The Dangers of Composing Anonymous Channels
Venue
Information Hiding - 14th International Conference, IH 2012, Revised Selected Papers, Springer, Lecture notes in Computer Science (2013), pp. 191-206
Publication Year
2013
Authors
Emilia Kasper, George Danezis
BibTeX
Abstract
We present traffic analyses of two anonymous communications schemes that build on
the classic Crowds/Hordes protocols. The AJSS10 [1] scheme combines multiple
Crowds-like forward channels with a Hordes reply channel in an attempt to offer
robustness in a mobile environment. We show that the resulting scheme fails to
guarantee the claimed k-anonymity, and is in fact more vulnerable to malicious
peers than Hordes, while suffering from higher latency. Similarly, the RWS11 [15]
scheme invokes multiple instances of Crowds to provide receiver anonymity. We
demonstrate that the sender anonymity of the scheme is susceptible to a variant of
the predecessor attack [21], while receiver anonymity is fully compromised with an
active attack. We conclude that the heuristic security claims of AJSS10 and RWS11
do not hold, and argue that composition of multiple anonymity channels can in fact
weaken overall security. In contrast, we provide a rigorous security analysis of
Hordes under the same threat model, and reflect on design principles for future
anonymous channels to make them amenable to such security analysis.
