Privacy and Anonymity in the Internet - HTW Dresdensobe/Basoti/Lectures/3_Priv... · 2014-07-30 ·...
Transcript of Privacy and Anonymity in the Internet - HTW Dresdensobe/Basoti/Lectures/3_Priv... · 2014-07-30 ·...
1
Part 3: Personal Data Protection andCryptographic Anonymity Techniques
Aspects: Infrastructures and cryptographic techniques Unobservability - content anonymization, address
anonymization Rules for a responsible usage of the internet
Privacy and Anonymityin the Internet
BaSoTI 2014, Privacy and Anonymity in the Internet
2
Privacy: Do not let others look into your data - encrypt critical data
Data protection: Forbid theft of data Forbid alterations / modifications of personal data Avoid usage of modified documents/modified software
Objectives
3
Anonymity: Hide your relations in communication – this often requires to encrypt
the message content Forbid the observation of your physical location Protect own privacy – do not allow unwanted collection of data:
surveillance, traffic analysis
Effects in case of dishonest parties:discrimination, physical safety attacks, criminal prosecution, censorship, social sorting
Anonymity techniques are built upon crytographic techniques – but require more than bare cryptography
Objectives
4
Aspects of SecurityAccess Control: control the access to a system in general, access to system functions, access to data (e. g. by a firewall)
Confidentiality/Privacy: prohibits unauthorized access by third parties to data, access to identity attributes (done by encryption)
Authenticy: Proof of the identity of the author / originator and authenticity of data (e.g. by a digital signature)
Integrity: Provability that data is orignal, got not altered
Provability/Verifyability: Proof of authenticity and integrity by a authorized third party
Copyright: Protection of intelectual / Cultural properties, Copyright-marks, Identification of illegal copies
5
Attackers capabilities within ananonymity infrastructureAn attacker may gain control over a limited number of links and/or nodes
capabilities - compare to data flow deviations(see Security Lecture):
Interruption: destroy or corrupt messages Interception/Observation: access message content, determine
sender and receiver of messages, find out correllations Modification: modify messages, change message destinations Fabrication: inject new messages into the system, take part in the
anonymity service offered by the infrastructure
6
Cryptographic Techniques (1/3)Encryption function E Key ... KDecryption function D
EK(P) P ... original message S = EK1(P) S ... encrypted TextP = DK2(S)
symmetric cryptographic schems (Private Key): K1=K2
asymmetric cryptographic schemes (public key): K1 public key, specific to a receiver (decoding entity) K2 private (secret) key, specific to a receiver (decoding entity)
7
Cryptographic Techniques (2/3)Symmetric codes:
Encryption is done by an arithmetic transformation of the datausing a secret key. Decryption is the reverse transformationusing the same secret key.
Variants: • One Time Pad: A single but very long key, sender and receiver
combine data bitwise-XOR with the secret key• Pseudo One Time Pad: A short secret key is used to generate a n
infinite long key, e.g. the key as a parameter for a pseudo randomnumber generator that generate the long key, combination usingbitwise XOR operation
• Data as key generator: A first block is encrypted using the key(similarly to one time pad), the next key for the next block isgenerated out of the previous original data, and so on.
8
Cryptographic Techniques (3/3)
asymmetric codes:Pair of a public key and a private key, computationally hardness to guess private key from public key
Variants by different algorithms: RSA (Rivest et al. 1978) – based on difficulty of factorization of big
numbers DSA (Elgamal, 1984) – Digital Signature Algorithm (Standard)
based on the Calculation of discrete logarithms Elliptical Curve-Algorithms (Miller, Koblitz, ca. 1985)
9
Signatures for Authentication (1/3)Digital signatures are used as replacement of written genuine signatures, typically related to an original document (message) that‘s content is signed
Digital signatures are transfered as postfix of a message
A signed message is transferred as follows:message + signature(sender-id, message, random number)
private key: secret of the signing entity used as parameter for the signature function
public key: public for all to check the validity of the signature
Compared to en/decryption: reverse roles of keys
10
Signatures for Authentication (2/3)Sign function:signature = E K-privat ( hash(message) + random_number)
Check function : hash(message) + rest = D K-public, sender (signature)
In case of equality (=) the signature is valid,otherwise: signature invalid, e.g. signature tampered when forwarded wrong message, e.g. tampered during transfer message or signature not sent by the claimed sender
11
Signatures for Authentication (3/3)A simple signature scheme that is not cryptographically strong …However, it represents the general idea.
Choose a prime number MChose Parameters a,b,c in the way that a*b MOD M = c
Public Key: b,c, (M)Private Key: a, (M) Difficulty: a = c/b MOD M
Sign-Function: sig = a*H(msg) MOD MCheck-Function:
if ( sig*b MOD M = c *H(msg) MOD M) { valid=true;}else {valid=false; }
12
Privacy and Unobersvability (1/2)Situation:
Need for privacy: hide the message content of request and response mesages ban observation of who communicates with whom
(hide sender/receiver correllation)
Client Server
Observationby service provider
Observationin the network
13
Privacy and Unobersvability (2/2)
ClientServer
Observation of client server relations
Third-Party Analysis Tools, such as Google Analytics
AnalyticsServer
JavaScript+ parameters
14
Anonymity techniquesStrongest Assumption: The attacker/observer is able toobserve the sending act and the receiving act, and is able totrack a message.
General anonymity approach:
Hide the personal communication in a cover set ofcommunications, cover traffic
Confuse the observer, conceal the particular sender andreceiver and their communication relationship
Hide the receiver address, and the sender address (for a reply) either by broadcast, or by address encryption
15
Anonymity techniquesHide a single transmission among n transmissions
The other n-1 transmissions are the cover traffic
that is either generated as artifical (redundant, random) traffic
or is taken from many different users that mix their transmissions
The cover set should be as big as possible
For anonymity, it must be ensured that an attacker is not able to controlthe entire cover set, i.e. not able to control all the n-1 transmissions
observation of n=6transmissions
16
Anonymity techniques
Broadcast network and implicit addresses:Delivery of the same message to all receiver nodes that take part in the anonymity infrastructure. The message have to contain an attribute that allows the addressee to recognize the message. This attribute can be build using an asymmetric cryptographic system.
→ recipients anonymity
message + encrypted address A
C
Only the desired receiver is able to decrypt its address (or a magic text)
17
Anonymity techniquesDC network:A time-slotted network allows all nodes to send within a slot. One node provides a real message content and the receiver address and XORes both with a secret key . All other nodes provide dummy messages that are generated from secret keys. The keys are formed in a way that the superposition of all messages reveals the original real message content.
Msg|Dest: 0110|10Key-B: 1110 00Key-C: 0001 11
→ sender anonymity
node AMsg|Dest: 0000|00Key-A: 1000 01Key-C: 0001 11
node BMsg|Dest: 0000|00Key-A: 1000 01Key-B: 1110 00
node C
Send: 1001 01 Send: 1001 10 Send: 0110 01
global-XOR: 0110 10
18
Anonymity techniquesPrivate Information Retrieval: Hidden request of data cells from a set of servers with replicated content. The interest on a specific data cell is protected by requests of randomly chosen additional cells. Requests are sent by broadcast (! not necessarily) messages, and all servers send reply messages. A specific XOR-based request encoding and reply decoding method allows to extract the desired data cell anonymously.
comparable to recipients anonymity
A,B,C
A,B,C
A,B,Cwants to read C
A,B,C
A,B,C
A,B,C
m=E‘(A XOR B)
A XOR(A XOR B ) XOR (B XOR C)= C
all channels are encrypted
19
Anonymity techniquesMIX (David Chaum, 1981)Messages are sent to destination through proximity entities(MIX nodes), message content and addresses are encrypted.
Sender anonymity and recipients anonymity
Another similar concept: Onion Router
See next slides for details.
user X
user Y
sender
receiver(e.g. server)
20
MIX – the general principle
MIX receiversender
Process A sends P to B, via MIX1: encrypt using the public key
of the MIX S=EMIX(B:P)2: send S to MIX
S
MIX receives S …1: MIX decrypts B:P
using decryption function B:P=DMIX(S)2: MIX sends P to B
B receives P from MIX (anonymously)
A B
(1) Unobservability: An observer is not able to guess from S and P that A was the originator of message P, assumed that it does not exploit correlations in time
(2) Anonymity: The receiver is not able to relate the received message P to A, it solely sees the message P coming from the Mix (anonymity)
P
21
MIX – Problems and SolutionsProblem Solution
a single MIX knows all communication-relations andmessages
cascading of several MIXes that should operate independently
correlation of incoming andoutgoing messages byobservation of their time andlength
buffering of messages in a MIX anddelayed, reordered forwarding, length-filling (padding)
replay attacks are still possible encryption message + random-number and duplicate detection
up to now no reply messagespossible, needed for HTTP: request, response
manage proximity reply-addresses to follow-up MIXes, the final receiver sendssynchronously a response
22
MIX – functional viewFunctional view on a single MIX:
Data base of previous messages
dropping of duplicates
decryption
messagebuffer
delay and reordering
P,rand = D K-private(S )
S=E K-public(P,rand)
P,E(rand)
for simplification: destination address and addresses of follow-up Mixes are contained in P
Proximity reply addressresolver
reply-adr = index(D(E(rand))
23
MIX - CascadingMIX-Cascades: using a sequence of multiple MIXes,distributes knowledge under assumption that MIXes do not cooperate
MIX1
MIX2
sender
receiver
SM2M1 = EK-Public1 (EK-Public2(M,rand2), rand1)
SM2 = EK-Public2(M,rand2),E(rand1)
M, E(rand2)
store:(address sender, rand1)
store:(address MIX1, rand2)
http://anon.inf.tu-dresden.de
24
Analytics via MIX cascades
ClientServer
observation of client server relations:Analytics system sees the request coming from the last MIX (here this is MIX2)
AnalyticsServer
JavaScript+ parameters
MIX1 MIX2
server:sees the request coming from the last MIX (here this is MIX2)
25
Onion RouterConcept similar to MIXesA message is encrypted several times and routed through several router-nodes that decrypt the message stepwise.
Difference: not a fixed sequence of MIXes a network of routers, a client selects a route from several routes and is
capable to change that route for any later communication phase huge number of onion routers – traffic is distributed and does not
concentrate on a few MIXes circuit-concept – a route that is stable for a specific time no message padding (no length unification), instead circuits can be
used by several IP streams that are interleaved end-to-end integrity checking for a circuit
TOR-Project: www.torproject.org
26
Onion RouterIllustration of TOR‘s operation
R
R
R R
R R
D
TOR router
TOR directory
D
1
C TOR client/proxy
C
encrypted link
unencrypted link
The users client loads a list of TOR nodes from a directory server
27
Onion RouterIllustration of TOR‘s operation
R
R
R R
R R
D
TOR router
TOR directory
D
2
C TOR client/proxy
C
encrypted link
unencrypted link
The users client picks a random route to the destination server
28
Onion RouterIllustration of TOR‘s operation
R
R
R R
R R
D
TOR router
TOR directory
D
3
C TOR client/proxy
C
encrypted link
unencrypted link
The users selects another random path, when another destination server is accessed(path changes regularly)
29
Rules for responsible usage of the Internet Problem / Questions:When is it preferable to allow access to the personal usage behaviour and to open identy attributes?
When it is better to stay anonymous?
Can that decision be controlled for Internet usage?
30
Rules for responsible usage of the Internet Use the Web as productive platform provide valuable content in the Internet. identfy yourself and your contact address as author of articles, blogs etc.BUT: don‘t publish critical private information in the web
(e.g. twitter, facebook)
Be aware keep in mind that observations and analytics are always possible Analytics are mostly pseudonymized as long you don‘t identfy yourself,
possibly personalized when identification data can be used in addition toanalytics
keep in mind that your physical position can be tracked in most mobile services
read the “terms of usage“ when you register to a service
31
Rules for responsible usage of the Internet Example:Schufa (a german Credit scoring service) tries to exploit facebook datato adjust a persons credit score can be dangerous, for example if you have friends with a bad
payment manner potentially a social ranking will be taken
32
Rules for responsible usage of the Internet
Support of privacy and anonymity:
take part in anonymity infrastuctures
use them for your free communications
don‘t use them for illegal actions (unallowed downloads, copyrightviolations, spamming, cyber criminal activities)… most infrastructures allow tracking for law enforcement
33
Rules for responsible usage of the Internet For website publishers / web application programmers: Web sites should make available a privacy policy that is easy to find.
Ideally the policy should be accessible from the home page by looking for the word "privacy."
Privacy policies should state clearly how and when personal information is collected.
Web sites should make it possible for individuals to get access to their own data.
Cookies transactions should be more transparent. Web sites should continue to support anonymous access for Internet
users. Protecting privacy will be one the greatest challenges for the Internet. From „Sufers Aware“: EPIC. (1997). Surfer Beware I: Personal Privacy and the Internet. http://epic.org/reports/surfer-beware.html