Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
-
date post
21-Dec-2015 -
Category
Documents
-
view
216 -
download
0
Transcript of Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
![Page 1: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/1.jpg)
Modelling and Analysing of Security Protocol: Lecture 9
Anonymous Protocols: Theory
![Page 2: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/2.jpg)
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE – Anonymous Publishing: Freenet
![Page 3: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/3.jpg)
The rest of the course
• Today: 12th Oct, Protocols for anonymity (homework)
• 19th Oct moved to 22th Oct 11:15 to 13:00:– Model Checking & Fair exchange protocols.
• 26th Oct, : Summary Lecture (Homework due)
• 2nd, 9th, 16th, 23rd and 30th Nov Student presentations
![Page 4: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/4.jpg)
Homework
• You have only got questions 1 and 2 back. You have not been told your mark for question 3.
• Attacks exist against some of your protocols.
• As part of the current homework you have to analysis your own protocol using ProVerif.
• If you can find and correct a fault in your protocol you will win back half the marks lost for that fault in homework 1.
![Page 5: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/5.jpg)
Qu. 1: Typing attack
1. A B : A
2. B A : Nb
3. A B : { A, B, Nb}Kas
4. B S : { A, B, { A, B, Nb }Kas }Kbs
5. S B : { A, B, Nb }Kbs
![Page 6: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/6.jpg)
Qu. 2: Early SSL
1. A B : EB(Kab)
2. B A : { Nb }Kab
3. A B : { CA, SignA( Nb ) }Kab
![Page 7: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/7.jpg)
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE – Anonymous Publishing: Freenet
![Page 8: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/8.jpg)
IP address
• When you connect to another computer you send it our IP address.
• It is ever hard to communicate well without revealing your real IP address.
• Recent count case (last week) decided that your IP address can be used to identify you in court.
![Page 9: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/9.jpg)
“You have zero privacy anyway, get over it”
Scott, CEO of SUN microsystems.
![Page 10: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/10.jpg)
Dining Cryptographers
• Nodes form a ring• Each adjacent pair picks a random number• Each node broadcasts the sum (xor) of the
adjacent numbers• The user who wants to send a
message also adds the message• The total sum (xor) is:
r1+r
2+r
2+r
3+r
3+
r4+r
4+r
5+r
5+r
1+m = m
r1
r4
r5
r3
r2
r1+r
2
r5+r
1
r4+r
5
r3+r
4r
2+r
3 +m
![Page 11: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/11.jpg)
Dinning Cryptographers
• It's impossible to tell who added m.
• Beyond suspicion even to a global attacker.
• Very inefficient: everyone must send the same amount of data as the real sender.
![Page 12: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/12.jpg)
A Hierarchy of Goals
Fresh Key Key ExclusivityFar-end
OperativeOnce
Authenticated
Good Key
EntityAuthentication
Key Confirmation
Mutual Belief in Key
![Page 13: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/13.jpg)
The Theory of Anonymity
Anonymity means different things to different users.
The right definitions are key to understand any system.
“On the Internet nobody knows you’re a dog”
![Page 14: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/14.jpg)
The Theory of Anonymity
• Anonymity is a difficult notion to define.– Systems have multiple agents– which have different views of the system– and wish to hide different actions– to variable levels.
• Sometimes you just want some doubt, sometimes you want to act unseen.
![Page 15: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/15.jpg)
The Theory of Anonymity
• In a system of anonymous communication you can be: – A sender– A receive / responder– A helpful node in the system– An outsider (who may see all or just some of the
communications).
• We might want anonymity for any of these, from any of these.
![Page 16: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/16.jpg)
Some Kinds of Anonymity
• Sender anonymity.• Receiver anonymity.• Sender-receiver unlinkability.For the • Sender• Receive• Another participant in the protocol.• Outside observer that can see all/some of the
network
![Page 17: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/17.jpg)
Levels of Anonymity
Reiter and Rubin provide the classification:
• Beyond suspicion: the user appears no more likely to have acted than any other.
• Probable innocence: the user appears no more likely to have acted than to not to have.
• Possible innocence: there is a nontrivial probability that it was not the user.
![Page 18: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/18.jpg)
Beyond suspicion
• All users are Beyond suspicion:
Prob
Users
A B C D E
![Page 19: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/19.jpg)
Beyond suspicion
• Not Beyond Suspicion:
Prob
Users
A B C D E
![Page 20: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/20.jpg)
Probable Innocence
• All users are Probably Innocence
Prob
Users
A B C D E
50%
![Page 21: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/21.jpg)
Probable Innocence
• All users are Probably Innocence
Prob
Users
A B C D E
50%
![Page 22: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/22.jpg)
Probable Innocence
• All users are Probably Innocence
Prob
Users
A B C D E
50%
![Page 23: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/23.jpg)
Probable Innocence
• All users are Probably Innocence
Prob
Users
A B C D E
50%
![Page 24: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/24.jpg)
Probable Innocence
• All users are Probably Innocence
Prob
Users
A B C D E
50%
![Page 25: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/25.jpg)
Possible Innocence
• There a small change it is not you.
Prob
Users
A B C D E
50%
![Page 26: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/26.jpg)
Definitions
• These definitions do not take into account how likely each principal is to be guilty to start off with.
• Or quantify what the attack learns from a run of the protocol.
• This is currently a hot research topic, so far there are lots of complicated definitions but no clear winner.
![Page 27: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/27.jpg)
Example: The Anonymizer
An Internet connection reveals your IP number.
The Anonymizer promise
“Anonymity”
Connection made via The Anonymizer.
The Server see only the Anonymizer.
S
?
The Anonymizer
![Page 28: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/28.jpg)
Example: The Anonymizer
The sender is Beyond Suspicion to the server.
The server knows The Anonymizer is being used.
If there is enough other traffic, you are Probably Innocence to a global observer.
The global observer knows you are using the “The Anonymizer”
There is no anonymity to the “The Anonymizer”
![Page 29: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/29.jpg)
Example: The Anonymizer
• From the small print:
• … we disclose personal information only in the good faith belief that we are required to do so by law, or that doing so is reasonably necessary …
• … Note to European Customers: The information you provide us will be transferred outside the European Economic Area
![Page 30: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/30.jpg)
Crowds
• A crowd is a group of n nodes• The initiator selects randomly a node (called
forwarder) and forwards the request to it• A forwarder:
– With prob. 1-pf selects
randomly a new node andforwards the request to him
– With prob. pf sends the
request to the server
server
![Page 31: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/31.jpg)
Crowds
• The sender is beyond suspicion to the server.
• Some of the nodes could be corrupted.
• The initiator could forward the message to a corrupted node.
• The sender has probable innocence to other nodes.
![Page 32: Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d575503460f94a36520/html5/thumbnails/32.jpg)
Today’s Lecture
• Practical course issues.• Theoretical anonymity.
– Dinning Cryptographers Protocol– Definitions of Anonymity– The Crowds Protocol
BREAK• Practical anonymous systems
– Onion Routing and the Tor System– Mix Networks– Anonymous File-sharing Systems: MUTE – Anonymous Publishing: Freenet