We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design. Tor adds perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency. We briefly describe our experiences with an international network of more than a dozen hosts. We close with a list of open problems in anonymous communication. 1. Overview

Abstract. We present Mixminion, a message-based anonymous remailer protocol that supports secure single-use reply blocks. MIX nodes cannot distinguish Mixminion forward messages from reply messages, so forward and reply messages share the same anonymity set. We add directory servers that allow users to learn public keys and performance statistics of participating remailers, and we describe nymservers that allow users to maintain long-term pseudonyms using single-use reply blocks as a primitive. Our design integrates link encryption between remailers to provide forward anonymity. Mixminion brings together the best solutions from previous work to create a conservative design that protects against most known attacks. Keywords: anonymity, MIX-net, peer-to-peer, remailer, nymserver, reply block 1

We present a protocol for anonymous communication over the Internet. Our protocol, called P 5 (Peer-to-Peer Personal Privacy Protocol) provides sender-, receiver-, and sender-receiver anonymity. P 5 is designed to be implemented over the current Internet protocols, and does not require any special infrastructure support. A novel feature of P 5 is that it allows individual participants to trade-off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P 5, an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations.

We present a mix network topology that is based on sparse expander graphs, with each mix only communicating with a few neighbouring others. We analyse the anonymity such networks provide, and compare it with fully connected mix networks and mix cascades. We prove that such a topology is efficient since it only requires the route length of messages to be relatively small in comparison with the number of mixes to achieve maximal anonymity. Additionally mixes can resist intersection attacks while their batch size, that is directly linked to the latency of the network, remains constant. A worked example of a network is also presented to illustrate how these results can be applied to create secure mix networks in practise.

For many Internet applications, the ability to protect the identity of participants in a distributed applications is critical. For such applications, a number of anonymous communication systems have been realized over the recent years. The effectiveness of these systems relies greatly on the way messages are routed among the participants. (We call this the route selection strategy.) In this paper, we describe how to select routes so as to maximize the ability of the anonymous communication systems to protect anonymity. To measure this ability, we define a metric (anonymity degree), and we design and evaluate an optimal route selection strategy that maximizes the anonymity degree of a system. Our analytical and experimental data shows that the anonymity degree may not always monotonically increase as the length of communication paths increase. We also found that variable path-length strategies perform better than fixed-length strategies.

Many proposed low-latency anonymous communication systems have used various flow transformations such as traffic padding, adding cover traffic (or bogus packets), packet dropping, flow mixing, flow splitting, and flow merging to achieve anonymity. It has long been believed that these flow transformations would effectively disguise network flows, thus achieve good anonymity. In this paper, we investigate the fundamental limitations of flow transformations in achieving anonymity, and we show that flow transformations do not necessarily provide the level of anonymity people have expected or believed. By injecting unique watermark into the inter-packet timing domain of a packet flow, we are able to make any sufficiently long flow uniquely identifiable even if 1) it is disguised by substantial amount of

This paper aims to quantitatively analyze anonymous communication systems with regard to anonymity properties. Various anonymous communication systems have been designed and implemented. However, there are few formal and quantitative analyses on how these systems perform. System developers often informally argued the security goals which their systems can achieve. Such results were likely vague and not persuasive. In this paper, we use a probabilistic method to investigate the anonymity behavior of anonymous communication systems. In particular, we study the probability that the true identity of a sender can be discovered in an anonymous communication system given that some nodes have been compromised. It is through this analysis that we can identify a number of design guidelines for systems aimed at providing communication anonymity. For example, contrary to what one would intuitively expect, our analytic results show that the probability that the true identity of a sender can be discovered may not always decrease as the length of communication path increases. We also found that the complexity of path topology does not have significant impact in terms of anonymity behavior.

Securing wireless sensor networks against denial of service attacks that disrupt communications or target nodes serving key roles in the network, e.g. sinks or routers, is instrumental to network availability and performance. Particularly vulnerable to these attacks are the components of any communications or operation infrastructure in the network. In this paper, we address a class of wireless sensor networks where network protocols leverage a dynamic general-purpose virtual infrastructure; the core components of that infrastructure are a coordinate system, a cluster structure, and a routing structure. Since knowledge of this virtual infrastructure enables ‘smart ’ cost-effective DOS attacks on the network, maintaining the anonymity of the virtual infrastructure is a primary security concern. The main contribution of this work is to propose an energy-efficient protocol for maintaining the anonymity of the network virtual infrastructure. Specifically, our solution defines schemes for randomizing communications such that the coordinate system, cluster structure, and routing structure remain invisible to an external observer of network traffic during the setup phase of the network. 1.

No matter how well designed and engineered, a mix server offers little protection if its administrator can be convinced to log and selectively disclose correspondences between its input and output messages, either for profit or to cooperate with an investigation. In this paper we propose a technique, fragile mixing, to discourage an administrator from revealing such correspondences, assuming he is motivated to protect the unlinkability of other communications that flow through the mix (e.g., his own). Briefly, fragile mixing implements the property that any disclosure of an input-message-tooutput-message correspondence discloses all such correspondences for that batch of output messages. We detail this technique in the context of a re-encryption mix, its integration with a mix network, and incentive and efficiency issues.

Among all the security issues in Voice over IP (VoIP) communications, one of the most difficult to achieve is traffic analysis resistance. Indeed, classical approaches provide a reasonable degree of security but induce large roundtrip times that are incompatible with VoIP. In this paper, we describe some of the privacy and security issues derived from traffic analysis in VoIP. We also give an overview of how to provide low-latency VoIP communication with strong resistance to traffic analysis. Finally, we present a server which can provide such resistance to hundreds of users even if the server is compromised.