Analyzing Anonymity Protocols

Aaron Johnson with Joan Feigenbaum Paul Syverson
Presentation transcript:

1 Analyzing Anonymity Protocols
1. Analyzing onion-routing security
 – Anonymity Analysis of Onion Routing in the Universally Composable Framework, Provable Privacy Workshop
 – A Probabilistic Analysis of Onion Routing in a Black-box Model, TISSEC (forthcoming)
 by Joan Feigenbaum, Aaron Johnson, and Paul Syverson
2. Analyzing Dissent security
 – Ongoing work with Ewa Syta, Henry Corrigan-Gibbs, Shu-Chun Weng, and Bryan Ford

2 Analyzing Onion-Routing Security
● Abstract (black-box) model of onion routing
● Use the Universally Composable (UC) framework
● Focus on the information leaked
● Perform anonymity analysis on the model

3 Onion-Routing Ideal Functionality F_OR
Upon receiving destination d from user u, F_OR sends (x, y) to the adversary, where
 – x = u with probability b, ø with probability 1-b
 – y = d with probability b, ø with probability 1-b

4 Black-box Model
● Ideal functionality F_OR
● Environment assumptions
 – Each user gets a destination
 – Destination for user u chosen from distribution p_u
● Adversary compromises a fraction b of routers before execution

5 Anonymity Analysis of Black Box
● Expected anonymity can be lower-bounded with the standard approximation: $b^2 + (1-b^2)\,p_u^d$
● Worst case for anonymity is when the user acts exactly unlike, or exactly like, the others
● Worst-case anonymity is typically as if a $\sqrt{b}$ fraction of routers were compromised: $b + (1-b)\,p_u^d$
● Anonymity in typical situations approaches the lower bound
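To make slides 3 to 5 concrete, here is an added worked example (not code from the talk or from the Feigenbaum, Johnson and Syverson paper) that computes the expected anonymity of the black-box model exactly for a handful of users. It assumes, as the paper's model does, that the two draws in F_OR (whether the adversary sees u, whether it sees d) are independent coin flips with probability b, that the adversary sees only the unordered multiset of (x, y) pairs, and that it knows every user's prior p_u. Y is the posterior probability the adversary assigns to user u's true destination d; the code enumerates every destination assignment and every coin flip, so it is exact but only practical for a few users. The user indices, destination indices and prior tables are constructed for the example.

```python
# Added example: exact E[Y | d_u = d] in the black-box onion-routing model.
from collections import defaultdict
from fractions import Fraction
from itertools import product


def ideal_functionality_output(dests, flips):
    """What F_OR hands the adversary: for user u with destination d, the pair
    (x, y) with x = u if the input side was observed (else None) and y = d if
    the output side was observed (else None). The adversary sees an unordered
    multiset, so the pairs are returned in canonical sorted order."""
    pairs = [(u if see_x else None, d if see_y else None)
             for u, (d, (see_x, see_y)) in enumerate(zip(dests, flips))]
    return tuple(sorted(pairs, key=lambda pr: tuple(-1 if v is None else v for v in pr)))


def _prob_flips(flips, b):
    """Each side of each pair is observed independently with probability b."""
    pr = Fraction(1)
    for see_x, see_y in flips:
        pr *= (b if see_x else 1 - b) * (b if see_y else 1 - b)
    return pr


def _prob_dests(dests, p):
    """Prior probability that the users chose exactly these destinations."""
    pr = Fraction(1)
    for u, d in enumerate(dests):
        pr *= Fraction(p[u][d])
    return pr


def expected_anonymity(p, b, user, dest):
    """Exact E[Y | d_user = dest]: the expected posterior probability that the
    adversary assigns to user's true destination dest after seeing F_OR's
    output. p[u][d] is user u's prior over destinations, b the compromised
    fraction. Exhaustive over all assignments and coin flips."""
    b = Fraction(b)
    n, m = len(p), len(p[0])
    prior = Fraction(p[user][dest])
    if prior == 0:
        raise ValueError("true destination must have non-zero prior")
    joint = defaultdict(Fraction)       # Pr[obs]
    joint_with = defaultdict(Fraction)  # Pr[obs and d_user = dest]
    for dests in product(range(m), repeat=n):
        pd = _prob_dests(dests, p)
        if pd == 0:
            continue
        for flips in product(product((False, True), repeat=2), repeat=n):
            w = pd * _prob_flips(flips, b)
            if w == 0:
                continue
            obs = ideal_functionality_output(dests, flips)
            joint[obs] += w
            if dests[user] == dest:
                joint_with[obs] += w
    # E[Y | dest] = sum over obs of Pr[obs | dest] * Pr[dest | obs]
    return sum((w / prior) * (w / joint[obs]) for obs, w in joint_with.items())


def lower_bound(p, b, user, dest):
    """Slide 5's standard approximation b^2 + (1 - b^2) p_u^d."""
    b = Fraction(b)
    return b * b + (1 - b * b) * Fraction(p[user][dest])


def worst_case_estimate(p, b, user, dest):
    """Slide 5's 'as if sqrt(b) compromised' figure b + (1 - b) p_u^d."""
    b = Fraction(b)
    return b + (1 - b) * Fraction(p[user][dest])


# Constructed priors. User 0 is undecided between two destinations while
# user 1 always visits destination 1, so user 0 acts exactly unlike the other
# user when it picks destination 0 (one of the slide's worst cases).
P_UNLIKE = [[Fraction(1, 2), Fraction(1, 2)], [Fraction(0), Fraction(1)]]
# Every user shares the same prior: user 0 acts exactly like the others.
P_LIKE = [[Fraction(1, 2), Fraction(1, 2)] for _ in range(3)]

if __name__ == "__main__":
    for name, p in (("unlike", P_UNLIKE), ("like", P_LIKE)):
        for b in (Fraction(1, 4), Fraction(1, 2)):
            ey = expected_anonymity(p, b, 0, 0)
            print(f"{name:6} b={b}: E[Y]={ey} (~{float(ey):.3f}) "
                  f"bound={lower_bound(p, b, 0, 0)} "
                  f"worst-case estimate={worst_case_estimate(p, b, 0, 0)}")
```

For the two-user "unlike" prior with b = 1/2 the exact value is 71/96, just under the slide's worst-case estimate b + (1-b)p = 3/4 and well above the lower bound b² + (1-b²)p = 5/8. With b = 1 the adversary always sees both ends and E[Y] = 1; with b = 0 it learns nothing and E[Y] equals the prior.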

6 Other ideal functionality
● Provably Secure and Practical Onion Routing by Backes, Kate, Goldberg, and Mohammadi, Computer Security Foundations Symposium 2012
● Functional primitive
● Shown to UC-emulate F_OR

7 Analyzing Dissent security
● Fully rigorous definitions and proofs
 – Anonymity
 – Accountability
 – Integrity
● Standard sequence-of-games anonymity proofs
● Discovered flaws

8 Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.
3. Adversary can submit self-duplicates to cause failure with no blame.
4. Equivocation during broadcast can cause an inconsistent final state.
5. Some validation checks are missing.

9 Discovered Shuffle Flaws
[Diagram: an honest shuffle through servers 1, 2, 3. Inputs {I_1}_{1:3}, {I_2}_{1:3}, {I_3}_{1:3} (I_i encrypted under servers 1 through 3). Server 1 outputs {I_2}_{2:3}, {I_1}_{2:3}, {I_3}_{2:3}; server 2 outputs {I_1}_3, {I_3}_3, {I_2}_3; server 3 outputs I_2, I_3, I_1, yielding messages m_2, m_3, m_1.]

10–12 Discovered Shuffle Flaws
[Diagram: client 1 submits a copy of client 2's input {I_2}_{1:3} alongside {I_3}_{1:3}. Server 1 outputs {I_2}_{2:3}, {I_3}_{2:3}; server 2 outputs {I_2}_3, {I_3}_3, {I_2}_3; server 3 outputs I_2, I_3, I_2. The "?" marks show that the duplicate cannot be attributed to anyone.]
Problem 1: Client duplication, no one blamed.
Solution: Commit to messages first, and the commitments must be non-malleable.

16–17 Discovered Shuffle Flaws
[Diagram: client 1 submits its own input {I_1}_{1:3} twice alongside {I_3}_{1:3}. Server 1 outputs {I_1}_{2:3}, {I_3}_{2:3}; server 2 outputs {I_1}_3; server 3 outputs I_1, I_3, I_1. The "?" marks show that the duplicate cannot be attributed to anyone.]
Problem 3: Self-duplication, no one blamed.
Solution: Blame duplicate submitters.

20 Modified Dissent
1. Users non-malleably commit to messages before submission.
2. Duplicate submission is punished.
3. Explicit reliable broadcasts added.
4. Several validation checks added, with blame.
5. Honest members guaranteed to agree on whom to blame.

21 UC Framework
● Express the security primitive as an ideal functionality F
● Construct a protocol Π that UC-emulates F
● Running Π can replace using F in any protocol – security composes

22 Sequence of Games Anonymity Proof
● Game 0: Original anonymity game
● Game 1: Replace encrypted descriptors during the shuffle with encrypted fixed messages
● Game 2: Replace encrypted random seeds after the shuffle with encrypted fixed messages
● Game 3: Replace pseudorandom sequences with random sequences

23–24 Discovered Shuffle Flaws
[Diagram: honest inputs {I_1}_{1:3}, {I_2}_{1:3}, {I_3}_{1:3}. Server 1 replaces {I_1} with a second copy of {I_2}, outputting {I_2}_{2:3}, {I_3}_{2:3}; server 2 outputs {I_2}_3, {I_3}_3, {I_2}_3; server 3 outputs I_2, I_3, I_2, yielding messages m_2, m_3, m_2.]
Problem 0: Shuffle duplication attack.
Solution: Duplicates cause NO-GO. Blame the lying shuffler.
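The accountability fixes on the "Modified Dissent" slide (non-malleable commitment before submission, punishing duplicate submitters, NO-GO on duplicates with blame of the lying shuffler) are easier to follow in code. The following is an added toy model, not Dissent's code or protocol: a three-server shuffle whose onion layers are SHA-256 keystream XORs (a stand-in for real encryption, chosen only to keep the example self-contained), with a hash commitment bound to the committing client's identity as a simplified stand-in for a non-malleable commitment. Client names, message bytes and the tampering behaviours are constructed for the example; the three misbehaviours it injects are exactly Problems 0, 1 and 3 from the slides, and the point of the example is the checks that detect them and assign blame.

```python
# Added example (not Dissent's code): a toy 3-server shuffle with the
# accountability checks from the "Modified Dissent" slide. Names constructed.
import hashlib
import secrets
from collections import Counter

MSG_LEN, NONCE_LEN = 16, 8


def _keystream(seed, n):
    """SHA-256 in counter mode; a stand-in for a real stream cipher."""
    blocks = [hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def _layer(body, key, nonce):
    """One onion layer: XOR with a keystream bound to one server's key and
    the ciphertext's nonce. Applying it a second time removes it."""
    ks = _keystream(key + nonce, len(body))
    return bytes(x ^ y for x, y in zip(body, ks))


def onion_encrypt(msg, server_keys):
    """{m}_{1:3}: a fresh nonce, then one layer per server."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = msg.ljust(MSG_LEN, b"\0")
    for key in reversed(server_keys):
        body = _layer(body, key, nonce)
    return nonce + body


def peel(ct, key):
    """The server holding `key` strips its layer: {m}_{k:3} -> {m}_{k+1:3}."""
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return nonce + _layer(body, key, nonce)


def commit(client_id, ct):
    """Commitment bound to the client's identity, so a copied ciphertext
    cannot be opened under another client's commitment (simplified)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(client_id.encode() + salt + ct).digest()


def check_submissions(subs):
    """subs: {client_id: (commitment, salt, ct)}; commitments were collected
    before any ciphertext was revealed. Returns (accepted cts, blamed ids):
    a bad opening is blamed (Problem 1) and so is every submitter of a
    duplicated ciphertext (Problem 3)."""
    blamed = {cid for cid, (com, salt, ct) in subs.items()
              if hashlib.sha256(cid.encode() + salt + ct).digest() != com}
    counts = Counter(ct for cid, (_, _, ct) in subs.items() if cid not in blamed)
    blamed |= {cid for cid, (_, _, ct) in subs.items() if counts[ct] > 1}
    return [ct for cid, (_, _, ct) in subs.items() if cid not in blamed], blamed


def run_shuffle(cts, servers):
    """servers: list of (key, tamper); tamper is None or a function applied to
    that server's output. Every published output is kept for the audit."""
    transcript = [list(cts)]
    for key, tamper in servers:
        out = [peel(ct, key) for ct in transcript[-1]]
        secrets.SystemRandom().shuffle(out)
        transcript.append(tamper(out) if tamper else out)
    return transcript


def audit(transcript, keys):
    """Problem 0 fix: a duplicate in the final output means NO-GO. With the
    keys revealed, recompute each server's honest output multiset and blame
    the first server whose published output is not a permutation of it."""
    final = transcript[-1]
    if len(set(final)) == len(final):
        return "GO", None
    for k, key in enumerate(keys):
        expected = Counter(peel(ct, key) for ct in transcript[k])
        if Counter(transcript[k + 1]) != expected:
            return "NO-GO", k
    return "NO-GO", None


def demo(tamper=False):
    """Honest run, or a run with Problems 0, 1 and 3 injected."""
    keys = [secrets.token_bytes(16) for _ in range(3)]
    subs = {}
    for cid, m in (("alice", b"m1"), ("bob", b"m2"), ("carol", b"m3")):
        ct = onion_encrypt(m, keys)
        salt, com = commit(cid, ct)
        subs[cid] = (com, salt, ct)
    servers = [(k, None) for k in keys]
    if tamper:
        # Problem 1: mallory committed to something else, then opens with a
        # copy of bob's ciphertext once it has become visible.
        salt, com = commit("mallory", b"\0" * (NONCE_LEN + MSG_LEN))
        subs["mallory"] = (com, salt, subs["bob"][2])
        # Problem 3: one party submits the same ciphertext under two names.
        ct = onion_encrypt(b"m4", keys)
        for cid in ("eve1", "eve2"):
            salt, com = commit(cid, ct)
            subs[cid] = (com, salt, ct)
        # Problem 0: server 2 replaces one input with a copy of another.
        servers[1] = (keys[1], lambda out: [out[0], out[0]] + out[2:])
    accepted, blamed = check_submissions(subs)
    transcript = run_shuffle(accepted, servers)
    verdict, lying_server = audit(transcript, keys)
    recovered = {ct[NONCE_LEN:].rstrip(b"\0") for ct in transcript[-1]}
    return {"blamed": blamed, "verdict": verdict,
            "lying_server": lying_server, "recovered": recovered}


if __name__ == "__main__":
    print(demo(), demo(tamper=True), sep="\n")
```

In the honest run the three messages come out of server 3 and the audit says GO. In the tampered run the opening check blames mallory, the duplicate check blames both eve identities (honest clients never collide because every ciphertext carries a fresh nonce), and the duplicated output triggers NO-GO with server index 1 identified as the lying shuffler, since its published output is not a permutation of what its key would have produced.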