Introduction to Cybersecurity Digital Signatures
Lecture Summary
- Digital Signatures
  - Basic Definitions
  - RSA-based Signatures
  - Attacks
Digital Signatures
Goal of digital signatures (figure: Alice signs the plaintext with her private key; Bob verifies the plaintext together with its signature using Alice's public key):
- Only the secret key allows for creating signatures.
- Everybody can verify the validity of signatures using the respective public key.
- Signatures serve as undisputable evidence that the respective person signed the message.
Definition of Digital Signatures
Definition: Digital Signatures. A digital signature scheme is a triple of algorithms $(K, S, V)$ such that:
- The randomized key generation algorithm $K$ takes no input and returns a key pair $(pk, sk)$.
- The (randomized or stateful) signing algorithm $S$ takes a secret key $sk$ and a message $m$ and returns a tag $t$.
- The deterministic verification algorithm $V$ takes a public key $pk$, a message $m$ and a tag $t$ and returns a bit $b \in \{0, 1\}$.
The message space $M_{pk}$ for a public key $pk$ is the set of all $m$ such that $S(sk, m)$ does not output a distinguished error symbol for all $sk$ with $(pk, sk) \in [K]$.
Correctness: the above algorithms have to satisfy the following property: for any key pair $(pk, sk) \in [K]$, any message $m \in M_{pk}$, and any tag $t \in [S(sk, m)]$, we have that $V(pk, m, t) = 1$.
Definition of Digital Signatures
Technical difference to public-key encryption:
- Signature schemes often maintain state.
Differences to MACs and their consequences:
- Key transmission has to be authentic but not necessarily secret.
- Non-repudiation! (Signatures can be used as evidence at a third party.)
CMA Game (for digital signatures)
Experiment $\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n}$ between Challenger($n$) and Adversary($n$):
- Challenger: $(pk, sk) \leftarrow K$; sends $pk$ to the adversary.
- Adversary: adaptively queries messages $m_i \in M_{pk}$ and receives tags $t_i \leftarrow S(sk, m_i)$, for $i = 1, \dots, q$.
- Adversary: outputs a forgery $(m^*, t^*)$.
- Output 1 if $V(pk, m^*, t^*) = 1$ and $(m^*, t^*) \notin \{(m_1, t_1), \dots, (m_q, t_q)\}$.
Definition: CMA-Security of digital signatures. A sequence of signature schemes $I = (I_n)_{n \in \mathbb{N}} = (K_n, S_n, V_n)_{n \in \mathbb{N}}$ is secure against existential forgery under chosen-message attack (CMA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$ we have that $\Pr[\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n} = 1]$ is negligible.
Naïve RSA-based Signatures
Naïve use: key generation as for RSA encryption, for primes $p, q$:
- Set $N \leftarrow pq$.
- Pick random $e$ with $1 < e < \varphi(N)$ and $\gcd(e, \varphi(N)) = 1$. ($N$ and $e$ can be publicly known.)
- Set $d \leftarrow e^{-1} \bmod \varphi(N)$.
- Set $pk \leftarrow (N, e)$ and $sk \leftarrow d$.
- Output $(pk, sk)$.
Naïve RSA-based Signatures
Naïve use: signing $S(sk, m)$:
- Set $t \leftarrow m^d \bmod N$ and output $t$.
Verifying $V(pk, m, t)$:
- Test whether $t^e \equiv m \pmod N$ and output $b \in \{0, 1\}$ accordingly.
Correctness: $t^e \equiv m^{ed} \equiv m \pmod N$.
Attacks on Naïve RSA-based Signatures
Existential forgery under passive attacks: given $(N, e)$, the adversary has to find $(m, t)$ such that $t^e \equiv m \pmod N$.
- Idea: pick an arbitrary $t$ and output $(t^e \bmod N,\ t)$.
- This is a forgery on the message $t^e \bmod N$.
Attacks on Naïve RSA-based Signatures
Selective forgery under active attacks (blinding attack): the adversary wants a signature on $m$.
- Pick random $r \in \mathbb{Z}_N^*$ and compute $m' \leftarrow m \cdot r^e \bmod N$.
- Ask the signer to sign $m'$. Result: $(m', t')$ with $t'^e \equiv m' \pmod N$.
- Compute $t \leftarrow t' \cdot r^{-1} \bmod N$.
- Indeed we have $t^e \equiv t'^e \cdot r^{-e} \equiv m' \cdot r^{-e} \equiv m \cdot r^e \cdot r^{-e} \equiv m \pmod N$.
Originally an attack against RSA signature schemes; now a special primitive (blind signature) used in anonymous digital cash, election systems, etc.
Attacks on Naïve RSA-based Signatures
Countermeasures:
1. Add redundancy to the message.
2. Hash the message before signing.
Hash-then-sign is a general concept, often even introduced as the only way to sign in textbooks.
- Advantage: allows for signing arbitrarily long messages.
- Which properties are required of the hash function to make the system secure?
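Added example (not part of the lecture slides): a toy implementation of the naïve RSA signature scheme with constructed tiny parameters (p = 61, q = 53, e = 17), showing that the passive forgery and the blinding step from the previous slides are accepted by naïve verification, and how hash-then-sign changes what gets signed. The hash reduction mod N is an assumption for the toy; it is not a real padding scheme.

```python
# Toy textbook RSA signatures (constructed tiny parameters; educational only).
import hashlib
from math import gcd

P, Q, E = 61, 53, 17   # constructed toy primes and public exponent

def keygen(p=P, q=Q, e=E):
    """Naive RSA key generation: pk = (N, e), sk = d with e*d = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)

def sign(sk, pk, m):
    """Naive signing: t = m^d mod N."""
    return pow(m, sk, pk[0])

def verify(pk, m, t):
    """Naive verification: accept iff t^e = m (mod N)."""
    n, e = pk
    return pow(t, e, n) == m % n

def existential_forgery(pk, t):
    """Passive attack from the slides: any t is a valid tag on the message t^e mod N."""
    n, e = pk
    return pow(t, e, n), t

def blind(pk, m, r):
    """Blinding step: m' = m * r^e mod N hides m from the signer."""
    n, e = pk
    return (m * pow(r, e, n)) % n

def unblind(pk, t_blind, r):
    """Unblinding: t = t' * r^-1 mod N is a valid signature on the original m."""
    n, _ = pk
    return (t_blind * pow(r, -1, n)) % n

def digest(m_bytes, n):
    """Hash-then-sign: the signed value is H(m) reduced into Z_N (toy assumption; with
    a real-sized N a forged t^e is a random digest with no known preimage message)."""
    return int.from_bytes(hashlib.sha256(m_bytes).digest(), "big") % n

def sign_hashed(sk, pk, m_bytes):
    return sign(sk, pk, digest(m_bytes, pk[0]))

def verify_hashed(pk, m_bytes, t):
    return verify(pk, digest(m_bytes, pk[0]), t)

if __name__ == "__main__":
    pk, sk = keygen()
    print("honest signature verifies:", verify(pk, 65, sign(sk, pk, 65)))
    fm, ft = existential_forgery(pk, 1234)
    print("forgery accepted by naive scheme:", verify(pk, fm, ft))
    t = unblind(pk, sign(sk, pk, blind(pk, 65, 7)), 7)
    print("unblinded signature valid on m:", verify(pk, 65, t))
```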
Introduction to Cybersecurity Anonymity and Privacy
Lecture Summary
- Introduction to Privacy
  - Motivation
  - Example: Browser Cookies
  - Basic Principles of Data Protection
- Network Anonymity
  - Dining Cryptographers
  - Mix-Networks
- Low Latency Anonymous Communication
  - VPNs, Onion Routing and Tor
  - Tor Vulnerabilities
Motivation: What is privacy?
"Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means that something is inherently special or sensitive to them. The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as protection of information." (Wikipedia, 2014)
Motivation: Privacy in the Internet
Alice shares her opinion in an online social network. As a consequence, her employer, who dislikes that opinion, fires Alice.
(Comic: Alice posts "I like cats, but I hate dogs."; her employer thinks "Alice insults my dog! Time to get rid of her.")
Examples of Privacy Breaches: Online Advertisement, Cookie Tracking
What is a cookie?
Refresher: What is a Cookie?
HTTP request from the browser to www.example.com:
  GET /index.html HTTP/1.1
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  Connection: Keep-Alive
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Host: www.example.com
  Referer: http://www.google.com?q=dingbats
HTTP response from www.example.com (the Set-Cookie header stores a cookie in the browser):
  HTTP/1.0 200 OK
  Date: Sun, 21 Apr 1996 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Set-Cookie:
  Content-Length: 2543
  <HTML> Some data... blah, blah, blah </HTML>

Refresher: What is a Cookie?
Subsequent HTTP request from the browser to www.example.com (the Cookie header is always sent back to this server during the cookie's time to live):
  GET /index.html HTTP/1.1
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  Connection: Keep-Alive
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Host: www.example.com
  Referer: http://www.google.com?q=dingbats
  Cookie:
HTTP response from www.example.com:
  HTTP/1.0 200 OK
  Date: Sun, 21 Apr 1996 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Set-Cookie:
  Content-Length: 2543
  <HTML> Some data... blah, blah, blah </HTML>
Examples of Privacy Breaches: Online Advertisement, Cookie Tracking
(Figure: Bob visits www.economist.com, www.sportsnews.com and www.pcworld.com. Each page triggers an HTTP request for ad images to ad.doubleclick.net, passing cookies and the referrer, so doubleclick.net learns "Bob just visited economist.com", and later "pcworld.com".)
Tradeoff: Utility vs. Privacy
The doctor needs private information about you in order to make a qualified diagnosis. If you hide relevant but private information, this may lead to a false diagnosis.
(Comic: Patient: "My symptoms include fever and headache." Doctor: "Maybe you have the flu.")

Tradeoff: Utility vs. Privacy
The doctor needs private information about you in order to make a qualified diagnosis. If you hide relevant but private information, this may lead to a false diagnosis.
(Comic: Patient: "Last week, I was in a tropical region and now I suffer from fever and headache." Doctor: "To be sure, we need to test you for malaria.")
Differences to Other Security Goals
A large part of privacy is about what other parties actually do with your data. Even if you are sure that only your doctor knows your private data, what does he do with this information? Does he use your data only for the intended purpose, without further distributing it to other parties?
Basic Principles of Data Protection Law in Germany
Prohibition with reservation of permission (Verbot mit Erlaubnisvorbehalt): collecting personal data is forbidden, unless
- it is explicitly permitted by the law, or
- the person concerned gave explicit consent.
Principle of immediacy: the personal data have to be collected directly from the person concerned.
Principle of data avoidance and data economy: a data processing system should strive to use no (or as little as possible) personally identifiable data.
Basic Principles of Data Protection Law in Germany
Principle of transparency: a person whose data are collected has to be informed about the purposes of collection, processing and use.
Principle of earmarking (purpose limitation): if data are collected for a particular purpose, processing them is strictly bound to this purpose.
Anonymity
Anonymity is the state of being not identifiable within a set of subjects/individuals.
The Internet is designed to be a public place:
- Routing information is public.
- IP packet headers identify source and destination.
- Even a passive observer can easily figure out who is talking to whom.
Encryption does not and cannot hide identities:
- Encryption hides the payload, but not the routing information.
Anonymity in the Digital Era
Positive aspects:
- Avoiding detection, retribution, and embarrassment
- Freedom of expression
- Whistle-blowing ...
Negative aspects (illegal activity):
- Anonymous bribery
- Copyright infringement
- Harassment and financial scams
- Disclosure of trade secrets ...
Anonymity vs. Privacy
Privacy:
- Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
Anonymity:
- The state of being not identifiable within a set of subjects/individuals.
- It is a property exclusively of individuals.
Privacy != Anonymity:
- Anonymity is one way to maintain privacy, and sometimes it is not necessary.
Anonymity vs. Privacy
Privacy-preserving protocols are not pervasively used.
- Reasons: efficiency, overhead, law, surveillance.
The Internet has become a mass surveillance system.
- NSA's Prism program; see http://prism-break.org/
(Figure: global heat map of the Prism program. Credit: The Guardian)
Anonymous Communication: A Simple Example
Three cryptographers are having dinner. Either the NSA is paying for the dinner, or one of them is paying but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor.
   - Every diner will see two coins: his own and his right neighbor's.
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. Odd number of "same" announcements: the NSA is paying; even number of "same": one of them is paying.
   - But a non-payer cannot tell which of the other two is paying!
Dining Cryptographers
(Figure: three diners, each sharing a secret coin with his left diner; the announcements shown are "different", "different" and "?".)
- Share a secret coin with the left diner.
- Can you infer who pays? Here: the NSA pays.
Dining Cryptographers
(Figure: three diners, each sharing a secret coin with his left diner; the announcements shown are "same", "different" and "?", and either of the two other diners could be the payer.)
- Share a secret coin with the left diner.
- Can you infer who pays? Without knowing the coin toss between the other two, a non-payer cannot tell which of them is lying.
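Added example (not from the lecture slides): a simulation of the dining cryptographers protocol for an arbitrary number of diners, which generalizes the three-diner rule above. The function names and the ring orientation (coin[i] is shared between diner i and diner i+1) are assumptions of this example; the last function reproduces the slide's point by enumerating every payer that is consistent with what a single non-payer can see.

```python
# Dining cryptographers for n diners arranged in a ring (constructed toy simulation).
import secrets
from itertools import product

def announce(coins, payer):
    """Diner i compares coin[i] (shared with the left neighbour) and coin[i-1]
    (shared with the right neighbour) and announces whether they are the same.
    The payer (index, or None if the NSA pays) lies."""
    n = len(coins)
    ann = []
    for i in range(n):
        same = coins[i] == coins[(i - 1) % n]
        ann.append(same if i != payer else not same)
    return ann

def somebody_paid(announcements):
    """Parity of the 'different' announcements. Around the ring every coin is
    compared twice, so the honest parity is 0 and it becomes 1 exactly when one
    diner lied. For n = 3 this is the slide's rule: an odd number of 'same'
    announcements means the NSA pays."""
    return sum(not a for a in announcements) % 2 == 1

def run_dinner(n, payer=None, coin=secrets.randbits):
    """One protocol round with fresh random coins; returns the announcements."""
    coins = [coin(1) for _ in range(n)]
    return announce(coins, payer)

def candidates_from_view(observer, own_coins, announcements):
    """Who could be paying from a non-payer's point of view? own_coins is
    (coin[observer-1], coin[observer]); all other coins are unknown, so every
    completion of them and every other diner as payer is tried."""
    n = len(announcements)
    unknown = [i for i in range(n) if i not in (observer, (observer - 1) % n)]
    possible = set()
    for bits in product((0, 1), repeat=len(unknown)):
        coins = [None] * n
        coins[(observer - 1) % n], coins[observer] = own_coins
        for idx, b in zip(unknown, bits):
            coins[idx] = b
        for payer in range(n):
            if payer != observer and announce(coins, payer) == announcements:
                possible.add(payer)
    return possible

if __name__ == "__main__":
    ann = announce([1, 0, 1], payer=2)          # constructed coins, diner 2 pays
    print("announcements:", ann, "somebody paid:", somebody_paid(ann))
    print("diner 0 can only narrow the payer to:", candidates_from_view(0, (1, 1), ann))
```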
Anonymous Network Communication
Entities (subjects and objects) and actions: subjects execute actions on objects.
Subjects called senders send objects called messages to subjects called recipients using a communication network.
(Figure: Senders -> Communication Network -> Recipients, carrying Messages.)
Network Adversary
The attacker uses all information available to him to infer (probabilities of) his items of interest (IOIs).
Attacker capabilities:
- He controls some communication lines and a few subjects.
- He is not able to get information on the sender or recipient from the message content.
(Figure: the attacker observes parts of the communication network between senders and recipients.)
Anonymity Notions
Various notions of anonymity:
- Subject anonymity
  - Sender anonymity
  - Recipient anonymity
- Relationship anonymity
- Unlinkability (=?)
Anonymous Communication (AC) Protocols
Various AC protocols with different goals:
- Low latency overhead
- Low communication overhead
- High traffic-analysis resistance
(Figure: trade-off triangle with the corners Communication Complexity, Latency and Traffic-Analysis Resistance.)
Typically categorized by latency overhead:
- low-latency AC protocols, e.g. Tor, DC nets, Crowds
- high-latency AC protocols, e.g. mix networks
Anonymous Email
"Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms" (Chaum, 1981) proposes a solution to the cryptographic traffic analysis problem: keeping confidential who converses with whom, and when they converse.
Idea: use public-key cryptography and a special communication network: shuffle all messages before forwarding them to the recipients!
(Figure: Senders -> Shuffler -> Recipients.)
Mix-Server: Basics
$N$ senders $S_1, \dots, S_N$ with messages $m_1, \dots, m_N$; the senders want to publish their messages anonymously.
- The mix server MS publishes a public key $pk$.
- Each sender $S_i$ submits $E_{pk}(m_i)$.
- MS collects $N$ messages, decrypts them, and outputs the messages in permuted order $m_{\pi(1)}, m_{\pi(2)}, \dots, m_{\pi(N)}$.
Definition: Mix Network
But: what if the mix server is compromised?
Mix network: a group of mix servers that operate sequentially (Inputs -> Server 1 -> Server 2 -> Server 3 -> Outputs). This distributes trust to protect against compromised mix servers.
Mix Networks: Requirements
- Correctness: the output is a permutation of the inputs.
- Privacy: if at least one mix server conceals its mixing, the senders cannot be linked to their respective outputs.
- Public verifiability: the honesty of the mix servers can be verified publicly.
- Soundness: public verification guarantees correctness.
- Robustness: the mix network still works correctly under restricted failure conditions.
Mix Networks: Decryption Networks (Chaum Mixes)
Use layered encryption that is decrypted layer by layer: each server decrypts one layer and shuffles. Server 1 outputs $m_{\pi_1(1)}, \dots, m_{\pi_1(N)}$, Server 2 outputs $m_{\pi_2(\pi_1(1))}, \dots, m_{\pi_2(\pi_1(N))}$, and Server 3 outputs $m_{\pi_3(\pi_2(\pi_1(1)))}, \dots, m_{\pi_3(\pi_2(\pi_1(N)))}$.
Question: are all mix network requirements fulfilled?
- Correctness, public verifiability, privacy and soundness: yes.
- Robustness: no (decryption needs every server's layer to be removed).
Mix Networks: Re-encryption Networks
ElGamal allows for re-encryption of ciphertexts! Each server shuffles and re-encrypts instead of decrypting, so Server 1 outputs $m_{\pi_1(1)}, \dots, m_{\pi_1(N)}$, Server 2 outputs $m_{\pi_2(\pi_1(1))}, \dots, m_{\pi_2(\pi_1(N))}$, and Server 3 outputs $m_{\pi_3(\pi_2(\pi_1(1)))}, \dots, m_{\pi_3(\pi_2(\pi_1(N)))}$ (all still encrypted).
At the end, threshold decryption that only relies on a fraction of the mix servers working correctly recovers the messages.
High vs. Low Latency
Mix servers need to wait for at least $N$ messages and therefore incur high latency overhead in real network communication.
Low-latency AC protocols:
- Aim: keep the latency/delay due to the AC protocol small, such that its existence/usage is transparent to the user.
- Useful for applications such as
  - web browsing
  - instant messaging, tele-conferencing
  - web services such as internet banking
VPNs (e.g. anonymizer.com)
Idea: use an intermediate server to serve as proxy for the user's actions (Sender -> Proxy Server -> Recipient).
Problem:
- Requires trust in the proxy server.
Question: what happens if the proxy is compromised?
Towards Onion Routing
Similar to mix networks, distribute trust across various servers (Sender -> Proxies -> Recipient).
Problem:
- A single compromised proxy is sufficient to break anonymity!
Question: what happens if a proxy is compromised?
Onion Routing: Circuit Construction
Establish symmetric keys between the sender and the proxy nodes (onion routers) such that
- only the sender and one proxy node know each key, and
- a proxy node does not know any entities other than its neighbors on the path (or circuit).
Onion Routing: Onion Transfer
The sender creates a layered encryption of the message (the onion) and sends it to the first node in her circuit. Each proxy decrypts one layer of the onion and forwards the result to the next proxy.
(Figure: sender, three onion routers and recipient; the onion is reduced from $m_2$ to $m_1$ to $m$ as the layers are removed.)
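Added example (not code from the lecture or from Tor): a toy onion construction showing the layered encryption that both the Chaum decryption mix above and onion routing rely on, peeled one layer per hop. The per-hop cipher is a constructed SHA-256 XOR keystream standing in for a real symmetric cipher, the 8-byte next-hop addresses and the key-sharing are assumptions of the example; the point is that each router learns only its next hop and an opaque inner onion.

```python
# Toy onion routing: one encryption layer per hop, peeled hop by hop (educational only).
import hashlib

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream from SHA-256(key || nonce || block counter).
    Constructed stand-in for a real stream cipher; encryption and decryption coincide."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def build_onion(hop_keys, next_hops, message: bytes) -> bytes:
    """Sender side: wrap the message innermost-first, one layer per hop.
    hop_keys[i] is the key shared with router i; next_hops[i] is the 8-byte
    address router i forwards to (the last entry is the recipient)."""
    onion = message
    for key, nxt in reversed(list(zip(hop_keys, next_hops))):
        onion = keystream_xor(key, b"hop", nxt + onion)   # layer = E_k(next_hop || inner)
    return onion

def peel_layer(key: bytes, onion: bytes):
    """Router side: strip one layer, learning only the next hop and the inner onion."""
    plain = keystream_xor(key, b"hop", onion)
    return plain[:8], plain[8:]

def route(hop_keys, onion: bytes):
    """Simulate the circuit: each router peels its layer in turn.
    Returns the sequence of next-hop addresses seen and the delivered message."""
    path = []
    for key in hop_keys:
        nxt, onion = peel_layer(key, onion)
        path.append(nxt)
    return path, onion

if __name__ == "__main__":
    keys = [b"key-router-1", b"key-router-2", b"key-router-3"]     # constructed per-hop keys
    hops = [b"ROUTER02", b"ROUTER03", b"RECIPNT0"]                 # constructed 8-byte addresses
    onion = build_onion(keys, hops, b"hello")
    print("router 1 sees next hop:", peel_layer(keys[0], onion)[0])
    print("delivered:", route(keys, onion))
```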
Intermezzo: Diffie-Hellman Key Exchange
Publicly known: $p$, a large prime number, and $g$, a generator for a group of order $p$.
- Alice picks $x \leftarrow_R G$ and sends $g^x \bmod p$ to Bob.
- Bob picks $y \leftarrow_R G$ and sends $g^y \bmod p$ to Alice.
- Both compute the shared secret $g^{xy} \bmod p$.
Computational Diffie-Hellman assumption: given the triple $(g, g^a, g^b)$, it is computationally infeasible to determine the value of $g^{ab}$.
Second Generation Onion Routing
Idea: use a telescoping construction together with Diffie-Hellman key exchange to generate ephemeral, symmetric session keys!
(Figure: the sender extends the circuit hop by hop through onion routers 1, 2 and 3 towards the recipient.)
Second Generation Onion Routing
Example: 2-hop circuit construction to surf a webpage.
(Figure: sequence diagram of the key exchange with each hop, followed by browsing the webpage through the circuit.)
Tor
Tor (https://www.torproject.org)
- Intended to provide anonymity over the Internet
- Running since October 2003
- Implements 2nd generation onion routing
Tremendously successful!
- > 2,000,000 users all over the world
- > 7000 OR (volunteer) nodes/proxies/routers (metrics.torproject.org)
- The second most employed privacy-enhancing technology after the TLS protocol
Tor Vulnerabilities: Traffic Analysis
An adversary can observe traffic at different locations in the network. If the traffic looks similar, it likely belongs to the same user!
Tor Vulnerabilities: Traffic Analysis
Low communication overhead results in low traffic-analysis resistance.
Alternatives with high traffic-analysis resistance
- e.g. Crowds, DC nets, etc.
- cause high communication overhead.
(Figure: trade-off triangle with the corners Communication Complexity, Latency and Traffic-Analysis Resistance.)
Low traffic-analysis resistance is one of the biggest problems of today's AC networks!
Tor Vulnerabilities: DNS Leaks
- DNS requests are not sent through the Tor network by default.
- An attacker could see which websites are being visited by examining DNS requests.
- External software such as Foxyproxy and Privoxy can be used to route DNS requests through the Tor network, but this is _not_ the default behavior.