
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. David Chaum, CACM Vol. 24 No. 2, February 1981. Presented by: Adam Lee, 1/24/2006.


1 Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms
David Chaum, CACM Vol. 24 No. 2, February 1981
Presented by: Adam Lee, 1/24/2006

2 Motivation
- Many uses for anonymous communication channels
  - Elections
  - Anonymous crime tips
  - Whistle-blowing
  - Etc.
- Standard mail offers some guarantees of anonymity; why not email too?

3 Contributions
- Cryptographic protocols to support an anonymous email system
  - Keep sender anonymous w.r.t. both the receiver and other parties in the network
  - Allow receiver to reply to sender without revealing sender’s identity
- Protocol can also be used to form anonymous and verifiable rosters
  - E.g., for an electronic election

4 Historical Perspective, 1979
- Cryptography had been around for millennia
  - Usually required the use of shared secrets
- Paradigm shift: late 1970s
  - Diffie & Hellman, “New Directions in Cryptography” (1976)
  - RSA cryptosystem (1977)
- Rapid advancements allow for the sharing of keys (secrets) between strangers

5 Notation
- Keys in public-key cryptosystem
  - Public key: $K$
  - Private key: $K^{-1}$
- Encryption of $x$ with $K$ denoted by $K(x)$
- Keys are inverses
  - i.e., $K^{-1}(K(x)) = K(K^{-1}(x)) = x$

6 Operations
- To prevent certain attacks, Chaum advocates random padding before encryption
  - i.e., use $K(R, x)$, where $R$ is a random string, rather than $K(x)$ to encrypt $x$
- When signing, first pad with some known constant
  - i.e., $K^{-1}(C, y)$, where $C$ is a known constant

7 Chaum’s Assumptions
- Can’t break the cryptosystem
- Anyone can observe all links in the system
  - The so-called “global passive adversary”
- Anyone can inject, replay, remove, or modify messages
  - Dolev-Yao active attacker model (which they didn’t publish about until 1983)

8 Sending Anonymous Mail
- Rather than sending mail directly to the recipient, send mail to a mix
- Principle: Try to reduce correspondence between input- and output-sets
  - Fool global passive adversaries
- What about keeping the message private?

9 The Crypto!
- Players (and their public keys)
  - Mixes ($K_n$)
  - Recipient, A ($K_a$)
- One mix protocol
  - Sender -> Mix: $K_1(R_1, K_a(R_0, M), A)$
  - Mix -> A: $K_a(R_0, M)$
- Use of public key crypto hides message from mix and nosy parties on the Internet

10 Cascade Mix Example
- Protocol
  - Sender -> Mix $n$: $K_n(R_n, K_{n-1}(R_{n-1}, \ldots, K_1(R_1, K_a(R_0, M), A) \ldots, A_{n-2}), A_{n-1})$
  - Mix $n$ -> Mix $n-1$: $K_{n-1}(R_{n-1}, \ldots, K_1(R_1, K_a(R_0, M), A) \ldots, A_{n-2})$
  - …
  - Mix 2 -> Mix 1: $K_1(R_1, K_a(R_0, M), A)$
  - Mix 1 -> A: $K_a(R_0, M)$
- As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!

11 Observations
- At each step in the cascade, the current mix
  - Peels off one layer of encryption
  - Discovers a forwarding address
  - Passes message along
- So, each mix only knows where a message came from and where it’s going
- Note similarities between onion routing, Crowds, etc…
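
The layering and peeling from slides 10 and 11, as an added example that is not part of the original presentation. It is a symbolic model with no real cryptography: `seal` only records which public key a layer is sealed under, and the mix names, recipients and messages are constructed for illustration.

```python
import random

def seal(pub, *body):
    # Symbolic public-key encryption: only the holder of pub's private half opens it.
    return ("sealed", pub, body)

def build_onion(route, recipient, message):
    """route lists the mixes in the order the message visits them (Mix n first)."""
    item, addr = seal("K_" + recipient, "R0", message), recipient
    for i, mix in enumerate(reversed(route), 1):
        # Wrap as K_i(R_i, inner, address the inner item must be forwarded to).
        item, addr = seal("K_" + mix, f"R{i}", item, addr), mix
    return item, addr  # outermost ciphertext and the first hop

def mix_batch(name, batch, rng):
    """Peel one layer from every input, drop R, and emit the batch reordered."""
    out = []
    for _, pub, body in batch:
        if pub != "K_" + name:
            raise PermissionError(f"{name} cannot open a layer sealed for {pub}")
        _r, inner, next_hop = body
        out.append((next_hop, inner))
    rng.shuffle(out)  # break the input/output ordering
    return out

def run_cascade(seed=1):
    rng, route = random.Random(seed), ["mix3", "mix2", "mix1"]
    batch = [build_onion(route, rcpt, msg)[0]
             for rcpt, msg in [("A", "tip"), ("B", "ballot"), ("C", "memo")]]
    seen = {}
    for name in route:
        out = mix_batch(name, batch, rng)
        seen[name] = sorted({hop for hop, _ in out})  # all this mix learns
        batch = [inner for _, inner in out]
    # Each recipient opens its own layer and strips R0.
    delivered = sorted((pub[2:], body[1]) for _, pub, body in batch)
    return seen, delivered
```

`run_cascade()` returns what each mix learned (only the next hop) alongside the delivered messages.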

12 Return to Sender
- This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses?
- Embed an untraceable return address!
  - Format: $K_1(R_1, A_X), K_X$
  - $A_X$ is X’s return address, $K_X$ is a temporary public key for X

13 Example
- Protocol:
  - X -> Mix: $K_1(R_1, K_Y(R_0, M_1), A_Y), K_1(R_1, A_X), K_X$
  - Mix -> Y: $K_Y(R_0, M_1), K_1(R_1, A_X), K_X$
  - Y -> Mix: $K_1(R_1, A_X), K_X(R_2, M_2)$
  - Mix -> X: $R_1(K_X(R_2, M_2))$
- Note 1: $R_1$ used to alter forwarded message to prevent I/O correspondence
- Note 2: Return addresses can be cascaded just like messages.
- Note 3: Responses clearly different from initial messages

14 Possible Attack (not in paper)
- Note that $K_1(R_1, A_X)$ and $K_X$ aren’t bound
- A malicious mix can read reply messages by carrying out a man-in-the-middle attack
- With email, lots of times, replies contain the original message!

15 Attack Example
- X -> Mix: $K_1(R_1, K_Y(R_0, M_1), A_Y), K_1(R_1, A_X), K_X$
- Mix -> Y: $K_Y(R_0, M_1), K_1(R_1, A_X), K_{X'}$
  - Note substituted ephemeral public key $K_{X'}$
- Y -> Mix: $K_1(R_1, A_X), K_{X'}(R_2, M_2)$
  - Mix can unpack this message, read $M_2$, and reencrypt using $K_X$
- Mix -> X: $R_1(K_X(R_2, M_2))$

16 A Simple Solution
- To prevent the previously mentioned attack, we need only change the first message of the protocol
  - X -> Mix: $K_1(R_1, K_Y(R_0, K_X, M_1), A_Y), K_1(R_1, A_X), K_X$
- This allows Y to verify that the mix didn’t change $K_X$, since the mix can’t alter anything encrypted with $K_Y$
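
The unbound reply key from slides 14 and 15 next to the fix from slide 16, as an added example that is not part of the original presentation. It is a symbolic model with no real cryptography: each party is represented by the set of keys whose private half it holds, and the function and variable names are hypothetical.

```python
def seal(pub, *body):
    # Symbolic public-key encryption (no real cryptography).
    return ("sealed", pub, body)

def unseal(held_keys, term):
    # A party can open a term only if it holds that key's private half.
    _, pub, body = term
    if pub not in held_keys:
        raise PermissionError(pub)
    return body

def round_trip(bind_key, malicious_mix):
    """Return (reply plaintext the mix could read, Y's decision)."""
    mix_keys, y_keys = {"K1", "KX'"}, {"KY"}
    # Slide 16 places KX inside the part sealed for Y; slide 13 does not.
    inner = ("R0", "KX", "M1") if bind_key else ("R0", "M1")
    # X -> Mix: K1(R1, KY(...), AY), K1(R1, AX), KX
    to_mix = (seal("K1", "R1", seal("KY", *inner), "AY"),
              seal("K1", "R1", "AX"), "KX")
    _r1, for_y, _ay = unseal(mix_keys, to_mix[0])
    # Mix -> Y: KY(...), K1(R1, AX), KX  (a malicious mix hands over KX' instead)
    reply_key = "KX'" if malicious_mix else to_mix[2]
    opened = unseal(y_keys, for_y)
    # Y's check: the key sealed under KY must equal the key it was handed.
    if bind_key and opened[1] != reply_key:
        return None, "rejected"
    # Y -> Mix: K1(R1, AX), K(R2, M2) under whichever key Y was handed
    reply = seal(reply_key, "R2", "M2")
    try:
        return unseal(mix_keys, reply)[1], "replied"
    except PermissionError:
        return None, "replied"
```

With `bind_key=False` and a substituting mix the reply plaintext is readable by the mix; with `bind_key=True` Y refuses to reply because the keys differ.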

17 Anonymous Elections
- Form a roster of pseudonyms by sending anonymous emails through a mix-net
- Output list in a public location
- Only entities on the list can take actions in the system

18 Recommendations for an Untraceable Mail System
- To hide number of messages sent, each participant sends same number of messages per interval (some are dummies)
  - Cover traffic!
- To hide number of messages received, must check all messages, not just known good messages
- Messages should all be same size
  - Prevent I/O correlation

19 Implementing an Advanced Mix
- A mix with all of the following properties can be implemented using the techniques presented in this paper
- Overview
  - Break message into fixed size blocks
  - Each mix “pops” the first block, adds a block of junk to the end
  - Decrypt removed block to yield a key R which is used to encrypt each block in the new message

20 Discussion Questions
- Why wasn’t Chaum’s mix network ever implemented?
- How should we characterize advancements in anonymous email over the years? Technological? Responses to better understanding of threats?

21 Discussion Questions (cont.)
- This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?
- What do people think of the notion of certified mail and receipts?

