[tunnel,minimum width=9.5em] at (16mm, 19mm) {};
-% % \node[tunnel,minimum width=9.5em] at (16mm, 22mm) {};
-% %
-% \node[chain] (cco1) at (23mm, 19mm) {};
-% \path[arrow] ([xshift=4mm]client.north) |- (cco1.east);
-% \node[chain] (cco2) at (16mm, 19mm) {};
-% \path[arrow] (cco1.west) -- (cco2.east);
-% \node[chain] (cco3) at (9mm, 19mm) {};
-% \path[arrow] (cco2.west) -- (cco3.east);
-% \node[chain] (cci1) at (23mm, 22mm) {};
-% \path[arrow] (cci1.east) -| ([xshift=5mm]client.north);
-% \node[chain] (cci2) at (16mm, 22mm) {};
-% \path[arrow] (cci2.east) -- (cci1.west);
-% \node[chain] (cci3) at (9mm, 22mm) {};
-% \path[arrow] (cci3.east) -- (cci2.west);
-% % server client tunnel
-% \node[chain,minimum size=6.5em,minimum height=2em,draw=gray](tunnel) at (-30mm,20.5mm) {};
-% \node[above=0mm of tunnel.north] {Client's data tunnel pair};
-% % \node[tunnel,minimum width=9.5em] at (-34mm, 19mm) {};
-% % \node[tunnel,minimum width=9.5em] at (-34mm, 22mm) {};
-% %
-% \node[chain] (csi1) at (-37mm, 19mm) {};
-% \path[arrow,<-] ([xshift=-4mm]server.north) |- (csi1.west);
-% \node[chain] (csi2) at (-30mm, 19mm) {};
-% \path[arrow,<-] (csi1.east) -- (csi2.west);
-% \node[chain] (csi3) at (-23mm, 19mm) {};
-% \path[arrow,<-] (csi2.east) -- (csi3.west);
-% \node[chain] (cso1) at (-37mm, 22mm) {};
-% \path[arrow,<-] (cso1.west) -| ([xshift=-5mm]server.north);
-% \node[chain] (cso2) at (-30mm, 22mm) {};
-% \path[arrow,<-] (cso2.west) -- (cso1.east);
-% \node[chain] (cso3) at (-23mm, 22mm) {};
-% \path[arrow,<-] (cso3.west) -- (cso2.east);
-% % client exploratory tunnel
-% \node[chain,minimum size=4.5em,minimum height=2em,draw=gray](tunnel) at (-32.5mm,-3.5mm) {};
-% \node[below=0mm of tunnel.south,align=center] {Client's exploratory\\tunnel pair};
-% % \node[tunnel,minimum width=7.5em] at (-36.5mm, 0mm) {};
-% % \node[tunnel,minimum width=7.5em] at (-36.5mm, -3mm) {};
-% %
-% \node[chain] (eo1) at (-36mm, -2mm) {};
-% \path[arrow] ([xshift=-4mm]server.south) |- (eo1.west);
-% \node[chain] (ei1) at (-36mm, -5mm) {};
-% \path[arrow,<-] ([xshift=-5mm]server.south) |- (ei1.west);
-% \node[chain] (eo2) at (-29mm, -2mm) {};
-% \path[arrow] (eo1.east) -- (eo2.west);
-% \node[chain] (ei2) at (-29mm, -5mm) {};
-% \path[arrow,<-] (ei1.east) -- (ei2.west);
-% % service lookup
-% \draw[arrow,bend right=20,dashdotted] (eo2.east) to node[above=.8em,align=center] {service\\lookup} (node4.west);
-% \draw[arrow,bend right=10,<-,dashdotted] (ei2.east) to node {} ([yshift=-1mm]node4.west);
-% % data link
-% \draw[arrow,bend left=15,dashdotted] (cco3.west) to node {} (csi3.east);
-% \draw[arrow,bend right=15,dashdotted] (cci3.west) to node {} (cso3.east);
-% \node at (-9mm,20.5mm) {Data connection};
-% \end{tikzpicture}
+ \input{sample-interaction}
\end{figure}
\end{frame}
\begin{frame}
- \frametitle{Thread Model}
+ \frametitle{Threat Model}
\begin{itemize}\addtolength{\itemsep}{1\baselineskip}
\item Implicitly specified in terms of attacks considered
\item Only allows local adversaries: No global view about traffic
\end{itemize}
\end{frame}
-\section{Attacks}
+\section{Sibyl Attack}
\begin{frame}
\frametitle{Sybil Attack}
\begin{block}{Definition}
- In a Sybil Attack, the adversary utilizes multiple identities to
+ In a sybil attack, the adversary utilizes multiple identities to
break assumptions about the system
\end{block}\pause
\begin{block}{Goal}
Gaining control over parts of the keyspace in the \iip{netDB} with
- limited resources
+ limited resources. As a result be the only source considered for
+ certain pieces of data and therefore able to monitor every access
+ to it
\end{block}\pause
\begin{block}{Challenge}
Active identities require considerable resources to be useful
\end{block}
\end{frame}
+\begin{frame}
+ \frametitle{Sybil Attack}
+ \begin{block}{Generating identities}
+ \begin{itemize}
+ \item Building a database of 50,000 identities takes around 30
+ minutes on 12-core Xeon server
+ \item 156 nodes on average between two adjacent database nodes
+ \item All identities available to all malicious nodes
+ \end{itemize}
+ \end{block}\pause
+ \begin{block}{Using identities}
+ \begin{itemize}
+ \item Malicious nodes can calculate the correct identities and
+ change identity at any time
+ \item Nodes coordinate to avoid duplicate identities
+ \end{itemize}
+ \end{block}
+\end{frame}
+
+\section{Deanonymizing Users}
\begin{frame}
\frametitle{Deanonymizing Users}
\begin{block}{Goal}
\begin{itemize}
\item<2-> Nodes store their \iip{routerInfo} directly in the \iip{netDB}
\item<3-> Nodes verify the storage 20 seconds later using one of their
- \iip{exploratory Tunnels}
- \item<4-> Nodes use the same \iip{exploratory Tunnel} again for
+ \iip{exploratory tunnels}
+ \item<4-> Nodes use the same \iip{exploratory tunnel} again for
resource lookups
\end{itemize}
\end{block}
\begin{frame}
\frametitle{Deanonymizing Users}
\begin{figure}
- \centering
-\begin{tikzpicture}[scale=1.4]
-% netDB
- \foreach \sector in {%
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
- {
- \node[netdb,cylinder, shape border rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector};
- }
- \node at (0, 0) {netDB};
-% client
- \node[client](client) at (-45mm, 12mm) {Client};
-% store
- \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west);
- \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west);
-% flood
- \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west);
- \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west);
- \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east);
-% tunnels
- \node[chain,minimum size=7em,minimum
- height=3.5em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-35mm,-2.5mm) {};
- \node[below=2mm of tunnel.south] {exploratory tunnel pair};
-% \node[tunnel] at (-35mm, 0mm) {};
- \node[chain,top color=white,bottom color=blue] (ol) at (-40mm, 0mm) {};
- \node[chain,top color=white,bottom color=blue] (oe) at (-30mm, 0mm) {};
-% \node[tunnel] at (-35mm, -5mm) {};
- \node[chain,top color=white,bottom color=blue] (il) at (-40mm, -5mm) {};
- \node[chain,top color=white,bottom color=blue] (ie) at (-30mm, -5mm) {};
- \path[arrow] ([xshift=-1mm]client.south) |- (ol.west);
- \path[arrow,<-] ([xshift=-3mm]client.south) |- (il.west);
- \path[arrow] (ol.east) -- (oe.west);
- \path[arrow,<-] (il.east) -- (ie.west);
-% verify
- \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west);
- \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west);
-%lookup
- \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west);
- \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west);
-\end{tikzpicture}
-% \begin{tikzpicture}[scale=1.4,font=\tiny]
-% % netDB
-% \foreach \sector in {%
-% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
-% {
-% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector};
-% }
-% \node at (0, 0) {netDB};
-% % client
-% \node[client](client) at (-45mm, 12mm) {Client};
-% % store
-% \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west);
-% \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west);
-% % flood
-% \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west);
-% \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west);
-% \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east);
-% % tunnels
-% \node[chain,minimum size=6em,minimum height=3.5em,draw=gray](tunnel) at (-35mm,-2.5mm) {};
-% \node[below=2mm of tunnel.south] {exploratory tunnel pair};
-% % \node[tunnel] at (-35mm, 0mm) {};
-% \node[chain] (ol) at (-40mm, 0mm) {};
-% \node[chain] (oe) at (-30mm, 0mm) {};
-% % \node[tunnel] at (-35mm, -5mm) {};
-% \node[chain] (il) at (-40mm, -5mm) {};
-% \node[chain] (ie) at (-30mm, -5mm) {};
-% \path[arrow] ([xshift=-1mm]client.south) |- (ol.west);
-% \path[arrow,<-] ([xshift=-2mm]client.south) |- (il.west);
-% \path[arrow] (ol.east) -- (oe.west);
-% \path[arrow,<-] (il.east) -- (ie.west);
-% % verify
-% \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west);
-% \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west);
-% %lookup
-% \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west);
-% \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west);
-% \end{tikzpicture}
-\end{figure}
-\end{frame}
-
-\section{Evaluation}
-\begin{frame}
- \frametitle{Sybil Attack}
- \begin{block}{Generating identities}
- \begin{itemize}
- \item Building a Database of 50,000 identities takes around 30
- minutes on 12-core Xeon server
- \item 156 nodes on average between two adjacent database nodes
- \item All identities available to all malicious nodes
- \end{itemize}
- \end{block}\pause
- \begin{block}{Using identities}
- \begin{itemize}
- \item Malicious nodes can calculate the correct identities and
- change identity at any time
- \item Nodes coordinate to avoid duplicate identities
- \end{itemize}
- \end{block}
+ \centering
+ \input{deanonymization}
+ \end{figure}
\end{frame}
\begin{frame}
\frametitle{Deanonyizing Attack}
\begin{block}{Setup}
\begin{itemize}
- \item 20 attacking nodes in Santa Barbara
+ \item 20 attacking nodes in a single network
\begin{itemize}
\item 10 nodes capturing resource lookups
\item 10 nodes performing timing attack on \iip{routerInfo} storage
\end{itemize}
- \item 6 monitoring nodes: 3 in Erlangen, 3 in Santa Barbara
+ \item 6 monitoring nodes: split between two continents
\end{itemize}
\end{block}\pause
\begin{block}{Results}
\begin{itemize}
\item 60\,\% of potentially observable links detected
\item 52\,\% of attributed hits correct
- \item Working equally well for geographically remote Hosts
+ \item Working equally well for geographically remote hosts
\end{itemize}
\end{block}
\end{frame}
-\begin{frame}
- \frametitle{Deanonymizing Users}
- \begin{figure}
- \centering
-\begin{tikzpicture}[scale=1.4]
-% netDB
- \foreach \sector in {%
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
- {
- \node[netdb,cylinder, shape border rotate=90,fill=orange!50!white](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector};
- }
- \node at (0, 0) {netDB};
-% client
- \node[client](client) at (-45mm, 12mm) {Client};
-% store
- \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west);
- \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west);
-% flood
- \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west);
- \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west);
- \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east);
-% tunnels
- \node[chain,minimum size=7em,minimum
- height=3.5em,draw=none,fill=blue!30!white,rounded corners](tunnel) at (-35mm,-2.5mm) {};
- \node[below=2mm of tunnel.south] {exploratory tunnel pair};
-% \node[tunnel] at (-35mm, 0mm) {};
- \node[chain,top color=white,bottom color=blue] (ol) at (-40mm, 0mm) {};
- \node[chain,top color=white,bottom color=blue] (oe) at (-30mm, 0mm) {};
-% \node[tunnel] at (-35mm, -5mm) {};
- \node[chain,top color=white,bottom color=blue] (il) at (-40mm, -5mm) {};
- \node[chain,top color=white,bottom color=blue] (ie) at (-30mm, -5mm) {};
- \path[arrow] ([xshift=-1mm]client.south) |- (ol.west);
- \path[arrow,<-] ([xshift=-3mm]client.south) |- (il.west);
- \path[arrow] (ol.east) -- (oe.west);
- \path[arrow,<-] (il.east) -- (ie.west);
-% verify
- \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west);
- \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west);
-%lookup
- \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west);
- \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west);
-\end{tikzpicture}
-% \begin{tikzpicture}[scale=1.4,font=\tiny]
-% % netDB
-% \foreach \sector in {%
-% 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}%
-% {
-% \node[netdb](node\sector) at ({36 * (-\sector + .5)} : 12mm) {\sector};
-% }
-% \node at (0, 0) {netDB};
-% % client
-% \node[client](client) at (-45mm, 12mm) {Client};
-% % store
-% \draw[arrow,bend left=5,dashdotted] (client.north east) to node[above] {store} (node7.north west);
-% \draw[arrow,<-,bend left=5,dashdotted] (client.east) to node {} (node7.west);
-% % flood
-% \draw[arrow,draw,bend right=15] (node7.south east) to node {} (node8.south west);
-% \draw[arrow,draw,bend right=15] (node7.south east) to node[below] {replication} (node9.west);
-% \draw[arrow,draw,bend left=15] (node7.south east) to node {} (node6.north east);
-% % tunnels
-% \node[chain,minimum size=6em,minimum height=3.5em,draw=gray](tunnel) at (-35mm,-2.5mm) {};
-% \node[below=2mm of tunnel.south] {exploratory tunnel pair};
-% % \node[tunnel] at (-35mm, 0mm) {};
-% \node[chain] (ol) at (-40mm, 0mm) {};
-% \node[chain] (oe) at (-30mm, 0mm) {};
-% % \node[tunnel] at (-35mm, -5mm) {};
-% \node[chain] (il) at (-40mm, -5mm) {};
-% \node[chain] (ie) at (-30mm, -5mm) {};
-% \path[arrow] ([xshift=-1mm]client.south) |- (ol.west);
-% \path[arrow,<-] ([xshift=-2mm]client.south) |- (il.west);
-% \path[arrow] (ol.east) -- (oe.west);
-% \path[arrow,<-] (il.east) -- (ie.west);
-% % verify
-% \draw[arrow,bend left=5,dashdotted] (oe.north east) to node[above] {verify} ([yshift=1mm]node6.west);
-% \draw[arrow,bend left=15,<-,dashdotted] (ie.north east) to node {} (node6.west);
-% %lookup
-% \draw[arrow,bend right=15,dashdotted] (oe.south east) to node[above] {lookup} (node4.west);
-% \draw[arrow,bend right=5,<-,dashdotted] (ie.south east) to node {} ([yshift=-1mm]node4.west);
-% \end{tikzpicture}
-\end{figure}
-\end{frame}
-
-\begin{frame}
- \frametitle{Results for multiple Hits}
- % \small{
- % $N=144$, Number of time slices\\
- % $q=0.001$, 7\,\% of total nodes accessing the resource once a day\\
- % $x=0.52\cdot p + 0.48\cdot q$ \\
- % $P(k~hits) = {N \choose k} x^k \cdot (1-x)^{N-k}$}
- \begin{figure}
- \centering
- \includegraphics[width=.9\textwidth]{graph}
- \end{figure}
-\end{frame}
-
\section{Conclusions}
-
\begin{frame}
\frametitle{Limitations}
\begin{itemize}\addtolength{\itemsep}{1\baselineskip}
- \item Only works reliable for longer/repeated resource access
+ \item Only works reliably for longer/repeated resource access
\item Less reliable for popular resources
\item Needs extra resources per tracked user and per resource
\end{itemize}
\begin{frame}
\frametitle{I2P Improvements}
\begin{itemize}\addtolength{\itemsep}{1\baselineskip}
- \item Limiting \iip{netDB} nodes per IPv4 network
- \item Ignoring new \iip{netDB} nodes
- \item Removing storage verification
- \item Randomizing the time delta
- \item Expiring tunnels after storage verification
+ \item Working with I2P developers to make it secure again
+ \item<2-> Implemented improvements
+ \begin{itemize}
+ \item Limiting \iip{netDB} nodes per IPv4 network
+ \item Randomizing the time delta
+ \item Ongoing discussion about deeper modifications to the \iip{netDB}
+ \end{itemize}
+ \item<3-> Further improvements
+ \begin{itemize}
+ \item Ignoring new \iip{netDB} nodes
+ \item Removing storage verification
+ \item Expiring tunnels after storage verification
+ \end{itemize}
\end{itemize}
\end{frame}
+\begin{frame}{Questions?}
+ \vspace*{\fill}
+ \begin{center}
+ \includegraphics[width=7cm]{42.pdf}
+ \end{center}
+ \vspace*{\fill}
+\end{frame}
+
\begin{frame}
\frametitle{Bibliography}
\nocite{Mittal:2012}
projects / talk / attack-i2p-raid2013.git / commitdiff