作者：Arjun R. Nambiar
摘要：Anonymous communications systems on the Internet provides protection against eavesdroppers and others that seek to link users with their communications. These systems have many important applications in areas such as law enforcement, intelligence gathering, business privacy, anonymous publishing, and personal privacy. Currently deployed systems rely on a relatively small set of advertised servers to forward messages for the user. These systems can suffer from scalability problems, with potentially large bandwidth and system overhead costs, and the servers themselves can be targets of direct attacks.
Peer-to-peer anonymous communications systems, such as Tarzan and MorphMix , have been proposed as a way to alleviate these problems with a large and dynamic set of peers acting as servers. This makes direct attacks less effective and increases scalability. Tarzan, however, requires that each peer know the identity of all other peers, which makes it highly vulnerable to intersection attacks 2.7 and does not scale beyond 10,000 nodes . MorphMix does not have this requirement, but it requires that users allow other peers to choose the peers that will help forward the users messages; attacker controlled peers will always select other colluding peers to be on the path. Although the authors of MorphMix propose a collusion detection scheme, attackercontrolled peers will be able to choose their colluding partners as forwarding nodes far too often while the detection algorithm is still learning. The fundamental problem is one of selecting peers independently at random, to ensure unbiased path selection, while not distributing lists of all the peers in the system to all other peers.
We propose a new peer-to-peer anonymous communications system using distributed hash tables (DHTs). Similar to peer-to-peer file-sharing systems that use DHTs 2.9, our system maps each IP address to a point on the id space using consistent hashing. We further divide the id space into groups, conceptually organized as a binary tree for purposes of node lookup. Each node has knowledge of all the nodes in its own group, as well as knowing a limited number of nodes in other groups. This knowledge is enough to effectively route lookups throughout the system. Nodes use redundancy and probabilistic checking when performing lookups to prevent malicious nodes from returning false information without detection.
We show that our scheme prevents attackers from biasing path selection, while incurring moderate overheads, as long as the fraction of malicious nodes is less than 20%. Additionally, the system prevents attackers from obtaining a snapshot of the entire system until the number of attackers grows too large (e.g. 15% for 10000 peers and 256 groups). The number of groups can be used as a tunable parameter in the system, depending on the number of peers, that can be used to balance performance and security.