CS 134 Winter 2016 Privacy and Anonymity
Privacy
• Privacy and Society
  • Basic individual right & desire
  • Relevant to corporations & government agencies
  • Recently increased awareness
• However, general public’s perception of privacy is fickle
• Privacy and Technology in Recent Years
  • >> Information disclosed on the Internet
  • >> Handling and transfer of sensitive information
  • << Privacy and accountability
Privacy on Public Networks
• The Internet is designed as a public network
  • Machines on your LAN may see your traffic, network routers see all traffic that passes through them
• Routing information is public
  • IP packet headers identify source and destination
  • Even a passive observer can easily figure out who is talking to whom
• Encryption (e.g., SSL or IPsec) does not hide identities
  • Encryption hides payload, not routing information
  • Even IP-level encryption (tunnel-mode IPsec/ESP) reveals IP addresses of IPsec gateways
Applications of Anonymity (1)
• Privacy
  • Hide online transactions, Web browsing, etc. from intrusive governments, marketers, archival/search entities (e.g., Google) as well as from criminals and snoops
• Untraceable Electronic Mail
  • Corporate whistle-blowers
  • Political dissidents in oppressive societies
  • Socially sensitive communications (online AA or STD meeting)
  • Confidential business negotiations
• Law Enforcement and Intelligence
  • Sting operations and honeypots
  • Secret communications on a public network
  • Informers, secret agents, etc.
Applications of Anonymity (2)
• Digital/Electronic Cash
  • Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity)
• Anonymous Electronic Voting
• Censorship-Resistant Publishing
• Crypto-Anarchy
  • “Some people say that “anarchy won't work.” That's not an argument against anarchy; that's an argument against work.” – Bob Black :)
Applications of Anonymity (3)
• Porn
• Libel
• Disinformation/Propaganda
• Sale of Illegal Substances (e.g., Silk Road)
• Tax Avoidance (via Untraceable Payments)
• Incitement to Criminal Activity (e.g., Murder, Rioting, Genocide, Terrorism)
What is Anonymity?
• Anonymity: the inability to identify someone within a set of subjects (size varies)
  • Different from PRIVACY – right to be left alone
  • Hide your activities among similar activities by others
  • One cannot be anonymous alone!
• Big difference between anonymity and confidentiality
• Unlinkability: of action and identity
  • For example, sender and his email are no more related after observing communication than they were before
• Unobservability: (very hard to achieve)
  • Observer cannot tell whether a certain action took place
Attacks on Anonymity
• Passive Traffic Analysis
  • Infer from network traffic who is talking to whom
  • To hide your traffic, must carry other people’s traffic!
• Active Traffic Analysis
  • Inject packets or put a timing signature on packet flow
• Compromise of Network Nodes (Routers)
  • Not obvious which nodes have been compromised
  • Attacker may be passively logging traffic
  • It’s better not to trust any individual node
  • Assume that some fraction of nodes is good, but do not know which
Chaum’s Mix
• Early proposal for anonymous email
  • David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981.
• Public-key crypto + trusted re-mailer (Mix)
  • Untrusted communication medium
  • Public-keys used as persistent pseudonyms
• Modern anonymity systems use Mix as the basic building block
Before spam, people thought anonymous email was a good idea :)
Basic Mix Design
[Figure: nodes A, B, C, D, E connected through a Mix]
Messages sent to the Mix:
{r1,{r0,M}pk(B),B}pk(mix)
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
Messages forwarded by the Mix:
{r0,M}pk(B),B
{r3,M’}pk(E),E
{r5,M’’}pk(B),B
Adversary knows all senders and all receivers, but cannot link a sent message with a received message
Anonymous Return Addresses
[Figure: A sends to B through MIX; B responds through MIX’]
A → MIX: {r1,{r0,M}pk(B),B}pk(mix)
MIX → B: {r0,M}pk(B),B
M includes {K1,A}pk(mix’), K2 where K2 is a fresh public key and MIX’ is possibly different from MIX
Response
B → MIX’: {K1,A}pk(mix’), {r2,M’}K2
MIX’ → A: A,{{r2,M’}K2}K1
Secrecy without authentication (good for an online confession service :))
Mix Cascade
• Messages are sent through a sequence of mixes
  • Can also form an arbitrary network of mixes (“mixnet”)
• Some mixes may be controlled by attacker, but even a single good mix guarantees some anonymity
• Pad and buffer traffic to foil correlation attacks
Disadvantages of Basic Mixnets
• Public-key encryption and decryption at each mix are computationally expensive
• Basic mixnets have high latency
  • Ok for email, but not for anonymous Web browsing
• Challenge: low-latency anonymity network
  • Use public-key cryptography to establish a “circuit” with pairwise symmetric keys between hops on the circuit
  • Then use symmetric decryption and re-encryption to move data messages along the established circuits
  • Each node behaves like a mix; anonymity is preserved even if some nodes are compromised
Another Idea: Randomized Routing
• Hide sources by routing messages randomly
  • Popular technique: Crowds, Freenet, Onion routing
• Routers do not know if the apparent source of a message is the true sender or another router
Onion Routing
[Reed, Syverson, Goldschlag 1997]
[Figure: Alice reaches Bob through routers R1, R2, R3, R4, chosen from a network of routers R]
• Sender chooses a random sequence of routers
  • Some routers are honest, some are not
  • Sender controls path length
Route Establishment
[Figure: Alice establishes a route to Bob through R1, R2, R3, R4]
{R2,k1}pk(R1),{ {R3,k2}pk(R2),{ {R4,k3}pk(R3),{ {B,k4}pk(R4),{ {M}pk(B) }k4 }k3 }k2 }k1
• Routing info for each link encrypted with router’s public key
• Each router learns only the identity of the next router
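The layering on the Route Establishment slide, as an added example that is not part of the original slides: each router opens its own header, learns only the next hop and a symmetric key, and strips one layer. Assumptions: `toy_enc` is an insecure stand-in used for both the public-key and the symmetric encryption, the final {M}pk(B) layer is omitted (the message is passed as opaque bytes), and `build_onion`, `peel`, `route`, `KEYS` and `PATH` are hypothetical names.

```python
import hashlib
import json
import os

def toy_enc(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 counter keystream). A stand-in only, NOT secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

toy_dec = toy_enc  # XOR with the same keystream inverts itself

def build_onion(path, router_keys, dest, message):
    """Wrap message in one layer per router, innermost layer first."""
    blob, next_hop = message, dest
    for name in reversed(path):
        k = os.urandom(16)  # fresh per-hop symmetric key (k1..k4 on the slide)
        info = json.dumps({"next": next_hop, "k": k.hex()}).encode()
        header = toy_enc(router_keys[name], info)  # models {next,k}pk(R)
        blob = len(header).to_bytes(2, "big") + header + toy_enc(k, blob)
        next_hop = name
    return blob

def peel(name, router_keys, blob):
    """What router `name` can do: open its header and strip exactly one layer."""
    hlen = int.from_bytes(blob[:2], "big")
    info = json.loads(toy_dec(router_keys[name], blob[2:2 + hlen]))
    return info["next"], toy_dec(bytes.fromhex(info["k"]), blob[2 + hlen:])

def route(path, router_keys, blob):
    """Forward the onion hop by hop; record the only name each router learns."""
    learned, hop = [], path[0]
    while hop in router_keys:
        nxt, blob = peel(hop, router_keys, blob)
        learned.append((hop, nxt))
        hop = nxt
    return learned, hop, blob

# Constructed sample: four routers with made-up long-term keys, destination "Bob".
KEYS = {f"R{i}": f"constructed-key-{i}".encode() for i in range(1, 5)}
PATH = ["R1", "R2", "R3", "R4"]

if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "Bob", b"hello Bob")
    print(route(PATH, KEYS, onion))
```

In this toy the blob shrinks by one header per hop; the padding mentioned on the Mix Cascade slide is what hides that kind of size correlation.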
The Onion Router (Tor)
• Second-generation onion routing network
  • http://tor.eff.org
  • Specifically designed for low-latency anonymous Internet communications (e.g., Web browsing)
• Running since October 2003
• Hundreds of nodes on all continents
• 1.5 million users as of 2016
• “Easy-to-use” client proxy
  • Freely available, can use it for anonymous browsing
  • Available for smartphones and tablets too
Tor Circuit Setup (2)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
  • Tunnel through Onion Router #1
Tor Circuit Setup (3)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
  • Tunnel through Onion Routers #1 and #2
Using a Tor Circuit
• Client applications connect and communicate over the established Tor circuit (also to multiple dst-s)
• Datagrams are decrypted and re-encrypted at each link
Tor Management Issues
• Many applications can share one circuit
  • Multiple TCP streams over one anonymous connection
• Tor routers do not need root privileges
  • Encourages people to set up their own routers
  • More participants = better anonymity for everyone
• Directory servers
  • Maintain lists of active onion routers, their locations, current public keys, etc.
  • Control how new routers join the network
  • “Sybil attack”: attacker creates a large number of routers
  • Directory servers’ keys ship with Tor code
Location Hidden Servers
• Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
• Accessible from anywhere
• Resistant to censorship
• Can survive a full-blown DoS attack
• Resistant to physical attack
  • Cannot find the physical server!
Creating a Location Hidden Server
Server creates circuits to “introduction points”
Server gives intro points’ descriptors and addresses to service lookup directory
Client obtains service descriptor and intro point address from directory
Using a Location Hidden Server
Client creates a circuit to a “rendezvous point”
Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
If server chooses to talk to client, connect to rendezvous point
Rendezvous point matches the circuits from client & server
Deployed Anonymity Systems
• Free Haven project has an excellent bibliography on anonymity
  • http://www.freehaven.net/anonbib
• Tor (http://tor.eff.org)
  • Overlay circuit-based anonymity network
  • Best for low-latency applications such as anonymous Web browsing
• Mixminion (http://www.mixminion.net)
  • Network of mixes
  • Best for high-latency applications such as anonymous email
Dining Cryptographers
• How to make a message public, but in a perfectly untraceable manner
  • David Chaum. “The dining cryptographers problem: unconditional sender and recipient untraceability.” Journal of Cryptology, 1988.
• Guarantees information-theoretic anonymity for message senders
  • VERY strong form of anonymity: defeats adversary who has unlimited computational power
• Difficult to make practical
  • In group of size N, need N random bits to send 1 bit
Three-Person DC Protocol
• Three cryptographers are having dinner.
• Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor.
  • Every diner sees two coins: his own and his right neighbor’s
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. IF Number of “same” = 1 or 3 ⇒ NSA is paying
   IF Number of “same” = 0 or 2 ⇒ one of them is paying
  • But a non-payer cannot tell which of the other two is paying!
Non-Payer’s View: Same Coins
[Figure: two scenarios, each with an unknown coin “?”, announcements “same” / “different”, and a diner marked as payer]
Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying
Non-Payer’s View: Different Coins
[Figure: two scenarios, each with an unknown coin “?”, announcements “same” / “same”, and a diner marked as payer]
Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying
Super-posed Sending
• This idea generalizes to any group of size N
• For each bit of the message, every user generates 1 random bit and sends it to ONE neighbor
• Every user learns 2 bits (his own and his neighbor’s)
• Each user announces own bit XOR neighbor’s bit
• Sender announces own bit XOR neighbor’s bit XOR message bit
• XOR all announcements = message bit
  • Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once
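The three-person protocol and super-posed sending above, as an added example that is not part of the original slides: it runs the round for any group size N and brute-forces a non-sender's view to list who could have been the sender. All function names are hypothetical; an announcement of 0 stands for “same” and 1 for “different”.

```python
import secrets
from functools import reduce
from itertools import product
from operator import xor

def dc_round(n, sender, bit, coins=None):
    """One round among n users seated in a ring; returns the n public announcements.

    User i sees coins[i] (own) and coins[(i + 1) % n] (right neighbour's).
    sender=None means nobody transmits (the "NSA is paying" case).
    """
    if coins is None:
        coins = [secrets.randbits(1) for _ in range(n)]
    return [coins[i] ^ coins[(i + 1) % n] ^ (bit if i == sender else 0)
            for i in range(n)]

def recover(announcements):
    """XOR of all announcements: every coin appears twice and cancels."""
    return reduce(xor, announcements)

def send_message(n, sender, bits):
    """Send a multi-bit message, one fresh round (n random bits) per message bit."""
    return [recover(dc_round(n, sender, b)) for b in bits]

def possible_senders(n, observer, announcements, own_coin, right_coin):
    """Senders a non-sending observer cannot rule out after a round that carried a 1.

    Tries every assignment of the coins the observer did not see and keeps each
    candidate whose announcements would match the public ones.
    """
    right = (observer + 1) % n
    hidden = [j for j in range(n) if j not in (observer, right)]
    suspects = set()
    for guess in product((0, 1), repeat=len(hidden)):
        coins = [0] * n
        coins[observer], coins[right] = own_coin, right_coin
        for j, c in zip(hidden, guess):
            coins[j] = c
        for s in range(n):
            if s != observer and dc_round(n, s, 1, coins) == announcements:
                suspects.add(s)
    return suspects
```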