Mixing withBabel. CekiGulcu GeneTsudik. IBMResearchDivision,ZurichResearchLaboratory. Saumerstrasse4,CH-8803Ruschlikon.

Transcription

1 Mixing withBabel CekiGulcu GeneTsudik IBMResearchDivision,ZurichResearchLaboratory Saumerstrasse4,CH-8803Ruschlikon Switzerland tel fax Abstract Increasinglylargenumbersofpeoplecommunicatetodayvia electronicmeanssuchas ornewsforums.oneofthebasic propertiesofthecurrentelectroniccommunicationmeansisthe identicationoftheend-points.however,attimesitisdesirable orevencriticaltohidetheidentityand/orwhereaboutsofthe end-points(e.g.,humanusers)involved. Thispaperdiscussesthegoalsanddesiredpropertiesof anonymous ingeneralandintroducesthedesignand salientfeaturesofbabelanonymousr er.babelallows userstoconverseelectronicallywhileremaininganonymouswithrespecttoeachotherandtoother{evenhostile{ parties.arangeofattacksandcorrespondingcountermeasures isconsidered.anattemptismadetoformalizeandquantify certaindimensionsofanonymityanduntraceablecommunication.keywords:security, ,mix,anonymity,untraceability, tracanalysis,r er Introduction Explosivegrowthandproliferationoftheglobal Internetinthepastdecadeallowedmillionsofpeopletocommunicateviaelectronicmail.Inmanyrespects, israpidlyreplacingtraditionalpaper mail. isnotonlyfastandconvenientbutalso{ atleastforthetimebeing{freeofchargeforalarge segmentofusers. Thereare,however,someaspectsof thatcan beimprovedupon.first,mostoftoday'sinternet isnotverysecure.senderauthentication,nonrepudiation,dataintegrityandprivacyaresomeofthe basicingredientsofsecure .whilebasic securityisaddressedtosomeextentbyrecentoerings suchaspgp[35]andpem[6],theiracceptanceisfar fromuniversal.anotherimportantfeaturemissingin current issupportforanonymityanduntraceabilityofusers.intheinternetmilieu,itisquiteunrealistictoexpectanysecurityfeaturesoftheunderlyingnetwork;eavesdropperscaneasilyrecord messagesandgatheraddressinginformation.traditionalpapermail,incontrast,allowsonetosendan envelopewithaprinteddestinationaddressandno returnaddress.this,coupledwithothercommonsenseprecautions,canmakethesenderuntraceable 0996SymposiumonNetworkandDistributedSystemSecurity,February22-23,996,SanDiego,California. andanonymous;policeandsleuthctiontothecontrarynotwithstanding. Inthispaperwediscussthegoalsanddesiredpropertiesofanonymous andthendescribethedesign andfeaturesofthebabel{ananonymousr er developedatibmzurichresearchlaboratory.in brief,ourapproachisbasedonaspecialentitycalled a"mix".theconceptofamixwasrstintroduced bychaum[2]intheearlyeighties.amixcanbe viewedasalogicalcomponent(e.g.,applicationlayer software)thatforwards messagesand{inthe process{obfuscatestherelationshipbetweenincomingandoutgoingmessagetrac. Thepaperisorganizedasfollows.Inthenextsectionwebeginbymotivatingtheneedforanonymity, brieyreviewingpreviousworkanddescribingthe goalsofanonymous/untraceable .then,insection3weintroducetheconceptofamixandconsider thethreatsitfaces.sections4,5and6aredevoted tothetechnicaldiscussionofbabelanonymousr er.section7presentsanattempttoquantify somemeasuresofanonymity.finally,section8describesthesalientimplementationissues. 2Motivation Itisnosurprisethatuntraceablecommunication isahighly-chargedand,attimes,evencontroversial, topic[,8,22,23].anonymous isananathematosomepeople.thisreputationisduelargelyto thepossibleabusesofanonymityforthepurposesof spreadinglibelousaccusations,hate-lledpropaganda, pornographyandotherunpleasantcontent. Atthesametime,anonymousmailhasitslegitimateandbenignuses.Wedividetheseintofourmain categories:.discussionofsensitiveandpersonalissues 2.Informationsearches 3.Freedomofspeechinintolerantenvironments 4.Polling/Surveying Manypeopleinneedofcounselingortherapy,such asvictimsofsexual,alcoholordrugabuse,canreceive Thelistisnotmeanttobeexhaustive.

2 supportandcounselingelectronicallywhileremaining anonymous.forexample,avictimofabusewould probablybereluctanttoparticipateinon-linetherapysessionsiftherewasachancethatsomeonethey knewwas"listening".thusitisoftencriticalforthe identityoftheusertoremainsecret.thisneedisalso widelyrecognizedbythemedicalprofession. Weoftenseekinformationanonymouslyinthe courseofoureverydaylife.forexample,anemployee ofonecompanymayinquireaboutajobopeningat another(perhapscompeting)company;theneedfor anonymityisobvious.2furthermore,peopleoften seekinformationfromsourcesthat,shouldtheidentity oftheseekerbecomeknown,wouldactinamanner notagreeabletotheseeker.forexample,aconsumer mightliketobrowseanumberofelectronicshopsand comparepricesbeforemakingapurchase.iftheconsumer'sidentitywererevealed,thevisitedshopscould placehisname/addressontheirmailinglistsandstart bombardinghismailboxwithunwanted\junk" . Thereareothereverydaycaseswhereanonymityisan integralpartofatransaction. Onamoresombernote,therearestill,alas,anumberoftotalitarianregimesintheworld;placeswhere nonviolent(e.g.,verbal)oppositionordissentcanhave seriousconsequencesincludingimprisonment,torture anddeath.furthermore,eveninthefreeworld,there areintolerantandfanaticalgroupsthatviolentlyand virulentlyharasscriticsformereopinions.examples abound::: Inthesamevein,therearealsomanywell-known situationsinwhichanindividualmayfeelcompelled toreportcorruption,criminalbehaviororothermisdeeds.insuchcases,beinganonymousmeansbeing safefromvaryingdegreesofretribution. Anotheruseful,albeitrathernon-controversial,applicationofanonymous isintheareaofpolling andsurveying.thereareanumberoforganizations specializinginopinionsurveysonawidevarietyof topics.participants'anonymityisoneofthebasic featuresofthisactivity. Admittedly,thefundamentalmotivationforhiding one'sidenticationisthefearofretribution(either rightfulorwrongful.)itisnotthegoalofthispaper topartakeinthecurrentlyon-goingdebateonprivacy andanonymityontheinternet.weonlynotethat anonymityisanoptional(andmostlylegal)partof regular,papermail.obviously,itcanbemisused, yettherearenogreatdebatesonbanninganonymous usageofpapermail.drawingaboundarybetweenuse andabuseoftechnologyisacomplicatedphilosophical matter;itisnottreatedinthispaper. 2.Previouswork Therstandthemostauthoritativepaperto-date dealingwithanonymouscommunicationwaspublishedbyd.chaumin98[2].thebabelr erdescribedinthisreportowesmuchtohisideas. 2Thisexampleisofproactivejobsearch;itisdierent fromtheusualreactivesearchwherebythejobdescriptionsare broadcastedtothe"masses",e.g.,bypostinginappropriate newsgroups. ChaumalsoinventedtheDC-network[4]whichprovidesunconditionaluntraceabilitycommensuratewith highbandwidthoverhead.ptzmannandwaidner havealsodoneaconsiderableamountofworkon anonymityanduntraceablecommunicationinlan andisdnenvironments.[24,26,25,27]. Theoldestand(currently)mostwidely-usedanonymousr erislocatedinFinland.ItiscalledPenet andisoperatedbyj.helsingius.penetperformsthe followingfunctions: Itstripsoallheaderinformationoftheincomingmailbeforeforwardingittoitsnaldestination. Then,ifnotalreadyassigned,analiasforthesender iscreated.intheoutgoingmessage,theaddressofthe senderisreplacedbyanalias.thealiasallowsthe recipient(s)ofthemessagetoreplytotherealsender withoutknowinghisidentity. ThedemandonthePenetr erisquitehigh: over7,000messagesaresentdaily.thealiasdatabase contains200,000entries[].recently,penethasbecomethesubjectofsomecontroversy3. Thesecondbrandofr ersarepromotedbya groupcalledcypherpunks[2].thereareabout20 publiclyavailablecypherpunkr ers.theser ersoersomeofthebasicfunctionalitydescribedin thispaper.althoughtheysharethesamecodebase, eachdiersinminorways;someallowpostingtonewsgroupswhileothersdonot,somedonotacceptpgp encryptedmessages;someevenusedierentformats. Theirlackofauniedmodusoperandicomplicates theiruseandhinderstheiracceptance.themixmaster[7]r erwrittenbyl.cottrellisasignicant stepforwardasitconstitutesthersttruemix. 2.2Overviewofdesiredproperties Webeginthetechnicaldiscussionbyenumerating thedesiredpropertiesofanonymousmail..anyoneabletosend shouldbeabletodo soanonymously. 2.Itshouldbeimpossible(or,atleast,computationallyhard)todeterminetheoriginatorofanonymousmail. 3.Thereceiver(s)ofanonymousmailcanreplyto thesender,whoremainsanonymous.moreover, receiver(s)mayreplywithmultiplemessages.(it isimportanttonotethatsomeonereplyingtoan anonymousmessage,bydenition,sacricessome anonymitybecausetheoriginalsender"knows" theintendedreceiver(s)andcancorrelateareply withanearliermessage.4) 3OnFebruary8,995,basedonaburglaryreportledwith thelosangelespolice,transmittedbyinterpol,finnishpolice presentedhelsingiusawarrantforsearchandseizure.bound todosobylaw,hecomplied,therebyrevealingtheelectronic addressofasingleuser. 4However,somedegreeofanonymitycanbepreserved.For example,areplytoananonymousnewsgrouppostonlyreveals thenewgrouptotheoriginalposter;theidentityofthereplying partyremainssecret. 2

3 4.Individualr ersinterveninginanonymizing messagesshouldbetrustedaslittleaspossible. Theanonymityoftheend-pointsshouldbepreservedevenifanumberofinterveningentities colludeoraresubverted. 5.Ther erinfrastructureshouldberesistantto bothpassiveandactiveattacks.(thisproperty iselaboratedonbelow.) 6.Thesenderofanonymous can(anonymously)obtainconrmationthatithasbeen properlyprocessedbyther ersystem. 7.Anonymous shouldnotoverloadtheglobal infrastructure.(forexample,ifanonymity requiresgenerationof noiseitsvolume shouldbekeptlow.) 2.3Notation Thefollowingnotationisusedthroughouttheremainderofthepaper: M message;sequenceofasciibits Ex(M)encryptionofMwithX'spublickey Dx(M)decryptionofMwithX'sprivatekey KfMgconventionalencryptionofMwithkeyK (M;M2)concatenationofMandM2 Ax X's address. dmepaddingstringmtolength (byappendingrandombits) bmctrimmingstringmtolength (byremovingtrailingbits) 3MIX-fundamentalbuildingblock Asalreadymentioned,ananonymousr er,ora mix,isanentitythat,inadditiontoforwardingincomingmessages,strivestohidetherelationshipbetween incomingandoutgoingmessagetrac.(seefigure.)inourmodelweassumetheexistenceofapowerful adversary{eve{capableofrecording,removingor alteringpacketsenteringorleavingamix.eveisalso abletogeneratespuriousmessages. Amixfunctionsaccordingtothefollowingprinciple[2].SupposeAlicewishestosendmessageMto Bobanonymously.Shesubmitsaspeciallycomposed messageitothemix.iincludesmandbob'snetworkaddress.itisintelligibleonlytothemix.a transformedversionofi,calledo,isforwardedby themixtobob.ideallytherelationbetweentheincomingmessage,i,andtheoutgoingmessage,o,is obfuscated.thus,eveisunabletoconnectaliceto Bob.Thiskindofanonymityiscalled\unlinkability ofsenderandrecipient"[27]. TherearetwowaysforEvetocorrelateincoming andoutgoingmessages:i)bycontents,i.e.,message dataormessagesize,or,ii)bycausality,i.e.,byassociatingtimeofmessagearrivalwiththatofitsdeparture. Ingeneral,contentcorrelationcanbeaddressedby usingstandardcryptographictechniquesalongwith Mix Alice Bob Eve Figure:BasicModel padding.causalcorrelationcanbeeasilycounteredif theincomingtracvolumeissucientlyhigh.inthe nextsectionwefocusonmakingcontentandcausal correlationdicult. 3.Passiveattacks Thissectionaddressesso-calledpassiveattacks,i.e. thosethatcanbecarriedoutbymerelyobservingmessagetrac. 3..Contentcorrelation Twoelementscanhelpincontentcorrelation:actualcontentandlength.Forpreventionitsucesthat allmessagesto/fromamixbeencryptedandbeof uniformlength.wedenotethislengthby. TheuserencryptshismessageMandthedestinationaddressABobwiththemix'spublickey.Thus, I=Emix(ABob;M)whereABobisBob'snetwork address. UponreceiptandsuccessfuldecryptionofI,the string(abob;m)isberevealed.theoutputmessageo,consistingofm(incleartext)andotherdata addedbytheunderlyingcommunicationsnetwork,is forwardedtobobatabob.evemayattempttocorrelateoandibycomparingemix(abob;m)andi. TooutwitEve,randomone-time"salt"mustfactored intotheencryptiontoensurethatsuccessiveencryptionsofthesamemessageyielddierentresults. Inhybridsystemsbasedonbothpublicandconventionalkeyencryptiontherandomstringmightbe unnecessary.suchsystemstypicallyusearandomsessionkeytoencryptuserdatawithasymmetrickey algorithmandapublickeyencryptionalgorithmto encrypttherandomsessionkey.eachencryptionwith apublickeyusesadierentsessionkey,whichisrevealedonlytotheowneroftheprivatekey(themix inthisparticularcase).thus,eveisunabletocorrelateiandoeventhoughsheisabletore-encrypt (ABob;M).There-encryptionresultsinI0,which bearsnoresemblancetoi;referto[26]forcryptographicattacksonstraight-rsaimplementationof mixes. Inordertoavoidsizecorrelation,messagesizes mustbeconstantthroughouttheentiremixnetwork. 3

4 Messagesizeuniformitycanbeachievedbypadding toaconstantlength()withrandomdata.although seeminglyinnocuous,paddingisanimportantissue andgreatlyinuencestheimplementationofamix. Adetaileddiscussionofthisissueispostponeduntil Section6. Notethatthesecurityofthesystemisbasedonthe integrityofamix.inasingle-mixarchitecture,ifthe mixissomehowforcedtorevealitsprivatekey,identitiesofuserscanbecompromised.multiplemixescan beusedtoincreasethesecurityofthewholesystem. Thisisdiscussedinthefollowingsections. 3..2Timecorrelation Obviously,thereisastrongcausalrelationshipbetweentheincomingandoutgoingmessages.ThisrelationshipcanbeexploitedbyEve.Onesimplesolution istooutputmessagesinbatches,asoutlinedin[2]. Inthisscheme,atleastNinputmessagesareaccumulatedbeforebeingforwardedinrandomorder.N iscalledtheminimumbatchsize.werefertothis schemeasnormalorregularbatching. Underlowloadconditions,incomingmessagesmay besoscarcethatabatchofsizencannotbeformed withinareasonabletime.sendingoutrandom-looking decoymessagestorandomdestinationssolves(orat leastalleviates)theproblem.decoysareindistinguishablefromnormalmessagesexceptthattheyare immediatelydiscardedbytheirrecipientsafterdecryption. Inanenhancedscheme,calledintervalbatching,we dividetimeintoequalperiodsoflengtht.letnbe thenumberofincomingmessagesinagivenperiod. Thefollowingprocedureisperformedattheendof eachperiod: normalbatching ifnn N?ndecoysfollowedbybatchingif0<n<N ThisapproachguaranteesthatamessagewillbedelayedatmostTunitsoftimebyamix.Note thatbatchingmessagesintroducesariskbecause anonymitythendependsonthebehaviorofother users.thisexternaldependencecanpavetheway forotherattacks(seesection3.2..) Anotherpopularapproachtosolvingthetimecorrelationprobleminvolvesintroducingarandomdelay foreachmessage.thisrandomnessmakesthesystem nondeterministicbutnotnecessarilysafer.weavoid thisvenue. 3.2Activeattacks Inthissectionwediscussactiveattacks,i.e.those involvingdirectmodicationstomessageow,byaltering,inserting,delayingandevendeleting,messages. 3.2.Isolate&Identify Ifregularbatchingisused,Evemaysubmitanumberofmessagestoamix,forminganalmostcomplete batch,withonlyonemessagemissing.uponarrival ofagenuinemessage,theentirebatchisforwarded andevecansimplypickoutthemessageshedidnot generate[27].notethat,althoughthegenuinemessagemaybeencrypted,eveisabletocorrelatethe genuinemessagewithitsoutgoingcounterpart.the mixisthusconsidereddefeated. Intheinterval-basedbatchingapproach,ooding amixisuselessifgenuinetracisheavy.however, whenfewlegitimatemessagesarriveinagiveninterval,oodingcausesthemixtobelievethatdecoysare unnecessary.evemightevenremoveorrearrangemessagessothatonerealmessagetricklesintothemixper period.then,byinjectingfalsemessageseveisable tolinkthesingleauthenticmessagewithitsoutgoing counterpart. Thisattackisdiculttothwartcompletely.One simplebutonlypartialcountermeasureistorequire acertainnumberofdecoysevenwhenabatchisfull. Amoreeectiveapproachistheintroductionofintermixdetours;itisdiscussedinSection MessageReplay Evecantrytodefeatamixbyrecordingagenuinemessageandreinsertingitlaterintothemessage stream.asanincomingmessageiresultsinthesame outputowhenreplayed,associatingthetwoistrivial.becauseofitssimplicity,messagereplayisan extremelyseriousthreat.itispossibletopreventreplaybykeepingtrackofincomingmessagesanddiscardingreplays[2].replaydetectionisawell-studied topic[8,9].basictechniquesconsistofusingsequence numbers,randomnumbers(nonces)ordataandtime stamps. Techniquesinvolvingsequencenumbersornonces implyatleastsomesynchronization.however,thereis aninherentcontradictionbetweenthetermssynchronizationandanonymity.moreover,traditionalmethodsareconcernedwithauthentication,whichisnot requiredinourcase.underthesecircumstances,we havedecidedtouseavariantofatime-stampscheme. Inbrief,eachmessageisuniquelyidentiedand time-stamped.clearly,theidentiershouldrevealno informationaboutthemessage.assumingtheuseof hybridmessageencryptioncryptosystem(e.g.,asin PEMorPGP)weusethepublickeyencryptedform ofthesessionkeyasthemessageidentier.sincea messagedoesnotdecryptcorrectlyevenifasinglebit oftheencryptedsessionkeyisaltered,itisaninvariantofreplays.thesessionkeyisuniquewithahigh degreeofprobabilitybecause,itisusuallygenerated atrandomfromaverylargekeyspace5.thismethod isalsoverycost-eectivesinceamixdoesnothaveto performanyexpensiveoperationstocalculateunique identiersfortheincomingmessages;itsimplycopies theencryptedsessionkey. Itiscertainlyundesirabletokeeptrackofmessages indenitelyasitwouldresultinexcessivespaceusage. Asimplesolutionistotime-stampmessagesandush messageentriesaftersomexedsystem-widetimeinterval.thispointisfurtherdiscussedinsection8. Replyingtomessagesissomewhatdierentbecause \replays"alongareplypathareperfectlylegitimate (seesection5.6). 5pgpuses28bitIDEA-keys.Moreover,beforeRSAencryptingthisIDEA-key,itrandomlypadsittothemodulus ofthepublickey. 4

5 Alice Mix Mix Mix 2 3 Bob 5 3.3Cascadingorchainingmixes users'disposal.asmentionedearlier,ifonlyasingle maydecidetouseaseriesofmixestoforwardher messagetobob[2],seefigure2.thesystemthus becomesmoresecure. mixisused,thatmixistrustedtowithholdcritical information.insteadoftrustingasinglemix,alice Wenowassumethatthereisapoolofmixesatthe messagereceivedbybob,evehastosubvert/defeat ingthesystemwithoutpayingattentiontointer-mix trac.ifthetracloadislow,thesecuritydegeneratestotheworst-casescenariooutlinedinsection 3..2.However,inpractice,alargenumber(>00) ofindependentmixesdistributedaroundtheworld wouldmakeitverydicultforevetobeaglobal 4ForwardPath observer. themixesonthepath. cansimplyconcentrateonmessagesenteringandleav- fact,inordertolinkthemessagesentbyalicetothe IfEveisaglobalobserverofthemixnetworkshe Eve'staskbecomessignicantlymoredicult.In Figure2:Chainingmixes tion/decryption)havenoimpactonmessagesize.we exceptions)presentedinthissectionisduetochaum [2,3,4]. timebeing)thatcryptographicoperations(encryp- atinterveningmixes.mostofthematerial(withfew willreturntothisissueinsection6. 4.Compositionbysender anonymousmessagesandtheirsubsequenthandling Forthesakeofclarity,weassume(forthe Inthissectionwedescribetheprocessofgenerating composeshermessageaccordingtothefollowingprocedure: setofmixesisreferredtoastheforwardpath6.she sagetobobthroughfmixes;f;f2;:::;ff.this ()Thecleartextmessageispaddedtoexactly SupposeAlicewishestosendananonymousmes- 6WeusetheletterFtodenotemixesontheforwardpath. suresthateachmessageispaddedwithatleast =?randombytes.thereasonforreserving bytes.themaximumallowedcleartextmessage sizeis,,where<.thisrestrictionen- bytesforpaddingwillbecomeclearinsection (2)ThepaddedmessagedMeisthenencrypted 6.Theparametersandaresystem-wideconstants. withthelast,ff,isencryptedinthefollowing onceforeverymixontheforwardpath,starting xi=eff?i+(aff?i+2;xi?);for<if manner: x=eff(abob;dme) Theresultisanalogoustoanonionwhereeach whereefirepresentspublickeyencryptionwith EF(AF2;EF2(:::EFf?(AFf;EFf(ABob;dMe)):::)) xf= mixfi'skey.thenaloutcomeis: encryptionislikenedtoalayerofskin.toaccess sagesizeisshowninthegure.inparticular,the innerlayers,outerlayersmustbestrippedorst increaseswitheachencryptionandconcatenation step. (seefigure3.)theeectofencryptiononmes- dimensionsoftheboxesshowhowmessagesize takesplaceatthesuccessivemixes.thisensuresthat theinformationrevealedtoeachmixiskepttoaminimum. 4.2Processingbymixes Therstr er,uponreceptionofAlice'smes- mixontheforwardpath,f.7 atthesender,theonlytrustedentity.noencryption (3)Oncetheonionisassembleditissenttotherst Notethattheencryptionstepsareallperformed Figure3:ForwardmessagepreparedbyAlice formatconversionmusttakeplace. ablefortransmissionas .inthatcase,anappropriate sage,decryptsitwithitssecretkeytodiscoverthe addressofthenexthop,af2.thisisanalogousto removingtherstofskinoftheonion. alayerofencryptionuntilthelasthopisreached. Thelastr erstripsotheremaininglayerand 7Thebinarydataproducedbyencryptionmightbeunsuit- Similarly,eachmixontheforwardpathremoves bytes Address F2 Address Ff Addr. Bob Data Padding encryption with F s key other encryptions encryption with F(f ) s key encryption with Ff s key

6 discoversabob.themessageisthendeliveredwith allpaddingremoved. TheactualmessagereceivedbyBobshowsthatit hasbeendeliveredbymixff.bobdoesnotknowthe identitiesoftheothermixesnorthatoftheoriginator, Alice8. Toaccommodatethelargestpossiblenumberof users,thesystemofr ersassumesthattherecipientofanonymousmessageshasonlybasic capabilitywithnospecicsoftwaretohandleanonymousmessages.onlyregularmailisdeliveredtothe naldestination.inotherwordsthelastmixseesthe messageincleartext. Ifthedestinationhasencryptioncapability(e.g., PGP)Alicecanencryptthemessageusingtherecipient'spublickey.Thus,thecontentsofthemessage arehiddenfromthelasthop,andahigherdegreeof securityisachieved.obviously,ifthedestinationisa publicnewsgroup,usingsecretkeysmakelittlesense. 4.3Whatdoesamixknow? Oneimportantsecuritymeasureoftheentiremix networkistheamountofknowledgegainedbyamix inthecourseofprocessingamessage.byexamining -specicelds(e.g.,smtpheaders)anintermediatemixontheforwardpathcandiscovertheidentity ofthepreviousmixhop.withoutsomequestionable hackingof softwareitappearsimpossibletopreventamixfromgainingthisknowledge. Anotherpieceofinformationvisibletoamixisthe identityofthenexthop.itispossible{albeitin theory{topreventanintermediatemixfromknowing thenexthop.9webrieysketchonesimplemethod: Alicecomposestheanonymousmessagemuchas beforebutomitsmixaddresses{afi{fromthelayers. Eachinterveningmix,insteadofsendingthemessage tothenexthop,postsittoanewsgroupperiodically scannedbyallmixes.(analternativeistobroadcast themessagetoallmixes.)allmixestrytodecryptthe messagebutonlyonesucceeds.thesameprocedure isrepeateduntilthelastmixisreached;thelastmix forwardsthemessagedirectlytobob. Althoughithalvestheknowledgegainedbyintermediatemixesthissolutionisfraughtwithdiculties: theperformanceoverheadalonewouldbestaggering. Amorepractical,butcommensuratelyscaleddown, variationistogivethesenderanoptiontoinclude multiplemixaddressesineachlayer.thisway,an intermediatemixforwardsanoutboundmessageto severalnext-hopmixesandremainsuncertainwithrespecttotheidentityoftheactualnexthop. 5ReturnPath Thusfarwediscussedhowtosendmessages anonymouslywithoutenablingreplies.although uni-directionalcommunicationismostamenableto anonymity,itissometimesdesirableforananonymous mailrecipienttoreplytothe(stillanonymous)sender. Thiscanbeachievedbygivingthesenderanoption 8UnlessofcoursethemessagebearsAlice'snameor signature. 9Notethatlittlecanbedoneincaseofthelasthopmix. ofincludingareturnpathinformation(rpi)inthe anonymousmessage. 5.CreatingtheRPI TheRPIiscomposedbyAliceaccordingtothefollowingprocedure. ()AlicechoosesmixesR;R2;:::;Rrforthereturn pathandmixesf;f2;:::;fffortheforward path.(seefigure4.) Alice Bob R R 2 F 2 F F f R r Figure4:ReturnPath Themixesontheforwardpathandreturnpath arecompletelyindependent.thetwosetsmay beidentical,overlappingorcompletelydisjoint. (2)Alicerandomlychoosesakeyseed{KS{ and,usingit,computesrkeys,k;k2;:::;kr. Therearemanywaystodoso,e.g.:Ki= E(KS;i)forirThesekeyswillbeused bythereturnmixestoencryptbob'sreply. (3)Thekeyseed(alongwiththenumberofhopsr) isrstencryptedwithalice'spublickeytoform y0=ealice(ks;r). (4)Then,onceforeverymixonthereturnpath, startingwiththelast,rr,thefollowingencryptionisperformed: yi=(arr?i+;err?i+(kr?i+;yi?)) (forir) Thenaloutcomeis: yr=ar;er(k;ar2;er2(k2;::: :::ERr(Kr;AAlice;EAlice(KS;r)):::)): Werefertotheresultantblock,showninFigure 5,asalittleonion,similarinconstruction,but smallerthan,theforward-pathonion. (5)AliceinsertstheresultingRPIblockintothebeginningofthecleartextmessageshewishesto send.thentheprocedureoutlinedintheprevioussectionisfolloweduntilthelastr eron theforwardpath,ff,isreached.ffdetectsthe 6

7 7 K, Address of R2 encryption with mix R s key RPIintheoutboundmessageandmodiesthe mailheadersuchthatalaterreplybybobwould Figure5:ReturnPathInformation other encryptions Kr, Address of Alice encryption with mix Rr s key [bytes] encryption with Alice s key KS, r RPIismeanttobetreatedopaquelybyBob. receivedbybobisprexedwithanrpiblock.the 5.2Replyingbyrecipient Asmentionedabove,themessagesentbyAliceand anycryptographiccapabilityfrombob.) destination{bob{butwetrytoavoidrequiring sumethattherpiis"visible"tothelasthopmix. ItwouldbemoresecuretoencryptRPIforthe besentdirectlytorandnottoff.0(weas- Padding prependstherpihereceivedfromalice.hethen namelyr. sendshisreplytotherstmixonthereturnpath, Bobcomposeshisreplyasusualandsimply ThemessagereceivedbyRisshowninFigure6. 5.3Replyprocessingbyr ers (SMTP) Header inga\reply-to"eld[6]intheheaderofthemessagesentto byrpi0.astherstmixonthereturnpath,r, RPIandextractsit.LetusdenotethisoriginalRPI UponreceivingBob'sreply,Rdetectstheincluded Figure6:Bob'sreplyasreceivedbyR Bob. performsthefollowingsteps: 0InRFC-822-compatiblesystems,thisisachievedbyinclud- Message Body ()Combinetheheaderandbodyofthereply(withouttheRPI)intoastringM0.Thisisthestring AR2,theaddressofR2.LetRPIdenotethe thatwillultimatelyreachalice. (3)DecryptRPI0,torevealtherandomkeyKand (2)PadM0tosize?!. (4)EncryptdM0e?!withKtoformY= (5)Send(RPI;Y)toR2.Notethatthesizeofthis Thenextr?r ersonthereturnpathwill messageis. tion. KfdHeader+Bodye?!g. newrpi,whichhasonefewerlayerofencryp- performasimilaroperation.atmixri: ()Afterreceptionof(RPIi?;Yi?)decryptRPIi? isidenticalexceptthatthenexthop'saddresswillbe (2)EncryptYi?byKitoform (3)Send(RPIi;Yi)tothenexthopARi+. Forthelastmixonthereturnpath,theoperation denotedrpii. torevealai+andki.theresultantvalueis AAliceinsteadofARr+. distinguishablefromamessageontheforwardpath becausebothhavesize.thestructureofbothmes- Itisimportanttonotethatareplymessageisin- Yi=KifYi?g. sageslookidenticaltoanoutsideobserver,i.e.en- cryptedgibberish. longstotheforwardorreplyowsbyperformingat mosttwodecryptionattempts. Amixisabletodeterminewhetheramessagebe- Alicesees: messageisonthereplypath. thedecryptionoftheentiremessage,bytes,should cryptionhavebeenremovedexceptthelast.therefore besuccessful2 5.4Handlingrepliesattheoriginator Bob'sreply.However,bythistime,alllayersofen- Otherwise,themessageisontheforwardpathand Ifdecryptionofrst!bytesissuccessfulthenthe Eventually,Alicereceivesthestring(RPIr;Yr)as RPIr=EAlice(KS;r)and still!. K;K2;:::;Kr,inordertoprocessthereply.Inour Chaum'smodel[2],Alicehastorememberthekeys icetoregeneratek:::kr.successivedecryptions ofyrwiththesekeysyieldm'.wenotethatin AssumeforthetimebeingthatthesizeofthisnewRPIis 2Ifbothencryptionattemptsfailthemessageisdiscarded. DecryptingRPIrrevealsKSandrandallowsAl- Yr=KrfKr?f:::KfdM0eg:::gg

8 Alice R r R 2 R F F 2 X X 2 X x F f Bob 8 mainstatelesswithrespecttooutstandingmessages. simplifyingtheprocessingandallowingalicetore- scheme,keysareembeddedinthereply,considerably ingananonymousmessagetoanewgrouporabulletin inbothdirections.supposethatalicebeginsbysendtions,foraliceandbobtocommunicateanonymously headerasseenbytherstmix.thisheadercanbe 5.5Two-wayAnonymousConversation messageisnotequallyanonymous. usedtoidentifybob.thus,areplytoananonymous Despitetheabove,itispossible,undersomecondi- NotethatM'iscomposedofBob'sreply,andits herrpibutitrepresentstheonlywaytocommunicatewithalice.hesendshisreplym'tor(sthop inrpi)anonymouslythroughmixesx;x2;:::;xx (seefigure7).inotherwords,bobcreateshisown forwardpathandconnectsittoalice'srpi. board.thismessage,amongotherthings,includesan RPI.SinceBobdoesnotknowAlice,hedoesnottrust anotherseriesofmixes,seefigure8.thus,itispossiblefortwopartiestocommunicateelectronicallyin AlicecanreplytoBob'sanonymousreplythroughyet bothdirectionswithouteitherpartyknowingtheidentityoftheother. 5.6Securityofreplies BobcanalsoincludeanRPIinhismessagesothat Figure7:Bob'sanonymousreplytoAlice. fectlylegitimateformultiplerecipientstogenerate toforward-boundmessages.thisisbecauseitisper- applysimilarreplaydetectionmeasurestorepliesas severalresponsestoasingleanonymousmessage.(this holdsonlyifaliceexplicitlyallowsrepliesbyincluding anrpiblock.) ever,thatincaseswhererepliesarenotwanted, Thus,Evecanmountareplayattack.Note,how- Unfortunately,itisdicult(ifnotimpossible)to X X 2 X x R r R 2 R F F 2 F f dress.inotherwords,sincerpi-sarenotdigitally dedrpi.also,anrpiisnot"tied"toagivensender; itistrivialtocreateanrpiwithafakereturnad- signed,theycanberepudiated. 5.6.Inter-MixDetours Babelallowsmessagestobesentwithoutanembed- Figure8:AlicereplyingtoBob'sanonymousreply. N N N 2 curity(i.e.,untraceability)ofrepliesbyintroducing n Y thereplytothenexthopri+.inthedetourmode, inter-mixdetours. path.normallyamixri(0i<r)forwarded Asimpleyetpowerfulwayofstrengtheningthese- LetR;R2;:::;Rrdenotethemixesonthereturn Y2 Yy Richoosesarandomforwardpath(calledadetour) Di;Di2;:::;Diri,whichconsistsofnormalmixesdrawn fromtheglobalmixnetwork.themessageisthen asshowninfigure9. anonymouslyforwardedtori+throughthesemixes toured.however,ifthemixesonthedeviatedpath whererepliestothesameanonymousmessagecanbe correlatedbymerelyexaminingtheexposedrpi. pearsdierentforeachreply,inparticular,during areplayattack.comparethistothepreviouscase structedbyamixandnotauser. theyarearegularanonymousmessagesonlycon- Messagesontheforwardpathcouldalsobede- AdetourensuresthatamessageleavingRiap- Thereisnothingspecialaboutdetour-edmessages; benetthatcanbederivedfromdetouringforwardboundmessagesisthat,unlikechaum'smixes[2],we wouldhavetobetaggedaccordingly.animportant canguaranteethateventheoriginatorofananonymousmessagecannotrecognizeitsownmessageasit leavesamix. furtherdetouredmessages,endlessdetourloopswould occur.toavoidthisproblem,detouredmessages Oneslightdrawbackofintroducinginter-mixde-

9 R r R R Alice Bob envisaged:insteadofdeliveringareplydirectlytoal- toursisthatamixnowhastoknowaboutothermixes; Figure9:Inter-mixdetoursonreplies. analogoustothebroadcastsolutionasdescribedin 2 [0] Indirectreplies thusfar,ithasnotbeenarequirement. matchingthatnumbertag.thismethodisroughly ice,bobcandeliverittoalocalnewsgroupwithaspe- cialnumbertag.alicescansthisnewsgroupforreplies Anentirelydierentapproachtorepliescanalsobe F F 2 F f tice,however,ciphertextisusuallysomewhatlonger cleartextcanbedevised,e.g.cfbmodeofdes 6KeepingMessageSizesConstant withapre-distributedinitializationvector.inprac- thancleartext.inhybrid-keycryptosystemsthesize increaseisparticularlynoticeableduetotheneedto sagesareofthesamelengthasthecorresponding shortermessage. includeanencryptedrandomsessionkeyinaddition totheciphertext.conversely,decryptionresultsina Inprinciple,acryptosystemwhereencryptedmes- mixes.thedierencesinsizecanbeexploitedbyeve. wouldstillvisibletor ers.thisallowsthemto creaseaftereachdecryptionasittravelsthroughthe outgoingmessageto.althoughallmessageswould havethesamesizeforaneavesdropper,thedecrease Theproblemcanbesolvedifeachmixpadsthe Thus,thelengthofan messagewouldde- D r D r D r 2 D r 2 rr D D 9 orfollowinghops,andiscontrarytooneofourgoals makeeducatedguessesastothenumberofpreceding trac,thersthopcaninferthatitisthersthop setinsection2.2. bycomparingalice'saddresswiththelistofknown sentbyaliceisindistinguishablefromotherinter-mix inghopsshouldbekeptsecret.althoughthemessage therecipient,respectively. becausetheycanlearntheidentityofthesenderand viousandnexthopandnothingelseaboutthepathof amessage.therstandlasthopsarealittledierent Furthermore,thenumberofprecedingandfollow- Eachmixshouldknowonlytheidentityofthepre- hopsnorthenumberoffollowingones. diatehops,shouldnotknowthenumberofpreceding mixes.inasimilarfashion,thelasthopcandeduce thatitisthelast.however,allothers,i.e.interme- thepointclear. isdividedintoaxednumberofxed-sizeblocks. ThisisthesolutionimplementedintheMixmaster information-carryingdata.anexampleshouldmake thatsomepadding(encryptedornot)alwaysfollows package[7]. andmorestorage-ecient.thebasicideaistoensure Chaum[2]presentsageneralsolutionwheredata bytesofc0hasnoimpactontheencryptedversion havinglength+.if<pthentrimmingtrailing ofdatafollowedbyp=?mbytesofpadding.also supposetheencryptedversionofcisdenotedbyc0 LetstringCoflengthbecomposedofMbytes Herewepresentanotherapproachthatissimpler padding,seefigure0.inotherwords,trimming ofthedatabutonlyontheencryptedversionofthe bytesresultsmerelyinthelossoftheoriginalpadding butnotindataloss. ciphertextwillbedetected,leadingtopossiblerejec- mationaboutthecleartext,alterationsmadetothe algorithmshouldbesuchthatcorrectdecryptionof agivenblockdependsonsomeoralloftheprevious blocksbutnotonfollowingblocks.thisistruefor mostencryptionalgorithms.wealsonotethatifthe encryptionpackageusedembedscrcorlengthinfor- Forthepreviousstatementtohold,theencryption Figure0:Padding Encrypting Trimming bytes Data Padding Encryption Data Padding Trimming excess bytes Data Padding

10 ticularr ersystemprovides.inparticular,the quirementsforconstructingmixesthatprovidebi- ofamix,thepotentialthreatsfacingitandre- tionofthemessage.thisissueisfurtherdiscussedin notionsofconfusionandstaunchnessareintroduced malizeandanalyzethedegreeofanonymityapar- Section Heedinganonymity anddened. 7.Fixed-PathSystems directionalanonymity.thissectionattemptstofor- Intheprecedingsectionswedenedthenotion estingwaytoincreasetheoveralltracloadistouse mixes.thisshouldnotnecessarilybeso.aninter- thesamexedmixpathforallmessages[24].we uration,messagesalwaysenterthesystematm,are denotethispathbym;m2;:::;mm.inthiscong- ischosenatrandomfromalargepoolofavailable forwardedtom2,thentothenextmix,andsoonuntil theyleavethesystematmm. Byforcingallmessagestovisitallmixespertaining Untilnowwemadeanassumptionthatamixpath maximal.thereareotheradvantagesofusingaxed tothexedpath,thetracgoingthrougheachis path.themixnetworkbecomesmorereliable,less chaoticandmucheasiertomanage. goodengineeringpractices.clearly,ifamixisoverwhelmedbysheertracvolume,datalosscanoccur. Thisisnotaseriousdrawbackbecause,asthetrac increasesbeyondtheprocessingcapacityofthemixes, otherxedpathscanbeintroducedtoooadthepreviousxedpath(s). Maximizingtracloadmightseemcontraryto lowingattackwhereeveallowsonlyasinglemessage therstandlastmixes,mandmm.considerthefoltem.shecanevenlearnagreatdealbywatchingonly NowitismucheasierforEvetomonitortheentiresys- mixesonthexedpath,m,isclearlylimited.thus, theadvantageofusingalargenumberofmixesislost. Owingtopracticalconsiderations,thenumberof causeeveallowsonlyasinglegenuinemessagetoenter Thisattackisreferredtoasthetrickleattackbe- Figure:TheTrickleAttack totrickleintoaintervalbatchingmixnetwork.eve thesystem.byobservingtheoutputofthelastmix, Mm,shecancorrectlycorrelatethegenuinemessage withitscorrespondingoutput. 0 single message per period Controlled by Eve... M M 2 M m 7.2Systemstaunchness,miss&guessfactormixdecoysdonotconfuseEve. However,asmanyuserswouldbealarmedoreven themtoleavethemixnetwork.unfortunately,inter- upsetbyreceivingdecoymessages,wedonotallow Decoysmightbeusedtooutfoxthetrickleattack. makingacorrectcorrelation.(obviously,g+m=.) ofconfusionintroducedbythemixes.similarly,the andamessageleavingit.itrepresentsthemeasure mixesuseregularbatchingwiththebatchsizesetto guessfactor,denotedg,isdenedastheprobabilityof relationbetweenamessageenteringthemixnetwork networkastheprobabilityofmakinganincorrectcor- Wedenethemissfactor,denotedM,foramix Considerthexed-pathcasewheretheintervening ismoresecurethanasinglemixbutnotnecessarily advantageofchainingthroughseveralmixes? becauseevehastosubvertallmixesinordertobreak theanonymitychain.inotherwords,achainofmixes theguessfactorofasinglemix.whatisthenthe N.Then,Gforthexedpathisequalto=N.It isinterestingtonotethattheresultisidenticalto amessagetravelsthrough. 7.3TheQuestforConfusion thisfar,staunchnessisequaltothenumberofmixes defeatmessageanonymity.inallschemesdescribed moreconfusing.wedenethestaunchness,s,ofa mixnetworkasthenumberofsecretkeysneededto Achainofmixesismoresecurethanasinglemix mixesuseinterval-basedbatchinginsteadofregular sagesarrivingduringintervaliisdepictedinfigure fectlysynchronizedandmessagetransmissiontimeis smallbutnon-zero3,theitineraryofagroupofmes- batching.assumingtheclocksofr ersareper- leaveitattime(mt),alongwiththerestofthe messagesenteredduringthesameinterval.theguess 2.Amessageenteringthesystematintervaliwill Considerthexedpathcasewhereintervening teminintervali. whereniisthenumberofmessagesenteringthesysabilityforcorrectcorrelationisclosetoone.thisis factorforperiodiisgivenby missfactor,thebetter.onecouldsimplyincreasethe whatonewouldexpectbyintuition. Thus,iffewmessagesenterthesystem,theprob- Forobviousreasons,thehigherthevalueofthe Gi=ni; durationoftheinterval,t,toaugmenttheaverage numberofincomingmessagesperperiod.however, interval. thishasanegativeimpactontheaveragedelayexperiencedbymessages.theywillbedelayedonthe thefollowingmixes.thus,thetotalaveragedelayfor averagebyt=2intherstmixandforafullperiodat 3Sothatmessagesarriveatthefollowingmixduringanew

11 messages leaving M messages leave the mix system 2 messages leaving M messages entering M 2 messages entering M3 messages leaving M m messages entering M m Figure2:Intervalbatchingwithsynchronizedclocks thexedpath,neglectingtransmissionandprocessing time,isgivenby messages entering M... time butwithanaddedtwist.the"twist"isthatattheend wheremisthenumberofr ersonthexedpath. 7.3.Probabilisticdeferment duceanewschemebasedonthetimeintervalmethod Continuingourpursuitofconfusion,wenowintro- E[Delay]=T(2+m?)[sec] it (i+)t (i+2)t (i+m )T (i+m)t aredeferredforanadditionaltimeperiodwhileall foranadditionalperiod. intervalandd=?qtheprobabilityofdeferringit refertothisschemeasprobabilisticdefermentwith intervalbatching. takenbyippingabiasedcoin.letqbetheprobabilityofforwardingthemessageattheendofthecurrent othermessagesaresentwithnofurtherdelay4.we ofeachtimeinterval,someoftheincomingmessages deferred.theprobabilitymassfunctionofkisgiven timesagivenmessageleavingthemixsystemhasbeen LettherandomvariableKdenotethenumberof Thedecisiontodeferagivenincomingmessageis ingappropriatestateinformation. PfK=kg=mkqm?kdkwherek=0;:::;m; 4Incominganddeferredmessagesaredistinguishedbykeep- whichisthebinomialdistribution.theexpectedvalue ofkissimplye[k]=md layedaslongas2tmseconds;delayedforafullinter- valandalsodeferredonallmmixes. eragewillbedelayedby: E[delay]=T(2+m?)+Tmd Thus,withthenewscheme,amessageontheav- toguessboththeintervaltowhichamessagebelongs (i.ek)andalsoitspositioninthatinterval.presuming thatthenumberofmessagesarrivingateachperiod Notethatintheworstcaseamessagemaybede- Withthenewschedulingpolicytheopponenthas avgaddtldelay[sec] {z} themostlikelydefermentevent. isroughlythesame5,eve'sbestguessistoassume where0<d<,asbgoesfrom0tom,pfb=bg forsimpleintervalbatching,timestheprobabilityof themostlikelydefermentevent,i.e. intervali,designatedbgi,isgivenbytheguessfactor Thustheguessfactorforthenewpolicyforthe arigorousproof,referto[34].foralessrigorous rstincreasesmonotonicallyandthendecreasesmonotonically,reachingitslargestvaluefor6de[b]e,the butamusingproof,thereadercanapproximatethe binomialbythepoissondistribution,generalizethe smallestintegergreaterthanorequaltomd.for ForabinomialvariableB,withparameters(m;d), bgi=gipfmostlikelykg derivativewithrespecttoanowcontinuousb. factorialtothegammafunction7andthentakethe =2.Themostlikelyvalueforkis3,withprobability isreachedforvaluesofdnottoofarawayfrom=2. event,pfb=de[b]eg,asafunctionofthedeferment dierentforevenvaluesofm,forwhichtheminimum mostlikelyeventisminimalford==2.thisisalittle probabilitydforevenandoddvaluesofm. Foranumericexample,supposem=5andd=q= Figure3showstheprobabilityofthemostlikely plydoubledthetimeintervaltot0=2t,astohave ducesanadditionaluncertaintyof0 32.Thus,theprobabilisticdefermentmethodintro- Clearly,foroddvaluesofm,theprobabilityofthe latedinterval. thesamedelayintheworstcase,thenthedecreasein theguessfactorwouldbeonly=2.theprobabilistic batchingforallvaluesofm>,evenintheworst defermentmethodcompareswellwithsimpleinterval case. 6"E"doesnotmeanencryptionhere. 5Otherwise,messagesarelikelytobelongtothemostpopu- 32.Ifwehadsim- equaltoitselfwhenderived.however,itisonlydenedfor<+. 7Liketheexponentialfunctionthegammafunctionisalso

12 Probability of the most likely b Odd number of mixes m= Even number of mixes m= m=3 tionofd m=4 m= AHybridApproach m= m= domorderpath,imposesaxedsetofmixesbutallows Figure3:Probabilityofthemostlikelybasafunc- m= method,thetracloadisoptimal.however,there arenocriticallines.evemustobserveandcontrolall communicationslinestodefeatthemixnetwork.the traversingtheminanyorderchosenatrandom,with eachmixvisitedonlyonce.aswiththexedpath m=00 m=000 usetoincreasetheconfusionfactorfurther. Ahybridconguration,referredtoasxed-setran forthexed-setrandomordersystem.however,it probabilisticdefermentapproachcanalsobeputto Itisverydiculttocalculatetheconfusionfactor Deferment probability, d Deferment probability, d combinessomeofthebestfeaturesofthemethods mentionedsofar. 8Implementation andrequirementsdescribedinthispaperhasbeenimplementedtheibmzurichresearchlaboratoryduringrsthalfof995.thissectiondiscussessomeof 8.Computingenvironment toimplementbabel.perlisreadilyavailableon Ananonymousr erconformingtotheideas thesalientaspectsoftheimplementation. ThepopularscriptlanguagePerl[32,33]wasused Probability of the most likely b 2 mostunixplatformsandiswell-suitedforprocessing looselystructureddatasuchas messaged.we optedforthelatestincarnationofperl,version5. ware,wechosepgptoprovidethecryptographicbase. 8.2PrettyGoodPrivacyorPGP pgpcombinestheconvenienceandsecurityofpublickeyalgorithmswiththehighspeedofconventional thisisnotthecaseforautomated(batch)processing; errorconditionsrequireunexpecteduserinteraction, cryptography.itoersfull-blownmessageprivacyand andthereturncodesareattimesconfusing. 8.2.PGPleformat pgpiswell-suitedforinteractiveuse.unfortunately, authentication,basedonrsa[30]andidea[4,5]. encryptedandsigned,buttheusercanviewitscontentsandverifyitssignaturewithasinglecommand. Atthebytelevelthisisachievedbyembeddingacom- Withpgp,an messagecanbecompressed, Sinceitwasdesignedwiththemassappealinmind, tographicoperations,whicharenotoriouslycostlyin termsofprocessingpower. Perl.However,theimpactofinterpretingthecode atruntimeisnegligiblecomparedtothatofcryp- costinvolvedinusinganinterpretedlanguagesuchas Itbeingthemostpopular encryptionsoft- Werecognizethatthereisaninherentperformance pressedpacketinsideahybridrsa-ideaencrypted packet.thispacketitselfisthenembeddedinasignaturepacket(figure4)whichcaninturnbeembedded inaradix-64asciiarmor. unknowntype,i.e.userdata,isencountered.althoughthismightbethecorrectbehaviorattheuser level,itisinadequatewhenmultipleencryptionis pgprecursivelyprocesseseachpackettypeuntilan Figure4:MultiplePacketEmbedding signature batchprocessing. used.inthatcase,pgp8attemptstocontinuede- mixes). missing(amixdoesnotknowthesecretkeyofother cryptingafterarstsuccessfuldecryption.thesec- onddecryptionoperationwillusuallyfailbecausethe secretkeyneededtoperformtheoperationwillbe 8Behaviorobservedwiththe\+force"optionrequiredforin radix 64 Armor RSA IDEA compressed compressed data

13 Cipher byte type CTB 8 bits messageheadersalsocontainssensitiveinformation PEMisevenworseinthisrespect,astheunencrypted PEMmessageheaderscontainidenticationofboth senderandrecipient[3].thecleartextpartofpgp privacyandauthenticationbutnotsenderanonymity. thatcanbeusedbyanattackertocorrelatemessages.thispotentialthreatwascarefullystudied,anopedattheearlierstagesoftheproject. aversion-independentpgpformatparserwasdevel- Furthermore,pgpismeanttobeusedfor packet length 8/6 bits algorithm type 8 bits byte (= for RSA) Figure5:Dataformatforencryptedle recipient key ID 64 bits RSA encrypted IDEA key variable variable mentionedinsection6,trimmingisusedtoenforce 8.2.2Sideeectsofencryption IDEA uniformmessagesize.fortunately,whencompression textintotheciphertext.thiscausespgptoreject foreencryptingit9.however,sinceuniformmessage lesalteredinanyway,particularlytrimmedles.as sizeisaconcern,compressionisalwaysturnedo. Incompressionmode,pgpaddsaCRCoftheclear- Thispreventsmessagesfromshrinking. Bydefault,pgpattemptstocompresscleartextbe- Thereisanotherreasonforturningocompression. (message body) isturnedo,pgprecordsonlythelengthofthecleartextmessage.thus,alterationstodatalengtharphertext.wecapitalizeonthisbehaviortoimplement cleartext(e.g.,mailheaders)usuallyprecedesthepgp partofthemessage.moreover,additionalcleartext thantheprerecordedvalue,butacceptslongerones. inan messagethatincludespgpciphertext,the detectedbutnotthosetocontents. Thisbehaviorcanbeexplainedbyconsideringthat, (e.g.acleartextsignature)usuallyfollowsthepgpci- 9Somethinkthatcompressionenhancessecurity;wedonot. Tobeprecise,pgprejectsmessagesthatareshorter 3 presentedinsection Radix-64format sortofconversionmusttakeplacetosendencrypted simpleandecientconversionmethodisradix-64armoring.itisdenedin[6]. 8.3R erdeployment dataover7-bitchannelssuchas .aremarkably Aspgp-encryptedlesareinbinaryformat,some theforwardandreplymessagesindistinguishably,as minutes,withouthavinganyadministratorprivileges. pavesthewayforasecuritybreach.sincebabelis Personal istreatedasusual,butanonymous accountintoananonymousr erinamatterof on lters.anyusercantransformhiscomputer inthe.forwardle.referto[5]forfurtherinformation theuser'smailbox20.thisiscompatiblewiththeinternet'spopulistphilosophy.however,notethatthis mailislteredandprocessedwithoutevercluttering ABabelmixisdesignedtoactasalterinstalled designedwithaminimumofhumaninterventionin mailersitecanattractswarmsofmessages.thiscan mind,thepasswordneededtoaccessthesecretkeyof congurationle.althoughthisleisnotaccessible toacasualuser,thesystemadministratorcanusually overridethesafeguards.furthermore,apopularre- ar erisstoredincleartext,inaread-protected mentionedexportrestrictions. resultinseriousperformancedegradationonthelocal 8.4Proxies raphypersebutalsotoequipmentthatmakesuse duetou.s.exportrestrictionsoncryptographicparaphernalia.restrictionsapplynotonlytocryptog- notcontainasinglelineofcryptographiccodeandreliescompletelyonpgpitisstillsubjecttotheafore- ofcryptography.inparticular,althoughbabeldoes host. TheactualdeploymentofBabelhasbeendelayed ontheuser'sbehalf.theproxymixisalsoabletosubstituteitselffortheuserinordertoprocessmultiply encryptedreplies.consequently,itispossibleforany bare-bones usertosendanonymousmessages Babeloersaso-calledproxymodeofoperation.In thismode,auserwithnobabelsoftwarecanaskany andreceivereplies.2 mixtocomposeandforwardananonymousmessage Inordertoappealtothegreatestnumberofusers, 8.5Messagelength Concretevalues cansendtheirordersencryptedwiththeproxymix's publickey. However,usersequippedpgpbutnoBabelsoftware curebecausetractotheproxymixowsincleartext. esthatanymailersoftwareshouldbeabletosend andreceivemessagesatleast64kbytesinlength(includingheader).takingintoaccounta33%increase 20Unlessanerroroccurswhileprocessingthemessage. 2Thisisparticularlyapplicabletonon-Unixusers. Theproxymodeofoperationsissomewhatlessse- ofradix-64armoring,themaximumuniformmessage TheInternet "bible",RFC23[3],speci-

14 size,,wecouldsafelyadoptis48kbytes22.being concernedbynetworkbandwidth,weoptedforhalf thatnumber,i.e.24kbytes. Fora52-bitpublickey,pgpincreasesmessagesize byabout5bytesateachencryption.experiments showthatthethicknessofalayeroftheanonymous onionisonaverageapproximately220bytes.therefore,when2kbytesofpaddingareused,amessage cansafelyincludeninelayersofencryption.therecommendedrpisize!is.5kbytes.thisallowsapproximatelysevenmixesonthereturnpath. Weintentionallychosenottoprovidesupportfor largerles.thisistheacceptedpracticeonexistingr ers.itismeanttofrustratetheanonymous transmissionofgraphicles,whichtendtobevery large23.itisstillpossibletosplitlargerlesinto smallerpiecesandsendthemanonymously. 8.6TimeSynchronization&ReplayDetection AsmentionedinSection3.2.2,eachlayerofthe onioncreatedbyaliceincludesatimestamp.the valueofthetimestamp,referredtoas,isthenumberofsecondselapsedinsecondssincejanuary,970 GMT,tothemomentofmessagecompositionbythe sender. ABabelmixusesatwo-stepreplaydetection. First,itrecordsauniqueidentierofthemessageas describedinsection3.2.2.aslongastherecordis inthedatabase,replaysaredetected.however,inordertokeepthedatabasesizereasonable,therecord isdeletedattime(+).thereafter,anymessage bearingthetimestamporolderwillbediscardedas beingtooold;notnecessarilyforbeingareplay. Timestampsareintroducedmerelytokeepthereplaydatabasesmall.Thus,onlylooseclocksynchronizationisneeded.Assumingthetotaldelayexperiencedbymessagesatr erstobeaboutonehour, wechosetobe24hours,oneorderofmagnitude largerthanmessagethedelay.thus,thetimeittakes tovisitallmixesontheforwardpathisconsidered negligiblewithrespectto. Withsuchacoarsevalueof,itissucientthat hostskeepclocksaccuratewithinadayforthesystem tofunctionproperly. 9Conclusions Thispaperpresentedananonymousr ersystemcalledBabel.Babelisexibleenoughtoallow bothsendingandreceivinganonymouselectronicmessages.anonymitycriteriahavebeendenedinorder tocomparedegreesofanonymityprovidedbyvarious congurations. ThebasiccomponentsofBabel,mixes,arenot awareofeachotherandlearnverylittleaboutmessagestheyprocess.incontrasttosomecurrentlyoperatingr ers,babelmixesdonotdependon (potentiallytreacherous)aliastables. ThesoftwareimplementationofBabelisbasedon freelyavailableingredients:perlandpgp.atthe 22nottakingtheheadersizeintoaccount. 23andofquestionablenature. sametime,thesystemremainsaccessibletouserswith onlyabasic capabilitythroughtheuseofits proxymode. ABabelmixcanbeveryeasilysetupbyany userhavingonlyasimpleunixaccount.however, itisenvisagedthatsettingupaninternet-widemix network(mesh)willtakesometime. Aswithanynewtechnology,someabuseisunavoidable.CaveatEmptor! Acknowledgments TheauthorswishtothankPh.Janson,M.Waidner,M.Steiner,R.Hauserandtheanonymizedrefereesformanyhelpfulcommentsandsuggestions. References []D.Akst,\Postcardfromcyberspace,"LosAngelesTimes, February [2]D.Chaum,\UntraceableElectronicMail,ReturnAddresses,andDigitalPseudonyms,"Communicationsofthe ACM,v.24,n.2,Feb98,pp.84{88. [3]D.Chaum,\SecuritywithoutIdentication:Transaction SystemstomakeBigBrotherObsolete,"Communications oftheacm,28/0,985,pp.030{044. [4]D.Chaum,\TheDiningCryptographersProblem:UnconditionalSenderandRecipientUntraceability,"Journalof Cryptology,/,988,pp.65{75. [5]B.Costales,E.AllmanandN.Rickert,\Sendmail", O'Reilly&Associates,993. [6]D.H.Crocker,\StandardfortheformatofArpaInternet messages",rfc822,august982. [7]L.Cottrell,\MixmasterandR erAttacks," [8]D.W.DaviesandW.L.Price,\SecurityforComputer Networks,"JohnWiley&Sons,984,pp.37{43. [9]D.E.R.Denning,\CryptographyandDataSecurity," Addison-Wesley,982 [0]D.J.FarberandK.C.Larson,\NetworkSecurityviaDynamicProcessRenaming,"FourthDataCommunications Symposium,Oct975,QuebecCity,pp.8{8. []J.Helsingius:Pressrelease,February20th995. [2]E.Hughes,\CypherpunksManifesto,"distributedon Usenetandvariousmailinglists,March993. [3]InternetEngineeringTaskForce,\RequirementsforInternetHosts{ApplicationandSupport,"RFC23,October 989. [4]X.Lai,\OntheDesignandSecurityofofBlockCiphers," ETHSeriesinInformationProcessing,v.,Konstanz: Hartung-GorreVerlag,992. [5]X.LaiandJ.Massey,\AproposalforaNew BlockEncryptionStandard,"AdvancesinCryptology EUROCRYPT'90Proceedings,Berlin:Springer-Verlag, 99,pp.389{404. 4

15 [6]J.Linn,\PrivacyEnhancementforInternetElectronic Mail PartI:MessageEncryptionandAuthentication Procedures,"RFC42,Feb993. [7]S.Maguire,\WritingSolidCode.",MicrosoftPress,993, pp.79{80. [8]T.May,\CryptoAnarchyandVirtualcommunities,"InternetSecurityJournal,April995. [9]D.L.Mills,\Algorithmsforsynchronizingnetwork clocks."rfc956,september985. [20]D.L.Mills,\Experimentsinnetworkclocksynchronization,"RFC957,September985. [2]D.L.Mills,\NetworkTimeProtocol(Version3)Specication,ImplementationandAnalysis,"RFC305,March 992. [22]W.Mossberg,\Personaltechnology,"WallStreetJournal, Jan [23]J.Quittner,\UnmaskedontheNet,"Timemagazine, March6995. [24]A.Ptzmann,\HowtoimplementISDNswithoutuser observability Someremarks,"InstitutfurInformatik, UniversityofKarlsruhe,InternerBericht4/85,985. [25]A.Ptzmann,B.PtzmannandM.Waidner,\ISDN- Mixes:UntraceableCommunicationwithVerySmall BandwidthOverhead,"GI/ITGConference:CommunicationinDistributedSystems,MannheimFeb.20{ 2299,Informatik-Fachberichte267,Springer-Verlag, Heildelberg99,pp.45{463. [26]A.PtzmannandB.Ptzmann,\Howtobreak thedirectrsa-implementationofmixes,"advances incryptology EUROCRYPT'89Proceedings,Berlin: Springer-Verlag,990,pp.373{38. [27]A.PtzmannandM.Waidner,\NetworksWithoutUser Observability designoptions,"eurocrypt85,springer- Verlag,Berlin986,pp.245{253.Revisionin:Computers &Security,6/2987,pp.58{66. [28]J.B.Postel,\Simpl TransferProtocol",RFC82, August982. [29]R.RivestandA.Shamir,\HowtoExposeanEavesdropper,"CommunicationsoftheACM,v.2,n.2,Feb978, pp.20{26. [30]R.Rivest,A.Shamir,andL.M.Adleman,\CryptographicCommunicationsSystemandMethod,"U.S Patent4,405,829,20Sep983. [3]B.Schneier,\AppliedCryptography,"JohnWiley&Sons, 994. [32]R.Schwartz,\LearningPerl,"O'Reilly&Associates,993 [33]L.WallandR.Schwartz,\ProgrammingPerl,"O'Reilly &Associates,993. [34]R.Sheldon,\ArstCourseinProbability,"Macmillan, fourthedition,994,pp.47{67. [35]P.Zimmerman,\PGPUser'sGuide",includedinPGP distribution2.6i,october994. [36]P.Zimmerman,\PGP2.6leformats",includedinPGP distribution2.6,may994. 5