P2PSIP M. Petit-Huguenin Internet-Draft Impedance Mismatch Intended status: Standards Track November 5, 2012 Expires: May 9, 2013 Anonymization for REsource LOcation And Discovery (RELOAD) draft-petithuguenin-p2psip-reload-anonymous-02 Abstract This document presents a set of techniques that a REsource LOcation And Discovery (RELOAD) node may use to ensure that the use of high level RELOAD operations do not reveal the owner of this node. These high level features are defined as the set of operations related to data storage, plus the operation that permits to exchange application layer messages. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 9, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Petit-Huguenin Expires May 9, 2013 [Page 1] Internet-Draft RELOAD Anonymization November 2012 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of Operations . . . . . . . . . . . . . . . . . . . . 5 2.1. Anonymous Certificate . . . . . . . . . . . . . . . . . . 5 2.2. End to end encryption . . . . . . . . . . . . . . . . . . 5 2.3. Onion Routing . . . . . . . . . . . . . . . . . . . . . . 6 2.4. Sending anonymous requests . . . . . . . . . . . . . . . . 8 2.5. Receiving requests anonymously . . . . . . . . . . . . . . 11 2.6. End to end encryption over onion routing . . . . . . . . . 12 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 15 4. Normative sections . . . . . . . . . . . . . . . . . . . . . . 15 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 7.1. Normative References . . . . . . . . . . . . . . . . . . . 16 7.2. Informative References . . . . . . . . . . . . . . . . . . 16 Appendix A. Release notes . . . . . . . . . . . . . . . . . . . . 17 A.1. TODO List . . . . . . . . . . . . . . . . . . . . . . . . 17 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 Petit-Huguenin Expires May 9, 2013 [Page 2] Internet-Draft RELOAD Anonymization November 2012 1. Introduction The goal of [RELOAD] is to provide a standardized and NAT friendly access to a peer-to-peer network, with a strong security model. This security model is designed to provide strong security guarantees even in the face of a large number of malicious nodes, but what it is not designed to do is to provide anonymity for any of the nodes. There is a lot of reasons why the owner of a RELOAD node may be reluctant to disclose this ownership, but the main motivation for this document is to alleviate the concerns that commercial entities may have to store data in a RELOAD overlay that is shared with competitors. Commercial entities that needs to share such data generally provide a way to query their database to their competitors because they can control the access and detect datamining attempts. A overlay definitively makes datamining more challenging but on the other hand does not let a data owner know the rate of access to its data. Besides, the problem is more one of perception as even if the properties of the overlay are completely understood nobody can guarantee that someone will not come up with a new way of harvesting data in an overlay, making the act of storing such data a perceptively risky operation. Adding some guarantee of anonymity to the data stored would dissipate any reluctance because even if the complete set of data stored is somehow captured by an hostile entity, there is no way that this data can be linked to its owner, with the added bonus that the processes to detect and manage datamining are no longer needed, making an overlay a better proposition than a shared database. In addition to anonymous storage, a node may want to be able to retrieve data or to exchange application messages in an anonymous way too, so this document will also apply to such operations. This document focuses only on anonymizing high level operations, excluding all the overlay topology operations (Join, Leave, Update, RouteQuery and Probe) and all the forwarding and link management operations (Attach, AppAttach, Ping, ConfigUpdate and PathTrack [I-D.ietf-p2psip-diagnostics] ), leaving only the data store operations up for anonymization (Store, Fetch, Stat and Find). AppAttach, although an application level operation, cannot be completely anonymized and so had to be replaced by a new mechanism that can be anonymized. A standard RELOAD overlay leaks ownership information in various places for the selected set of anonymizable operations: 1. Any request is signed by the originating node and is accompanied with the certificate of the signer. This certificate may contain information on the owner of the node, particularly in the Subject Petit-Huguenin Expires May 9, 2013 [Page 3] Internet-Draft RELOAD Anonymization November 2012 section. 2. Even if the certificate accompanying the request does not contain private information, a node can send an Attach or AppAttach to the Node-ID in the certificate to find the IP address of the node and deduce private information. 3. The data contained in a Store request or a Fetch answer is also signed by the owner of the data, and again accompanied by the certificate of the owner, thus disclosing a second time the same information than in points 1 and 2. 4. Some standard RELOAD Usages disclose the owner's Node-ID in the data itself. This is the case for P2PSIP [I-D.ietf-p2psip-sip] , [REDIR] and probably more existing and future usages. Note that RELOAD anonymization, like all security subjects, is not some kind of magic feature that will guarantee anonymization of a specific application - as an example, the techniques described in this document cannot do anything to protect a node that tries to anonymously store data containing the name of its owner. Petit-Huguenin Expires May 9, 2013 [Page 4] Internet-Draft RELOAD Anonymization November 2012 2. Overview of Operations 2.1. Anonymous Certificate The first step to achieve anonymity is to separate the certificate used for establishing connectivity from the certificate used for signing message and data. The certificate used to establish connectivity (i.e. used with the link layer protocols) is the one that is already described by [RELOAD] . The certificate used to sign messages and data must not reveal anything about its owner, so it must contain a different Node-ID than the standard RELOAD certificate, must contain an anonymous rfc822Name (e.g. anonymous@overlay.example.org), must have an empty Subject and must be a Traceable Anonymous Certificate (PAC) [RFC5636] , created from a different key pair. The standard certificate may be used for signing messages and data that does not need to be anonymous, but the PAC must never be used for connectivity, as it would unmask this identity to the neighbors of the node. For the same reason if the PAC is used for signing a StoreReq message it must also be used used to sign the data inside the message. Similarly if the PAC is used to sign data in a StoreReq message, then it must also be used to sign the StoreReq message carrying this data. Not doing this would unmask the identity of the sending node. 2.2. End to end encryption This document defines a new RELOAD transaction called Tunnel, which carries DTLS [RFC6347] messages. A successful handshake will be made of 3 Tunnel transactions, as follow: 1. The tunnel_req message contains a ClientHello DTLS message and the tunnel_ans message contains an HelloVerifyRequest DTLS message. 2. The tunnel_req message contains a ClientHello DTLS message and the tunnel_ans message contains a ServerHello, ServerKeyExchange and ServerHelloDone DTLS messages. 3. The tunnel_req message contains a ClientKeyExchange and a Finished DTLS message and the tunnel_ans message contains a Finished DTLS message. The RELOAD end to end retransmission mechanism replaces the standard DTLS retransmission mechanism. The client and server sides of the DTLS connection use a key pair different than the key pairs used for the RELOAD certificates. After the handshake successfully completed, Tunnel transactions can be used to carry ApplicationData DTLS messages in both directions. Note that tunnelling DTLS over RELOAD Petit-Huguenin Expires May 9, 2013 [Page 5] Internet-Draft RELOAD Anonymization November 2012 imposes to exchange ApplicationData messages in client/server mode, which is different from the way DTLS traditionally operates after the handshake. Figure 1 shows the messages exchanges. Intermediate peers are not shown in this diagram. Alice Bob | | | tunnel_req(ClientHello) | |-------------------------------------------------------------->| | tunnel_ans(ServerHello|HelloVerifyRequest) | |<--------------------------------------------------------------| | | | tunnel_req(ClientHello) | |-------------------------------------------------------------->| | tunnel_ans(ServerHello|ServerKeyExchange|ServerHelloDone) | |<--------------------------------------------------------------| | | | tunnel_req(ClientKeyExchange|Finished) | |-------------------------------------------------------------->| | tunnel_ans(Finished) | |<--------------------------------------------------------------| | | | tunnel_req(ApplicationData) | |-------------------------------------------------------------->| | tunnel_ans(ApplicationData) | |<--------------------------------------------------------------| | | Figure 1 The end to end encryption mechanism described here seems to offering much when compared to running (D)TLS over a connection established by an AppAttach transaction. The problem with AppAttach is that the IP addresses are exchanged before the establishment of the secure connection, which would indirectly unmask the identity of both sides. This can be acceptable for some applications, but there are applications that may require an additional step before revealing the identity (e.g. by using a zero-knowledge proof) or may require to never unmask the identity for one or both sides of a communication. For these cases the mechanism described here will assure that each side will be able to communicate and choose if and when they want to reveal information that can unmask identity. 2.3. Onion Routing To be able to hide the origin of a RELOAD message, some peers in an overlay implement, in addition to the normal message routing described in RELOAD, a new routing algorithm called onion routing. Petit-Huguenin Expires May 9, 2013 [Page 6] Internet-Draft RELOAD Anonymization November 2012 This routing mode uses a new ID called an Onion-ID and an associated new DestinationType so this ID can be inserted in a Destination. An Onion-ID contains a session key index and an opaque array containing a list of DestinationS encrypted with the session key indicated by the index. When a peer implementing onion routing receives a message that have an Onion-ID on the top of the destination_list (after removing its own Node-ID), it uses the index to find the session key and decrypt the opaque array. The resulting Destination list is then inserted in place of the current list. If the message received is a request, then the peer takes the current via_list (after inserting the Node-ID of the previous peer), inverts it, then encrypts it with the same session key than previously, and replaces the current via_list with a new list containing the resulting Onion-ID. If the received message is a Tunnel message and if the signer of the message received is also the node that requested the creation of the session key used to decrypt the Onion-ID, then it is decrypted with the same session key, and send as for a new message, signed by the current node, unless the decrypted message is not a Tunnel message, in which case the decrypted data also contains the transaction_id and SecurityBlock, so the message can be sent signed by the original peer. If the received message is a Tunnel message but the the signer of the message is not the same than the node that requested the creation of the session key, then the session key is used to encrypt the content of the message which is then inserted in an ApplicationData DTLS message, itself inserted in a Tunnel message. and send as for a new message, signed by the current node. If the received message is not a Tunnel message then the session key is used to encrypt the content of the message plus the transaction_id and SecurityBlock, which is then inserted in an ApplicationData DTLS message, itself inserted in a Tunnel message, and send as for a new message, signed by the current node. In all cases the new message is sent without end-to-end retransmission. That requires the node to keep some state in case the message received is retransmitted. This mechanism is inspired by the design of TOR [DINGLEDINE 04] . Petit-Huguenin Expires May 9, 2013 [Page 7] Internet-Draft RELOAD Anonymization November 2012 2.4. Sending anonymous requests A RELOAD overlay providing anonymity must contain a number of peers that also implement both onion routing and the server part of the end-to-end encryption mechanism described in the previous sections. To permit each node requiring anonymity to find the peers that provide this service, these peers register themselves using [REDIR] . A node requiring anonymity shoudl implement the client part of the end-to-end encryption mechanism. Each of theses nodes will randomly select a number of peers providing anonymous service, and will create a telescoping path, by first establishing a end-to-end encryption path with the first peer, then a second encryption path through the first encryption path, to the second peer, and so on until an end-to- end encryption path is established with the last peer of the list. Figure 2 shows a simplified view of this process, by replacing the 3 DTLS transactions by one named "Keys" and by using "Encrypted(Keys)" as a shortcut for these 3 transactions inside the ApplicationData of the Tunnel message. Alice Onion 1 Onion 2 Onion 3 | | | | | Keys | | | |---------------------------->| | | | Keys | | | |<----------------------------| | | | | | | | Encrypted(Keys) | | | |---------------------------->| Keys | | | |----------------->| | | | Keys | | | Encryption(Keys) |<-----------------| | |<----------------------------| | | | | | | | Encrypted(Encrypted(Keys)) | | | |---------------------------->| Encrypted(Keys) | | | |----------------->| Keys | | | |------------>| | | | Keys | | | Encrypted(Keys) |<------------| | Encrypted(Encrypted(Keys)) |<-----------------| | |<----------------------------| | | | | | | Figure 2 The node stores the session key created by each successive peer in the telescoping path, and will use them to prepare the Petit-Huguenin Expires May 9, 2013 [Page 8] Internet-Draft RELOAD Anonymization November 2012 destination_list for sending an anonymous message. The destination_list is built by first encrypting the final destination Node-ID with the key of the last peer in the telescopic path, and store it as an Onion-ID, then adding the Node-ID of the final destination on top of the Onion-ID. The rest of the destination_list is built by encrypting the whole resulting destination_list with the session key of the preceding peer in an Onion-ID, and adding the Node-ID of the peer, and this recursively until all the peers in the list have been added. E.g. after the exchange in Figure 2 , the following destination_list can be built to anonymously reach Bob: [Node-ID(Onion 1), Onion-ID(Onion 1, Node-ID(Onion 2), Onion-ID(Onion 2, Node-ID(Onion 3), Onion-ID(Onion 3, Bob)))] To send an anonymous message, the node will successsively encrypt it with each session key, in the reserse order of the destination_list, encapsulating each encryption result in an ApplicationData DTLS message and then in a Tunnel message. When receiving a response to its anonymous request, the node will decrypt the content of each ApplicationData DTLS message inside a Tunnel message by using the session keys in the same order than the destination_list of the request sent. By applying the onion routing rules, the data sent by Alice is successively decrypted by each onion peer, and the response back is successively encrypted by each onion peer, as shown in Figure 3 (T stands for an ApplicationData DTLS message inside a Tunnel message). Petit-Huguenin Expires May 9, 2013 [Page 9] Internet-Draft RELOAD Anonymization November 2012 Alice Onion 1 Onion 2 Onion 3 Bob | | | | | |T(T(T(FetchReq))) | | | | |----------------->| | | | | Decrypt | | | | |T(T(FetchReq)) | | | | |--------------->| | | | | Decrypt | | | | |T(FetchReq) | | | | |------------->| | | | | Decrypt | | | | |FetchReq | | | | |---------->| | | | | FetchAns| | | | |<----------| | | | Encrypt | | | | T(FetchAns)| | | | |<-------------| | | | Encrypt | | | | T(T(FetchAns))| | | | |<---------------| | | | Encrypt | | | | T(T(T(FetchAns)))| | | | |<-----------------| | | | | | | | | Figure 3 Petit-Huguenin Expires May 9, 2013 [Page 10] Internet-Draft RELOAD Anonymization November 2012 2.5. Receiving requests anonymously Some RELOAD usages store a Node-ID in the RELOAD distributed storage so it can be used later by another node to connect to a service. This is the case for example for P2PSIP [I-D.ietf-p2psip-sip] and [REDIR] . A node that want to use this technique but do not want to disclose its identity will store, in place of its Node-ID, a Destination list similar to the one it could use to send an anonymous request. E.g. if the destination_list shown in Section 2.4 was stored by Alice in the overlay, Carol could retrieve it and anonymously reach her by using it in a request, as shown in Figure 4 . Carol Onion 3 Onion 2 Onion 1 Alice | | | | | | Request | | | | |---------->| | | | | Encrypt | | | | | T(Request) | | | | |------------>| | | | | Encrypt | | | | | T(T(Request)) | | | | |--------------->| | | | | Encrypt | | | | | T(T(T(Request))) | | | | |------------------>| | | | | T(T(T(Answer))) | | | | |<------------------| | | | Decrypt | | | | T(T(Answer)) | | | | |<---------------| | | | Decrypt | | | | T(Answer) | | | | |<------------| | | | Decrypt | | | | Answer | | | | |<----------| | | | | | | | | Figure 4 Petit-Huguenin Expires May 9, 2013 [Page 11] Internet-Draft RELOAD Anonymization November 2012 2.6. End to end encryption over onion routing Combining the techniques in the two previous sections guarantees anonymity for both the sender and the receiver. But the exit onion peer from the point of view of the sender and the admitting onion peer from the point of view of the receiver (and all the intermediate peers between those two) will see the data exchanged, as shown in Figure 5 . Petit-Huguenin Expires May 9, 2013 [Page 12] Internet-Draft RELOAD Anonymization November 2012 Carol O4 O5 06 03 02 01 Alice | | | | | | | | |T(T(T(Req) | | | | | | | |---------->| | | | | | | | D | | | | | | | |T(T(Req)) | | | | | | | |--------->| | | | | | | | D | | | | | | | |T(Req) | | | | | | | |------>| | | | | | | | D | | | | | | | |Req | | | | | | | |--->| | | | | | | | E | | | | | | | |T(Req) | | | | | | | |------>| | | | | | | | E | | | | | | | |T(T(Req)) | | | | | | | |--------->| | | | | | | | E | | | | | | | |T(T(T(Req) | | | | | | | |---------->| | | | | | | | | | | | | | | | T(T(T(Ans)| | | | | | | |<----------| | | | | | | D | | | | | | | T(T(Ans))| | | | | | | |<---------| | | | | | | D | | | | | | | T(Ans)| | | | | | | |<------| | | | | | | D | | | | | | | Ans| | | | | | | |<---| | | | | | | E | | | | | | | T(Ans)| | | | | | | |<------| | | | | | | E | | | | | | | T(T(Ans))| | | | | | | |<---------| | | | | | | E | | | | | | | T(T(T(Ans)| | | | | | | |<----------| | | | | | | | | | | | | | | Figure 5 If this is a concern, then the receiving node must also implement the Petit-Huguenin Expires May 9, 2013 [Page 13] Internet-Draft RELOAD Anonymization November 2012 server part of the peer-to-peer encryption so the sender can establish an end-to-end encryption eventually through the telescoping paths on one or both sides. Petit-Huguenin Expires May 9, 2013 [Page 14] Internet-Draft RELOAD Anonymization November 2012 3. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] . "SHOULD", "SHOULD NOT", "RECOMMENDED", and "NOT RECOMMENDED" are appropriate when valid exceptions to a general requirement are known to exist or appear to exist, and it is infeasible or impractical to enumerate all of them. However, they must not be interpreted as permitting implementors to fail to implement the general requirement when such failure would result in interoperability failure. Onion peer: An onion peer is a RELOAD peer that has onion routing capabilities. Anonymous node: An anonymous node is a RELOAD node that may want to use anonymity for some or all of its application level operations. 4. Normative sections Coming soon. 5. Security Considerations Coming soon. Petit-Huguenin Expires May 9, 2013 [Page 15] Internet-Draft RELOAD Anonymization November 2012 6. IANA Considerations 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5636] Park, S., Park, H., Won, Y., Lee, J., and S. Kent, "Traceable Anonymous Certificate", RFC 5636, August 2009. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. [RELOAD] Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., and H. Schulzrinne, "REsource LOcation And Discovery (RELOAD) Base Protocol", draft-ietf-p2psip-base-22 (work in progress), July 2012. [REDIR] Maenpaa, J. and G. Camarillo, "Service Discovery Usage for REsource LOcation And Discovery (RELOAD)", draft-ietf-p2psip-service-discovery-06 (work in progress), October 2012. 7.2. Informative References [I-D.ietf-p2psip-diagnostics] Song, H., Jiang, X., Even, R., and D. Bryan, "P2PSIP Overlay Diagnostics", draft-ietf-p2psip-diagnostics-09 (work in progress), August 2012. [I-D.ietf-p2psip-sip] Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., and H. Schulzrinne, "A SIP Usage for RELOAD", draft-ietf-p2psip-sip-07 (work in progress), January 2012. [DINGLEDINE 04] Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The Second-Generation Onion Router", In Proceedings of the 13th Usenix Security Symposium, 2004. Petit-Huguenin Expires May 9, 2013 [Page 16] Internet-Draft RELOAD Anonymization November 2012 Appendix A. Release notes This section must be removed before publication as an RFC. A.1. TODO List o Add normative sections. Author's Address Marc Petit-Huguenin Impedance Mismatch Email: petithug@acm.org Petit-Huguenin Expires May 9, 2013 [Page 17]