Anonymity and Privacy

Transcription

1 Computer Security Spring 2008 Anonymity and Privacy Aggelos Kiayias University of Connecticut

2 Anonymity in networks Anonymous Credentials Anonymous Payments Anonymous and Routing E-voting Group, Traceable and Ring Signatures

3 Blind Signatures Chaum 82 signing key Signer signing protocol User message pk unlinkable signature that can be verified against m, pk

4 Anonymous Credentials Blind signature Authority get (blinded) credential + id User sign(cred) Show credential receive service Verify credential is used for the first time Gateway Check credential structure + signature

5 Applications Anonymous credentials: each credential can be used once and it is unlinkable to the act of showing the id. Can be used to disassociate the id from receiving the service.

6 Electronic Cash Withdraw $5 Blind signature Bank show (blinded) Bank,nonce + id User sign$5-bank(bank,nonce) Show E-Coin receive goods Verify coin was not spent Shop Check coin structure + signature

7 Anonymous Communication User Proxy User Web-site Web-site Trusted party anonymity

8 Dining Cryptographers anonymous communication without trusted party The waiter announces that the bill is payed! Did one of the cryptographers pay? or did the NSA pick up the bill? If a cryptographer payed he wishes to remain anonymous.

9 Dining Cryptographers Consider a dinner for three: Each cryptographer flips a coin Shows the coin to the person on the left If coins are same and he is not paying he announces Same... similarly for Different ) If coins are same and he is paying he flips his answer

10 Analysis If the number of Same is even then a cryptographer is paying. If the number of Same is odd then NSA is paying! A non-payer cannot distinguish which one of the other two is paying.

11 Indistinguishability of Payer A B is paying A is paying B H T H H Diff Same Diff Same H Same H Same C curious C curious

12 DC-Net Setting generalizes to arbitrary number of parties. It allows one party (the announcing party) to anonymously send one bit of information to everybody that is present. Parties keep on repeating the protocol constantly. Whenever one party wants to transmit the message it transmits it in binary. Once a party starts to speak no other party starts speaking till a given fixed termination bitstring is sent. if two parties start together they stop and wait a random number of rounds.

13 Anonymity and the Internet Whistle-blowing. Fear of censorship or prosecution. Communication regarding sensitive personal issues.

14 Cypherpunk R er From: Aggelos Kiayias To: :: Anon-To: r er ## Subject: This is the subject... From: Anonymous To: Subject: This is the subject... list of active r ers + statistics:

15 Cypherpunk Encrypted From: Aggelos Kiayias To: :: Encrypted: PGP r er Begin PGP Message Version End PGP Message From: To: Subject: This is the subject...

16 R er Chains From: Aggelos Kiayias To: :: Anon-To: :: Anon-To: ## Subject: This is the subject... r er r er r er

17 Q Mix Network David Chaum, Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, CACM 81 P msg1 D msg2 A B C msg2 msg1 Not possible to relate whether P send msg1 or msg2 and similarly for Q (as long as there is one honest mix)

18 Using Encryption fixed block size Encrypted with Public-key of A Send to B; sym_key1 Encrypted with sym_key1 Encrypted with sym_key2 fixed block size Encrypted with sym_key1 Encrypted with Public-key of B Send to C; sym_key2 Encrypted with sym_key1 Encrypted with sym_key3 destination/ info payload fixed block size fixed block size Encrypted with sym_key2 Encrypted with Public-key of C Stop; sym_key3

19 Following the route sender A B junk C junk destination junk

20 Mixmaster A mixnet implementation for r ing. Message may be split into packets and each packet is routed differently (but with the same final routing destination who should assemble). Each mix node relays messages in batches after randomly permuting them [consistent with the standard notion of mixnets]. Payload can be either , or usenet posting or dummy message (why a dummy?).

21 Limitations Lack of bidirectional communication: especially problematic if you want to use anonymity with bidirectional protocols. Possibility of replay attacks: can be handled by keeping a log of sent messages and compare. Abuse, flooding, etc.

22 Onion Routing Hiding routing information, by D. M. Goldschlag, M.G.Reed, P.F. Syverson, Information Hiding Workshop 1996 An onion directed to a node A is comprised of the following: expiration_time next_hop Forward(.) Backward(.) Key_material PAYLOAD Encrypted with PK of A can be another onion

23 Onion Layers expiration_time next_hop = B Forward(.) Backward(.) Key_material expiration_time next_hop = D Forward(.) Backward(.) Key_material expiration_time next_hop = null null null null Encrypted with PK of D Encrypted with PK of B Encrypted with PK of A payload

24 S Onion Peeling expiration_time next_hop Forward(.) Backward(.) Key_material PAYLOAD Encrypted with PK of A Create Mode B A 1. Decrypt layer 2. check expiration time 3. Initialize Forward(.) crypto engine using Key_material 4. Initialize Backward(.) crypto engine using Key_material 5. Pad PAYLOAD to maintain fixed size. 6. Forward PAYLOAD to next_hop node.

25 S [.,5123] Circuit Creation ACI = Anonymous Connection Identifier choose an ACI = 5123 forward movement create - mode [8612, 2523] B A choose an ACI = 8612 forward movement create - mode choose an ACI = 2523 forward movement create - mode [5123, 8612] Once the create mode is done there exists a bidirectional link D [2523, outside connection ]

26 S [.,5123] Forwarding DATA [8612, 2523] defined in first onion B Forward1(.) defined in second onion Forward2(.) A the cirtcuit delivers: [5123, 8612] Forward2(Forward1( DATA) ) thus we may define: DATA = Forward1-1 (Forward2-1 (MESSAGE) ) D [2523, outside connection ]

27 S [.,5123] Responding defined in first onion [8612, 2523] Backward1(.) defined in second onion B Backward2(.) DATA A the circuit delivers: [5123, 8612] Backward2(Backward1( DATA) ) thus S recovers the data: DATA = Backward1-1 (Backward2-1 (MESSAGE) ) D [2523, outside connection ]

28 Implementing Onion Routing Tor Each host runs an onion proxy locally. TCP/IP traffic can be directed through virtual circuits created by onions.

29 Problems with Tor

30 Hidden Identity Based Signatures Kiayias - Zhou (2007) Hidden ID-based signatures: a digital signature where the corresponding public-key is your name & is (provably) hidden into the signature. The hiding can be inverted by the OA. name the OA can open this signing key Identity Manager pkim signature that provably contains name and can be verified against pkim

31 a glimpse

32 Applying HiddenIBS to TOR How to calibrate anonymity of Tor using Hidden-IBS Add three entities in Tor: Identity manager (IM) A Disputes & Grievances (D&G) database An opening authority (OA)

33 Goals Minimal anonymity loss if misbehavior does not occur. Minimal efficiency impact for services that do not require anonymity control. Transparency to service providers. the service providers accepting Tor traffic should not have to assist the system [except providing the necessary forensic information]

34 HiddenIBS + Tor Modify Tor Exit policy: certain type of packets must be HiddenIBS ed [e.g., http POST requests] Modify user s onion proxy : it catches such packets and signs them using user s HiddenIBS signing credential. If user does not have a credential, the onion proxy directs user to IM to get one. Modify exit point: beyond forwarding the packet it registers it to the D&G database (only the hash + signature need to be registered).

35 Overview

36 realization issues What is a user s identity and how does the Identity Manager verifies it? IP address, address, id in a reputation system, etc. How to deal with misbehaving users? black-listing. revocation of credentials, time-based or reactive.

37 anonymity scalability Disputes & Grievances database contains: hashes of packets + HiddenIBS signatures. we include nonces in the packets to increase entropy. The D&G size is manageable: using a SHA-256 hash + our bilinear map based scheme with a 10GB we can store ~ 27.3 million entries.

38 properties Minimal anonymity loss : D&G database leaks no information about Tor usage, if no misbehavior occurs. Minimal efficiency impact for services that do not require anonymity control: only a few types of packets need to be signed. Transparency to service providers: a simple packet log is enough to make an abuse report resulting in blacklisting a user.

39 other applications Approach is fairly general. application to other anonymous access systems is possible. other web-sites than wikipedia need similar abuse protection; e.g. slashdot. More services: e.g., SMTP traffic is blocked. Using HiddenIBS it can be opened.

40 Blind Signatures message User signed message blinded message scrambled signature Signer we have seen already its application to e-cash and anonymous tokens. Another anonymity/privacy application : e-voting

41 E-Voting using Blind Signatures choice voter PC blinded choice, proof of identity scrambled signature Election official signed choice Anonymous Channel Results Vote tabulation

42 Group Signatures D. Chaum, E. van Heyst, 1991 PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf Group Manager message PKI-member signature Opening Authority Charlie Verifier Is convinced that a PKI member signs message but not which one

43 Applications Can be used to hide the origin of a transaction. Prove that you belong in a group without showing who you are. They allow Opening Authority to reveal the identity in case of dispute.

44 Traceable Signatures PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf A. Kiayias, Y. Tsiounis M. Yung, 2004 Group Manager PKI-member PKI-member PKI-member Opening Authority signature signature signature Tracing Authority Verifier Charlie Is convinced that a PKI member signs message but not which one Verifier Verifier Charlie s

45 Applications As in group signatures but now it is possible to: The tracing authority to find all signatures of a wanted user A user to claim his signatures.

46 Ring Signatures PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf message PKI-member signature Verifier Is convinced that either Eric, Frank or Bob signs the message but it is unclear which one whistle-blowing etc.

47 Privacy for Trusted Computing Your hardware proves its identity but only using an identification schema based on the previous signatures. Your anonymity can be preserved and still prove you are among the good guys opening functionality can be disabled. Direct Anonymous Attestation