Anonymity and Secure Messaging - courses.cs.washington.edu · Tor Circuit Setup (3) 12/9/16 CSE 484...
30
CSE 484 / CSE M 584: Computer Security and Privacy Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner [email protected] Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
Transcript of Anonymity and Secure Messaging - courses.cs.washington.edu · Tor Circuit Setup (3) 12/9/16 CSE 484...
CSE484/CSEM584:ComputerSecurityandPrivacy
AnonymityandSecureMessaging
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
Tor
• Second-generationonionroutingnetwork– https://www.torproject.org/– Nowalargeopensourceprojectwithanon-profitorganizationbehindit
– Specificallydesignedforlow-latencyanonymousInternetcommunications
• RunningsinceOctober2003• “Easy-to-use”clientproxy– Freelyavailable,canuseitforanonymousbrowsing
12/9/16 CSE484/CSEM584-Fall2016 2
TorBrowserBundle
• Asingle,downloadablebrowserappwhichdoestherightthing.
12/9/16 CSE484/CSEM584-Fall2016 3
TorCircuitSetup(1)
12/9/16 CSE484/CSEM584-Fall2016 4
• ClientproxyestablishesasymmetricsessionkeyandcircuitwithOnionRouter#1
TorCircuitSetup(2)
12/9/16 CSE484/CSEM584-Fall2016 5
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#2– TunnelthroughOnionRouter#1
TorCircuitSetup(3)
12/9/16 CSE484/CSEM584-Fall2016 6
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#3– TunnelthroughOnionRouters#1and#2
UsingaTorCircuit
12/9/16 CSE484/CSEM584-Fall2016 7
• ClientapplicationsconnectandcommunicateovertheestablishedTorcircuit.
TorManagementIssues
• Manyapplicationscanshareonecircuit– MultipleTCPstreamsoveroneanonymousconnection
• Torrouterdoesn’tneedrootprivileges– Encouragespeopletosetuptheirownrouters– Moreparticipants=betteranonymityforeveryone
• Directoryservers– Maintainlistsofactiveonionrouters,theirlocations,
currentpublickeys,etc.– Controlhownewroutersjointhenetwork
• “Sybilattack”:attackercreatesalargenumberofrouters
– Directoryservers’keysshipwithTorcode
12/9/16 CSE484/CSEM584-Fall2016 8
LocationHiddenService
• Goal:deployaserverontheInternetthatanyonecanconnecttowithoutknowingwhereitisorwhorunsit
• Accessiblefromanywhere• Resistanttocensorship• Cansurviveafull-blownDoSattack• Resistanttophysicalattack– Can’tfindthephysicalserver!
12/9/16 CSE484/CSEM584-Fall2016 9
CreatingaLocationHiddenServer
12/9/16 CSE484/CSEM584-Fall2016 10
ServercreatescircuitsTo“introductionpoints”
Servergivesintropoints’descriptorsandaddressestoservicelookupdirectory
Clientobtainsservicedescriptorandintropointaddressfromdirectory
UsingaLocationHiddenServer
12/9/16 CSE484/CSEM584-Fall2016 11
Clientcreatesacircuittoa“rendezvouspoint”
Clientsendsaddressoftherendezvouspointandanyauthorization,ifneeded,toserverthroughintropoint
Ifserverchoosestotalktoclient,connecttorendezvouspoint
Rendezvouspointsplicesthecircuitsfromclient&server
AttacksonAnonymity
• Passivetrafficanalysis– Inferfromnetworktrafficwhoistalkingtowhom– Tohideyourtraffic,mustcarryotherpeople’straffic!
• Activetrafficanalysis– Injectpacketsorputatimingsignatureonpacketflow
• Compromiseofnetworknodes– Attackermaycompromisesomerouters– Itisnotobviouswhichnodeshavebeencompromised
• Attackermaybepassivelyloggingtraffic– Betternottotrustanyindividualrouter
• Assumethatsomefractionofroutersisgood,don’tknowwhich
12/9/16 CSE484/CSEM584-Fall2016 12
DeployedAnonymitySystems
• Tor(http://tor.eff.org)– Overlaycircuit-basedanonymitynetwork– Bestforlow-latencyapplicationssuchasanonymousWebbrowsing
• Mixminion(http://www.mixminion.net)– Networkofmixes– Bestforhigh-latencyapplicationssuchasanonymousemail
• Not:YikYakJ
12/9/16 CSE484/CSEM584-Fall2016 13
SomeCaution
• Torisn’tcompletelyeffectivebyitself– Trackingcookies,fingerprinting,etc.– Exitnodescanseeeverything!
12/9/16 CSE484/CSEM584-Fall2016 14
IdentifyingWebPages:TrafficAnalysis
Herrmannetal.“WebsiteFingerprinting:AttackingPopularPrivacyEnhancingTechnologieswiththeMultinomialNaïve-BayesClassifier”CCSW2009
12/9/16 CSE484/CSEM584-Fall2016 15
OTRANDSECUREMESSAGING
12/9/16 CSE484/CSEM584-Fall2016 16
OTR–“OffTheRecord”
• Protocolforend-to-endencryptedinstantmessaging
• End-to-end:Onlytheendpointscanreadmessages.– PGP,iMessage,WhatsApp,andavarietyofotherservicesprovidesomeformofend-to-endencryptiontoday.
(Borisov,Goldberg,Brewer2014)
12/9/16 CSE484/CSEM584-Fall2016 17
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/9/16 CSE484/CSEM584-Fall2016 18
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability/Repudability,afterthefact• PerfectForwardSecrecy
12/9/16 CSE484/CSEM584-Fall2016 19
OTR:Deniability/Repudability
12/9/16 CSE484/CSEM584-Fall2016 20
Eve
Alice Bob
“Somethingincriminating”
OTR:Deniability/Repudability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
12/9/16 CSE484/CSEM584-Fall2016 21
OTR:Deniability/Repudability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
• Q1
12/9/16 CSE484/CSEM584-Fall2016 22
OTR:Deniability/Repudability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
12/9/16 CSE484/CSEM584-Fall2016 23
OTR:Deniability/Repudability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
• OTRtakesthisonestepfarther:Afteramessagingsessionisover,AliceandBobsendtheMACkeypubliclyoverthewire!
12/9/16 CSE484/CSEM584-Fall2016 24
OTR:Deniability/Repudability
• EvenowknowstheMACkey,sotechnicallyspeaking,shealsohastheabilitytoforgemessagesfromAliceorBob.
12/9/16 CSE484/CSEM584-Fall2016 25
PerfectForwardSecrecy
12/9/16 CSE484/CSEM584-Fall2016 26
Eve
Alice Bob
PerfectForwardSecrecy
12/9/16 CSE484/CSEM584-Fall2016 27
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsB
PerfectForwardSecrecy
12/9/16 CSE484/CSEM584-Fall2016 28
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsBIfEvecompromisesAliceorBob’scomputersatalaterdate,wewouldliketopreventherfrombeingabletolearnwhatM1,M2,M3,etc.correspondtoC1,C2,C3,etc.
OTR:Ratcheting
• Idea:Useanewkeyforeverysession/message/timeperiod.
12/9/16 CSE484/CSEM584-Fall2016 29
Signal
12/9/16 CSE484/CSEM584-Fall2016 30
• End-to-endencryptedchat/IMbasedonOTR
• Providesvariationsonratcheting,deniability,etc.
• Widelyused,publiccode,audited.
