Overview |
This website provides a brief survey of searchable, peer-to-peer, file-sharing systems that offer the user some form of anonymity, including details of:
More details can be found in the following pdf paper:
Power Point slides to accompany this paper can be found here.
Introduction |
The majority of anonymous peer-to-peer file-sharing systems are "friend-to-friend" networks. These are peer-to-peer networks in which each peer (node) only connects to a small number of other, known nodes. Only the direct neighbours of a node know its IP address. Communication with remote nodes is provided by sending messages hop-to-hop across this overlay network. Routing messages in this way allows these networks to trade efficient routing for anonymity. There is no way to find the IP address of a remote node, and direct neighbours can achieve a level of anonymity by claiming that they are just forwarding requests and files for other nodes.
There is a danger that the attacker will be able to spy on the activity of their direct neighbours, and thus find out which files the neighbour is requesting or offering. Some systems contain faults that leak this information while others allow an attacker to be up to 50% certain of what their neighbour is doing. So make sure you trust your neighbours! None of the current systems try to make it hard for an attacker to work out whether or not someone is running the file-sharing software.
The Theory |
When talking about anonymous systems it is vital to be precise about what is anonymous, from whom, under what conditions, and exactly how anonymous. Node-to-node message passing provides anonymity to the originator and final receiver of a message because they can plausibly claim to be nodes in the chain, forwarding the message for someone else.
The agents involved in file-sharing are the sender, who initiates a search for a file, and the responder or receiver who answers the search query and provides the file. In peer-to-peer networks these agents communicate through a number of nodes that forward the request and possibly the search data. The attacker can be a node in the system or a more powerful global attacker that can see everything (i.e., subpoena your ISP logs). This leads to the following kinds of anonymity:
It is also necessary to ask what level of anonymity a system provides. Some useful definitions by Reiter and Rubin [RR98], are:
As a rough guide possible innocence is what you need to defend yourself in court and beyond suspicion is what you need to stop yourself been a suspect.
The following table summarizes the kinds and levels of anonymity provided by some of the most popular designs for anonymity and links to papers where you can find out more information. N.B. most of the values in this table have not been proved; there may be errors in a system that mean it does not offer any anonymity at all. For some designs e.g., MIXes there are many versions that offer different levels of anonymity.
Ants | Mixes | Crowds | Onion Routing | DC-nets | Multicast | Spoofed UDP | Freenet | |
---|---|---|---|---|---|---|---|---|
Sender anonymous to Global Attacker | No | No | No | No/B.S. | B.S. | No | No | No |
Responder anonymous to Global Attacker | No | No | No | No | B.S. | B.S. | No | No |
Sender anonymous to Responder | Prob.I. | B.S. | B.S. | B.S. | B.S. | No | Prob.I. | Prob.I. |
Sender anonymous to Node | Prob.I. | No | Prob.I. | No/B.S. | B.S. | No | Prob.I. | Prob.I. |
Responder anonymous to Sender | Prob.I. | No | No | No | B.S. | B.S. | No | No |
Responder anonymous to Node | Prob.I. | No | No | No | B.S. | B.S. | No | No |
Sender-Responder unlinkable to Node | Prob.I. | B.S. | Prob.I. | B.S. | B.S. | B.S. | Prob.I. | Prob.I. |
Sender-Responder unlinkable to Global Attacker | No | B.S. | No | B.S. | B.S. | B.S. | No | No |
Paper | [GSB02] | [Cha81] | [RR98] | [SGR97] | [Cha88] | N/A | N/A | [CSWH01] |
Implemented System |
This section contains links to, or papers on, most of the major anonymous peer-to-peer systems, but first a word of warning. Working on these systems can be more troublesome than one would at first suspect. A case in point was an anonymous peer-to-peer system known as "Winny". The author of this system pushed it as a truly anonymous file-sharing system and file-sharers who wished to swap movies quickly picked it up. While the specification of the system was never fully released, there was soon firm evidence that the system did not really guarantee anonymity, as police arrested two of the system's users and charged them with copyright theft. Shortly after this, the author of the software, who was a researcher in the Computer Science Department of Tokyo University, was also arrested and charged with aiding and abetting copyright theft.
It should be noted that some of these systems do not offer the anonymity they claim, especially when multiple attackers or time-based attacks are concerned (see the Survey paper above for more details).
System Name | Based On | Web Page or Paper |
---|---|---|
Ants | Ants | http://antsp2p.sourceforge.net |
AP3 | Crowds | [MOP +04] |
APFS | Onion routing | [SLS01] |
Entropy | Freenet | http://entropy.stop1984.com |
Free Haven | Secret sharing and MIXes | [DFM00] |
Freenet | Freenet | [CSWH01] |
GNUnet | MIXes | http://gnunet.org |
HerbivoreFS | DC-nets | [SGRE05] |
I2P | Onion routing | http://www.i2p.net |
Mantis | Ants and UDP spoofing | [BASM04] |
Mute | Ants | http://mute-net.sourceforge.net |
Nodezilla | Freenet | http://www.nodezilla.net |
Napshare | Ants | http://napshare.sourceforge.net |
Tor | Onion routing | [DMS04] |
SSMP | Secret sharing and onion routing | [HLX+ 05] |
Waste | Friend-to-Friend | http://waste.sourceforge.net |
Links |