CS 134 Winter 2018 LECTURE 15 Privacy and Anonymitysconce.ics.uci.edu/134-W18/slides/LEC15.pdf ·...
Transcript of CS 134 Winter 2018 LECTURE 15 Privacy and Anonymitysconce.ics.uci.edu/134-W18/slides/LEC15.pdf ·...
LECTURE 15 Privacy and Anonymity
CS 134 Winter 2018
1
Privacy
• Privacy and Society • Basic individual right & desire • Also relevant to corporations & government
agencies • Recently increased awareness
• But, public’s perception of privacy is fickle
• Privacy and Technology in Recent Years • >>Information disclosed on the Internet • >>Handling and transfer of sensitive
information • <<Privacy and accountability
2
(Image from geekologie.com)
Privacy on Public Networks
• TheInternetisdesignedasapublicnetwork• AnyoneonyourLAN(wiredorwireless)canseeyourtraffic• Networkroutersseealltrafficthatpassesthroughthem
• Routinginformationispublic• IPpacketheadersidentifysourceanddestinationaddresses• Apassiveobservercaneasilyfigureoutwhoistalkingtowhom
• Encryption(e.g.,SSLorIPSec)doesnothideidentities• Encryptionhidespayload,notrouting+addressinginformation• EvenIP-levelencryption(tunnel-modeIPsec/ESP)revealsIPaddressesofIPsecgateways
3
Applications of Anonymity (1)
• Privacy• Hideonlinetransactions,Webbrowsing,etc.fromintrusivegovernments,marketers,archival/searchentities(e.g.,Google)aswellasfromcriminalsandsnoops
• UntraceableElectronicMail• Corporatewhistle-blowers• Politicaldissidentsinoppressivesocieties• Sociallysensitivecommunications(onlineAAorSTDmeeting)• Confidentialbusinessnegotiations
• LawEnforcementandIntelligence• Stingoperationsandhoneypots• Secretcommunicationsonapublicnetwork
• Informers,secretagents,etc.4
Applications of Anonymity (2)
• Digital/ElectronicCash• Electroniccurrencywithpropertiesofpapermoney(onlinepurchasesunlinkabletobuyer’sidentity)
• AnonymousElectronicVoting
• Censorship-ResistantPublishing
• Crypto-Anarchy• “Somepeoplesaythat“anarchywon'twork.”That'snotanargumentagainstanarchy;that'sanargumentagainstwork.”–BobBlackJ
5
Applications of Anonymity (3)
• Porn
• HumanTrafficking
• Libel
• Disinformation=FakeNews/Propaganda
• SaleofIllegalSubstances(e.g.,SilkRoad)
• TaxAvoidance(viaUntraceablePayments)
• IncitementtoCriminalActivity(e.g.,Murder,Rioting,Genocide,Terrorism)6
What is Anonymity?
• Anonymity:inabilitytoidentifysomeonewithinasetofsubjects(sizevaries)• DifferentfromPRIVACY–righttobeleftalone• Tobeanonymous,needtohideyouractivitiesamongsimilaractivitiesbyothers• Onecannotbeanonymousalone!
• Bigdifferencebetweenanonymityandconfidentiality
• Unlinkability:separationofactionandidentityperformingthataction• Forexample,senderandhisemailarenomorerelatedafterobservingcommunicationthantheywerebefore
• Unobservability:inabilitytotellwhetheracertainactiontookplace• veryhardtoachieve
7
Attacks on Anonymity
• PassiveTrafficAnalysis• Inferfromnetworktrafficwhoistalkingtowhom• Tohideyourtraffic,mustcarryotherpeople’straffic!
• ActiveTrafficAnalysis• Injectpacketsorputatimingsignatureonapacketflow
• CompromiseofNetworkNodes(suchasRouters)• Notobviouswhichnodeshavebeencompromised
• Attackermaybepassivelyloggingtraffic• Donotfullytrustanyindividualnode
• Assumethatsomefractionofnodesisgood,butdonotknowwhich
8
Chaum’s Mix (David Chaum, ca. 1980-1981)
• Earliestproposalforanonymousemail:• DavidChaum,“Untraceableelectronicmail,returnaddresses,anddigitalpseudonyms”,CommunicationsoftheACM,February1981.
• Public-keycrypto+trustedre-mailer(Mix)• Untrustedcommunicationmedium• Public-keysusedaspersistentpseudonyms
• ModernanonymitysystemsuseMixasthebasicbuildingblock
9
Before spam, people thought anonymous email was a good idea J
Basic Mix Design
10
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversary knows all senders and all receivers, but cannot link a sent message with a received message
Anonymous Return Addresses
• 11
A
B MIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
M includes {K1,A}pk(mix’), K2 where K2 is a fresh public key and MIX’ is possibly different from MIX
Response MIX’
{K1,A}pk(mix’), {r2,M’}K2 A,{{r2,M’}K2}K1
Secrecy without authentication (good for an online confession service J)
Mix Cascade
• Messagesaresentthroughasequenceofmixes• Canalsoformanarbitrarynetworkofmixes(“mixnet”)
• Somemixesmaybecontrolledbyattacker,butevenasinglegoodmixguaranteessomeanonymity
• Padandbuffertraffictofoilcorrelationattacks12
Disadvantages of Basic Mixnets
• Public-keyencryptionanddecryptionateachmixarecomputationallyexpensive
• Basicmixnetshavehighlatency• Okforemail,butnotforanonymousWebbrowsing
• Challenge:low-latencyanonymitynetwork• Usepublic-keycryptographytoestablisha“circuit”withpairwisesymmetrickeysbetweenhopsonthecircuit
• Thenusesymmetricdecryptionandre-encryptiontomovedatamessagesalongtheestablishedcircuits
• Eachnodebehaveslikeamix;anonymityispreservedevenifsomenodesarecompromised
13
Another Idea: Randomized Routing
• Hidesourcesbyroutingmessagesrandomly• Populartechnique:Crowds,Freenet,Onionrouting
• Routersdonotknowiftheapparentsourceofamessageisthetruesenderoranotherrouter
14
Onion Routing
15
R R4
R1 R2
R
R R3
Bob
R
R
R
• Sender chooses a random sequence of routers • Some routers are honest, some are not • Sender controls path length
Alice
[Reed, Syverson, Goldschlag 1997]
Route Establishment
16
R4
R1
R2 R3 Bob Alice
{R2,k1}pk(R1),{ }k1 {R3,k2}pk(R2),{ }k2
{R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4
{M}pk(B)
• Routing info for each link encrypted with router’s public key • Each router learns only the identity of the next router
The Onion Router (Tor)
• Second-generationonionroutingnetwork• http://tor.eff.org• Specificallydesignedforlow-latencyanonymousInternetcommunications(e.g.,Webbrowsing)
• RunningsinceOctober2003
• Hundredsofnodesonallcontinents
• 1.5millionusersasof2016
• “Easy-to-use”clientproxy• Freelyavailable,canuseitforanonymousbrowsing• Availableforsmartphonesandtabletstoo
17
Tor Circuit Setup (1)
• ClientproxyestablishesasymmetricsessionkeyandcircuitwithOnionRouter#1
18
Tor Circuit Setup (2)
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#2
• TunnelthroughOnionRouter#1
19
Tor Circuit Setup (3)
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#3
• TunnelthroughOnionRouters#1and#2
20
Using a Tor Circuit
• ClientapplicationsconnectandcommunicateovertheestablishedTorcircuit(alsotomultipledst-s)
• Datagramsaredecryptedandre-encryptedateachlink
21
Tor Management Issues
• Manyapplicationscanshareonecircuit• MultipleTCPstreamsoveroneanonymousconnection
• Torrouterdonotneedrootprivileges• Encouragespeopletosetuptheirownrouters• Moreparticipants=betteranonymityforeveryone
• Directoryservers• Maintainlistsofactiveonionrouters,theirlocations,currentpublickeys,etc.• Controlhownewroutersjointhenetwork
• “Sybilattack”:attackercreatesalargenumberofrouters• Directoryservers’keysshipwithTorcode
22
Location Hidden Servers
• Goal:deployaserverontheInternetthatanyonecanconnecttowithoutknowingwhereitisorwhorunsit
• Accessiblefromanywhere
• Resistanttocensorship
• Cansurviveafull-blownDoSattack
• Resistanttophysicalattack• Cannotfindthephysicalserver!
23
Creating a Location Hidden Server
24
Server creates circuits to “introduction points”
Server gives intro points’ descriptors and addresses to service lookup directory
Client obtains service descriptor and intro point address from directory
Using a Location Hidden Server
25
Client creates a circuit to a “rendezvous point”
Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
If server chooses to talk to client, connect to rendezvous point
Rendezvous point matches the circuits from client & server
Deployed Anonymity Systems
• FreeHavenprojecthasanexcellentbibliographyonanonymity• http://www.freehaven.net/anonbib
• Tor(http://tor.eff.org)• Overlaycircuit-basedanonymitynetwork• Bestforlow-latencyapplicationssuchasanonymousWebbrowsing
• Mixminion(http://www.mixminion.net)• Networkofmixes• Bestforhigh-latencyapplicationssuchasanonymousemail
26
Dining Cryptographers
• Howtomakeamessagepublic,butinaperfectlyuntraceablemanner• DavidChaum.“Thediningcryptographersproblem:unconditionalsenderandrecipientuntraceability.”JournalofCryptology,1988.
• Guaranteesinformation-theoreticanonymityformessagesenders• VERYstrongformofanonymity:defeatsadversarywhohasunlimitedcomputationalpower
• Difficulttomakepractical• IngroupofsizeN,needNrandombitstosend1bit
27
Three-Person DC Protocol
• Threecryptographersarehavingdinner.
• EitherNSAispayingforthedinner,oroneofthemispaying,butwishestoremainanonymous.
1. Eachdinerflipsacoinandshowsittohisleftneighbor.
• Everydinerseestwocoins:hisownandhisrightneighbor’s
2. Eachdinerannounceswhetherthetwocoinsarethesame.Ifheisthepayer,helies(saystheopposite).
3. IFNumberof“same”=1or3⇒NSAispayingIFNumberof“same”=0or2⇒oneofthemispaying
• Butanon-payercannottellwhichoftheothertwoispaying!28
Non-Payer’s View: Same Coins
29
?
“same” “different”
payer payer
?
“same” “different”
Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying
Non-Payer’s View: Different Coins
30
?
“same” “same”
payer payer
?
“same” “same”
Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying
Super-posed Sending
• ThisideageneralizestoanygroupofsizeN
• Foreachbitofthemessage,everyusergenerates1randombitandsendsittoONEneighbor
• Everyuserlearns2bits(hisownandhisneighbor’s)
• EachuserannouncesownbitXORneighbor’sbit
• SenderannouncesownbitXORneighbor’sbitXORmessagebit
• XORallannouncements=messagebit• Everyrandomlygeneratedbitoccursinthissumtwice(andiscanceledbyXOR),messagebitoccursonce
31