190 likes | 288 Views
Anonymity - Beginnings. Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, etc.) Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies) Computer TAP solvable with cryptography
E N D
Anonymity - Beginnings • Early (pre-computer) uses for social reasons (ability to act more freely, have work accepted without prejudice, etc.) • Traffic analysis an issue prior to computers (e.g., Bodyguard of Lies) • Computer TAP solvable with cryptography • With public-key cryptography, theoretical possibility for anonymity and pseudonymity
Forms of Anonymity • Traffic Analysis Prevention • Sender, Recipient, Message Anonymity • Voter Anonymity • Pseudonymity • Revokable anonymity • Data anonymity
Anonymity Mechanisms • Cryptography • Steganography • Traffic Analysis Prevention (TAP) • Mixes, crowds • Data sanitization/scrubbing • k-anonymity
Adversaries • Global vs. Restricted • All links vs. some links • All network nodes vs. some or no nodes • Passive vs. Active • Passive – listen only • Active – remove, modify, replay, or inject new messages • Cryptography Assumptions • All unencrypted contents are observable • All encrypted contents are not, without key
Symmetric Key Cryptography • One key, Kab, associated with entities A and B • Same key used for encryption and decryption: C=E(M,Kab), M=D(C,Kab)=D(E(M,Kab)Kab) • For message M, ciphertext C = {M}K • Anyone with Kab can form ciphertext • Anyone with Kab can decrypt C • For message M, MIC or MAC uses hash fcn • If only A and B have Kab, then MAC • If group key, then MIC • Depending on E, may require crypto hash fcn
Public Key Cryptography • Two keys, K and K-1, associated with entity A • K is public key, K-1 is private key • Keys are inverses: {{M}K}K-1 = {{M}K-1}K = M • For message M, ciphertext C = {M}K • Anyone can send A ciphertext using K • Only A has K-1 so only A can decrypt C • For message M, signature S = {M}K-1 • Anyone can verify M,S using K • Only A can sign with K-1
Details we omit • Limit on size of M, based on size of K in PKC • Need to format M to avoid attacks on PKC • Use confounder to foil guessed ptxt attacks • Typical use of one-way hash H to distill large M to reasonable size for signing • Typical use of PKC to distribute symmetric key for actual encryption/decryption of larger messages • See http://www.rsa.com/rsalabs/ for standards
Chaum – Untraceable Mail • Wish to receive email anonymously, but • Be able to link new messages with past ones • Respond to the sender • Do not trust single authority (e.g., Paypal) • Underlying message delivery system is untrusted • Global active adversary
Chaum Mix 1 • Mix is like a special type of router/gateway • It has its own public key pair, K1 and K1-1 • Recipient A also has public key pair, Ka and Ka-1 • Sender B prepends random confounder Ra to message M, encrypts for A: Ca = {Ra|M}Ka • B then prepends confounder for mix to C and encrypts for mix: C1 = {R1|A|Ca}K1 • B sends C1 to mix, which later send Ca to A
Chaum Mix 2 • Mix simply decrypts and strips confounder from message to A • Incoming message and outgoing message do not appear related • Use padding to ensure same length (some technical details here) • Gather a batch of messages from different sources before sending them out in permuted order
Chaum Mix • As long as messages are not repeated, adversary can't link an incoming message with an outgoing one (anonymous within the batch) • Mix can discard duplicate messages • B can insert different confounder in repeats • B can use timestamps – repeats look different • Mix signs message batchs, sends receipt to senders • This allows B to prove to A if a message was not forwarded
Cascading Mixes 1 • If one mix is good, lots of mixes are better! • B prepares M for A by selecting sequence of mixes, 1, 2, 3, … , n. • Message for A is prepared for Mix 1 • Message for Mix 1 is prepared for Mix 2 • … Message for Mix n-1 is prepared for Mix n • Layered message is sent to Mix n • Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in permuted order
Cascading Mixes 2 • Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed receipt) • Any mix in cascade that is not compromised can provide unlinkability • This gets us anonymous message delivery, but does not allow return messages
Return Addresses 1 • B generates a public key Kb for the message • B seals its true address and another key K using the mix's key K1: RetAddr = ({K,B}K1, Kb) • A encrypts reply M and confounder R0 with message key Kb and sends to mix along with return address: Reply = {K,B}K1, {R0|M}Kb • Mix decrypts address and key, uses key K to re-encrypt reply: {{R0|M}Kb}K and send to B
Return Addresses 2 • B must generate new return address keys for each message (K and Kb) so there are no duplicates • Mix must remove duplicates if found • Symmetric cryptography may be used for both K and Kb here (but not for mix key!) • How? • Cascade can return messages by building the return address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return path
Return Addresses 3 • For cascaded mixes, must build return address for the whole path • Receiver uses built-up return address and return key to send reply • Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address • Sender had all the keys (it built the return address) so it can decrypt reply
Mix Generics • Mix must make input messages unlinkable with output messages • Messages must all be same length • Messages must all be encrypted so as to appear random • Can't hide source/destination addresses along a single hop in path, but must hide sender and receiver, as well as distance along path • Mix must randomize order of output • Mix may have any number of triggers
Mix Triggers • Timed mix • Mix gathers messages for period T, then sends • Threshold mix • Mix gathers N messages, then sends • Hybrid mix • Mix sends when N messages or period T reached • Pool mix • Mix keeps pool of messages of size P, when pool reaches size N+P, N randomly chosen messages are sent • Continuous mix • Mix attaches random delay D from some distribution to each msg M, sends M when delay is reached
Mix Padding • In addition to padding messages to some constant length (and segmenting longer messages), mix may introduce dummy messages into traffic • Dummy messages especially useful in timed mixes (may not have many messages to send) • Strong resistance from network guys • Research question: how much does this form of padding help, and what is the relationship between increase in anonymity and cost of padding?