Provable Anonymity. Epistemic Logic for Anonymizing Protocols. Ichiro Hasuo. Radboud University Nijmegen The Netherlands

Size: px

Start display at page:

Download "Provable Anonymity. Epistemic Logic for Anonymizing Protocols. Ichiro Hasuo. Radboud University Nijmegen The Netherlands"

Audrey Logan
5 years ago
Views:

1 Provable Anonymity Epistemic Logic for Anonymizing Protocols Ichiro Hasuo Radboud University Nijmegen The Netherlands Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 1/23

2 Concern about on-line privacy is growing... ISPs in EU might soon start logging all the URLs you browse A number of anonymizing protocols have been introduced Chaum Mix, Onion Routing, Crowds,... Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 2/23

3 A lot of work in formal verification of authentication protocols (e.g. Needham-Schroeder, Otway-Rees,...) but Formulation and verification of anonymity is still quite immature Our work is first to comprehensively formulate competing notions for anonymity, and actually verify real protocols, using crypto-conscious epistemic logic Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 3/23

4 Coauthors Peter va? Rossum Wolt?r Pieters?lavio D. Garcia Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 4/23

5 Coauthors Peter va? Rossum Wolt?r Pieters?lavio D. Garcia Full paper available: Provable Anonymity. F. Garcia, I. Hasuo, W. Pieters, and P. van Rossum. To appear in FMSE Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 4/23

6 Motivating example: onion routing Introduced by [Chaum, 81] and [Goldschlag, Reed, Syverson, 96] Epistemic logic Anonymity expressed with epistemic logic Practical implementation available as TOR (The Onion Router), Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 5/23

7 Motivating example: onion routing A tries to send a message m to B anonymously Epistemic logic Anonymity expressed with epistemic logic { } X : public-key encryption n i : nonce A (((m))) R 1 ((m)) R 2 (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R2 (((m))) = { n 0, R 2, ((m)) } R1 Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 6/23

8 Onion routing actual run A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23

9 Onion routing actual run counter run A B A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R This is anonymous because the counter run is equally possible, so adversary is not sure whether A sent something to B or C Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23

10 Onion routing actual run counter run A B A B Epistemic logic Anonymity expressed with epistemic logic C (( )) (( )) R ( ) ( ) D C (( )) (( )) R ( ) ( ) D where (( )) = { n, X, ( ) } R Anonymity fails when: private key of R is compromised we omit nonces, (( )) = { X, ( ) } R not enough padding, e.g. C is absent Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 7/23

11 Various anonymity A number of proposals and objections... Epistemic logic Anonymity expressed with epistemic logic Anonymity, Unobservability, Pseudonymity, and Identity Management A Proposal for Terminology (Ongoing draft from July 2000) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 8/23

12 Various anonymity A number of proposals and objections... Epistemic logic Anonymity expressed with epistemic logic Anonymity, Unobservability, Pseudonymity, and Identity Management A Proposal for Terminology (Ongoing draft from July 2000) With epistemic language we can formulate and verify competing notions in a uniform manner! [Halpern, O Neill] Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 8/23

13 Epistemic logic Epistemic logic Anonymity expressed with epistemic logic A ϕ A knows ϕ A ϕ (:= A ϕ) A suspects ϕ Semantics ( W, { =A A : agent} ) W : set of possible worlds =A : observational equivalence for A x = A ϕ x = A ϕ def y = A x. y = ϕ def y = A x. y = ϕ Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 9/23

14 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Sender anonymity Given: B receives message (containing) m. Weak ver. Anonymity set {A 1,..., A n } A? m anonymizer m B Not sure if A sent m A 1? m. A n? m anonymizer m B Each A i is suspected as sender Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 10/23

15 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Sender anonymity Given: B receives message (containing) m. Weak ver. Anonymity set {A 1,..., A n } A? m anonymizer m B Not sure if A sent m B A Sends m A 1? m. A n? m anonymizer m B Each A i is suspected as sender B A 1 Sends m B A 2 Sends m B A n Sends m Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 10/23

16 Anonymity expressed with epistemic logic Unlinkability Epistemic logic Anonymity expressed with epistemic logic A C anonymizer B D Adversary is not sure if A sent something to B. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 11/23

17 Anonymity expressed with epistemic logic Unlinkability Epistemic logic Anonymity expressed with epistemic logic A C anonymizer B D Adversary is not sure if A sent something to B. spy m. (A Sends m B Receives m) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 11/23

18 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Plausible deniability R can claim it is not aware of content m I relayed something, but don t know what it was! A ((m)) R (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 12/23

19 Anonymity expressed with epistemic logic Epistemic logic Anonymity expressed with epistemic logic Plausible deniability R can claim it is not aware of content m I relayed something, but don t know what it was! A ((m)) R (m) B (m) = { m } B ((m)) = { n 1, B, (m) } R m. R (R Sends m) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 12/23

20 Possible world = a run, or trace of protocol Reinterpretation of messages Observational equivalence Two aspects of observational equivalence = A : Not every event is observed by an agent (However we assume global eavesdropper as adversary) Use of cryptographic operation Encryptions/hashes makes messages look random junk! (Mauw, Verschuren, de Vink) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 13/23

21 However, two random junks Reinterpretation of messages Observational equivalence should be related. { m } A and { { m } A } B That is, mapping all undecryptable messages to single is not fine enough. Our approach is finer than preceeding work, taking care of this point. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 14/23

22 Reinterpretation of messages Reinterpretation of messages Observational equivalence Our approach is finer, using reinterpretation We cheat adversary, by reinterpreting message which looks junk for adversary into in the way adversary cannot detect a lie. another message Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 15/23

23 Reinterpretation of messages Reinterpretation of messages Observational equivalence Our approach is finer, using reinterpretation We cheat adversary, by reinterpreting message which looks junk for adversary into in the way adversary cannot detect a lie. another message Definition U: a set of messages (e.g. spy s possession) Permutation π of messages is reinterpretation under U if: π(p) = p π({ m } K ) = { π(m) } K π(hash(m)) = hash(π(m)) π( m 1, m 2 ) = π(m 1 ), π(m 2 ) for a primitive term p { m, K U, or if { m } K, K 1 U if m U In short, π preserves term structures available in U. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 15/23

24 Observational equivalence Reinterpretation of messages Observational equivalence Definition r = A r def π, reinterpretation under A s possession, s.t. π(r A ) = r A where r A : A-visible part of r For A spy, r A consists of events where A is sender or receiver. r spy = r, i.e., spy is a global eavesdropper. = A is in fact an equivalence relation. Hence A is S5-modality. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 16/23

25 Observational equivalence actual run counter run A (( )) ( ) B A (( )) ( ) B Reinterpretation of messages Observational equivalence C (( )) R ( ) D C (( )) R ( ) D where (( )) = { n, ( ) } R n : random nonce Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 17/23

26 Observational equivalence actual run counter run Reinterpretation of messages Observational equivalence A C (( )) (( )) R ( ) ( ) B D =spy A C (( )) (( )) R ( ) ( ) B D where (( )) = { n, ( ) } R n : random nonce Reinterpretation π: (( )) (( )) (( )) (( )) ( ) ( ) ( ) ( ) Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 17/23

27 Onion routing: unlinkability Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples r = Theorem A ((m)) R (m) B r = spy m. (A Sends m B Receives m) (A and B are unlinkable) where ((m)) = { n, B, (m) } R some C A sends ((m )) to R, before R relays (m). (there is enough padding) Proof [ ] By contradiction. In r =spy r, π of (m) must result from π of ((m)). Hence they have same core of onion. Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 18/23

28 Onion routing: plausible deniability Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples r = A ((m)) R (m) B Theorem For any m, r = R (R Sends m) where ((m)) = { n, B, (m) } R Proof R doesn t possess private-key of B, hence for m, π: reinterpretation under R, which gives (actual run) =R A ((m )) R (m ) B Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 19/23

29 Flawed onion routing 1: forgotten nonces Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples We forget nonces beneath skin of onion. A ((m)) r = R (m) B Theorem Unlinkability fails, i.e. where r = spy m. (A Sends m B Receives m) ((m)) = { B, (m) } R Proof Any reinterpretation π must be like (m) m 1 ((m)) { B, m 1 } R since spy possesses public-key of R. Hence any r =spy r is like A { B, m 1 } RR m 1 B, therefore r = m. (A Sends m B Receives m). Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 20/23

30 Flawed OR 2: private-key compromised Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples Private-key of R possessed by spy. A ((m)) r = R (m) B Theorem Unlinkability fails, i.e. r = spy m. (A Sends m B Receives m) where ((m)) = { n, B, (m) } R Proof Any reinterpretation π must be like (m) m 1 ((m)) { n, B, m 1 } R Hence any r =spy r is like A { n, B, m 1 } R R m 1 B, therefore r = m. (A Sends m B Receives m). Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 21/23

31 Other examples Can detect even more subtle (artificial) flaw in Onion Routing: see full paper Crowds, for sender anonymity Internet voting protocol RIES In real use in the Netherlands (ongoing analysis) Onion routing: unlinkability Onion routing: plausible deniability Forgotten nonces Private-key compromised Other examples Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 22/23

32 Anonymity is important, hard to define, hard to verify Competing notions are straightforwardly expressed with epistemic language First to consider use of cryptographic operations in semantics of epistemic logic Finer treatment of cryptographic operations using reinterpretation Able to uniformly verify/falsify wide variety of anonymizing systems Future work Justification of reinterpretation (cf. Abadi, Rogaway) Tool support Quantitative analysis Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 23/23

33 Anonymity is important, hard to define, hard to verify Competing notions are straightforwardly expressed with epistemic language First to consider use of cryptographic operations in semantics of epistemic logic Finer treatment of cryptographic operations using reinterpretation Able to uniformly verify/falsify wide variety of anonymizing systems Future work Justification of reinterpretation (cf. Abadi, Rogaway) Tool support Quantitative analysis Thank you for your attention! Contact: Ichiro Hasuo Internatinal Summer School Marktoberdorf Provable Anonymity Ichiro Hasuo, Nijmegen, NL - p. 23/23

0x1A Great Papers in Computer Security

CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Privacy on Public Networks Internet is designed as a public network Wi-Fi access points,