Privacy and Anonymity in the Internet

Transcription

1 Privacy and Anonymity in the Internet Part 3: Personal Data Protection and Cryptographic Anonymity Techniques Aspects: Infrastructures and cryptographic techniques Unobservability - content anonymization, address anonymization ules for a responsible usage of the internet BaSoTI 2014, Privacy and Anonymity in the Internet 1

2 Objectives Privacy: Do not let others look into your data - encrypt critical data Data protection: Forbid theft of data Forbid alterations / modifications of personal data Avoid usage of modified documents/modified software 2

3 Objectives Anonymity: Hide your relations in communication this often requires to encrypt the message content Forbid the observation of your physical location Protect own privacy do not allow unwanted collection of data: surveillance, traffic analysis Effects in case of dishonest parties: discrimination, physical safety attacks, criminal prosecution, censorship, social sorting Anonymity techniques are built upon crytographic techniques but require more than bare cryptography 3

4 Aspects of Security Access Control: control the access to a system in general, access to system functions, access to data (e. g. by a firewall) Confidentiality/Privacy: prohibits unauthorized access by third parties to data, access to identity attributes (done by encryption) Authenticy: Proof of the identity of the author / originator and authenticity of data (e.g. by a digital signature) Integrity: Provability that data is orignal, got not altered Provability/Verifyability: Proof of authenticity and integrity by a authorized third party Copyright: Protection of intelectual / Cultural properties, Copyrightmarks, Identification of illegal copies 4

5 Attackers capabilities within an anonymity infrastructure An attacker may gain control over a limited number of links and/or nodes capabilities - compare to data flow deviations (see Security Lecture): Interruption: destroy or corrupt messages Interception/Observation: access message content, determine sender and receiver of messages, find out correllations Modification: modify messages, change message destinations Fabrication: inject new messages into the system, take part in the anonymity service offered by the infrastructure 5

6 Cryptographic Techniques (1/3) Encryption function E Decryption function D Key... K E K (P) S = E K1 (P) P = D K2 (S) P... original message S... encrypted Text symmetric cryptographic schems (Private Key): K1=K2 asymmetric cryptographic schemes (public key): K1 public key, specific to a receiver (decoding entity) K2 private (secret) key, specific to a receiver (decoding entity) 6

7 Cryptographic Techniques (2/3) Symmetric codes: Encryption is done by an arithmetic transformation of the data using a secret key. Decryption is the reverse transformation using the same secret key. Variants: One Time Pad: A single but very long key, sender and receiver combine data bitwise-xo with the secret key Pseudo One Time Pad: A short secret key is used to generate a n infinite long key, e.g. the key as a parameter for a pseudo random number generator that generate the long key, combination using bitwise XO operation Data as key generator: A first block is encrypted using the key (similarly to one time pad), the next key for the next block is generated out of the previous original data, and so on. 7

8 Cryptographic Techniques (3/3) asymmetric codes: Pair of a public key and a private key, computationally hardness to guess private key from public key Variants by different algorithms: SA (ivest et al. 1978) based on difficulty of factorization of big numbers DSA (Elgamal, 1984) Digital Signature Algorithm (Standard) based on the Calculation of discrete logarithms Elliptical Curve-Algorithms (Miller, Koblitz, ca. 1985) 8

9 Signatures for Authentication (1/3) Digital signatures are used as replacement of written genuine signatures, typically related to an original document (message) that s content is signed Digital signatures are transfered as postfix of a message A signed message is transferred as follows: message + signature(sender-id, message, random number) private key: public key: secret of the signing entity used as parameter for the signature function public for all to check the validity of the signature Compared to en/decryption: reverse roles of keys 9

10 Signatures for Authentication (2/3) Sign function: signature = E K-privat ( hash(message) + random_number) Check function : hash(message) + rest = D K-public, sender (signature) In case of equality (=) the signature is valid, otherwise: signature invalid, e.g. signature tampered when forwarded wrong message, e.g. tampered during transfer message or signature not sent by the claimed sender 10

11 Signatures for Authentication (3/3) A simple signature scheme that is not cryptographically strong However, it represents the general idea. Choose a prime number M Chose Parameters a,b,c in the way that a*b MOD M = c Public Key: b,c, (M) Private Key: a, (M) Difficulty: a = c/b MOD M Sign-Function: sig = a*h(msg) MOD M Check-Function: if ( sig*b MOD M = c *H(msg) MOD M) { valid=true;} else {valid=false; } 11

12 Privacy and Unobersvability (1/2) Situation: Client Server Need for privacy: Observation in the network Observation by service provider hide the message content of request and response mesages ban observation of who communicates with whom (hide sender/receiver correllation) 12

13 Privacy and Unobersvability (2/2) Third-Party Analysis Tools, such as Google Analytics Client Server JavaScript + parameters Observation of client server relations Analytics Server 13

14 Anonymity techniques Strongest Assumption: The attacker/observer is able to observe the sending act and the receiving act, and is able to track a message. General anonymity approach: Hide the personal communication in a cover set of communications, cover traffic Confuse the observer, conceal the particular sender and receiver and their communication relationship Hide the receiver address, and the sender address (for a reply) either by broadcast, or by address encryption 14

15 Anonymity techniques Hide a single transmission among n transmissions The other n-1 transmissions are the cover traffic that is either generated as artifical (redundant, random) traffic or is taken from many different users that mix their transmissions The cover set should be as big as possible observation of n=6 transmissions For anonymity, it must be ensured that an attacker is not able to control the entire cover set, i.e. not able to control all the n-1 transmissions 15

16 Anonymity techniques Broadcast network and implicit addresses: Delivery of the same message to all receiver nodes that take part in the anonymity infrastructure. The message have to contain an attribute that allows the addressee to recognize the message. This attribute can be build using an asymmetric cryptographic system. message + encrypted address recipients anonymity A C Only the desired receiver is able to decrypt its address (or a magic text) 16

17 Anonymity techniques DC network: A time-slotted network allows all nodes to send within a slot. One node provides a real message content and the receiver address and XOes both with a secret key. All other nodes provide dummy messages that are generated from secret keys. The keys are formed in a way that the superposition of all messages reveals the original real message content. node A Msg Dest: Key-B: Key-C: node B Msg Dest: Key-A: Key-C: node C Msg Dest: Key-A: Key-B: Send: Send: Send: sender anonymity global-xo:

18 Anonymity techniques Private Information etrieval: Hidden request of data cells from a set of servers with replicated content. The interest on a specific data cell is protected by requests of randomly chosen additional cells. equests are sent by broadcast (! not necessarily) messages, and all servers send reply messages. A specific XO-based request encoding and reply decoding method allows to extract the desired data cell anonymously. all channels are encrypted A,B,C A,B,C wants to read C A,B,C A,B,C m=e (A XO B) comparable to recipients anonymity A,B,C A,B,C A XO (A XO B ) XO (B XO C) = C 18

19 Anonymity techniques MIX (David Chaum, 1981) Messages are sent to destination through proximity entities (MIX nodes), message content and addresses are encrypted. user X receiver (e.g. server) sender user Y Sender anonymity and recipients anonymity Another similar concept: Onion outer See next slides for details. 19

20 MIX the general principle sender A S MIX P receiver B Process A sends P to B, via MIX 1: encrypt using the public key of the MIX S=E MIX (B:P) 2: send S to MIX MIX receives S 1: MIX decrypts B:P using decryption function B:P=D MIX (S) 2: MIX sends P to B B receives P from MIX (anonymously) (1) Unobservability: An observer is not able to guess from S and P that A was the originator of message P, assumed that it does not exploit correlations in time (2) Anonymity: The receiver is not able to relate the received message P to A, it solely sees the message P coming from the Mix (anonymity) 20

21 MIX Problems and Solutions Problem a single MIX knows all communication-relations and messages correlation of incoming and outgoing messages by observation of their time and length replay attacks are still possible up to now no reply messages possible, needed for HTTP: request, response Solution cascading of several MIXes that should operate independently buffering of messages in a MIX and delayed, reordered forwarding, length-filling (padding) encryption message + randomnumber and duplicate detection manage proximity replyaddresses to follow-up MIXes, the final receiver sends synchronously a response 21

22 MIX functional view Functional view on a single MIX: S=E K-public (P,rand) dropping of duplicates Data base of previous messages decryption message buffer P,rand = D K-private (S ) Proximity reply address resolver reply-adr = index(d(e(rand)) delay and reordering P,E(rand) for simplification: destination address and addresses of follow-up Mixes are contained in P 22

23 MIX - Cascading MIX-Cascades: using a sequence of multiple MIXes, distributes knowledge under assumption that MIXes do not cooperate S M2M1 = E K-Public1 (E K-Public2 (M,rand2), rand1) sender MIX1 S M2 = E K-Public2 (M,rand2), E(rand1) MIX2 M, E(rand2) store: (address sender, rand1) receiver store: (address MIX1, rand2) 23

24 Analytics via MIX cascades server: sees the request coming from the last MIX (here this is MIX2) Client MIX1 MIX2 Server JavaScript + parameters observation of client server relations: Analytics system sees the request coming from the last MIX (here this is MIX2) Analytics Server 24

25 Onion outer Concept similar to MIXes A message is encrypted several times and routed through several routernodes that decrypt the message stepwise. Difference: not a fixed sequence of MIXes a network of routers, a client selects a route from several routes and is capable to change that route for any later communication phase huge number of onion routers traffic is distributed and does not concentrate on a few MIXes circuit-concept a route that is stable for a specific time no message padding (no length unification), instead circuits can be used by several IP streams that are interleaved end-to-end integrity checking for a circuit TO-Project: 25

26 Onion outer encrypted link TO router Illustration of TO s operation unencrypted link D TO directory C TO client/proxy D 1 C The users client loads a list of TO nodes from a directory server 26

27 Onion outer encrypted link TO router Illustration of TO s operation unencrypted link D TO directory C TO client/proxy D 2 C The users client picks a random route to the destination server 27

28 Onion outer encrypted link TO router Illustration of TO s operation unencrypted link D TO directory C TO client/proxy D 3 C The users selects another random path, when another destination server is accessed (path changes regularly) 28

29 ules for responsible usage of the Internet Problem / Questions: When is it preferable to allow access to the personal usage behaviour and to open identy attributes? When it is better to stay anonymous? Can that decision be controlled for Internet usage? 29

30 ules for responsible usage of the Internet Use the Web as productive platform provide valuable content in the Internet. identfy yourself and your contact address as author of articles, blogs etc. BUT: don t publish critical private information in the web (e.g. twitter, facebook) Be aware keep in mind that observations and analytics are always possible Analytics are mostly pseudonymized as long you don t identfy yourself, possibly personalized when identification data can be used in addition to analytics keep in mind that your physical position can be tracked in most mobile services read the terms of usage when you register to a service 30

31 ules for responsible usage of the Internet Example: Schufa (a german Credit scoring service) tries to exploit facebook data to adjust a persons credit score can be dangerous, for example if you have friends with a bad payment manner potentially a social ranking will be taken 31

32 ules for responsible usage of the Internet Support of privacy and anonymity: take part in anonymity infrastuctures use them for your free communications don t use them for illegal actions (unallowed downloads, copyright violations, spamming, cyber criminal activities) most infrastructures allow tracking for law enforcement 32

33 ules for responsible usage of the Internet For website publishers / web application programmers: Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the home page by looking for the word "privacy." Privacy policies should state clearly how and when personal information is collected. Web sites should make it possible for individuals to get access to their own data. Cookies transactions should be more transparent. Web sites should continue to support anonymous access for Internet users. Protecting privacy will be one the greatest challenges for the Internet. From Sufers Aware : EPIC. (1997). Surfer Beware I: Personal Privacy and the Internet. 33