A solution for secure, anonymous, group

communication on Online Social Networks

Pritha D NarayanappaCollaborative work with Daniel Iland, Divya Sambasivan,

Michael Nekrasov & Prof. Elizabeth Belding

Prof. Ben Zhao(Chair) and Prof. Heather ZhengMaster’s Project Defense

November 22, 2016

Outline

• Motivation

• SecurePost – Properties

• Design and Architecture – Overview

Internet Freedom

• 67% of all internet users, live in countries where online criticism of the authorities, are subject to censorship.

• Authorities in 38 countries made arrests based on social media posts over the past year.

• 27% of all internet users live in countries where people have been arrested for publishing, sharing, or liking content on Facebook.

State of freedom on the Internet today

Scenario

Alice

Bob Dave

Activists

Public

Local government

SecurePost

• Android Application that allows secure, verifiable group communication on Twitter and Facebook pages.

• Allows groups to share an account without sharing the account password.

• Not intended for private online communication.

Architecture

Android Application: Allows a group of people to share an account/page. Chrome Plugin: Allows

anyone on the Internet to verify the authenticity of a post.

SecurePost Server: A relay between the users and the OSNs.

Properties of SecurePost

• Restricted access : Allows multiple users to post to an account while not sharing other privileges.

• Authenticity : Everyone on the Internet can verify that the message really came from the group.

• Integrity : Tampering and manipulation of text will invalidate the post.

• Anonymity : A post cannot be linked to a member of a group.

Shared Account Setup

Generates OAuth Tokens

Alice

OAuth Tokens

SecurePost ServerWants to share a Twitter account

• 2048-bit RSA key pair for post privilege• 256-bit AES key to encrypt the RSA post privilege key pair• Encrypt ( , RSA key pair for post privilege) =

Public Key for post privilege

Shared Account Setup

Public Key for post privilege

Design

The post privilege public key should be part of the Twitter account’s public profile.

• Adding the key in the “Bio/About” section of the Twitter account.

• Adding the key to the profile image.

Shared Account Setup• The server shares a time-based chain of tokens.

OAuth Tokens + bootstrap data

SecurePost Server

Token chain info

Token Chain Info = SecureRandomString + StartTimeSHA256(SecureRandomString) Token 1SHA256(Token 1) Token 2 ….SHA256(Token n-1) Token n

Alicen

2

n-1

1

Alice SecurePost Server

Bob Malicious User

Doesn’t possess a

valid key nor valid token!

Token Chain Info +

Inviting members

Alice

Bob

• Decryption yields the RSA key pair generated by Alice.

• This Private key is used to sign all tweets.

Toke

n + Post1

+ Signatu

re

Post1 + SignatureToken + Post2 + Signature

Post2 + Signature

Posting to OSN

Every group member

Sends along with group info:

Post text + MAC(Post_PrK, Post text) + Time-based Token

For every request received:

1. Checks if token is valid for current time interval.

2. Verifies (Post_PubK, MAC)

3. If valid, embed MAC in image.

4. Post, Post Text + image to OSN.

5. If OSN is currently unreachable, then the post is stored, and posted later.

SecurePost Server

Server Validation

Integrity check by the plugin

Integrity check by the plugin

Integrity check by the plugin

21

Design

Anonymity: No post/tweet can be associated with a particular member of the group.

• OSN server sees only the SecurePost server’s IP address.

• Even if the SecurePost server is compromised, it stores no member information.

AliceSecurePost Server

• 2048-bit RSA key pair for admin privilege• 256-bit AES key to encrypt the RSA admin privilege key pair• Encrypt ( , RSA key pair for post privilege + RSA key pair admin privilege ) =

Public Key for admin privilege

Shared Account Setup [2] • To give some members privilege to change settings of an account as well, an

admin privilege key pair is also created.

Other features

Reset the group, removing all members.

Notifications that can only be read, when the right password is entered.

Password secured access to shared accounts.

My Contribution

• Implementation of the Server:– Decoupled Android application and server functionality.– Java server - Using embedded Jetty.– Used a SQLite database and Redis for caching.– Provides REST API.

• Chrome plugin:– Message signature extraction from images and use of the public key

to verify authenticity.• Android Application:

– Facebook functionality.– Join/invite schema via QR codes and via links.– Encrypted notifications of new posts using GCM.– Orbot (ToR) integration.– Profile/cover image change through app.

Target Audience Feedback• Mongolia (Attended by Daniel Iland):

• The initial design had cryptographic signature added to the end of posts and not embedded in an image.• The appearance of random characters in a post was not preferred by the

users!

• Inviting new group members via SMS was also not preferred.• Introduced QR code based in person invites and email based remote invite..

• Rights Con (Attended by Pritha D N):

• Users – mostly journalists, wanted the ability to post images/videos with a verifiable signature.

There is a peaceful demonstration today at 8.<㙼䆢롲꾶셚䘏쥱㤳䊌렅큢틳몎앲지링쓬쩏밀㯍㼕졚롇㱘䡊䠕늋톙㡜>

User Survey• A group of 56 students from UCSB beta tested the Application.

• The survey the users completed, provided us useful insights on the usability, utility, usefulness of our Application.

• 59% of the testers used Android 6.0 and 14% used Android 5/5.1.

• The top rated features were:• One click to lock the app - The notification dismissal locks the

application.• The self destruct password.• The idea of sharing an account but not sharing password.

• 42% of the respondents found SecurePost to be useful to them and 59% would recommend it to their friends.

Vulnerability• Single point of failure, if the server is brought down.

• It is not possible to remove a particular member from the group.• Resetting a group – removing all the members is the only solution.

• Susceptible to replay attacks [max 5 minute window].

• If a member is subject to traffic analysis, then the timing of the post could give away the identity of the person.

• Authorship attribution and stylometric techniques could break the perceived anonymity of users.

Limitations • SecurePost requires a network connection to function.

• If Twitter or Facebook is currently unavailable (but the server is), the server can store and later forward to Social media.

• The posts will still be available to the members of the group immediately.

• Accessing the account (to change profile, description, etc) only through SecurePost is recommended.

• It is recommended to use Orbot (ToR) while the Super User first logs in to permit SecurePost.

Future Work• Ability to validate and verify image and video posts.

• Adding all account management features in the App, so that Super User need not login through non-anonymous channels.

• Making the login to OSN by Super User, anonymous without use of ToR.

Thank YouQuestions?

1. Using JavaScript/JQuery , identify all the posts on a page by id/class $(body).find(".userContentWrapper")

2. Create a dummy hidden “canvas” and ”image” DOM element.3. Set the “src” attribute of the image to the URL of the image.4. Onload event listener of the image, loads the data onto the canvas element.5. The canvas element, allows us to read each pixel value.

canvas_context.getImageData(xcord, ycord, 1, 1)6. Similarly, identify the cover image DOM and get the pixel representation of the cover

image.7. Reversing the text embedding process gives us both the Post_Public_Key and each

message signature.8. Used the JS RSA sign utility to verify the signature of each post.

Class = userContentWrapper

Class = mtm, img

Class = _4on7