Untraceable Electronic Mail, Return Addresses, and Digital...
Transcript of Untraceable Electronic Mail, Return Addresses, and Digital...
![Page 1: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/1.jpg)
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms
EJ Jung
![Page 2: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/2.jpg)
Goals
1. Hide what you wrote • encryption of any kind • symmetric/asymmetric/stream
2. Hide to whom you sent and when • pseudonym? proxy? • traffic analysis problem
3. Still receive a reply • hidden return address
![Page 3: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/3.jpg)
Despite..
No trusted authority • cannot send the mail to this and ask to forward
Insecure underlying communication • cannot send the mail over “hot channel” • attacker can eavesdrop any message on any link • attacker can inject/modify/record any messeges
![Page 4: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/4.jpg)
Good news(?)
slide 4
?
Given: Everybody knows Bob’s public key
Only Bob knows the corresponding private key
private key
Assumptions: 1. Attacker cannot guess the private key based on public key 2. Attacker cannot convince Alice a wrong public key of Bob
- How to achieve this in real world?
public key
public key pk(A)
Alice Bob
![Page 5: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/5.jpg)
Basic Mix Design
slide 5
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversary knows all senders and all receivers, but cannot link a sent message with a received message
![Page 6: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/6.jpg)
Anonymous Return Address (0)
slide 6
A
B MIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
Response MIX
{r3, {r2,M’}pk(A) ,A}pk(mix) A,{r2,M’} pk(A)
What’s wrong with this? - B knows who A is!
![Page 7: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/7.jpg)
Anonymous Return Address (1)
slide 7
A
B MIX
{r1,K,{r0,K,M}pk(B),B}pk(mix) {r0,K,M}pk(B),B
message includes K where K is a fresh public key
Response MIX
{K, {r2,M’}K}pk(mix) A,{r2,M’}K
what’s wrong with this?? MIX knows that A=K (traceable)
![Page 8: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/8.jpg)
Anonymous Return Address (2)
slide 8
A
B MIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
M includes {K1,A}pk(mix), K2 where K2 is a fresh public key
Response MIX
{K1,A}pk(mix), {r2,M’}K2 A,{{r2,M’}K2}K1
Secrecy without authentication (good for an online confession service )
Q: Why A needs to encrypt {K1,A}pk(mix), not B?
![Page 9: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/9.jpg)
Mix Cascade
Messages are sent through a sequence of mixes • Can also form an arbitrary network of mixes (“mixnet”)
Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymity
Pad and buffer traffic to foil correlation attacks slide 9
![Page 10: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/10.jpg)
Small tricks
Size-based correlation • send in fixed size blocks
Timing-based correlation • send a random string even in idle times
Frequency-based correlation • send always at maximum rate
![Page 11: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/11.jpg)
Disadvantages of Basic Mixnets
Public-key encryption and decryption at each mix are computationally expensive
Basic mixnets have high latency • Ok for email, not Ok for anonymous Web browsing
Challenge: low-latency anonymity network • Use public-key cryptography to establish a “circuit” with
pairwise symmetric keys between hops on the circuit • Then use symmetric decryption and re-encryption to
move data messages along the established circuits • Each node behaves like a mix; anonymity is preserved
even if some nodes are compromised slide 11
![Page 12: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/12.jpg)
Another Idea: Randomized Routing
Hide message source by routing it randomly • Popular technique: Crowds, Freenet, Onion routing
Routers don’t know for sure if the apparent source of a message is the true sender or another router
slide 12
![Page 13: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/13.jpg)
Onion Routing
slide 13
R R4
R1 R2
R
R R3
Bob
R
R
R
Sender chooses a random sequence of routers Some routers are honest, some controlled by attacker Sender controls the length of the path
[Reed, Syverson, Goldschlag ’97]
Alice
![Page 14: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/14.jpg)
Route Establishment
slide 14
R4
R1
R2 R3 Bob
Alice
{R2,k1}pk(R1),{ }k1
{R3,k2}pk(R2),{ }k2
{R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4
{M}pk(B)
Routing info for each link encrypted with router’s public key Each router learns only the identity of the next router
![Page 15: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/15.jpg)
Location Hidden Servers
Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
Accessible from anywhere Resistant to censorship Can survive full-blown DoS attack Resistant to physical attack
• Can’t find the physical server!
slide 15
![Page 16: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/16.jpg)
Creating a Location Hidden Server
slide 16
Server creates onion routes to “introduction points”
Server gives intro points’ descriptors and addresses to service lookup directory
Client obtains service descriptor and intro point address from directory
![Page 17: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/17.jpg)
Using a Location Hidden Server
slide 17
Client creates onion route to a “rendezvous point”
Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
If server chooses to talk to client, connect to rendezvous point
Rendezvous point mates the circuits from client & server
![Page 18: Untraceable Electronic Mail, Return Addresses, and Digital ...ejung/courses/683/lectures/mixer.pdf · Disadvantages of Basic Mixnets Public-key encryption and decryption at each mix](https://reader033.fdocuments.net/reader033/viewer/2022050504/5f9655da193e1c7bdf391be0/html5/thumbnails/18.jpg)
Deployed Anonymity Systems
Free Haven project has an excellent bibliography on anonymity • http://freehaven.net/anonbib/date.html
TOR (http://www.torproject.org/) • Overlay circuit-based anonymity network • Best for low-latency applications such as anonymous
Web browsing
Mixminion (http://www.mixminion.net) • Network of mixes • Designed for high-latency applications such as
anonymous email slide 18