Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. David Chaum, CACM Vol. 24 No. 2, February 1981. Presented by: Adam Lee, 1/24/2006.



Motivation
- Many uses for anonymous communication channels
  - Elections
  - Anonymous crime tips
  - Whistle-blowing
  - Etc.
- Standard mail offers some guarantees of anonymity; why not email too?

Contributions
- Cryptographic protocols to support an anonymous email system
  - Keep sender anonymous w.r.t. both the receiver and other parties in the network
  - Allow receiver to reply to sender without revealing sender's identity
- Protocol can also be used to form anonymous and verifiable rosters
  - E.g., for an electronic election

Historical Perspective, 1979
- Cryptography had been around for millennia
  - Usually required the use of shared secrets
- Paradigm shift: late 1970s
  - Diffie & Hellman, "New Directions in Cryptography" (1976)
  - RSA cryptosystem (1977)
- Rapid advancements allow for the sharing of keys (secrets) between strangers

Notation
- Keys in public-key cryptosystem
  - Public key: K
  - Private key: K^-1
- Encryption of x with K denoted by K(x)
- Keys are inverses
  - i.e., K^-1(K(x)) = K(K^-1(x)) = x

Operations
- To prevent certain attacks, Chaum advocates random padding before encryption
  - i.e., use K(R, x), where R is a random string, rather than K(x) to encrypt x
- When signing, first pad with some known constant
  - i.e., K^-1(C, y), where C is a known constant

Chaum's Assumptions
- Can't break the cryptosystem
- Anyone can observe all links in the system
  - The so-called "global passive adversary"
- Anyone can inject, replay, remove, or modify messages
  - Dolev-Yao active attacker model (which they didn't publish about until 1983)

Sending Anonymous Mail
- Rather than sending mail directly to the recipient, send mail to a mix
- Principle: Try to reduce correspondence between input- and output-sets
  - Fool global passive adversaries
- What about keeping the message private?

The Crypto!
- Players (and their public keys)
  - Mixes (K_n)
  - Recipient, A (K_a)
- One mix protocol
  - Sender -> Mix: K_1(R_1, K_a(R_0, M), A)
  - Mix -> A: K_a(R_0, M)
- Use of public key crypto hides message from mix and nosy parties on the Internet

Cascade Mix Example
- Protocol
  - Sender -> Mix n: K_n(R_n, K_{n-1}(R_{n-1}, …, K_1(R_1, K_a(R_0, M), A) …, A_{n-2}), A_{n-1})
  - Mix n -> Mix n-1: K_{n-1}(R_{n-1}, …, K_1(R_1, K_a(R_0, M), A) …, A_{n-2})
  - …
  - Mix 2 -> Mix 1: K_1(R_1, K_a(R_0, M), A)
  - Mix 1 -> A: K_a(R_0, M)
- As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!

Observations
- At each step in the cascade, the current mix
  - Peels off one layer of encryption
  - Discovers a forwarding address
  - Passes message along
- So, each mix only knows where a message came from and where it's going
- Note similarities between onion routing, Crowds, etc…
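The layering and peeling described on the three slides above, as an added example (not from the slides or from Chaum's paper). The ElGamal-style `seal`/`unseal` over a toy group, the JSON framing and the mix names are assumptions made for illustration; the ephemeral value inside `seal` plays the role of the random string R, and the toy cipher has no integrity protection.

```python
import hashlib
import json
import secrets

P, G = 2**127 - 1, 3  # toy group (assumption): far too small for real use

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _pad(shared, n):
    blocks = (hashlib.sha256(f"{shared}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(pub, data):
    """K(R, x): a fresh ephemeral exponent makes every ciphertext different."""
    r = secrets.randbelow(P - 2) + 1
    pad = _pad(pow(pub, r, P), len(data))
    return pow(G, r, P), bytes(a ^ b for a, b in zip(data, pad))

def unseal(priv, box):
    eph, body = box
    return bytes(a ^ b for a, b in zip(body, _pad(pow(eph, priv, P), len(body))))

def wrap(mixes, dest, dest_pub, message):
    """mixes: [(addr, pub)] ordered Mix 1 .. Mix n. Returns (first hop, onion)."""
    hop, box = dest, seal(dest_pub, message)           # K_a(R_0, M)
    for addr, pub in mixes:                            # K_i(R_i, inner, next hop)
        box = seal(pub, json.dumps([hop, box[0], box[1].hex()]).encode())
        hop = addr
    return hop, box

def peel(priv, box):
    """One mix step: remove a layer, learn only the forwarding address."""
    hop, eph, body = json.loads(unseal(priv, box))
    return hop, (eph, bytes.fromhex(body))

def run_cascade(message=b"constructed sample message", n=3):
    keys = {f"mix{i}": keygen() for i in range(1, n + 1)}
    keys["A"] = keygen()
    route = [(name, keys[name][1]) for name in list(keys)[:n]]
    hop, box = wrap(route, "A", keys["A"][1], message)
    trace = []                                         # (mix, ciphertext bytes seen)
    while hop != "A":
        trace.append((hop, len(box[1])))
        hop, box = peel(keys[hop][0], box)
    return trace, unseal(keys["A"][0], box)
```

The sizes in the returned trace shrink at every hop, so an observer could line up inputs and outputs by length alone; that is the leak the fixed-size recommendation later in the talk addresses.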

Return to Sender
- This is all fine and good for one way (anonymous threats and the like), but how can we arrange responses?
- Embed an untraceable return address!
  - Format: K_1(R_1, A_X), K_X
  - A_X is X's return address, K_X is a temporary public key for X

Example
- Protocol:
  - X -> Mix: K_1(R_1, K_Y(R_0, M_1), A_Y), K_1(R_1, A_X), K_X
  - Mix -> Y: K_Y(R_0, M_1), K_1(R_1, A_X), K_X
  - Y -> Mix: K_1(R_1, A_X), K_X(R_2, M_2)
  - Mix -> X: R_1(K_X(R_2, M_2))
- Note 1: R_1 used to alter forwarded message to prevent I/O correspondence
- Note 2: Return addresses can be cascaded just like messages.
- Note 3: Responses clearly different from initial messages

Possible Attack (not in paper)
- Note that K_1(R_1, A_X) and K_X aren't bound
- A malicious mix can read reply messages by carrying out a man-in-the-middle attack
- With email, lots of times, replies contain the original message!

Attack Example
- X -> Mix: K_1(R_1, K_Y(R_0, M_1), A_Y), K_1(R_1, A_X), K_X
- Mix -> Y: K_Y(R_0, M_1), K_1(R_1, A_X), K_X'
  - Note substituted ephemeral public key K_X'
- Y -> Mix: K_1(R_1, A_X), K_X'(R_2, M_2)
  - Mix can unpack this message, read M_2, and reencrypt using K_X
- Mix -> X: R_1(K_X(R_2, M_2))

A Simple Solution
- To prevent the previously mentioned attack, we need only change the first message of the protocol
  - X -> Mix: K_1(R_1, K_Y(R_0, K_X, M_1), A_Y), K_1(R_1, A_X), K_X
- This allows Y to verify that the mix didn't change K_X, since the mix can't alter anything encrypted with K_Y
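The check Y performs in the fixed protocol, run against the substituted key from the attack slide, as an added example (not from the slides or the paper). Encryption is modelled symbolically, in the spirit of the Dolev-Yao model named under the assumptions: a `Box` can be opened only by a party holding the matching private key. `Box`, `unseal`, `x_send`, `mix_forward`, `y_reply` and `mix_can_read_reply` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Box:
    """Symbolic ciphertext: only a holder of the key named `key` can read it."""
    key: str
    content: tuple

def unseal(box, held_keys):
    if box.key not in held_keys:
        raise PermissionError(f"no private key for {box.key}")
    return box.content

def x_send(bind_key):
    # Original: K_1(R_1, K_Y(R_0, M_1), A_Y), K_1(R_1, A_X), K_X
    # Fixed:    K_1(R_1, K_Y(R_0, K_X, M_1), A_Y), K_1(R_1, A_X), K_X
    inner = ("R0", "K_X", "M1") if bind_key else ("R0", "M1")
    forward = Box("K_1", ("R1", Box("K_Y", inner), "A_Y"))
    return forward, Box("K_1", ("R1", "A_X")), "K_X"

def mix_forward(msg, substitute=None):
    """Mix -> Y. A malicious mix passes `substitute` in place of K_X."""
    forward, return_addr, reply_key = msg
    _, for_y, _ = unseal(forward, {"K_1"})
    return for_y, return_addr, substitute or reply_key

def y_reply(delivered, m2="M2"):
    """Y -> Mix. Refuses to reply if the bound key and the outer key differ."""
    for_y, return_addr, reply_key = delivered
    content = unseal(for_y, {"K_Y"})
    bound = content[1] if len(content) == 3 else None   # K_X inside K_Y, if present
    if bound is not None and bound != reply_key:
        raise ValueError("reply key differs from the key bound inside K_Y")
    return return_addr, Box(reply_key, ("R2", m2))

def mix_can_read_reply(bind_key):
    """True if a mix that swaps K_X for its own K_X' ends up able to read M_2."""
    delivered = mix_forward(x_send(bind_key), substitute="K_X'")
    try:
        _, reply = y_reply(delivered)
    except ValueError:
        return False                                    # Y detected the swap
    try:
        unseal(reply, {"K_1", "K_X'"})                  # keys the mix holds
        return True
    except PermissionError:
        return False
```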

Anonymous Elections
- Form a roster of pseudonyms by sending anonymous emails through a mix-net
- Output list in a public location
- Only entities on the list can take actions in the system

Recommendations for an Untraceable Mail System
- To hide number of messages sent, each participant sends same number of messages per interval (some are dummies)
  - Cover traffic!
- To hide number of messages received, must check all messages, not just known good messages
- Messages should all be same size
  - Prevent I/O correlation

Implementing an Advanced Mix
- A mix with all of the following properties can be implemented using the techniques presented in this paper
- Overview
  - Break message into fixed size blocks
  - Each mix "pops" the first block, adds a block of junk to the end
  - Decrypt removed block to yield a key R which is used to encrypt each block in the new message

Discussion Questions
- Why wasn't Chaum's mix network ever implemented?
- How should we characterize advancements in anonymous email over the years? Technological? Responses to better understanding of threats?

Discussion Questions (cont.)
- This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?
- What do people think of the notion of certified mail and receipts?