Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Slides:

Advertisements

Similar presentations

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Advertisements

Modelling and Analysing of Security Protocol: Lecture 11 Modelling Checking Tom Chothia CWI.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

A Survey Anonymity and Anonymous File-Sharing Tom Chothia (Joint work with Konstantinos Chatzikokolakis)

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Students’ online profiles for employability and community Frances Chetwynd, Karen Kear, Helen Jefferis and John Woodthorpe The Open University.

Network Layer and Transport Layer.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter and Aviel D. Rubin, Presented by Eric M. Busse Portions excerpt from Crowds: Anonymity.

Analysing the MUTE Anonymous File-Sharing System Using the Pi-calculus Tom Chothia CWI.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 12 Probabilistic Modelling Checking of Anonymous Systems Tom Chothia CWI.

Alice and Bob’s Revenge? AliceBob Elvis. If there is a protocol If there is a protocol then there must be a shortest protocol 1.Alice  Bob : ??? 2.Bob.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

A Tale of Research: From Crowds to Deeper Understandings Matthew Wright Jan. 25, : Adv. Network Security.

CSCI 5234 Web Security1 Privacy & Anonymity in the WWW Ch. 12, Oppliger.

Privacy and Anonymity CS432 - Security in Computing Copyright © 2005, 2006 by Scott Orr and the Trustees of Indiana University.

Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.

@Yuan Xue CS 285 Network Security Fall 2008.

Freenet: A Distributed Anonymous Information Storage and Retrieval System Presenter: Chris Grier ECE 598nb Spring 2006.

Anonymity on the Internet Presented by Randy Unger.

Anonymous Communication -- a brief survey

Privacy Enhancing Technologies Spring What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.

Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.

Anonymity – Crowds R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Network Security Lecture 20 Presented by: Dr. Munam Ali Shah.

Evoting using collaborative clustering Justin Gray Osama Khaleel Joey LaConte Frank Watson.

Class 8 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman

Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.

Key Management. Given a computer network with n hosts, for each host to be able to communicate with any other host would seem to require as many as n*(n-1)

1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz

Paris, 17 December 2007MPRI Course on Concurrency MPRI – Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia.

Lecture Topics: 11/27 Networks Layered Model Ethernet IP.

Computer Networking P2P. Why P2P? Scaling: system scales with number of clients, by definition Eliminate centralization: Eliminate single point.

Tiffanie Donovan CSC /27/12. Societal Topics-Weeks 7 & 8 Internet Regulation Internet regulation has the operation of keeping people from viewing.

Lecture 13: Anonymity on the Web Modified from Levente Buttyan, Michael K. Reiter and Aviel D. Rubin.

Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

6° of Darkness or Using Webs of Trust to Solve the Problem of Global Indexes.

Ασύρματες και Κινητές Επικοινωνίες Ενότητα # 10: Mobile Network Layer: Mobile IP Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.

ISDS 4120 Project 1 DWAYNE CARRAL JR 3/27/15. There are seven layers which make up the OSI (Open Systems Interconnection Model) which is the model for.

Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.

Wireless Network Security CSIS 5857: Encoding and Encryption.

A Key Management Scheme for Distributed Sensor Networks Laurent Eschaenauer and Virgil D. Gligor.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.

P2P Networking: Freenet Adriane Lau November 9, 2004 MIE456F.

1 Anonymous Communications CSE 5473: Network Security Lecture due to Prof. Dong Xuan Some material from Prof. Joan Feigenbaum.

1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 

Anonymous Communication

Towards Measuring Anonymity

Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology Authors: Andreas.

An Introduction to Privacy and Anonymous Communication

Anonymous Communication

Anonymous Communication

“You have zero privacy anyway, get over it”

Presentation transcript:

Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory

Today’s Lecture Practical course issues. Theoretical anonymity. –Dinning Cryptographers Protocol –Definitions of Anonymity –The Crowds Protocol BREAK Practical anonymous systems –Onion Routing and the Tor System –Mix Networks –Anonymous File-sharing Systems: MUTE –Anonymous Publishing: Freenet

The rest of the course Today: 12th Oct, Protocols for anonymity (homework) 19th Oct moved to 22th Oct 11:15 to 13:00: – Model Checking & Fair exchange protocols. 26th Oct, : Summary Lecture (Homework due) 2nd, 9th, 16th, 23rd and 30th Nov Student presentations

Homework You have only got questions 1 and 2 back. You have not been told your mark for question 3. Attacks exist against some of your protocols. As part of the current homework you have to analysis your own protocol using ProVerif. If you can find and correct a fault in your protocol you will win back half the marks lost for that fault in homework 1.

Qu. 1: Typing attack 1. A  B : A 2. B  A : N b 3. A  B : { A, B, N b } Kas 4. B  S : { A, B, { A, B, N b } Kas } Kbs 5. S  B : { A, B, N b } Kbs

Qu. 2: Early SSL 1. A  B : E B (Kab) 2. B  A : { N b } Kab 3. A  B : { CA, Sign A ( N b ) } Kab

Today’s Lecture Practical course issues. Theoretical anonymity. –Dinning Cryptographers Protocol –Definitions of Anonymity –The Crowds Protocol BREAK Practical anonymous systems –Onion Routing and the Tor System –Mix Networks –Anonymous File-sharing Systems: MUTE –Anonymous Publishing: Freenet

IP address When you connect to another computer you send it our IP address. It is ever hard to communicate well without revealing your real IP address. Recent count case (last week) decided that your IP address can be used to identify you in court.

“You have zero privacy anyway, get over it” Scott, CEO of SUN microsystems.

Dining Cryptographers Nodes form a ring Each adjacent pair picks a random number Each node broadcasts the sum (xor) of the adjacent numbers The user who wants to send a message also adds the message The total sum (xor) is: r 1 +r 2 +r 2 +r 3 +r 3 + r 4 +r 4 +r 5 +r 5 +r 1 +m = m r1r1 r4r4 r5r5 r3r3 r2r2 r 1 +r 2 r 5 +r 1 r 4 +r 5 r 3 +r 4 r 2 +r 3 +m

Dinning Cryptographers It's impossible to tell who added m. Beyond suspicion even to a global attacker. Very inefficient: everyone must send the same amount of data as the real sender.

A Hierarchy of Goals Fresh KeyKey Exclusivity Far-end Operative Once Authenticated Good Key Entity Authentication Key Confirmation Mutual Belief in Key

The Theory of Anonymity Anonymity means different things to different users. The right definitions are key to understand any system. “On the Internet nobody knows you’re a dog”

The Theory of Anonymity Anonymity is a difficult notion to define. –Systems have multiple agents –which have different views of the system –and wish to hide different actions –to variable levels. Sometimes you just want some doubt, sometimes you want to act unseen.

The Theory of Anonymity In a system of anonymous communication you can be: –A sender –A receive / responder –A helpful node in the system –An outsider (who may see all or just some of the communications). We might want anonymity for any of these, from any of these.

Some Kinds of Anonymity Sender anonymity. Receiver anonymity. Sender-receiver unlinkability. For the Sender Receive Another participant in the protocol. Outside observer that can see all/some of the network

Levels of Anonymity Reiter and Rubin provide the classification: Beyond suspicion: the user appears no more likely to have acted than any other. Probable innocence: the user appears no more likely to have acted than to not to have. Possible innocence: there is a nontrivial probability that it was not the user.

Beyond suspicion All users are Beyond suspicion: Prob Users ABCDE

Beyond suspicion Not Beyond Suspicion: Prob Users ABCDE

Probable Innocence All users are Probably Innocence Prob Users ABCDE 50%

Probable Innocence All users are Probably Innocence Prob Users ABCDE 50%

Probable Innocence All users are Probably Innocence Prob Users ABCDE 50%

Probable Innocence All users are Probably Innocence Prob Users ABCDE 50%

Probable Innocence All users are Probably Innocence Prob Users ABCDE 50%

Possible Innocence There a small change it is not you. Prob Users ABCDE 50%

Definitions These definitions do not take into account how likely each principal is to be guilty to start off with. Or quantify what the attack learns from a run of the protocol. This is currently a hot research topic, so far there are lots of complicated definitions but no clear winner.

Example: The Anonymizer An Internet connection reveals your IP number. The Anonymizer promise “Anonymity” Connection made via The Anonymizer. The Server see only the Anonymizer. S ? The Anonymizer

Example: The Anonymizer The sender is Beyond Suspicion to the server. The server knows The Anonymizer is being used. If there is enough other traffic, you are Probably Innocence to a global observer. The global observer knows you are using the “The Anonymizer” There is no anonymity to the “The Anonymizer”

Example: The Anonymizer From the small print: … we disclose personal information only in the good faith belief that we are required to do so by law, or that doing so is reasonably necessary … … Note to European Customers: The information you provide us will be transferred outside the European Economic Area

Crowds A crowd is a group of n nodes The initiator selects randomly a node (called forwarder) and forwards the request to it A forwarder: –With prob. 1-p f selects randomly a new node and forwards the request to him –With prob. p f sends the request to the server server

Crowds The sender is beyond suspicion to the server. Some of the nodes could be corrupted. The initiator could forward the message to a corrupted node. The sender has probable innocence to other nodes.

Today’s Lecture Practical course issues. Theoretical anonymity. –Dinning Cryptographers Protocol –Definitions of Anonymity –The Crowds Protocol BREAK Practical anonymous systems –Onion Routing and the Tor System –Mix Networks –Anonymous File-sharing Systems: MUTE –Anonymous Publishing: Freenet