Asynchronous Provably-Secure Hidden Services
Lecture Notes in Computer Science
The client-server model is one of the most widely used architectures in the Internet due to its simplicity and flexibility. In practice the server is assigned a public address so that its services can be consumed. This makes the server vulnerable to a number of attacks such as Distributed Denial of Service (DDoS), censorship from authoritarian governments or exploitation of software vulnerabilities. In this work we propose asynchronous protocols for allowing a client to issue requests to a
... r without revealing any information about the location of the server. Our solution reveals limited information about the network topology, leaking only the distance from the client to the corrupted participants. We also provide a simulation-based security definition capturing the requirement described above. Our initial protocol is secure in the semi-honest model against any number of colluding participants, and has linear communication complexity. We extend our solution to handle active adversaries, showing that malicious participants can only trigger a premature termination of this new protocol, in which case they are identified. For this solution the communication complexity becomes quadratic. To the best of our knowledge, this is the first study of asynchronous protocols that provide strong security guarantees for the hidden server problem.
While the problem of hiding the physical location of a server in a network is not exactly an anonymity problem (we do not want to hide the fact that a specific client connects to the server), the techniques and concepts we use are borrowed from the area of anonymity. Since Chaum's two seminal papers on mixes [7, 6], a large body of work has been written in order to enable communications that do not reveal the identity of participants. An alternative to mixes for achieving anonymity was introduced by Reiter et al. in a protocol named Crowds, which consists of using random paths among a set of "dummy" nodes (a.k.a. jondos) before reaching a specific destination (the server). In this protocol, contrary to our setting, the location of the server is public and the goal is to hide the clients. This solution is simple and efficient, and provides some level of anonymity for the client.
Beyond the protocol itself, the authors highlight some fundamental problems that arise with these types of constructions, where traffic is routed through possibly corrupted nodes. In particular, preserving the initiator's anonymity turns out to be more complex than expected [32, 28]. Indeed, in our case, we have to solve a similar problem, where we must hide the location of the server during the phase of responding to a request. Hordes is an improvement to Crowds where the reply from the server is done using multicast. This change makes passive attacks that consist of tracing back messages harder, while adding only a reasonable operational cost. While Crowds and Hordes do not aim to hide the server like we do, these protocols highlight the difficulty of hiding nodes in a network where the adversary controls a subset of the participants and can leverage traffic analysis.
Another approach to establishing anonymous channels between clients and servers is onion routing. An onion is obtained by encrypting the message in a layered fashion using the public keys of the nodes on a path from sender to receiver. By doing so, a node on the circuit will not be able to identify the original source, the final destination, or the message itself. The most popular onion routing protocol is without a doubt Tor. Tor not only preserves the anonymity of clients but also provides a mechanism to hide the location of the server through a rendezvous node where both client and server meet. Unfortunately, as in Crowds and Hordes, a number of practical attacks based on traffic analysis are possible [17, 27, 33, 21]. In particular, if a node manages to be the first relay between the server and the rendezvous node, it will likely detect the server's presence.
When managing a public-key infrastructure is too complex, one can use Katti et al.'s protocol, which relies on the idea of splitting the routing information in such a way that only the right nodes on the circuit are able to reconstruct it correctly. In our protocol we also leverage secret-sharing techniques, but for splitting and reconstructing the message only. Also, our solution does not require a sender to control different nodes as in the onion slicing approach.
Early attempts to counter traffic analysis attacks were not practical, as they assumed the existence of some broadcast channel or ad-hoc topology and required a synchronous execution [6, 24, 30]. The more general problem of hiding the topology of a network has been solved recently in the secure multi-party computation setting [1, 19, 14]. However, these solutions involve a lot of communication and computational overhead. One of the most promising attempts at hiding the location of a server was due to Dolev and Ostrovsky. Indeed, our solution borrows some of the techniques of their work; in particular, we also use spanning trees to make the multicast communications more efficient. Nonetheless, our solution has two major advantages: it is asynchronous and it is secure against any number of corrupted nodes. In Figure 1 we compare our work with other proposals that allow arbitrary topologies.