Publius A Robust, Tamper Evident,

Censorship Resistant WWW Based Publishing System

Marc WaldmanNYU – CS Dept.

Lorrie CranorAT&T Research

Aviel RubinAT&T Research

Publius Pen name used by authors of Federalist Papers Federalist Papers influential in convincing NY

state voters to ratify US constitution.

Why Publish Anonymously? Political Dissent

“Whistleblowing”

Radical Ideas

Human Rights Reports

Publius Design Goals

Censorship Resistant Tamper Evident Source Anonymous Updateable Host Content Deniability Persistent Extensible Freely Available

Related Work

Connection Based Anonymity

Hide identity of requestor

Location or Author Based Anonymity

Hide identity of author or WWW server

Connection Based Anonymity Anonymizer

HTTP proxy

URL rewrite

Proxymate

Formerly LPWA

HTTP Proxy

Pseudonym generation

www.anonymizer.com

www.proxymate.com

Connection Based Anonymity

Onion RouterMix NetworkHTTP Proxy Developed

CrowdsHTTP request via CrowdDynamic Path generation

www.onion-router.net

www.research.att.com/projects/crowds

Onion 1

Onion 2

Onion 3

Onion 4

“Hello World”

Onion Routing

Connection Based Anonymity

Freedom

Similar to Onion Routing

Implemented at transport layer

Nym creation – allows multiple pseudonyms

Supports HTTP, NNTP, POP3, Telnet , etc.

http://www.freedom.net

Location Based Anonymity Rewebber (aka Janus) www.rewebber.de

Author & Connection Based ToolHTTP ProxyURL Rewrite using public key crypto

U=http://www.cs.nyu.edu/~waldman/publius.html

Ek (M)=Encrypt message M with public key k

http://www.rewebber.com/surf-encrypted/Ek(U)

Location Based Anonymity

Taz & Rewebber

Computers with public/private key pair

Each runs HTTP proxy server

Encryption similar to onion-routing

TAZ servers translate name.taz to address

Down server = document irretrievable

www.firstserver.com:100/STOPREADINGTHISANDPAYATTENTIONTOTHESPEAKER

Eternity Service

Ross Anderson (Univ. of Cambridge) Network of servers – resists DOS attacks Fee based Files cannot be removed or updated Digital Libraries

Eternity Systems

Usenet Eternity

Scaled Down Eternity System

Usenet is storage medium

Formatting using PGP, SHA1

Send to alt.anonymous.messages

Server caches and performs updates

Connect via WWW browser

Eternity Inspired Systems Freenet

“Adaptive Network”Local caching

Anonymous query, retrieval

IntermemorySelf-replicating persistant RAMDonate hard disk space

File Sharing Systems

Napster

Peer-to-peer file sharing

Peers can capture IP address or peer

Gnutella

Anonymous query

Peer to peer file transfer, IP capture

Publius Overview

Publius Content – Static content (HTML, images, PDF, etc) with desired properties.

Publishers – Post Publius content Servers – Host Publius content Retrievers – Browse Publius content

Publius Servers

whitehouse.gov

library.fr

publius.uk

www.redcross.org

www.nyu.edu

Publius Server Table

publius.uk

www.nyu.edu

library.fr

whitehouse.gov

www.redcross.org

Publish OperationD = Document To Publish K=Key

Shamir Secret Sharing

ShareShare11 ShareShare22 ShareShare33

K

ShareShare44

MD5 ( D . Sharei ) / Mod 5 = Index Into Server Table

Index 0 = www.redcross.org Index 3 = www.nyu.edu

Store D encrypted under K, and one Share on Server

Publish Overview Servers available to store content Encrypt document with secret key K Secret split key K into (m,k) shares (Shamir) Store encrypted document and share on m servers Form URL cryptographically tied to document Distribute URL – Publius URL http://!publius!/

1e6adsg673h0=hgj7889340=yareyoureadingthis=12asbnm8945

Retrieve Overview

Break apart URL to discover document locations

Retrieve encrypted document and share from k locations

Reassemble Key K from shares Decrypt retrieved document Check for tampering View in WWW browser

Retrieve Operationhttp://!publius!/MD5(D.Share1 )MD5 (D.Share2)…

http://!publius!/unReaDableUrL

Index = MD5(D.Share1) Mod Table_Size

From www.redcross.org Get Encrypted File, Share

Key = combine Shares

D = Decrypt File with Key

Tamper Check = MD5(D.Share1) = value in URL

Tradeoffs N = # servers with Content & Share K = # Shares needed to reconstruct the Key Higher N

Greater availability

Harder to censor Higher K

Decreased performance

Greater tamper protection

Possibly Easier To Censor

Update and Delete Operations Update – “update” file, MD5(password.IP)

Delete – MD5(password .IP)

Threats – Place update file on server Brute force to delete files

URL contains update bit - Don’t accept updates

Publish Option – No Delete or Update

Mutually Hyperlinked Content

Publish B, Modify A, Publish A

Publish B First – Invalid A LinkPublish A First – Invalid B Link

Problem: Content cryptographically tied to URL

Hyperlinked Content Solution

Publish A, B

Modify A, B

Republish A,B

Update A,B

Hyperlink

HyperlinkHyperlink

Update

Update

User Interface

InternetPublius Proxy

Browser Based GUI

http://!publius!/URL http://!publius!/PUBLISH

http://!publius!/UPDATE http://!publius!/DELETE

Store MIME type in first three bytes of fileSend correct Content-Type to browser

Threats & Limitations

• Share Deletion or Corruption • Update File Deletion or Corruption • Denial of Service Attacks

• Threats to Publisher Anonymity

• “Rubber-Hose Cryptanalysis”

Live Trial (8/7/2000)

• 3 Week Server Recruitment Period

• 100 Volunteers, Test Script distributed

• 53 successfully installed test script

• 44 successfully installed.

• Proxy - server version of client, 9 volunteers Must trust proxy – see file, password for Publish Sees URL for retrieve

• Over 550 client requests

Contributions & Availability

• Automatic Tamper Checking Mechanism

• Update / Delete Method

• Publishing Mutually Hyperlinked Content

• 1500 Lines of Perl

• Uses Crypto++ 3.2 – Crypto Library (C++)

Future Work

Remove dependence on server list

- URL encodes locations, tamper check Split content

- Krawczyk – Information Dispersal CPU payment scheme (Dwork, Naor) Automatic replication across servers

- Intermemory model

Publius WWW Site

Source Code & Technical Paper

http://cs.nyu.edu/waldman/publius