Abstract
The demand for on-line privacy is rapidly increasing. More and more Internet users realize that information about their on-line activities is highly valuable to commercial companies and open to abuse. Information about who communicates with whom, and who accesses which services, is already used to improve on-line services, e.g. by serving more relevant advertisements, which many appreciate. But letting large commercial companies know one's entire surfing history does not seem to be of major concern to the average Internet user. Future services may look into how to prevent this type of information leakage, but this will not help the users of today. In addition, anonymous publication of information, e.g. by dissidents and whistle-blowers, is nearly impossible for today’s Internet users. There is a need for censorship-resistant Internet services through which information can be published anonymously. Such services are already starting to appear. They are combined with anonymizing technologies and designed to be attack-resistant, accessible from anywhere, and hidden in physical location, which makes them more censorship-resistant.
The overall goal of the research work was to address vulnerabilities in, and to develop new or enhance existing, anonymizing network technologies and censorship-resistant services. This thesis presents both analyses and new principles to enhance existing anonymizing technology.
The first phase of the research work consisted of an analysis of traffic flow confidentiality in a future military network setting, and an analysis of how to securely anonymize traffic data logs at high-speed interconnections. The thesis presents a new method for securing these logs by creating transaction-specific pseudonyms without increasing the amount of logged data. The thesis also presents solutions that allow some elements of the traffic data to be used for statistical analysis, and therefore be available for search, while other parts of the data are kept anonymous and unlinked to the searchable data.
The second phase of the research work focuses on technologies inside anonymizing networks and their vulnerabilities, and proposes methods to increase the security of the existing techniques. The work demonstrates how the predecessor attack works in a live anonymizing network and can be used to locate a so-called hidden service within minutes with only a single compromised node in the network. An analysis of various countermeasures is also presented, together with a recommendation on how to best resist this attack by using nodes protecting the initial connection to the anonymizing network.
The thesis presents a method of reducing a hidden service’s vulnerability to denial-of-service attacks by using so-called valet nodes to protect the contact points of the hidden service. In addition the valet nodes solution enables the use of completely hidden services, where even the very existence of the service is hidden from the other users and from the network itself. The use of valet nodes also supports a method of obtaining flexible quality of service for both authenticated and anonymous users of a hidden service.
The research work also presents a general improvement of the authenticated Diffie-Hellman key exchange used in building anonymous connections. The solution eliminates the need for RSA encryption by using predistributed Diffie-Hellman values when setting up session keys for the anonymous connections. This reduces the number of encryptions and the number of messages necessary for constructing an anonymous connection while maintaining forward secrecy. The solution is also easily adaptable to the valet nodes design, which will benefit from the use of public Diffie-Hellman values and thereby also avoid the use of RSA. In addition, the thesis presents a method to reduce the latency in a hidden service connection by utilizing the extra protection within the valet nodes extension.
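The following is an added sketch, not the thesis's own protocol or code, of the general idea in the paragraph above: the node's predistributed Diffie-Hellman value authenticates it, and fresh ephemeral values provide forward secrecy, with no RSA step. The group parameters, function names, key derivation and confirmation tag are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group so the example runs with only the standard library (assumption):
# P is the Mersenne prime 2^521 - 1. Real systems use a standardized DH group.
P = 2**521 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def check(v):
    # Reject degenerate public values that would force a predictable secret.
    if not 1 < v < P - 1:
        raise ValueError("invalid DH public value")
    return v

def kdf(s_static, s_eph, X, Y, B):
    # Bind both shared secrets and the full transcript into the session key.
    h = hashlib.sha256()
    for n in (s_static, s_eph, X, Y, B):
        h.update(n.to_bytes(66, "big"))
    return h.digest()

def node_respond(b, B, X):
    """Node side: a single reply and no RSA decryption."""
    check(X)
    y, Y = keypair()  # ephemeral secret y is discarded when this returns
    key = kdf(pow(X, b, P), pow(X, y, P), X, Y, B)
    tag = hmac.new(key, b"confirm", hashlib.sha256).digest()
    return Y, tag, key

def client_finish(x, X, B, Y, tag):
    """Client side: only a holder of b can produce a tag that verifies."""
    check(Y)
    key = kdf(pow(B, x, P), pow(Y, x, P), X, Y, B)
    expect = hmac.new(key, b"confirm", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("node failed authentication")
    return key

def handshake(b_used, B_published):
    # B_published is the predistributed value; b_used is what the responder holds.
    x, X = keypair()  # client's ephemeral value, sent in the clear
    Y, tag, node_key = node_respond(b_used, B_published, X)
    return client_finish(x, X, B_published, Y, tag), node_key
```

Because the session key also depends on the ephemeral secret `X^y`, a later disclosure of the long-term secret `b` together with a recorded `X` and `Y` yields only the static share, not the key.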