Protocol Examples: Key Establishment Anonymity

Slides:



Advertisements
Similar presentations
Tor: The Second-Generation Onion Router
Advertisements

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Chapter 5 Network Security Protocols in Practice Part I
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
Xinwen Fu Anonymous Communication & Computer Forensics Computer & Network Forensics.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Key Distribution CS 470 Introduction to Applied Cryptography
Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.
0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
Aaron Johnson U.S. Naval Research Laboratory CSci 6545 George Washington University 11/18/2013.
Class 13 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Toward Prevention of Traffic Analysis Fengfeng Tu 11/26/01.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Privacy and Anonymity CS432 - Security in Computing Copyright © 2005, 2006 by Scott Orr and the Trustees of Indiana University.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Case Study: TOR Anonymity Network Bahadir Ismail Aydin Computer Sciences and Engineering University.
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Privacy Enhancing Technologies Spring What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.
R. Newman Anonymity - Background. Defining anonymity Defining anonymity Need for anonymity Need for anonymity Defining privacy Defining privacy Threats.
Class 8 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Slide 1 Vitaly Shmatikov CS 361S Anonymity Networks.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Supplemental Information on TOR (The Onion Router) CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–
L-25 Security II 1. Today's Lecture Effective secure channels Access control Privacy and Tor 2.
Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
Benjamin Knapic Nicholas Johnson.  “Tor is free software and an open network that helps you defend against a form of network surveillance that threatens.
Computer Communication & Networks
Anonymous Communication
Protocols for Anonymous Communication
Just Fast Keying (JFK) Protocol
0x1A Great Papers in Computer Security
Anonymous Communication
Application to a “real-world” protocol
Anonymity (Privacy) Suppose you are surfing the Web.
Anonymous Communications
Anonymous Communication
Presentation transcript:

Protocol Examples: Key Establishment Anonymity 18739A: Foundations of Security and Privacy Protocol Examples: Key Establishment Anonymity Dilsun Kaynar (Substituting for Anupam Datta) CMU, Fall 2009

Outline Just Fast Keying (JFK) Protocols for anonymous communication Shared secret creation Mutual authentication with identity protection Protection against DoS Protocols for anonymous communication High-latency Chaum Mixes as a building block Low-latency Onion Routing and Tor Hidden location servers

Part I: Jast Fast Keying (JFK) Protocol

JFK in this course Just Fast Keying (JFK) protocol State-of-the-art key establishment protocol [Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold CCS 2002] “Rational derivation” of the JFK protocol Combine known techniques for shared secret creation, authentication, identity and anti-DoS protection [Datta, Mitchell, Pavlovic Tech report 2002] Modeling JFK in applied pi calculus Specification of security properties as equivalences [Abadi,Fournet POPL 2001] [Abadi, Blanchet, Fournet ESOP 2004] Improves on IKE from IPSec suite (high number of rounds, vulnerable to DoS, complex). Several years after initial adoption IETF, there are non-interoperating implementations Later lecture

Design Objectives for Key Exchange Shared secret Create and agree on a secret which is known only to protocol participants Authentication Participants need to verify each other’s identity Identity protection Eavesdropper should not be able to infer participants’ identities by observing protocol execution Protection against denial of service Malicious participant should not be able to exploit the protocol to cause the other party to waste resources Security property: no one other than participants may have access to the generated key. JFK also aims at simplicity and perfect forward secrecy (guarantees that compromises of a host at time t does not allow an adversary to determine session keys that have been generated and subsequently deleted before time t )

Ingredient 1: Diffie-Hellman A  B: ga B  A: gb Shared secret: gab Diffie-Hellman guarantees perfect forward secrecy Authentication Identity protection DoS protection G is a finite cyclic group, g is a generating element (can be small), a and b are typically large A passive eavesdropper cannot recover the shared secret. Diffie-Hellman problem (computing g to the power ab from g, g to the power a, and g to the power b) is believed to be hard

Ingredient 2: Challenge-Response A  B: m, A B  A: n, sigB{m, n, A} A  B: sigA{m, n, B} Shared secret Authentication A receives his own number m signed by B’s private key and deduces that B is on the other end; similar for B Identity protection DoS protection Signature based challenge response, standard mechanism for mutual authentication, m and n are fresh numbers

DH + Challenge-Response ISO 9798-3 protocol: A  B: ga, A B  A: gb, sigB{ga, gb, A} A  B: sigA{ga, gb, B} Shared secret: gab Authentication Identity protection DoS protection m := ga n := gb Obtained by substituting Diffie-Hellman exponentials for the fresh terms m and n in the challenge-response protocol.

Ingredient 3: Encryption Encrypt signatures to protect identities: A  B: ga, A B  A: gb, EK{sigB{ga, gb, A}} A  B: EK{sigA{ga, gb, B}} Shared secret: gab Authentication Identity protection (for responder only!) DoS protection B’s identity is protected against passive adversaries.

Refresher: Anti-DoS Cookie Typical protocol: Client sends request (message #1) to server Server sets up connection, responds with message #2 Client may complete session or not (potential DoS) Cookie version: Client sends request to server Server sends hashed connection data back Send message #2 later, after client confirms Client confirms by returning hashed data Need extra step to send postponed message

Ingredient 4: Anti-DoS Cookie “Almost-JFK” protocol: A  B: ga, A B  A: gb, hashKb{gb, ga} A  B: ga, gb, hashKb{gb, ga} EK{sigA{ga, gb, B}} B  A: gb, EK{sigB{ga, gb, A}} Shared secret: gab Authentication Identity protection DoS protection? Doesn’t quite work: B must remember his DH exponential b for every connection A cookie mechanism is a standard way of preventing blind denial-of-service attacks. B returns a keyed hash of the Diffie-Hellman exponential that he receives in the first message from A. Only after A returns the cookie in the third message does B create state and perform expensive public key operations. One can use unforgeable “token” to reconstruct state

Additional Features of JFK Keep ga, gb values medium-term, use (ga,nonce) Use same Diffie-Hellman value for every connection (helps against DoS), update every 10 minutes or so Nonce guarantees freshness More efficient, because computing ga, gb, gab is costly Two variants: JFKr and JFKi JFKr protects identity of responder against active attacks and of initiator against passive attacks JFKi protects only initiator’s identity from active attack Responder may keep an authorization list May reject connection after learning initiator’s identity

JFKr Protocol [Aiello et al.] If initiator knows group g in advance Ni, xi xi=gdi I R xr=gdr DH group tr=hashKr(xr,Nr,Ni,IPi) Same dr for every connection Ni, Nr, xr, gr, tr xidr=xrdi=x Ka,e,v=hashx(Ni,Nr,{a,e,v}) derive a set of keys from shared secret and nonces Ni, Nr, xi, xr, tr, ei, hi 2 round-trips, R doesn’t perform expensive operations at message 2. Identities revealed in latter messages ei=encKe(IDi,ID’r,sai,sigKi(Nr,Ni,xr,xi,gr)) hi=hashKa(“i”,ei) er, hr “hint” to responder which identity to use check integrity before decrypting er=encKe(IDr,sar,sigKr(xr,Nr,xi,Ni)) hr=hashKa(“r”,er) real identity of the responder

Part II: Protocols for Anonymous Communication 18739A: Foundations of Security and Privacy Part II: Protocols for Anonymous Communication

Privacy on Public Networks Internet is designed as a public network Machines on your LAN may see your traffic, network routers see all traffic that passes through them Routing information is public IP packet headers identify source and destination Even a passive observer can easily figure out who is talking to whom Encryption does not hide identities Encryption hides payload, but not routing information Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP addresses of IPSec gateways Public networks are vulnerable to traffic analysis

Applications of Anonymity (I) Privacy Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists Untraceable electronic mail Corporate whistle-blowers Political dissidents Socially sensitive communications (online AA meeting) Confidential business negotiations Law enforcement and intelligence Sting operations and honeypots Secret communications on a public network

Applications of Anonymity (II) Digital cash Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity) Anonymous electronic voting Censorship-resistant publishing

What is Anonymity? Anonymity is the state of being not identifiable within a set of subjects You cannot be anonymous by yourself! Hide your activities among others’ similar activities Unlinkability of action and identity For example, sender and his email are no more related after observing communication than they were before Unobservability (hard to achieve) Any item of interest (message, event, action) is indistinguishable from any other item of interest

Attacks on Anonymity Passive traffic analysis Active traffic analysis Infer from network traffic who is talking to whom To hide your traffic, must carry other people’s traffic! Active traffic analysis Inject packets or put a timing signature on packet flow Compromise of network nodes Attacker may compromise some routers It is not obvious which nodes have been compromised Attacker may be passively logging traffic Better not to trust any individual router Assume that some fraction of routers is good, don’t know which Incentive to share the burden for the sake of anonimity

Before spam, people thought anonymous email was a good idea  Chaum’s Mix Early proposal for anonymous email David Chaum. “Untraceable electronic mail, return addresses, and digital pseudonyms”. Communications of the ACM, February 1981. Public key crypto + trusted re-mailer (Mix) Untrusted communication medium Public keys used as persistent pseudonyms Modern anonymity systems use Mix as the basic building block Before spam, people thought anonymous email was a good idea 

Basic Mix Design Mix B A C E D {r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B {r3,M’}pk(E),E C {r2,{r3,M’}pk(E),E}pk(mix) E D {r4,{r5,M’’}pk(B),B}pk(mix) Mix Adversary knows all senders and all receivers, but cannot link a sent message with a received message

Anonymous Return Addresses M includes {K1,A}pk(mix), K2 where K2 is a fresh public key {r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B B MIX A K1 is created by A and hence messahe can only be decryptrd by A. K2 is used for the secrecy of M’ . Response MIX {K1,A}pk(mix), {r2,M’}K2 A,{{r2,M’}K2}K1 Secrecy without authentication (good for an online confession service )

Mix Cascade Messages are sent through a sequence of mixes Can also form an arbitrary network of mixes (“mixnet”) Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymity Pad and buffer traffic to foil correlation attacks

Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix are computationally expensive Basic mixnets have high latency Ok for email, not Ok for anonymous Web browsing Challenge: low-latency anonymity network Use public-key cryptography to establish a “circuit” with pairwise symmetric keys between hops on the circuit Then use symmetric decryption and re-encryption to move data messages along the established circuits Each node behaves like a mix; anonymity is preserved even if some nodes are compromised

A simple idea: Basic Anonymizing Proxy Channels appear to come from proxy, not true originator Appropriate for Web connections etc.: SSL, TSL (Lower cost symmetric encryption) Example: The Anonymizer Simple, focuses lots of traffic for more anonymity Main disadvantage: Single point of failure, compromise, attack

Another Idea: Randomized Routing Hide message source by routing it randomly Popular technique: Crowds, Freenet, Onion routing Routers don’t know for sure if the apparent source of a message is the true sender or another router

R R R4 R R3 R R1 R R2 R Onion Routing [Reed, Syverson, Goldschlag ’97] R R R4 R R3 R R1 R R2 Alice R Bob Sender chooses a random sequence of routers Some routers are honest, some controlled by attacker Sender controls the length of the path

R2 R4 R3 R1 Route Establishment Alice Bob {M}pk(B) {B,k4}pk(R4),{ }k4 Notice that as the onion is peeled, Alice establishes symmetric keys with each router {R4,k3}pk(R3),{ }k3 {R3,k2}pk(R2),{ }k2 {R2,k1}pk(R1),{ }k1 Routing info for each link encrypted with router’s public key Each router learns only the identity of the next router

Tor Second-generation onion routing network Running since October 2003 http://tor.eff.org Developed by Roger Dingledine, Nick Mathewson and Paul Syverson Specifically designed for low-latency anonymous Internet communications Running since October 2003 100 nodes on four continents, thousands of users “Easy-to-use” client proxy Freely available, can use it for anonymous browsing

Tor Circuit Setup (1) Client proxy establish a symmetric session key and circuit with Onion Router #1

Tor Circuit Setup (2) Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2 Tunnel through Onion Router #1

Tor Circuit Setup (3) Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3 Tunnel through Onion Routers #1 and #2

Using a Tor Circuit Client applications connect and communicate over the established Tor circuit Datagrams are decrypted and re-encrypted at each link Client has established a symmetric key with each node in the circuit. It can form an “onion” only with these symmetric keys. At each node the onion is peeled using its symmetric key with Client. This is an improvement over old onions that use public key encryption to move data over the circuit.

Tor Management Issues Many applications can share one circuit Multiple TCP streams over one anonymous connection Tor router doesn’t need root privileges Encourages people to set up their own routers More participants = better anonymity for everyone Directory servers Maintain lists of active onion routers, their locations, current public keys, etc. Control how new routers join the network “Sybil attack”: attacker creates a large number of routers Directory servers’ keys ship with Tor code

Location Hidden Servers Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it Accessible from anywhere Resistant to censorship Can survive full-blown DoS attack Resistant to physical attack Can’t find the physical server!

Creating a Location Hidden Server Server creates onion routes to “introduction points” Client obtains service descriptor and intro point address from directory Server gives intro points’ descriptors and addresses to service lookup directory

Using a Location Hidden Server Client creates onion route to a “rendezvous point” Rendezvous point mates the circuits from client & server If server chooses to talk to client, connect to rendezvous point Client sends address of the rendezvous point and any authorization, if needed, to server through intro point

Deployed Anonymity Systems Free Haven project has an excellent bibliography on anonymity Linked from the reference section of course website Tor (http://tor.eff.org) Overlay circuit-based anonymity network Best for low-latency applications such as anonymous Web browsing Mixminion (http://www.mixminion.net) Network of mixes Best for high-latency applications such as anonymous email

Dining Cryptographers Clever idea how to make a message public in a perfectly untraceable manner David Chaum. “The dining cryptographers problem: unconditional sender and recipient untraceability.” Journal of Cryptology, 1988. Guarantees information-theoretic anonymity for message senders This is an unusually strong form of security: defeats adversary who has unlimited computational power Impractical, requires huge amount of randomness In group of size N, need N random bits to send 1 bit

Three-Person DC Protocol Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous. Each diner flips a coin and shows it to his left neighbor. Every diner will see two coins: his own and his right neighbor’s Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite). Odd number of “same”  NSA is paying; even number of “same”  one of them is paying But a non-payer cannot tell which of the other two is paying! About 3. Odd number of “same” arises only if everyone tells the truth (non-payers tell the truth)

Non-Payer’s View: Same Coins “different” ? “same” “different” ? payer payer Even number of “same” so I know someone is paying, but who? I cannot see inside the cloud. If it were H, then the one on the left must be lying, if T then the one on the right. But H and T are equally likely. Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Non-Payer’s View: Different Coins “same” “same” ? “same” ? payer payer Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Superposed Sending This idea generalizes to any group of size N For each bit of the message, every user generates 1 random bit and sends it to 1 neighbor Every user learns 2 bits (his own and his neighbor’s) Each user announces own bit XOR neighbor’s bit Sender announces own bit XOR neighbor’s bit XOR message bit XOR of all announcements = message bit Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once

DC-Based Anonymity is Impractical Requires secure pairwise channels between group members Otherwise, random bits cannot be shared Requires massive communication overhead and large amounts of randomness DC-net (a group of dining cryptographers) is robust even if some members collude Guarantees perfect anonymity for the other members

Acknowledgement Part 1 of this lecture was based on slides by Anupam Datta Part 2 of this lecture was based on slides by Vitaly Shmatikov