1

Part 3: Personal Data Protection andCryptographic Anonymity Techniques

Aspects: Infrastructures and cryptographic techniques Unobservability - content anonymization, address

anonymization Rules for a responsible usage of the internet

Privacy and Anonymityin the Internet

BaSoTI 2014, Privacy and Anonymity in the Internet

2

Privacy: Do not let others look into your data - encrypt critical data

Data protection: Forbid theft of data Forbid alterations / modifications of personal data Avoid usage of modified documents/modified software

Objectives

3

Anonymity: Hide your relations in communication – this often requires to encrypt

the message content Forbid the observation of your physical location Protect own privacy – do not allow unwanted collection of data:

surveillance, traffic analysis

Effects in case of dishonest parties:discrimination, physical safety attacks, criminal prosecution, censorship, social sorting

Anonymity techniques are built upon crytographic techniques – but require more than bare cryptography

Objectives

4

Aspects of SecurityAccess Control: control the access to a system in general, access to system functions, access to data (e. g. by a firewall)

Confidentiality/Privacy: prohibits unauthorized access by third parties to data, access to identity attributes (done by encryption)

Authenticy: Proof of the identity of the author / originator and authenticity of data (e.g. by a digital signature)

Integrity: Provability that data is orignal, got not altered

Provability/Verifyability: Proof of authenticity and integrity by a authorized third party

Copyright: Protection of intelectual / Cultural properties, Copyright-marks, Identification of illegal copies

5

Attackers capabilities within ananonymity infrastructureAn attacker may gain control over a limited number of links and/or nodes

capabilities - compare to data flow deviations(see Security Lecture):

Interruption: destroy or corrupt messages Interception/Observation: access message content, determine

sender and receiver of messages, find out correllations Modification: modify messages, change message destinations Fabrication: inject new messages into the system, take part in the

anonymity service offered by the infrastructure

6

Cryptographic Techniques (1/3)Encryption function E Key ... KDecryption function D

EK(P) P ... original message S = EK1(P) S ... encrypted TextP = DK2(S)

symmetric cryptographic schems (Private Key): K1=K2

asymmetric cryptographic schemes (public key): K1 public key, specific to a receiver (decoding entity) K2 private (secret) key, specific to a receiver (decoding entity)

7

Cryptographic Techniques (2/3)Symmetric codes:

Encryption is done by an arithmetic transformation of the datausing a secret key. Decryption is the reverse transformationusing the same secret key.

Variants: • One Time Pad: A single but very long key, sender and receiver

combine data bitwise-XOR with the secret key• Pseudo One Time Pad: A short secret key is used to generate a n

infinite long key, e.g. the key as a parameter for a pseudo randomnumber generator that generate the long key, combination usingbitwise XOR operation

• Data as key generator: A first block is encrypted using the key(similarly to one time pad), the next key for the next block isgenerated out of the previous original data, and so on.

8

Cryptographic Techniques (3/3)

asymmetric codes:Pair of a public key and a private key, computationally hardness to guess private key from public key

Variants by different algorithms: RSA (Rivest et al. 1978) – based on difficulty of factorization of big

numbers DSA (Elgamal, 1984) – Digital Signature Algorithm (Standard)

based on the Calculation of discrete logarithms Elliptical Curve-Algorithms (Miller, Koblitz, ca. 1985)

9

Signatures for Authentication (1/3)Digital signatures are used as replacement of written genuine signatures, typically related to an original document (message) that‘s content is signed

Digital signatures are transfered as postfix of a message

A signed message is transferred as follows:message + signature(sender-id, message, random number)

private key: secret of the signing entity used as parameter for the signature function

public key: public for all to check the validity of the signature

Compared to en/decryption: reverse roles of keys

10

Signatures for Authentication (2/3)Sign function:signature = E K-privat ( hash(message) + random_number)

Check function : hash(message) + rest = D K-public, sender (signature)

In case of equality (=) the signature is valid,otherwise: signature invalid, e.g. signature tampered when forwarded wrong message, e.g. tampered during transfer message or signature not sent by the claimed sender

11

Signatures for Authentication (3/3)A simple signature scheme that is not cryptographically strong …However, it represents the general idea.

Choose a prime number MChose Parameters a,b,c in the way that a*b MOD M = c

Public Key: b,c, (M)Private Key: a, (M) Difficulty: a = c/b MOD M

Sign-Function: sig = a*H(msg) MOD MCheck-Function:

if ( sig*b MOD M = c *H(msg) MOD M) { valid=true;}else {valid=false; }

12

Privacy and Unobersvability (1/2)Situation:

Need for privacy: hide the message content of request and response mesages ban observation of who communicates with whom

(hide sender/receiver correllation)

Client Server

Observationby service provider

Observationin the network

13

Privacy and Unobersvability (2/2)

ClientServer

Observation of client server relations

Third-Party Analysis Tools, such as Google Analytics

AnalyticsServer

JavaScript+ parameters

14

Anonymity techniquesStrongest Assumption: The attacker/observer is able toobserve the sending act and the receiving act, and is able totrack a message.

General anonymity approach:

Hide the personal communication in a cover set ofcommunications, cover traffic

Confuse the observer, conceal the particular sender andreceiver and their communication relationship

Hide the receiver address, and the sender address (for a reply) either by broadcast, or by address encryption

15

Anonymity techniquesHide a single transmission among n transmissions

The other n-1 transmissions are the cover traffic

that is either generated as artifical (redundant, random) traffic

or is taken from many different users that mix their transmissions

The cover set should be as big as possible

For anonymity, it must be ensured that an attacker is not able to controlthe entire cover set, i.e. not able to control all the n-1 transmissions

observation of n=6transmissions

16

Anonymity techniques

Broadcast network and implicit addresses:Delivery of the same message to all receiver nodes that take part in the anonymity infrastructure. The message have to contain an attribute that allows the addressee to recognize the message. This attribute can be build using an asymmetric cryptographic system.

→ recipients anonymity

message + encrypted address A

C

Only the desired receiver is able to decrypt its address (or a magic text)

17

Anonymity techniquesDC network:A time-slotted network allows all nodes to send within a slot. One node provides a real message content and the receiver address and XORes both with a secret key . All other nodes provide dummy messages that are generated from secret keys. The keys are formed in a way that the superposition of all messages reveals the original real message content.

Msg|Dest: 0110|10Key-B: 1110 00Key-C: 0001 11

→ sender anonymity

node AMsg|Dest: 0000|00Key-A: 1000 01Key-C: 0001 11

node BMsg|Dest: 0000|00Key-A: 1000 01Key-B: 1110 00

node C

Send: 1001 01 Send: 1001 10 Send: 0110 01

global-XOR: 0110 10

18

Anonymity techniquesPrivate Information Retrieval: Hidden request of data cells from a set of servers with replicated content. The interest on a specific data cell is protected by requests of randomly chosen additional cells. Requests are sent by broadcast (! not necessarily) messages, and all servers send reply messages. A specific XOR-based request encoding and reply decoding method allows to extract the desired data cell anonymously.

comparable to recipients anonymity

A,B,C

A,B,C

A,B,Cwants to read C

A,B,C

A,B,C

A,B,C

m=E‘(A XOR B)

A XOR(A XOR B ) XOR (B XOR C)= C

all channels are encrypted

19

Anonymity techniquesMIX (David Chaum, 1981)Messages are sent to destination through proximity entities(MIX nodes), message content and addresses are encrypted.

Sender anonymity and recipients anonymity

Another similar concept: Onion Router

See next slides for details.

user X

user Y

sender

receiver(e.g. server)

20

MIX – the general principle

MIX receiversender

Process A sends P to B, via MIX1: encrypt using the public key

of the MIX S=EMIX(B:P)2: send S to MIX

S

MIX receives S …1: MIX decrypts B:P

using decryption function B:P=DMIX(S)2: MIX sends P to B

B receives P from MIX (anonymously)

A B

(1) Unobservability: An observer is not able to guess from S and P that A was the originator of message P, assumed that it does not exploit correlations in time

(2) Anonymity: The receiver is not able to relate the received message P to A, it solely sees the message P coming from the Mix (anonymity)

P

21

MIX – Problems and SolutionsProblem Solution

a single MIX knows all communication-relations andmessages

cascading of several MIXes that should operate independently

correlation of incoming andoutgoing messages byobservation of their time andlength

buffering of messages in a MIX anddelayed, reordered forwarding, length-filling (padding)

replay attacks are still possible encryption message + random-number and duplicate detection

up to now no reply messagespossible, needed for HTTP: request, response

manage proximity reply-addresses to follow-up MIXes, the final receiver sendssynchronously a response

22

MIX – functional viewFunctional view on a single MIX:

Data base of previous messages

dropping of duplicates

decryption

messagebuffer

delay and reordering

P,rand = D K-private(S )

S=E K-public(P,rand)

P,E(rand)

for simplification: destination address and addresses of follow-up Mixes are contained in P

Proximity reply addressresolver

reply-adr = index(D(E(rand))

23

MIX - CascadingMIX-Cascades: using a sequence of multiple MIXes,distributes knowledge under assumption that MIXes do not cooperate

MIX1

MIX2

sender

receiver

SM2M1 = EK-Public1 (EK-Public2(M,rand2), rand1)

SM2 = EK-Public2(M,rand2),E(rand1)

M, E(rand2)

store:(address sender, rand1)

store:(address MIX1, rand2)

http://anon.inf.tu-dresden.de

24

Analytics via MIX cascades

ClientServer

observation of client server relations:Analytics system sees the request coming from the last MIX (here this is MIX2)

AnalyticsServer

JavaScript+ parameters

MIX1 MIX2

server:sees the request coming from the last MIX (here this is MIX2)

25

Onion RouterConcept similar to MIXesA message is encrypted several times and routed through several router-nodes that decrypt the message stepwise.

Difference: not a fixed sequence of MIXes a network of routers, a client selects a route from several routes and is

capable to change that route for any later communication phase huge number of onion routers – traffic is distributed and does not

concentrate on a few MIXes circuit-concept – a route that is stable for a specific time no message padding (no length unification), instead circuits can be

used by several IP streams that are interleaved end-to-end integrity checking for a circuit

TOR-Project: www.torproject.org

26

Onion RouterIllustration of TOR‘s operation

R

R

R R

R R

D

TOR router

TOR directory

D

1

C TOR client/proxy

C

encrypted link

unencrypted link

The users client loads a list of TOR nodes from a directory server

27

Onion RouterIllustration of TOR‘s operation

R

R

R R

R R

D

TOR router

TOR directory

D

2

C TOR client/proxy

C

encrypted link

unencrypted link

The users client picks a random route to the destination server

28

Onion RouterIllustration of TOR‘s operation

R

R

R R

R R

D

TOR router

TOR directory

D

3

C TOR client/proxy

C

encrypted link

unencrypted link

The users selects another random path, when another destination server is accessed(path changes regularly)

29

Rules for responsible usage of the Internet Problem / Questions:When is it preferable to allow access to the personal usage behaviour and to open identy attributes?

When it is better to stay anonymous?

Can that decision be controlled for Internet usage?

30

Rules for responsible usage of the Internet Use the Web as productive platform provide valuable content in the Internet. identfy yourself and your contact address as author of articles, blogs etc.BUT: don‘t publish critical private information in the web

(e.g. twitter, facebook)

Be aware keep in mind that observations and analytics are always possible Analytics are mostly pseudonymized as long you don‘t identfy yourself,

possibly personalized when identification data can be used in addition toanalytics

keep in mind that your physical position can be tracked in most mobile services

read the “terms of usage“ when you register to a service

31

Rules for responsible usage of the Internet Example:Schufa (a german Credit scoring service) tries to exploit facebook datato adjust a persons credit score can be dangerous, for example if you have friends with a bad

payment manner potentially a social ranking will be taken

32

Rules for responsible usage of the Internet

Support of privacy and anonymity:

take part in anonymity infrastuctures

use them for your free communications

don‘t use them for illegal actions (unallowed downloads, copyrightviolations, spamming, cyber criminal activities)… most infrastructures allow tracking for law enforcement

33

Rules for responsible usage of the Internet For website publishers / web application programmers: Web sites should make available a privacy policy that is easy to find.

Ideally the policy should be accessible from the home page by looking for the word "privacy."

Privacy policies should state clearly how and when personal information is collected.

Web sites should make it possible for individuals to get access to their own data.

Cookies transactions should be more transparent. Web sites should continue to support anonymous access for Internet

users. Protecting privacy will be one the greatest challenges for the Internet. From „Sufers Aware“: EPIC. (1997). Surfer Beware I: Personal Privacy and the Internet. http://epic.org/reports/surfer-beware.html