
1 Anonymity and Security in Public Internet Forums

Ho-fung LEUNG, Senior Member, IEEE
Dept. of Computer Science & Engineering, The Chinese University of Hong Kong
lhf@cse.cuhk.edu.hk

Changjie WANG
Dept. of Computer Science & Engineering, The Chinese University of Hong Kong
cjwang@cse.cuhk.edu.hk

Dickson K. W. CHIU, Senior Member, IEEE
kwchiu@acm.org, dicksonchiu@ieee.org

2 Motivation and Background
Secure Forum CEC05
- Privacy in forums over the Internet - anonymous through alias
- Registration via email verification is often unreliable
  - Registration procedures of most email providers are not based on secured information such as electronic certificates
  - Relatively easy to obtain others' mail account information through the spread of spyware, or to set up an email server by breaking into others' computers
- Even registration with e-cert is inadequate to protect the privacy of a participant
  - Forum operator can still know the participant's ID
  - E.g., user's email often used for spam
- Solution: adapt our protocol for Internet public auctions

3 Security Issues in Public Forums
- Anonymity of participants
  - Protection of privacy of identities of participants
  - Participants are identified only with their protected aliases
  - Nobody can associate the real identity of a participant with the posted messages
- Traceability and Non-repudiation of Winners
  - The authority can trace the participant under malicious situations
- Impossibility of Impersonation
- Unforgeability - no one can forge a valid message posting
- Public Verifiability - anyone can confirm that a message is posted by a legitimate alias
- Fairness - forum cannot deny any specific valid message
- Un-involvement of authorities - a one-time participant registration procedure

4 An Anonymous and Secure Forum Scheme
[Diagram] Parties, connected over the Internet: Registration Manager (RM); Forum Manager (FM); Participant 1, Participant 2, ..., Participant n; Forum (Monitor) with Bulletin Board.
Diagram labels:
- Blind signature of RM on alias and temporary key pairs of participant
- Identity encryption and binding of alias and temporary key pairs with alias certificate
- Verify and record the alias certificate
- Signature from FM on the alias certificate of participant
Steps:
(1) Alias registration between participant and RM for alias cert
(2) Registration between participant and FM
(3) Participant enters the forum

5 Alias Registration
Participant T and RM (Cut-and-Choose protocol between T and RM)

T generates $Msg_1 = (ID_T, request, sn)_{S_T}$, where sn is a random number selected by T. (Self-signed request.)
T -> RM: Msg 1

RM:
(1) Verifies the validity of T's signature in Msg 1.
(2) Generates: Msg 2
RM -> T: Msg 2

T:
(1) Verifies the validity of RM's signature in Msg 2.
(2) Generates: random numbers r, s.
(3) Computes alias: $pn_T = H(H(ID_T, sn) \,\|\, r)$
(4) Generates a pair of temporary keys: $TS_T, TP_T$
(5) Blinds $pn_T$ and $TP_T$.

RM signs on c to generate:
$Msg_3 = c^{d_{RM}} \pmod{n_{RM}} = \left((pn_T, TP_T)\, s^{e_{RM}}\right)^{d_{RM}} = (pn_T, TP_T)^{d_{RM}}\, s \pmod{n_{RM}}$
RM -> T: Msg 3

T gets an RSA signature of RM on $(pn_T, TP_T)$ by calculating:
$Msg_3 / s = (pn_T, TP_T)^{d_{RM}} \pmod{n_{RM}}$

- Blinding so that RM cannot link $pn_T$ with T's identity
- Could allow multiple aliases
- We require RM to use the RSA scheme, so $P_{RM} = (n_{RM}, e_{RM})$ and $S_{RM} = d_{RM}$.
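The blinding in step (5) and the unblinding of Msg 3, worked through as an added Python example (not code from the presentation). SHA-256 as H, the hash-to-integer encoding of (pn_T, TP_T), the toy RM key and all function names are assumptions; the cut-and-choose step is left out.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RM key from two Mersenne primes (not a secure key choice).
P, Q = 2**521 - 1, 2**607 - 1
N_RM, E_RM = P * Q, 65537                 # P_RM = (n_RM, e_RM)
D_RM = pow(E_RM, -1, (P - 1) * (Q - 1))   # S_RM = d_RM

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def alias(id_t: bytes, sn: bytes, r: bytes) -> bytes:
    # pn_T = H(H(ID_T, sn) || r); the length-prefixed H stands in for "||".
    return H(H(id_t, sn), r)

def encode(pn_t: bytes, tp_t: bytes) -> int:
    # Assumption: (pn_T, TP_T) is mapped to an integer mod n_RM by hashing.
    return int.from_bytes(H(pn_t, tp_t), "big") % N_RM

def blind(m: int):
    # T picks s coprime to n_RM and sends c = m * s^e_RM mod n_RM to RM.
    while True:
        s = secrets.randbelow(N_RM - 2) + 2
        if gcd(s, N_RM) == 1:
            return s, (m * pow(s, E_RM, N_RM)) % N_RM

def rm_sign(c: int) -> int:
    # RM sees only c and returns Msg_3 = c^d_RM mod n_RM.
    return pow(c, D_RM, N_RM)

def unblind(msg3: int, s: int) -> int:
    # Msg_3 / s = m^d_RM mod n_RM: RM's plain RSA signature on m.
    return (msg3 * pow(s, -1, N_RM)) % N_RM

def verify(m: int, sig: int) -> bool:
    # Anyone holding P_RM can check the unblinded signature.
    return pow(sig, E_RM, N_RM) == m

def demo() -> bool:
    pn_t = alias(b"ID_T (constructed)", secrets.token_bytes(16), secrets.token_bytes(16))
    m = encode(pn_t, b"TP_T (constructed public key bytes)")
    s, c = blind(m)
    return verify(m, unblind(rm_sign(c), s))
```

Two blindings of the same (pn_T, TP_T) give RM unrelated values of c yet unblind to the same signature, which is why RM cannot later match a published alias to a registration session.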

6 Registration: Participant with FM
Participant T and FM

T generates Msg 4: { Msg 2, r, }
T -> FM: Msg 4

FM:
(1) Checks database to ensure that in Msg 2 has not been registered before.
(2) Verifies all the signatures of RM in Msg 4.
(3) Checks whether the equation holds or not.
(4) If the above verifications succeed, FM signs on to generate an alias certificate for T as: Acert_T {,, }.
FM -> T: Acert_T

After verification of FM's signature, T obtains the alias certificate Acert_T.
FM does not know ID_T, but he verifies that T has properly registered.

7 Posting Message at a Forum
[Flowchart]
Message: Acert_T, pn_T, message content, Time Stamp (prevents replay attack)
Acert_T: pn_T, TP_T
Verification:
- Is the signature of RM and FM in Acert_T valid?
  - No: the Acert_T is not authenticated by RM and FM. The message is invalid.
  - Yes: is the signature valid?
    - No: the message cannot be verified with the public key in Acert_T.
    - Yes: valid message.

8 Suspected Participant Tracing
- To reveal the identity of the suspected participant A, RM and FM can join hands.
- Suppose A submitted
- Forum sends the message m_a to FM as evidence
- FM:
  - verifies from the signature / Acert that A is a registered trader
  - checks FM's database to find the Msg 2 corresponding to pn_A
  - forwards all the information to RM
- RM: ID_A that matches Msg 2

9 Revoking participants' alias certificate
- Maintain a revocation certificate list
- Even after the certificate revocation, no one, even the FM or RM alone, can identify the participant T.
- No one else, except the participant T himself, can request a certificate revocation, since only T can generate a validated signature of the revocation request

10 Analysis (detailed proof skipped)
- Anonymity. No one (not even RM and MM) knows who submitted a bid/ask, which is only attached with Acert_T instead of ID_T.
- Traceability. RM and MM can join hands and trace the real identity of a trader from a bid/ask.
- Impossibility of Impersonation. No one (not even the RM and MM) can impersonate a trader to submit a valid bid/ask.
- Unforgeability of Valid Bids/Asks.
- Public Verifiability.
- Un-involvement of authorities (main contribution over previous schemes)

11 Conclusion
- Secure scheme to protect anonymity yet able to trace malicious suspects
- Applicability to other Internet group activities, e.g., group mailing lists, message-based chat rooms
- Limitations: when the real-time requirement is tough, e.g., shared blackboards and voice chat
- Future work
  - bargaining
  - negotiation
  - integrating with the management of electronic marketplaces

12 Question and Answer
Thank you!

