Lecture 24–Anonymity and Privacy · Extracts destination and forwards. Anonymity motivation...
61
Lecture 24 – Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487 – Fall 2017 Slides based on Miller and Bailey’s ECE 422
Transcript of Lecture 24–Anonymity and Privacy · Extracts destination and forwards. Anonymity motivation...
Lecture24 – AnonymityandPrivacy
StephenCheckowayUniversityofIllinois atChicago
CS487 – Fall 2017SlidesbasedonMillerandBailey’sECE422
Anonymity
•Anonymity:Concealingyouridentity•InthecontextoftheInternet,wemaywantanonymouscommunications
–Communicationswheretheidentityofthesourceand/ordestinationareconcealed
•Notthesameassecrecy/confidentiality–Confidentialityisaboutmessagecontents,
•(whatwassaid)
•Anonymityisaboutidentities•(whosaiditandtowhom)
NymitySpectrum
•Verinymity–creditcard#s,driver'slicense,address
•Pseudonymity–pennames,manyblogs
•Linkableanonymity–loyaltycards,prepaidmobilephone
•Unlinkableanonymity–payingincash,Tor
Whydoweneedanonymity?
•Necessarytoensurecivilliberties:–Freespeech,freeassociation,autonomy,freedomfromcensorshipandconstantsurveillance
•Privacyisahumanright–Dignity–NotexplicitinUSconstitution,butrelevantto1st4th5th9thamendmentsinbillofrights
•Surveillanceisexploitedforprofit–Targetedmarketingcampaigns–Discrimination(insurance,employment)
ArgumentsagainstPrivacy?
•The"NothingtoHide”Argument–DangersofconstructingaKafkaesqueworld–Optionalreading:'I'veGotNothingtoHide'andOtherMisunderstandingsofPrivacy,DanielJ.Solove
–Typicallyspokenfromaviewofprivilege•Nooneexpectsprivacyanymoreanyway
–KidstodaysharetheirentirelivesonFacebook•Benefitsfromsharing(bettersearchresults?)•Privatecommunicationsabusedbybadguys
HowtogetAnonymity
•Internetanonymityishard*–Difficultifnotimpossibletoachieveonyourown–RightthereineverypacketisthesourceanddestinationIPaddress–*Butit’seasyforbadguys.Why?
•Howdowedoit?•Stateofthearttechnique:Asksomeoneelsetosenditforyou
–Ok,it’sabitmoresophisticatedthanthat...
Proxies
•Proxy:Intermediarythatrelaysourtraffic•Trusted3rdparty,e.g....hidemyass.com
–YousetupanencryptedVPNtotheirsite–Allofyourtrafficgoesthroughthem
•Whyeasyforbadguys?Compromisedmachinesasproxies.
AlicewantstosendamessageMtoBob...
•Bobdoesn’tknowMisfromAlice,and•Evecan’tdeterminethatAliceisindeedcommunicatingwithBob.
•HMAacceptsmessagesencryptedforit.Extractsdestinationandforwards.
Anonymitymotivation
Surveillanceunder:• ThePatriotAct
• Section215• NationalSecurityLetters(NSLs)
• FISAAmendmentAct
Imagecredit:ACLU
GoogleTransparencyReport
NationalSecurityLetters(NSLs)ReportingPeriod NationalSecurityLetters Users/AccountsJanuarytoJune2016 0–499 500–999JulytoDecember2015 1–499 500–999JanuarytoJune2015 0–499 500–999JulytoDecember2014 0–499 500–999JanuarytoJune2014 500–999 500–999JulytoDecember2013 500–999 1000–1499JanuarytoJune2013 0–499 500–999JulytoDecember2012 0–499 500–999JanuarytoJune2012 500–999 1000–1499JulytoDecember2011 0–499 500–999JanuarytoJune2011 0–499 500–999JulytoDecember2010 0–499 1000–1499JanuarytoJune2010 500–999 1500–1999JulytoDecember2009 0–499 500–999JanuarytoJune2009 0–499 500–999
Metadata
•Everythingexceptthecontentsofyourcommunications:– If– When– Howmuch– Who
• What(thisisactuallythedata)“... analysis of telephony metadata often reveals information that could traditionally only be obtained by examining the contents of communications. That is, metadata is often a proxy for content.”— Prof. Edward W. Felten, Computer Science and Public Affairs, Princeton;
(former) Chief Technologist of FTC
XKEYSCORE
“I,sittingatmydesk,certainlyhadtheauthoritiestowiretapanyone,fromyouoryouraccountant,toafederaljudgeoreventhePresident,ifIhadapersonale-mail,”
Technologyasadefense
“Whetherwearesurveilledbyourgovernment,bycriminals,orbyourneighbors,itisfairtosaythatneverhasour abilitytoshieldouraffairsfrompryingeyesbeenatsuchalowebb.Theavailabilityanduseofsecureencryptionmayofferanopportunitytoreclaimsomeportionoftheprivacywehavelost.”
— 9thCircuitcourtopinion,Bernsteinv US DOJ1999“Cryptowars”
EncryptionTools:PGP
•GnuPG,freesoftware–PrettyGoodPrivacy(PGP),PhilZimmerman(1991)–GnuPG (GPG)isafreesoftwarerecreation–Letsyouhideemailcontentviaencryption
•Basicidea:–Hybridencryptiontoconcealmessages–Digitalsignaturesonmessages(hash-then-sign)
PGPcont'd
•Eachuserhas:–Apublicencryptionkey,pairedwithaprivatedecryptionkey–Aprivatesignaturekey,pairedwithapublicverificationkey
•Howdoessending/receivingwork?•Howdoyoufindoutsomeone'spublickey?
Sendingandreceiving
•Tosendamessage:–Signwithyoursignaturekey–Encryptmessageandsignaturewithrecipient'spublicencryptionkey
•Toreceiveamessage:–Decryptwithyourprivatekeytogetmessageandsignature–Usesender'spublicverificationkeytochecksig
Fingerprints
•HowdoyouobtainBob'spublickey?–GetitfromBob'swebsite?(☹ )–GetitfromBob'swebsite,verifyusingout-of-bandcommunication
•Keysareunwieldy-→fingerprints•Afingerprintisacryptographichashofakey
–Keyservers:storepublickeys,lookupbyname/emailaddress,verifywithfingerprint
•Whatifyoudon'tpersonallyknowBob?–WebofTrust(WoT),“friendofafriend”–BobintroducesAlicetoCarobysigningAlice’skey
Drawbacksof(Just)EncryptionI
•WhatifBob'smachinecompromised?–Hiskeymaterialbecomesknown–Pastmessagescanbedecryptedandread–Youalsohavesender'ssignatureonmessagessent,soyoucanproveidentityofsender
•Thesoftwarecreatedlotsofincriminatingrecords–KeymaterialthatdecryptsdatasentoverthepublicInternet–Signatureswithproofsofwhosaidwhat
• Alicebetterwatchwhatshesays–HerprivacydependsonBob’sactions
Drawbacksof(Just)EncryptionII
CasualConversations
•AliceandBobtalkinaroom•Nooneelsecanhear
–Unlessbeingrecorded•Nooneelseknowswhattheysay
–UnlessAliceorBobtellthem•Noonecanprovewhatwassaid
–NotevenAliceorBob•Theseconversationsare“off-the-record”
Desirablecommunicationproperties
•Forwardsecrecy:–Evenifyourkeymaterialiscompromised,pastmessagesshouldbesafe
•Deniability:beabletoplausiblydenyhavingsentamessage•Mimiccasual,off-the-recordconversations
–Deniableauthentication:beconfidentofwhoyouaretalkingto,butunabletoprovetoathirdpartywhatwassaid
Off-the-Record(OTR)Messaging
BobAliceSignbob(gy)
Signalice(gx)
1.UseAuthenticatedDiffie-Hellmantoestablisha(short-lived)sessionkeyEK
SS=(gx) ySS=(gy)xEK=H(SS) EK=H(SS)
OTRII
BobAliceEEK(M)MACMK(EEK(M))
2.Thenusesecret-keyencryptiononmessageM...AndauthenticateusingaMAC
SS=(gx) ySS=(gy)xEK=H(SS) EK=H(SS)
MK=H(EK)MK=H(EK)
Off-the-Record
BobAlicegy’,MACMK(gy’)
gx’,MACMK(gx’)
3.Re-keyusingDiffie-Hellman
SS’=(gx’) y’SS’=(gy’)x’EK’=H(SS’) EK’=H(SS’)
MK’=H(EK’)MK’=H(EK’)MK=H(EK)MK=H(EK)
Off-the-Record
BobAliceMK
4.PublisholdMK
SS’=(gx’) y’SS’=(gy’)x’EK’=H(SS’) EK’=H(SS’)
MK’=H(EK’)MK’=H(EK’)MK=H(EK)MK=H(EK)
Off-the-recordMessaging(OTR)
•Notethisissuitedtointeractivecommunication,notsomuchemail
• But,OTRprovides–messageconfidentiality–authentication–perfectforwardsecrecy–deniability
•Caveat:wedonothaveexamplesof“deniability”servingitspurposeinpractice
UsingOTR
•BuiltintoAdium andPidgin•Butbewaredefaults
–Loggingenabledbydefault–Etiquettedictatesyoushoulddisablethis,sodoeshistory(e.g.,ChelseaManning)
•VerydifferentfromGoogleHangout’s“offtherecord”featurewhichmerelydoesn’tlogtheconversation
Signalandthe“DoubleRatchet”TheprotocolbehindSignalapp(iphone,android)TrevorPerin andMoxieMarlinspike- ForwardsecrecyToday’smessagesaresecret,evenifkeycompromisedtomorrow
- FuturesecrecyTomorrow’smessagesaresecret,evenifkeycompromisedtoday
- DeniabilityNopermanent/transferableevidenceofwhatwassaid
- Usability Toleratesout-of-ordermessagedeliveryhttps://whispersystems.org/docs/specifications/doubleratchet/
PlausiblyDeniableStorage
Goal:Encryptdatastoredonyourharddrive
Problem:Canbecompelledtodecryptit!
Idea:havea“decoy”volumewithbenigninformationonit
Example:VeraCrypt
[Doesthissolvetheproblem?Caveats?]
RecapPrivacy/Anonymity
•Metadata:Everythingexceptthecontentsofyourcommunications:
– If– When– Howmuch– Who
• What (thisisactuallythedata) Signal and OTR
Anonymityforbrowsing?
You Server
Naiveapproach....VPNs
You Server
VPNs
VPNs
“…receivedacourtorderaskingforinformationrelatingtoanaccountassociatedwithsomeoralloftheabovecases.Asstatedinourtermsofserviceandprivacypolicyourserviceisnottobeusedforillegalactivity,andasalegitimatecompanywewillcooperatewithlawenforcementifwereceiveacourtorder”
Betterapproach:Tor
•Low-latencyanonymouscommunicationsystem•Hidemetadata
–whoiscommunicatingwithwhom?–e.g.,justsendinganencryptedmessagetoTheInterceptmaygetyouintrouble
•Hideexistenceofcommunication–anyencryptedmessagemaygetyouintrouble
Tor overview
•Worksatthetransportlayer•AllowsyoutomakeTCPconnectionswithoutrevealingyourIPaddress
•Popularforwebconnections•Tornetworkmadeupofvolunteer-runnodes,oronionrouters,locatedallovertheworld
•Basicidea:AlicewantstoconnecttoawebserverwithoutrevealingherIPaddress
OnionRouting
•Thisapproachgeneralizestoanarbitrarynumberofintermediaries(“mixes”)
•AliceultimatelywantstotalktoBob,withthehelpofHMA,Dan,andCharlie
•Aslongasanyofthemixesishonest,noonecanlinkAlicewithBob
OnionRouting
Tor
Imagecredit:TorProject
Tor
Imagecredit:TorProject
Tor
Imagecredit:TorProject
TrustinTor
•Entrynode:knowsAliceisusingTor,andidentityofmiddlenode,butnotdestination
•Exitnode:knowssomeToruserisconnectingtodestination,butdoesn'tknowwhichuser
•Destination:knowsaToruserisconnectingtoitviatheexitnode
•ImportanttonotethatTordoesnotprovideencryptionbetweenexitanddestination!(e.g.,useHTTPS)
TorHiddenServices
HowtogetTor
•TorBrowserbundleavailable(builtonmodifiedversionoffirefox)
•☺ optionalexercise:downloadanduseit!
•https://www.torproject.org/
•...orvolunteertobeapartoftheTornetwork.
OnionRoutingIssues/Attacks?
•Performance:messagebouncesaroundalot•Attack:rubber-hosecryptanalysisofmixoperators
–Defense:usemixserversindifferentcountries•Attack:adversaryoperatesallofthemixes
–Defense:havelotsofmixservers(Tortoday:~6,500)•Attack:adversaryobserveswhenAlicesendsandwhenBobreceives,linksthetwotogether
•Asidechannelattack– exploitstiminginformation–Defenses:padmessages,introducesignificantdelays
•Tordoestheformer,butnotesthatit’snotenoughfordefense
https://metrics.torproject.org/networksize.html
OnionRoutingIssues,cont.
•Issue:trafficleakage•SupposeallofyourHTTP/HTTPStrafficgoesthroughTor,buttherestofyourtrafficdoesn’t
•Howmighttheoperatorofsensitive.com•deanonymizeyourwebsessiontotheirserver?
Thetrafficleakageproblem
•Answer:theyinspectthelogsoftheirDNSservertoseewholookedupsensitive.comjustbeforeyourconnectiontotheirwebserverarrived
•Hard,generalproblem:anonymityoftenatriskwhenadversarycancorrelateseparatesourcesofinformation
Metadata
• If• When• Howmuch• Who• What
Metadata
• If• When• Howmuch• Who• What←TLS/PGP/OTR/Signal
Metadata
• If• When• Howmuch• Who←• What←TLS/PGP/OTR/Signal
Pond
•"Pondisnotemail.Pondisaforwardsecure,asynchronousmessagingsystemforthediscerning"
•Seekstoprotectagainstleakingtrafficinfoagainstallbutaglobalpassiveadversary
–forwardsecure–nospam–messagesexpireautomaticallyafteraweek
Pond
User
PrivateKeyPublicKey Pond
ServerMessages?Pubkey=Apadding=XXXX..
None.padding=XXXXXXXXXXXXX…
Messages?Pubkey=Apadding=XXXX..
Message=Mpadding=XXXXXXXXX…
Pond
User
PrivateKeyPublicKey Pond
ServerMessages?Pubkey=Apadding=XXXX..
None.padding=XXXXXXXXXXXXX…
Messages?Pubkey=Apadding=XXXX..
Message=Mpadding=XXXXXXXXX…
Privatekey
Metadatasummary
• If• When ←• Howmuch ←• Who←• What ←TLS/PGP
Pond
