CPSC 467: Cryptography and Computer...

Outline Attacks on Anonymity Cont. Encryption with Special Properties Homomorphic Encryption Encryption with Other Properties

CPSC 467: Cryptography and Computer Security

Instructor: Michael FischerLecture by Ewa Syta

Lecture 24December 7, 2015

CPSC 467, Lecture 24 1/49


Attacks on Anonymity Cont.

Encryption with Special Properties

Homomorphic Encryption

Encryption with Other Properties



Attacks on Anonymity Cont.



Fingerprinting and Staining Attacks

Fingerprinting attack - an attack that uses specific hardware and/orsoftware specifications of a client’s machine to create a uniquelabel (a fingerprint), than can be later used to identify that client.

Staining attack - an attack that relies on the ability to insert anidentifiable “stain” (e.g., a cookie) into a client’s machine, in orderto later on use it to identify the client.



Fingerprinting Attack1 2

Fingerprinting attacks exploit benign characteristics of a browser.

I Browser vendor, version, operating system info, screencharacteristics, installed fonts, plugins, etc.

I Java Script and Flash are the main culprits.I In an experiment involving 500k users, 94% were identified.

I Top sites “silently track”: Orbitz, T-Mobile, Western Union.I And privacytool.org. And anonymizer.com.

1FPDetective: Dusting the Web for Fingerprinters. Acat et al. CCS 2013

2Top sites (and maybe the NSA) track users with “device fingerprinting”. Arstechnica. 10/2013


http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/


Staining Attack

An active attack that leaves behind evidence: higher risk butbetter payoff.

I Flash Cookies3

I Header enrichments4 5

Both attacks have serious implications not only for anonymity, butalso privacy.

3When the cookies crumbled, so did your web anonymity. The Guardian. 10/2014

4Does your phone company track you? Arstechnica. 11/2014

5Verizon’s zombie cookie gets new life. Arstechnica. 10/2015


http://www.theguardian.com/technology/2014/oct/05/cookies-crumbled-internet-anonymity

http://arstechnica.com/security/2014/11/does-your-phone-company-track-you/

http://arstechnica.com/security/2015/10/verizons-zombie-cookie-gets-new-life/


Examples

https://panopticlick.eff.org/

Ghostery

Lightbeam


https://panopticlick.eff.org/


NSA about Tor6 7

“Tor stinks.”

“Very Secure.”

“Still the King of high secure, low latency Internet Anonymity.There are no contenders for the throne in waiting.”

“We will never be able to de-anonymize all Tor users all the time.With manual analysis we can de-anonymize a very small fraction ofTor users, however, no success de-anonymizing a user (...) ondemand.”

6Tor: ’The king of high-secure, low-latency anonymity’. The Guardian. 10/2013

7’Peeling back the layers of Tor with EgotisticalGiraffe’. The Guardian. 10/2013


http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity

http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document


Peeling back the layers of Tor withEGOTISTICALGIRAFFE7

Based on what we know, NSA cannot de-anonymize users bybreaking the core Tor protocol.

Instead, they target software vulnerabilities in Firefox that the TorBrowser is built upon.

NSA actively searches for and exploits vulnerabilities “around” Tor.



QUANTUM8

The NSA’s program to insert packets from the Internet backbone.

Quantum servers are at key places on the Internet backboneensuring that they can react faster than other servers. Thispermits “man-on-the-side” attacks that inject arbitrary packets asa fake response to a legitimate request.

Leaked NSA slides showed a Quantum server impersonatingGoogle.

This same technique is used by the Chinese government to blockits citizens from censored Internet content (TCP/RST).

8How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID, Bruce Schneier, 10/2013


https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html


Man-on-the-side Attack

In a man-on-the-side, an adversary reads the traffic and inserts newmessages, but does not modify or delete messages sent by otherparticipants. The attack relies on a timing advantage to ensurethat the attacker’s response reaches the victim before thelegitimate response.

(One way of) Detecting the attack: look for packets with identicalsequence numbers.9

9How to Detect Sneaky NSA ’Quantum Insert’ Attacks. Wired. 4/2015


http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/


FOXACID8

NSA codename for an Internet-enabled system capable ofattacking target computers in a variety of ways.

FoxAcid servers are publicly accessible using normal-lookingdomain names.

When a browser visits a FoxAcid server using a special url, called aFoxAcid tag, the server attempts to infect that browser, and thenthe computer, in an effort to take control of it.



FOXACID8

Attacks are customized. Each target receives its own FoxAcid tagwhich permits to identify them and use customized exploits.

When FoxAcid servers handle callbacks from infected machines,they are called FRUGALSHOT. A machine may call back to theNSA for more instructions, to upload data from the targetcomputer, etc.

TOR users are identified by forcing the traffic to bypass their TORconnection.



NSA’s 6 Step Attack on Tor Users10 11

1. Scan Internet traffic.Use “upstream” data collection programs such as Stormbrew,Fairview, Oakstar, and Blarney to tap into the fiberopticbackbone of the Internet.

2. Mark Tor requests using fingerprinting techniques.Use XKeyscore to do so.

3. Sift out marked traffic.All Tor users look alike so it is easy to tell them apart fromnon-Tor users.

10How the NSA identifies Tor users in 6 easy steps , DailyDot. 10/2013

11Our Government Has Weaponized the Internet. Here’s How They Did It, Wired. 11/2013


http://www.dailydot.com/politics/six-steps-nsa-attack-tor/

http://www.wired.com/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/


NSA’s 6 Step Attack on Tor Users

4. Send users to NSA servers.Use Quantum to re-direct targets to FoxAcid servers whichpretend to be the legitimate server that the Tor user is tryingto access.

5. Attack users’ computers.Use FoxAcid servers to deliver exploits.

6. Identify Tor users.After obtaining access to the target computer, it is easy toidentify the user based on email accounts accessed from thesame computer, stored information, etc.



Freedom Hosting12 & Silk Road

Freedom Hosting, a provider of anonymous hosting, operated as aTor hidden service. In August 2013, all sites hosted by FreedomHosting began serving an error message with hidden codeembedded into the page. It turned out to be an exploit leveraginga security hole in Firefox to identify Tor users by reporting backthe user’s IP to a server in Northern Virginia. Later, FBI admittedit was behind this mass malware attack.

Silk Road, a black market website was also operated as a Torhidden service. FBI shut it down in October with the help fromother agencies.

12FBI Admits It Controlled Tor Servers Behind Mass Malware Attack. K. Poulsen. Wired. 9/2013


http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/


Additional Resources

I The Tor Project, https://www.torproject.org/

I Tor Browser

I How Tor works? by Artist Molly Crabapple and Writer JohnLeavitt https://www.eff.org/whatistor

I EFF on NSA Spying on Americans https://www.eff.org/nsa-spying

I The definitive guide to NSA spy programshttp://www.dailydot.com/politics/nsa-spy-prgrams-prism-fairview-blarney/


https://www.torproject.org/

https://www.torproject.org/projects/torbrowser.html.en

https://www.eff.org/whatistor

https://www.eff.org/nsa-spying

http://www.dailydot.com/politics/nsa-spy-prgrams-prism-fairview-blarney/


Encryption with Special Properties



Goals of encryption

The main goal of encryption is to provide data confidentiality.

Normally, there is a lot you can do with your unencrypted data:analyze, search, compute, etc.

However, once data is encrypted there is not much you can dowith it.

Encrypted data → secured and uselessUnencrypted data → unsecured and useful13

13Slight oversimplification



Working with encrypted data

Solution: Encrypt – decrypt – perform operations – re-encrypt

Problems: Can get very expensive very quickly. Privacy issues.

Another solution: Perform at least some operations on encrypteddata without decrypting it.

Problems: How do we do that? What operations should beallowed? Will it affect security properties of the encryptionscheme?



Encryption with special properties

The goal is to design an encryption function E so that we canperform meaningful operations on the ciphertexts withoutdecrypting it.

To make it possible, E would have to “give” some specialproperties to the ciphertext.



Homomorphic Encryption



Homomorphic encryption

Informally, homomorphic encryption is an encryption scheme witha special property that allows operations applied to ciphertext bepreserved and carried over to the plaintext.



Types of homomorphism

An encryption scheme can be homomorphic with respect to one ormore group operators.

An encryption scheme is additively homomorphic if we consider theaddition operator, and multiplicatively homomorphic if we considerthe multiplication operator.



Types of homomorphic encryption

Partially homomorphic encryption – it is possible to performoperations on encrypted data with respect to one group operator.For example, from E (x), E (y) compute E (x + y) but not E (x ∗ y).

Fully homomorphic encryption – it is possible to performoperations on encrypted data with respect to two group operator.For example, from E (x), E (y) compute E (x + y) and E (x ∗ y).

Somewhat homomorphic encryption – it is possible to perform alimited number of operations on encrypted data with respect totwo group operators. For example, we can only evaluatelow-degree polynomials over encrypted data.



Applications of homomorphic encryption



Applications of homomorphic encryption

I Cloud computing (untrusted third parties can be used)

I E-voting (votes can be counted without revealing what theyare)

I Private information retrieval (searching encrypted databases)



Partially homomorphic encryption schemes

There are many encryption schemes which have the desiredhomomorphic property.

You should be familiar with at least some of them:

I RSA (multiplicatively)

I ElGamal (multiplicatively)

I Goldwasser-Micali (additively)



(Plain) RSA

Public key: (e,N)Private key: (d ,N)Encryption function: E (m) = me mod N

Multiplicatively homomorphic property:

E (m1) ∗ E (m2) = me1 ∗me

2 mod N =

(m1 ∗m2)e mod N =

E (m1 ∗m2)



ElGamal

Public key: (p, g , b), where b = g x

Private key: (x)Encryption function: E (m) = (g r ,m ∗ br ) for a random r ∈ Zφ(p)

Multiplicatively homomorphic property:

E (m1) ∗ E (m2) =

(g r1 ,m1 ∗ br1)(g r2 ,m2 ∗ br2) =

(g r1+r2 , (m1 ∗m2)br1+r2) =

E (m1 ∗m2)



Fully homomorphic encryption

The first fully homomorphic encryption scheme using lattice–basedcryptography was presented by Craig Gentry in 2009.14

Later in 2009 a second fully homomorphic encryption schemewhich does not require ideal lattices was presented.15

A lot of changes since then.

14C. Gentry, Fully Homomorphic Encryption Using Ideal Lattices, STOC 2009

15M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan Fully Homomorphic Encryption over the Integers,

Eurocrypt 2010



FHE performance

Gentry estimated16 that performing a Google search with encryptedkeywords would increase the amount of computing time by about atrillion. Moore’s law calculates that it would be 40 years beforethat homomorphic search would be as efficient as a search today.

At Eurocrypt 2010, Craig Gentry and Shai Halevi presented aworking implementation of fully homomorphic encryption.Martin van Dijk about the efficiency:

“Computation, ciphertext-expansion are polynomial, but a ratherlarge one...”

16IBM Touts Encryption Innovation. New technology performs calculations on encrypted data without

decrypting it computerworld.com, M. Cooney,



Current FHE efforts

FHE is a very popular research area. Three main directions:

1. Improving the scheme itself (security)I Relying on standard hardness assumptions

2. Improving the bootstrapping phase (efficiency)I Leveled FHE schemes that are initialized with a bound on the

maximal evaluation depth

3. ImplementationsI HElib17, a software library that implements homomorphic

encryption.I Extension of HElib that includes the full bootstrapping phase18

17GitHub Repository

18S. Halevi and V. Shoup. Bootstrapping HElib, 2014


https://github.com/shaih/HElib

https://eprint.iacr.org/2014/873.pdf


Security of homomorphic encryption

Let’s (informally) rephrase what homomorphic encryption is.

“If you encrypt some plaintext using homomorphic encryption,then by changing the ciphertext you can change the correspondingplaintext”.

Q: Is it a good or bad property?



Security of homomorphic encryption

Non–malleability is a desirable security goal for encryption schemesso that the attacker cannot tamper with the ciphertext to affectthe plaintext and go undetected.

However, homomorphic encryption implies malleability!

To reconcile this situation, we want an encryption scheme to benon-malleable except for some desired operations.

However, it’s difficult to capture the notion of “some malleabilityallowed.”19

19B. Hemenway and R. Ostrovsky, On Homomorphic Encryption and Chosen-Ciphertext Security, PKC 2012



Encryption with Other Properties



Encryption schemes

Examples of encryption schemes with special properties:

1. Searchable encryption

2. Signcryption

3. Identity-based encryption

4. Deniable encryption



Searchable encryption

Searchable encryption20 allows to test whether certain keywordsare included in a ciphertext message without decrypting it orlearning anything about its content.

Scenario: Alice wishes to read her email on different devices. Shewants her mail server can route emails based on the keywords inthe email. For example, Bob’s email labeled “urgent” goes to herphone.

20D. Boneh, G. Crescenzo, R. Ostrovsky and G. Persiano, Public Key Encryption with Keyword Search,

EUROCRYPT 2004



SES highlights

Bob encrypts his email using a standard public key system andAlice’s standard public key Apub, and appends to the resultingciphertext a Searchable Encryption (SES) of some keywordsW1, . . . ,Wn.

EApub(M)||SES(Apub,W1, . . . ,Wn)

Alice gives the server a trapdoor TW which depends on Apriv and akeyword W . This enables the server to test whether the SESciphertext equals to some known keyword(s) but nothing else.



Signcryption

Encryption and signature schemes are the basic tools offered bypublic key cryptography. They are normally viewed as importantbut distinct building blocks for higher level protocols, but there aremany settings were both are needed.

Signcryption21 is a scheme that provides both functionalitiessimultaneously.

Signcryption scenario: encrypting and signing at the same timeimproves efficiency and usability.

21From ECRYPT report D.AZTEC.7, New Technical Trends in Asymmetric Cryptography.


http://www.ecrypt.eu.org/ecrypt1/documents/D.AZTEC.7.pdf


Identity-based encryption22

ID-based encryption allows to use some known aspect of the useridentity, for example an email address or IP address, to generate apublic key.

Suddenly Alice can send confidential messages to anyone, evenpeople who has not set up their public keys yet!

Tricky to retrieve the corresponding private key: trusted PrivateKey Generator (PKG), authenticating the key owner, securetransmission of the private key, etc.

22Adi Shamir, Identity-Based Cryptosystems and Signature Schemes, CRYPTO 1984



Deniable encryption

Deniable encryption23 allows an encrypted message to bedecrypted to different plausibly looking plaintexts, depending onthe input information used.

This feature gives the sender plausible deniability if compelled toreveal the encryption information.

23R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky, Deniable Encryption, CRYPTO 1997



Deniable encryption scenario

Regular encryption schemes provide confidentiality of encrypteddata in the presence of a (powerful) adversary who given aciphertext is trying to learn the corresponding plaintext.

However, assume that custom agents at border crossings have theauthority to request decryption keys to encrypted data on one’slaptop. Let Chuck be a custom agent.

It is difficult to provide security in such an attack scenario.Amazingly, deniable encryption offers some protection against thisvery different and more hostile attack.



Types of deniable encryption schemes

Deniable encryption schemes can be categorized according towhich parties may be coerced:

I Sender deniable

I Receiver deniable

I Sender–and–receiver deniable

Deniable encryption can be symmetric or asymmetric.



Shared–key receiver–deniable ElGamal encryption24

Alice and Bob have a shared secret s. Bob’s public key is (p, g , y).Alice knows Bob’s private key x . Let mf be a fake message and ms

be a secret message to encrypt deniably.

Normal encryption: Alice computes α = gk and β = m · yk , wherek is a randomly chosen value.

Deniable encryption: Alice computes: α = gk ·ms ,β = mf · (yk ·mx

s ), where k = HASH(s||mf ),

The (α, β) pair looks like a regular ElGamal ciphertext of mf .

24M. Klonowski, P. Kubiak, and M. Kutylowski, Practical Deniable Encryption, SOFSEM, 2008



Shared–key receiver–deniable ElGamal encryption

Normal ElGamal encryption:

α = gk and β = m · yk

Deniable ElGamal encryption:

α = gk ·ms and β = mf · (yk ·mxs )

Message ms is in fact sent subliminally – a covert channel iscreated. Think “nested dolls” encryption.




Normal decryption:

β · α−x = (yk ·m) · g−kx = m

Deniable decryption: Bob needs to retrieve the fake message mf :

β · α−x = mf · (yk ·mxs ) · (gk ·ms)−x = mf .

Then he computes k = HASH(s||mf ) and ms = α · g−k .

Dishonest opening: Bob, if asked by Chuck, can reveal his key x .Chuck can check that (α, β) is a valid ElGamal encryption of mf .




This scheme provides perfect receiver deniability: the transcript ofsending m is indistinguishable from sending mf .

The scheme is not sender–deniable: Alice has no effectivealgorithm that for an argument α = gk ·ms returns an exponent k ′

s.t. α = gk ′. Why?

Also, the fact that Alice knows x is not desirable. Why?

Using a well known and widely used (as opposed to a new,designed for this purpose) scheme improves “deniability”.



Additional Resources

More information on encryption with special properties:New Technical Trends in Asymmetric Cryptography, ECRYPTreport D.AZTEC.7,http://www.ecrypt.eu.org/ecrypt1/documents/D.AZTEC.7.pdf

Tutorial on homomorphic encryption by Shai Halevi presented atCRYPTO 2011. Video and slides.http://people.csail.mit.edu/shaih/presentations.html


http://www.ecrypt.eu.org/ecrypt1/documents/D.AZTEC.7.pdf

http://people.csail.mit.edu/shaih/presentations.html

CPSC 467: Cryptography and Computer...

Documents

Transcript of CPSC 467: Cryptography and Computer...