From Spam to Hash Chains in three easy steps! p.1/29

Transcription

1 From Spam to Hash Chains in three easy steps! William D. Neumann Sandia National Labs Albuquerque, NM From Spam to Hash Chains in three easy steps! p.1/29

2 The History of Spam From 1937 up until about 1996 mankind only had to worry about one kind of Spam clogging their systems. From Spam to Hash Chains in three easy steps! p.2/29

3 The History of Spam From 1937 up until about 1996 mankind only had to worry about one kind of Spam clogging their systems. From Spam to Hash Chains in three easy steps! p.2/29

4 Fortunately, this kind of Spam was easily From Spam to Hash Chains in three easy steps! p.2/29 avoided. The History of Spam From 1937 up until about 1996 mankind only had to worry about one kind of Spam clogging their systems.

5 The History of Spam (part II) With the onset of the Internet age sometime in the mid 90 s, however, a much more insidious form of Spam was unleashed upon the world. From Spam to Hash Chains in three easy steps! p.3/29

6 The History of Spam (part II) With the onset of the Internet age sometime in the mid 90 s, however, a much more insidious form of Spam was unleashed upon the world. Unsolicited junk . From Spam to Hash Chains in three easy steps! p.3/29

7 Spam: Minor annoyance or Major Prob We all know spam is an annoyance to us, but is it really that big of a problem? In 1999, the average consumer received 40 pieces of spam per year. By 2005, the total is likely to soar to From Spam to Hash Chains in three easy steps! p.4/29

8 Spam: Minor annoyance or Major Prob We all know spam is an annoyance to us, but is it really that big of a problem? In 1999, the average consumer received 40 pieces of spam per year. By 2005, the total is likely to soar to I average well over 50 Spams per day. From Spam to Hash Chains in three easy steps! p.4/29

9 Spam: Minor annoyance or Major Prob We all know spam is an annoyance to us, but is it really that big of a problem? In 1999, the average consumer received 40 pieces of spam per year. By 2005, the total is likely to soar to I average well over 50 Spams per day. MyRealBox.com estimates that 25% of the mail in it s system s 200,000 mailboxes is Spam. AOL estimates 30% (approx. 24 million messages per day). From Spam to Hash Chains in three easy steps! p.4/29

10 Spam: Minor annoyance or Major Prob 36% of users would switch ISPs in order to reduce the flow of spam they received. From Spam to Hash Chains in three easy steps! p.5/29

11 Spam: Minor annoyance or Major Prob 36% of users would switch ISPs in order to reduce the flow of spam they received. Nearly $2 of each customer s monthly bill can be attributed to electronic junk mail and other forms of spam. From Spam to Hash Chains in three easy steps! p.5/29

12 Spam: Minor annoyance or Major Prob 36% of users would switch ISPs in order to reduce the flow of spam they received. Nearly $2 of each customer s monthly bill can be attributed to electronic junk mail and other forms of spam. Spending on commercial will balloon to $7.3 billion in 2005 from $164 million in From Spam to Hash Chains in three easy steps! p.5/29

13 Expect things to get even worse Cost of sending bulk postal mail: $0.10 per letter From Spam to Hash Chains in three easy steps! p.6/29

14 Expect things to get even worse Cost of sending bulk postal mail: $0.10 per letter Cost of sending bulk $ From Spam to Hash Chains in three easy steps! p.6/29

15 Expect things to get even worse Cost of sending bulk postal mail: $0.10 per letter Cost of sending bulk $ According to the Direct Marketing Association, $36 Billion was spent last year on direct postal marketing. From Spam to Hash Chains in three easy steps! p.6/29

16 Expect things to get even worse Cost of sending bulk postal mail: $0.10 per letter Cost of sending bulk $ According to the Direct Marketing Association, $36 Billion was spent last year on direct postal marketing. If used for , this would buy 13,000 messages per day for every man woman and child in the US! From Spam to Hash Chains in three easy steps! p.6/29

17 So what can be done? legislation From Spam to Hash Chains in three easy steps! p.7/29

18 So what can be done? legislation filtering and sorting From Spam to Hash Chains in three easy steps! p.7/29

19 So what can be done? legislation filtering and sorting cryptographic methods From Spam to Hash Chains in three easy steps! p.7/29

20 So what can be done? legislation filtering and sorting cryptographic methods e-commerce From Spam to Hash Chains in three easy steps! p.7/29

21 So what can be done? Of course, we can always resort to threats and blackmail... From Spam to Hash Chains in three easy steps! p.8/29

22 Legislation There are (as always) problems with legislative regulations: Who will define Spam? Free speech issues International Spammers What should the penalties be? From Spam to Hash Chains in three easy steps! p.9/29

23 Filtering and Sorting Filtering can be done at various layers: From Spam to Hash Chains in three easy steps! p.10/29

24 Filtering and Sorting Filtering can be done at various layers: At the client s location: procmail can filter messages as they are downloaded Some clients can filter messages as they are read by the program. From Spam to Hash Chains in three easy steps! p.10/29

25 Filtering and Sorting Filtering can be done at various layers: At the client s or spammer s ISP: The ISP can filter out spam before it is routed to it s subscribers. From Spam to Hash Chains in three easy steps! p.10/29

26 Filtering and Sorting Filtering can be done at various layers: At the client s or spammer s ISP: The ISP can filter out spam before it is routed to it s subscribers. This cuts down on the amount of wasted storage and bandwidth for the ISP. From Spam to Hash Chains in three easy steps! p.10/29

27 Filtering and Sorting Filtering can be done at various layers: At the client s or spammer s ISP: The ISP can filter out spam before it is routed to it s subscribers. This cuts down on the amount of wasted storage and bandwidth for the ISP. It unfortunately can lead to legal problems. From Spam to Hash Chains in three easy steps! p.10/29

28 Filtering and Sorting Filtering can be done at various layers: Somewhere in between Companies like SpamHaus and SpamCop will act as an intermediary, filtering Spam out of your mailstream...for a price. From Spam to Hash Chains in three easy steps! p.10/29

29 Filtering and Sorting Most filters look for hard-coded patterns as a means of blocking Spam. From Spam to Hash Chains in three easy steps! p.11/29

30 Filtering and Sorting Most filters look for hard-coded patterns as a means of blocking Spam. Known IP addresses From Spam to Hash Chains in three easy steps! p.11/29

31 Filtering and Sorting Most filters look for hard-coded patterns as a means of blocking Spam. Known IP addresses Header anomalies: Odd subject lines Special header fields Suspect To: fields From Spam to Hash Chains in three easy steps! p.11/29

32 Filtering and Sorting Most filters look for hard-coded patterns as a means of blocking Spam. Known IP addresses Header anomalies Common phrases: FREE For only $xx.xx Live, Nude, Girls! From Spam to Hash Chains in three easy steps! p.11/29

33 Filtering and Sorting Most filters look for hard-coded patterns as a means of blocking Spam. Known IP addresses Header anomalies Common phrases Unfortunately, Spammers are very active adversaries, constantly changing the content of their messages to avoid common filter traps. From Spam to Hash Chains in three easy steps! p.11/29

34 Filtering and Sorting Microsoft (among others) are working on developing intelligent filters that will do more than simple pattern matching. From Spam to Hash Chains in three easy steps! p.12/29

35 Filtering and Sorting Microsoft (among others) are working on developing intelligent filters that will do more than simple pattern matching. These filters will analyze the content of the message to thwart adaptive attacks. From Spam to Hash Chains in three easy steps! p.12/29

36 Filtering and Sorting Microsoft (among others) are working on developing intelligent filters that will do more than simple pattern matching. These filters will analyze the content of the message to thwart adaptive attacks. These filters will be easily updatable as Spam tactics change. From Spam to Hash Chains in three easy steps! p.12/29

37 Filtering and Sorting Microsoft (among others) are working on developing intelligent filters that will do more than simple pattern matching. These filters will analyze the content of the message to thwart adaptive attacks. These filters will be easily updatable as Spam tactics change. These filters will likely have the same problems as our current filters. From Spam to Hash Chains in three easy steps! p.12/29

38 A Cryptographic Approach Back in 1992 (before the spam problem had even grown to an appreciable level), Dwork and Naor devised a spam prevention technique they called Pricing via Processing. The basic idea is that for Bob to send Alice , he must first compute some pricing function, and include a proof of this computation in the . Upon receiving the , Alice will verify that the proof exists and is valid. This should take an insignificant amount of time (approx. From Spam to Hash Chains in three easy steps! p.13/29 seconds). If it fails either of these checks, the

39 The Economics of Cryptography Without requiring these computations, a Spammer can easily send 3,000,000 messages per day with one computer. His cost: No delay: $10,000 startup + $3,000 operating From Spam to Hash Chains in three easy steps! p.14/29

40 The Economics of Cryptography If we inject a 1 second delay per message per processor, the Spammer now needs 35 processors to maintain 3,000,000 messages per day. His cost: No delay: $10,000 startup + $3,000 operating 1 sec delay: $71,000 startup + $4,000 operating From Spam to Hash Chains in three easy steps! p.14/29

41 The Economics of Cryptography Similarly with a 10 second delay per message per processor, the Spammer now needs 350 processors to maintain 3,000,000 messages per day. His cost: No delay: $10,000 startup + $3,000 operating 1 sec delay: $71,000 startup + $4,000 operating 10 sec delay: $650,000 startup + $7,500 operating From Spam to Hash Chains in three easy steps! p.14/29

42 A Cryptographic Approach So what should a pricing function entail? From Spam to Hash Chains in three easy steps! p.15/29

43 A Cryptographic Approach So what should a pricing function ( entail? should be moderately hard to compute to compute). should not be amortizable, i.e. given values, the cost of computing is comparable to computing for any. Given if and. it should be easy to determine From Spam to Hash Chains in three easy steps! p.15/29

44 Pricing Functions A simple example of a pricing is the extraction of square roots modulo a prime : Alice chooses a prime of reasonable length (approx 1024 bits). Sam can obtain via some handshake protocol, or it could be registered. Sam computes then computes. He then attaches to the message and sends it to Alice. Alice can verify if with one multiplication, while Sam needs about From Spam to Hash Chains in three easy steps! p.16/29

45 Pricing Functions A better pricing function is based on the Fiat-Shamir signature scheme: Public Key: Private Key:, and compute. Compute. Signature: Choose random and, and Verification: Compute. verify that From Spam to Hash Chains in three easy steps! p.17/29

46 Pricing Functions A better pricing function is based on the Fiat-Shamir signature scheme: To send a message, we require the sender to forge a Fiat-Shamir signature on the message and header like this: Guess:. Compute: Repeat: Choose Until:... Compute. From Spam to Hash Chains in three easy steps! p.17/29

47 Pricing Functions A better pricing function is based on the Fiat-Shamir signature scheme: If we keep small enough (around 10), the sender will be able to do this in a moderate amount of time. This method is also flexible, because we can double the time required to forge a signature by simply incrementing From Spam to Hash Chains in three easy steps! p.17/29

48 Pricing Functions A better pricing function is based on the Fiat-Shamir signature scheme: If we keep small enough (around 10), the sender will be able to do this in a moderate amount of time. This method is also flexible, because we can double the time required to forge a signature by simply incrementing What s more, we can give our private key to our friends who can now send messages after performing only multiplications and From Spam to Hash Chains in three easy steps! p.17/29

49 Problems with Pricing Functions Of course, There are some problems with these pricing functions: From Spam to Hash Chains in three easy steps! p.18/29

50 Problems with Pricing Functions Of course, There are some problems with these pricing functions: Moore s law is working against us: It seems that processor speeds are increasing every time you blink. This means that today s moderate problem is tomorrow s negligible problem. We also have a wider processor speed spectrum than ever... How can an 8 Mhz Palm Pilot do the same work as a Dual 2.2GHz AMD Hammer? From Spam to Hash Chains in three easy steps! p.18/29 Fortunately, memory speeds are pretty

51 Problems with Pricing Functions Of course, There are some problems with these pricing functions: Moore s law is working against us It s not very convenient: Do you really want to spend 10 seconds of your processor s time just to send an ? You will need to upgrade at least your software. We will need some kind of infrastructure for distributing the pricing functions. From Spam to Hash Chains in three easy steps! p.18/29

52 Problems with Pricing Functions Of course, There are some problems with these pricing functions: Moore s law is working against us It s not very convenient What about Mailing lists? Companies like yahoogroups.com send out millions of legitimite messages a day. Workarounds for mailing lists might open holes for Spammers to exploit. From Spam to Hash Chains in three easy steps! p.18/29

53 Filtering + Crypto = no spam? Markus Jakobsson, Eran Gabber, et al devised a clever solution based on extended addresses: From Spam to Hash Chains in three easy steps! p.19/29

54 Filtering + Crypto = no spam? Markus Jakobsson, Eran Gabber, et al devised a clever solution based on extended addresses: Alice has what is called a core address alice@crypto.com. She can feel free to post this address freely on the internet. If Bob wants to send Alice a message he sends an to her core address along with a proof that he has done some requisite amount of work. From Spam to Hash Chains in three easy steps! p.19/29

55 Filtering + Crypto = no spam? Markus Jakobsson, Eran Gabber, et al devised a clever solution based on extended addresses: If Bob s proof verifies, Alice computes an extended address based on her core address and Bob s core address (and possibly some other information), and sends it to Bob. These extended addresses look like alice+hf04thtwf7zz@crypto.com. Bob can now send mail to Alice at that address without doing any further work. Alice From Spam to Hash Chains in three easy steps! p.19/29 can filter her messages by incoming address

56 Cash Money Über Alles One of the more popular ideas for curbing Spam is to require everyone to pay at bit of money to the recipient of the . Even if we charge as little as $ per Spammers would get billed thousands of dollars per day. Far more than they could earn by Spamming. Most personal payments would even out. Mailing lists and opt-in advertisers can send you mail through the use of recyclable coins. These charges could be efficiently computed From Spam to Hash Chains in three easy steps! p.20/29

57 MicroPayments (PayWord) To make micropayments using the PayWord system, we need three parties: The user, ; The vendor, ; A broker,. For to make micropayments to the three parties use the following protocol: gives a signed certificate authorizing to make PayWord chains. This is equivalent to extending credit to.. From Spam to Hash Chains in three easy steps! p.21/29

58 MicroPayments (PayWord) To make micropayments using the PayWord system, we need three parties: The user, ; The vendor, ; A broker,. For to make micropayments to the three parties use the following protocol: can now create a hash chain of length, where is dependant on the credit limit and the unit of payment: sends to the root the following message, commiting : From Spam to Hash Chains in three easy steps! p.21/29

59 MicroPayments (PayWord) To make micropayments using the PayWord system, we need three parties: The user, ; The vendor, ; A broker,. For to make micropayments to the three parties use the following protocol: makes successive payments by revealing the pre-images, in order. verifies that each is indeed equal to. Larger payments can be made by skipping pre-images, e.g. if was the last payword sent, five units can be sent at once by revealing. From Spam to Hash Chains in three easy steps! p.21/29

60 MicroPayments (PayWord) To make micropayments using the PayWord system, we need three parties: The user, ; The vendor, ; A broker,. For to make micropayments to the three parties use the following protocol: redeems the micropayments by sending and the last payword revealed, to. verifies and checks that If so sends the appropriate amount of money to.. From Spam to Hash Chains in three easy steps! p.21/29

61 PayWord costs The costs of running the payword scheme are as follows: One signature by One signature by. Two verifications by. One verification by per user per month per vendor per day per user per day per user per day One hash function evaluation by each unit payment. for From Spam to Hash Chains in three easy steps! p.22/29..

62 The Problem With Hash Chains Unfortunately, these hash chains can consume quite a bit of storage space. Assume you are using SHA-1 to create 1000 unit long hash chains for 20 common targets, plus $100 chains (in one cent imcrements) for amazon.com, cdnow.com, and golfsmith.com. This will require 1 MB just to store the hash chains. Not too terribly much space for a modern computer, but what about a Palm Pilot? From Spam to Hash Chains in three easy steps! p.23/29

63 Fractal Hash Sequences The idea at work here is simple: Instead of storing the entire hash chain, just store the values of a few waypoints along the way. When a new value is needed, select the nearest waypoint ahead of the value in the chain and compute just the missing segment in the chain, thereby trading storage space for the need to evaluate the hash function more often. Using Jakobsson s technique, we can store just waypoints and incur only an extra From Spam to Hash Chains in three easy steps! p.24/29 hash function evaluations at each step.

64 The 3 Pebble Hash Chain Assume we have a hash chain of length, and we can only store three pebbles to represent the chain. We can naively divide the hash chain into thirds. This way, for each consecutive value in the chain we need to perform no more than hash function evaluations. From Spam to Hash Chains in three easy steps! p.25/29

65 The 3 Pebble Hash Chain Assume we have a hash chain of length, and we can only store three pebbles to represent the chain. However, we can instead place our pebbles at positions and. Now we need at most hash function evaluations to compute values in the first two intervals. From Spam to Hash Chains in three easy steps! p.25/29

66 The 3 Pebble Hash Chain Assume we have a hash chain of length, and we can only store three pebbles to represent the chain. And once we reach position, we can reposition that pebble to position. From Spam to Hash Chains in three easy steps! p.25/29

67 The 3 Pebble Hash Chain Assume we have a hash chain of length, and we can only store three pebbles to represent the chain. And once we reach position, we can reposition that pebble to position. And slowly move it to position as we compute values in the second interval. From Spam to Hash Chains in three easy steps! p.25/29

68 The Three Pebble Hash Chain While the storage is the same in both cases, the number of hash function evaluations is not. Consider the number of evaluations needed to exhaust these chains of various length: n Naive Clever (hashes) (hashes) From Spam to Hash Chains in three easy steps! p.26/29

69 The Three Pebble Hash Chain While the storage is the same in both cases, the number of hash function evaluations is not. Consider the number of evaluations needed to exhaust these chains of various length: n Naive Clever (hashes) (hashes) From Spam to Hash Chains in three easy steps! p.26/29

70 The Three Pebble Hash Chain While the storage is the same in both cases, the number of hash function evaluations is not. Consider the number of evaluations needed to exhaust these chains of various length: n Naive Clever (hashes) (hashes) From Spam to Hash Chains in three easy steps! p.26/29

71 Pebbles A-Plenty Now, if expand our storage until we are holding pebbles, we can place them at positions. Now, our smallest interval that we have is of size 2. So we need at most one hash evaluation to compute the next value needed, plus around. hashes to move other pebbles From Spam to Hash Chains in three easy steps! p.27/29

72 Pebbles A-Plenty n Naive Clever (hashes) (hashes) (hashes) From Spam to Hash Chains in three easy steps! p.28/29

73 A Length 16 Example To retrieve the first element in the hash chain, we simply hash the pebble in position 2 and return the result: From Spam to Hash Chains in three easy steps! p.29/29

74 A Length 16 Example To retrieve the second element in the hash chain, just return the pebble in position 2 and return the result: From Spam to Hash Chains in three easy steps! p.29/29

75 A Length 16 Example To retrieve the third element in the hash chain, hash the pebble in position 4 and return the result. Also move the pebble from position 2 to position 8: From Spam to Hash Chains in three easy steps! p.29/29

76 A Length 16 Example To retrieve the fourth element in the hash chain, return the pebble in position 4. Hash the type 2 pebble in position 8 twice to move it to position 6: From Spam to Hash Chains in three easy steps! p.29/29

77 A Length 16 Example To retrieve the fifth element in the hash chain, we simply hash the pebble in position 6 and return the result. Move the pebble in position 4 to position 16: From Spam to Hash Chains in three easy steps! p.29/29

78 A Length 16 Example To retrieve the sixth element in the hash chain, just return the pebble in position 6. Hash the type 4 pebble in position 16 twice to move it to position 14: From Spam to Hash Chains in three easy steps! p.29/29

79 A Length 16 Example To retrieve the seventh element in the hash chain, we simply hash the pebble in position 8 and return the result. Also hash the pebble in position 14 twice to move it to position 12. Next move the pebble from position 6 to position 12: From Spam to Hash Chains in three easy steps! p.29/29

80 A Length 16 Example To retrieve the eigth element in the hash chain, just return the pebble in position 8. Next hash the type two pebble in position 12 twice to bring it to position 10: From Spam to Hash Chains in three easy steps! p.29/29

81 A Length 16 Example To retrieve the ninth element in the hash chain, we simply hash the pebble in position 10 and return the result: From Spam to Hash Chains in three easy steps! p.29/29

82 A Length 16 Example To retrieve the first element in the hash chain, just return the pebble in position 10: From Spam to Hash Chains in three easy steps! p.29/29

83 A Length 16 Example To retrieve the eleventh element in the hash chain, we simply hash the pebble in position 12 and return the result. Also move the pebble from position 10 to position 16: From Spam to Hash Chains in three easy steps! p.29/29

84 A Length 16 Example To retrieve element twelve in the hash chain, return pebble number 12 and hash the type two pebble in position 16 twice to move it to position 14: From Spam to Hash Chains in three easy steps! p.29/29

85 A Length 16 Example To retrieve the thirteenth element in the hash chain, we simply hash the pebble in position 14 and return the result: From Spam to Hash Chains in three easy steps! p.29/29

86 A Length 16 Example To retrieve the fourteenth element in the hash chain, we simply return the pebble in position 14: From Spam to Hash Chains in three easy steps! p.29/29

87 A Length 16 Example To retrieve the fifteenth element in the hash chain, we simply hash the pebble in position 16 and return the result: From Spam to Hash Chains in three easy steps! p.29/29

88 A Length 16 Example To retrieve the last element in the hash chain, we simply return the pebble in position 16: From Spam to Hash Chains in three easy steps! p.29/29