Page 1
CSE 484 / CSE M 584: Computer Security and Privacy
Anonymity and Secure Messaging
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
Page 2
Tor
• Second-generation onion routing network
– https://www.torproject.org/
– Now a large open source project with a non-profit organization behind it
– Specifically designed for low-latency anonymous Internet communications
• Running since October 2003
• “Easy-to-use” client proxy
– Freely available, can use it for anonymous browsing
12/9/16 CSE484/CSEM584-Fall2016 2
Page 3
Tor Browser Bundle
• A single, downloadable browser app which does the right thing.
Page 4
Tor Circuit Setup (1)
• Client proxy establishes a symmetric session key and circuit with Onion Router #1
Page 5
Tor Circuit Setup (2)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
– Tunnel through Onion Router #1
Page 6
Tor Circuit Setup (3)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
– Tunnel through Onion Routers #1 and #2
Page 7
Using a Tor Circuit
• Client applications connect and communicate over the established Tor circuit.
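
The layering that the three circuit-setup slides build up, as an added example that is not part of the original slides. The SHA-256 keystream is a toy stand-in for the real cipher, the random keys stand in for the per-hop key establishment, and all function names are hypothetical.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, not Tor's cipher): XOR the data with
    SHA-256(key || counter) blocks. Applying it twice removes the layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def build_circuit(hops: int = 3) -> list:
    """One symmetric session key per onion router. Random keys stand in for
    the per-hop key establishment, which is tunnelled through earlier hops."""
    return [os.urandom(32) for _ in range(hops)]

def client_wrap(keys: list, payload: bytes) -> bytes:
    """Client proxy adds one layer per router; router #1's layer goes on
    last, so it is the outermost one."""
    cell = payload
    for key in reversed(keys):
        cell = keystream_xor(key, cell)
    return cell

def relay(keys: list, cell: bytes) -> list:
    """Each router in turn strips its own layer. Returns what each router
    holds after stripping, i.e. what it forwards to the next hop."""
    views = []
    for key in keys:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views

def demo():
    keys = build_circuit()
    payload = b"GET / HTTP/1.1 (constructed sample request)"
    views = relay(keys, client_wrap(keys, payload))
    for hop, view in enumerate(views, start=1):
        print(f"router #{hop} forwards: {view[:16].hex()}...")
    return payload, views

if __name__ == "__main__":
    demo()
```

Only the last router's output equals the payload, which is also why the exit node sees everything that is not separately encrypted end to end.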
Page 8
Tor Management Issues
• Many applications can share one circuit
– Multiple TCP streams over one anonymous connection
• Tor router doesn’t need root privileges
– Encourages people to set up their own routers
– More participants = better anonymity for everyone
• Directory servers
– Maintain lists of active onion routers, their locations, current public keys, etc.
– Control how new routers join the network
  • “Sybil attack”: attacker creates a large number of routers
– Directory servers’ keys ship with Tor code
Page 9
Location Hidden Service
• Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
• Accessible from anywhere
• Resistant to censorship
• Can survive a full-blown DoS attack
• Resistant to physical attack
– Can’t find the physical server!
Page 10
Creating a Location Hidden Server
Server creates circuits to “introduction points”
Server gives intro points’ descriptors and addresses to service lookup directory
Client obtains service descriptor and intro point address from directory
Page 11
Using a Location Hidden Server
Client creates a circuit to a “rendezvous point”
Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
If server chooses to talk to client, connect to rendezvous point
Rendezvous point splices the circuits from client & server
Page 12
Attacks on Anonymity
• Passive traffic analysis
– Infer from network traffic who is talking to whom
– To hide your traffic, must carry other people’s traffic!
• Active traffic analysis
– Inject packets or put a timing signature on packet flow
• Compromise of network nodes
– Attacker may compromise some routers
– It is not obvious which nodes have been compromised
  • Attacker may be passively logging traffic
– Better not to trust any individual router
  • Assume that some fraction of routers is good, don’t know which
Page 13
Deployed Anonymity Systems
• Tor (http://tor.eff.org)
– Overlay circuit-based anonymity network
– Best for low-latency applications such as anonymous Web browsing
• Mixminion (http://www.mixminion.net)
– Network of mixes
– Best for high-latency applications such as anonymous email
• Not: YikYak :)
Page 14
Some Caution
• Tor isn’t completely effective by itself
– Tracking cookies, fingerprinting, etc.
– Exit nodes can see everything!
Page 15
Identifying Web Pages: Traffic Analysis
Herrmann et al. “Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier” CCSW 2009
Page 16
OTR AND SECURE MESSAGING
Page 17
OTR – “Off The Record”
• Protocol for end-to-end encrypted instant messaging
• End-to-end: Only the endpoints can read messages.
– PGP, iMessage, WhatsApp, and a variety of other services provide some form of end-to-end encryption today.
(Borisov, Goldberg, Brewer 2014)
Page 18
OTR – “Off The Record”
• End-to-end encryption
• Authentication
• Deniability, after the fact
• Perfect Forward Secrecy
Page 19
OTR – “Off The Record”
• End-to-end encryption
• Authentication
• Deniability/Repudability, after the fact
• Perfect Forward Secrecy
Page 20
OTR: Deniability/Repudability
Eve
Alice Bob
“Something incriminating”
Page 22
OTR: Deniability/Repudability
• During a conversation session, messages are authenticated and unmodified.
• Authentication happens using a MAC derived from a shared secret.
• Q1
Page 24
OTR: Deniability/Repudability
• Can’t prove the other person sent the message, because you also could have computed the MAC!
• OTR takes this one step farther: After a messaging session is over, Alice and Bob send the MAC key publicly over the wire!
Page 25
OTR: Deniability/Repudability
• Eve now knows the MAC key, so technically speaking, she also has the ability to forge messages from Alice or Bob.
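
Why a shared-key MAC authenticates during the session yet proves nothing afterwards, as an added example that is not part of the original slides. The "sender:text" record layout, the random key standing in for the derived MAC key, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def mac(key: bytes, sender: str, text: str) -> bytes:
    """HMAC-SHA256 over a constructed 'sender:text' record layout."""
    return hmac.new(key, f"{sender}:{text}".encode(), hashlib.sha256).digest()

def verifies(key: bytes, record: tuple) -> bool:
    sender, text, tag = record
    return hmac.compare_digest(mac(key, sender, text), tag)

def demo_session() -> dict:
    # Random key stands in for the MAC key derived from the shared secret.
    key = os.urandom(32)

    # During the session: Alice's message verifies, a modified one does not.
    genuine = ("alice", "see you at noon", mac(key, "alice", "see you at noon"))
    modified = ("alice", "see you at nine", genuine[2])

    # Bob holds the same key, so he can tag text that Alice never sent.
    by_bob = ("alice", "Something incriminating",
              mac(key, "alice", "Something incriminating"))

    # Session over: the MAC key goes over the wire in the clear, and Eve,
    # who recorded it, can now tag messages in either party's name.
    published = key
    by_eve = ("bob", "I agree", mac(published, "bob", "I agree"))

    # A third party checking the transcript sees no difference between
    # the genuine record and the ones Bob or Eve made up.
    return {
        "genuine": verifies(published, genuine),
        "modified": verifies(published, modified),
        "by_bob": verifies(published, by_bob),
        "by_eve": verifies(published, by_eve),
    }

if __name__ == "__main__":
    print(demo_session())
```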
Page 28
Perfect Forward Secrecy
Eve
Alice Bob
Public info, e.g. C1 C2 C3 … Cn
SecretsA SecretsB
If Eve compromises Alice or Bob’s computers at a later date, we would like to prevent her from being able to learn what M1, M2, M3, etc. correspond to C1, C2, C3, etc.
Page 29
OTR: Ratcheting
• Idea: Use a new key for every session/message/time period.
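
One way to realize "a new key for every message" and get the forward-secrecy property from the previous slides, as an added example that is not part of the original slides. It is a symmetric hash ratchet chosen for illustration, not OTR's own key-exchange mechanism; the XOR pad is a stand-in cipher and all names are hypothetical.

```python
import hashlib
import hmac

class Ratchet:
    """Holds only the current chain key. Every step derives a message key
    and replaces the chain key with a one-way function of itself."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = hmac.new(self.chain_key, b"message", hashlib.sha256).digest()
        # The old chain key is overwritten; a real implementation must also
        # wipe it (and used message keys) from memory.
        self.chain_key = hmac.new(self.chain_key, b"advance", hashlib.sha256).digest()
        return message_key

def xor_pad(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for short messages: XOR with the per-message key."""
    if len(data) > len(key):
        raise ValueError("message longer than the per-message key")
    return bytes(d ^ k for d, k in zip(data, key))

def run_session(secret: bytes, messages: list):
    """Alice encrypts M1..Mn, Bob decrypts C1..Cn with his own ratchet.
    Returns the ciphertexts, Bob's plaintexts and Alice's final state."""
    start = hashlib.sha256(b"chain" + secret).digest()
    alice, bob = Ratchet(start), Ratchet(start)
    ciphertexts = [xor_pad(alice.next_message_key(), m) for m in messages]
    decrypted = [xor_pad(bob.next_message_key(), c) for c in ciphertexts]
    return ciphertexts, decrypted, alice.chain_key

def eve_decrypt_attempt(stolen_chain_key: bytes, ciphertexts: list) -> list:
    """Eve compromises a machine after the session and gets the current
    chain key. She can only ratchet forward, so every key she derives is
    later than the ones that protected C1..Cn."""
    eve = Ratchet(stolen_chain_key)
    return [xor_pad(eve.next_message_key(), c) for c in ciphertexts]

if __name__ == "__main__":
    msgs = [b"M1: hello", b"M2: meet at noon", b"M3: bye"]  # constructed
    cts, dec, state = run_session(b"constructed shared secret", msgs)
    print(dec == msgs, eve_decrypt_attempt(state, cts) == msgs)
```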
Page 30
Signal
• End-to-end encrypted chat/IM based on OTR
• Provides variations on ratcheting, deniability, etc.
• Widely used, public code, audited.