Anonymous Routing in Wireless Networks: Onion Routing

Priyanka Banerjee

Organization

Introduction Traffic Analysis overview Onion Routing in Wired Networks Onion Routing in Wireless Networks conclusion

Introduction
Types of Attackers on the web:

Active Attackers Passive attackers

Traffic Analysis

Intercept traffic Capture packets Analyze packets Deduce useful information

Traffic analysis focuses on the headers, which contain meta data like source address, destination address, timing information etc

Hence even if the packet content is encrypted, Traffic analysis can reveal useful information

Importance of Traffic Analysis

Although traffic analysis provides lower quality information, it is preferred over cryptanalysis because it is easier than breaking complex encrypted messages [2] It is also cheaper because traffic data can be automatically collected and processed to provide a high degree of intelligence [2] It is used for military purposes [2] and by various organizations to track unpleasant events over the internet

Onion Routing

Onion routing is the the mechanism in which the sender (initiator) and the receiver (responder) nodes communicate with each other anonymously by means of some intermediate nodes called as onion routers It relies on public key cryptoraphy

Infrastructure for Onion Routing

Network Infrastructure

Proxy Interfaces

Steps in Onion Routing

Defining a route Constructing an anonymous connection Moving data through an anonymous connection Destroying the anonymous connection

Example

Let onion routers 4, 3, and 5 be randomly selected by the onion proxy

The proxy encrypts the data with 5s public key followed by 3 and then 4 Thus an onion is created which looks like E4pu (3s IP address, E3pu ((5s IP address, (E5pu (recipients IP address, data)))))

The proxy then sends the onion to the first onion router i.e. 4 Onion router 4 peels the outer layer of the onion using its private key It forwards the onion to 3 which now looks like E3pu ((5s IP address, (E5pu (recipients IP address, data))))

Onion router 3 peels the outer layer of the onion using its private key It forwards the onion to 5 which now looks like (E5pu (recipients IP address, data))

Onion router 5 now peels the outer layer of the onion using its private key It finds plain data and the destination address and forwards it to the destination

Problems and solutions

The size of the onion reduces as it nears the destination Hence an attacker can infer details about the destination To avoid this onions are padded at each onion router to maintain the size of the onion (Onions can be padded to same or different sizes )

Every onion router has details of only its previous and next hop So even if an onion router has been compromised the attacker can only get the encrypted onion .He will not be able to decrypt the onion without the private keys and hence will not infer any valuable information from it

Suppose an attacker records data going on between routers and is able to compromise a router at a later stage, to acquire private key and decrypt data.
This can be avoided by using a session key between communicating parties. The session key is used to encrypt data and is valid only for the duration of the communication.

Packet delivery is not ensured If an onion router fails on the way then the message will not reach the destination

It is susceptible to denial of service attacks. This can be done by forcing onion routers to do a large number of cryptographic operations by many sending packets to it. Eventually the router simply ends up doing cryptographic operations and is not able to forward packets This can be mitigated using client puzzles. Here the onion proxy/router (i.e. the server) forces a requesting client to complete a puzzle before it allocates resources But puzzle solving has an impact on the latency

Challenges in Wireless Networks

In a wireless medium there is node mobility and lack of infrastructure. There is no central point governing the flow of traffic. So nodes rely on intermediate nodes to relay their data. If intermediate nodes are compromised then onion routing fails Also packets are broadcast into the network. Thus traffic analysis becomes easier and may go undetected

Lack of central management makes it susceptible to active attacks It takes longer to construct paths due to the dynamic nature of the environment. Key distribution for encrypting traffic is a challenge.

Wireless Anonymous Routing (WAR)

It is based on onion routing and traffic mixing Here the keys are distributed using a RadioGram RadioGram object is like an onion which has layers of encryption around the data content RadioGrams are broadcast into the network and the intended nodes along the route to the destination decrypt a layer at a time

The structure of a radiogram is as follows:

[tid] {[sk] [MIC] [^]} {[sk] [MIC] [^]} . {[sk] [MIC] [^]} [content] [padding] The information contained within the curly braces { } represent each layer of the onion Transmitter ID i.e. tid: It uniquely defines a radiogram. It is a RSA public key. It is used to encrypt the session key. And the session key is then used to encrypt the rest of the fields Session key i.e. sk: It is a symmetric key encrypted by the public key of the transmitter

MIC or Checksum: It is the pre-computed hash value of everything the onion skin wraps except the padding
Control Signals i.e. ^: It tells the receiver what has to be done with the received message. It also tells about the type of message and the padding Content: This is the actual data that is being transmitted and can be interpreted only by the final destination Padding: This is used just to maintain the size of the onion

Example

[A.id] [B.sk] [B.MIC] [B.^] [C.sk] [C.MIC] [C.^] [content] [padding]

A generates the content [content]. It then generates a random session key (16 byte) C.sk . It sets the control signal C.^ appropriately i.e. type= MESSAGE and padding = k bits . It prepends [C.^] to [ content] It computes a 16 byte MIC over [C.sk] [C.^] [content] and calls it C.MIC. It encrypts [C.MIC] [C.^] [content] under C.sk . It encrypts C.sk using Cs public key and calls it C.sk . It prepends [C.sk] to [C.MIC] [C.^] [content] . Append any padding if reqired. It renames [C.sk] [C.MIC] [C.^] [content] to [content] It repeats the above steps for (all other intermediate nodes) B.

When the nodes within the transmission range of A receive the Radiogram they perform the following steps: They strip A.id and save it They strip B.MIC and save it. They strip the encrypted B.sk. They try to decrypt B.sk to B.sk using their private key. (If it succeeds then they are the intended recipient else they simply drop the packet. Only B is able to decrypt B.sk as it was encrypted with his public key.) B assumes that the message is for him and now uses B.sk to decrypt the remainder of the message i.e. [B.MIC] [B.^] [content] B checks B.^ to determine where the padding begins and the other rules it is supposed to follow. B computes B.MIC over [B.sk] [B.^] [content]. It compares B.MIC to B.MIC. If they are equal B checks B.^ for further information. If they are unequal it implies that the packet has been altered and B drops it or logs it as required. It then prepends his transmitter id and puts the packet which looks like [B.id] [C.sk] [C.MIC] [C.^] [content] [padding] on the outgoing queue and broadcasts it. Again all the nodes in Bs range perform the above steps. But only C is able to decrypt the message and read it.

Drawbacks of WAR

Key distribution is a problem Time taken for a packet to be delivered to a destination is long because of RSA encryption and decryption. This algorithm relies on public key cryptography

The sender needs to know the topology of the entire network as there is no route discovery
It does not ensure packet delivery because if an intermediate node on the destination path fails then the packet will never reach the destination

A node has to perform a certain number of decryptions just so that it can determine if it is the intended node on the route to the destination It is susceptible to DDOS attacks because an attacker can send keep broadcasting packets and force the legitimate nodes on a route to do a large number of decryptions. Thus a valid packet may not be transmitted

Secure Distributed Anonymous Routing Protocol (SDAR)

This protocol is also based on onion routing It does not require the source node to know the entire network topology unlike the previous WAR protocol It is divided into three phases: Path discovery Path reverse Data Forward

Path discovery: This allows the source node S to establish a path up to the destination using intermediate nodes. The beauty of this phase is that none of the intermediate nodes can discover the identity of any of the participating nodes except its neighbors. The source S creates a path discovery packet and broadcasts it.

Path reverse:

When the receiver receives the path discovery message it puts in the ids and session keys of all the intermediate nodes into one message

It encrypts this message again and again with the session keys of the intermediate nodes beginning from the last node. It then broadcasts the packet Every node along the reverse path removes a layer of encryption and broadcasts the packet
So when the source receives the message it has the ids and keys of all the nodes on the path to the destination. It uses these keys to encrypt the data and broadcasts it

Data Transfer:

The source encrypts the data using the keys of the intermediate nodes and broadcasts it Each node on the way decrypts a layer and forwards it So when the message reaches the destination all the encryption layers have been peeled off and the receiver is able to read the message

Drawbacks of the SDAR protocol:

There is no control over the route length since the path to the destination is a discovery process. Hence it may take a really long time for the actual data transfer to begin If malicious nodes keep forwarding path discovery packet amongst each other then it may never reach the intended receiver

Advantages of the SDAR protocol:

The source need not know the topology of the entire network since path discovery is a dynamic process

I] http://en.wikipedia.org/wiki/Traffic_analysis II] http://www.more.net/technical/netserv/troubleshooting/trafficanalysis.html III] http://tor.eff.org/overview.html.en IV] http://en.wikipedia.org/wiki/Onion_routing 1] Mary Elisabeth Gaup Moe. Security Models for Anonymous Routing. Norwegian University of Science and Technology. 2] George Danezis. Introducing traffic Analysis- Attacks, Defenses and public Policy Issues. Invited Talk. 3] Yih Chun Hu, Adrian Perrig. A Survey of Secure Wireless Ad Hoc Routing. University of California- Berkeley, Carnegie Mellon University. 4] Adam Back, Ulf Moller, Anton Stiglic. Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems. Zero-knowledge Systems Inc. 5] Marc O Morain, Vladislav Titov, Wendy Verbuggen. Onion Routing for Anonymous Communication. 6] Michael G. Reed, Paul F. Syverson, David M. Goldschlag. Proxies for anonymous Routing. Naval Research Laboratory, Washington DC. 7] Nicholas A. Fraser, Richard A. Raines, Rusty O. Baldwin. Tor: An Anonymous Routing Network for Covert On-line Operations. Air Force Institute of Technology, Wright Patterson AFB. 8] Michael E. Locasto, Clayton Chen, Ajay Nambi. WAR: Wireless Anonymous Routing. Department of Computer Science, Columbia University. 9] Liu Yang, Markus Jacobson, Susanne Wetzel. Discount Anonymous On Demand Routing for Mobile Ad hoc Networks. 10] Azzedine Boukerche, Khalil El-Khatib, Li Xu, Larry Korba. SDAR: A Secure Distributed Anonymous Routing Protocol. University of Ottawa. 11] Dehn Sy, Rex Chen, Lichun Bao. ODAR: On-Demand Anonymous Routing in Ad-Hoc Networks. University of California. 12] Stefaan Seys, Bart Preneel. ARM: Anonymous Routing Protocol for Mobile Ad hoc Networks. Department of Electrical Engineering-ESAT, SCD/COSIC

References: