Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University, 2 US Naval.

Slides:



Advertisements
Similar presentations
The Diffie-Hellman Algorithm
Advertisements

Internet Protocol Security (IP Sec)
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Conscript Your Friends into Larger Anonymity Sets with JavaScript ACM Workshop on Privacy in the Electronic Society 4 November 2013 Henry Corrigan-Gibbs.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Anonymity without Sacrificing Performance Enhanced Nymble System with Distributed Architecture CS 858 Project Presentation Omid Ardakanian * Nam Pham *
Secure Multiparty Computations on Bitcoin
CSC 774 Advanced Network Security
Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
CSC 774 Advanced Network Security
1 Dissent: Accountable, Anonymous Communication Joan Feigenbaum Joint work with Bryan Ford, Henry Corrigan-Gibbs, Yixuan.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Authors Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Abraham Flaxman Presented by: Jonathan di Costanzo & Muhammad Atif Qureshi 1.
Reusable Anonymous Return Channels
Hang with Your Buddies to Resist Intersection Attacks David Wolinsky, Ewa Syta, Bryan Ford Yale University.
Dissent: Accountable Anonymous Group Messaging Henry Corrigan-Gibbs and Bryan Ford Department of Computer Science Yale University 17 th ACM Conference.
Cashmere: Resilient Anonymous Routing CS290F March 7, 2005.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
SybilGuard: Defending Against Sybil Attacks via Social Networks Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, and Abraham Flaxman Presented by Ryan.
Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.
SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Case Study: TOR Anonymity Network Bahadir Ismail Aydin Computer Sciences and Engineering University.
Privacy-Preserving P2P Data Sharing with OneSwarm -Piggy.
Network Aware Resource Allocation in Distributed Clouds.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Chapter 21 Distributed System Security Copyright © 2008.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Class 8 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
Symmetric Cryptography, Asymmetric Cryptography, and Digital Signatures.
Consider a network in which for any two nodes directly connected with a link, a message either reaches its destination within T time or gets lost. (a)
New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten.
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
Security for Broadcast Network
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
Private key
Fall 2006CS 395: Computer Security1 Key Management.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Network Processing Systems Design
OblivP2P: An Oblivious Peer-to-Peer Content Sharing System
Anonymous Communication
OblivP2P: An Oblivious Peer-to-Peer Content Sharing System
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Anonymous Communication
Dissent: Accountable, Anonymous Communication
Presentation transcript:

Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University, 2 US Naval Research Laboratory

Motivation – Strength in Numbers Meet tonight at 7 PM in the park for pizza and beer! Bob, you’re going be spending some time in the slammer!

All of you going to be spending time in the slammer!!! Meet tonight at 7 PM in the park for pizza and beer! Motivation – Strength in Numbers

Meet tonight at 7 PM in the park for pizza and beer! This party is over go home!!! Motivation – Strength in Numbers Ugh, we can’t put them all in Jail…

Making Strong Anonymity Scale? Challenge – tradeoff between scale and strength in anonymity systems favoring scale Goals Strong anonymity (timing analysis resistant) Scalability (100s to 1,000s of active participants) Churn tolerant (unannounced member departures) Accountability Achieved in Dissent!

Organization Motivation Existing Approaches Dissent – Strong, Scalable Anonymity Computational efficiency Communication efficiency Churn tolerant Anonymity Accountability Evaluation Conclusions

Organization Motivation Existing Approaches Dissent – Strong, Scalable Anonymity Computational efficiency Communication efficiency Churn tolerant Anonymity Accountability Evaluation Conclusions

Bob Tor – The Onion Router Server 00 Server 10 Server 20 Server 01 Server 11 Server 21 Server 02 Server 12 Server 22 Meet tonight at 7 PM in the park for pizza and beer! Tor is scalable, supports more than 400,000 clients with 1,000 clients per server Anonymizing Relays Public Server time Aha! Got you! Not timing analysis resistant! State-run ISP

DC-net Bob Alice Carol Traffic analysis resistant since all member transmit equal length messages Cleartext message

Practical Considerations Mix-netsTorDC-nets Strong anonymity√√ Scalability√√1√1 Churn tolerant√√ Accountability√2√2 Mix-nets / Shuffles – Chaum, Neff, Wikstrom Onion Routing – Tor and I2P DC-nets – 1 Herbivore and 2 Dissent v1 Herbivore supported many concurrent users but distributed amongst many parallel DC-nets thus lacks the “Strength in Numbers” or large anonymity set sizes

Organization Motivation Existing Approaches Dissent – Strong, Scalable Anonymity Computational efficiency Communication efficiency Churn tolerant Anonymity Accountability Evaluation Conclusions

Key Insight Crystal Anna Ben Amy Bob Alice Carol Brett Server 2 Server 1 Server 0

Key Insight Alice Carol Server 2 Crystal Anna Ben Alex Barry Amy Christine Brett Server 1 Server 0 Bob Use DC-net style anonymity within the Mix-net topology to obtain scalability!

Making Strong Anonymity Scale! Challenge – tradeoff between scale and strength in anonymity systems favoring scale Dissent’s solution Improving Computation Efficiency Improving Communication Efficiency Handling Churn Identifying Disruptions Maintaining Strong Anonymity

Improving Computational Efficiency

Alice Amy Carol Bob Anna Ben Crystal Computational Overhead Crystal Anna Ben Amy Bob Alice Carol Brett Computation overhead due to O(N 2 ) secret shares

Alice Amy Carol Bob Anna Ben Crystal Computational Overhead Crystal Anna Ben Amy Bob Alice Carol Brett Cleartext Computation overhead due to O(N 2 ) secret shares Ciphertext N = 100, 4950 shared secrets, 9900 RNG operations 5.5 ms/peer Server 2 Server 1 Server 0

Computational Improvement Alice Carol Server 2 Crystal Anna Ben AlexAmy Christine Brett Server 1 Server 0 Bob Each server has N secrets Each client has M secrets O(M*N) shared secrets with M << N N = 100 and M = 5, 500 shared secrets, 1000 RNG operations RNG reduction: 1000 << 9900 With M servers and N clients…

Improving Communication Efficiency

Amy Carol Brett Bob Anna Ben Crystal Bandwidth Overhead Crystal Anna Ben Amy Bob Alice Carol Brett Bandwidth overhead due to O(N 2 ) communication Computation overhead due to O(N 2 ) secret shares Alice Cleartext N = 100, Ciphertexts exchanged in DC-nets: 9900

Bandwidth Efficiency Alice Carol Server 2 Crystal Anna Ben Alex Barry Amy Christine Brett Server 1 Server 0 Bob We can construct a DC-net aware multicast tree! Earlier DC-nets had O(N 2 ) communication cost Clients submit their ciphertext upstream to one server Carol Ben Barry Alice Amy Crystal Alex Server 1 Christine Bob Brett Anna Server 2 Server 0 Server 1 Server 2

Bandwidth Efficiency Alice Carol Server 2 Crystal Anna Ben Alex Barry Amy Christine Brett Server 1 Server 0 Bob We can construct a DC-net aware multicast tree! Earlier DC-nets had O(N 2 ) communication cost Clients submit their ciphertext upstream to one server Servers XOR these messages together and share with each other Servers XOR these messages to compute the cleartext and distribute it to their downstream clients N = 100 and M = 5 Ciphertexts exchanged in DC-nets: 9900, Dissent: 205 Server 0 Server 1 Server 2 Cleartext Server 0 Server 1 Server 2 Cleartext Server 0 Server 1 Server 2 Cleartext

Creating Churn Tolerance

Amy Carol Brett Bob Anna Ben Crystal Churn Intolerance Bandwidth overhead due to O(N 2 ) communication Computation overhead due to O(N 2 ) secret shares Garbage Alice What if Alice left without transferring? Crystal Anna Ben Amy Bob Alice Carol Brett The resulting cleartext is garbage due to the dependency on Alice’s secret shares

Tolerating Churn Alice Carol Server 2 Crystal Anna Ben Alex Barry Amy Christine Brett Server 1 Server 0 Bob Server 1 will timeout on Alex The protocol continues uninterrupted, since the servers have yet to compute their ciphertext

Handling Disruptions via Accountability…

DC-net – Disruptions Bob Alice Carol Easily disrupted x How can we prove Bob transmitted the wrong ciphertext without losing anonymity?

Scheduling Key Alice Key Bob Key Carol Shuffle Key Carol Key Alice Key Bob DC-net Slot Carol Slot Bob Slot Alice Alice BobCarol Anonymizing shuffle produces random permutation and hence the schedule How do many members share the DC-net without disrupting each other? Create a transmission schedule!

DC-net Bob Alice Carol Integrity check (parity bit) 111 x Integrity check failed! To determine the disruptor Alice needs to anonymously specify a bit that the disruptor “flipped” from 0 -> 1

Safely Deanonymize a Bit {Bit 1 } Alice 0 0 Shuffle 0 {Bit 1 } Alice 0 Alice BobCarol

DC-net Bob Alice Carol with Bob 1 with Carol 1 with Alice 1 with Bob Revealing the shared secret, Alice can confirm that Bob disrupted the previous round 1 with Alice 0 with Carol In practice, this is a bit more complicated though the details are in the paper.

Progress! We have gained Improvements in computation and communication Ability to tolerate churn Identify disruptors How does this impact strong anonymity?

DC-net – Anonymity Set Anonymity set size: 8 (Honest participants) Anonymity set size: 4 (Honest participants) Crystal Anna Ben Amy Bob Alice Carol Brett

Dissent retains this feature…

Anna Dissent – Anonymity Set Alice Carol Server 2 Crystal Ben Alex Barry Amy Christine Brett Server 1 Server 0 Bob Anonymity set size: 11 (Honest participants) Secret sharing graph prevents the clients upstream server from deanonymizing it Anonymity set remains equal as long as there is 1 honest server Anonymity set size: 7 (Honest participants)

Organization Motivation Existing Approaches Dissent – Strong, Scalable Anonymity Computational efficiency Communication efficiency Churn resistance Anonymity Accountability Evaluation Conclusions

Dissent – Prototype Written in C++ Qt from networking, serialization, and events processing Crypto++ as the crypto library

Related Work Evaluated only up to 40 members Dissent CCS’10 Herbivore TR‘03

Scaling to Thousands of Clients Bandwidth limitations CPU Overheads Latency limited 1,000 clients ~1 second > 5,000 concurrent clients!!

CPU Time 5.5 ms/client

Comparison to Shuffles Dissent keeps up! Verifiable shuffles do not

Churn Resilience Nearly 99% complete in less than 1 second Nearly 50% complete in less than 400 ms

Protocol Breakdown “Fast” DC-net Slow Key Shuffle Really slow blame shuffle Efficient disruption analysis

Organization Motivation Existing Approaches Dissent – Strong, Scalable Anonymity Computational efficiency Communication efficiency Churn resistance Anonymity Accountability Evaluation Conclusions

Key Take Aways We can construct strong and scalable anonymous communication systems O(N 2 ) communication cost to O(N) Churn tolerance Provides an effective means to identify disruptors Two orders of magnitude larger anonymity sets than previous DC-net approaches Maintains strong anonymity properties from DC-nets

Future Work Further bandwidth and computation optimizations Slot length scheduling policies Better ways to anonymously distribute blame Handling long term intersection attacks Formal security analysis Making available for real applications and real users

Finished! Thanks, questions? Dissent – Strong, scalable accountable anonymity Find out more at We’ll be at the poster session tonight!

Extra slides

Evaluation Topology Alice Carol Server 2 Crystal AnnaAlex Barry Amy Christine Server 1 Server 0 Bob 8 – 16 servers 1 – 320 clients per server 24 –5120 clients 100 Mbit/sec LAN with 10 msec delay 100 Mbit/sec shared upstream link with 50 msec delay Servers might be run within a single cloud but owned by different “anonymity providers”

Scaling to Thousands of Clients Bandwidth limitations CPU Overheads

Pure Mix-Nets / Shuffles Data Alice Data Bob Data Carol Alice Bob Carol Server 0 Server 1 Server 2 Data Alice Data Bob Data Carol Data Bob Data Carol Data Alice Data Bob Data Alice Data Carol Data Bob Data Carol Data Alice Data Bob Data Alice Data Carol Data Alice Data Carol Data Bob Each server performs in serial expensive decryption operations Wait until sufficient clients have submitted

Dissent Alice Carol Server 2 Server 1 Server 0 Bob Clients connect to a single upstream server Servers connect with each other

Dissent Alice Carol Server 2 Server 1 Server 0 Bob Clients have a shared secret with each server Diffie-Hellman public keys exchanged during registration Secret A1 Secret A0 Secret A2

Dissent Alice Server 2 Server 1 Server 0 Secret A1 Secret A0 Secret A2 Cleartext A = blame, nonce, next slot length, msg, hash Ciphertext A0 = RNG(Secret A0, length) Ciphertext A = Ciphertext A0 XOR Ciphertext A1 XOR Ciphertext A2 XOR (0, …, 0, Cleartext A, 0, …, 0)

Dissent Alice Server 2 Server 1 Server 0 Ciphertext A Cleartext A = blame, nonce, next slot length, msg, hash Ciphertext A0 = RNG(Secret A0, length) Ciphertext A = Ciphertext A0 XOR Ciphertext A1 XOR Ciphertext A2 XOR (0, …, 0, Cleartext A, 0, …, 0)

Dissent Alice Carol Server 2 Server 1 Server 0 Bob Ciphertext A Ciphertext C Ciphertext B

Dissent Server 2 Server 1 Server 0 Client list exchange [Alice] [Carol] [Alice] [Bob] [Carol]

Dissent Server 2 Server 1 Server 0 Client list exchange Commit 0 Commit 1 Commit 2 Commit 1 Ciphertext evaluation Server 0 knows that Alice, Bob, and Carol submitted: Ciphertext 0 = Ciphertext A XOR Ciphertext A0 XOR Ciphertext B0 XOR Ciphertext C0 Ciphertext commit Commit 0 = Hash(Ciphertext 0 )

Dissent Server 2 Server 1 Server 0 Client list exchange Ciphertext 0 Ciphertext 1 Ciphertext 2 Ciphertext 1 Ciphertext evaluation Server 0 knows that Alice, Bob, and Carol submitted: Ciphertext 0 = Ciphertext A XOR Ciphertext A0 XOR Ciphertext B0 XOR Ciphertext C0 Ciphertext commit Commit 0 = Hash(Ciphertext 0 ) Ciphertext exchange

Dissent Server 2 Server 1 Server 0 Client list exchange Signature 0 Signature 1 Signature 2 Signature 1 Ciphertext evaluation Server 0 knows that Alice, Bob, and Carol submitted: Ciphertext 0 = Ciphertext A XOR Ciphertext A0 XOR Ciphertext B0 XOR Ciphertext C0 Ciphertext commit Commit 0 = Hash(Ciphertext 0 ) Ciphertext exchange Cleartext = Ciphertext 0 XOR Ciphertext 1 XOR Ciphertext 2 Signature 0 = {Cleartext} Key0 Cleartext evaluation Cleartext commit

Dissent Alice Carol Server 2 Server 1 Server 0 Bob Cleartext Cleartext evaluation Cleartext commit Client list exchange Ciphertext evaluation Ciphertext commit Ciphertext exchange Cleartext distribution

Dissent – Blame Alice Server 2 Server 1 Server 0 Cleartext A = blame, nonce, next slot length, msg, hash Ciphertext A0 = RNG(Secret A0, length) Ciphertext A = Ciphertext A0 XOR Ciphertext A1 XOR Ciphertext A2 XOR (0, …, 0, Cleartext A, 0, …, 0)

Identifying Disruptors

Dissent – Blame Alice Server 2 Server 1 Server 0 Ciphertext A

Dissent Alice Carol Server 2 Server 1 Server 0 Bob Cleartext Round will complete as normal, but everyone will see the blame flag set, resulting in a blame shuffle In the blame shuffle, the slot owner will specify a bit to deanonymize which will reveal the offending client / server The message in the shuffle is signed with the slot owner’s anonymous meaning it is safe to deanonymize

Related Work – Herbivore With 40 members, communication delays between.6 and 1.2 seconds Time between messages

Related Work – Earlier Dissent With 44 members, communication delays for the DC-net were 2 minutes Time to transfer 1 MB

Future Work in Dissent Disruption resistance is online, requires additional steps after the protocol has completed Practical use in real environments – Such as using WiFi enabled smart phones Anonymity boxes – isolated environments running within a virtual machine isolating the user’s private information from the anonymity network Participation limits to prevent Sybil attacks

Dissent Disruption Resistance A malicious bit flip resulting from a 0 -> 1 in the cleartext can be used to generate an accusation In a DC-net, client requests accusation shuffle In shuffle, client specifies the flipped bit Servers share bits for this bit index, finding either A server sent bits that do not match his ciphertext – thus he is guilty of the disruption A client’s ciphertext does not match the accumulation of the server’s bits Clients rebut by sharing with servers the shared secret of the offending server, accepting blame, or remaining suspect

Analytical Comparison FeatureDC-NetsHerbivoreDissent MessagesO(N 2 )O(N) SecretsO(N 2 ) O(N*M) AnonO(K) O(K), assuming 1 honest server N = Members (clients) M = Servers K = honest members

Server Count Effects 9 seconds 220 ms 5.5 second 6.25 second

Analytical Comparison FeatureDissentD3 ShuffleCommO(N) serial stepsO(1) AnonO(K), K = honest members O(K), K = honest members, assuming 1 honest server DC-netCommO(N 2 ) messages O(N 2 ) shared secrets O(N) messages O(N) shared secrets AnonO(K), K = honest members O(K), K = honest members, assuming 1 honest server

Client/Server Trust Models Trust all servers Unrealistic in the real world Trust no servers – SUNDR Ideal but complicated due to lack of knowledge and message time constraints Trust at least one server – Anytrust With one honest server, anonymity set is equal to the set of all honest members (clients) No need to know which server to trust (Used in Mix-nets)

DC-Nets Generalized Members share secrets with each other Such as Diffie-Hellman exchanges Can be used to generate variable length string Each member constructs a ciphertext XOR in the string generated by each shared secret Optionally, XOR secret message Positions inside a DC-net can be assigned via randomness (Ethernet style backoff) or a Mix-Net After obtaining a copy of each ciphertext XOR each ciphertext together Effectively, cancelling out generated strings Revealing secret messages

Existing Approaches MethodWeakness Mix-Nets, TorTraffic analysis attacks Group / Ring Signatures Traffic analysis attacks Voting ProtocolsFixed-length messages DC NetsAnonymous DoS attacks DissentIntolerant to churn / long delays between msgs HerbivoreSmall anonymity set