Scavenging for Anonymity with BlogDrop

Transcription

1 Scavenging for Anonymity with BlogDrop Henry Corrigan- Gibbs Yale University Bryan Ford Provable Privacy Workshop 9-10 July 2012 Vigo, Spain

2 MoNvaNon Alice is a cinzen of country X Alice uses Tor to make an anonymous blog post to a server inside of country X Government of country X wants to find out post author s idennty how hard is that? 2

3 MoNvaNon Country X Blog Server Alice 3

4 MoNvaNon Tor average daily users in Q1 2012: ~ in Iran ~ in Syria ~2 000 in China Gov t X can t arrest thousands of people on a hunch what if the blog post has a Nmestamp? Tor stats from h]ps://metrics.torproject.org/ 4

5 Internet Usage in a Day Percentage of Day's Users Online 12% 11% 10% 9% 8% 7% 6% 5% 4% 3% 2% 1% 0% Hour of Day If Alice is hiding among 3% of daily Tor users in China, she might be in trouble AOL Web Search Data Set Data mirrored at h]p:// data/ 5

6 State of the art User Sessions Nme Anonymity set as large as the number of online users 6

7 Outline MoNvaNon Overview: Anonymity scavenging Ciphertext construcnon Conclusion 7

8 Anonymity Scavenging Can Alice increase latency to gain anonymity? High- latency systems are unpopular à unsafe Mixmaster/mixminion vs. Tor Would like low- latency Bobs to protect high- security Alices Same monvanon as alpha mixing (Dingledine et al. PETS 06) 8

9 Anonymity over Nme User Sessions Nme 9

10 Anonymity over Nme User Sessions Blog A 10

11 Anonymity over Nme User Sessions Blog B 11

12 BlogDrop Features Anonymous comm protocol in which user defines anonymity set size (vs. latency) High- security Alices hide amongst low- latency Bobs Accountable: protocol violanons detectable At least one server is honest All users have pseudonym PK of blog author more on this later 12

13 Bob s Ciphertexts for Blogs A and B Blog A Blog B Server X 13

14 Server X 14

15 Server X 15

16 Server X 16

17 Server X 17

18 Server X 18

19 Server X 19

20 Server X 20

21 Server X 21

22 Server X 22

23 Server X 23

24 Server X 24

25 Server X 25

26 When each server has collected enough ciphertexts to sansfy closure the servers each add their own ciphertext to the set Server X 26

27 Server X 27

28 Server X 28

29 Plaintext Server X 29

30 Closure CondiNon How long do servers wait before revealing the plaintext message? Blog author picks a closure condinon Aoer 9 July 2012 AND when there are 10 ciphertexts Aoer Alice, Bob, Carol, and Dave (idennfied by PKs) have all submi]ed ciphertexts When there are $ in Swiss bank acct # Others à Closure condinon defines anon set à Poorly chosen closure condinons create anonymity risks area for future work 30

31 Plaintext Server X 31

32 Server X 32

33 Server X 33

34 Server X 34

35 Server X 35

36 Server X 36

37 Server X 37

38 Server X 38

39 Server X 39

40 Server X 40

41 Server X 41

42 Server X 42

43 Review Scavenging: Blog A and Blog B have different latencies and different anonymity set sizes One honest server enforces closure condi2on I omi]ed many details e.g., Servers can fla4en ciphertexts into an O(L) size ciphertext avoids O(NL) storage How servers agree on ciphertexts 43

44 Outline MoNvaNon Overview: Anonymity scavenging Ciphertext Conclusion 44

45 Ciphertext ConstrucNon Server X (g x ) Alice (g a ) g ax g ay g az + m Using some group G = <g> in which ElGamal cryptosystem is secure mg a(x+y+z) Client/server secret graph (Chaum 88) (Wolinsky et al., Eurosec 12) 45

46 Ciphertext ConstrucNon Server X (g x ) Alice (g a ) g ax g ay g az + m Bob g bx g by g bz mg a(x+y+z) g b(x+y+z) 46

47 Ciphertext ConstrucNon Alice (g a ) Bob Carol Server X (g x ) g ax g bx g cx g ay g by g cy g az g bz g cz + m mg a(x+y+z) g b(x+y+z) g c(x+y+z) 47

48 Ciphertext ConstrucNon Alice (g a ) Bob Carol Server X (g x ) g ax g bx g cx g - x(a+b+c) g ay g by g cy g - y(a+b+c) g az g bz g cz + m g - z(a+b+c) mg a(x+y+z) g b(x+y+z) g c(x+y+z) Client/server secret graph (Chaum 88) (Wolinsky et al., Eurosec 12) 48

49 m g - x(a+b+c) g - y(a+b+c) g - z(a+b+c) mg a(x+y+z) We exploit ElGamal s mulnplicanve homomorphism to recover the plaintext Ciphertexts use iteranve ElGamal encrypnon. Non- author plaintext=1 g b(x+y+z) g c(x+y+z) 49

50 PrevenNng Denial of Service Assume that all users know anon author s PK PoK{ a, k: (C alice = (g x g y g z ) a A = g a ) K = g k } Alice knows the log of C alice and that log is equal to her private key. i.e., Alice generated her ciphertext correctly ~ OR ~ DoS- resistant DC- net (Golle and Juels, Eurocrypt 04) Alice knows the author s secret key and Alice can send whatever she wants 50

51 Policy Document The Catch 22: To get anonymous communicanon, need to anonymously communicate the blog parameters author s pseudonym PK, closure condinon, post length, etc Not quite: policy document only needs to be distributed once to set up blog e.g., Use once- per- month mix to shuffle policy documents 51

52 Outline MoNvaNon Overview: Anonymity scavenging Ciphertext construcnon Conclusion 52

53 Conclusion Most exisnng systems allow user to be anonymous only among set of online users BlogDrop (via anonymity scavenging) gives anonymity among set of users High- security users hide amongst low- latency users DoS- resistant 53

54 54