computer security spring 2008 anonymity and...

Anonymity and Privacy

Aggelos KiayiasUniversity of Connecticut

Computer Security Spring 2008

CSE281 - Computer Security (Spring 2008) University of Connecticut ©2006-8 Aggelos Kiayias

Anonymity in networks

• Anonymous Credentials

• Anonymous Payments

• Anonymous E-mail and Routing

• E-voting

• Group, Traceable and Ring Signatures


Blind SignaturesSigner

signingprotocol

signing key

signaturethat can be

verifiedagainstm, pk

pk

Chaum ‘82

Usermessage

unlinkable


Anonymous Credentials

Authority

User Gateway

get(blinded)credential

+ idShow credential

Checkcredentialstructure

+ signature

receive service

sign(cred)

Verifycredential

is usedfor the first

time

Blindsignature


Applications

• Anonymous credentials: each credential can be used once and it is unlinkable to the act of showing the id.

• Can be used to disassociate the id from receiving the service.


Electronic Cash

Bank

User Shop

show(blinded)

Bank,nonce+ id

Show E-Coin

Checkcoin

structure+ signature

receive goods

sign$5-Bank(Bank,nonce)

Verifycoin

was notspent

Withdraw$5

Blindsignature


Anonymous Communication

User

Web-site

Proxy

UserWeb-site

Trusted party anonymity


Dining Cryptographers

• The waiter announces that the bill is payed!

• Did one of the cryptographers pay? or did the NSA pick up the bill?

• If a cryptographer payed he wishes to remain anonymous.

anonymous communication without trusted party


Dining Cryptographers• Consider a dinner for three:

Each cryptographer flips a coin

Shows the coin to the person on the leftIf coins are same and he is not paying he announces

“Same” ... similarly for “Different”)If coins are same and he is paying he flips his answer


Analysis

• If the number of “Same” is even then a cryptographer is paying.

• If the number of “Same” is odd then NSA is paying!

• A non-payer cannot distinguish which one of the other two is paying.


Indistinguishability of Payer

H T

H “Same”

“Same”“Diff”

H H

H “Same”

“Same”“Diff”

A B

C

A B

C

is paying

curious curious

is paying


DC-Net• Setting generalizes to arbitrary number of parties.

• It allows one party (the announcing party) to anonymously send one bit of information to everybody that is present.

• Parties keep on repeating the protocol constantly. Whenever one party wants to transmit the message it transmits it in binary.

• Once a party starts to speak no other party starts speaking till a given fixed termination bitstring is sent.

• if two parties start together they stop and wait a random number of rounds.


Anonymity and the Internet

• Whistle-blowing.

• Fear of censorship or prosecution.

• Communication regarding sensitive personal issues.


Cypherpunk Remailer

remailer

From: Aggelos Kiayias <[email protected]>To: [email protected]

::Anon-To: [email protected]

##Subject: This is the subject...

list of active remailers + statistics: http://stats.melontraffickers.com/

From: Anonymous <[email protected]> To: [email protected] Subject: This is the subject...

mailto:[email protected]






http://privacy.outel.org/rlist-clear.html

http://privacy.outel.org/rlist-clear.html






Cypherpunk Encrypted

remailer


::Encrypted: PGP

----- Begin PGP Message ------Version

----- End PGP Message -----

From: [email protected] To: [email protected] Subject: This is the subject...










Remailer Chains




##Subject: This is the subject...

remailer

remailer

remailer










Mix Network

msg1

msg2

msg1msg2

Q

P

Not possible to relate whether P send msg1 or msg2and similarly for Q (as long as there is one honest mix)

David Chaum, Untraceable Electronic Mail, Return Addressesand Digital Pseudonyms, CACM ‘81

A

B C

D


Using EncryptionEncrypted with Public-key of A

Send to B; sym_key1

Encrypted with sym_key1 Encrypted with Public-key of B

Send to C; sym_key2

Encrypted with sym_key1

Encrypted with sym_key2 Encrypted with Public-key of C

Stop; sym_key3




destination/ infopayload

fixedblocksize

fixedblocksize

fixedblocksize

fixedblocksize


Following the route

junk

A B

junk

junk

C

sender

destination


Mixmaster• A mixnet implementation for remailing.

• Message may be split into packets and each packet is routed differently (but with the same final routing destination who should assemble).

• Each mix node relays messages in batches after randomly permuting them [consistent with the standard notion of mixnets].

• Payload can be either e-mail, or usenet posting or dummy message (why a dummy ?).

http://www.abditum.com/mixmaster-spec.txt




Limitations• Lack of bidirectional communication:

especially problematic if you want to use anonymity with bidirectional protocols.

• Possibility of replay attacks: can be handled by keeping a log of sent messages and compare.

• Abuse, flooding, etc.


Onion Routing

• An onion directed to a node Ais comprised of the following:

expiration_time

next_hop

Forward(.)

Backward(.)

PAYLOAD

Encryptedwith PK

of A

Hiding routing information, by D. M. Goldschlag, M.G.Reed, P.F. Syverson, Information Hiding Workshop 1996

can be anotheronion

Key_material


Onion Layersexpiration_timenext_hop = B

Forward(.)

Backward(.)

Encryptedwith PK

of AKey_material

expiration_timenext_hop = D

Forward(.)

Backward(.)

Key_material

Encryptedwith PK

of Bexpiration_timenext_hop = null

null

null

null

Encryptedwith PK

of D

payload


Onion Peelingexpiration_time

next_hop

Forward(.)

Backward(.)PAYLOAD

Encryptedwith PK

of A

A

1. Decrypt layer2. check expiration time3. Initialize Forward(.) crypto engine using Key_material4. Initialize Backward(.) crypto engine using Key_material5. Pad PAYLOAD to maintain fixed size.6. Forward PAYLOAD to next_hop node.

Key_material B

Create Mode

S


Circuit Creation

A

B

S

D

choose an ACI = 5123forward movementcreate - mode



ACI = Anonymous Connection Identifier

[5123, 8612]

[8612, 2523]

[. ,5123]

[2523, “outside connection”]

Once the create mode is donethere exists a bidirectional link


Forwarding

A

B

S

D

DATA

[5123, 8612]

[8612, 2523]

[. ,5123]

Forward1(.)

Forward2(.)

defined in first onion

defined in second onion

Forward2(Forward1( DATA) )

the cirtcuit delivers:

thus we may define:

DATA = Forward1-1(Forward2 -1(MESSAGE) )[2523, “outside connection”]


Responding

A

B

S

D

DATA

[5123, 8612]

[8612, 2523]

[. ,5123]

Backward1(.)

Backward2(.)

defined in first onion

defined in second onion

Backward2(Backward1( DATA) )

the circuit delivers:

thus S recovers the data:

DATA = Backward1-1(Backward2 -1(MESSAGE) )[2523, “outside connection”]


Implementing Onion Routing

• Each host runs an onion proxy locally.

• TCP/IP traffic can be directed through virtual circuits created by onions.

http://tor.eff.org/Tor

http://tor.eff.org

http://tor.eff.org


Problems with Tor


Hidden Identity Based Signatures

Hidden ID-based signatures: a digital signature where the corresponding public-key is your name & is (provably) hidden into the signature.

The hiding can be inverted by the OA.

IdentityManager

name

signing keysignature

that provably containsname and can

be verified against pkIMpkIM

the OAcan

open this

Kiayias - Zhou (2007)


a glimpse


Applying HiddenIBS to TORHow to calibrate anonymity of Tor using Hidden-IBS

Add three entities in Tor:

Identity manager (IM)

A Disputes & Grievances (D&G) database

An opening authority (OA)


GoalsMinimal anonymity loss if misbehavior does not occur.

Minimal efficiency impact for services that do not require anonymity control.

Transparency to service providers.

the service providers accepting Tor traffic should not have to assist the system [except providing the necessary forensic information]


HiddenIBS + TorModify Tor Exit policy: certain type of packets must be HiddenIBS’ed [e.g., http POST requests]

Modify user’s onion proxy : it catches such packets and signs them using user’s HiddenIBS signing credential.

If user does not have a credential, the onion proxy directs user to IM to get one.

Modify exit point: beyond forwarding the packet it registers it to the D&G database (only the hash + signature need to be registered).


Overview


realization issuesWhat is a user’s identity and how does the Identity Manager verifies it?

IP address, e-mail address, id in a reputation system, etc.

How to deal with misbehaving users?

black-listing. revocation of credentials, time-based or reactive.


anonymity scalabilityDisputes & Grievances database contains:

hashes of packets + HiddenIBS signatures. we include nonces in the packets to increase entropy.

The D&G size is manageable:

using a SHA-256 hash + our bilinear map based scheme with a 10GB we can store ~ 27.3 million entries.


propertiesMinimal anonymity loss : D&G database leaks no information about Tor usage, if no misbehavior occurs.

Minimal efficiency impact for services that do not require anonymity control: only a few types of packets need to be signed.

Transparency to service providers: a simple packet log is enough to make an abuse report resulting in blacklisting a user.


other applicationsApproach is fairly general.

application to other anonymous access systems is possible.

other web-sites than wikipedia need similar abuse protection; e.g. slashdot.

More services: e.g., SMTP traffic is blocked. Using HiddenIBS it can be opened.


Blind Signatures

• we have seen already its application to e-cash and anonymous tokens.

• Another anonymity/privacy application : e-voting

User Signerblinded message

scrambled signature

signed message

message


E-Voting using Blind Signatures

voterPC

Electionofficial

blinded choice, proof of identity

scrambled signature

signed choice

choice

Anonymous Channel Votetabulation

Results


Group Signatures

Alice, pkABob, pkBCharlie, pkCDavid, pkDEric, pkEFrank, pkF

PKIGroup Manager

Verifier

OpeningAuthority

PKI-member signature

Charlie

message

Is convinced thata PKI member signs

message butnot which one

D. Chaum, E. van Heyst, 1991


Applications

• Can be used to hide the origin of a transaction.

• Prove that you belong in a group without showing who you are.

• They allow Opening Authority to reveal the identity in case of dispute.


Traceable Signatures


PKIGroup Manager

Verifier

TracingAuthority

PKI-member signature

Charlie

Is convinced thata PKI member signs

message butnot which one

A. Kiayias, Y. Tsiounis M. Yung, 2004

VerifierPKI-member signature


Charlie’s

OpeningAuthority


Applications

• As in group signatures but now it is possible to:

• The tracing authority to find all signatures of a “wanted user”

• A user to claim his signatures.


Ring Signatures


PKI


message

Is convinced thateither Eric, Frank or Bob

signs the messagebut it is unclear which one

whistle-blowing etc.


Privacy for Trusted Computing

• Your hardware proves its identity but only using an identification schema based on the previous signatures.

• Your anonymity can be preserved and still prove you are “among the good guys”

• opening functionality can be disabled.

• Direct Anonymous Attestation

computer security spring 2008 anonymity and...

Documents