Anonymity and Privacy

Similar documents
Protocols for Anonymous Communication

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

ENEE 459-C Computer Security. Security protocols (continued)

ENEE 459-C Computer Security. Security protocols

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 23

0x1A Great Papers in Computer Security

CS 134 Winter Privacy and Anonymity

Anonymity. With material from: Dave Levin and Michelle Mazurek

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

Anonymity With material from: Dave Levin

Privacy Enhancing Technologies CSE 701 Fall 2017

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Security and Anonymity

A SIMPLE INTRODUCTION TO TOR

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

CPSC 467b: Cryptography and Computer Security

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

Anonymity. Assumption: If we know IP address, we know identity

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Lecture 9. Anonymity in Cryptocurrencies

Introduction to Cybersecurity Digital Signatures

How Alice and Bob meet if they don t like onions

CNT Computer and Network Security: Privacy/Anonymity

Onion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J

Problem: Equivocation!

Anonymity. Christian Grothoff.

Anonymous communications and systems

Structure-Preserving Certificateless Encryption and Its Application

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

Anonymous communications: Crowds and Tor

Blind Signatures and Their Applications

CS526: Information security

ANET: An Anonymous Networking Protocol

ENEE 457: E-Cash and Bitcoin

ANONYMOUS CONNECTIONS AND ONION ROUTING

Bitcoin/Namecoin/*coin: On Bitcoin like protocols and their relation to other IT-Security issues

Computer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017

Anonymous Connections and Onion Routing

Private Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Anonymity on the Internet. Cunsheng Ding HKUST Hong Kong

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Onion services. Philipp Winter Nov 30, 2015

Applied cryptography

Mixminion: Design of a Type III Anonymous R er Protocol

Peer-to-Peer Networks 14 Security. Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg

Crypto Background & Concepts SGX Software Attestation

Anonymity Analysis of TOR in Omnet++

Pseudonym Based Security Architecture for Wireless Mesh Network

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

CS Paul Krzyzanowski

On Privacy and Anonymity in Knowledge Externalization

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

CS232. Lecture 21: Anonymous Communications

Design and Analysis of Efficient Anonymous Communication Protocols

anonymous routing and mix nets (Tor) Yongdae Kim

Security: Focus of Control. Authentication

Distributed-Application Security

Introduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?

Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks

Herbivore: An Anonymous Information Sharing System

NYMBLE: Blocking Misbehaving Users in Anonymizing Networks

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

DISSENT: Accountable, Anonymous Communication

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

A Privacy-Aware Service Protocol for Ubiquitous Computing Environments

Security: Focus of Control

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

Blocking of Mischievous Users in Anonymizing Networks using Nymble System Srikanth Chintala, I.L. Narsimha Rao

Efficiency of large-scale DC-networks

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Anonymous communication with on-line and off-line onion encoding

Peer-to-Peer Systems and Security

A simple approach of Peer-to-Peer E-Cash system

Cryptanalysis of a fair anonymity for the tor network

The Design of an Anonymous and a Fair Novel E-cash System

Ergo platform. Dmitry Meshkov

EXTENDED NYMBLE: METHOD FOR TRACKING MISBEHAVING USERS ANONYMOSLY WHILE BLOCKING

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Anonymous Communications

2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w

Introduction to Computer Security

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

On Anonymity in an Electronic Society: A Survey of Anonymous Communication Systems

CISC859: Topics in Advanced Networks & Distributed Computing: Network & Distributed System Security. A Brief Overview of Security & Privacy Issues

Privacy-preserving PKI design based on group signature

Freedom of Speech: Anonymity. Steven M. Bellovin February 17,

Secure Multiparty Computation

Provable Anonymity. Epistemic Logic for Anonymizing Protocols. Ichiro Hasuo. Radboud University Nijmegen The Netherlands

Anonymous Credentials through Acid Mixing

Achieving Privacy in Mesh Networks

Public-Key Infrastructure NETS E2008

Optimal Payoff for Selective Traceable Anonymity of a Network System

Remote E-Voting System

Transcription:

Computer Security Spring 2008 Anonymity and Privacy Aggelos Kiayias University of Connecticut

Anonymity in networks Anonymous Credentials Anonymous Payments Anonymous E-mail and Routing E-voting Group, Traceable and Ring Signatures

Blind Signatures Chaum 82 signing key Signer signing protocol User message pk unlinkable signature that can be verified against m, pk

Anonymous Credentials Blind signature Authority get (blinded) credential + id User sign(cred) Show credential receive service Verify credential is used for the first time Gateway Check credential structure + signature

Applications Anonymous credentials: each credential can be used once and it is unlinkable to the act of showing the id. Can be used to disassociate the id from receiving the service.

Electronic Cash Withdraw $5 Blind signature Bank show (blinded) Bank,nonce + id User sign$5-bank(bank,nonce) Show E-Coin receive goods Verify coin was not spent Shop Check coin structure + signature

Anonymous Communication User Proxy User Web-site Web-site Trusted party anonymity

Dining Cryptographers anonymous communication without trusted party The waiter announces that the bill is payed! Did one of the cryptographers pay? or did the NSA pick up the bill? If a cryptographer payed he wishes to remain anonymous.

Dining Cryptographers Consider a dinner for three: Each cryptographer flips a coin Shows the coin to the person on the left If coins are same and he is not paying he announces Same... similarly for Different ) If coins are same and he is paying he flips his answer

Analysis If the number of Same is even then a cryptographer is paying. If the number of Same is odd then NSA is paying! A non-payer cannot distinguish which one of the other two is paying.

Indistinguishability of Payer A B is paying A is paying B H T H H Diff Same Diff Same H Same H Same C curious C curious

DC-Net Setting generalizes to arbitrary number of parties. It allows one party (the announcing party) to anonymously send one bit of information to everybody that is present. Parties keep on repeating the protocol constantly. Whenever one party wants to transmit the message it transmits it in binary. Once a party starts to speak no other party starts speaking till a given fixed termination bitstring is sent. if two parties start together they stop and wait a random number of rounds.

Anonymity and the Internet Whistle-blowing. Fear of censorship or prosecution. Communication regarding sensitive personal issues.

Cypherpunk Remailer From: Aggelos Kiayias <aggelos@cse.uconn.edu> To: remailer@bigapple.yi.org :: Anon-To: a_friend@myfriends.com remailer ## Subject: This is the subject... From: Anonymous <BigappleRemailer@bigapple.yi.org> To: a_friend@myfriends.com Subject: This is the subject... list of active remailers + statistics: http://stats.melontraffickers.com/

Cypherpunk Encrypted From: Aggelos Kiayias <aggelos@cse.uconn.edu> To: anonymous@remailer.net :: Encrypted: PGP remailer ----- Begin PGP Message ------ Version ----- End PGP Message ----- From: anonymous@remailer.net To: a_friend@myfriends.com Subject: This is the subject...

Remailer Chains From: Aggelos Kiayias <aggelos@cse.uconn.edu> To: anonymous@remailer.net :: Anon-To: anonymous@remailer2.net :: Anon-To: anonymous@remailer3.net ## Subject: This is the subject... remailer remailer remailer

Q Mix Network David Chaum, Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, CACM 81 P msg1 D msg2 A B C msg2 msg1 Not possible to relate whether P send msg1 or msg2 and similarly for Q (as long as there is one honest mix)

Using Encryption fixed block size Encrypted with Public-key of A Send to B; sym_key1 Encrypted with sym_key1 Encrypted with sym_key2 fixed block size Encrypted with sym_key1 Encrypted with Public-key of B Send to C; sym_key2 Encrypted with sym_key1 Encrypted with sym_key3 destination/ info payload fixed block size fixed block size Encrypted with sym_key2 Encrypted with Public-key of C Stop; sym_key3

Following the route sender A B junk C junk destination junk

Mixmaster A mixnet implementation for remailing. Message may be split into packets and each packet is routed differently (but with the same final routing destination who should assemble). Each mix node relays messages in batches after randomly permuting them [consistent with the standard notion of mixnets]. Payload can be either e-mail, or usenet posting or dummy message (why a dummy?). http://www.abditum.com/mixmaster-spec.txt

Limitations Lack of bidirectional communication: especially problematic if you want to use anonymity with bidirectional protocols. Possibility of replay attacks: can be handled by keeping a log of sent messages and compare. Abuse, flooding, etc.

Onion Routing Hiding routing information, by D. M. Goldschlag, M.G.Reed, P.F. Syverson, Information Hiding Workshop 1996 An onion directed to a node A is comprised of the following: expiration_time next_hop Forward(.) Backward(.) Key_material PAYLOAD Encrypted with PK of A can be another onion

Onion Layers expiration_time next_hop = B Forward(.) Backward(.) Key_material expiration_time next_hop = D Forward(.) Backward(.) Key_material expiration_time next_hop = null null null null Encrypted with PK of D Encrypted with PK of B Encrypted with PK of A payload

S Onion Peeling expiration_time next_hop Forward(.) Backward(.) Key_material PAYLOAD Encrypted with PK of A Create Mode B A 1. Decrypt layer 2. check expiration time 3. Initialize Forward(.) crypto engine using Key_material 4. Initialize Backward(.) crypto engine using Key_material 5. Pad PAYLOAD to maintain fixed size. 6. Forward PAYLOAD to next_hop node.

S [.,5123] Circuit Creation ACI = Anonymous Connection Identifier choose an ACI = 5123 forward movement create - mode [8612, 2523] B A choose an ACI = 8612 forward movement create - mode choose an ACI = 2523 forward movement create - mode [5123, 8612] Once the create mode is done there exists a bidirectional link D [2523, outside connection ]

S [.,5123] Forwarding DATA [8612, 2523] defined in first onion B Forward1(.) defined in second onion Forward2(.) A the cirtcuit delivers: [5123, 8612] Forward2(Forward1( DATA) ) thus we may define: DATA = Forward1-1 (Forward2-1 (MESSAGE) ) D [2523, outside connection ]

S [.,5123] Responding defined in first onion [8612, 2523] Backward1(.) defined in second onion B Backward2(.) DATA A the circuit delivers: [5123, 8612] Backward2(Backward1( DATA) ) thus S recovers the data: DATA = Backward1-1 (Backward2-1 (MESSAGE) ) D [2523, outside connection ]

Implementing Onion Routing Tor http://tor.eff.org/ Each host runs an onion proxy locally. TCP/IP traffic can be directed through virtual circuits created by onions.

Problems with Tor

Hidden Identity Based Signatures Kiayias - Zhou (2007) Hidden ID-based signatures: a digital signature where the corresponding public-key is your name & is (provably) hidden into the signature. The hiding can be inverted by the OA. name the OA can open this signing key Identity Manager pkim signature that provably contains name and can be verified against pkim

a glimpse

Applying HiddenIBS to TOR How to calibrate anonymity of Tor using Hidden-IBS Add three entities in Tor: Identity manager (IM) A Disputes & Grievances (D&G) database An opening authority (OA)

Goals Minimal anonymity loss if misbehavior does not occur. Minimal efficiency impact for services that do not require anonymity control. Transparency to service providers. the service providers accepting Tor traffic should not have to assist the system [except providing the necessary forensic information]

HiddenIBS + Tor Modify Tor Exit policy: certain type of packets must be HiddenIBS ed [e.g., http POST requests] Modify user s onion proxy : it catches such packets and signs them using user s HiddenIBS signing credential. If user does not have a credential, the onion proxy directs user to IM to get one. Modify exit point: beyond forwarding the packet it registers it to the D&G database (only the hash + signature need to be registered).

Overview

realization issues What is a user s identity and how does the Identity Manager verifies it? IP address, e-mail address, id in a reputation system, etc. How to deal with misbehaving users? black-listing. revocation of credentials, time-based or reactive.

anonymity scalability Disputes & Grievances database contains: hashes of packets + HiddenIBS signatures. we include nonces in the packets to increase entropy. The D&G size is manageable: using a SHA-256 hash + our bilinear map based scheme with a 10GB we can store ~ 27.3 million entries.

properties Minimal anonymity loss : D&G database leaks no information about Tor usage, if no misbehavior occurs. Minimal efficiency impact for services that do not require anonymity control: only a few types of packets need to be signed. Transparency to service providers: a simple packet log is enough to make an abuse report resulting in blacklisting a user.

other applications Approach is fairly general. application to other anonymous access systems is possible. other web-sites than wikipedia need similar abuse protection; e.g. slashdot. More services: e.g., SMTP traffic is blocked. Using HiddenIBS it can be opened.

Blind Signatures message User signed message blinded message scrambled signature Signer we have seen already its application to e-cash and anonymous tokens. Another anonymity/privacy application : e-voting

E-Voting using Blind Signatures choice voter PC blinded choice, proof of identity scrambled signature Election official signed choice Anonymous Channel Results Vote tabulation

Group Signatures D. Chaum, E. van Heyst, 1991 PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf Group Manager message PKI-member signature Opening Authority Charlie Verifier Is convinced that a PKI member signs message but not which one

Applications Can be used to hide the origin of a transaction. Prove that you belong in a group without showing who you are. They allow Opening Authority to reveal the identity in case of dispute.

Traceable Signatures PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf A. Kiayias, Y. Tsiounis M. Yung, 2004 Group Manager PKI-member PKI-member PKI-member Opening Authority signature signature signature Tracing Authority Verifier Charlie Is convinced that a PKI member signs message but not which one Verifier Verifier Charlie s

Applications As in group signatures but now it is possible to: The tracing authority to find all signatures of a wanted user A user to claim his signatures.

Ring Signatures PKI Alice, pka Bob, pkb Charlie, pkc David, pkd Eric, pke Frank, pkf message PKI-member signature Verifier Is convinced that either Eric, Frank or Bob signs the message but it is unclear which one whistle-blowing etc.

Privacy for Trusted Computing Your hardware proves its identity but only using an identification schema based on the previous signatures. Your anonymity can be preserved and still prove you are among the good guys opening functionality can be disabled. Direct Anonymous Attestation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback