B. MINNY PRISCILLA* et al.

[IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

A SURVEY ON TRAFFIC FLOW CORRELATION ATTACKS IN ANONYMITY NETWORKS

B. Minny Priscilla1, Dr.K.Subrahmanyam2
2

M.Tech, CSE, KL University, Andhra Pradesh,India,minny2k8@gmail.com Professor, CSE, KL University, Andhra Pradesh, India,smkodukula@yahoo.com

Abstract
This paper describes about the Mix networks that are designed to provide anonymity for users in a variety of applications, including anonymous web browsing and numerous E-commerce systems. These networks have been shown to be susceptible to flow correlation attacks empirically. This paper also describes about the anonymous communication and the realization in the onion routing and helps in exploring their use in variety of applications.

Index Terms: Mix Network, Anonymity Network, Onion Routing, Tor -------------------------------------------------------------------- *** ----------------------------------------------------------------------1. INTRODUCTION In today's expanding on-line world, there is an increasing concern about the protection of anonymity and privacy in electronic services. In the past, many technical solutions have been proposed that hide a user's identity in various applications and services. Anonymity is an important issue in electronic payments, electronic voting, electronic auctions, but also for email and web browsing. This paper describes how a freely available system, onion routing, can be used to protect a variety of Internet services against both eavesdropping and traffic analysis attacks, from both the network and outside observers. This paper includes a specification sufficient to guide both re implementations and new applications of onion routing. We also discuss configurations of onion routing networks and applications of onion routing, including Virtual Private Networks (VPN), Web browsing, e-mail, remote login, and electronic cash. A purpose of traffic analysis is to reveal who is talking to whom. The anonymous connections described here are designed to be resistant to traffic analysis, i.e., to make it difficult for observers to learn identifying information from the connection (e.g., by reading packet headers, tracking encrypted payloads, etc.). Any identifying information must be passed as data through the anonymous connections. Our implementation of anonymous connections, onion routing, provides protection against eavesdropping as a side effect 2. MIX NETWORK Digital mixes (also known as mix networks) were invented by David Chaum [1] in 1981. Digital mixes create hard-totrace communications by using a chain of proxy servers. Each message is encrypted to each proxy using public key cryptography; the resulting encryption is layered like a Russian doll (except that each "doll" is of the same size) with the message as the innermost layer. Each proxy server strips off its own layer of encryption to reveal where to send the message next. If all but one of the proxy servers is compromised by the tracer, untraceability can still be achieved against some weaker adversaries. Some anonymous remailers (such as Mixmaster) [2] and onion routing (including Tor) are based on this idea. There is another kind of mix net that consists of re-encryption operations. In these mix nets each mix node re-encrypts the set of received messages and the decryption is done in a single step. Homomorphic encryption schemes allow that. The goal of most Mix based systems is to offer sender and relationship anonymity. This means that the receiver should not find out who the sender is and an eavesdropper should not able to detect that there is a communication relationship between two parties. Although there are applications for receiver anonymity ex: Anonymous web publishing most internet activities where anonymity is desired require only sender and relationship anonymity.

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 81

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

Reply message from

Where: Kb = Bs public key, K1 = the mixs public key. A destination can reply to a source without sacrificing source anonymity. The reply message shares all of the performance and security benefits with the anonymous messages from source to destination.

2.3 Benefits
Figure 1: Basic Mix Network The current model offers several benefits, the most dominating ones are briefly described in the following paragraphs.

2.1 Message format

To accomplish this, the sender takes the mixs public key (Km), and uses it to encrypt an envelope containing a random string (R1), a nested envelope addressed to the recipient, and the email address of the recipient (B). This nested envelope is encrypted with the recipients public key (Kb), and contains another random string (R0), along with the body of the message being sent. Upon receipt of the encrypted top-level envelope, the mix uses its secret key to open it. Inside, it finds the address of the recipient (B) and an encrypted message bound for B. The random string (R1) is discarded.

2.3.1Accessibility
Using well-known MIXes makes it straightforward for a user to access them. Their identities (host names or IP addresses) can be made public through web sites or news messages in the Usenet and the addition and removal of MIXes can also be made public in this way. In general, it is not expected that MIXes appear and disappear frequently. Rather, the model assumes that each MIX remains operational for a long time (e.g. months or years) before it terminates its service.

2.3.2Authentication
Using digital certificates makes it possible to control which MIXes are allowed to offer their services. This prevents unauthorized (and potentially malicious) MIXes from joining the system and collecting information and in addition gives the user the possibility to identify and authenticate the MIXes she is using. A centralized system could play the role of the certification authority responsible for issuing certificates for MIXes. This does of course not guarantee that malicious MIXes are present in the system, but gives at least the possibility to evaluate the trustworthiness of a MIX before certifying it.

2.2 Return Addresses:

What is needed now is a way for B to respond to A while still keeping the identity of A secret from B.A solution is for A to form an untraceable return address where Ax is its own real address, Kx is a public one-time key chosen for the current occasion only, and S1 is a key that will also act as a random string for purposes of sealing. Then, A can send this return address to B as part of a message sent by the techniques already described sendsK1(S1,A),Kx(S0,response) to M, and M transforms it to A,S1(Kx(S0,response).This mix uses the string of bits S1 that it finds after decrypting the address part K1(S1,A) as a key to re-encrypt the message part Kx(S0,response). Only the addressee, A, can decrypt the resulting output because A created both S1 and Kx. The additional key Kx assures that the mix cannot see the content of the reply-message. The following indicates how B uses this untraceable return address to form a response to A, via a new kind of mix: The message from

2.3.3 Reliability
By controlling who is allowed to operate a MIX, one can make sure that only highly reliable MIXes are present in the system. In addition, there could be minimal requirements for the computing power of the MIXes and for the network connection they offer in order to make sure that no particular MIX becomes a bottleneck in the system.

3. ANONYMITY NETWORK
The Anonymity Network (AN) [3] is a MIX network to enable anonymous Web browsing. Its basic architecture is similar to that of Onion Routing, Freedom, or Pipe Net [4].This enables

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 82

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY users to access the Web while blocking any tracking or tracing of their identity on the Internet. This type of online anonymity moves Internet traffic through a worldwide network of volunteer servers. Anonymity networks prevent traffic analysis and network surveillance - or at least make it more difficult.

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

As an example consider the network shown above, in here A,B,C and D are users (senders), Q,R,S, and T are servers (receivers), the boxes are mixes, and, The degree of anonymity takes into account the probability associated with each user.

3.2 Example 3.1 Degree of Anonymity:

A measure for the anonymity degree [5] should satisfy a number of requirements: First, the anonymity degree should capture the quality of an anonymity system. It has been shown for example that information theoretical means, such as entropy, are more accurate for comparing anonymity systems than, say, anonymity sets. Second, the anonymity degree should take into account the topology of the network or that of any overlay defined by the anonymity system. The topology influences how much information can be gathered by an attacker, and thus has an impact on the system anonymity degree. For example, a system of fully-connected nodes will have a different anonymity degree from a chain of nodes. Third, the anonymity degree, as measure of the effectiveness of the anonymity system. While a large number of users clearly contributes anonymity, this not necessary reflects on the quality of the anonymity system should be independent of the number of users. Finally, the anonymity measure must be independent of the threat model, as attackers may use a variety of attack techniques, or combinations thereof, to break the anonymity. In anonymity networks (e.g. Tor, Crowds, Mixmaster, Tarzan, etc.) it is important to be able to measure quantitatively the guarantee that is given to the system. The degree of anonymity d is a device that was proposed at the 2002 Privacy Enhancing Technology (PET) conference. There were two papers that put forth the idea of using entropy as the basis for formally measuring anonymity: "Towards an Information Theoretic Metric for Anonymity", and "Towards Measuring Anonymity". The ideas presented are very similar with minor differences in the final definition of d. Anonymity networks have been developed and many have introduced methods of proving the anonymity guarantees that are possible, originally with simple Chaum Mixes and Pool Mixes the size of the set of users was seen as the security that the system could provide to a user. This had a number of problems; intuitively if the network is international then it is unlikely that a message that contains only Urdu came from the United States, and viceversa. Information like this and via methods like the predecessor attack and intersection attack helps an attacker increase the probability that a user sent the message.

Figure 2: Pool Mixes

it begins by defining the entropy of the system (here is where the papers differ slightly but only with notation,

We will use the notation from, where H(X) is the entropy of the network, N is the number of nodes in the network, and pi is the probability associated with node i. Now the maximal entropy of a network occurs when there is uniform probability associated with each node ( ) and this yields

The degree of anonymity (now the papers differ slightly in the definition here, defines a bounded degree where it is compared to HM and gives an unbounded definitionusing the entropy directly, we will consider only the bounded case here) is defined as.

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 83

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY Using this anonymity systems can be compared and evaluated using a quantitatively analysis.

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

4. ONION ROUTING
This refers to the layered nature of the encryption service: The original data is encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and, ultimately, its destination. This reduces the possibility of the original data being unscrambled or understood in transit. In onion routing [6], instead of making socket connections directly to a responding machine, initiating applications make connections through a sequence of machines called onion routers. The onion routing net-work allows the connection between the initiator and responder to remain anonymous. Anonymous connections hide who is connected to whom, and for what purpose, from both outside eavesdroppers and compromised onion routers. If the initiator also wants to remain anonymous to the responder, then all identifying information must be removed from the data stream before being sent over the anonymous connection. Onion routers in the network are connected by longstanding (permanent) socket connections. Anonymous connections through the network are multiplexed over the longstanding connections. For any anonymous connection, the sequence of onion routers in a route is strictly defined at connection setup. However, each onion router can only identify the previous and next hops along a route. Data passed along the anonymous connection appears different at each onion router, so data cannot be tracked en route, and compromised onion routers cannot cooperate by correlating the data stream each sees. We will also see that they cannot make use of replayed onions or replayed data.

content via Tor's anonymous hidden service feature. Furthermore, by keeping some of the entry relays (bridge relays) secret, users can evade Internet censorship which relies upon blocking public Tor relays.

4.2 Operation:
Tor aims to conceal its users identities and their network activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers throughout the globe. These onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in network location. That anonymity extends to the hosting of censorship-resistant content via Tor's anonymous hidden service feature. By keeping some of the entry relays secret (bridge relays), users can evade Internet censorship that relies upon blocking public Tor relays. Because the internet address of the sender and the recipient are not both in clear text at any hop along the way(and at middle relays neither piece of information is in clear text), someone eavesdropping at any point along the communication channel cannot directly identify both ends. Furthermore, to the recipient it appears that the last Tor node (exit relay) is the originator of the communication rather than the sender.

4.3 Hidden services

Tor can also provide anonymity to servers in the form of location-hidden services [8], which are Tor clients or relays running specially configured server software. Rather than revealing the server's IP address (and therefore its network location), hidden services are accessed through Tor-specific .onion pseudo top-level domain (TLD), or pseudo main. The Tor network understands this TLD and routes data anonymously both to and from the hidden service. Due to this lack of reliance on a public address, hidden services may be hosted behind firewalls or network address translators (NAT). A Tor client is necessary in order to access a hidden service. Hidden services have been deployed on the Tor network beginning in 2004. Other than the database that stores the hidden-service descriptors, Tor is decentralized by design; there is no direct readable list of hidden services. There are a number of independent hidden services that serve this purpose. Because location-hidden services do not use exit nodes, they are not subject to exit node eavesdropping. There are, however, a number of security issues involving Tor hidden services. For example, services that are reachable through Tor hidden services and the public Internet are susceptible to correlation attacks and thus not perfectly hidden. Other pitfalls

4.1 Tor (Onion Routing Network)

Tor (short for the onion router) [7] is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Tor aims to conceal its users' identities and their network activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers throughout the globe. These onion routers employ encryption in a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in network location. That anonymity extends to the hosting of censorship-resistant

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 84

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY include misconfigured services (e.g. identifying information included by default in web server error responses) uptime and downtime statistics, intersection attacks and user error.

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

5.3 Anonymous Cash

Certain forms of e-cash are designed to be anonymous and untraceable, unless they are double spent or otherwise misused. However, if a customer cannot contact a vendor without identifying himself, the anonymity of e-cash is undermined. For transactions where both payment and product can be conveyed electronically, anonymous connections can be used to hide the identities of the parties from one another How can the customer be prevented from taking his purchase without paying for it (e.g., by closing the connection early) or the vendor be prevented from taking the customer's e-cash without completing the transaction? This is a hard problem. In the case of a well known vendor, a practical solution is to require customers to pay first. The vendor is unlikely to deliberately cheat its customers since it may be caught in an audit.

5. ONION ROUTING APPLICATIONS

We first describe how to use anonymous connection in VPNs, anonymous chatting services, and anonymous cash. We then describe onion routing proxies for three Internet services: Web browsing, e-mail, and remote logins. These three onion routing proxies have been implemented. Anonymzing versions of these proxies that remove the identifying information that may be present in the headers of these services' data streams have been implemented as well.

5.1 Virtual Private Networks

If two sites wanted to collaborate, they could establish one or more long term tunnels that would multiplex many socket connections, or even raw IP packets, over a single anonymous connection. This would effectively hide who is collaborating with whom and what they are working on, without requiring the construction of an individual anonymous connection for each connection made. Such long term anonymous connections between enclaves provide the analog of a leased line over a public network. Note that the protection provided a VPN by onion routing is broader than that provided by encrypting firewalls. Basic encrypting firewalls encrypt Payloads only. Thus, they protect confidentiality, but do nothing to protect against traffic analysis. IPSEC will protect traffic for individual connections by encapsulating packets in encrypted packets from the firewall, but this will not protect against institutional level traffic analysis. Communication between two such firewalls will still indicate collaboration between the sites behind them. Constant padding may be added, but this is very expensive. And, unless many unrelated sites agree to do it, it still does not hide the existence of the VPN established between those sites that are so padding.

5.4 Remote Login

We proxy remote login requests by taking advantage of the option -l username to rlogin. The usual rlogin command is of the form: rlogin -l username server To use rlogin through an onion routing proxy, one would type rlogin -l username@server proxy where proxy refers to the onion routing proxy to be used and both username and server are the same as specified above. A normal rlogin request is transmitted from a privileged port on the client to the well known port for rlogin (513) on the server as: \0 username on client \0 username on server \0 terminal type \0 where username on client is the username of the individual invoking the command on the client machine, username on server is either the -l field (if specified) or the username of the individual invoking the command on the client machine (if no -l is specified), and the terminal type is a standard term cap/line speed specification. The server responds with a single zero byte if it will accept the connection or breaks the socket connection if an error has occurred or the connection is rejected. Our normal rlogin proxy therefore receives the initial request: \0 username on client \0 username server \0 terminal type \0 .The proxy creates an anonymous connection to the RLOGIN port on the server machine and proceeds to send it a massaged request of the form: \0 username \0 username \0 terminal type \0 once this request is transmitted to the server, the proxy blindly forwards data in both directions between the client and server until the socket is broken by either side. Notice that the onion router does not send the server the client's username on the client, so communication is anonymous, unless the data-stream subsequently reveals more information.

5.2Anonymous Chatting
Anonymous connections can be used in a service similar to IRC, where many parties meet to chat at some central server. The chat server may mate several anonymous connections carrying matching tokens. Each party defines the part of the connection leading back to itself, so no party has to trust the other to maintain its privacy. If the communicating parties layer end-to-end encryption over the mated anonymous connections, they also prevent the central server from listening in on the conversation.

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 85

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

5.5 Web Browsing

Proxying HTTP requests follow the IETF HTTP V1.0 Specification. An HTTP request from a client through an HTTP proxy is of the form: GET http://www.server.com/file.html HTTP/1.0 followed by optional fields. Notice that an HTTP request from a client to a server is of the form: GET file.html HTTP/1.0 also followed by optional fields. The server name and protocol scheme are missing, because the connection is made directly to the server. As an example, a complete request from Netscape Navigator to an onion router HTTP proxy may look like this: GET http://www.server.com/file.html HTTP/1.0 Referer: http://www.server.com/index.html Proxy-Connection: Keep-Alive User-Agent: Mozilla/3.0 (X11; I; SunOS 5.4 sun4m) Host: www.server.com Accept: image/gif, image/x-bitmap, and image/jpeg The proxy must create an anonymous connection to www.server.com, and issue a request as if it were a client. Therefore, the request must be massaged to remove the server name and scheme, and transmitted to www.server.com over the anonymous connection. Once this request is transmitted to the server, the proxy blindly forwards data in both directions between the client and server until the socket is broken by either side. For privacy filtering of HTTP, the proxy proceeds as outlined above with one change. It is now necessary to sanitize the optional fields that follow the GET command because they may contain identity information. Furthermore, the data stream during a connection must be monitored, to sanitize additional headers that might occur during the connection. The Anonymizer also provides anonymous Web browsing. Users can connect to servers through the Anonymizer and it strips of identifying headers. This is essentially what our filtering HTTP proxy does. But packets can still be tracked and monitored. The Anonymizer could be used as a front end to the onion routing network to provide effective protection against traffic analysis.

different applications to share the same communication infrastructure increases the ability of the network to resist traffic analysis.

REFERENCES
[1] D. Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Comm. ACM, vol. 24, no. 2, pp. 84-90, Feb. 1981. [2]L.cotterell, Mixmaster and remailer attacks,1994.http://www.obscura.com/-loki/remailer/remaileressay.html. [3] Marc Rennhard Design, Implementation, and Analysis of an Anonymity Network for Web Browsing, February, 2002. [4]WeiDai.PipeNet.http://www.eskimo.com/~weidai/pipenet.t xt. [5] C. Daz, S. Seys, J. Claessens, and B. Preneel, Towards Measuring Anonymity, Proc. Privacy Enhancing Technologies Workshop (PET 02), R. Dingledine and P. Syverson, eds., pp. 54-68, Apr. 2002. [6] P.F. Syverson, D.M. Goldschlag, and M.G. Reed, Anonymous Connections and Onion Routing, Proc. IEEE Symp. Security and Privacy, pp. 44-54, 1997. [7] S.J. Murdoch and G. Danezis, Low-Cost Traffic Analysis of Tor, Proc. 2005 IEEE Symp. Security and Privacy, pp. 183-195, May 2005. [8] L. verlier and P. Syverson, Locating Hidden Servers, Proc. IEEE Symp. Security and Privacy May 2006.

BIOGRAPHIES
B.Minny Priscilla received B.Tech Degree in Information Technology from St.Anns college of Engineering And Technology, JNT University, Kakinada in the year 2010 is currently pursuing M.Tech in the Department of Computer Science and engineering at KL University, Vijayawada.

6. CONCLUSION
This paper describes about the versatility of anonymous communications by exploring their use in variety of applications, these include standard internet services such as web browsing, remote login and electronic mail. Onion routing communication moves the anonymous communication infrastructure below the Application level properly separating communication and applications. Since the efficiency depends upon sufficient network traffic allowing

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 86

B. MINNY PRISCILLA* et al. [IJESAT] INTERNATIONAL JOURNAL OF ENGINEERING SCIENCE & ADVANCED TECHNOLOGY Dr. Kodukula Subrahmanyam, a Gold Medalist from Andhra University (1992-93) is currently working as a Professor in Computer Science & Engineering Department, School of Computing of KL University, Guntur. He is in teaching profession for the past 20 years and prior to joining KL University he worked as Programme Leader in the School of Engineering, Science & Technology at KDU University, Malaysia for about 10 years. He has published more than 30 papers in both national and international journals/conferences and attended various workshops in Malaysia, Singapore, USA & India. His research interests include Knowledge Management, Communication Technologies & Soft Systems Methodologies. He has guided 100 over students towards their Masters and Bachelor Dissertations and currently guiding 4 towards their PhD.

ISSN: 22503676
Volume - 2, Special Issue - 1, 81 87

IJESAT | Jan-Feb 2012

Available online @ http://www.ijesat.org 87