CPSC 467: Cryptography and Computer Security

Transcription

1 CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 23 December 2, 2015 CPSC 467, Lecture 23 1/56

2 Anonymous Communication Attacks on Anonymity CPSC 467, Lecture 23 2/56

3 Anonymous Communication CPSC 467, Lecture 23 3/56

4 Anonymity 1 Anonymity is the state of being not identifiable within a set of subjects, the anonymity set. Anonymity set is the set of all possible participants in a system that could have been the sender or recipient of a particular message. Sender anonymity is the state of being not identifiable within the sender anonymity set as the sender of a particular message. Receiver anonymity is the state of being not identifiable within the receiver anonymity set as the receiver of a particular message. 1 A. Pfitzmann and M. Hansen, Anonymity, unobservability, and pseudonymity: A consolidated proposal for terminology, 2008 CPSC 467, Lecture 23 4/56

5 Goal of anonymity systems 1 In general, anonymity systems seek to provide unlinkability between sent messages and their true recipients (receiver anonymity), and between received messages and their true senders (sender anonymity). CPSC 467, Lecture 23 5/56

6 Benefits of anonymous communication 2 Investigative journalism Whistleblowing Law enforcement Self-help Avoiding persecution Personal privacy protection 2 R. Kling, Y-C. Lee, and A. Teich, Assessing Anonymous Communication on the Internet: Policy Deliberations, Journal of Information Society, 1999 CPSC 467, Lecture 23 6/56

7 Harms of anonymous communication 2 Spamming Deception Hate mail Impersonation and misrepresentation Online financial fraud Other illegal activities CPSC 467, Lecture 23 7/56

8 Approaches to anonymous communication There are two main approaches to anonymous communication: DC-nets Mix networks CPSC 467, Lecture 23 8/56

9 Dining cryptographers problem 3 Three cryptographers are sitting down to dinner at their favorite three-star restaurant. The waiter informs them that the meal has been paid anonymously by one of the cryptographers or the National Security Agency. The cryptographers respect each other s right to make an anonymous payment, but they wonder if the NSA paid. They find out by executing a two-stage protocol. 3 D. Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Communications of the ACM, 1981 CPSC 467, Lecture 23 9/56

10 DC-nets 1. Establish a secret. Each cryptographer secretly flips an unbiased coin with the cryptographer on his right. 2. Reveal the secret. Each cryptographer says whether the two coins he sees fell on the same side or on different sides. If one of the cryptographers is the payer, he states the opposite of what he sees. If the result is 0, then NSA paid. If it is 1, then one of the cryptographer paid. However, cryptographers who did not pay do not know which one did. CPSC 467, Lecture 23 10/56

11 CPSC 467, Lecture 23 11/56

12 DC-nets The protocol is simple, elegant and unconditionally secure (assuming a secure channel) if carried out faithfully. However, there are three major issues: Collisions if two cryptographers paid for the dinner, their messages will cancel each other out. It means that only one participant can transmit at the same time. Disruptions the last cryptographer can change the final result. Complexity requires pair-wise shared secrets between the cryptographers. CPSC 467, Lecture 23 12/56

13 DC-nets Making DC-nets practical. Collisions proper scheduling of transmissions. Disruptions prevent or detect misbehavior. Complexity use a single master secret to produce shared coin flips. CPSC 467, Lecture 23 13/56

14 Herbivore 4 5 Herbivore is a distributed anonymous communication system, providing private file sharing and messaging over the Internet. It lets people anonymously publish and retrieve documents, and guarantees that even the most resourceful adversary cannot compromise their anonymity. Built to be self-organizing, Herbivore relies on neither central servers nor trusted parties, and ultimately provides anonymity by drawing on its community of users In 2000, FBI began using Carnivore to monitor electronic communications on the Internet. The name Herbivore is a gentle reminder that there is a fine line between law enforcement and harassment. CPSC 467, Lecture 23 14/56

15 Dissent 6 DISSENT stands for Dining cryptographers Shuffled Send Network. It provides anonymity and accountability. Accountability - every honest member for whom the protocol failed gets a proof of some member s misbehavior, and the adversary cannot produce a valid proof of misbehavior by an honest member. 6 H. Corrigan-Gibbs and B. Ford, Dissent: Accountable Group Anonymity, CCS 2010 CPSC 467, Lecture 23 15/56

16 Mix-networks A mix is a process that accepts encrypted messages as input, groups several messages together into a batch, decrypts and forwards some or all of the messages in the batch. A mix network consists of mix routers. Forward the message along a specified path. May intentionally delay sending messages, send them in batches of specified size, etc. Goal: obscure the associations between incoming and outgoing messages. CPSC 467, Lecture 23 16/56

17 Onion routing 7 Onion routing is based on the idea of mix networks. A message is iteratively wrapped with layers of encryption to form an onion that specifies properties of the connection along the route. Each onion router uses its public key to decrypt the entire onion to find the identity of the next onion router, cryptographic information used, and the embedded onion. The router pads the onions and forwards to the next hop. The last node in the chain removes the remaining layer of encryption and forwards the message to its destination. 7 CPSC 467, Lecture 23 17/56

18 Tor (The Onion Router) 8 Tor was originally designed and deployed by the U.S. Naval Research Laboratory for protecting government communications. Today Tor is one of the most useful anonymity tools. The goal is to protect users from network surveillance. Tor is a low latency anonymity network based on onion routing. It consists of a number of Tor relays constantly encrypting and then randomly bouncing messages before delivering them to their final destinations. 8 The Tor Project CPSC 467, Lecture 23 18/56

19 Tor No individual relay ever knows the complete path. The random path packets take is extended one hop at a time, and each relay along the way knows only the previous and the next relay. Neither an eavesdropper nor a compromised relay can link the connection s source and destination. However, Tor cannot (and does not attempt to) protect the traffic entering and exiting the network. Nor it protects users from giving away their identity. CPSC 467, Lecture 23 19/56

20 How Tor works? 9 9 Tor Overview CPSC 467, Lecture 23 20/56

21 How Tor works? CPSC 467, Lecture 23 21/56

22 How Tor works? CPSC 467, Lecture 23 22/56

23 Tor User Statistics Mevade botnet responsible for the spike in Tor traffic, Pierluigi Paganini, September 8, 2013 CPSC 467, Lecture 23 23/56

24 Tor Relay Statistics CPSC 467, Lecture 23 24/56

25 Benefits of Tor CPSC 467, Lecture 23 25/56

26 Tor Hidden Services 10 Tor also offers protection to servers offering various services (websites, instant messaging) by hiding their location. Servers are configured to receive inbound connections through Tor only. They do no reveal their IP address and are accessible only through.onion address. Tor understands.onion addresses and can properly route data to and from hidden services. 10 TOR Hidden Service Protocol CPSC 467, Lecture 23 26/56

27 Step 1: Service Setup Bob chooses some relays, asks them to be his IPs, and tells them his new public key. CPSC 467, Lecture 23 27/56

28 Step 2: Hidden Service Descriptor HDS contains the public key, a summary of IPS, and is signed by Bob. DB returns a HSD for a specific XYZ.onion. CPSC 467, Lecture 23 28/56

29 Step 3: Client Setup Alice gets Bob s HSD, chooses a rendezvous point and gives it a one-time rendezvous cookie to authenticate Bob. CPSC 467, Lecture 23 29/56

30 Step 4: Client Introduction Alice encrypts with Bob s key an introduction message with her RP, Bob s cookie, and her half of DH handshake, then asks Bob s IP to deliver it to him. CPSC 467, Lecture 23 30/56

31 Step 5: Server Response Bob decrypts Alice s message and creates a circuit to RP. He sends the cookie and completes the DH handshake. RP notifies Alice. CPSC 467, Lecture 23 31/56

32 Step 6: Connection Established Alice and Bob have an end-to-end encrypted 6 hop circuit. CPSC 467, Lecture 23 32/56

33 Attacks on Anonymity CPSC 467, Lecture 23 33/56

34 Limitations of existing schemes There s a whole array of attacks on anonymity ranging from exploiting flaws of the anonymous system, leveraging network level information, to exploiting vulnerabilities of the client-side machines. Method Mix Nets, Tor DC Nets Weakness (Active) traffic analysis attacks Anonymous DoS attacks CPSC 467, Lecture 23 34/56

35 Understanding the Adversary Many attacks assume a powerful adversary who can see large chunks of the network at the same time or can obtain large amounts of traffic data. Is an existence of a global adversary a reasonable assumption? CPSC 467, Lecture 23 35/56

36 PRISM 11 Perhaps the most infamous but not the most comprehensive NSA mass surveillance program established in Geared towards collecting the Internet data stored by nine major companies: Facebook, Google, Yahoo, Microsoft, PalTalk, Skype, YouTube, Apple, and AOL. The program operates through a secretive judiciary body called the Foreign Intelligence Surveillance Court. 11 The definitive guide to NSA spy programs, Joe Kloc, August 14, 2013 CPSC 467, Lecture 23 36/56

37 CPSC 467, Lecture 23 37/56

38 CPSC 467, Lecture 23 38/56

39 XKEYSCORE 11 NSA s widest-reaching program. It collects nearly everything a typical user does on the Internet, including the content of s and chats, visible in real time. It builds a searchable database of both metadata and communications content collected from around the world. Metadata is stored for 30 days, while the content for as little as a day. According to a leaked NSA slide, XKEYSCORE database held 41 billion Internet records over a 30 day period. CPSC 467, Lecture 23 39/56

40 XKEYSCORE: Search Capabilities 14 Queries using strong selectors ( addresses) or soft selectors (keywords). 1. Users of Tor and people who search for privacy-enhancing software Extremists aka the readers of Linux Journal NSA targets the privacy-conscious, J. Appelbaum, July 3, NSA: Linux Journal is an extremist forum and its readers get flagged for extra surveillance, Kyle Rankin, July 3, XKEYSCORE Rules CPSC 467, Lecture 23 40/56

41 Where is X-KEYSCORE? 15 Approximately 150 sites and over 700 servers. 15 XKEYSCORE: NSA s Google for the World s Private Communications, The Intercept, M. Marquis-Boire, G. Greenwald, and M. Lee, July 1, 2015 CPSC 467, Lecture 23 41/56

42 Practical Evidence of Traffic Hijacking Researchers from network intelligence firm Dyn Research observed numerous live Man-In-the-Middle (MITM) hijacks last year. Events lasted from minutes to days by attackers from various countries. Traffic improperly redirected by exploiting implicit trust placed in BGP (border gateway protocol). 16 Huge chunks of Internet traffic of financial institutions, government agencies, and network service providers have repeatedly been diverted. 16 Protocol to exchange routing and reachability information between autonomous systems (AS) 17 The New Threat: Targeted Internet Traffic Misdirection, Jim Cowie, Renesys, November 19, Repeated attacks hijack huge chunks of Internet traffic, researchers warn, Dan Goodin, November 20, Strange snafu hijacks UK nuke maker?s traffic, routes it through Ukraine, Dan Goodin, March 13, 2015 CPSC 467, Lecture 23 42/56

43 CPSC 467, Lecture 23 43/56

44 CPSC 467, Lecture 23 44/56

45 CPSC 467, Lecture 23 45/56

46 Traffic Analysis Attack Traffic analysis 20 is the process of analyzing patterns in communication in order to learn some information, frequently the sender s identity. An adversary can be passive and simply monitor the frequency and timing of communication, or be active and affect the communication by performing DoS attacks on chosen nodes, overloading the network on certain links, etc. 20 Sometimes the term is used to describe an adversary simply analyzing one s network activities. CPSC 467, Lecture 23 46/56

47 Traffic Analysis CPSC 467, Lecture 23 47/56

48 Traffic Analysis CPSC 467, Lecture 23 48/56

49 Aqua 21 Alternative high-bandwidth anonymity system that resists traffic analysis. Architecture similar to Tor: the core consists of Aqua servers that clients connect to. Traffic entering and exiting an Aqua network is made indistinguishable through a combination of chaffing and delayed flow start up. Also, traffic from a set of k-clients look indistinguishable and consequently the clients themselves. 21 Towards Efficient Traffic-analysis Resistant Anonymity Networks S. Le Blond et al., ACM SIGCOMM 2013 CPSC 467, Lecture 23 49/56

50 Intersection Attack An intersection attack is a type of a traffic analysis attack that focuses on the relation between online availability of users and certain actions. Assume that a series of anonymous blog posts consistently appears every Monday around 10am. Then, the set of users who have been online each time a post appears contains the blog owner, as opposed to the much bigger set of users who have been online when some posts appeared. An adversary can take snapshots of users available during specific times and intersect them. CPSC 467, Lecture 23 50/56

51 Intersection Attack CPSC 467, Lecture 23 51/56

52 Intersection Attack CPSC 467, Lecture 23 52/56

53 Petraeus-Broadwell Debacle 22 Jill Kelly complains about receiving a series of anonymous stalking s which seem to involve Gen. Petraeus (CIA Director). Mrs. Broadwell was identified as the sender of the s by comparing times when s were sent, locations where the s were sent from, and the lists of all people who were at those locations The investigation reveals an extramarital affair between Gen. Petraeus and Mrs. Broadwell Online PrivacySurveillance and Security Lessons From the Petraeus Scandal, C. Soghoian, November 13, CPSC 467, Lecture 23 53/56

54 Catching the High Country Bandits 23 Two men known as the High Country Bandits robbed 16 banks. FBI didn t have much luck identifying them. Finally, a witness reported a suspicious person a couple of hours before one of the robberies. The FBI asked a judge to approve a full cell tower dump, which included all phone numbers that communicated with a particular tower, from 4 of the robbery locations. Only a single number was included in 3 of the sets and another number in contact with the first one was in 2 sets. Further analysis discovered that both numbers were in most of the 16 robbery locations. They belonged to the two robbers How cell tower dumps caught the High Country Bandits and why it matters, N. Anderson, August 29, CPSC 467, Lecture 23 54/56

55 Buddies 24 Continuously simulate a global adversary to ensure minimum levels of anonymity. Allow to post messages only when safe ( anonymity set > k). Two metrics to measure anonymity: 1. Possinymity - plausible deniability 2. Indinymity - indistinguishability within a buddy set 24 Hang With Your Buddies to Resist Intersection Attacks, D. Wolinsky, E. Syta, and B. Ford,, CCS 2013 CPSC 467, Lecture 23 55/56

56 Additional Resources The Tor Project, How Tor works? by Artist Molly Crabapple and Writer John Leavitt EFF on NSA Spying on Americans The definitive guide to NSA spy programs CPSC 467, Lecture 23 56/56