Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Dissent: Accountable Anonymous Group Communication Bryan Ford Joan Feigenbaum, David Wolinsky, Henry Corrigan-Gibbs, Shu-Chun Weng, Ewa Syta Yale University.

Published byOctavia Page Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Dissent: Accountable Anonymous Group Communication Bryan Ford Joan Feigenbaum, David Wolinsky, Henry Corrigan-Gibbs, Shu-Chun Weng, Ewa Syta Yale University."— Presentation transcript:

1 1 Dissent: Accountable Anonymous Group Communication Bryan Ford Joan Feigenbaum, David Wolinsky, Henry Corrigan-Gibbs, Shu-Chun Weng, Ewa Syta Yale University Vitaly Shmatikov, Aaron Johnson University of Texas at Austin Presented at MPI-SWS – Jan 4, 2012

2 2 Why do we want anonymity online? Many motivations: Discuss sensitive/controversial topics safely; protect freedom of speech Citizens of authoritarian states evading repression Voting in elections or deliberative organizations Collaborative content creation/editing, e.g., Wikipedia Protect secrecy of bids in commercial auctions Law-enforcement “tip” or whistleblowing hotlines Peer review processes for research, journalism …

3 3 Motivating Scenario Alice, Bob, Charlie, Dave, & friends Citizens of Repressistan Wish to connect, organize online safely Government is powerful but not all-powerful Can't just “turn off Internet” indefinitely or throw all protesters in jail: cost is too high Must identify and make examples of the movement's outspoken “activist leaders” Alice & friends need “strength in numbers”

4 4 Being Anonymous: Naive Ways Anonymous Client Anonymous Client Anonymizing Relay Public Server Assume the Internet is “anonymous enough” –IP addresses never provided real anonymity; many ways to track users, machines, browsers Use centralized anonymizing relays/proxies –Central point of failure, prime compromise target

5 5 Being Anonymous: Better Ways MIX networks, onion routing systems: e.g., Tor Tunnel through a series of anonymizing relays Protects even if any one is malicious or hacked Anonymous Client Anonymous Client Anonymizing Relays Public Server

6 6 ClientServercorrelate ClientServercorrelate Limitations of Onion Routing Vulnerable to traffic analysis, correlation attacks –compromised, colluding first & last hop relays –compromised entry relay and server –first & last links cross same monitored network path ClientServercorrelate

7 7 Limitations of Onion Routing Vulnerable to anonymous abuse No accountability for misbehavior –No one knows you're a dog, so everyone gets to behave like a dog Unlimited supply of “fresh” pseudonyms –Create sock-puppet “supporters” in online forums –Vote many times in online polls, elections –Get banned, come back with new IP address (loser is next user of old IP address or exit relay)

8 8 Dining Cryptographers (DC-nets) Another fundamental Chaum invention from the 80s... Ex. 1: “Alice+Bob” sends a 1-bit secret to Charlie. Alice Bob Charlie 1 Alice+Bob’s Shared Random Bit Alice’s Secret 0 1 1

9 9 Dining Cryptographers (DC-nets) Another fundamental Chaum invention from the 80s... Ex. 2: Homogeneous 3-member group anonymity Alice Bob Charlie Alice’s Secret 1 1 Alice+Bob's Random Bit Alice+Charlie's Random Bit 0 Bob+Charlie's Random Bit 1 0 0 1 =1

10 10 Dining Cryptographers (DC-nets) Tantalizingly strong anonymity guarantees: Unconditional information-theoretic anonymity –(if we use “real” random coins, which we won't) Optimal security against traffic analysis & collusion –Anonymity set = nodes not colluding with adversary Never successfully used in practical systems: No provision for accountability or proportionality –Malicious member can jam by sending random bits Not readily scalable to large groups –Especially with node failure, network churn

11 11 Talk Outline ✔ Online Anonymity: What and Why? An Accountable Group Anonymity Model A MIX-based Accountable Shuffle Dining On Schedule: Accountable DC-nets Current Results and Ongoing Work

12 12 Dissent: Accountable, Proportional Group Anonymity A group communication model akin to DC-nets Assumes a well-defined group of N ≥ 2 parties wishes to communicate with each other online Members have persistent identities known to each other – may or may not be “public” Wish to hide which member sent a message, but make it clear that some member sent it Wish to maintain proportionality: each member gets one message, vote, bid, etc. per “round”

13 13 Bulletin Boards, Chat Rooms Alice Bob Charlie Dave Hey all, did you hear about X? - Azalia Yeah, that's insane - Damian No joke! - Claire

14 14 Group Voting, Deliberation Alice Bob Charlie Dave NO! YES Boris's last edit was bad, roll it back! - Damian YES

15 15 Anonymous Auctions Alice Bob Charlie Dave Hey, anyone want my old Y? - Boris I bid $10 - Azalia I bid $20 - Damian SOLD to Damian, where to meet? - Boris

16 16 “Shuffling” Into Group Anonymity Input: secret message m i of length L i from each group member i m3m3 m1m1 m2m2 Output: send all members' messages to target(s) in shuffled order m3m3 m1m1 m2m2 Member 1Member 2Member 3 L3L3 L1L2L2 Dissent Protocol: randomly permute and decrypt messages

17 17 Anonymity with Accountability Dissent's group model facilitates accountability: Not “just anyone” may send, vote, bid, etc. → group membership can reflect “credentials” –Board members, journalists, etc., acting collectively 1-to-1 shuffle prevents Sybil attacks –Each “real” group member can send exactly one message per shuffle, cannot act like many users Resistant to anonymous disruption attacks –If any member attempts to jam or block protocol, Dissent exposes attacker's real identity, can expel

18 18 Dissent Network Model Quasi-Client/Server Model: Client nodes represent group members (users) wishing to post messages anonymously Server nodes are intermediaries that facilitate anonymous group communication Servers Clients

19 19 Dissent Network Model Dissent “servers” could actually be: Dedicated or volunteer servers, like Tor relays Super-peers chosen from clients, P2P-style Cloud-based virtual services run professionally “Servers” or “Super-peers” or “Cloud services” Clients

20 20 Anonymity set Dissent Trust Model Any number of clients may be malicious, collude A client's effective “anonymity set” includes all clients not colluding with adversary –(trivally optimal for colluding adversary model) Clients Servers

21 21 Anonymity set Dissent Trust Model All but one server may be malicious, collude Clients need not know which server(s) to trust Clients of dishonest servers are still protected! –Unlike existing MIX, DC-nets cascading schemes Clients Servers

22 22 Talk Outline ✔ Online Anonymity: What and Why? ✔ An Accountable Group Anonymity Model A MIX-based Accountable Shuffle Dining On Schedule: Accountable DC-nets Current Results and Ongoing Work

23 23 The Dissent Shuffle – Overview Assuming N clients, M servers: 1.Servers choose inner, outer encryption keys 2.Clients encrypt messages in 2M “onion layers” 3.Servers MIX and decrypt outer layers 4.Clients validate result, broadcast go/no-go 5.Servers either: –Decrypt inner layers of permuted messages, or –Reveal permutation and trace at least one disruptor

24 24 Phase 1: Setup Assume at outset: –All nodes know each others' public signing keys –All nodes sign and verify all messages Each client i chooses: –Secret message m i padded to fixed length L Each server j creates outer and inner encryption key pairs: (O j,O' j ) and (I j, I' j ) Each server i broadcasts public encryption keys O' j, I' j to all clients

25 25 Phase 2: Onion Encryption Each client i: Encrypts m i with inner keys I' M,...,I' 1 to create m' i Encrypts m' i with outer keys O' M,...,O' 1 to create m'' i Example with N = 3 clients, M = 2 servers: m1m1 m2m2 m3m3 m' 1 = { { }I' 2 }I' 1 m' 2 = { { }I' 2 }I' 1 m' 3 = { { }I' 2 }I' 1 m'' 1 = { { }O' 2 }O' 1 m'' 2 = { { }O' 2 }O' 1 m'' 3 = { { }O' 2 }O' 1

26 26 Phase 3: Anonymization (1) Server 1 collects messages (m'' I, …, m'' N ). For j ← 1 to M, server j –Decrypts j th outer encryption layer with key O j –Randomly permutes the list of partially decrypted messages, temporarily saves the random permutation –Forwards permuted message list to server j+1 (if j < N) Server M broadcasts permuted m' i list to all nodes

27 27 Phase 3: Anonymization (2) mimi m' i = { { }I' 2 }I' 1 m'' i = { { }O' 2 }O' 1 Server 1 decrypt, permute m1m1 {{ }} {{ }} m2m2 {{ }} {{ }} m3m3 {{ }} {{ }} Input to server 1: encrypted messages m'' i m3m3 {{ }} { } m1m1 {{ }} { } m2m2 {{ }} { } Output from server M: partly decrypted messages m' i in random, secret order m2m2 {{ }} m1m1 {{ }} m3m3 {{ }} Server 2 decrypt, permute

28 28 Phase 4: Validation After anonymization, no client or server knows the final permutation, but every client i should see his own m' i in the list! Each client i looks for m' I in the permuted list Present → client i broadcasts “GO” Absent → client i broadcasts “NO-GO”

29 29 Phase 5: Decryption or Blame Each server j collects all GO/NO-GO messages GO messages from all clients: –Each server j broadcasts his private inner key I j –All clients use inner keys I 1,...,I M to decrypt all m' i revealing all cleartext messages m i NO-GO message from any client: –Each server j broadcasts proof that he decrypted and permuted messages properly in Phase 3 –All servers use these proofs to uncover disruptor(s)

30 30 Anonymity of the Shuffle Every server secretly randomizes the shuffle Even if any subset of servers collude, any single honest server protects all clients Resists traffic analysis, correlation attacks: traffic reveals nothing about who sent what Malicious ciphertext substitution or duplication always detected at GO/NO-GO if not before All key security properties provable (see CCS '10 paper for details)

31 31 Accountability of the Shuffle Any NO-GO message obliges all nodes to “prove their innocence”, i.e., that they: Correctly encrypted messages in phase 2 Correctly decrypted/permuted in phase 3 Correctly validated final list in phase 4 This process reveals the “secret” permutation, but leaves permuted cleartexts (m j ) undecipherable Protected by all honest servers' inner keys

32 32 Scalability of the Shuffle All phases parallelizable except 3: anonymization M servers “take turns” permuting & decrypting Not show-stopping if N clients ≫ M servers Scenario 1: servers are M independently run, cloud-based “Dissent service providers” Each “server” is a parallel, fault-tolerant cluster Scenario 2: servers are M super-peers chosen randomly from N ≫ M clients in P2P setting If fN clients are faulty, f M chance of failure

33 33 Talk Outline ✔ Online Anonymity: What and Why? ✔ An Accountable Group Anonymity Model ✔ A MIX-based Accountable Shuffle Dining On Schedule: Accountable DC-nets Current Results and Ongoing Work

34 34 Inefficient when only some clients are “talking” All clients must pad messages to same length If one “talker” wants to send useful L-byte file, each “listener” must send L bytes of garbage M-server serialized path still incurs latency We'd prefer if entire protocol was parallelizable Shuffle must “start over” if a client comes or goes Natural or malicious churn could cause DoS Limitations of MIX-based Shuffle

35 35 Solution Use MIX-based shuffle to bootstrap & schedule a dining cryptographers (DC-nets) phase Outline 1.Setup pseudonym keys and transmit schedule 2.Share secrets between all client/server pairs 3.Transmit any number of DC-nets rounds

36 36 Setup 1: Nym-Key Schedule Use MIX-based shuffle above to “bootstrap” 1.Each client creates fresh pseudonym keypair 2.Servers MIX-shuffle public nym-keys ● Yields an agreed-upon permutation of nym-keys ● Each client knows all keys but only its own position K2K2 MIX-based Dissent Shuffle K' 2 K3K3 K' 3 K1K1 K' 1 K' 2 K' 3 K' 1 nym-keypair per client shuffle public keys agreed-upon nym-key permutation

37 37 Setup 2: Shared Secrets Each node publishes a Diffie-Hellman (DH) key –Owner of each key well-known, not anonymous Each client forms DH secret with each server, each server forms DH secret with each client Use each secret as seed for shared PRNG M Servers N Clients N×M secret matrix

38 38 Transmission Rounds Transmission proceeds in rounds scheduled by agreed-upon nym-key permutation 1.All clients send bits on behalf of slot 1's owner 2.All clients send bits on behalf of slot 2's owner 3.… Clients know which nym-key owns a given slot, but not which client owns which (other) slots. K' 2 K' 3 K' 1 Time K' 2 K' 3 K' 1 …Schedule

39 39 Computing Cipherstreams In an L-bit transmission round: Each server j XORs together next L bits of PRNG streams shared with each client Each client i XORs together next L bits of PRNG streams shared with each server –If client i holds nym-key for current round, further XORs in his L-bit message Servers collect, XOR all cipherstreams –Shared PRNG streams cancel, leaving message

40 40 The Cipherstream Matrix Client 1 1101 0011 0110 1011 1001 0010 Ex: N=3 clients, M = 2 servers, L = 4 bits, client 2 owns nym-key for current round ⊗⊗⊗ ⊗⊗ ⊗⊗ Client 2Client 3 Server 1 Server 2 1110 1010 ⊗ anonymous message servers' cipher- streams clients' cipherstreams 01111011 1010 0010 ⊗ ⊗⊗⊗ 1010 secret streams

41 41 Anonymity Properties Assuming at least 1 server is honest: Each honest client shares secret PRNG stream with that server –These shared streams unknown to adversary –Different combination XORed in each cipherstream –Adversary can't distinguish any honest client's cipherstream (individually) from random bits Guarantee depends on strength of DH, PRNG

42 42 Accountability Properties Owner of transmission slot must sign message with private nym-key for that slot Nodes can verify signature, corruption obvious On corruption, nontrivial multi-round blame protocol required to identify source of corruption Guaranteed to succeed within “a few rounds” Ongoing work: DC-nets protocol with proactive zero-knowledge proofs of correctness

43 10/2/2016 Scalability Properties All computation, transmission fully parallelizable P2P multicast-trees can optimize network usage: 1.XOR all cipherstreams on way up tree 2.Root multicasts plaintext result back down Low latency/load, bandwidth 2× “plain” multicast ⊕ ⊕ 1. XOR combining 2. multicast

44 10/2/2016 Robustness Properties We assume servers are “reliable” Must ensure either via selection or design Server churn requires re-shuffle, restart Clients may join/leave frequently, however Servers must recompute their cipherstreams Clients don't need to, as their cipherstreams depend only on secrets shared with servers

45 45 Talk Outline ✔ Online Anonymity: What and Why? ✔ An Accountable Group Anonymity Model ✔ A MIX-based Accountable Shuffle ✔ Dining On Schedule: Accountable DC-nets Current Results and Ongoing Work

46 10/2/2016 Current Status Two working but less-scalable prototypes built, tested already (one Python, one C++) –See CCS '10 paper for performance/evaluation Third, more scalable prototype mostly done, implementing the techniques discussed here –Evaluation not yet done → no concrete results yet

47 47 Further Ongoing Work Proactive handling of network churn –e.g., ECC-encode messages across multiple redundant combining/distribution trees Handling intersection attacks –Risk if user retains a pseudonym “a long time” –Defense: hide which members are online –Exploring use of ring signatures, anonymous deniable authentication schemes... Deployment in “real” group communication apps!

48 10/2/2016 Conclusion The Dissent project is exploring anonymity in a group communication context Stronger security compared to onion routing –Anonymity: resistant to traffic analysis –Accountability: resistant to sybil attacks, disruption Early prototypes working, but many challenges remain before realistic deployment! http://dedis.cs.yale.edu/2010/anon/

Download ppt "1 Dissent: Accountable Anonymous Group Communication Bryan Ford Joan Feigenbaum, David Wolinsky, Henry Corrigan-Gibbs, Shu-Chun Weng, Ewa Syta Yale University."

Similar presentations

Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,

Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,
Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University, 2 US Naval.

Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University, 2 US Naval.
1 Dissent: Accountable, Anonymous Communication Joan Feigenbaum Joint work with Bryan Ford, Henry Corrigan-Gibbs, Yixuan.

1 Dissent: Accountable, Anonymous Communication Joan Feigenbaum Joint work with Bryan Ford, Henry Corrigan-Gibbs, Yixuan.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University.

Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.

1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Hang with Your Buddies to Resist Intersection Attacks David Wolinsky, Ewa Syta, Bryan Ford Yale University.

Hang with Your Buddies to Resist Intersection Attacks David Wolinsky, Ewa Syta, Bryan Ford Yale University.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Analysis of Onion Routing Presented in 294-4 by Jayanthkumar Kannan On 10/8/03.

Analysis of Onion Routing Presented in by Jayanthkumar Kannan On 10/8/03.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.

Towards an Analysis of Onion Routing Security Syverson, Tsudik, Reed, and Landwehr PET 2000 Presented by: Adam Lee 1/26/2006 Syverson, Tsudik, Reed, and.

Similar presentations

Ads by Google