1 Dissent: Accountable, Anonymous Communication Joan Feigenbaum Joint work with Bryan Ford, Henry Corrigan-Gibbs, Yixuan.

Slides:



Advertisements
Similar presentations
The Diffie-Hellman Algorithm
Advertisements

Anonymity without Sacrificing Performance Enhanced Nymble System with Distributed Architecture CS 858 Project Presentation Omid Ardakanian * Nam Pham *
Secure Multiparty Computations on Bitcoin
Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University, 2 US Naval.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dissent: Accountable Anonymous Group Messaging Henry Corrigan-Gibbs and Bryan Ford Department of Computer Science Yale University 17 th ACM Conference.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter and Aviel D. Rubin, Presented by Eric M. Busse Portions excerpt from Crowds: Anonymity.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Cryptographic Technologies
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Hybrid Signcryption with Outsider Security
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.
COEN 351 E-Commerce Security Essentials of Cryptography.
Cryptography, Authentication and Digital Signatures
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Privacy Enhancing Technologies Spring What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Collusion-Resistant Anonymous Data Collection Method Mafruz Zaman Ashrafi See-Kiong Ng Institute for Infocomm Research Singapore.
Lecture 2: Introduction to Cryptography
COEN 351 E-Commerce Security
Data Integrity Proofs in Cloud Storage Author: Sravan Kumar R and Ashutosh Saxena. Source: The Third International Conference on Communication Systems.
Lecture 5.1: Message Authentication Codes, and Key Distribution
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
CS 6204, Spring 2005 Dining Cryptographers, Glenn Fink1 Dining Cryptographers Paper by David Chaum (1988) Presentation by Glenn Fink.
Interleaving and Collusion Attacks on a Dynamic Group Key Agreement Scheme for Low-Power Mobile Devices * Junghyun Nam 1, Juryon Paik 2, Jeeyeon Kim 2,
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Fall 2006CS 395: Computer Security1 Key Management.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
1 Dissent: Accountable Anonymous Group Communication Bryan Ford Joan Feigenbaum, David Wolinsky, Henry Corrigan-Gibbs, Shu-Chun Weng, Ewa Syta Yale University.
Anonymous Communication
0x1A Great Papers in Computer Security
Anonymous Communication
Anonymous Communication
Dissent: Accountable, Anonymous Communication
Presentation transcript:

1 Dissent: Accountable, Anonymous Communication Joan Feigenbaum Joint work with Bryan Ford, Henry Corrigan-Gibbs, Yixuan Geng, Vitaly Shmatikov (UT Austin), and Shu-chun Weng Supported by DARPA

2 Problem Statement A group of N ≥ 2 parties wish to communicate anonymously, either with each other or with someone outside of the group. They have persistent, “real-world” identities and are known, by themselves and the recipients of their communications, to be a group. They want a protocol with four properties: Integrity Anonymity  Accountability o Efficiency

3 Accountability Group member i exposes group member j if i obtains proof, verifiable by a third party (not necessarily in the group), that j disrupted a protocol run. The protocol maintains accountability if no honest member is ever exposed, and, after every run, either: o every honest member successfully receives every honest member’s message, or o every honest member exposes at least one disruptive member.

4 Need for Anonymity (1) Communication in hostile environments From the BAA: “The goal of the program is to develop technology that will enable safe, resilient communications over the Internet, particularly in situations in which a third party is attempting to discover the identity or location of the end users or block the communication.”

5 Need for Anonymity (2) Cash transactions Twelve-step programs (pseudonymy) Law-enforcement “tip” hotlines Websites about sensitive topics, e.g., sexuality, politics, religion, or disease Voting...

6 Need for Accountability Authoritative, credentialed group, e.g.: o Board of Directors of an organization o Registered voters o Parents Internal disagreement may be acknowledged but should not be exploited. Disruption is expected and must be combated. ? It’s not clear that “accountability” is the right word to use here (… and that’s part of a longer story).

7 Outline Prior work on anonymous communication Dissent, version 1 (ACM CCS 2010) Ongoing work on Dissent, version 2 Future work

8 Outline Prior work on anonymous communication Dissent, version 1 (ACM CCS 2010) Ongoing work on Dissent, version 2 Future work

9 Major Themes in Prior Work General-purpose anonymous-communication mechanisms o MIX networks and Onion Routing (OR) o Dining-Cryptographers networks (DC-nets) Special-purpose mechanisms, e.g.: o Anonymous voting o Anonymous authentication, e.g., group or ring signatures o E-cash

10 Basic Operation of Onion Routing Client picks a few (e.g., three) anonymizing relays from a cloud of available relays. He then builds and uses an onion of cryptographic tunnels through the relays to his communication partner. Anonymous Client Anonymous Client Anonymizing Relays Public Server

11 Properties of Onion Routing Key advantages: o Scalable to large groups of clients and relays o Can be made interactive (e.g., Tor) o Widely deployed (e.g., Tor) Key disadvantages: o Many vulnerabilities to traffic analysis o No accountability: Anonymous disruptors can  Spam or DoS-attack relays or innocent nodes  Compromise other users’ anonymity [Borisov et al. ’07]

12 Dining Cryptographers (DC-nets) Information-theoretic group anonymity Ex. 1: “Alice+Bob” sends a 1-bit secret to Charlie. Alice Bob Charlie 1 Alice+Bob’s Shared Random Bit Alice’s Secret 0 1 1

13 Dining Cryptographers (DC-nets) Information-theoretic group anonymity Ex. 2: Homogeneous 3-member anonymity group Alice Bob Charlie Alice’s Secret 1 1 Alice+Bob's Random Bit Alice+Charlie's Random Bit 0 Bob+Charlie's Random Bit =1

14 Properties of DC-nets Schemes Key advantages: o Provable, information-theoretic anonymity o Resistence to traffic analysis and collusion Key disadvantages: o Not easy to scale up or implement efficiently o Not widely deployed o No accountability: Anonymous disruptors can  Spam or DoS-attack the group without discovery  Force group reformation without being eliminated

15 Outline Prior work on anonymous communication DISSENT, version 1 (ACM CCS 2010) Ongoing work on DISSENT, version 2 Future work

16 Starting Point: Verifiable, Anonymous Shuffling [Brickell and Shmatikov ’06] N parties with equal-length messages m 1, …, m N send m π(1), …, m π(N) to a data collector. The protocol provably provides o Integrity: {m 1, …, m N } = {m π(1), …, m π(N) } o Anonymity: π is random and not known by anyone. o Resistance to traffic analysis and collusion Dissent v.1 adds accountability and the ability to handle variable-length messages efficiently.

17 Dissent, version 1: Overview Assumptions: – Equal-length messages – Each group member has a signature key pair; all messages are signed. Phase 1: Setup – Each member chooses two encryption key pairs for this run. Phase 2: Onion encryption – Each member encrypts his message with everyone’s encryption keys. Phase 3: Anonymization – Each member applies a random permutation to the set of messages. Phase 4: Validation – Each member i checks that (uncorrupted) m i is in the permuted set. Phase 5: Decryption or Blame – If all phase-4 checks succeed, decrypt all of the messages. – Else, honest members run a protocol that allows each of them to expose at least one disruptive member.

18 Phase 1: Setup Recall that o Members know each others' public verification keys. o Members sign (and verify signatures on) all messages. Each group member i chooses: o Secret message m i (and pads it if necessary) o Outer encryption key pair (O i, O' i ) o Inner encryption key pair (I i, I' i ) Each group member i broadcasts public encryption keys O i, I i

19 Phase 2: Onion Encryption Each group member i: Encrypts m i with inner keys I N,...,I 1 to create m' i Encrypts m' i with outer keys O N,...,O 1 to create m'' i Example with N = 3: m1m1 m2m2 m3m3 m' 1 = { { { }I 3 }I 2 }I 1 m' 2 = { { { }I 3 }I 2 }I 1 m' 3 = { { { }I 3 }I 2 }I 1 m'' 1 = { { { }O 3 }O 2 }O 1 m'' 2 = { { { }O 3 }O 2 }O 1 m'' 3 = { { { }O 3 }O 2 }O 1

20 Phase 3: Anonymization (1) Member 1 collects (m'' I, …, m'' N ). For i ← 1 to N, member i o Decrypts the i th layer of outer-key encryption o Randomly permutes the resulting list (of partially decrypted messages) and (temporarily) saves the random permutation o Forwards the permuted list to member i+1 (if i < N) Member N broadcasts the permuted m' i list.

21 Phase 3: Anonymization (2) mimi m' i = { { { }I 3 }I 2 }I 1 m'' i = { { { }O 3 }O 2 }O 1 m1m1 {{ { }} } {{ { }} } m2m2 {{ { }} } {{ { }} } m3m3 {{ { }} } {{ { }} } Node 1: Decrypt, Permute m2m2 {{ { }} } m1m1 {{ { }} } m3m3 {{ { }} } Node 2: Decrypt, Permute Node 3: Decrypt, Permute m3m3 {{ { }} } {{ }} m1m1 {{ { }} } {{ }} m2m2 {{ { }} } {{ }} Input to member 1: encrypted messages m'' i m1m1 {{ { }} } { } m3m3 {{ { }} } { } m2m2 {{ { }} } { } Output from member n: partly decrypted messages m' i in random, secret order

22 Phase 4: Validation After the anonymization phase, no member knows the final permutation, but every member i should see his own m' i in the list! Each member i looks for m' i in the permuted list. Present → member i broadcasts “GO”. Absent → member i broadcasts “NO-GO” and destroys his inner decryption key I' i.

23 Phase 5: Decryption or Blame Each member i collects all GO/NO-GO messages. GO messages from all nodes (including self): o Each member i broadcasts his own inner decryption key I' i. o All members use keys I' 1,..., I' N to decrypt all the m' j, revealing all the cleartext messages m j. NO-GO message from any node: o Each member i broadcasts the proof that he decrypted and permuted properly in Phase 3. o All members use these proofs to expose disruptor(s).

24 How Dissent Provides Accountability Any NO-GO message obliges all members to “prove their innocence,” i.e., that they: o correctly encrypted messages in Phase 2 o correctly decrypted/permuted in Phase 3 o correctly validated the final list in Phase 4 This process reveals the “secret” permutation but leaves the permuted cleartexts m j undecipherable: They are protected by all honest nodes' inner decryption keys, which have not been revealed.

25 Handling Variable-Length Messages Anonymous-shuffle protocols pad all messages to a common length in order to resist traffic analysis. What if the message load is unbalanced, e.g.: o Member i wants to send an L=646MB video. o Members j ≠ i have nothing to send in this run of the protocol. The group must shuffle the video and N-1 646MB padded cleartexts, resulting in O(NL) bits per node and O(N 2 L) bits total.

26 Dissent, v.1: “Bulk Send” variant Use the (slow) accountable-shuffle protocol to exchange randomly permuted metadata. Interpret the random permutation as a “schedule” for exchange of data, which is done using DC-nets. Accountability of the Dissent shuffle allows each group member to verify that all members transmitted the correct data in the proper DC-nets “timeslot.” Cost of the case in which just one member wants to send L=646MB drops to O(L) bits per node and O(NL) bits total.

27 Dissent, version 1: Bulk Send (1) Shuffle metadata describing the messages that the nodes want to send. L1L1 { – } 1 {S 1→2 } 2 {S 1→3 } 3 L2L2 {S 2→1 } 1 { – } 2 {S 2→3 } 3 L3L3 {S 3→1 } 1 {S 3→2 } 2 { – } 3 Message Length PRNG Seeds Dissent Shuffle L1L1 { – } 1 {S 1→2 } 2 {S 1→3 } 3 L2L2 {S 2→1 } 1 { – } 2 {S 2→3 } 3 L3L3 {S 3→1 } 1 {S 3→2 } 2 { – } 3 Permuted Message Descriptors

28 Dissent, version 1: Bulk Send (2) The shuffled message descriptors form a schedule for a DC-nets transmission. L1L1 { – } 1 {S 1→2 } 2 {S 1→3 } 3 L2L2 {S 2→1 } 1 { – } 2 {S 2→3 } 3 L3L3 {S 3→1 } 1 {S 3→2 } 2 { – } 3 Permuted Message Descriptors Node 1 → Node 2 → Node 3 → R(S 3→1 ) R(S 3→2 ) M 3 R(S 3→1 )... M 1... R(S 1→2 ) R(S 1→3 ) R(S 2→1 ) M 2 R(S 2→1 )... R(S 2→3 )

29 Outline Prior work on anonymous communication Dissent, version 1 (ACM CCS 2010) Ongoing work on Dissent, version 2 Future work

30 Ongoing work Reduce latency o Multiple bulk sends per shuffle Increase scalability o Combine Dissent with OR o More scalable shuffle protocols Increase availability o Allow dynamic group membership but avoid intersection attacks

31 Dissent, Version 1 Time Shuffle Bulk send Shuffle Bulk send There are very few bits to be sent in this bulk-send round, but a full shuffle round is still needed.

32 Proposal for Dissent, Version 2 Shuffle Bulk send ShuffleBulk send Time Reuse the permutation Challenges Integrity: check sum is not feasible Anonymity: same permutation

33 Combine Dissent with OR Basic idea: Replace a single-node relay in an OR network with a Dissent group. Combines the accountability of Dissent with the scalability of OR. Builds on earlier work (“Herbivore” and “CliqueNets”) that replaced single-node relays with DC-Nets (thus increasing the security of OR but not providing accountability).

34 Outline Prior work on anonymous communication Dissent, version 1 (ACM CCS 2010) Ongoing work on Dissent, version 2 Future work

35 Multi-year DARPA Project Mathematical rigor o Formal definitions and proofs * Carefully formulated assumptions Experimental rigor o C++ implementation o Larger-scale and more diverse experiments o Generative traffic models for cases that don’t satisfy * Networking issues o Integrate Dissent with standard network protocols (e.g., transport-layer protocols) o Formulate an integrated notion of “traffic-indistinguishability”

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.