Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential...
54
CSE 484 / CSE M 584: Computer Security and Privacy Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner [email protected] Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
Transcript of Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential...
CSE484/CSEM584:ComputerSecurityandPrivacy
AnonymityandSecureMessaging
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
Cookies
• Alternative/additionaltechnology:– Icecream
• Someofyouaskedifwecouldstudythesetechnologies
12/7/16 CSE484/CSEM584-Fall2016 2
Cookies
• Sectioniscancelled,but:
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 3
Cookies
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 4
SecurityMindsetish–ReflectionsonTrustingTrust
12/7/16 CSE484/CSEM584-Fall2016 5
IdentifyingWebPages:ElectricalOutlets
Clarketal.“CurrentEvents:IdentifyingWebpagesbyTappingtheElectricalOutlet”ESORICS2013
12/7/16 CSE484/CSEM584-Spring2016 6
PowerlineEavesdropping
12/7/16 CSE484/CSEM584-Spring2016 7
Enevetal.:Televisions,VideoPrivacy,andPowerlineElectromagneticInterference,CCS2011
PrivacyonPublicNetworks
• Internetisdesignedasapublicnetwork– MachinesonyourLANmayseeyourtraffic,network
routersseealltrafficthatpassesthroughthem• Routinginformationispublic– IPpacketheadersidentifysourceanddestination– Evenapassiveobservercaneasilyfigureoutwhois
talkingtowhom• Encryptiondoesnothideidentities– Encryptionhidespayload,butnotroutinginformation– EvenIP-levelencryption(tunnel-modeIPSec/ESP)
revealsIPaddressesofIPSecgateways
12/7/16 CSE484/CSEM584-Spring2016 8
Questions
Q1:Whatisanonymity?
Q2:WhymightpeoplewantanonymityontheInternet?
Q3:WhymightpeoplenotwantanonymityontheInternet?
12/7/16 CSE484/CSEM584-Spring2016 9
ApplicationsofAnonymity(I)
• Privacy– Hideonlinetransactions,Webbrowsing,etc.from
intrusivegovernments,marketersandarchivists• Untraceableelectronicmail– Corporatewhistle-blowers– Politicaldissidents– Sociallysensitivecommunications(onlineAAmeeting)– Confidentialbusinessnegotiations
• Lawenforcementandintelligence– Stingoperationsandhoneypots– Secretcommunicationsonapublicnetwork
12/7/16 CSE484/CSEM584-Spring2016 10
ApplicationsofAnonymity(II)
• Digitalcash– Electroniccurrencywithpropertiesofpapermoney(onlinepurchasesunlinkabletobuyer’sidentity)
• Anonymouselectronicvoting• Censorship-resistantpublishing
12/7/16 CSE484/CSEM584-Spring2016 11
WhatisAnonymity?
• Anonymityisthestateofbeingnotidentifiablewithinasetofsubjects– Youcannotbeanonymousbyyourself!
• Bigdifferencebetweenanonymityandconfidentiality– Hideyouractivitiesamongothers’similaractivities
• Unlinkabilityofactionandidentity– Forexample,senderandemailhe/shesendsarenomore
relatedafterobservingcommunicationthanbefore• Unobservability(hardtoachieve)– Observercannoteventellwhetheracertainactiontook
placeornot
12/7/16 CSE484/CSEM584-Spring2016 12
Part1:AnonymityinDatasets
12/7/16 CSE484/CSEM584-Spring2016 13
Howtoreleaseananonymousdataset?
• Possibleapproach:removeidentifyinginformationfromdatasets?
12/7/16 CSE484/CSEM584-Spring2016 14
Massachusettsmedical+voterdata[Sweeney1997]
k-Anonymity
• Eachpersoncontainedinthedatasetcannotbedistinguishedfromatleastk-1othersinthedata.
12/7/16 CSE484/CSEM584-Spring2016 15
Doesn’tworkforhigh-dimensionaldatasets(whichtendtobesparse)
DifferentialPrivacy
• Setting:Trustedpartyhasadatabase• Goal:allowqueriesonthedatabasethatareusefulbutpreservetheprivacyofindividualrecords
• Differentialprivacyintuition:addnoisesothatanoutputisproducedwithsimilarprobabilitywhetheranysingleinputisincludedornot
• Privacyofthecomputation,notofthedataset
12/7/16 CSE484/CSEM584-Spring2016 16
[Dworketal.]
Part2:AnonymityinCommunication
12/7/16 CSE484/CSEM584-Spring2016 17
Chaum’sMix
• Earlyproposalforanonymousemail– DavidChaum.“Untraceableelectronicmail,return
addresses,anddigitalpseudonyms”.CommunicationsoftheACM,February1981.
• Publickeycrypto+trustedre-mailer(Mix)– Untrustedcommunicationmedium– Publickeysusedaspersistentpseudonyms
• ModernanonymitysystemsuseMixasthebasicbuildingblock
12/7/16 CSE484/CSEM584-Spring2016 18
Beforespam,peoplethoughtanonymousemailwasagoodideaJ
BasicMixDesign
12/7/16 CSE484/CSEM584-Spring2016 19
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
Q2
12/7/16 CSE484/CSEM584-Spring2016 20
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
AnonymousReturnAddresses
12/7/16 CSE484/CSEM584-Spring2016 21
A
BMIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
Mincludes{K1,A}pk(mix),K2whereK2isafreshpublickey
ResponseMIX
{K1,A}pk(mix),{r2,M’}K2A,{{r2,M’}K2}K1
Secrecywithoutauthentication(goodforanonlineconfessionserviceJ)
MixCascadesandMixnets
12/7/16 CSE484/CSEM584-Spring2016 22
• Messagesaresentthroughasequenceofmixes• Canalsoformanarbitrarynetworkofmixes(“mixnet”)
• Someofthemixesmaybecontrolledbyattacker,butevenasinglegoodmixensuresanonymity
• Padandbuffertraffictofoilcorrelationattacks
DisadvantagesofBasicMixnets
• Public-keyencryptionanddecryptionateachmixarecomputationallyexpensive
• Basicmixnetshavehighlatency– OKforemail,notOKforanonymousWebbrowsing
• Challenge:low-latencyanonymitynetwork
12/7/16 CSE484/CSEM584-Spring2016 23
AnotherIdea:RandomizedRouting
12/7/16 CSE484/CSEM584-Spring2016 24
• Hidemessagesourcebyroutingitrandomly– Populartechnique:Crowds,Freenet,Onionrouting
• Routersdon’tknowforsureiftheapparentsourceofamessageisthetruesenderoranotherrouter
OnionRouting
12/7/16 CSE484/CSEM584-Spring2016 25
R R4
R1 R2
R
R R3
Bob
R
R
R Alice
[Reed,Syverson,Goldschlag1997]
• Senderchoosesarandomsequenceofrouters• Someroutersarehonest,somecontrolledbyattacker• Sendercontrolsthelengthofthepath
RouteEstablishment
12/7/16 CSE484/CSEM584-Spring2016 26
R4
R1
R2 R3 Bob Alice
{R2,k1}pk(R1),{ }k1 {R3,k2}pk(R2),{ }k2
{R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4
{M}pk(B)
• Routinginfoforeachlinkencryptedwithrouter’spublickey• Eachrouterlearnsonlytheidentityofthenextrouter
Tor
• Second-generationonionroutingnetwork– http://tor.eff.org– DevelopedbyRogerDingledine,NickMathewsonandPaulSyverson
– Specificallydesignedforlow-latencyanonymousInternetcommunications
• RunningsinceOctober2003• “Easy-to-use”clientproxy– Freelyavailable,canuseitforanonymousbrowsing
12/7/16 CSE484/CSEM584-Spring2016 27
TorCircuitSetup(1)
12/7/16 CSE484/CSEM584-Spring2016 28
• ClientproxyestablishesasymmetricsessionkeyandcircuitwithOnionRouter#1
TorCircuitSetup(2)
12/7/16 CSE484/CSEM584-Spring2016 29
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#2– TunnelthroughOnionRouter#1
TorCircuitSetup(3)
12/7/16 CSE484/CSEM584-Spring2016 30
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#3– TunnelthroughOnionRouters#1and#2
UsingaTorCircuit
12/7/16 CSE484/CSEM584-Spring2016 31
• ClientapplicationsconnectandcommunicateovertheestablishedTorcircuit.
TorManagementIssues
• Manyapplicationscanshareonecircuit– MultipleTCPstreamsoveroneanonymousconnection
• Torrouterdoesn’tneedrootprivileges– Encouragespeopletosetuptheirownrouters– Moreparticipants=betteranonymityforeveryone
• Directoryservers– Maintainlistsofactiveonionrouters,theirlocations,
currentpublickeys,etc.– Controlhownewroutersjointhenetwork
• “Sybilattack”:attackercreatesalargenumberofrouters
– Directoryservers’keysshipwithTorcode
12/7/16 CSE484/CSEM584-Spring2016 32
LocationHiddenService
• Goal:deployaserverontheInternetthatanyonecanconnecttowithoutknowingwhereitisorwhorunsit
• Accessiblefromanywhere• Resistanttocensorship• Cansurviveafull-blownDoSattack• Resistanttophysicalattack– Can’tfindthephysicalserver!
12/7/16 CSE484/CSEM584-Spring2016 33
CreatingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 34
ServercreatescircuitsTo“introductionpoints”
Servergivesintropoints’descriptorsandaddressestoservicelookupdirectory
Clientobtainsservicedescriptorandintropointaddressfromdirectory
UsingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 35
Clientcreatesacircuittoa“rendezvouspoint”
Clientsendsaddressoftherendezvouspointandanyauthorization,ifneeded,toserverthroughintropoint
Ifserverchoosestotalktoclient,connecttorendezvouspoint
Rendezvouspointsplicesthecircuitsfromclient&server
AttacksonAnonymity
• Passivetrafficanalysis– Inferfromnetworktrafficwhoistalkingtowhom– Tohideyourtraffic,mustcarryotherpeople’straffic!
• Activetrafficanalysis– Injectpacketsorputatimingsignatureonpacketflow
• Compromiseofnetworknodes– Attackermaycompromisesomerouters– Itisnotobviouswhichnodeshavebeencompromised
• Attackermaybepassivelyloggingtraffic– Betternottotrustanyindividualrouter
• Assumethatsomefractionofroutersisgood,don’tknowwhich
12/7/16 CSE484/CSEM584-Spring2016 36
DeployedAnonymitySystems
• Tor(http://tor.eff.org)– Overlaycircuit-basedanonymitynetwork– Bestforlow-latencyapplicationssuchasanonymousWebbrowsing
• Mixminion(http://www.mixminion.net)– Networkofmixes– Bestforhigh-latencyapplicationssuchasanonymousemail
• Not:YikYakJ
12/7/16 CSE484/CSEM584-Spring2016 37
SomeCaution
• Torisn’tcompletelyeffectivebyitself– Trackingcookies,fingerprinting,etc.– Exitnodescanseeeverything!
12/7/16 CSE484/CSEM584-Spring2016 38
IdentifyingWebPages:TrafficAnalysis
Herrmannetal.“WebsiteFingerprinting:AttackingPopularPrivacyEnhancingTechnologieswiththeMultinomialNaïve-BayesClassifier”CCSW2009
12/7/16 CSE484/CSEM584-Spring2016 39
OTRANDSECUREMESSAGING
12/7/16 CSE484/CSEM584-Fall2016 40
OTR–“OffTheRecord”
• Protocolforend-to-endencryptedinstantmessaging
• End-to-end:Onlytheendpointscanreadmessages.– PGP,iMessage,WhatsApp,andavarietyofotherservicesprovidesomeformofend-to-endencryptiontoday.
12/7/16 CSE484/CSEM584-Fall2016 41
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 42
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 43
OTR:Deniability
12/7/16 CSE484/CSEM584-Fall2016 44
Eve
Alice Bob
“Somethingincriminating”
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
12/7/16 CSE484/CSEM584-Fall2016 45
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
• Q1
12/7/16 CSE484/CSEM584-Fall2016 46
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
12/7/16 CSE484/CSEM584-Fall2016 47
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
• OTRtakesthisonestepfarther:Afteramessagingsessionisover,AliceandBobsendtheMACkeypubliclyoverthewire!
12/7/16 CSE484/CSEM584-Fall2016 48
OTR:Deniability
• EvenowknowstheMACkey,sotechnicallyspeaking,shealsohastheabilitytoforgemessagesfromAliceorBob.
12/7/16 CSE484/CSEM584-Fall2016 49
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 50
Eve
Alice Bob
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 51
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsB
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 52
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsBIfEvecompromisesAliceorBob’scomputersatalaterdate,wewouldliketopreventherfrombeingabletolearnwhatM1,M2,M3,etc.correspondtoC1,C2,C3,etc.
OTR:Ratcheting
• Idea:Useanewkeyforeverysession/message/timeperiod.
12/7/16 CSE484/CSEM584-Fall2016 53
Signal
12/7/16 CSE484/CSEM584-Fall2016 54
• End-to-endencryptedchat/IMbasedonOTR
• Providesvariationsonratcheting,deniability,etc.
• Widelyused,publiccode,audited.
