CSE 484 / CSE M 584: Computer Security and Privacy Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner [email protected] Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...


Tor

• Second-generation onion routing network
  – https://www.torproject.org/
  – Now a large open source project with a non-profit organization behind it
  – Specifically designed for low-latency anonymous Internet communications
• Running since October 2003
• “Easy-to-use” client proxy
  – Freely available, can use it for anonymous browsing

12/9/16 CSE 484 / CSE M 584 - Fall 2016

Tor Browser Bundle

• A single, downloadable browser app which does the right thing.

Tor Circuit Setup (1)

• Client proxy establishes a symmetric session key and circuit with Onion Router #1

Tor Circuit Setup (2)

• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
  – Tunnel through Onion Router #1

Tor Circuit Setup (3)

• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
  – Tunnel through Onion Routers #1 and #2

Using a Tor Circuit

• Client applications connect and communicate over the established Tor circuit.
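
The three setup steps and the use of the finished circuit, as an added sketch (not code from the slides or from the Tor project): each handshake is replaced by a fresh random key and a toy SHA-256 keystream stands in for the real cipher. All function names are illustrative.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), standing in for the
    real symmetric cipher. Applying it twice with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def setup_circuit(hops: int = 3) -> list:
    """Assumption: each handshake is replaced by a fresh random key.
    keys[0] is shared with Onion Router #1, keys[1] with #2, and so on."""
    return [os.urandom(32) for _ in range(hops)]

def client_wrap(keys: list, payload: bytes) -> bytes:
    """Client adds one layer per router, last router's layer first, so
    Onion Router #1's layer ends up outermost."""
    cell = payload
    for key in reversed(keys):
        cell = keystream_xor(key, cell)
    return cell

def forward(keys: list, cell: bytes) -> list:
    """Each router removes only its own layer and forwards the rest.
    Returns what leaves each router, in path order."""
    leaving = []
    for key in keys:
        cell = keystream_xor(key, cell)
        leaving.append(cell)
    return leaving

if __name__ == "__main__":
    keys = setup_circuit()
    request = b"GET / HTTP/1.1 (constructed sample payload)"
    views = forward(keys, client_wrap(keys, request))
    for hop, view in enumerate(views, start=1):
        print(f"after router #{hop}: readable={view == request}")
```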

Tor Management Issues

• Many applications can share one circuit
  – Multiple TCP streams over one anonymous connection
• Tor router doesn’t need root privileges
  – Encourages people to set up their own routers
  – More participants = better anonymity for everyone
• Directory servers
  – Maintain lists of active onion routers, their locations, current public keys, etc.
  – Control how new routers join the network
    • “Sybil attack”: attacker creates a large number of routers
  – Directory servers’ keys ship with Tor code

Location Hidden Service

• Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
• Accessible from anywhere
• Resistant to censorship
• Can survive a full-blown DoS attack
• Resistant to physical attack
  – Can’t find the physical server!

Creating a Location Hidden Server

Server creates circuits to “introduction points”

Server gives intro points’ descriptors and addresses to service lookup directory

Client obtains service descriptor and intro point address from directory

Using a Location Hidden Server

Client creates a circuit to a “rendezvous point”

Client sends address of the rendezvous point and any authorization, if needed, to server through intro point

If server chooses to talk to client, connect to rendezvous point

Rendezvous point splices the circuits from client & server

Attacks on Anonymity

• Passive traffic analysis
  – Infer from network traffic who is talking to whom
  – To hide your traffic, must carry other people’s traffic!
• Active traffic analysis
  – Inject packets or put a timing signature on packet flow
• Compromise of network nodes
  – Attacker may compromise some routers
  – It is not obvious which nodes have been compromised
    • Attacker may be passively logging traffic
  – Better not to trust any individual router
    • Assume that some fraction of routers is good, don’t know which

Deployed Anonymity Systems

• Tor (http://tor.eff.org)
  – Overlay circuit-based anonymity network
  – Best for low-latency applications such as anonymous Web browsing
• Mixminion (http://www.mixminion.net)
  – Network of mixes
  – Best for high-latency applications such as anonymous email
• Not: Yik Yak :)

Some Caution

• Tor isn’t completely effective by itself
  – Tracking cookies, fingerprinting, etc.
  – Exit nodes can see everything!

Identifying Web Pages: Traffic Analysis

Herrmann et al. “Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier” CCSW 2009

OTR AND SECURE MESSAGING

OTR – “Off The Record”

• Protocol for end-to-end encrypted instant messaging
• End-to-end: Only the endpoints can read messages.
  – PGP, iMessage, WhatsApp, and a variety of other services provide some form of end-to-end encryption today.

(Borisov, Goldberg, Brewer 2014)


OTR – “Off The Record”

• End-to-end encryption
• Authentication
• Deniability/Repudiability, after the fact
• Perfect Forward Secrecy

OTR: Deniability/Repudiability

[Figure: Alice, Bob and Eve; message “Something incriminating”]


OTR: Deniability/Repudiability

• During a conversation session, messages are authenticated and unmodified.
• Authentication happens using a MAC derived from a shared secret.
• Q1


OTR: Deniability/Repudiability

• Can’t prove the other person sent the message, because you also could have computed the MAC!
• OTR takes this one step farther: After a messaging session is over, Alice and Bob send the MAC key publicly over the wire!

OTR: Deniability/Repudiability

• Eve now knows the MAC key, so technically speaking, she also has the ability to forge messages from Alice or Bob.
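
The deniability argument from the slides above, as an added sketch (not code from the slides or from any OTR implementation): a MAC key derived from the shared secret authenticates messages during the session, yet Bob, and later Eve once the key is published, can produce tags that verify just as well. The key derivation, function names and sample messages are assumptions made for this example.

```python
import hashlib
import hmac
import os

def derive_mac_key(shared_secret: bytes) -> bytes:
    """Assumption: a simple labelled hash stands in for OTR's derivation."""
    return hashlib.sha256(b"mac-key" + shared_secret).digest()

def mac(mac_key: bytes, message: bytes) -> bytes:
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def verifies(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mac_key, message), tag)

def run_session() -> dict:
    shared_secret = os.urandom(32)          # known to Alice and Bob only
    key = derive_mac_key(shared_secret)

    # In session: Bob checks that Alice's message is authentic and unmodified.
    sent = b"see you at 6 (constructed sample)"
    tag = mac(key, sent)
    authentic = verifies(key, sent, tag)
    modified_rejected = not verifies(key, b"see you at 7", tag)

    # Bob holds the same key, so he can tag text Alice never wrote.
    bob_text = b"text written by Bob"
    bob_tag = mac(key, bob_text)

    # After the session the MAC key is sent in the clear; Eve records it
    # and can now produce valid tags as well.
    published_key = key
    eve_text = b"text written by Eve"
    eve_tag = mac(published_key, eve_text)

    # A third party checking the transcript sees three equally valid tags
    # and cannot tell which author produced which line.
    transcript = [(sent, tag), (bob_text, bob_tag), (eve_text, eve_tag)]
    return {
        "authentic": authentic,
        "modified_rejected": modified_rejected,
        "all_verify": all(verifies(published_key, m, t) for m, t in transcript),
    }

if __name__ == "__main__":
    print(run_session())
```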


Perfect Forward Secrecy

[Figure: Alice (Secrets A) and Bob (Secrets B) exchange public info, e.g. C1 C2 C3 … Cn, which Eve can see]

If Eve compromises Alice or Bob’s computers at a later date, we would like to prevent her from being able to learn what M1, M2, M3, etc. correspond to C1, C2, C3, etc.

OTR: Ratcheting

• Idea: Use a new key for every session/message/time period.
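
One way to get "a new key for every message", as an added sketch (not code from the slides or from any OTR implementation): a one-way hash-chain ratchet, chosen here for illustration because the slides do not specify OTR's key-update mechanism. It counts how many past and future message keys Eve can compute from the state she steals in a later compromise; all names and the initial secret are constructed.

```python
import hashlib
import hmac

def step(chain_key: bytes):
    """One ratchet step: derive this message's key and the next chain key.
    HMAC-SHA256 is one-way, so the next chain key does not reveal this one."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain

class Ratchet:
    def __init__(self, initial_secret: bytes):
        self._chain = initial_secret

    def next_key(self) -> bytes:
        key, self._chain = step(self._chain)   # old chain key is overwritten
        return key

    def stolen_state(self) -> bytes:
        """What Eve gets if she compromises the machine right now."""
        return self._chain

def keys_reachable_from(state: bytes, count: int) -> list:
    """Every message key Eve can compute by stepping a stolen state forward."""
    found = []
    for _ in range(count):
        key, state = step(state)
        found.append(key)
    return found

def compromise_after(n_before: int, n_after: int):
    """Alice uses n_before keys, is compromised, then uses n_after more."""
    alice = Ratchet(b"constructed initial shared secret")
    past = [alice.next_key() for _ in range(n_before)]      # keys for M1..Mn
    eve = set(keys_reachable_from(alice.stolen_state(), n_after + 50))
    future = [alice.next_key() for _ in range(n_after)]
    past_exposed = sum(k in eve for k in past)
    future_exposed = sum(k in eve for k in future)
    return past_exposed, future_exposed

if __name__ == "__main__":
    print(compromise_after(3, 2))
```

The keys for messages sent before the compromise stay out of Eve's reach, while keys used afterwards remain derivable in this sketch until the parties agree on fresh secrets.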

Signal

• End-to-end encrypted chat/IM based on OTR
• Provides variations on ratcheting, deniability, etc.
• Widely used, public code, audited.