DC Networks The Protocol. Immanuel Scholz

Transcription

1 DC Networks The Protocol Immanuel Scholz

2 toc Introduction Time Excluding bad clients Key Exchange On demand disclosure Literature 2

3 Introduction 3

4 Is the meal paid by one of the cryptographers? k ab Bob k bc key exchange key exchange k ab Alice Charlie k bc k ac key exchange k ac Introduction 4

5 Is the meal paid by one of the cryptographers? k ab Bob Bob: k ab k bc m bob k bc key exchange Everybody: key exchange k ab k ac m alice k ab k bc m bob k ac k bc m charlie =m alice m bob m charlie k ab Alice: Alice k ab k ac m alice k bc Charlie: Charlie k ac k bc m charlie k ac key exchange k ac Introduction 5

6 Remember the one time pad k m If an attacker knows k m and if k is random, he does not learn anything about m In other words: Key k hides the cleartext m Introduction 6

7 Bob does not learn anything k ab Bob Bob: k ab k bc m bob k bc key exchange key exchange Bob can learn: k ac m alice and k ac m charlie k ab Alice: Alice k ab k ac m alice k bc Charlie: Charlie k ac k bc m charlie k ac key exchange k ac Introduction 7

8 Sender and receiver anonymity Everybody exchanges keys with everybody Sender Anonymity Everybody gets every message Receiver Anonymity Introduction 8

9 Time 9

10 Rounds, separated by ticks In each round, each client needs to: Get the list of all participants (may have changed) Prepare and send the new message Get the message of the last round Know, that all others have received the message of the last round Time 10

11 The protocol Tick Round Server Tick get participants send receive message receive confirmation that others got message Client add all keys Time 11

12 Timing attack Attacker knows who sends at which time A client answering too fast did not send the answer "Everything understandable?" "No, the lecturer sucks!!1!" too short for human reaction other Alice Alice other participants participants Time 12

13 Timing attack Solution: Server return message after client sends All clients receive messages delayed at least one round Nice side effects: Only client server communication ( firewall proof ) Client receives implicit confirmation (or else last round message is broken) Time 13

14 The protocol Tick Tick Tick Round Round get participants send receive message = confirmation of last round get participants send next round receive message = confirmation Client add all keys add all keys Time 14

15 Excluding bad clients 15

16 Broken and malicious clients Broken clients Server logs out any client that did not send Ban lists, reputation systems etc... Malicious clients Anonymous reservation scheme and trap messages Google DSuKrypt.pdf, page , Excluding bad clients 16

17 Key Exchange 17

18 Remember: Diffie & Hellman Alice Server p,q Bob choose x alice choose x bob mod p publish q x bobmod p q x alice k ab = q x bob x alice =q x alice x bob k ab = q x alice x bob =q x alice x bob Key Exchange 18

19 Diffie & Hellman No direct client to client communication needed Complete key graph Easy distribution Exchange seeds for random number generator Unfortunately, keys become provable But: Clients can always exchange real one time pads (they even do not have to tell the server) Key Exchange 19

20 On demand disclosure 20

21 Original scheme by David Chaum Participants sign round keys Alice and Bob exchange their signatures In case of disclosure, all participants publish their keys Alice verifies Bob's key and vice versa On demand disclosure 21

22 "Watchmen" scheme n predefined watchmen may work together to disclose sender Client splits round key into n parts Send one part to each watchman In case of disclosure, all watchmen post their parts to reconstruct the round key On demand disclosure 22

23 How to split a key How to split a key k into n parts k 1 to k n? Generate n 1independent random numbers r 1 to r n 1 k i =r i for all but k n n 1 k n =k i=1 r i To join parts together, add them n i=1 n 1 k = i i=1 n 1 k i k = n i=1 n 1 r i k r i =k i=1 On demand disclosure 23

24 Split keys to Dickens and Elisa Dickens r b Bob k ab k bc r b Elisa r a k ac k bc r c Alice k ab k ac r a r c Charlie On demand disclosure 24

25 Split keys to Dickens and Elisa Dickens Dickens says: Bob Elisa says: Elisa r a r b r c k ab k ac r a k ab k bc r b k ac k bc r c = r a r b r c Everyone: 0 Alice Charlie On demand disclosure 25

26 Why do the watchmen learn nothing? The first watchmen receive random numbers. Obviously, they learn nothing about k n 1 k i=1 n 1 n 1 r i is a one time pad with r i as key i=1 The published values only consist of random numbers r a r b r c and r a r b r c On demand disclosure 26

27 Problem: Conspiration Alice and Bob exchange an additional key l ab They add l ab sent to Dickens and Elisa to their round message, but not to the key Sum of Dickens and Elisa is still 0 On disclosure, both round keys from Alice and Bob mismatch (by resp. ) l ab l ab Of course, both could be considered bad guys On demand disclosure 27

28 Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g. 5 out of 10 Google DSuKrypt.pdf, page Using Adi Shamirs polynomial interpolation, some restrictions occur All participants must use same set of watchmen (may be necessary anyway) Each watchman must get the same x coordinates from every participant On demand disclosure 28

29 Comparison Comparing the disclosure scheme by David Chaum: Both schemes are insecure against conspirations Using watchmen, a conspiration can not be formed after the message is published Using watchmen, no communication to the participants needed after message is published The disclosure can be kept secret On demand disclosure 29

30 Serverless Why do we need a server at all? Participants publish their rounds on MySpace, Blog, Forum etc. Login by invitation: Someone send the new participants DH key + Publishing URL within the DC Network Auto Logout by not publishing once Who is going to do the data retention? ; ) On demand disclosure 30

31 Thanks Interesting stuff: D.Chaum, The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability (Journal of Cryptology, vol. 1 no. 1, 1988, pp or A.Pfitzmann, Datensicherheit und Kryptographie ( dresden.de/~pfitza/dsukrypt.html, pp and German language) Literature 31