anonymity - beginnings
Post on 13-Jan-2016
R. Newman
Anonymity - Background

Topics
- Defining anonymity
- Need for anonymity
- Defining privacy
- Threats to anonymity and privacy
- Mechanisms to provide anonymity
- Applications of anonymity technology

Anonymity - Beginnings
- Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, etc.)
- Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies)
- Computer TAP solvable with cryptography
- With public-key cryptography, theoretical possibility for anonymity and pseudonymity

Forms of Anonymity
- Traffic Analysis Prevention
- Sender, Recipient, Message Anonymity
- Voter Anonymity
- Pseudonymity
- Revokable anonymity
- Data anonymity

Anonymity Mechanisms
- Cryptography
- Steganography
- Traffic Analysis Prevention (TAP)
- Mixes, crowds
- Data sanitization/scrubbing
- k-anonymity

Adversaries
- Global vs. Restricted
  – All links vs. some links
  – All network nodes vs. some or no nodes
- Passive vs. Active
  – Passive – listen only
  – Active – remove, modify, replay, or inject new messages
- Cryptography Assumptions
  – All unencrypted contents are observable
  – All encrypted contents are not, without key

Symmetric Key Cryptography
- One key, $K_{ab}$, associated with entities A and B
- Same key used for encryption and decryption: $C = E(M, K_{ab})$, $M = D(C, K_{ab}) = D(E(M, K_{ab}), K_{ab})$
- For message M, ciphertext $C = \{M\}K$
- Anyone with $K_{ab}$ can form ciphertext
- Anyone with $K_{ab}$ can decrypt C
- For message M, MIC or MAC uses hash function
- If only A and B have $K_{ab}$, then MAC
- If group key, then MIC
- Depending on E, may require crypto hash function

Public Key Cryptography
- Two keys, $K$ and $K^{-1}$, associated with entity A
- $K$ is public key, $K^{-1}$ is private key
- Keys are inverses: $\{\{M\}K\}K^{-1} = \{\{M\}K^{-1}\}K = M$
- For message M, ciphertext $C = \{M\}K$
- Anyone can send A ciphertext using $K$
- Only A has $K^{-1}$ so only A can decrypt C
- For message M, signature $S = \{M\}K^{-1}$
- Anyone can verify M,S using $K$
- Only A can sign with $K^{-1}$

Details we omit
- Limit on size of M, based on size of K in PKC
- Need to format M to avoid attacks on PKC
- Use confounder to foil guessed plaintext attacks
- Typical use of one-way hash H to distill large M to reasonable size for signing
- Typical use of PKC to distribute symmetric key for actual encryption/decryption of larger messages
- See http://www.rsa.com/rsalabs/ for standards

Chaum – Untraceable Mail
- Wish to receive email anonymously, but
  – Be able to link new messages with past ones
  – Respond to the sender
- Do not trust single authority (e.g., Paypal)
- Underlying message delivery system is untrusted
- Global active adversary

Chaum Mix 1
- Mix is like a special type of router/gateway
- It has its own public key pair, $K_1$ and $K_1^{-1}$
- Recipient A also has public key pair, $K_a$ and $K_a^{-1}$
- Sender B prepends random confounder $R_a$ to message M, encrypts for A: $C_a = \{R_a|M\}K_a$
- B then prepends confounder for mix to C and encrypts for mix: $C_1 = \{R_1|A|C_a\}K_1$
- B sends $C_1$ to mix, which later sends $C_a$ to A

Chaum Mix 2
- Mix simply decrypts and strips confounder from message to A
- Incoming message and outgoing message do not appear related
- Use padding to ensure same length (some technical details here)
- Gather a batch of messages from different sources before sending them out in permuted order

Chaum Mix
- As long as messages are not repeated, adversary can't link an incoming message with an outgoing one (anonymous within the batch)
- Mix can discard duplicate messages
- B can insert different confounder in repeats
- B can use timestamps – repeats look different
- Mix signs message batches, sends receipt to senders
- This allows B to prove to A if a message was not forwarded

Cascading Mixes 1
- If one mix is good, lots of mixes are better!
- B prepares M for A by selecting sequence of mixes, 1, 2, 3, … , n.
  – Message for A is prepared for Mix 1
  – Message for Mix 1 is prepared for Mix 2
  – …
  – Message for Mix n-1 is prepared for Mix n
  – Layered message is sent to Mix n
- Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in permuted order

Cascading Mixes 2
- Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed receipt)
- Any mix in cascade that is not compromised can provide unlinkability
- This gets us anonymous message delivery, but does not allow return messages
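
Added example (not part of the original slides): a symbolic Python model of the layered message and of a threshold mix that strips its confounder, discards exact repeats and flushes in permuted order. `seal`/`unseal` only stand in for the slides' {X}K notation and are not real encryption; all function, class and mix names are assumptions made for illustration.

```python
import random
import secrets

# Symbolic stand-in for the slides' {X}K notation: a box records which key
# pair it was sealed for and only that owner opens it. NOT real encryption.
def seal(owner, *fields):
    return ("sealed", owner, fields)
def unseal(owner, box):
    if box[1] != owner:
        raise ValueError("not sealed for " + owner)
    return box[2]

def wrap(message, recipient, path):
    """B: C_a = {R_a|M}K_a, then {R_i|next hop|C}K_i per mix (path = mixes 1..n)."""
    box, nxt = seal(recipient, secrets.token_hex(8), message), recipient
    for mix in path:
        box, nxt = seal(mix, secrets.token_hex(8), nxt, box), mix
    return box

class ThresholdMix:
    def __init__(self, name, n):
        self.name, self.n, self.seen, self.batch = name, n, set(), []
    def receive(self, box):
        """Return the flushed batch [(next_hop, payload)], or [] while gathering."""
        if box in self.seen:                    # exact repeat: discard
            return []
        self.seen.add(box)
        _confounder, nxt, inner = unseal(self.name, box)
        self.batch.append((nxt, inner))
        if len(self.batch) < self.n:
            return []
        out, self.batch = self.batch, []
        random.SystemRandom().shuffle(out)      # permuted output order
        return out

def run(mixes, entry, boxes):  # inject at the entry mix, follow batches to delivery
    queue, delivered = [(entry, b) for b in boxes], []
    while queue:
        hop, payload = queue.pop(0)
        if hop in mixes:
            queue.extend(mixes[hop].receive(payload))
        else:
            delivered.append((hop, payload))
    return delivered

def demo():  # constructed input: 3 messages for A via mixes 1 and 2, one replay
    mixes = {m: ThresholdMix(m, 3) for m in ("mix1", "mix2")}
    boxes = [wrap("msg%d" % i, "A", ["mix1", "mix2"]) for i in range(3)]
    return boxes, run(mixes, "mix2", boxes + [boxes[0]])
```

The outermost layer is addressed to mix 2 because the slides send the layered message to Mix n first; a resend only passes the duplicate check when the sender wraps it again with fresh confounders.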

Return Addresses 1
- B generates a public key $K_b$ for the message
- B seals its true address and another key K using the mix's key $K_1$: RetAddr = $(\{K,B\}K_1, K_b)$
- A encrypts reply M and confounder $R_0$ with message key $K_b$ and sends to mix along with return address: Reply = $\{K,B\}K_1, \{R_0|M\}K_b$
- Mix decrypts address and key, uses key K to re-encrypt reply: $\{\{R_0|M\}K_b\}K$ and sends to B

Return Addresses 2
- B must generate new return address keys for each message (K and $K_b$) so there are no duplicates
- Mix must remove duplicates if found
- Symmetric cryptography may be used for both K and $K_b$ here (but not for mix key!)
  – How?
- Cascade can return messages by building the return address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return path

Return Addresses 3
- For cascaded mixes, must build return address for the whole path
- Receiver uses built-up return address and return key to send reply
- Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address
- Sender had all the keys (it built the return address) so it can decrypt reply

Mix Generics
- Mix must make input messages unlinkable with output messages
  – Messages must all be same length
  – Messages must all be encrypted so as to appear random
  – Can't hide source/destination addresses along a single hop in path, but must hide sender and receiver, as well as distance along path
  – Mix must randomize order of output
- Mix may have any number of triggers

Mix Triggers
- Timed mix
  – Mix gathers messages for period T, then sends
- Threshold mix
  – Mix gathers N messages, then sends
- Hybrid mix
  – Mix sends when N messages or period T reached
- Pool mix
  – Mix keeps pool of messages of size P, when pool reaches size N+P, N randomly chosen messages are sent
- Continuous mix
  – Mix attaches random delay D from some distribution to each msg M, sends M when delay is reached
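
Added example (not part of the original slides): the five triggers as flush policies in Python, with no cryptography, plus a constructed experiment counting how many flushes a tagged message survives in a pool mix (on average (N+P)/N, since each flush releases it with probability N/(N+P)). The class and function names, the abstract clock ticks and the exponential delay for the continuous mix are assumptions made for illustration.

```python
import random

class TriggeredMix:
    """Flush policy only (no crypto); `now` is an abstract clock tick.
    n only -> threshold mix; t only -> timed mix; n and t -> hybrid mix;
    n with pool=P -> pool mix (flush N random messages once N+P are held)."""
    def __init__(self, n=None, t=None, pool=0, rng=None):
        self.n, self.t, self.pool = n, t, pool
        self.rng = rng or random.SystemRandom()
        self.held, self.last_flush = [], 0

    def arrive(self, msg, now):
        self.held.append(msg)
        return self.tick(now)

    def tick(self, now):
        """Return the messages sent at time `now` (possibly none)."""
        by_count = self.n is not None and len(self.held) >= self.n + self.pool
        by_time = self.t is not None and now - self.last_flush >= self.t
        if not (by_count or by_time):
            return []
        self.rng.shuffle(self.held)            # random choice and random order
        keep = min(self.pool, len(self.held))
        out, self.held = self.held[keep:], self.held[:keep]
        self.last_flush = now
        return out

def continuous_mix(arrivals, mean_delay, rng):
    """Continuous mix: each (time, msg) gets its own random delay D.
    Exponential D is an assumption; the slide only says 'some distribution'."""
    timed = [(t + rng.expovariate(1.0 / mean_delay), m) for t, m in arrivals]
    return [m for _, m in sorted(timed)]

def rounds_held(n, pool, rng, limit=1000):
    """Constructed experiment: flushes until a tagged message leaves a pool mix."""
    mix, tick = TriggeredMix(n=n, pool=pool, rng=rng), 0
    for i in range(pool):                      # pre-fill the pool
        mix.arrive("fill%d" % i, tick)
    out = mix.arrive("tagged", tick)
    flushes = int(bool(out))
    while "tagged" not in out and flushes < limit:
        tick += 1
        out = mix.arrive("cover%d" % tick, tick)
        flushes += bool(out)
    return flushes
```

A timed flush with nothing held returns an empty batch, which is the case where the dummy messages discussed under Mix Padding matter.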

Mix Padding
- In addition to padding messages to some constant length (and segmenting longer messages), mix may introduce dummy messages into traffic
- Dummy messages especially useful in timed mixes (may not have many messages to send)
- Strong resistance from network guys
- Research question: how much does this form of padding help, and what is the relationship between increase in anonymity and cost of padding?