Are mixnets the answer to anonymous communications?

Combined with strong encryption such as the Signal protocol, modern mixnets could achieve the Holy Grail: metadata-resistant secure communications.

digital network privacy - eavesdropping
Thinkstock

Encryption is not enough.

Widespread deployment of end-to-end encryption is critical to protecting confidential information in transit. But the metadata--the who, the when, the where--transits in the clear. A classic example is using PGP-encrypted email. The body may be encrypted, but the subject, to, from, and rest of the headers are not encrypted.

The last several years have seen widespread deployment of end-to-end encryption both for consumers and in the enterprise. For instance, the Signal protocol now protects the message confidentiality of more than a billion people. However, Signal offers limited metadata resistance, and there is no equally strong tool to anonymize those communications.

In the enterprise, privacy-preserving statistics remain an unsolved problem. In many cases, you might want to know usage statistics for millions or billions of people, but the law (or public outcry) prevents you from doing so. Finding ways to extract useful statistics without violating user privacy at scale, therefore, becomes a challenge.

The answer to both problems could be mixnets.

What are mixnets?

Combined with strong encryption such as the Signal protocol, modern mixnets could achieve the Holy Grail: metadata-resistant secure communications. Unlike many academic efforts so far, researchers with funding are actually building this technology. At the current rate of development and testing, we could see real-world deployment in the next year or two.

First proposed by cryptographer David Chaum in a 1981 paper, at its simplest a mixnet receives a bunch of different messages, delays them, shuffles them, and sends them out again at random intervals. This makes it impossible for a passive adversary to correlate inbound messages with outbound messages. As a result, "Mix networks offer anonymity against the global passive adversary," Ania Piotrowska, a mixnet researcher at the University College, London, tells CSO.

A global passive adversary

The current best-of-breed anonymity system, Tor, is beginning to show its age. By design, Tor breaks under the scrutiny of a global passive adversary. If you can see all connections to and from Tor, you can correlate inbound and outbound traffic and de-anonymize everyone using traffic analysis.

"Tor was meant to protect against a local adversary, someone who maybe controls one or two relays," Aggelos Kiayias, chair in cybersecurity and privacy at the University of Edinburgh, and head of the Panoramix project, tells CSO. "Someone that has a global view of the network is completely different. Things get even worse if someone has a global view of the network and runs malicious relays in the network."

"Unfortunately, that is not an unrealistic threat model," he adds.

When Tor was first invented more than a decade ago, a global passive adversary was considered akin to the Easter Bunny or Santa Claus--a mythical state no one could ever possibly achieve. See all the traffic, all the time, on the entire planet? Really? That was before the world learned of the NSA's goal to "Sniff it All, Know it All, Collect it All, Process it All, Exploit it All."

five eyes Wikileaks

The Five Eyes plan to collect and process all communications traffic

Numerous sources tell CSO the Five Eyes spying junta is getting closer to achieving that goal, and that puts the anonymity of Tor users in danger. DARPA's recent RFP for their Resilient Anonymous Communication for Everyone (RACE) project hints at new SIGINT capabilities against Tor users.

The current research into mixnets is clearly driven by a move to protect user privacy in the wake of the Snowden revelations. "The US government is funding Tor, and Tor works really well unless your threat model includes the US government," Harry Halpin, head of the NEXTLEAP project, tells CSO. "However, for Europe, whose threat model may or may not include the US, as shown by the Snowden revelations, something more powerful is needed."

The European Commission funded the Panoramix Project for €5 million to investigate mixnets. The results of that R&D are Loopix and MCMix, two modern mixnets, tuned slightly differently, that achieve low latency while still maintaining strong anonymity properties.

Early mixnet implementations like Mixminion and Mixmaster suffered from high latency--in the hours or days range--and thus unusable by mere mortals. Mixnet research languished for 15 years, but found renewed interest post-Snowden. Mixnet latency today is much lower, and researchers tell CSO they are pushing the envelope to achieve the lowest latency, combined with the strongest privacy, possible.

In addition to mixing and delaying messages for random intervals, modern mixnets also deploy chaff and decoy traffic. Both clients and mix nodes create and send bogus messages that look binary identical to genuine messages. This makes it difficult for a passive adversary to know which traffic is real and which traffic is bogus. The deception also makes mixnets an ideal solution for anonymous secure messaging, for privacy-preserving statistics, anonymous cryptocurrency transactions, and even electronic voting.

The metadata problem comes into crystal focus when we consider the social-political consequences.

Securing journalist metadata

Widespread deployment of end-to-end encryption is a cornerstone of democracy on the cyber domain. Privacy at scale has a name: political liberty, but the metadata generated by encrypted communications betrays us at every turn--who we message, when we message them, for how long. If you're texting a journalist or a drug rehab clinic or a priest, it doesn't take a genius of an adversary to figure out what you're saying.

In a free society, the government should not know who is talking to whom, when, or for how long--much less what they say. That kind of power can and will be abused. Metadata is so revealing that the former head of both the NSA and CIA, General Michael Hayden, famously said "We kill people based on metadata."

Tor is optimized for low-latency web browsing, not metadata-resistant secure messaging. While OnionShare and Ricochet are useful hacks to provide anonymous file transfer and messaging respectively, they are still hacks stretching the intended use case of the Tor network. Both are, however, solid prototypes for future, more robust, solutions.

A survey of existing research and development makes clear that in the future, anonymity will rely not on one general-purpose anonymity system like Tor, but on different anonymity systems for specific use cases, like file transfer and secure messaging. Tor remains the king of metadata-resistant web browsing, and that's not likely to change in the immediate future.

Many well-respected academic proposals over the years have attempted to solve the metadata problem. DC-nets like Dissent offer cryptographically provable anonymity, but don't scale beyond the tens of thousands of users. Other solutions offer strong anonymity at the expense of high latency, or unrealistic amounts of chaff that cause high bandwidth usage on mobile devices. Billions of users won't wait minutes for every single message to be delivered. From a user experience perspective, a delay of a handful of seconds is the most people will tolerate.

A workable solution to the secure messaging metadata problem must offer low latency (in the seconds), scale to the millions or billions of users (to ensure a large anonymity set), not generate huge amounts of chaff traffic (and thus consume too much bandwidth on mobile devices), and must also possess the strongest anonymity properties possible given the first three conditions.

"Tor has been built around web browsing with low latency," Halpin says. "In order to get low latency, you can't do things like mix packets or use dummy traffic. However, for applications where the exceedingly low latency of browsing web pages is not necessary, mixnets are the obvious solution."

Welcome to trade-off town, where mixnets are king.

Secure messaging for journalists

For many sensitive sources in government, simply contacting a journalist over, say, Signal, is not an option. "Signal," Halpin says, "offers no resistance against traffic analysis." Especially not if your adversary is the NSA's notorious Q Group, dedicated to stopping whistleblowers from coming forward.

The act of contacting a journalist can be suspicious in and of itself. More technically minded sources might use a throwaway PGP key and a temporary email account accessed over Tor, but that quickly becomes a usability nightmare, and unhelpful if, indeed, the Five Eyes spying junta has achieved their goal of becoming a global passive adversary.

Asking sources to gamble their career, pension, or even time in prison to report corruption or malfeasance in government based on their ability to not screw up using PGP--and a prayer that their Tor traffic can't be de-anonymized--is more than most sources will bear.

SecureDrop, deployed in many newsrooms today, attempts to solve this problem by integrating PGP, Tor and (soon) strong end-point security in the form of Qubes. However, SecureDrop has a ton of moving parts and suffers from a high degree of complexity. As a result, it requires a lot of technical skill from journalists to use correctly, and its usability remains touch and go. An unsolicited pen test last year by security researcher Donncha O'Cearbhaill highlighted the risks of cargo cult security, when less-technical operators of highly complex systems go through the motions without fully understanding the why and the how.

"I would assume that eventually where people are using technologies like SecureDrop and Tor hidden services for secure communications, I believe mixnets will eventually be better suited for those use cases," Halpin tells CSO.

Mixnets hold the promise of metadata-resistant secure communications. If a modern mixnet gets successfully deployed at scale, we can imagine a world in which whistleblowers can expose government malfeasance with a greatly reduced chance of being caught. This will tend to promote greater government transparency, embolden the free press, and in general promote democratic institutions and values.

Maybe that's a lot to put on mixnets, but consider the dramatic revolution in secure communications sparked by Signal. Billions of people now enjoy end-to-end encrypted text, voice and video calls. Anonymizing their metadata so no one knows who is talking to whom will be the next great leap forward in democratic technology on the internet today.

Copyright © 2018 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline