NYMBLE: Blocking Misbehaving Users in Anonymizing Networks

Nymble is a system that allows servers to block misbehaving anonymous users while still preserving their anonymity. It uses pseudonyms tied to resources like IP addresses to authenticate users. If a user misbehaves, the server can complain to the Nymble Manager and blacklist the pseudonym for the rest of the "linkability window" (e.g. day), preventing future access without compromising past anonymity. Nymble provides anonymous authentication, subjective blacklisting of users, and notifies blacklisted users to disconnect before exposing themselves.

Uploaded by

Anuja Kakade
Copyright
© Attribution Non-Commercial (BY-NC)

NYMBLE: Blocking Misbehaving Users in Anonymizing Networks

OUTLINE:
Abstract
Introduction
Earlier solutions and their drawbacks
Our solution with features
Discussion and Conclusions

ABSTRACT:
Anonymizing networks such as Tor allow users to access Internet services privately by using a series of routers to hide the client's IP address from the server. The success of such networks, however, has been limited by users employing this anonymity for abusive purposes such as defacing popular Web sites.

Web site administrators routinely rely on IP-address blocking for disabling access to misbehaving users, but blocking IP addresses is not practical if the abuser routes through an anonymizing network.

As a result, administrators block all known exit nodes of anonymizing networks, denying anonymous access to misbehaving and behaving users alike. To address this problem, we present Nymble, a system in which servers can blacklist misbehaving users, thereby blocking users without compromising their anonymity. Our system is thus agnostic to different servers' definitions of misbehavior: servers can blacklist users for whatever reason, and the privacy of blacklisted users is maintained.

INTRODUCTION:
Anonymizing networks such as Tor route traffic through independent nodes in separate administrative domains to hide a client's IP address. Unfortunately, some users have misused such networks: under the cover of anonymity, users have repeatedly defaced popular Web sites such as Wikipedia. Since Web site administrators cannot blacklist individual malicious users' IP addresses, they blacklist the entire anonymizing network. Such measures eliminate malicious activity through anonymizing networks at the cost of denying anonymous access to behaving users.

Cont.
In other words, a few bad apples can spoil the fun for all. (This has happened repeatedly with Tor [1].)

Earlier Solutions and their drawbacks:

PSEUDONYMOUS CREDENTIAL SYSTEM: In pseudonymous credential systems users log into Web sites using pseudonyms, which can be added to a blacklist if a user misbehaves. Unfortunately, this approach results in pseudonymity for all users, and weakens the anonymity provided by the anonymizing network.

ANONYMOUS CREDENTIAL SYSTEM: Anonymous credential systems employ group signatures. Basic group signatures allow servers to revoke a misbehaving user's anonymity by complaining to a group manager. Servers must query the group manager for every authentication, and thus the approach lacks scalability. Traceable signatures allow the group manager to release a trapdoor that allows all signatures generated by a particular user to be traced; such an approach does not provide the backward unlinkability that we desire, where a user's accesses before the complaint remain anonymous. Backward unlinkability allows for what we call subjective blacklisting, where servers can blacklist users for whatever reason since the privacy of the blacklisted user is not at risk. In contrast, approaches without backward unlinkability need to pay careful attention to when and why a user must have all their connections linked, and users must worry about whether their behaviors will be judged fairly.

SUBJECTIVE BLACKLISTING:

Subjective blacklisting is also better suited to servers such as Wikipedia, where misbehaviors, such as questionable edits to a Web page, are hard to define in mathematical terms. In some systems, misbehavior can indeed be defined precisely. For instance, double spending of an e-coin is considered a misbehavior in anonymous e-cash systems, following which the offending user is deanonymized. Unfortunately, such systems work for only narrow definitions of misbehavior; it is difficult to map more complex notions of misbehavior onto double spending or related approaches.

OUR SOLUTION:
We present a secure system called Nymble, which provides all the following properties: anonymous authentication, backward unlinkability, subjective blacklisting, fast authentication speeds, rate-limited anonymous connections, revocation auditability (where users can verify whether they have been blacklisted), and also addresses the Sybil attack to make its deployment practical.

The Nymble system architecture showing the various modes of interaction. Users interact with the NM and servers through the anonymizing network.

RESOURCE BASED BLOCKING:

To limit the number of identities a user can obtain (called the Sybil attack), the Nymble system binds nymbles to resources that are sufficiently difficult to obtain in great numbers. For example, we have used IP addresses as the resource in our implementation, but our scheme generalizes to other resources such as email addresses, identity certificates, and trusted hardware.

THE PSEUDONYM MANAGER:

The user must first contact the Pseudonym Manager (PM) and demonstrate control over a resource; for IP-address blocking, the user must connect to the PM directly (i.e., not through a known anonymizing network). We assume the PM has knowledge about Tor routers, for example, and can ensure that users are communicating with it directly. Pseudonyms are deterministically chosen based on the controlled resource, ensuring that the same pseudonym is always issued for the same resource.

NYMBLE MANAGER:
After obtaining a pseudonym from the PM, the user connects to the Nymble Manager (NM) through the anonymizing network, and requests nymbles for access to a particular server (such as Wikipedia).

A user's requests to the NM are therefore pseudonymous, and nymbles are generated using the user's pseudonym and the server's identity. These nymbles are thus specific to a particular user-server pair.

Nevertheless, as long as the PM and the NM do not collude, the Nymble system cannot identify which user is connecting to what server; the NM knows only the pseudonym-server pair, and the PM knows only the user identity-pseudonym pair.

The life cycle of a misbehaving user. If the server complains in time period t_c about a user's connection in t, the user becomes linkable starting in t_c. The complaint in t_c can include nymble tickets from only t_{c-1} and earlier.

TIME: Nymble tickets are bound to specific time periods. Time is divided into linkability windows of duration W, each of which is split into L time periods of duration T (i.e., W = L · T).

We will refer to time periods and linkability windows chronologically as t_1, t_2, ..., t_L and w_1, w_2, ..., respectively. While a user's access within a time period is tied to a single nymble ticket, the use of different nymble tickets across time periods grants the user anonymity between time periods. Smaller time periods provide users with higher rates of anonymous authentication, while longer time periods allow servers to rate-limit the number of misbehaviors from a particular user before he or she is blocked. For example, T could be set to five minutes, and W to one day (and thus, L = 288).

The linkability window allows for dynamism since resources such as IP addresses can get reassigned and it is undesirable to blacklist such resources indefinitely, and it ensures forgiveness of misbehavior after a certain period of time. We assume all entities are time synchronized (for example, with time.nist.gov via the Network Time Protocol (NTP)), and can thus calculate the current linkability window and time period.

BLACKLISTING A USER:

If a user misbehaves, the server may link any future connection from this user within the current linkability window (e.g., the same day). A user connects and misbehaves at a server during time period t within linkability window w. The server later detects this misbehavior and complains to the NM in time period t_c (t < t_c ≤ t_L) of the same linkability window w. As part of the complaint, the server presents the nymble ticket of the misbehaving user and obtains the corresponding seed from the NM.

The server is then able to link future connections by the user in time periods t_c, t_{c+1}, ..., t_L of the same linkability window w to the complaint. Therefore, once the server has complained about a user, that user is blacklisted for the rest of the day, for example (the linkability window). Note that the user's connections in t_1, t_2, ..., t, t+1, ..., t_c remain unlinkable (i.e., including those since the misbehavior and until the time of complaint). Even though misbehaving users can be blocked from making connections in the future, the user's past connections remain unlinkable, thus providing backward unlinkability and subjective blacklisting.

NOTIFYING THE USER ABOUT THE BLACKLISTED STATUS:

Users who make use of anonymizing networks expect their connections to be anonymous. If a server obtains a seed for that user, however, it can link that user's subsequent connections. It is of utmost importance then that users be notified of their blacklist status before they present a nymble ticket to a server. In our system, the user can download the server's blacklist and verify her status. If blacklisted, the user disconnects immediately.
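The following Python program is an added illustration written for this page; it is not code from the Nymble paper, the slides, or the Nymble implementation. It models the mechanics described in the PSEUDONYM MANAGER, TIME, BLACKLISTING A USER and NOTIFYING THE USER sections in one self-contained simulation. The seed chain is an assumption made here for illustration: a one-way function f steps a seed from one time period to the next, and a second one-way function g turns a seed into the nymble shown to the server, so releasing seed_{t_c} lets a server derive nymbles for t_c .. t_L but not for earlier periods. SHA-256 stands in for f and g, HMAC under constructed keys stands in for the PM's and NM's key derivation, and a plain dictionary stands in for the NM's ticket records; all identifiers, keys and timestamps are constructed for the demo.

```python
import hashlib
import hmac

# Parameters from the text: T = 5 minutes, W = 1 day, hence L = W / T = 288.
T_SECONDS = 5 * 60
L = 288
W_SECONDS = L * T_SECONDS            # W = L * T


def window_and_period(ts):
    """Map a Unix timestamp to (linkability window index, time period t in 1..L).
    All parties are assumed NTP-synchronised, so each computes the same pair."""
    w, offset = divmod(int(ts), W_SECONDS)
    return w, offset // T_SECONDS + 1


# ---- Pseudonym Manager (PM): deterministic pseudonym from the controlled resource ----
PM_KEY = b"constructed-demo-key-for-the-pseudonym-manager"   # constructed, not a real key


def pm_issue_pseudonym(resource):
    """Same resource (here an IP address string) always yields the same pseudonym."""
    return hmac.new(PM_KEY, resource.encode(), hashlib.sha256).hexdigest()[:16]


# ---- Nymble Manager (NM): assumed one-way seed chain ----
NM_KEY = b"constructed-demo-key-for-the-nymble-manager"      # constructed, not a real key
NM_TICKET_INDEX = {}   # nymble -> first seed of its chain (stands in for NM ticket records)


def f(seed):
    """One-way step along the chain: seed_{i+1} = f(seed_i)."""
    return hashlib.sha256(b"f|" + seed).digest()


def g(seed):
    """One-way map from a seed to the nymble presented to the server: nymble_i = g(seed_i)."""
    return hashlib.sha256(b"g|" + seed).digest()


def advance(seed, steps):
    for _ in range(steps):
        seed = f(seed)
    return seed


def issue_nymbles(pseudonym, server_id, window):
    """Derive seed_1 from the (pseudonym, server, window) triple under the NM key and
    hand the user one nymble per time period of the window. Returns {t: nymble_t}."""
    material = f"{pseudonym}|{server_id}|{window}".encode()
    seed = hmac.new(NM_KEY, material, hashlib.sha256).digest()
    first, nymbles = seed, {}
    for t in range(1, L + 1):
        nymbles[t] = g(seed)
        NM_TICKET_INDEX[nymbles[t]] = first
        seed = f(seed)
    return nymbles


def handle_complaint(ticket_nymble, t_c):
    """The server presents the ticket it saw; the NM releases seed_{t_c}. From it the
    server can derive nymble_{t_c} .. nymble_L, but f being one-way, nothing earlier."""
    return advance(NM_TICKET_INDEX[ticket_nymble], t_c - 1)


# ---- Server side ----
class Server:
    def __init__(self):
        self.linking_seeds = []   # (seed_{t_c}, t_c) pairs obtained through complaints

    def blacklist(self, t):
        """Nymbles the server can link in period t, derived from the released seeds.
        This is the list a user downloads to check her own status."""
        return {g(advance(seed, t - t_c)) for seed, t_c in self.linking_seeds if t >= t_c}

    def authenticate(self, nymble, t):
        return nymble not in self.blacklist(t)


# ---- User side: check status before presenting a ticket ----
def user_is_blacklisted(my_nymbles, t, published_blacklist):
    return my_nymbles[t] in published_blacklist


def demo():
    """Misbehaviour in t=10, complaint in t_c=20 (constructed scenario)."""
    server = Server()
    alice = issue_nymbles(pm_issue_pseudonym("203.0.113.7"), "wiki.example", window=19000)
    bob = issue_nymbles(pm_issue_pseudonym("198.51.100.9"), "wiki.example", window=19000)
    t_misbehave, t_c = 10, 20
    server.linking_seeds.append((handle_complaint(alice[t_misbehave], t_c), t_c))
    return {
        "past_unlinkable": all(alice[t] not in server.blacklist(t) for t in range(1, t_c)),
        "future_linked": all(not server.authenticate(alice[t], t) for t in range(t_c, L + 1)),
        "bob_unaffected": all(server.authenticate(bob[t], t) for t in range(1, L + 1)),
        "alice_sees_status": user_is_blacklisted(alice, t_c, server.blacklist(t_c)),
    }


if __name__ == "__main__":
    print(demo())
```

The design point to notice is where the one-way property sits: the server only ever holds seed_{t_c}, so it can walk the chain forward to every remaining period of the window but cannot walk it backward, which is exactly the backward unlinkability the text promises; and because seeds are derived per (pseudonym, server, window), Bob's tickets and Alice's tickets at other servers or in the next window are untouched.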

Who trusts whom to be how for what guarantee.

CONCLUSIONS
We have proposed and built a comprehensive credential system called Nymble, which can be used to add a layer of accountability to any publicly known anonymizing network. Servers can blacklist misbehaving users while maintaining their privacy, and we show how these properties can be attained in a way that is practical, efficient, and sensitive to the needs of both users and services.
