STOC '91 Proceedings of the twenty-third annual ACM symposium on Theory of computing
Untraceable electronic mail, return addresses, and digital pseudonyms
Communications of the ACM
A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
On the Security of ElGamal Based Encryption
PKC '98 Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Mixminion: Design of a Type III Anonymous Remailer Protocol
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Tor: the second-generation onion router
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Rerandomizable RCCA encryption
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Repelling detour attack against onions with re-encryption
ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
Breaking four mix-related schemes based on universal re-encryption
ISC'06 Proceedings of the 9th international conference on Information Security
Onions based on universal re-encryption – anonymous communication immune against repetitive attack
WISA'04 Proceedings of the 5th international conference on Information Security Applications
In this paper, we present a new class of attacks against an anonymous communication protocol, originally presented in ACNS 2008. The protocol itself was proposed as an improved version of ModOnions, which uses universal re-encryption in order to avoid replay attacks. However, ModOnions allowed the detour attack, introduced by Danezis, which re-routes ModOnions to attackers in such a way that the entire path is revealed. The ACNS 2008 proposal addressed this by using a more complicated key management scheme. The revised protocol is immune to detour attacks. We show, however, that the ModOnion construction is highly malleable and this property can be exploited in order to redirect ModOnions. Our attacks require detailed probing and are less efficient than the detour attack, but they can nevertheless recover the full onion path while avoiding detection and investigation. Motivated by this, we present a new modification to the ModOnion protocol that dramatically reduces the malleability of the encryption primitive. It addresses the class of attacks we present and it makes other attacks difficult to formulate.