The Phantom anonymity protocol was designed in 2008 by the Swedish security researcher Magnus Bråding to provide anonymity optimized for the current conditions and needs of average internet users. The design goal was feasibility for mass adoption as a de facto internet anonymization standard. This goal differentiates it from other anonymization protocols such as Tor, which have seen only limited adoption among the general public. The Phantom protocol's designer hopes to change this situation and provide secure anonymity to everyone, including non-technical people.
The protocol was first presented publicly by Magnus Bråding at the IT security and hacking conference DEFCON 16 in Las Vegas in 2008. The remainder of this page follows the slides of that presentation.
Design Goal #8: Generic, Well-Abstracted and Backward Compatible
A system compatible with all pre-existing network-enabled applications will get a much quicker takeoff and community penetration, and will have a much larger potential.

The Basic Idea
[Figure: two nodes, α with IP address 5.6.7.8 and β with IP address 1.2.3.4, communicate with each other, yet α never learns the IP address of β and β never learns the IP address of α.]

More About the Idea
Each anonymized node prepares its own "routing path", which is a series of nodes ready to route connections and data for it. If two anonymized nodes want to communicate, this is done by creating an interconnection between their individual routing paths.

Routing Paths
Each anonymized node decides the size and composition of its own routing path, affecting both the strength of anonymity provided by it and its maximum throughput capacity.

Routing Path - Generalization
[Figure: anonymized node, then an intermediate node, then arbitrarily many more intermediate nodes, ending in a terminating intermediate node.]

Routing Tunnels
Whenever the anonymized node wants to establish a connection to another node, a "routing tunnel" is set up inside the already existing routing path. Such a routing tunnel is set up relatively quickly, and will then be connected to another routing tunnel inside another routing path, to form a complete anonymized connection.

AP Addresses
AP addresses are equivalent to IP addresses in functionality, with the exception that they allow communication between two peers without automatically revealing their identity.
Node sequence rules: a number of Y-nodes equal to the total number of X-nodes minus one should be located adjacent to each other at the other end of the sequence. One end of the sequence should then be chosen at random to be the beginning of the sequence.
[Figure: three X-nodes and five Y-nodes, arranged after randomization as Y1 Y2 X3 Y4 X5 Y6 X7 Y8, with the anonymized node α at the beginning.]

Secure Routing Path Establishment
A "goodie box" is prepared for each node by the anonymized node.
Another round is started, with a new goodie box for each participating node (in the figure, the second round involves the X-nodes X3, X5 and X7).
The rounds are repeated, after which the routing path is securely established.
Secure Routing Tunnel Establishment (outbound)
The anonymized node wants to establish a connection to a certain AP address. It begins by sending a notification package through the routing path.
A new set of connections is created for the tunnel, and a reply package is sent through these. The reply package enables the anonymized node to derive the keys of all the intermediate nodes, while it is impossible for any of them to derive any key with it themselves.
The anonymized node informs the exit node of the desired AP address to connect to. The exit node performs the connection, and confirms a successful connection back to the anonymized node.
These steps are repeated, after which the connection is fully established at both ends, and the application layer can start communicating over it.

Secure Routing Tunnel Establishment (inbound)
An incoming connection request arrives at the entry node of the routing path. The entry node sends an initialization package to the anonymized node. The initialization package enables the anonymized node to immediately derive the keys of all the intermediate nodes, while it is impossible for any of them to derive any key with it themselves.
A new set of connections is created for the tunnel, and a reply package is sent through these. The entry node confirms the connection to the external peer, and then confirms a successful connection back to the anonymized node.
These steps are repeated, after which the connection is fully established at both ends, and the application layer can start communicating over it. To achieve symmetry with outbound connections, though, a dummy package is first sent over the tunnel. This symmetry is important: without it, the direction of the first data over the tunnel would reveal which side initiated the connection.
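The property claimed for both the outbound and the inbound procedure above, that one notification/reply round trip leaves the anonymized node with a separate key for every intermediate node while no intermediate node can derive any key but its own, is easiest to see in code. The following is an added example written for this page, not Phantom's own code or package format. It assumes that the notification package carries an ephemeral Diffie-Hellman public value of the anonymized node, that each intermediate node appends its own ephemeral public value to the reply package, that per-hop keys are derived with HMAC-SHA256, and that tunnel data is then wrapped in one symmetric layer per hop; the DH group and the stream cipher are toys kept to the standard library and are not secure.

```python
"""Toy model of per-hop key agreement and layered wrapping in a routing
tunnel. Added example, not Phantom's code. Assumed here: DH public values in
the notification and reply packages, HMAC-SHA256 key derivation, one
symmetric layer per hop. The DH group and cipher are toys, NOT secure."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # Mersenne prime used as a toy DH modulus (NOT secure)
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def hop_key(shared, anon_pub, node_pub):
    # Only the two parties know `shared`; binding both public values into the
    # derivation means a reused or reflected value yields a different key.
    info = anon_pub.to_bytes(16, "big") + node_pub.to_bytes(16, "big")
    return hmac.new(shared.to_bytes(16, "big"), info, hashlib.sha256).digest()


def wrap(key, data):
    # Toy authenticated encryption: SHA-256 counter keystream XOR + HMAC tag.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def unwrap(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return wrap(key, ct)[32:]  # XOR with the same keystream restores the data


class Intermediate:
    """One node of the routing path. It ends up knowing exactly one key."""

    def __init__(self, name):
        self.name = name
        self.key = None
        self.priv = None

    def on_notification(self, anon_pub):
        # Contribute an ephemeral value and derive this hop's key locally.
        self.priv, pub = dh_keypair()
        self.key = hop_key(pow(anon_pub, self.priv, P), anon_pub, pub)
        return pub  # appended to the reply package travelling back

    def forward(self, blob):
        return unwrap(self.key, blob)  # peel exactly this hop's layer


def establish_tunnel(path):
    """Anonymized node side: notification out, reply back, all keys derived."""
    anon_priv, anon_pub = dh_keypair()
    reply = [node.on_notification(anon_pub) for node in path]
    keys = [hop_key(pow(pub, anon_priv, P), anon_pub, pub) for pub in reply]
    return anon_pub, reply, keys


def send_through(keys, path, payload):
    """Wrap payload once per hop (innermost layer for the last hop), then let
    each hop peel its own layer in path order."""
    blob = payload
    for k in reversed(keys):
        blob = wrap(k, blob)
    for node in path:
        blob = node.forward(blob)
    return blob


def demo(payload=b"GET / HTTP/1.1\r\n"):
    path = [Intermediate(n) for n in ("hop1", "hop2", "hop3")]
    anon_pub, reply, keys = establish_tunnel(path)
    # hop1 tries to derive hop2's key from all it can observe: the anonymized
    # node's public value, hop2's public value and its own private value.
    # Without anon_priv or hop2's private value it gets a different key.
    guess = hop_key(pow(reply[1], path[0].priv, P), anon_pub, reply[1])
    tampered = bytearray(wrap(keys[0], payload))
    tampered[-1] ^= 0x01  # flip one bit of hop1's layer in transit
    try:
        path[0].forward(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "keys_match": all(k == n.key for k, n in zip(keys, path)),
        "cross_derivation_fails": guess != path[1].key,
        "delivered": send_through(keys, path, payload),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the second check: hop1 sees every public value that passes through it, yet the only key it can compute is its own, because each hop's key depends on a private value that never leaves either that hop or the anonymized node. The layered wrap is the reason the anonymized node needs all the keys at once, and the tamper check shows why each layer should be authenticated rather than merely encrypted.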
The certificates used can be stored in the network database, in the individual entries for each AP address.

Voting algorithms, digital signatures and enforced entry expiry dates are used on top of the standard DHT technology in some cases, to help enforce permissions and protect against malicious manipulation of database contents and query results.
Thus there are no single points in the network to attack, neither technically nor legally, in order to bring down any parts of the network other than those exact ones attacked.

Review of Design Goal #2: Maximum DoS Resistance
DoS resistance must continue to be a constant area of concern and improvement for future development.

All security is based on cryptography and randomness, never on obscurity or chance. Hopefully no gaping holes have been left to chance, but review and improvements are of course needed, as always in security.
All connections are wrapped in SSL, so the protection from external eavesdroppers should under all circumstances be at least equivalent to that of SSL.

Since only computers that have joined the network can be reached through it, the network cannot be used to anonymously commit illegal acts against any computer that has not itself joined the anonymous network and exposed services to it, and thus accepted the risks involved in anonymous communication for these services.
Thus, neither the port number nor any of the contents of the communication can be directly used to distinguish it from common secure web traffic.
There are of course practically always advanced traffic analysis methods that can identify certain kinds of traffic, or at least distinguish traffic of one kind from another, but if this is made hard enough it will take up too many resources or produce too many false positives to be practically or commercially viable.
Intermediate nodes will never know whether they are adjacent to the anonymized node in a path or not. Thus, single point-to-point connections between two nodes on the anonymous network, without any intermediate nodes at all (or with very few), can be used while still preserving a great measure of anonymity and/or "reasonable doubt".
The protocol design is abstracted in such a way that each individual level of the protocol can be exchanged or redesigned without the other parts being affected or having to be redesigned at the same time.

Review of Design Goal #8: Generic, Well-Abstracted and Backward Compatible
The protocol emulates / hooks all TCP network APIs, and can thus be externally applied to any application that uses common TCP communication. Hooking the TCP API covers the transport layer only; identifying information that an application itself places in its payload is not removed by this mechanism.
Compatible with all existing and future network-enabled software, without any need for adaptations or upgrades.
The generic nature of Phantom opens up far more potential than binding the anonymization to a single application or usage area.
One very important detail is that it will be very hard for the attacker to conclusively know that its nodes actually constitute the entire path, since the last attacker-controlled node will never be able to determine whether it is communicating with the anonymized node itself or with just yet another intermediate node in the routing path. The algorithms for routing path node selection can be optimized to minimize the risk of such a successful attack.

Some anonymization protocols try to counter timing-based correlation attacks by delaying data and sending out junk data, but this goes against the high throughput design goal of Phantom.

Correlation of data sizes and timing by attacker-controlled intermediate nodes could be countered to some degree by micro delays and data chunk size reorganization in intermediate nodes, but it is very hard to defend against completely. Again, though, it is very hard for the attacker to conclusively know where in the path its nodes are located, since they will never be able to determine whether they are communicating with another intermediate node or not, or even the direction of the path.
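To make concrete what "micro delays and data chunk size reorganization in intermediate nodes" buys and what it does not, here is an added example written for this page, not Phantom's code: an intermediate node re-segments everything it forwards into fixed-size cells and delays each cell by a small random amount. The cell size, the jitter bound and the sample traffic are assumptions made here.

```python
"""Toy model of chunk-size reorganization plus micro delays in an intermediate
node. Added example, not Phantom's code; cell size, jitter bound and the
sample traffic below are assumptions."""
import math
import random


def reshape(observations, cell_size, max_jitter_ms, rng):
    """Re-chunk a stream.

    observations: list of (arrival_ms, nbytes) as seen on the inbound link.
    Returns list of (emit_ms, nbytes) for the outbound link: every cell has
    exactly cell_size bytes (the last one padded), and each cell leaves at
    arrival + jitter, never before the previous cell (FIFO).
    """
    out = []
    buffered = 0
    last_emit = 0
    for arrival_ms, nbytes in observations:
        buffered += nbytes
        while buffered >= cell_size:
            buffered -= cell_size
            last_emit = max(last_emit, arrival_ms + rng.randint(0, max_jitter_ms))
            out.append((last_emit, cell_size))
    if buffered:  # end of stream: flush the remainder with padding
        last_arrival = observations[-1][0]
        last_emit = max(last_emit, last_arrival + rng.randint(0, max_jitter_ms))
        out.append((last_emit, cell_size))
    return out


def size_signature(stream):
    """The per-packet size sequence an observer could match across hops."""
    return tuple(nbytes for _, nbytes in stream)


def padded_cells(total_bytes, cell_size):
    return math.ceil(total_bytes / cell_size)


# Constructed sample (not captured traffic): a request/response exchange with
# a distinctive size pattern, as (arrival_ms, nbytes).
SAMPLE = [(0, 517), (12, 1460), (13, 1460), (14, 300),
          (90, 120), (91, 1460), (92, 880)]


def demo(cell_size=512, max_jitter_ms=20, seed=1):
    inbound = SAMPLE
    outbound = reshape(inbound, cell_size, max_jitter_ms, random.Random(seed))
    return {
        "inbound_sig": size_signature(inbound),
        "outbound_sig": size_signature(outbound),
        "cells": len(outbound),
        "expected_cells": padded_cells(sum(n for _, n in inbound), cell_size),
        "fifo_order": all(a <= b for (a, _), (b, _) in zip(outbound, outbound[1:])),
        "total_bytes_visible": len(outbound) * cell_size,
    }


if __name__ == "__main__":
    print(demo())
```

After reshaping, every outbound packet has the same size, so the 517/1460/1460/300 pattern of the inbound side no longer exists for a downstream observer to match against. What remains visible is the total volume (13 cells of 512 bytes here) and the coarse timing of the bursts, which the jitter only blurs within the chosen bound; that is the residue the slide means by "very hard to defend against completely".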