Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006

Upload: victor-davidson

Post on 29-Dec-2015


Page 1: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms

David Chaum
CACM Vol. 24 No. 2
February 1981

Presented by: Adam Lee 1/24/2006


Page 2: Motivation

Many uses for anonymous communication channels
  Elections
  Anonymous crime tips
  Whistle-blowing
  Etc.

Standard mail offers some guarantees of anonymity; why not email too?


Page 3: Contributions

Cryptographic protocols to support an anonymous email system
  Keep sender anonymous w.r.t. both the receiver and other parties in the network
  Allow receiver to reply to sender without revealing sender’s identity

Protocol can also be used to form anonymous and verifiable rosters
  E.g., for an electronic election


Page 4: Historical Perspective, 1979

Cryptography had been around for millennia
  Usually required the use of shared secrets

Paradigm shift: late 1970s
  Diffie & Hellman, “New Directions in Cryptography” (1976)
  RSA cryptosystem (1977)

Rapid advancements allow for the sharing of keys (secrets) between strangers


Page 5: Notation

Keys in public-key cryptosystem
  Public key: K
  Private key: K^-1

Encryption of x with K denoted by K(x)

Keys are inverses
  i.e., K^-1(K(x)) = K(K^-1(x)) = x


Page 6: Operations

To prevent certain attacks, Chaum advocates random padding before encryption
  i.e., use K(R, x), where R is a random string, rather than K(x) to encrypt x

When signing, first pad with some known constant
  i.e., K^-1(C, y), where C is a known constant


Page 7: Chaum’s Assumptions

Can’t break the cryptosystem

Anyone can observe all links in the system
  The so-called “global passive adversary”

Anyone can inject, replay, remove, or modify messages
  Dolev-Yao active attacker model (which they didn’t publish about until 1983)


Page 8: Sending Anonymous Mail

Rather than sending mail directly to the recipient, send mail to a mix

Principle: Try to reduce correspondence between input- and output-sets
  Fool global passive adversaries

What about keeping the message private?


Page 9: The Crypto!

Players (and their public keys)
  Mixes (Kn)
  Recipient, A (Ka)

One mix protocol
  Sender -> Mix: K1(R1, Ka(R0, M), A)
  Mix -> A: Ka(R0, M)

Use of public key crypto hides message from mix and nosy parties on the Internet


Page 10: Cascade Mix Example

Protocol
  Sender -> Mix n: Kn(Rn, K_{n-1}(R_{n-1}, …, K1(R1, Ka(R0, M), A), …, A_{n-2}), A_{n-1})
  Mix n -> Mix n-1: K_{n-1}(R_{n-1}, …, K1(R1, Ka(R0, M), A), …, A_{n-2})
  …
  Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A)
  Mix 1 -> A: Ka(R0, M)

As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!


Page 11: Observations

At each step in the cascade, the current mix
  Peels off one layer of encryption
  Discovers a forwarding address
  Passes message along

So, each mix only knows where a message came from and where it’s going

Note similarities between onion routing, Crowds, etc…


Page 12: Return to Sender

This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses?

Embed an untraceable return address!
  Format: K1(R1, AX), KX
  AX is X’s return address, KX is a temporary public key for X


Page 13: Example

Protocol:
  X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
  Mix -> Y: KY(R0, M1), K1(R1, AX), KX
  Y -> Mix: K1(R1, AX), KX(R2, M2)
  Mix -> X: R1(KX(R2, M2))

Note 1: R1 used to alter forwarded message to prevent I/O correspondence

Note 2: Return addresses can be cascaded just like messages.

Note 3: Responses clearly different from initial messages


Page 14: Possible Attack (not in paper)

Note that K1(R1, AX) and KX aren’t bound

A malicious mix can read reply messages by carrying out a man-in-the-middle attack
  With email, lots of times, replies contain the original message!


Page 15: Attack Example

X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX

Mix -> Y: KY(R0, M1), K1(R1, AX), KX’
  Note substituted ephemeral public key KX’

Y -> Mix: K1(R1, AX), KX’(R2, M2)
  Mix can unpack this message, read M2, and reencrypt using KX

Mix -> X: R1(KX(R2, M2))


Page 16: A Simple Solution

To prevent the previously mentioned attack, we need only change the first message of the protocol
  X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX

This allows Y to verify that the mix didn’t change KX, since the mix can’t alter anything encrypted with KY
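
Y's check from this slide, as an added example that is not part of the original presentation or of Chaum's paper. Assumptions: the toy `seal`/`unseal` box stands in for K(R, x), addresses are one byte, all function names are hypothetical, and only the forward leg (X -> Mix -> Y) is modelled.

```python
import hashlib, hmac, secrets

# Toy public-key box standing in for Chaum's K(R, x): the fresh ephemeral
# exponent plays the role of the random string R. Illustration only; this
# construction is an assumption of the example and is not secure.
P, G, N = 2**521 - 1, 3, 66   # N = bytes per group element

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P).to_bytes(N, "big")

def _stream(shared, data):
    ks = hashlib.shake_256(shared.to_bytes(N, "big")).digest(len(data) + 32)
    return bytes(a ^ b for a, b in zip(data, ks)), ks[-32:]  # (xored, MAC key)

def seal(pk, msg):
    e = secrets.randbelow(P - 2) + 1
    ct, mac_key = _stream(pow(int.from_bytes(pk, "big"), e, P), msg)
    return pow(G, e, P).to_bytes(N, "big") + hmac.new(mac_key, ct, "sha256").digest() + ct

def unseal(sk, box):
    eph, tag, ct = box[:N], box[N:N + 32], box[N + 32:]
    msg, mac_key = _stream(pow(int.from_bytes(eph, "big"), sk, P), ct)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise ValueError("sealed box was modified")
    return msg

def x_send(k1, ky, kx, m1):
    # X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX
    return seal(k1, b"Y" + seal(ky, kx + m1)), seal(k1, b"X"), kx

def mix_forward(sk1, packet, substitute=None):
    # Mix -> Y: KY(R0, KX, M1), K1(R1, AX), KX
    # `substitute` models a mix that swaps the cleartext reply key (KX').
    outer, return_addr, kx = packet
    inner = unseal(sk1, outer)[1:]          # strip the one-byte address AY
    return inner, return_addr, substitute or kx

def y_receive(sky, delivered):
    # Y accepts the reply key only if it equals the copy sealed under KY.
    inner, _return_addr, kx_outside = delivered
    plain = unseal(sky, inner)
    return plain[N:], plain[:N] == kx_outside   # (M1, reply key matches?)

def demo():
    (sk1, k1), (sky, ky), (_, kx), (_, kx_other) = (keygen() for _ in range(4))
    packet = x_send(k1, ky, kx, b"meet at noon")
    return (y_receive(sky, mix_forward(sk1, packet)),
            y_receive(sky, mix_forward(sk1, packet, substitute=kx_other)))
```

`demo()` returns the honest delivery with the key check passing and the substituted-key delivery with it failing. The check relies on the KY layer being tamper-evident, which is why the toy box carries a MAC.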


Page 17: Anonymous Elections

Form a roster of pseudonyms by sending anonymous emails through a mix-net

Output list in a public location

Only entities on the list can take actions in the system


Page 18: Recommendations for an Untraceable Mail System

To hide number of messages sent, each participant sends same number of messages per interval (some are dummies)
  Cover traffic!

To hide number of messages received, must check all messages, not just known good messages

Messages should all be same size
  Prevent I/O correlation


Page 19: Implementing an Advanced Mix

A mix with all of the following properties can be implemented using the techniques presented in this paper

Overview
  Break message into fixed size blocks
  Each mix “pops” the first block, adds a block of junk to the end
  Decrypt removed block to yield a key R which is used to encrypt each block in the new message


Page 20: Discussion Questions

Why wasn’t Chaum’s mix network ever implemented?

How should we characterize advancements in anonymous email over the years?
  Technological?
  Responses to better understanding of threats?


Page 21: Discussion Questions (cont.)

This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?

What do people think of the notion of certified mail and receipts?
