Anonymity and Privacy Aggelos Kiayias University of Connecticut Computer Security Spring 2008
CSE281 - Computer Security (Spring 2008) University of Connecticut ©2006-8 Aggelos Kiayias
Anonymity in networks
• Anonymous Credentials
• Anonymous Payments
• Anonymous E-mail and Routing
• E-voting
• Group, Traceable and Ring Signatures
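Blind Signatures
[Diagram: the User holds a message; the Signer holds a signing key with public key pk. They run a signing protocol, and the User obtains a signature that can be verified against m, pk. Label: unlinkable.]
Chaum ‘82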
Anonymous Credentials
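[Diagram: parties Authority, User and Gateway.
User and Authority: get (blinded) credential + id; the Authority performs sign(cred) as a blind signature.
User and Gateway: show credential; the Gateway checks credential structure + signature and verifies the credential is used for the first time; the User receives service.]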
Applications
• Anonymous credentials: each credential can be used once and it is unlinkable to the act of showing the id.
• Can be used to disassociate the id from receiving the service.
Electronic Cash
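[Diagram: parties Bank, User and Shop.
User and Bank: withdraw $5; the User shows (blinded) Bank,nonce + id; the Bank returns sign$5-Bank(Bank,nonce) as a blind signature.
User and Shop: show E-Coin; the Shop checks coin structure + signature; verify the coin was not spent; the User receives goods.]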
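The withdraw, show and verify flow of the Electronic Cash slide, as an added example that is not part of the original slides. It assumes textbook RSA blinding as the blind-signature scheme, which the slides do not fix; the key size, the `Bank,<nonce>` coin encoding and all function names are constructed for illustration.

```python
# Added example: Chaum-style e-cash withdrawal with textbook RSA blinding.
# Toy parameters (constructed); real systems use >= 2048-bit keys and padding.
import hashlib
import secrets
from math import gcd

# Bank's RSA key for the "$5" denomination (two Mersenne primes, toy size).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def coin_digest(coin: bytes) -> int:
    """Hash the coin (Bank, nonce) into Z_N."""
    return int.from_bytes(hashlib.sha256(coin).digest(), "big") % N

def blind(coin: bytes):
    """User: hide the coin digest with a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (coin_digest(coin) * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: debits the identified account and signs without seeing the coin."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r to obtain an ordinary signature on the coin."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(coin: bytes, sig: int) -> bool:
    return pow(sig, E, N) == coin_digest(coin)

spent = set()  # Bank's record of coins already deposited

def deposit(coin: bytes, sig: int) -> str:
    """Check coin structure + signature, then that the coin was not spent."""
    if not coin.startswith(b"Bank,") or not verify(coin, sig):
        return "invalid"
    if coin in spent:
        return "double-spend"
    spent.add(coin)
    return "accepted"

def withdraw():
    """Returns the coin, its signature, and the blinded value the Bank saw."""
    coin = b"Bank," + secrets.token_hex(16).encode()
    blinded, r = blind(coin)
    return coin, unblind(bank_sign(blinded), r), blinded
```

The Bank's view at withdrawal is only `blinded`, which is the coin digest multiplied by a random value, so a later deposit of `coin` cannot be matched to the id shown at withdrawal.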
Anonymous Communication
[Diagram: a User reaching a Web-site, and a User reaching a Web-site through a Proxy.]
Trusted party anonymity
Dining Cryptographers
• The waiter announces that the bill is paid!
• Did one of the cryptographers pay? Or did the NSA pick up the bill?
• If a cryptographer paid he wishes to remain anonymous.
anonymous communication without trusted party
Dining Cryptographers
• Consider a dinner for three:
Each cryptographer flips a coin
Shows the coin to the person on the left
If coins are same and he is not paying he announces “Same” (... similarly for “Different”)
If coins are same and he is paying he flips his answer
Analysis
• If the number of “Same” is even then a cryptographer is paying.
• If the number of “Same” is odd then NSA is paying!
• A non-payer cannot distinguish which one of the other two is paying.
Indistinguishability of Payer
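[Diagram: two scenarios for cryptographers A, B and C, one with coins H, T, H and one with coins H, H, H; in both, the announcements shown are “Same”, “Same”, “Diff”. Labels in each scenario: “is paying”, “curious”.]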
DC-Net
• Setting generalizes to arbitrary number of parties.
• It allows one party (the announcing party) to anonymously send one bit of information to everybody that is present.
• Parties keep on repeating the protocol constantly. Whenever one party wants to transmit the message it transmits it in binary.
• Once a party starts to speak no other party starts speaking till a given fixed termination bitstring is sent.
• If two parties start together they stop and wait a random number of rounds.
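An added simulation, not part of the original slides, of the coin-flip round and its DC-net generalization to n parties. It counts “Diff” answers, whose parity works for any n and for n = 3 agrees with the “Same” rule of the Analysis slide; the function names are illustrative.

```python
# Added example: dining-cryptographers round for n parties seated in a ring.
import secrets

def dc_round(n, payer=None, coins=None):
    """Return each party's announcement ("Same"/"Diff") for one round.

    Party i flips coins[i] and shows it to one neighbour, so party i sees
    its own coin and the coin shown to it, coins[(i + 1) % n].
    """
    if coins is None:
        coins = [secrets.randbelow(2) for _ in range(n)]
    out = []
    for i in range(n):
        differ = coins[i] ^ coins[(i + 1) % n]
        if i == payer:              # the payer flips the answer
            differ ^= 1
        out.append("Diff" if differ else "Same")
    return out

def someone_paid(announcements):
    """Each coin enters two comparisons, so honest "Diff" answers come in an
    even number; an odd count means exactly one party flipped its answer."""
    return announcements.count("Diff") % 2 == 1

def consistent_payers(announcements, me, my_coin, seen_coin):
    """For n = 3: payers that non-payer `me` cannot rule out from its view."""
    found = set()
    for hidden in (0, 1):           # the one coin `me` never sees
        coins = [0, 0, 0]
        coins[me], coins[(me + 1) % 3] = my_coin, seen_coin
        coins[(me + 2) % 3] = hidden
        for p in range(3):
            if p != me and dc_round(3, p, coins) == announcements:
                found.add(p)
    return found

def send_bits(n, sender, bits):
    """DC-net: repeat the round; the sender "pays" in rounds where the bit is 1."""
    return [int(someone_paid(dc_round(n, sender if b else None))) for b in bits]
```

`consistent_payers` returns both other parties for any transcript in which someone paid, which is the indistinguishability claim: the unseen coin can always be chosen to explain either candidate.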
Anonymity and the Internet
• Whistle-blowing.
• Fear of censorship or prosecution.
• Communication regarding sensitive personal issues.
Cypherpunk Remailer
[Diagram: the first message below goes into the remailer, which sends out the second.]

From: Aggelos Kiayias <[email protected]>
To: [email protected]

::
Anon-To: [email protected]

##
Subject: This is the subject...

From: Anonymous <[email protected]>
To: [email protected]
Subject: This is the subject...

list of active remailers + statistics: http://stats.melontraffickers.com/
Cypherpunk Encrypted
[Diagram: the first message below goes into the remailer, which sends out the second.]

From: Aggelos Kiayias <[email protected]>
To: [email protected]

::
Encrypted: PGP

----- Begin PGP Message -----
Version
----- End PGP Message -----

From: [email protected]
To: [email protected]
Subject: This is the subject...
Remailer Chains
From: Aggelos Kiayias <[email protected]>
To: [email protected]

::
Anon-To: [email protected]

::
Anon-To: [email protected]

##
Subject: This is the subject...

[Diagram: the message passes through three remailers.]
Mix Network
[Diagram: senders P and Q submit msg1 and msg2 to a network of mixes A, B, C and D, which outputs msg1 and msg2.]
Not possible to tell whether P sent msg1 or msg2, and similarly for Q (as long as there is one honest mix).
David Chaum, Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, CACM ‘81
Using Encryption
[Diagram: a message made of four blocks, each of fixed block size.]
Block 1: Encrypted with Public-key of A: Send to B; sym_key1
Block 2: Encrypted with sym_key1; Encrypted with Public-key of B: Send to C; sym_key2
Block 3: Encrypted with sym_key1; Encrypted with sym_key2; Encrypted with Public-key of C: Stop; sym_key3
Block 4: Encrypted with sym_key1; Encrypted with sym_key2; Encrypted with sym_key3: destination / info, payload
Following the route
[Diagram: the route sender, A, B, C, destination; blocks labelled “junk” appear in the message along the route.]
Mixmaster
• A mixnet implementation for remailing.
• Message may be split into packets and each packet is routed differently (but with the same final routing destination who should assemble).
• Each mix node relays messages in batches after randomly permuting them [consistent with the standard notion of mixnets].
• Payload can be an e-mail, a Usenet posting, or a dummy message (why a dummy?).
http://www.abditum.com/mixmaster-spec.txt
Limitations
• Lack of bidirectional communication: especially problematic if you want to use anonymity with bidirectional protocols.
• Possibility of replay attacks: can be handled by keeping a log of sent messages and comparing against it.
• Abuse, flooding, etc.
Onion Routing
• An onion directed to a node A is comprised of the following, encrypted with the PK of A:
expiration_time
next_hop
Forward(.)
Backward(.)
Key_material
PAYLOAD (can be another onion)
Hiding routing information, by D. M. Goldschlag, M. G. Reed, P. F. Syverson, Information Hiding Workshop 1996
Onion Layers
Encrypted with PK of A:
  expiration_time
  next_hop = B
  Forward(.)
  Backward(.)
  Key_material
  Encrypted with PK of B:
    expiration_time
    next_hop = D
    Forward(.)
    Backward(.)
    Key_material
    Encrypted with PK of D:
      expiration_time
      next_hop = null
      null
      null
      null
      payload
Onion Peeling
[Diagram: in Create Mode, S sends node A an onion encrypted with the PK of A, containing expiration_time, next_hop, Forward(.), Backward(.), Key_material and PAYLOAD; A passes the PAYLOAD on to B.]
Node A:
1. Decrypt layer
2. Check expiration time
3. Initialize Forward(.) crypto engine using Key_material
4. Initialize Backward(.) crypto engine using Key_material
5. Pad PAYLOAD to maintain fixed size.
6. Forward PAYLOAD to next_hop node.
Circuit Creation
[Diagram: the circuit S, A, B, D is built hop by hop by forward movement in create mode.]
Hop S to A: choose an ACI = 5123
Hop A to B: choose an ACI = 8612
Hop B to D: choose an ACI = 2523
ACI = Anonymous Connection Identifier
ACI tables:
S: [. , 5123]
A: [5123, 8612]
B: [8612, 2523]
D: [2523, “outside connection”]
Once the create mode is done there exists a bidirectional link
Forwarding
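[Diagram: S sends DATA along the circuit S, A, B, D. ACI tables: S: [. , 5123]; A: [5123, 8612]; B: [8612, 2523]; D: [2523, “outside connection”].]
Forward1(.): defined in first onion
Forward2(.): defined in second onion
The circuit delivers: $\text{Forward}_2(\text{Forward}_1(\text{DATA}))$
Thus we may define: $\text{DATA} = \text{Forward}_1^{-1}(\text{Forward}_2^{-1}(\text{MESSAGE}))$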
Responding
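[Diagram: DATA travels back along the circuit D, B, A, S. ACI tables: S: [. , 5123]; A: [5123, 8612]; B: [8612, 2523]; D: [2523, “outside connection”].]
Backward1(.): defined in first onion
Backward2(.): defined in second onion
The circuit delivers: $\text{Backward}_2(\text{Backward}_1(\text{DATA}))$
Thus S recovers the data: $\text{DATA} = \text{Backward}_1^{-1}(\text{Backward}_2^{-1}(\text{MESSAGE}))$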
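An added sketch, not part of the original slides and not Tor's code, of data moving in both directions over the circuit S, A, B, D with the ACI tables from the slides. The Forward(.)/Backward(.) engines are replaced by a toy keyed byte substitution so that the order of application matters; the key-material strings and function names are constructed, and engines are indexed by node name.

```python
# Added example: forwarding and responding over an established circuit.
import random

def crypto_engine(key_material):
    """Toy invertible keyed function (byte substitution seeded by Key_material).
    Stands in for a Forward(.)/Backward(.) engine; not a secure cipher."""
    table = list(range(256))
    random.Random(key_material).shuffle(table)
    inverse = bytearray(256)
    for i, v in enumerate(table):
        inverse[v] = i
    return bytes(table), bytes(inverse)

# Engines each node initialised in create mode (Key_material values constructed).
FWD = {n: crypto_engine(n + "/forward") for n in "AB"}
BWD = {n: crypto_engine(n + "/backward") for n in "AB"}
# ACI tables from the slides, stored as incoming ACI -> outgoing ACI.
ACI = {"A": {5123: 8612}, "B": {8612: 2523}}
ACI_BACK = {n: {out: inc for inc, out in t.items()} for n, t in ACI.items()}

def send_forward(message):
    """S -> A -> B -> D. S pre-applies the inverses so D receives MESSAGE."""
    data = message
    for node in "BA":                   # DATA = F_A^-1(F_B^-1(MESSAGE))
        data = data.translate(FWD[node][1])
    aci, seen = 5123, []
    for node in "AB":                   # each hop applies its Forward(.)
        data, aci = data.translate(FWD[node][0]), ACI[node][aci]
        seen.append(data)               # bytes on the link leaving this hop
    return data, aci, seen

def send_backward(reply):
    """D -> B -> A -> S. Each hop applies its Backward(.); S strips them all."""
    data, aci = reply, 2523
    for node in "BA":
        data, aci = data.translate(BWD[node][0]), ACI_BACK[node][aci]
    received = data                     # what arrives at S on ACI 5123
    for node in "AB":                   # undo in reverse order of application
        data = data.translate(BWD[node][1])
    return data, aci, received
```

Each node only ever maps one ACI to the next and applies its own engine, so no single hop sees both S and the cleartext leaving the circuit at D.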
Implementing Onion Routing
• Each host runs an onion proxy locally.
• TCP/IP traffic can be directed through virtual circuits created by onions.
Tor: http://tor.eff.org/
Problems with Tor
Hidden Identity Based Signatures
Hidden ID-based signatures: a digital signature where the corresponding public-key is your name & is (provably) hidden into the signature.
The hiding can be inverted by the OA.
[Diagram: the Identity Manager takes a name and issues a signing key; the resulting signature provably contains name and can be verified against pkIM; the OA can open this.]
Kiayias - Zhou (2007)
a glimpse
Applying HiddenIBS to TOR
How to calibrate anonymity of Tor using Hidden-IBS
Add three entities in Tor:
Identity manager (IM)
A Disputes & Grievances (D&G) database
An opening authority (OA)
Goals
Minimal anonymity loss if misbehavior does not occur.
Minimal efficiency impact for services that do not require anonymity control.
Transparency to service providers.
the service providers accepting Tor traffic should not have to assist the system [except providing the necessary forensic information]
HiddenIBS + Tor
Modify Tor Exit policy: certain type of packets must be HiddenIBS’ed [e.g., http POST requests]
Modify user’s onion proxy : it catches such packets and signs them using user’s HiddenIBS signing credential.
If user does not have a credential, the onion proxy directs user to IM to get one.
Modify exit point: beyond forwarding the packet it registers it to the D&G database (only the hash + signature need to be registered).
realization issues
What is a user’s identity and how does the Identity Manager verify it?
IP address, e-mail address, id in a reputation system, etc.
How to deal with misbehaving users?
Black-listing; revocation of credentials, time-based or reactive.
anonymity scalability
Disputes & Grievances database contains:
hashes of packets + HiddenIBS signatures. We include nonces in the packets to increase entropy.
The D&G size is manageable:
using a SHA-256 hash + our bilinear map based scheme, with 10GB we can store ~27.3 million entries.
properties
Minimal anonymity loss: D&G database leaks no information about Tor usage, if no misbehavior occurs.
Minimal efficiency impact for services that do not require anonymity control: only a few types of packets need to be signed.
Transparency to service providers: a simple packet log is enough to make an abuse report resulting in blacklisting a user.
other applications
Approach is fairly general.
Application to other anonymous access systems is possible.
Web-sites other than Wikipedia need similar abuse protection; e.g. Slashdot.
More services: e.g., SMTP traffic is blocked. Using HiddenIBS it can be opened.
Blind Signatures
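• We have already seen their application to e-cash and anonymous tokens.
• Another anonymity/privacy application: e-voting
[Diagram: User and Signer. The User turns the message into a blinded message and sends it to the Signer; the Signer returns a scrambled signature; the User obtains the signed message.]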
E-Voting using Blind Signatures
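[Diagram: the voter PC sends a blinded choice and proof of identity to the Election official, who returns a scrambled signature; the voter PC turns the choice into a signed choice and sends it over an Anonymous Channel to Vote tabulation, which produces the Results.]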
Group Signatures
[Diagram: a PKI lists Alice, pkA; Bob, pkB; Charlie, pkC; David, pkD; Eric, pkE; Frank, pkF. Other parties: Group Manager, Verifier, Opening Authority. Charlie produces a PKI-member signature on a message; the Verifier is convinced that a PKI member signs message but not which one.]
D. Chaum, E. van Heyst, 1991
Applications
• Can be used to hide the origin of a transaction.
• Prove that you belong in a group without showing who you are.
• They allow Opening Authority to reveal the identity in case of dispute.
Traceable Signatures
[Diagram: a PKI lists Alice, pkA; Bob, pkB; Charlie, pkC; David, pkD; Eric, pkE; Frank, pkF. Other parties: Group Manager, Tracing Authority, Opening Authority and several Verifiers, each holding a PKI-member signature; some signatures are marked as Charlie’s. A Verifier is convinced that a PKI member signs message but not which one.]
A. Kiayias, Y. Tsiounis, M. Yung, 2004
Applications
• As in group signatures but now it is possible for:
• The tracing authority to find all signatures of a “wanted user”
• A user to claim his signatures.
Ring Signatures
[Diagram: a PKI lists Alice, pkA; Bob, pkB; Charlie, pkC; David, pkD; Eric, pkE; Frank, pkF. A Verifier receives a PKI-member signature on a message and is convinced that either Eric, Frank or Bob signs the message, but it is unclear which one.]
whistle-blowing etc.
Privacy for Trusted Computing
• Your hardware proves its identity but only using an identification scheme based on the previous signatures.
• Your anonymity can be preserved and still prove you are “among the good guys”.
• Opening functionality can be disabled.
• Direct Anonymous Attestation