Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003.

Slides:

Advertisements

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Advertisements

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin.

Lorrie Cranor AT&T Labs Avi Rubin AT&T Labs Marc Waldman

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

PGP Overview 2004/11/30 Information-Center meeting peterkim.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Cryptography In Censorship Resistant Web Publishing Systems By Hema Hariharan Swati B Shah.

Computers and Society Carnegie Mellon University Spring 2006 Cranor/Tongia/Farber 1 Regulating Online Speech.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

P2P: Advanced Topics Filesystems over DHTs and P2P research Vyas Sekar.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Identity, Anonymity,

Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.

Applied Cryptography for Network Security

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

SSH Secure Login Connections over the Internet

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Freenet. Anonymity  Napster, Gnutella, Kazaa do not provide anonymity  Users know who they are downloading from  Others know who sent a query  Freenet.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2004 Lorrie Cranor 1 Anonymity and Privacy Enhancing.

Content Overlays (Nick Feamster). 2 Content Overlays Distributed content storage and retrieval Two primary approaches: –Structured overlay –Unstructured.

CIS 450 – Network Security Chapter 8 – Password Security.

COEN 351 E-Commerce Security Essentials of Cryptography.

Freenet: A Distributed Anonymous Information Storage and Retrieval System Presenter: Chris Grier ECE 598nb Spring 2006.

Cryptography, Authentication and Digital Signatures

Secure Distributed Document Sharing System Dukyun Nam, Seunghyun Han, CDS&N Lab. ICU.

Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.

Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.

Mackenzie Hazelwood.  Stores and allows users to share documents  Document types include word, spreadsheet, drawings, and power points  Allows owner.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Identity, Anonymity, and.

Peer-to-Peer Network Tzu-Wei Kuo. Outline What is Peer-to-Peer(P2P)? P2P Architecture Applications Advantages and Weaknesses Security Controversy.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.

Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.

Freenet “…an adaptive peer-to-peer network application that permits the publication, replication, and retrieval of data while protecting the anonymity.

Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.

COEN 351 E-Commerce Security

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Digital Rights Management / DMCA Anti-Circumvention Edward W. Felten Dept. of Computer Science Princeton University.

Freenet: Anonymous Storage and Retrieval of Information

Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.

Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.

Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.

1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.

1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 

Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications * CS587x Lecture Department of Computer Science Iowa State University *I. Stoica,

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Exercise ?: TOR.

0x1A Great Papers in Computer Security

SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET

NET 536 Network Security Lecture 8: DNS Security

CLIENT/SERVER COMPUTING ENVIRONMENT

NET 536 Network Security Lecture 6: DNS Security

Presentation transcript:

Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003 CS 294-4: Peer-to-peer systems

Speech, censorship, and anonymity Speech, publication spread ideas Many ideas are controversial, some revolutionary People in power like to stay in power Those in power may try to censor ideas or persecute people they see as threats

...and the Internet... “The Net treats censorship as damage and routes around it” --John Gilmore “On the Internet, nobody knows you're a dog,” caption to a New Yorker cartoon by Peter Steiner Do these sentiments accurately represent the state of the internet?

...and Reality. Church of Scientology Among other incidents, tried to force Julf Helsingius to reveal identities anonymized through r er DMCA Copyright owners can force service providers to remove content (must stay down during dispute) Generally, an automatic, semipermanent record of much internet activity is (or could be) kept

Core goals: Censorship resistant Tamper evident Deniable Fault-tolerant Persistent Freely available Additional goals: Source anonymous; updateable; extensible Publius design goals

Related tools Anonymizers Onion routing Crowds Rewebber Freenet Eternity Service

Eternity Service (Ross Anderson) General problem: assure availability Most work focused on confidentiality and integrity Eternity service: persistent, available data Can't be deleted by anyone, including servers and author Threat model: governments ban it, attack it But law tends to lag technology Need strong cryptography, wide distribution

Freenet Very similar in goals: defeat censorship, provide anonymity Different approaches: routing vs. lookup, anonymous servers vs. key shares,... We'll come back to this later

Overview of Publius Publishers, servers, retrievers Supports static content Assume static systemwide list of servers Each server doesn't know what it hosts Key split into 'shares' Special Publius URL Authors (and only authors) can update, delete

K-way key splitting Goal: split key K into n shares such that any k of them can recover the key but any k-1 cannot The strategy: find a polynomial q of degree k-1 Evaluate q at n points (q(1), q(2),..., q(n)) q(0) = K, the other q(i) are the shares Can interpolate polynomial to find q(0) with any k points, but k-1 points give no information!

Example: k = 2 (q(i) = m*i + q(0))

Publishing Alice encodes content M with key K: {M} K She splits K into n shares (k can recover K) For each share: name i = wrap(H(M, share)), location i = (name i mod m) + 1 Why wrap (xor of halves)? To save space? If fewer than d unique locations are obtained, start over with another K

Publishing (continued) What is d? d is the number of Publius servers that will end up hosting the content (k <= d <= m) Coupon collector's problem: expect y ln(y) coupons Therefore we choose d and then set n = d ln(d) At each location i : publish {M} K, share i, and some other information in directory name i Publius URL comprises at least d concatenated name i s

Retrieving Bob wants to view content; he gets Publius URL He gets the name i s and computes location i s Choose k servers arbitrarily: get {M} K from one and get shares from all k Recover K, decrypt, and check name i s If there's a problem, try different k shares

Retrieving (continued) More on problems... If the name i calculation works, either the data are uncorrupted or a collision has been found in SHA-1! If something does go wrong, Bob can try a different set of k shares, up to (n choose k) combinations Other options: Berlekamp-Welch, brute-force search of n*(n choose k) share/document combinations A note: Bob can be retrieving the content through a normal web browser with a Publius proxy

Deleting Alice, the author, creates passwords H(servername, PW) from a master PW Specific to each server Alice authenticates with password to delete Problem...?

Deleting Alice, the author, creates passwords H(servername, PW) from a master PW Specific to each server Alice authenticates with password to delete Problem...? The password is sent in the clear! Should public keys be passed with server list?

Update Optional 'update' file in name i directory Redirects to updated version If 'update' exists, retrievals follow it Uses same password as delete But this indirection seems very kludgy

Update Optional 'update' file in name i directory Redirects to updated version If 'update' exists, retrievals follow it Uses same password as delete But this indirection seems very kludgy Would it be better to always have a level of indirection? Would it be better to prohibit updates?

Mutually linked documents Problem: Publius names are based on content, so a dependency loop can't be resolved directly Solution: Use an update

Limitations and threats Share deletion/corruption Cannot recover key if n-k+1 shares are toast Higher n and lower k lead to more protection against censorship Updates Malicious servers can add/change/delete 'update' files Need enough servers collaborating to do real damage

More threats Denial of service A malicious user could saturate Publius with junk Solution: Hash Cash? No connection-based anonymity 'Rubber-Hose cryptanalysis' Unlike Eternity, authors can delete: open to coercion Coercing enough servers difficult if well distributed

Other potential problems Could a server be held legally negligent for not knowing what it hosts? It could find out by obtaining the Publius URL and retrieving the document, or querying enough other servers Lack of connection-based anonymity is especially bad here Any one of the n servers can compromise an author's anonymity

Back to Freenet Key similarities: Both aim to keep publishers anonymous Both aim to preserve content Key differences: Freenet: adversary doesn't know where content is; Publius: server doesn't know what it stores What about resistance to censorship?

That's all folks!