Privacy at the communication layer

Transcription

1 Privacy at the communication layer CS Carmela Troncoso

2 While (course) do { This course End of lecture - Small intro to next topic - Assign a paper and Defender/Critic Pre-lecture - Read the paper - All provide a Review by Monday 3pm } Lecture - Defender presents the paper (15-30 free format) - Critic presents his view - Comment your reviews and learned lessons By end of course: propose one attack or one defense Up to 3 pages describing: attacker model, attack/defense, proposed evaluation

3 Reviews Free format Recommendations (for any academic review): - Have a structure - The conclusion should be clear - Be constructive. Write the review you d like to read - Think big. Many small flaws may not be a reason for rejection. Try to extract the contribution - new approach? - will people construct on it? - fundamental result?

4 My structure (not binding) Summary: helps the authors know what you understood (calibrate your review) General comments: comments about issues global to the paper: motivation, threat model, overall design, flaws in evaluation Specific comments: comments about particular issues in Section X, in page Y Minor comments: editorial comments, typos, suggestions (other people like Strengths/weaknesses)

5

6 Privacy at the communication layer Dear Dr., Can we change my chemo appointment? A. A Network

7 Privacy at the communication layer Intelligence agencies Dear Dr., Can we change my chemo appointment? A. ISPs A Network

8 Privacy at the communication layer Intelligence agencies SysAdmin s The Boss Dear Dr., Can we change my chemo appointment? A. ISPs A Network

9 Privacy at the communication layer Intelligence agencies SysAdmin s The Boss Your Parents Your Children Dear Dr., Can we change my chemo appointment? A. ISPs A Network

10 Privacy at the communication layer Intelligence agencies SysAdmin s The Boss Your Parents Anybody curious Your Children Dear Dr., Can we change my chemo appointment? A. ISPs A Network

11 The adversary is anyone and she is VERY powerful Intelligence agencies SysAdmin s The Boss Your Parents Anybody curious Your Children Dear Dr., Can we change my chemo appointment? A. ISPs A Network

12 But we can encrypt! What is the problem? Dear Dr., Can we change my chemo appointment? A. A Network

13 But we can encrypt! What is the problem? %Q}!$#!{}{ A Network

14 But we can encrypt! What is the problem? %Q}!$#!{}{ A Network Ethernet (IEEE 802.3, 1997)

15 But we can encrypt! What is the problem? %Q}!$#!{}{ Alic e A Network Ethernet (IEEE 802.3, 1997)

16 But we can encrypt! What is the problem? %Q}!$#!{}{ A Network Ethernet (IEEE 802.3, 1997)

17 But we can encrypt! What is the problem? %Q}!$#!{}{ A Network Ethernet (IEEE 802.3, 1997) Same for IP, TCP, SMTP, IRC, HTTP,...

18 But we can encrypt! What is the problem? %Q}!$#!{}{ Destination IP web Dr. Oncologist A Network Ethernet (IEEE 802.3, 1997) Same for IP, TCP, SMTP, IRC, HTTP,...

19 OMG!! Meta Data is also sensitive!! %Q}!$#!{}{ Destination IP web Dr. Oncologist A Network Ethernet (IEEE 802.3, 1997) Same for IP, TCP, SMTP, IRC, HTTP,...

20 Traffic analysis: meta data analysis Wikipedia: traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication Making use of just traffic data of a communication (aka metadata) to extract information (as opposed to analyzing content or perform cryptanalysis) Identities of communicating parties Timing, frequency, duration Location Volume Device Military Roots - M. Herman: These non-textual techniques can establish targets' locations, order-ofbattle and movement. Even when messages are not being deciphered, traffic analysis of the target's Command, Control, Communications and intelligence system and its patterns of behavior provides indications of his intentions and states of mind - WWI: British troops finding German boats. - WWII: assessing size of German Air Force, fingerprinting of transmitters or operators (localization of troops). Nowadays - Diffie&Landau: Traffic analysis, not cryptanalysis, is the backbone of communications intelligence - Stewart Baker (NSA): metadata absolutely tells you everything about somebody s life. If you have enough metadata, you don t really need content. - Tempora, MUSCULAR XkeyScore, PRISM - Also good uses: recommendations, location-based services, Herman, Michael. Intelligence power in peace and war. Cambridge University Press, Diffie, Whitfield, and Susan Landau. Privacy on the line: The politics of wiretapping and encryption. MIT press,

21 Anonymous communications against Traffic Analysis If you are a cyber-criminal! DRM infringement, hacker, spammer, terrorist, etc. But, also if you are: Journalist Whistleblower Human rights activist Business executive Military/intelligence personnel Abuse victims And normal people?? - Avoid tracking by advertising companies - Protect sensitive personal information from businesses, like insurance companies, banks, etc. - Express unpopular or controversial opinions - Have a dual life A professor who is a pro in LoL! - Try uncommon things -It feels good to have some privacy!

22 But, It s Hard to be Anonymous! Your network location (IP address) can be linked to you ISPs store communications records Usually for several years (Data Retention Laws) Law enforcement can subpoena these records Your application is being tracked Cookies, Flash cookies, E-Tags, HTML5 Storage Centralized services like Skype, Google voice Browser fingerprinting Your activities can be used to identify you Unique websites and apps that you use Types of links that you click

23 You Have to Protect at All Layers! While Maintaining Efficiency

24 You Have to Protect at All Layers! While Maintaining Efficiency

25 Anonymous communications adversary Observe All links (Global Passive Adversary) Some links Modify delay delete or inject messages Control some nodes in the network. The adversary s' limitations Cannot break cryptographic primitives Cannot see inside nodes he does not control

26 Anonymity PROPERTIES Sender anonymity: cannot know who is Receiver anonymity: cannot know who is Bidirectional anonymity: and cannot know who each other is 3 rd party anonymity: and can know each other, but Sauron doesn't Unobservability: Sauron cannot tell if or send/receive Unlinkability: Two messages cannot be linked to /

27 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? Dear Dr., Can we change my chemo appointment? A. A Network

28 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? Dear Dr., Can we change my chemo appointment? A. A Network

29 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? Dear Dr., Can we change my chemo appointment? A. A Network

30 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? Dear Dr., Can we change my chemo appointment? A. A Network Larger anonymity set = stronger anonymity

31 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? t Dear Dr., Can we change my chemo appointment? A. A Network Larger anonymity set = stronger anonymity

32 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? H(x) Pr[sender] t Dear Dr., Can we change my chemo appointment? A. A Network Larger anonymity set = stronger anonymity

33 Quantifying anonymity How much anonymous we are? Anonymity Set Who sent this message? H(x) Pr[sender] t Dear Dr., Can we change my chemo appointment? A. A Network Larger anonymity set = stronger anonymity

34 Quantifying anonymity Anoa Framework Game à la crypto // Differential privacy Run the protocol (aka anonymous communication system) with different senders and check that the adversary cannot distinguish them

35 How do we build anonymous communications

36 Trivial: Anonymity through Broadcasting Dave Charlie Fred

37 Trivial: Anonymity through Broadcasting Dave Charlie E(msg) Fred

38 Trivial: Anonymity through Broadcasting E(Junk) E(Junk) Dave Charlie E(msg) Fred E(Junk)

39 Trivial: Anonymity through Broadcasting Simple receiver anonymity E(Junk) E(Junk) Dave Charlie E(msg) Fred E(Junk)

40 Trivial: Anonymity through Broadcasting Simple receiver anonymity E(Junk) E(Junk) Point 1: Do not re-invent this Dave Charlie E(msg) Fred E(Junk)

41 Trivial: Anonymity through Broadcasting Simple receiver anonymity Dave Charlie E(Junk) E(Junk) E(msg) Point 1: Do not re-invent this Point 2: Many ways to do broadcast - Ring - Trees It has all been done (Buses) Fred E(Junk)

42 Trivial: Anonymity through Broadcasting Simple receiver anonymity Dave Charlie E(Junk) E(Junk) E(msg) Point 1: Do not re-invent this Point 2: Many ways to do broadcast - Ring - Trees It has all been done (Buses) Point 3: Is your anonymity system better than this? Fred E(Junk)

43 Trivial: Anonymity through Broadcasting Simple receiver anonymity Dave Charlie E(Junk) E(Junk) E(msg) Point 1: Donotre-inventthis Point 2: Many ways to do broadcast - Ring - Trees Ithas all been done (Buses) Point 3:Is your anonymity systembetterthanthis? Point 4: Whatarethe problems here? Fred E(Junk) Coordination Sender anonymity Latency Bandwidth

44 The Chaumian mix (1981) cryptographic relays to break the link between sender and receiver Zelda Walter E MIX (msg, Charlie) E(msg) Dave mi x Charlie Victor Fred

45 The Chaumian mix (1981) cryptographic relays to break the link between sender and receiver Zelda Walter E MIX (msg, Charlie) E(msg) Dave mi x Charlie Victor Fred

46 The Chaumian mix (1981) cryptographic relays to break the link between sender and receiver Zelda Walter E MIX (msg, Charlie) E(msg) Dave Victor mi x Bitwise Unlinkability Computational security (cryptography-based) Charlie Fred

47 The Chaumian mix (1981) cryptographic relays to break the link between sender and receiver Zelda Walter E MIX (msg, Charlie) E(msg) Dave Victor mi x Traffic analysis resistance destroy metadata Batch + (delay, inject, drop) Charlie Fred

48 The Chaumian mix (1981) cryptographic relays to break the link between sender and receiver Zelda Walter E MIX (msg, Charlie) E(msg) Dave Victor mi x One-proxy problems - Low throughput. - Corrupt Proxy or Proxy hacked / coerced. - Real case: Penet.fi vs the church of scientology (1996) Charlie Fred

49 Solution: Mix networks Receivers Senders Bitwise unlinkability Crypto to make inputs and outputs bit patterns different (re)packetizing + (re)schedule + (re)routing, Destroy patterns (traffic analysis resistance) Load balancing Distribute trust

50 Solution: Mix networks Receivers Senders Bitwise unlinkability Crypto to make inputs and outputs bit patterns different (re)packetizing + (re)schedule + (re)routing, Destroy patterns (traffic analysis resistance) Load balancing Distribute trust A->M 2 : {M 4, {M 1,{B, Msg} M1 } M4 } M2

51 Solution: Mix networks Rely on more mixes good idea - Distributing trust some could be dishonest - Distributing load fewer messages per mix Two extremes - Mix Cascades All messages are routed through a preset mix sequence Good for anonymity poor load balancing - Free routing Each message is routed through a random sequence of mixes Security parameter: L then length of the sequence

52 Mix networks Who are the others? The (n-1) attack active attack Zelda Walter Dave mix Charlie Victor Fred

53 Mix networks Who are the others? The (n-1) attack active attack Wait or flush the mix. Block all incoming messages (trickle) and injects own messages (flood) Zelda Walter Dave mix Charlie Victor Fred

54 Mix networks Who are the others? The (n-1) attack active attack Wait or flush the mix. Block all incoming messages (trickle) and injects own messages (flood) Zelda Walter Dave mix Charlie Victor Fred

55 Who are the others? Mitigating N-1 attacks Strong identification to ensure distinct identities Problem: user adoption

56 Who are the others? Mitigating N-1 attacks Strong identification to ensure distinct identities Problem: user adoption Message expiry Messages are discarded after a deadline Adversary cannot flush the mix, and inject messages unnoticed

57 Who are the others? Mitigating N-1 attacks Strong identification to ensure distinct identities Problem: user adoption Message expiry Messages are discarded after a deadline Adversary cannot flush the mix, and inject messages unnoticed Heartbeat traffic Mixes route messages in a loop back to themselves Detect whether an adversary is blocking messages Forces adversary to subvert everyone, all the time

58 Who are the others? Mitigating N-1 attacks Strong identification to ensure distinct identities Problem: user adoption Message expiry Messages are discarded after a deadline Adversary cannot flush the mix, and inject messages unnoticed Heartbeat traffic Mixes route messages in a loop back to themselves Detect whether an adversary is blocking messages Forces adversary to subvert everyone, all the time General instance of the Sybil Attack

59 Mixes are slooooow Low-latency anonymous communications Onion Routing: anonymize streams!

60 Mixes are slooooow Low-latency anonymous communications Onion Routing: anonymize streams!

61 Mixes are slooooow Low-latency anonymous communications Onion Routing: anonymize streams! Next week

62 Key takeaways Anonymity requires a crowd Making one on your own expensive (broadcast) Who are the others? Hard problem Mix networks Practical anonymous messaging Bitwise unlinkability / traffic analysis resistance Distribution: Cascades vs. Free route networks Onion Routing next week