anonymity and secure messaging - courses.cs.washington.edu · 2016-12-07 · – confidential...
TRANSCRIPT
CSE484/CSEM584:ComputerSecurityandPrivacy
AnonymityandSecureMessaging
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
Cookies
• Alternative/additionaltechnology:– Icecream
• Someofyouaskedifwecouldstudythesetechnologies
12/7/16 CSE484/CSEM584-Fall2016 2
Cookies
• Sectioniscancelled,but:
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 3
Cookies
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 4
SecurityMindsetish–ReflectionsonTrustingTrust
12/7/16 CSE484/CSEM584-Fall2016 5
IdentifyingWebPages:ElectricalOutlets
Clarketal.“CurrentEvents:IdentifyingWebpagesbyTappingtheElectricalOutlet”ESORICS2013
12/7/16 CSE484/CSEM584-Spring2016 6
PowerlineEavesdropping
12/7/16 CSE484/CSEM584-Spring2016 7
Enevetal.:Televisions,VideoPrivacy,andPowerlineElectromagneticInterference,CCS2011
PrivacyonPublicNetworks
• Internetisdesignedasapublicnetwork– MachinesonyourLANmayseeyourtraffic,network
routersseealltrafficthatpassesthroughthem• Routinginformationispublic– IPpacketheadersidentifysourceanddestination– Evenapassiveobservercaneasilyfigureoutwhois
talkingtowhom• Encryptiondoesnothideidentities– Encryptionhidespayload,butnotroutinginformation– EvenIP-levelencryption(tunnel-modeIPSec/ESP)
revealsIPaddressesofIPSecgateways
12/7/16 CSE484/CSEM584-Spring2016 8
Questions
Q1:Whatisanonymity?
Q2:WhymightpeoplewantanonymityontheInternet?
Q3:WhymightpeoplenotwantanonymityontheInternet?
12/7/16 CSE484/CSEM584-Spring2016 9
ApplicationsofAnonymity(I)
• Privacy– Hideonlinetransactions,Webbrowsing,etc.from
intrusivegovernments,marketersandarchivists• Untraceableelectronicmail– Corporatewhistle-blowers– Politicaldissidents– Sociallysensitivecommunications(onlineAAmeeting)– Confidentialbusinessnegotiations
• Lawenforcementandintelligence– Stingoperationsandhoneypots– Secretcommunicationsonapublicnetwork
12/7/16 CSE484/CSEM584-Spring2016 10
ApplicationsofAnonymity(II)
• Digitalcash– Electroniccurrencywithpropertiesofpapermoney(onlinepurchasesunlinkabletobuyer’sidentity)
• Anonymouselectronicvoting• Censorship-resistantpublishing
12/7/16 CSE484/CSEM584-Spring2016 11
WhatisAnonymity?
• Anonymityisthestateofbeingnotidentifiablewithinasetofsubjects– Youcannotbeanonymousbyyourself!
• Bigdifferencebetweenanonymityandconfidentiality– Hideyouractivitiesamongothers’similaractivities
• Unlinkabilityofactionandidentity– Forexample,senderandemailhe/shesendsarenomore
relatedafterobservingcommunicationthanbefore• Unobservability(hardtoachieve)– Observercannoteventellwhetheracertainactiontook
placeornot
12/7/16 CSE484/CSEM584-Spring2016 12
Part1:AnonymityinDatasets
12/7/16 CSE484/CSEM584-Spring2016 13
Howtoreleaseananonymousdataset?
• Possibleapproach:removeidentifyinginformationfromdatasets?
12/7/16 CSE484/CSEM584-Spring2016 14
Massachusettsmedical+voterdata[Sweeney1997]
k-Anonymity
• Eachpersoncontainedinthedatasetcannotbedistinguishedfromatleastk-1othersinthedata.
12/7/16 CSE484/CSEM584-Spring2016 15
Doesn’tworkforhigh-dimensionaldatasets(whichtendtobesparse)
DifferentialPrivacy
• Setting:Trustedpartyhasadatabase• Goal:allowqueriesonthedatabasethatareusefulbutpreservetheprivacyofindividualrecords
• Differentialprivacyintuition:addnoisesothatanoutputisproducedwithsimilarprobabilitywhetheranysingleinputisincludedornot
• Privacyofthecomputation,notofthedataset
12/7/16 CSE484/CSEM584-Spring2016 16
[Dworketal.]
Part2:AnonymityinCommunication
12/7/16 CSE484/CSEM584-Spring2016 17
Chaum’sMix
• Earlyproposalforanonymousemail– DavidChaum.“Untraceableelectronicmail,return
addresses,anddigitalpseudonyms”.CommunicationsoftheACM,February1981.
• Publickeycrypto+trustedre-mailer(Mix)– Untrustedcommunicationmedium– Publickeysusedaspersistentpseudonyms
• ModernanonymitysystemsuseMixasthebasicbuildingblock
12/7/16 CSE484/CSEM584-Spring2016 18
Beforespam,peoplethoughtanonymousemailwasagoodideaJ
BasicMixDesign
12/7/16 CSE484/CSEM584-Spring2016 19
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
Q2
12/7/16 CSE484/CSEM584-Spring2016 20
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
AnonymousReturnAddresses
12/7/16 CSE484/CSEM584-Spring2016 21
A
BMIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
Mincludes{K1,A}pk(mix),K2whereK2isafreshpublickey
ResponseMIX
{K1,A}pk(mix),{r2,M’}K2A,{{r2,M’}K2}K1
Secrecywithoutauthentication(goodforanonlineconfessionserviceJ)
MixCascadesandMixnets
12/7/16 CSE484/CSEM584-Spring2016 22
• Messagesaresentthroughasequenceofmixes• Canalsoformanarbitrarynetworkofmixes(“mixnet”)
• Someofthemixesmaybecontrolledbyattacker,butevenasinglegoodmixensuresanonymity
• Padandbuffertraffictofoilcorrelationattacks
DisadvantagesofBasicMixnets
• Public-keyencryptionanddecryptionateachmixarecomputationallyexpensive
• Basicmixnetshavehighlatency– OKforemail,notOKforanonymousWebbrowsing
• Challenge:low-latencyanonymitynetwork
12/7/16 CSE484/CSEM584-Spring2016 23
AnotherIdea:RandomizedRouting
12/7/16 CSE484/CSEM584-Spring2016 24
• Hidemessagesourcebyroutingitrandomly– Populartechnique:Crowds,Freenet,Onionrouting
• Routersdon’tknowforsureiftheapparentsourceofamessageisthetruesenderoranotherrouter
OnionRouting
12/7/16 CSE484/CSEM584-Spring2016 25
R R4
R1 R2
R
R R3
Bob
R
R
R Alice
[Reed,Syverson,Goldschlag1997]
• Senderchoosesarandomsequenceofrouters• Someroutersarehonest,somecontrolledbyattacker• Sendercontrolsthelengthofthepath
RouteEstablishment
12/7/16 CSE484/CSEM584-Spring2016 26
R4
R1
R2 R3 Bob Alice
{R2,k1}pk(R1),{ }k1 {R3,k2}pk(R2),{ }k2
{R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4
{M}pk(B)
• Routinginfoforeachlinkencryptedwithrouter’spublickey• Eachrouterlearnsonlytheidentityofthenextrouter
Tor
• Second-generationonionroutingnetwork– http://tor.eff.org– DevelopedbyRogerDingledine,NickMathewsonandPaulSyverson
– Specificallydesignedforlow-latencyanonymousInternetcommunications
• RunningsinceOctober2003• “Easy-to-use”clientproxy– Freelyavailable,canuseitforanonymousbrowsing
12/7/16 CSE484/CSEM584-Spring2016 27
TorCircuitSetup(1)
12/7/16 CSE484/CSEM584-Spring2016 28
• ClientproxyestablishesasymmetricsessionkeyandcircuitwithOnionRouter#1
TorCircuitSetup(2)
12/7/16 CSE484/CSEM584-Spring2016 29
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#2– TunnelthroughOnionRouter#1
TorCircuitSetup(3)
12/7/16 CSE484/CSEM584-Spring2016 30
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#3– TunnelthroughOnionRouters#1and#2
UsingaTorCircuit
12/7/16 CSE484/CSEM584-Spring2016 31
• ClientapplicationsconnectandcommunicateovertheestablishedTorcircuit.
TorManagementIssues
• Manyapplicationscanshareonecircuit– MultipleTCPstreamsoveroneanonymousconnection
• Torrouterdoesn’tneedrootprivileges– Encouragespeopletosetuptheirownrouters– Moreparticipants=betteranonymityforeveryone
• Directoryservers– Maintainlistsofactiveonionrouters,theirlocations,
currentpublickeys,etc.– Controlhownewroutersjointhenetwork
• “Sybilattack”:attackercreatesalargenumberofrouters
– Directoryservers’keysshipwithTorcode
12/7/16 CSE484/CSEM584-Spring2016 32
LocationHiddenService
• Goal:deployaserverontheInternetthatanyonecanconnecttowithoutknowingwhereitisorwhorunsit
• Accessiblefromanywhere• Resistanttocensorship• Cansurviveafull-blownDoSattack• Resistanttophysicalattack– Can’tfindthephysicalserver!
12/7/16 CSE484/CSEM584-Spring2016 33
CreatingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 34
ServercreatescircuitsTo“introductionpoints”
Servergivesintropoints’descriptorsandaddressestoservicelookupdirectory
Clientobtainsservicedescriptorandintropointaddressfromdirectory
UsingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 35
Clientcreatesacircuittoa“rendezvouspoint”
Clientsendsaddressoftherendezvouspointandanyauthorization,ifneeded,toserverthroughintropoint
Ifserverchoosestotalktoclient,connecttorendezvouspoint
Rendezvouspointsplicesthecircuitsfromclient&server
AttacksonAnonymity
• Passivetrafficanalysis– Inferfromnetworktrafficwhoistalkingtowhom– Tohideyourtraffic,mustcarryotherpeople’straffic!
• Activetrafficanalysis– Injectpacketsorputatimingsignatureonpacketflow
• Compromiseofnetworknodes– Attackermaycompromisesomerouters– Itisnotobviouswhichnodeshavebeencompromised
• Attackermaybepassivelyloggingtraffic– Betternottotrustanyindividualrouter
• Assumethatsomefractionofroutersisgood,don’tknowwhich
12/7/16 CSE484/CSEM584-Spring2016 36
DeployedAnonymitySystems
• Tor(http://tor.eff.org)– Overlaycircuit-basedanonymitynetwork– Bestforlow-latencyapplicationssuchasanonymousWebbrowsing
• Mixminion(http://www.mixminion.net)– Networkofmixes– Bestforhigh-latencyapplicationssuchasanonymousemail
• Not:YikYakJ
12/7/16 CSE484/CSEM584-Spring2016 37
SomeCaution
• Torisn’tcompletelyeffectivebyitself– Trackingcookies,fingerprinting,etc.– Exitnodescanseeeverything!
12/7/16 CSE484/CSEM584-Spring2016 38
IdentifyingWebPages:TrafficAnalysis
Herrmannetal.“WebsiteFingerprinting:AttackingPopularPrivacyEnhancingTechnologieswiththeMultinomialNaïve-BayesClassifier”CCSW2009
12/7/16 CSE484/CSEM584-Spring2016 39
OTRANDSECUREMESSAGING
12/7/16 CSE484/CSEM584-Fall2016 40
OTR–“OffTheRecord”
• Protocolforend-to-endencryptedinstantmessaging
• End-to-end:Onlytheendpointscanreadmessages.– PGP,iMessage,WhatsApp,andavarietyofotherservicesprovidesomeformofend-to-endencryptiontoday.
12/7/16 CSE484/CSEM584-Fall2016 41
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 42
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 43
OTR:Deniability
12/7/16 CSE484/CSEM584-Fall2016 44
Eve
Alice Bob
“Somethingincriminating”
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
12/7/16 CSE484/CSEM584-Fall2016 45
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
• Q1
12/7/16 CSE484/CSEM584-Fall2016 46
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
12/7/16 CSE484/CSEM584-Fall2016 47
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
• OTRtakesthisonestepfarther:Afteramessagingsessionisover,AliceandBobsendtheMACkeypubliclyoverthewire!
12/7/16 CSE484/CSEM584-Fall2016 48
OTR:Deniability
• EvenowknowstheMACkey,sotechnicallyspeaking,shealsohastheabilitytoforgemessagesfromAliceorBob.
12/7/16 CSE484/CSEM584-Fall2016 49
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 50
Eve
Alice Bob
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 51
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsB
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 52
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsBIfEvecompromisesAliceorBob’scomputersatalaterdate,wewouldliketopreventherfrombeingabletolearnwhatM1,M2,M3,etc.correspondtoC1,C2,C3,etc.
OTR:Ratcheting
• Idea:Useanewkeyforeverysession/message/timeperiod.
12/7/16 CSE484/CSEM584-Fall2016 53
Signal
12/7/16 CSE484/CSEM584-Fall2016 54
• End-to-endencryptedchat/IMbasedonOTR
• Providesvariationsonratcheting,deniability,etc.
• Widelyused,publiccode,audited.