Download presentation
Presentation is loading. Please wait.
Published byRoxanne Boone Modified over 9 years ago
1
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable Privacy Workshop 2012 2.A Probabilistic Analysis of Onion Routing in a Black-box Model in TISSEC (forthcoming) by Joan Feigenbaum, Aaron Johnson, and Paul Syverson 2.Analyzing Dissent security 1.Ongoing work with Ewa Syta, Henry Corrigan- Gibbs, Shu-Chun Weng, and Bryan Ford
2
2 Analyzing Onion-Routing Security ● Abstract (black-box) model of onion routing ● Use Universally Composable (UC) framework ● Focus on information leaked ● Perform anonymity analysis on model
3
3 Onion-Routing Ideal Functionality u with probability b ø with probability 1-b x y Upon receiving destination d from user U d with probability b ø with probability 1-b Send (x,y) to the adversary. F OR
4
4 Black-box Model ● Ideal functionality F OR ● Environment assumptions – Each user gets a destination – Destination for user u chosen from distribution p u ● Adversary compromises a fraction b of routers before execution
5
5 Anonymity Analysis of Black Box ● Can lower bound expected anonymity with standard approximation: b 2 + (1-b 2 )p u d ● Worst case for anonymity is when user acts exactly unlike or exactly like others ● Worst-case anonymity is typically as if √b routers compromised: b + (1-b)p u d ● Anonymity in typical situations approaches lower bound
6
6 Other ideal functionality ● Provably Secure and Practical Onion Routing by Backes, Kate, Goldberg, and Mohammadi Computer Security Foundations Symposium 2012 ● Functional primitive ● Shown to UC-emulate F OR
7
7 Analyzing Dissent security ● Fully rigorous definitions and proofs – Anonymity – Accountability – Integrity ● Standard sequence-of-games anonymity proofs ● Discovered flaws
8
8 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
9
9 Discovered Shuffle Flaws 123 {I 1 } 1:3 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 1 } 2:3 {I 3 } 2:3 {I 1 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I1I1 m2m2 m3m3 m1m1
10
10 Discovered Shuffle Flaws 123 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 3 } 2:3 {I 2 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I2I2 Problem 1: Client duplication, no blamed ? ?
11
11 Discovered Shuffle Flaws 123 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 3 } 2:3 {I 2 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I2I2 Problem 1: Client duplication, no blamed Solution: Commit to messages first.
12
12 Discovered Shuffle Flaws 123 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 3 } 2:3 {I 2 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I2I2 Problem 1: Client duplication, no blamed Solution: Commit to messages first non-malleably.
13
13 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
14
14 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
15
15 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
16
16 Discovered Shuffle Flaws 123 {I 1 } 1:3 {I 3 } 1:3 {I 1 } 2:3 {I 3 } 2:3 {I 1 } 3 I1I1 I3I3 I1I1 Problem 3: Self-duplication, no blamed ? ?
17
17 Discovered Shuffle Flaws 123 {I 1 } 1:3 {I 3 } 1:3 {I 1 } 2:3 {I 3 } 2:3 {I 1 } 3 I1I1 I3I3 I1I1 Problem 3: Self-duplication, no blamed Solution: Blame duplicate submitters.
18
18 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
19
19 Discovered flaws 1.Adversary can unaccountably duplicate honest users’ plaintexts. 2.Commitments must be non-malleable. 3.Adversary can submit self-duplicates to cause failure with no blame. 4.Equivocation during broadcast can cause inconsistent final state. 5.Some validation checks missing
20
20 Modified Dissent 1.Users non-malleably commit to messages before submission. 2.Duplicate submission punished 3.Explicit reliable broadcasts added 4.Several validation checks added with blame 5.Honest members guaranteed to agree on who to blame
21
21 UC Framework ● Express security primitive as an ideal functionality F ● Construct a protocol Π that UC emulates F ● Running Π can replace using F in any protocol – security composes
22
22 Sequence of Games Anonymity Proof ● Game 0: Original anonymity game ● Game 1: Replace encrypted descriptors during shuffle with encrypted fixed messages ● Game 2: Replace encrypted random seeds after shuffle with encrypted fixed messages ● Game 3: Replace pseudorandom sequences with random sequences
23
23 Discovered Shuffle Flaws 123 {I 1 } 1:3 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 3 } 2:3 {I 2 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I2I2 m2m2 m3m3 m2m2 Problem 0: Shuffle duplication attack
24
24 Discovered Shuffle Flaws 123 {I 1 } 1:3 {I 2 } 1:3 {I 3 } 1:3 {I 2 } 2:3 {I 3 } 2:3 {I 2 } 3 {I 3 } 3 {I 2 } 3 I2I2 I3I3 I2I2 Problem 0: Shuffle duplication attack Solution: Duplicates cause NO-GO. Blame lying shuffle.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.