Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Some slides borrowed from Philippe.

Published byCecily Robertson Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 11: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Some slides borrowed from Philippe."— Presentation transcript:

1 Lecture 11: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus Jacobson

2 Course Admin HW4 Posted – Covers IPSec (lecture 8) and Wireless Security (lecture 10) – Due 11am on Dec 01 (Monday) – Lab exercise involves capturing WiFi packets using Wireshark – Labs active this Friday (this will be our last lab in the course) 9/9/20152Lecture 11: Privacy

3 Course Admin Final Exam: – 7-9:30pm on Dec 10 (Wednesday), in classroom – Cumulative – Focus more on Post Mid-Term Material (65%) – Our last lecture on Dec 3 – we will do exam review then No class next week – Fall/Thanksgiving break! 9/9/2015Lecture 11: Privacy3

4 A Case History: AOL Web Search Query Log Leakage AOL's disturbing glimpse into users' lives, CNET News, August 7, 2006 AOL's disturbing glimpse into users' lives, CNET News, August 7, 2006 – 21 million search queries posed over a 3-month long period; 650,000 users – No user identification information released per se, but?? Search Log still available: – http://www.gregsadetsky.com/aol-data/ http://www.gregsadetsky.com/aol-data/ 9/9/20154Lecture 11: Privacy

5 Other Scenarios where privacy is important Location-based search Web browsing Electronic voting Electronic payments Email conversation … 9/9/2015Lecture 11: Privacy5

6 Today’s Outline Anonymizing Network (or Mix Network) Anonymizing Network Applications Requirements Robustness Types of Anonymizing Networks – Decryption based (Onion Routing) – Re-encryption based 9/9/20156Lecture 11: Privacy

7 Definition: Mix Server (or Relay) 9/9/20157 A mix server: Receives inputs Produces “related” outputs The relationship between inputs and outputs is secret InputsOutputs ? Mix Server Lecture 11: Privacy

8 Definition: Mix Network 9/9/20158 Mix network A group of mix servers that operate sequentially. Server 1Server 2Server 3 InputsOutputs ??? Lecture 11: Privacy

9 Applications Hide:  “who voted for whom?”  “who paid whom?”  “who communicated with whom?”  “what is the source of a message?” Good for protecting privacy for election and communication Used as a privacy building block 9/9/20159Lecture 11: Privacy

10 Electronic Voting Demonstration 1.“Who do you like best?” 2.Put your ballot into a WHITE envelope and put again in a RED one and sign on it 9/9/201510 Jerry  Washington  Lincoln  Roosevelt Lecture 11: Privacy

11 Electronic Voting Demo. (Cont’d) Administrators will 1.Verify signatures together 2.1 st Admin. shuffles and opens RED envelopes 3.Send them to 2 nd Admin. 4.2 nd Admin. shuffles again and opens WHITE envelopes 5.Count ballots together 9/9/201511Lecture 11: Privacy

12 A real system for elections Sign voter 1 (encr(encr (vote 1 ))) Sign voter 2 (encr(encr (vote 2 ))). Sign voter n (encr(encr (vote n ))) 9/9/201512 Jerry vote 1 vote 2 vote 3. vote n Mix Net  Washington  Lincoln  Roosevelt Mix Net Lecture 11: Privacy

13 “Choose one person you like to pay $5” Put your ballot into an WHITE envelope and put again in a RED one and sign on it 9/9/201513 Jerry Name of the person ( ___________ ) Electronic Payment Demo. Lecture 11: Privacy

14 Electronic Payment Demo. (Cont’d) Administrators will 1.Verify signatures together 2.Deduct $5 from each account 3.1 st Admin. shuffles and opens RED envelopes 4.Send them to 2 nd Admin. 5.2 nd Admin. shuffles again and opens WHITE envelopes 6.Credit $5 to recipients 9/9/201514Lecture 11: Privacy

15 For Payments Sign payer 1 (encr(encr (payee 1 ))) Sign payer 2 (encr(encr (payee 2 ))). Sign payer n (encr(encr (payee n ))) 9/9/201515 payee 1 payee 2 payee 3. payee n DEDUCTDEDUCT Credit Jerry Name (________ ) Mix Net Lecture 11: Privacy

16 For email communication encr (email 1, addressee 1 ) encr (email 2, addressee 2 ). encr (email n, addressee n ) 9/9/201516...... Mix Net Deliver To: Jerry Don’t forget to have lunch. Lecture 11: Privacy

17 Other Uses Anonymous web browsing; web searching (Anonymizer)Anonymizer 9/9/201517 From LPWA homepage Lecture 11: Privacy

18 Other Uses (Cont’d) 9/9/201518 Location privacy for cellular devices – Location-based service is GOOD ! Landline-phone calling to 911 in the US, 112 in Europe All cellular carrier since December 2005 – RISK ! Location-based spam Harm to a reputation Lecture 11: Privacy

19 Other Uses Anonymous VoIP calls Anonymous acquisition of security patches 9/9/201519Lecture 11: Privacy

20 Other uses (Cont’d) Sometimes abuses Avoid legislation (e.g., piracy) P2P sharing of copyright content Terrorism: communication with media – 2008 Mumbai attacks 2008 Mumbai attacks 9/9/201520Lecture 11: Privacy

21 Principle 9/9/201521 Chaum ’81 Message 1 Message 2 server 1server 2server 3 Privacy Efficiency Trust Robustness Requirements : Lecture 11: Privacy

22 Requirements 1.Privacy Nobody knows who said what 2.Efficiency Mixing is efficient (= practically useful) 3.Trust How many entities do we have to trust? 4.Robustness Will replacement cheaters be caught? What if a certain number of mix servers fail? 9/9/201522Lecture 11: Privacy

23 But what about robustness? encr(Berry) encr(Kush) 9/9/201523 Kush STOP I ignore his output and produce my own There is no robustness! Lecture 11: Privacy

24 Zoology of Mix Networks Decryption Mix Nets [Cha81,…]: – Inputs: ciphertexts – Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: – Inputs: ciphertexts – Outputs: re-encryption of the inputs 9/9/201524 InputsOutputs ? Lecture 11: Privacy

25 First Solution 9/9/201525 Chaum ’81, implemented by Syverson, GoldschlagSyverson, Goldschlag Not robust (or: tolerates  cheaters for correctness) Requires every server to participate (and in the “right” order!) Lecture 11: Privacy

26 Re-encryption Mixnet 0.Setup: mix servers generate a shared key 1. Users encrypt their inputs: Input Pub-key 3. A quorum of mix servers decrypts the outputs Output Priv-key Server 1Server 2Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix 2. Encrypted inputs are mixed: Proof 9/9/2015Lecture 11: Privacy26

27 Recall: Discrete Logarithm Assumption p, q primes such that q|p-1 g is an element of order q and generates a group G q of order q x in Z q, y = g x mod p Given (p, q, g, y), it is computationally hard to compute x – No polynomial time algorithm known – p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key Lecture 11: Privacy9/9/201527

28 ElGamal Encryption Encryption (of m in G q ): – Choose random r in Zq – k = g r mod p – c = my r mod p – Output (k,c) Decryption of (k,c) – M = ck -x mod p Secure under discrete logarithm assumption Lecture 11: Privacy9/9/201528

29 ElGamal Example: dummy Let’s construct an example KeyGen: – p = 11, q = 2 or 5; let’s say q = 5 – 2 is a generator of Z 11 * – g = 2 2 = 4 – x = 2; y = 4 2 mod 11 = 5 Enc(3): – r = 4  k = 4 4 mod 11 = 3 – c = 3*5 4 mod 11 = 5 Dec(3,5): – m = 5*3 -2 mod 11 = 3 Lecture 11: Privacy9/9/201529

30 (t+1,n)- Secret Sharing Motivation: to secure the cryptosystem against t (< n/2) corruptions Split the secret among n entities so that  any set of t+1 or more entities can recover the secret  an adversary who corrupts at most t entities, learns nothing about the secret Tool: Shamir’s Polynomial Secret Sharing f(z)  degree t polynomial (mod q) f(0)  x f(i)  ss i INSECURE SECURE Polynomial interpolation: for any G, s.t. |G|=t+1 (n=7, t=3) Lecture 11: Privacy9/9/201530

31 Re-encryption technique Input: a ciphertext (k,c) wrt public key y 1.Pick a number r’ randomly from [0…q-1] 2.Compute k’ = kg r’ mod p c’ = cy r’ mod p 3.Output (k’, c’) Same decryption technique! Compute m k’c’ -x Lecture 11: Privacy9/9/201531

32 A simple Mix (k 1, c 1 ) (k 2, c 2 ). (k n, c n ) RE-ENCRYPTRE-ENCRYPT RE-ENCRYPTRE-ENCRYPT (k’ 1,c’ 1 ) (k’ 2,c’ 2 ). (k’ n,c’ n ) (k’’ 1,c’’ 1 ) (k’’ 2,c’’ 2 ). (k’’ n,c’’ n ) Note: different cipher text, different re-encryption exponents! 9/9/2015Lecture 11: Privacy32

33 And to get privacy… permute, too! (k 1, c 1 ) (k 2, c 2 ). (k n, c n ) (k’’ 1,c’’ 1 ) (k’’ 2,c’’ 2 ). (k’’ n,c’’ n ) Lecture 11: Privacy9/9/201533

34 And, finally…the Proof Mix servers must prove correct re-encryption – Given n El Gamal ciphertexts E(m i ) as input – and n El Gamal ciphertexts E(m’ i ) as output – Compute: E(  mi) and E(  =m’i) – Ask Mix for Zero-Knowledge proof that these ciphertexts decrypt to same plaintexts Lecture 11: Privacy9/9/201534

35 Anonymizing Network in practice: Tor A low-latency anonymizing network http://www.torproject.org/ Currently 1000 or so routers distributed all over in the internet Peer-based: a client can choose to be a router A request is routed to/fro a series of a circuit of three routers A new circuit is chosen every 10 minutes No real-world implementation of re-encryption mix as yet Lecture 11: Privacy9/9/201535

Download ppt "Lecture 11: Privacy and Anonymity Using Anonymizing Networks CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Some slides borrowed from Philippe."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.

Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

Similar presentations

Ads by Google