r. newman anonymity - background. defining anonymity defining anonymity need for anonymity need for...

21
R. Newman R. Newman Anonymity - Anonymity - Background Background

Upload: nigel-andrews

Post on 03-Jan-2016

225 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

R. NewmanR. Newman

Anonymity - BackgroundAnonymity - Background

Page 2: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Defining anonymityDefining anonymity Need for anonymityNeed for anonymity Defining privacyDefining privacy Threats to anonymity and privacyThreats to anonymity and privacy Mechanisms to provide anonymityMechanisms to provide anonymity Applications of anonymity technologyApplications of anonymity technology

TopicsTopics

Page 3: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Early (pre-computer) uses for social reasons (ability to Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, act more freely, have work accepted without prejudice, etc.) etc.)

Traffic analysis an issue prior to computers (e.g., Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies)Bodyguard of Lies)

Computer TAP solvable with cryptography Computer TAP solvable with cryptography With public-key cryptography, theoretical possibility for With public-key cryptography, theoretical possibility for

anonymity and pseudonymity anonymity and pseudonymity

Anonymity - BeginningsAnonymity - Beginnings

Page 4: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Traffic Analysis PreventionTraffic Analysis Prevention Sender, Recipient, Message AnonymitySender, Recipient, Message Anonymity Voter AnonymityVoter Anonymity PseudonymityPseudonymity Revokable anonymityRevokable anonymity Data anonymityData anonymity

Forms of AnonymityForms of Anonymity

Page 5: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

CryptographyCryptography SteganographySteganography Traffic Analysis Prevention (TAP)Traffic Analysis Prevention (TAP) Mixes, crowdsMixes, crowds Data sanitization/scrubbingData sanitization/scrubbing k-anonymityk-anonymity

Anonymity MechanismsAnonymity Mechanisms

Page 6: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Global vs. RestrictedGlobal vs. Restricted All links vs. some linksAll links vs. some links All network nodes vs. some or no nodesAll network nodes vs. some or no nodes

Passive vs. ActivePassive vs. Active Passive – listen onlyPassive – listen only Active – remove, modify, replay, or inject new messagesActive – remove, modify, replay, or inject new messages

Cryptography AssumptionsCryptography Assumptions All unencrypted contents are observableAll unencrypted contents are observable All encrypted contents are not, without keyAll encrypted contents are not, without key

Adversaries Adversaries

Page 7: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

One key, KOne key, Kabab, associated with entities A and B, associated with entities A and B

Same key used for encryption and decryption: Same key used for encryption and decryption:

C=E(M,KC=E(M,Kabab), ),

M=D(C,KM=D(C,Kabab)=D(E(M,K)=D(E(M,K

abab)K)Kabab)) For message M, ciphertext C = {M}KFor message M, ciphertext C = {M}K

Anyone with KAnyone with Kabab can form ciphertext can form ciphertext

Anyone with KAnyone with Kabab can decrypt C can decrypt C

For message M, MIC or MAC uses hash fcnFor message M, MIC or MAC uses hash fcn

If only A and B have KIf only A and B have Kabab, then MAC, then MAC

If group key, then MICIf group key, then MIC Depending on E, may require crypto Depending on E, may require crypto

hash fcn hash fcn

Symmetric Key Symmetric Key Cryptography Cryptography

Page 8: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Two keys, K and KTwo keys, K and K-1-1, associated with entity A, associated with entity A K is public key, KK is public key, K-1-1 is private key is private key Keys are inverses: {{M}K}KKeys are inverses: {{M}K}K-1-1 = {{M}K = {{M}K-1-1}K = M}K = M For message M, ciphertext C = {M}KFor message M, ciphertext C = {M}K

Anyone can send A ciphertext using KAnyone can send A ciphertext using K Only A has KOnly A has K-1-1 so only A can decrypt C so only A can decrypt C

For message M, signature S = {M}KFor message M, signature S = {M}K -1-1

Anyone can verify M,S using KAnyone can verify M,S using K

Only A can sign with KOnly A can sign with K-1-1

Public Key Cryptography Public Key Cryptography

Page 9: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Limit on size of M, based on size of K in PKCLimit on size of M, based on size of K in PKC Need to format M to avoid attacks on PKCNeed to format M to avoid attacks on PKC Use confounder to foil guessed ptxt attacksUse confounder to foil guessed ptxt attacks Typical use of one-way hash H to distill large M to Typical use of one-way hash H to distill large M to

reasonable size for signingreasonable size for signing Typical use of PKC to distribute symmetric key for Typical use of PKC to distribute symmetric key for

actual encryption/decryption of larger messagesactual encryption/decryption of larger messages See See http://www.rsa.com/rsalabs/ for standards for standards

Details we omitDetails we omit

Page 10: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Wish to receive email anonymously, but Wish to receive email anonymously, but Be able to link new messages with past onesBe able to link new messages with past ones Respond to the senderRespond to the sender

Do not trust single authority (e.g., Paypal)Do not trust single authority (e.g., Paypal) Underlying message delivery system is untrustedUnderlying message delivery system is untrusted

Global active adversaryGlobal active adversary

Chaum – Untraceable Chaum – Untraceable MailMail

Page 11: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Mix is like a special type of router/gatewayMix is like a special type of router/gateway It has its own public key pair, KIt has its own public key pair, K

11 and K and K11

-1-1

Recipient A also has public key pair, KRecipient A also has public key pair, Kaa and K and K

aa-1-1

Sender B prepends random confounder RSender B prepends random confounder Raa to message to message

M, encrypts for A: CM, encrypts for A: Caa = {R = {R

aa|M}K|M}Kaa

B then prepends confounder for mix to C and encrypts B then prepends confounder for mix to C and encrypts for mix: Cfor mix: C

11 = {R = {R11|A|C|A|C

aa}K}K11

B sends CB sends C11 to mix, which later send C to mix, which later send C

aa to A to A

Chaum Mix 1Chaum Mix 1

Page 12: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Mix simply decrypts and strips confounder from Mix simply decrypts and strips confounder from message to Amessage to A

Incoming message and outgoing message do not appear Incoming message and outgoing message do not appear relatedrelated

Use padding to ensure same length (some technical Use padding to ensure same length (some technical details here)details here)

Gather a batch of messages from different sources Gather a batch of messages from different sources before sending them out in permuted orderbefore sending them out in permuted order

Chaum Mix 2Chaum Mix 2

Page 13: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

As long as messages are not repeated, adversary can't As long as messages are not repeated, adversary can't link an incoming message with an outgoing one link an incoming message with an outgoing one (anonymous within the batch)(anonymous within the batch)

Mix can discard duplicate messagesMix can discard duplicate messages B can insert different confounder in repeatsB can insert different confounder in repeats B can use timestamps – repeats look differentB can use timestamps – repeats look different

Mix signs message batchs, sends receipt to sendersMix signs message batchs, sends receipt to senders This allows B to prove to A if a message was not This allows B to prove to A if a message was not

forwarded forwarded

Chaum MixChaum Mix

Page 14: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

If one mix is good, lots of mixes are better!If one mix is good, lots of mixes are better! B prepares M for A by selecting sequence of mixes, 1, 2, B prepares M for A by selecting sequence of mixes, 1, 2,

3, … , n. 3, … , n. Message for A is prepared for Mix 1Message for A is prepared for Mix 1 Message for Mix 1 is prepared for Mix 2Message for Mix 1 is prepared for Mix 2 … … Message for Mix n-1 is prepared for Mix nMessage for Mix n-1 is prepared for Mix n Layered message is sent to Mix nLayered message is sent to Mix n

Each mix removes its confounder, obtains address of Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in next mix (or A), and forwards when batch is sent in permuted orderpermuted order

Cascading Mixes 1Cascading Mixes 1

Page 15: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Mix in cascade that fails to forward a message can be Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed detected as before (the preceding mix gets the signed receipt)receipt)

Any mix in cascade that is not compromised can provide Any mix in cascade that is not compromised can provide unlinkabilityunlinkability

This gets us anonymous message delivery, but does not This gets us anonymous message delivery, but does not allow return messagesallow return messages

Cascading Mixes 2Cascading Mixes 2

Page 16: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

B generates a public key KB generates a public key Kbb for the message for the message

B seals its true address and another key K using the B seals its true address and another key K using the mix's key Kmix's key K

11: RetAddr = ({K,B}K: RetAddr = ({K,B}K11, K, K

bb) )

A encrypts reply M and confounder RA encrypts reply M and confounder R00 with message key with message key

KKbb and sends to mix along with return address: Reply = and sends to mix along with return address: Reply =

{K,B}K{K,B}K11, {R, {R

00|M}K|M}Kbb

Mix decrypts address and key, uses key K to re-encrypt Mix decrypts address and key, uses key K to re-encrypt reply: {{Rreply: {{R

00|M}K|M}Kbb}K and sends to B }K and sends to B

Return Addresses 1Return Addresses 1

Page 17: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

B must generate new return address keys for each B must generate new return address keys for each message (K and Kmessage (K and K

bb) so there are no duplicates) so there are no duplicates Mix must remove duplicates if foundMix must remove duplicates if found Symmetric cryptography may be used for both K and KSymmetric cryptography may be used for both K and K

bb

here (but not for mix key!) here (but not for mix key!) – How?How?

Cascade can return messages by building the return Cascade can return messages by building the return address in reverse order, then peeling off layers as the address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return reply is forwarded (and encrypted) along the return pathpath

Return Addresses 2Return Addresses 2

Page 18: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

For cascaded mixes, must build return address for the For cascaded mixes, must build return address for the whole pathwhole path

Receiver uses built-up return address and return key to Receiver uses built-up return address and return key to send replysend reply

Each mix on return path unwraps its portion of return Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address address, re-encrypts, and forwards to next address

Sender had all the keys (it built the return address) so it Sender had all the keys (it built the return address) so it can decrypt replycan decrypt reply

Return Addresses 3Return Addresses 3

Page 19: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Mix must make input messages unlinkable with output Mix must make input messages unlinkable with output messagesmessages

– Messages must all be same lengthMessages must all be same length– Messages must all be encrypted so as to appear Messages must all be encrypted so as to appear

randomrandom– Can't hide source/destination addresses along a Can't hide source/destination addresses along a

single hop in path, but must hide sender and receiver, single hop in path, but must hide sender and receiver, as well as distance along pathas well as distance along path

– Mix must randomize order of outputMix must randomize order of output Mix may have any number of triggersMix may have any number of triggers

Mix GenericsMix Generics

Page 20: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

Timed mixTimed mix– Mix gathers messages for period T, then sendsMix gathers messages for period T, then sends

Threshold mixThreshold mix– Mix gathers N messages, then sendsMix gathers N messages, then sends

Hybrid mixHybrid mix– Mix sends when N messages or period T reachedMix sends when N messages or period T reached

Pool mixPool mix– Mix keeps pool of messages of size P, when pool Mix keeps pool of messages of size P, when pool

reaches size N+P, N randomly chosen messages are reaches size N+P, N randomly chosen messages are sentsent

Continuous mixContinuous mix– Mix attaches random delay D from some distribution Mix attaches random delay D from some distribution

to each msg M, sends M when delay is reachedto each msg M, sends M when delay is reached

Mix TriggersMix Triggers

Page 21: R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats

In addition to padding messages to some constant In addition to padding messages to some constant length (and segmenting longer messages), mix may length (and segmenting longer messages), mix may introduce dummy messages into trafficintroduce dummy messages into traffic

Dummy messages especially useful in timed mixes (may Dummy messages especially useful in timed mixes (may not have many messages to send)not have many messages to send)

Strong resistance from network guysStrong resistance from network guys Research question: how much does this form of padding Research question: how much does this form of padding

help, and what is the relationship between increase in help, and what is the relationship between increase in anonymity and cost of padding?anonymity and cost of padding?

Mix PaddingMix Padding