anonymity and secure messaging - courses.cs.washington.edu · 2016-12-07 · – confidential...
TRANSCRIPT
![Page 1: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/1.jpg)
CSE484/CSEM584:ComputerSecurityandPrivacy
AnonymityandSecureMessaging
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
![Page 2: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/2.jpg)
Cookies
• Alternative/additionaltechnology:– Icecream
• Someofyouaskedifwecouldstudythesetechnologies
12/7/16 CSE484/CSEM584-Fall2016 2
![Page 3: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/3.jpg)
Cookies
• Sectioniscancelled,but:
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 3
![Page 4: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/4.jpg)
Cookies
• Duringsection,we’llhaveaspecialculinaryseminaronthetopicof“DelectableTechnology”
12/7/16 CSE484/CSEM584-Fall2016 4
![Page 5: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/5.jpg)
SecurityMindsetish–ReflectionsonTrustingTrust
12/7/16 CSE484/CSEM584-Fall2016 5
![Page 6: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/6.jpg)
IdentifyingWebPages:ElectricalOutlets
Clarketal.“CurrentEvents:IdentifyingWebpagesbyTappingtheElectricalOutlet”ESORICS2013
12/7/16 CSE484/CSEM584-Spring2016 6
![Page 7: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/7.jpg)
PowerlineEavesdropping
12/7/16 CSE484/CSEM584-Spring2016 7
Enevetal.:Televisions,VideoPrivacy,andPowerlineElectromagneticInterference,CCS2011
![Page 8: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/8.jpg)
PrivacyonPublicNetworks
• Internetisdesignedasapublicnetwork– MachinesonyourLANmayseeyourtraffic,network
routersseealltrafficthatpassesthroughthem• Routinginformationispublic– IPpacketheadersidentifysourceanddestination– Evenapassiveobservercaneasilyfigureoutwhois
talkingtowhom• Encryptiondoesnothideidentities– Encryptionhidespayload,butnotroutinginformation– EvenIP-levelencryption(tunnel-modeIPSec/ESP)
revealsIPaddressesofIPSecgateways
12/7/16 CSE484/CSEM584-Spring2016 8
![Page 9: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/9.jpg)
Questions
Q1:Whatisanonymity?
Q2:WhymightpeoplewantanonymityontheInternet?
Q3:WhymightpeoplenotwantanonymityontheInternet?
12/7/16 CSE484/CSEM584-Spring2016 9
![Page 10: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/10.jpg)
ApplicationsofAnonymity(I)
• Privacy– Hideonlinetransactions,Webbrowsing,etc.from
intrusivegovernments,marketersandarchivists• Untraceableelectronicmail– Corporatewhistle-blowers– Politicaldissidents– Sociallysensitivecommunications(onlineAAmeeting)– Confidentialbusinessnegotiations
• Lawenforcementandintelligence– Stingoperationsandhoneypots– Secretcommunicationsonapublicnetwork
12/7/16 CSE484/CSEM584-Spring2016 10
![Page 11: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/11.jpg)
ApplicationsofAnonymity(II)
• Digitalcash– Electroniccurrencywithpropertiesofpapermoney(onlinepurchasesunlinkabletobuyer’sidentity)
• Anonymouselectronicvoting• Censorship-resistantpublishing
12/7/16 CSE484/CSEM584-Spring2016 11
![Page 12: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/12.jpg)
WhatisAnonymity?
• Anonymityisthestateofbeingnotidentifiablewithinasetofsubjects– Youcannotbeanonymousbyyourself!
• Bigdifferencebetweenanonymityandconfidentiality– Hideyouractivitiesamongothers’similaractivities
• Unlinkabilityofactionandidentity– Forexample,senderandemailhe/shesendsarenomore
relatedafterobservingcommunicationthanbefore• Unobservability(hardtoachieve)– Observercannoteventellwhetheracertainactiontook
placeornot
12/7/16 CSE484/CSEM584-Spring2016 12
![Page 13: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/13.jpg)
Part1:AnonymityinDatasets
12/7/16 CSE484/CSEM584-Spring2016 13
![Page 14: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/14.jpg)
Howtoreleaseananonymousdataset?
• Possibleapproach:removeidentifyinginformationfromdatasets?
12/7/16 CSE484/CSEM584-Spring2016 14
Massachusettsmedical+voterdata[Sweeney1997]
![Page 15: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/15.jpg)
k-Anonymity
• Eachpersoncontainedinthedatasetcannotbedistinguishedfromatleastk-1othersinthedata.
12/7/16 CSE484/CSEM584-Spring2016 15
Doesn’tworkforhigh-dimensionaldatasets(whichtendtobesparse)
![Page 16: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/16.jpg)
DifferentialPrivacy
• Setting:Trustedpartyhasadatabase• Goal:allowqueriesonthedatabasethatareusefulbutpreservetheprivacyofindividualrecords
• Differentialprivacyintuition:addnoisesothatanoutputisproducedwithsimilarprobabilitywhetheranysingleinputisincludedornot
• Privacyofthecomputation,notofthedataset
12/7/16 CSE484/CSEM584-Spring2016 16
[Dworketal.]
![Page 17: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/17.jpg)
Part2:AnonymityinCommunication
12/7/16 CSE484/CSEM584-Spring2016 17
![Page 18: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/18.jpg)
Chaum’sMix
• Earlyproposalforanonymousemail– DavidChaum.“Untraceableelectronicmail,return
addresses,anddigitalpseudonyms”.CommunicationsoftheACM,February1981.
• Publickeycrypto+trustedre-mailer(Mix)– Untrustedcommunicationmedium– Publickeysusedaspersistentpseudonyms
• ModernanonymitysystemsuseMixasthebasicbuildingblock
12/7/16 CSE484/CSEM584-Spring2016 18
Beforespam,peoplethoughtanonymousemailwasagoodideaJ
![Page 19: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/19.jpg)
BasicMixDesign
12/7/16 CSE484/CSEM584-Spring2016 19
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
![Page 20: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/20.jpg)
Q2
12/7/16 CSE484/CSEM584-Spring2016 20
A
C
D
E
B
Mix
{r1,{r0,M}pk(B),B}pk(mix){r0,M}pk(B),B
{r2,{r3,M’}pk(E),E}pk(mix)
{r4,{r5,M’’}pk(B),B}pk(mix)
{r5,M’’}pk(B),B
{r3,M’}pk(E),E
Adversaryknowsallsendersandallreceivers,butcannotlinkasentmessagewithareceivedmessage
![Page 21: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/21.jpg)
AnonymousReturnAddresses
12/7/16 CSE484/CSEM584-Spring2016 21
A
BMIX
{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B
Mincludes{K1,A}pk(mix),K2whereK2isafreshpublickey
ResponseMIX
{K1,A}pk(mix),{r2,M’}K2A,{{r2,M’}K2}K1
Secrecywithoutauthentication(goodforanonlineconfessionserviceJ)
![Page 22: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/22.jpg)
MixCascadesandMixnets
12/7/16 CSE484/CSEM584-Spring2016 22
• Messagesaresentthroughasequenceofmixes• Canalsoformanarbitrarynetworkofmixes(“mixnet”)
• Someofthemixesmaybecontrolledbyattacker,butevenasinglegoodmixensuresanonymity
• Padandbuffertraffictofoilcorrelationattacks
![Page 23: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/23.jpg)
DisadvantagesofBasicMixnets
• Public-keyencryptionanddecryptionateachmixarecomputationallyexpensive
• Basicmixnetshavehighlatency– OKforemail,notOKforanonymousWebbrowsing
• Challenge:low-latencyanonymitynetwork
12/7/16 CSE484/CSEM584-Spring2016 23
![Page 24: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/24.jpg)
AnotherIdea:RandomizedRouting
12/7/16 CSE484/CSEM584-Spring2016 24
• Hidemessagesourcebyroutingitrandomly– Populartechnique:Crowds,Freenet,Onionrouting
• Routersdon’tknowforsureiftheapparentsourceofamessageisthetruesenderoranotherrouter
![Page 25: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/25.jpg)
OnionRouting
12/7/16 CSE484/CSEM584-Spring2016 25
R R4
R1 R2
R
R R3
Bob
R
R
R Alice
[Reed,Syverson,Goldschlag1997]
• Senderchoosesarandomsequenceofrouters• Someroutersarehonest,somecontrolledbyattacker• Sendercontrolsthelengthofthepath
![Page 26: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/26.jpg)
RouteEstablishment
12/7/16 CSE484/CSEM584-Spring2016 26
R4
R1
R2 R3 Bob Alice
{R2,k1}pk(R1),{ }k1 {R3,k2}pk(R2),{ }k2
{R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4
{M}pk(B)
• Routinginfoforeachlinkencryptedwithrouter’spublickey• Eachrouterlearnsonlytheidentityofthenextrouter
![Page 27: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/27.jpg)
Tor
• Second-generationonionroutingnetwork– http://tor.eff.org– DevelopedbyRogerDingledine,NickMathewsonandPaulSyverson
– Specificallydesignedforlow-latencyanonymousInternetcommunications
• RunningsinceOctober2003• “Easy-to-use”clientproxy– Freelyavailable,canuseitforanonymousbrowsing
12/7/16 CSE484/CSEM584-Spring2016 27
![Page 28: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/28.jpg)
TorCircuitSetup(1)
12/7/16 CSE484/CSEM584-Spring2016 28
• ClientproxyestablishesasymmetricsessionkeyandcircuitwithOnionRouter#1
![Page 29: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/29.jpg)
TorCircuitSetup(2)
12/7/16 CSE484/CSEM584-Spring2016 29
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#2– TunnelthroughOnionRouter#1
![Page 30: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/30.jpg)
TorCircuitSetup(3)
12/7/16 CSE484/CSEM584-Spring2016 30
• ClientproxyextendsthecircuitbyestablishingasymmetricsessionkeywithOnionRouter#3– TunnelthroughOnionRouters#1and#2
![Page 31: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/31.jpg)
UsingaTorCircuit
12/7/16 CSE484/CSEM584-Spring2016 31
• ClientapplicationsconnectandcommunicateovertheestablishedTorcircuit.
![Page 32: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/32.jpg)
TorManagementIssues
• Manyapplicationscanshareonecircuit– MultipleTCPstreamsoveroneanonymousconnection
• Torrouterdoesn’tneedrootprivileges– Encouragespeopletosetuptheirownrouters– Moreparticipants=betteranonymityforeveryone
• Directoryservers– Maintainlistsofactiveonionrouters,theirlocations,
currentpublickeys,etc.– Controlhownewroutersjointhenetwork
• “Sybilattack”:attackercreatesalargenumberofrouters
– Directoryservers’keysshipwithTorcode
12/7/16 CSE484/CSEM584-Spring2016 32
![Page 33: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/33.jpg)
LocationHiddenService
• Goal:deployaserverontheInternetthatanyonecanconnecttowithoutknowingwhereitisorwhorunsit
• Accessiblefromanywhere• Resistanttocensorship• Cansurviveafull-blownDoSattack• Resistanttophysicalattack– Can’tfindthephysicalserver!
12/7/16 CSE484/CSEM584-Spring2016 33
![Page 34: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/34.jpg)
CreatingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 34
ServercreatescircuitsTo“introductionpoints”
Servergivesintropoints’descriptorsandaddressestoservicelookupdirectory
Clientobtainsservicedescriptorandintropointaddressfromdirectory
![Page 35: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/35.jpg)
UsingaLocationHiddenServer
12/7/16 CSE484/CSEM584-Spring2016 35
Clientcreatesacircuittoa“rendezvouspoint”
Clientsendsaddressoftherendezvouspointandanyauthorization,ifneeded,toserverthroughintropoint
Ifserverchoosestotalktoclient,connecttorendezvouspoint
Rendezvouspointsplicesthecircuitsfromclient&server
![Page 36: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/36.jpg)
AttacksonAnonymity
• Passivetrafficanalysis– Inferfromnetworktrafficwhoistalkingtowhom– Tohideyourtraffic,mustcarryotherpeople’straffic!
• Activetrafficanalysis– Injectpacketsorputatimingsignatureonpacketflow
• Compromiseofnetworknodes– Attackermaycompromisesomerouters– Itisnotobviouswhichnodeshavebeencompromised
• Attackermaybepassivelyloggingtraffic– Betternottotrustanyindividualrouter
• Assumethatsomefractionofroutersisgood,don’tknowwhich
12/7/16 CSE484/CSEM584-Spring2016 36
![Page 37: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/37.jpg)
DeployedAnonymitySystems
• Tor(http://tor.eff.org)– Overlaycircuit-basedanonymitynetwork– Bestforlow-latencyapplicationssuchasanonymousWebbrowsing
• Mixminion(http://www.mixminion.net)– Networkofmixes– Bestforhigh-latencyapplicationssuchasanonymousemail
• Not:YikYakJ
12/7/16 CSE484/CSEM584-Spring2016 37
![Page 38: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/38.jpg)
SomeCaution
• Torisn’tcompletelyeffectivebyitself– Trackingcookies,fingerprinting,etc.– Exitnodescanseeeverything!
12/7/16 CSE484/CSEM584-Spring2016 38
![Page 39: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/39.jpg)
IdentifyingWebPages:TrafficAnalysis
Herrmannetal.“WebsiteFingerprinting:AttackingPopularPrivacyEnhancingTechnologieswiththeMultinomialNaïve-BayesClassifier”CCSW2009
12/7/16 CSE484/CSEM584-Spring2016 39
![Page 40: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/40.jpg)
OTRANDSECUREMESSAGING
12/7/16 CSE484/CSEM584-Fall2016 40
![Page 41: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/41.jpg)
OTR–“OffTheRecord”
• Protocolforend-to-endencryptedinstantmessaging
• End-to-end:Onlytheendpointscanreadmessages.– PGP,iMessage,WhatsApp,andavarietyofotherservicesprovidesomeformofend-to-endencryptiontoday.
12/7/16 CSE484/CSEM584-Fall2016 41
![Page 42: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/42.jpg)
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 42
![Page 43: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/43.jpg)
OTR–“OffTheRecord”
• End-to-endencryption• Authentication• Deniability,afterthefact• PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 43
![Page 44: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/44.jpg)
OTR:Deniability
12/7/16 CSE484/CSEM584-Fall2016 44
Eve
Alice Bob
“Somethingincriminating”
![Page 45: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/45.jpg)
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
12/7/16 CSE484/CSEM584-Fall2016 45
![Page 46: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/46.jpg)
OTR:Deniability
• Duringaconversationsession,messagesareauthenticatedandunmodified.
• AuthenticationhappensusingaMACderivedfromasharedsecret.
• Q1
12/7/16 CSE484/CSEM584-Fall2016 46
![Page 47: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/47.jpg)
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
12/7/16 CSE484/CSEM584-Fall2016 47
![Page 48: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/48.jpg)
OTR:Deniability
• Can’tprovetheotherpersonsentthemessage,becauseyoualsocouldhavecomputedtheMAC!
• OTRtakesthisonestepfarther:Afteramessagingsessionisover,AliceandBobsendtheMACkeypubliclyoverthewire!
12/7/16 CSE484/CSEM584-Fall2016 48
![Page 49: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/49.jpg)
OTR:Deniability
• EvenowknowstheMACkey,sotechnicallyspeaking,shealsohastheabilitytoforgemessagesfromAliceorBob.
12/7/16 CSE484/CSEM584-Fall2016 49
![Page 50: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/50.jpg)
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 50
Eve
Alice Bob
![Page 51: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/51.jpg)
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 51
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsB
![Page 52: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/52.jpg)
PerfectForwardSecrecy
12/7/16 CSE484/CSEM584-Fall2016 52
Eve
Alice Bob
Publicinfo,e.g.C1C2C3…Cn
SecretsA SecretsBIfEvecompromisesAliceorBob’scomputersatalaterdate,wewouldliketopreventherfrombeingabletolearnwhatM1,M2,M3,etc.correspondtoC1,C2,C3,etc.
![Page 53: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/53.jpg)
OTR:Ratcheting
• Idea:Useanewkeyforeverysession/message/timeperiod.
12/7/16 CSE484/CSEM584-Fall2016 53
![Page 54: Anonymity and Secure Messaging - courses.cs.washington.edu · 2016-12-07 · – Confidential business negotiations • Law enforcement and intelligence ... • Modern anonymity](https://reader034.vdocuments.net/reader034/viewer/2022050500/5f932e8d89cce50b266f999c/html5/thumbnails/54.jpg)
Signal
12/7/16 CSE484/CSEM584-Fall2016 54
• End-to-endencryptedchat/IMbasedonOTR
• Providesvariationsonratcheting,deniability,etc.
• Widelyused,publiccode,audited.