Provable Anonymity. Epistemic Logic for Anonymizing Protocols. Ichiro Hasuo. Radboud University Nijmegen The Netherlands
|
|
- Audrey Logan
- 5 years ago
- Views:
Transcription
1 Provable Anonymity Epistemic Logic for Anonymizing Protocols Ichiro Hasuo Radboud University Nijmegen The Netherlands Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 1/23
2 Concern about on-line privacy is growing... ISPs in EU might soon start logging all the URLs you browse A number of anonymizing protocols have been introduced Chaum Mix, Onion Routing, Crowds,... Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 2/23
3 A lot of work in formal verification of authentication protocols (e.g. Needham-Schroeder, Otway-Rees,...) but Formulation and verification of anonymity is still quite immature Our work is first to comprehensively formulate competing notions for anonymity, and actually verify real protocols, using crypto-conscious epistemic logic Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 3/23
4 Coauthors Peter va? Rossum Wolt?r Pieters?lavio D. Garcia Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 4/23
5 Coauthors Peter va? Rossum Wolt?r Pieters?lavio D. Garcia Full paper available: Provable Anonymity. F. Garcia, I. Hasuo, W. Pieters, and P. van Rossum. To appear in FMSE Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 4/23
6 Motivating example: onion routing Introduced by [Chaum, 81] and [Goldschlag, Reed, Syverson, 96] Epistemic logic Anonymity expressed with epistemic logic Practical implementation available as TOR (The Onion Router), Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 5/23
7 Motivating example: onion routing A tries to send a message m to B anonymously Epistemic logic Anonymity expressed with epistemic logic { } X : public-key encryption n i : nonce A (((m))) R 1 ((m)) R 2 (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R2 (((m))) = { n 0, R 2, ((m)) } R1 Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 6/23
8 Onion routing actual run A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23
9 Onion routing actual run counter run A B A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R This is anonymous because the counter run is equally possible, so adversary is not sure whether A sent something to B or C Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23
10 Onion routing actual run counter run A B A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R Anonymity fails when: private key of R is compromised we omit nonces, (( )) = { X, ( ) } R not enough padding, e.g. C is absent Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23
11 Various anonymity A number of proposals and objections... Epistemic logic Anonymity expressed with epistemic logic Anonymity, Unobservability, Pseudonymity, and Identity Management A Proposal for Terminology (Ongoing draft from July 2000) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 8/23
12 Various anonymity A number of proposals and objections... Epistemic logic Anonymity expressed with epistemic logic Anonymity, Unobservability, Pseudonymity, and Identity Management A Proposal for Terminology (Ongoing draft from July 2000) With epistemic language we can formulate and verify competing notions in a uniform manner! [Halpern, O Neill] Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 8/23
13 Epistemic logic Epistemic logic Anonymity expressed with epistemic logic A ϕ A knows ϕ A ϕ (:= A ϕ) A suspects ϕ Semantics ( W, { =A A : agent} ) W : set of possible worlds =A : observational equivalence for A x = A ϕ x = A ϕ def y = A x. y = ϕ def y = A x. y = ϕ Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 9/23
14 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Sender anonymity Given: B receives message (containing) m. Weak ver. Anonymity set {A 1,..., A n } A? m anonymizer m B Not sure if A sent m A 1? m. A n? m anonymizer m B Each A i is suspected as sender Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 10/23
15 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Sender anonymity Given: B receives message (containing) m. Weak ver. Anonymity set {A 1,..., A n } A? m anonymizer m B Not sure if A sent m B A Sends m A 1? m. A n? m anonymizer m B Each A i is suspected as sender B A 1 Sends m B A 2 Sends m B A n Sends m Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 10/23
16 Anonymity expressed with epistemic logic Unlinkability Epistemic logic Anonymity expressed with epistemic logic A C anonymizer B D Adversary is not sure if A sent something to B. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 11/23
17 Anonymity expressed with epistemic logic Unlinkability Epistemic logic Anonymity expressed with epistemic logic A C anonymizer B D Adversary is not sure if A sent something to B. spy m. (A Sends m B Receives m) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 11/23
18 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Plausible deniability R can claim it is not aware of content m I relayed something, but don t know what it was! A ((m)) R (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 12/23
19 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Plausible deniability R can claim it is not aware of content m I relayed something, but don t know what it was! A ((m)) R (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R m. R (R Sends m) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 12/23
20 Possible world = a run, or trace of protocol Reinterpretation of messages Observational equivalence Two aspects of observational equivalence = A : Not every event is observed by an agent (However we assume global eavesdropper as adversary) Use of cryptographic operation Encryptions/hashes makes messages look random junk! (Mauw, Verschuren, de Vink) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 13/23
21 However, two random junks Reinterpretation of messages Observational equivalence should be related. { m } A and { { m } A } B That is, mapping all undecryptable messages to single is not fine enough. Our approach is finer than preceeding work, taking care of this point. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 14/23
22 Reinterpretation of messages Reinterpretation of messages Observational equivalence Our approach is finer, using reinterpretation We cheat adversary, by reinterpreting message which looks junk for adversary into in the way adversary cannot detect a lie. another message Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 15/23
23 Reinterpretation of messages Reinterpretation of messages Observational equivalence Our approach is finer, using reinterpretation We cheat adversary, by reinterpreting message which looks junk for adversary into in the way adversary cannot detect a lie. another message Definition U: a set of messages (e.g. spy s possession) Permutation π of messages is reinterpretation under U if: π(p) = p π({ m } K ) = { π(m) } K π(hash(m)) = hash(π(m)) π( m 1, m 2 ) = π(m 1 ), π(m 2 ) for a primitive term p { m, K U, or if { m } K, K 1 U if m U In short, π preserves term structures available in U. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 15/23
24 Observational equivalence Reinterpretation of messages Observational equivalence Definition r = A r def π, reinterpretation under A s possession, s.t. π(r A ) = r A where r A : A-visible part of r For A spy, r A consists of events where A is sender or receiver. r spy = r, i.e., spy is a global eavesdropper. = A is in fact an equivalence relation. Hence A is S5-modality. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 16/23
25 Observational equivalence actual run counter run A (( )) ( ) B A (( )) ( ) B Reinterpretation of messages Observational equivalence C (( )) R ( ) D C (( )) R ( ) D where (( )) = { n, ( ) } R n : random nonce Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 17/23
26 Observational equivalence actual run counter run Reinterpretation of messages Observational equivalence A C (( )) (( )) R ( ) ( ) B D =spy A C (( )) (( )) R ( ) ( ) B D where (( )) = { n, ( ) } R n : random nonce Reinterpretation π: (( )) (( )) (( )) (( )) ( ) ( ) ( ) ( ) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 17/23
27 Onion routing: unlinkability Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples r = Theorem A ((m)) R (m) B r = spy m. (A Sends m B Receives m) (A and B are unlinkable) where ((m)) = { n, B, (m) } R some C A sends ((m )) to R, before R relays (m). (there is enough padding) Proof [ ] By contradiction. In r =spy r, π of (m) must result from π of ((m)). Hence they have same core of onion. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 18/23
28 Onion routing: plausible deniability Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples r = A ((m)) R (m) B Theorem For any m, r = R (R Sends m) where ((m)) = { n, B, (m) } R Proof R doesn t possess private-key of B, hence for m, π: reinterpretation under R, which gives (actual run) =R A ((m )) R (m ) B Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 19/23
29 Flawed onion routing 1: forgotten nonces Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples We forget nonces beneath skin of onion. A ((m)) r = R (m) B Theorem Unlinkability fails, i.e. where r = spy m. (A Sends m B Receives m) ((m)) = { B, (m) } R Proof Any reinterpretation π must be like (m) m 1 ((m)) { B, m 1 } R since spy possesses public-key of R. Hence any r =spy r is like A { B, m 1 } RR m 1 B, therefore r = m. (A Sends m B Receives m). Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 20/23
30 Flawed OR 2: private-key compromised Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples Private-key of R possessed by spy. A ((m)) r = R (m) B Theorem Unlinkability fails, i.e. r = spy m. (A Sends m B Receives m) where ((m)) = { n, B, (m) } R Proof Any reinterpretation π must be like (m) m 1 ((m)) { n, B, m 1 } R Hence any r =spy r is like A { n, B, m 1 } R R m 1 B, therefore r = m. (A Sends m B Receives m). Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 21/23
31 Other examples Can detect even more subtle (artificial) flaw in Onion Routing: see full paper Crowds, for sender anonymity Internet voting protocol RIES In real use in the Netherlands (ongoing analysis) Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 22/23
32 Anonymity is important, hard to define, hard to verify Competing notions are straightforwardly expressed with epistemic language First to consider use of cryptographic operations in semantics of epistemic logic Finer treatment of cryptographic operations using reinterpretation Able to uniformly verify/falsify wide variety of anonymizing systems Future work Justification of reinterpretation (cf. Abadi, Rogaway) Tool support Quantitative analysis Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 23/23
33 Anonymity is important, hard to define, hard to verify Competing notions are straightforwardly expressed with epistemic language First to consider use of cryptographic operations in semantics of epistemic logic Finer treatment of cryptographic operations using reinterpretation Able to uniformly verify/falsify wide variety of anonymizing systems Future work Justification of reinterpretation (cf. Abadi, Rogaway) Tool support Quantitative analysis Thank you for your attention! Contact: Ichiro Hasuo Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 23/23
0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Privacy on Public Networks Internet is designed as a public network Wi-Fi access points,
More informationDefinition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party
Definition Anonymous Communication Hiding identities of parties involved in communications from each other, or from third-parties Who you are from the communicating party Who you are talking to from everyone
More informationA Model of Onion Routing with Provable Anonymity
A Model of Onion Routing with Provable Anonymity Joan Feigenbaum 1, Aaron Johnson 1, and Paul Syverson 2 1 Yale University {Joan.Feigenbaum, aaron.johnson}@yale.edu 2 Naval Research Laboratory syverson@itd.nrl.navy.mil
More informationENEE 459-C Computer Security. Security protocols
ENEE 459-C Computer Security Security protocols Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public.
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationYale University Department of Computer Science
Yale University Department of Computer Science A Model of Onion Routing with Provable Anonymity Aaron Johnson YALEU/DCS/TR-1368 August 30, 2006 A Model of Onion Routing with Provable Anonymity Aaron Johnson
More informationSecurity protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i
Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012
Network Security: Anonymity Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2012 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationAnonymity. With material from: Dave Levin and Michelle Mazurek
http://www.sogosurvey.com/static/sogo_resp_images/tat_resp_images/designimg/guaranteed-anonymous-survey.png Anonymity With material from: Dave Levin and Michelle Mazurek What is anonymity? Dining cryptographers
More informationChaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981
Anonymizing Networks Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981 Reed, Syverson, Goldschlag, Anonymous Connections and Onion
More informationDesign and Analysis of Efficient Anonymous Communication Protocols
Design and Analysis of Efficient Anonymous Communication Protocols Thesis Defense Aaron Johnson Department of Computer Science Yale University 7/1/2009 1 Acknowledgements Joan Feigenbaum Paul Syverson
More informationProtocols for Anonymous Communication
18734: Foundations of Privacy Protocols for Anonymous Communication Anupam Datta CMU Fall 2016 Privacy on Public Networks } Internet is designed as a public network } Machines on your LAN may see your
More informationComputer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017
Computer Security 15. Tor & Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2017 April 24, 2017 CS 419 2017 Paul Krzyzanowski 1 Private Browsing Browsers offer a "private" browsing modes
More informationPrivate Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes
Private Browsing Computer Security 16. Tor & Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2017 Browsers offer a "private" browsing modes Apple Private Browsing, Mozilla Private Browsing,
More informationAnonymity and Privacy
Computer Security Spring 2008 Anonymity and Privacy Aggelos Kiayias University of Connecticut Anonymity in networks Anonymous Credentials Anonymous Payments Anonymous E-mail and Routing E-voting Group,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 25 April 18, 2012 CPSC 467b, Lecture 25 1/44 Anonymous Communication DISSENT- Accountable Anonymous
More informationAnoA: A Differential Anonymity Framework
AnoA: A Differential Anonymity Framework Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, Esfandiar Mohammadi CISPA, Saarland University Abstract Protecting individuals privacy in online
More informationUntraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms EJ Jung Goals 1. Hide what you wrote encryption of any kind symmetric/asymmetric/stream 2. Hide to whom you sent and when pseudonym?
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 23
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 23 Announcements Project 4 is Due Friday May 2nd at 11:59 PM Final exam: Friday, May 12th. Noon - 2:00pm DRLB A6 Today: Last details
More informationContext. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!
Context Protocols for anonymity The nternet is a public network: Myrto Arapinis School of nformatics University of Edinburgh Routing information is public: P packet headers contain source and destination
More informationCS526: Information security
Cristina Nita-Rotaru CS526: Information security Anonymity systems. Based on slides by Chi Bun Chan 1: Terminology. Anonymity Anonymity (``without name ) means that a person is not identifiable within
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015
Network Security: Anonymity Tuomas Aura T-110.5241 Network security Aalto University, autumn 2015 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationAnonymity With material from: Dave Levin
Anonymity With material from: Dave Levin http://www.sogosurvey.com/static/sogo_resp_images/tat_resp_images/designimg/guaranteed-anonymous-survey.png What is anonymity? Dining cryptographers Mixnets and
More information2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w
Onion Routing for Anonymous and Private Internet Connections David Goldschlag Michael Reed y Paul Syverson y January 28, 1999 1 Introduction Preserving privacy means not only hiding the content of messages,
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: Anonymity Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationAnonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012
Anonymous Communication: DC-nets, Crowds, Onion Routing Simone Fischer-Hübner PETs PhD course Spring 2012 DC (Dining Cryptographers) nets [Chaum 1988 ] Chaum, CACM 28(10), October 1985 Who paid for the
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationPayload analysis of anonymous communication system with host-based rerouting mechanism
Payload analysis of anonymous communication system with host-based rerouting mechanism Hongfei Sui Jianer Chen Songqiao Chen Jianxin Wang College of Information Science and Engineering Central South University
More informationMechanized Proofs for a Recursive Authentication Protocol
Recursive Authentication Protocol 1 L. C. Paulson Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer Laboratory University of Cambridge Recursive Authentication Protocol
More informationFormalizing Provable Anonymity in Isabelle/HOL
Under consideration for publication in Formal Aspects of Computing Formalizing Provable Anonymity in Isabelle/HOL Yongjian Li Chinese Academy of Sciences Institute of Software State Key Laboratory of Computer
More informationExtensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle
Extensions of BAN by Heather Goldsby Michelle Pirtle Overview BAN Logic Burrows, Abadi, and Needham GNY Gong, Needham, Yahalom RV AT Abadi and Tuttle VO van Oorschot SVO Syverson and van Oorschot Wenbo
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationAuthentication Handshakes
AIT 682: Network and Systems Security Topic 6.2 Authentication Protocols Instructor: Dr. Kun Sun Authentication Handshakes Secure communication almost always includes an initial authentication handshake.
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationAnonymous communications: Crowds and Tor
Anonymous communications: Crowds and Tor Basic concepts What do we want to hide? sender anonymity attacker cannot determine who the sender of a particular message is receiver anonymity attacker cannot
More informationAnonymous Connections and Onion Routing
Anonymous Connections and Onion Routing David Goldschlag, Michael Reed, and Paul Syverson Center for High Assurance Computer Systems Naval Research Laboratory Washington, D.C. 1 Who is Talking to Whom?
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationA SIMPLE INTRODUCTION TO TOR
A SIMPLE INTRODUCTION TO TOR The Onion Router Fabrizio d'amore May 2015 Tor 2 Privacy on Public Networks Internet is designed as a public network Wi-Fi access points, network routers see all traffic that
More informationCS Paul Krzyzanowski
Computer Security 17. Tor & Anonymous Connectivity Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2018 1 2 Anonymity on the Internet Often considered bad Only criminals need to hide
More informationRandom Oracles - OAEP
Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm
More informationA Quantitative Analysis of Anonymous Communications
IEEE TRANSACTIONS ON RELIABILITY, VOL. 53, NO. 1, MARCH 2004 103 A Quantitative Analysis of Anonymous Communications Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao Abstract This paper quantitatively
More informationEfficiency Optimisation Of Tor Using Diffie-Hellman Chain
Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Kun Peng Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract Onion routing is the most common anonymous communication channel.
More informationAn Optimal Strategy for Anonymous Communication Protocols
An Optimal Strategy for Anonymous Communication Protocols Yong Guan, Xinwen Fu, Riccardo Bettati, Wei Zhao Department of Computer Science Texas A&M University College Station, TX 77843-3112 E-mail: yguan,
More informationHow Alice and Bob meet if they don t like onions
How Alice and Bob meet if they don t like onions Survey of Network Anonymisation Techniques Erik Sy 34th Chaos Communication Congress, Leipzig Agenda 1. Introduction to Anonymity Networks Anonymity Strategies
More informationPrivacy Enhancing Technologies CSE 701 Fall 2017
Privacy Enhancing Technologies Lecture 2: Anonymity Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Anonymous communication mixes, anonymizing proxies,
More informationCS 134 Winter Privacy and Anonymity
CS 134 Winter 2016 Privacy and Anonymity 1 Privacy Privacy and Society Basic individual right & desire Relevant to corporations & government agencies Recently increased awareness However, general public
More informationANONYMOUS CONNECTIONS AND ONION ROUTING
I J C I T A E Serials Publications 6(1) 2012 : 31-37 ANONYMOUS CONNECTIONS AND ONION ROUTING NILESH MADHUKAR PATIL 1 AND CHELPA LINGAM 2 1 Lecturer, I. T. Dept., Rajiv Gandhi Institute of Technology, Mumbai
More informationPeer-to-Peer Networks 14 Security. Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Cryptography in a Nutshelf Symmetric Cryptography - AES - Affine Cryptosystems
More informationTowards measuring anonymity
Towards measuring anonymity Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel K.U.Leuven ESAT-COSIC Kasteelpark Arenberg 0, B-300 Leuven-Heverlee, Belgium claudia.diaz@esat.kuleuven.ac.be http://www.esat.kuleuven.ac.be/cosic/
More informationAnonymity. Assumption: If we know IP address, we know identity
03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We
More informationFormal Methods for Assuring Security of Computer Networks
for Assuring of Computer Networks May 8, 2012 Outline Testing 1 Testing 2 Tools for formal methods Model based software development 3 Principals of security Key security properties Assessing security protocols
More informationOn the Limits of Provable Anonymity
On the Limits of Provable Anonymity Nethanel Gelernter Department of Computer Science Bar Ilan University nethanel.gelernter@gmail.com Amir Herzberg Department of Computer Science Bar Ilan University amir.herzberg@gmail.com
More informationANET: An Anonymous Networking Protocol
ANET: An Anonymous Networking Protocol Casey Marshall csm@soe.ucsc.edu May 31, 2005 Abstract This paper presents a simple, anonymizing network protocol. Its primary goal is to provide untraceability of
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCryptographically Sound Security Proofs for Basic and Public-key Kerberos
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1, I. Cervesato 2, A. D. Jaggard 3, A. Scedrov 4, and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon
More informationA Privacy-Aware Service Protocol for Ubiquitous Computing Environments
A Privacy-Aware Service Protocol for Ubiquitous Computing Environments Gunhee Lee, Song-hwa Chae, Inwhan Hwang, and Manpyo Hong Graduate School of Information Communication, Ajou University, Suwon, Korea
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationOn Privacy and Anonymity in Knowledge Externalization
On Privacy and Anonymity in Knowledge Externalization Yuen-Yan Chan and Chi-Hong Leung The Chinese University of Hong Kong rosannachan@cuhk.edu.hk, leung_chi_hong@yahoo.com.hk Secure Knowledge Management
More informationThe Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science
The Tor Network Cryptography 2, Part 2, Lecture 6 Ruben Niederhagen June 16th, 2014 Tor Network Introduction 2/33 Classic goals of cryptography: confidentiality, data integrity, authentication, and non-repudiation.
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationOnion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J
Onion Routing Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J Motivation Public Network Encryption does not hide Routing Information Traffic Analysis Who is Talking to Whom? by analyzing the traffic
More informationTHE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul
THE SECOND GENERATION ONION ROUTER Roger Dingledine Nick Mathewson Paul Syverson 1 -Presented by Arindam Paul Menu Motivation: Why do we need Onion Routing? Introduction : What is TOR? Basic TOR Design
More informationCryptanalysis of a fair anonymity for the tor network
Cryptanalysis of a fair anonymity for the tor network Amadou Moctar Kane KSecurity, BP 47136, Dakar, Senegal amadou1@gmailcom April 16, 2015 Abstract The aim of this paper is to present an attack upon
More informationAn Optimal Strategy for Anonymous Communication Protocols
Appeared in: Proceedings of the 22th International Conference on Distributed Computing Systems, Vienna, Austria, July 2002. An Optimal Strategy for Anonymous Communication Protocols Yong Guan, Xinwen Fu,
More informationInformation Hiding, Anonymity and Privacy: A Modular Approach
Information Hiding, Anonymity and Privacy: A Modular Approach Dominic Hughes STANFORD UNIVERSITY Vitaly Shmatikov SRI INTERNATIONAL Abstract We develop a new specification framework for security properties.
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationLecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena
Lecture 8: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus Jacobson Course Admin HW/Lab 3
More informationBlockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric
Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Elli Androulaki Staff member, IBM Research, Zurich Workshop on cryptocurrencies Athens, 06.03.2016 Blockchain systems
More informationIdentity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation
Identity Mixer: From papers to pilots and beyond Gregory Neven, IBM Research Zurich Motivation Online security & trust today: SSL/TLS for encryption and server authentication Username/password for client
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationAchieving Privacy in Mesh Networks
Achieving Privacy in Mesh Networks Xiaoxin Wu Intel China Research Center Ltd Beijing, China xiaoxin.wu@intel.com Ninghui Li Department of Computer Science Purdue University West Lafayette, IN 47907-2086,
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More informationUsing Sphinx to Improve Onion Routing Circuit Construction (short paper)
Using Sphinx to Improve Onion Routing Circuit Construction (short paper) Aniket Kate and Ian Goldberg David R. Cheriton School of Computer Science University of Waterloo, ON, Canada {akate,iang}@cs.uwaterloo.ca
More informationTwo Formal Views of Authenticated Group Diffie-Hellman Key Exchange
Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson 1, O. Chevassut 2,3, O. Pereira 2, D. Pointcheval 1 and J.-J. Quisquater 2 1 Ecole Normale Supérieure, 75230 Paris Cedex 05,
More informationFrom Crypto to Code. Greg Morrisett
From Crypto to Code Greg Morrisett Languages over a career Pascal/Ada/C/SML/Ocaml/Haskell ACL2/Coq/Agda Latex Powerpoint Someone else s Powerpoint 2 Cryptographic techniques Already ubiquitous: e.g., SSL/TLS
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationAn Introduction to Digital Identity
1 An Introduction to Digital Identity Andreas Pfitzmann Dresden University of Technology, Department of Computer Science, D-01062 Dresden Nöthnitzer Str. 46, Room 3071 Phone: +49 351 463-38277, e-mail:
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationModelling and Automatically Analysing Privacy Properties for Honest-but-Curious Adversaries
Modelling and Automatically Analysing Privacy Properties for Honest-but-Curious Adversaries Andrew Paverd Department of Computer Science University of Oxford andrew.paverd@cs.ox.ac.uk Andrew Martin Department
More informationTungsten Security Whitepaper
Tungsten Labs UG (haftungsbeschränkt) Email: contact@tungsten-labs.com Web: http://tungsten-labs.com Monbijouplatz 5, 10178 Berlin Tungsten Security Whitepaper Berlin, May 2018 Version 1 Contents Introduction
More informationCSE BAN Logic Presentation
(Mike Burrows Marin Abadi Roger Needham Published 1989 SRC Research Report 9 Presentation by Heather Goldsby Michelle Pirtle "! #! $ % Problem Solution BAN Logic Goals of BAN Terms Symbols Notation and
More informationINFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2
Digital Signature Introduction to Computer Security Lecture 7 Digital Signature October 9, 2003 Construct that authenticates origin, contents of message in a manner provable to a disinterested third party
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationcommunication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.
Introduction to anonymous communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.Leuven) 1 a few words on the scope of the
More informationVerification of security protocols introduction
Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017 Cryptographic protocols everywhere! they aim at securing communications over
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 15 February 29, 2012 CPSC 467b, Lecture 15 1/65 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationAnalysis of an E-voting Protocol using the Inductive Method
Analysis of an E-voting Protocol using the Inductive Method Najmeh Miramirkhani 1, Hamid Reza Mahrooghi 1, Rasool Jalili 1 1 Sharif University of Technology,Tehran, Iran {miramirkhani@ce., mahrooghi@ce.,
More informationA Report on Modified Onion Routing and its Proof of Concept
A Report on Modified Onion Routing and its Proof of Concept Introduction: This document briefly describes the architecture, code layout, operation principles and testing covered in the implementation of
More informationDandelion: Privacy-Preserving Transaction Propagation in Bitcoin s P2P Network
Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin s P2P Network Presenter: Giulia Fanti Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew
More informationInternet Crimes Against Children:
Internet Crimes Against Children: Web, 2011 PROGRAM MATERIALS Presented By Professor Donald R. Mason Associate Director & Research Professor The National Center for Justice & the Rule of Law at The University
More informationLogic of Authentication
Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees
More informationFormal Analysis of Chaumian Mix Nets with Randomized Partial Checking
Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking Ralf Küsters University of Trier, Germany kuesters@uni-trier.de Tomasz Truderung University of Trier, Germany truderung@uni-trier.de
More informationMaintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018
Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018 By: Ethan Mendes and Patrick Zhang Mentor: Kyle Hogan What is
More information