Lecture24 – AnonymityandPrivacy

StephenCheckowayUniversityofIllinois atChicago

CS487 – Fall 2017SlidesbasedonMillerandBailey’sECE422

Anonymity

•Anonymity:Concealingyouridentity•InthecontextoftheInternet,wemaywantanonymouscommunications

–Communicationswheretheidentityofthesourceand/ordestinationareconcealed

•Notthesameassecrecy/confidentiality–Confidentialityisaboutmessagecontents,

•(whatwassaid)

•Anonymityisaboutidentities•(whosaiditandtowhom)

NymitySpectrum

•Verinymity–creditcard#s,driver'slicense,address

•Pseudonymity–pennames,manyblogs

•Linkableanonymity–loyaltycards,prepaidmobilephone

•Unlinkableanonymity–payingincash,Tor

Whydoweneedanonymity?

•Necessarytoensurecivilliberties:–Freespeech,freeassociation,autonomy,freedomfromcensorshipandconstantsurveillance

•Privacyisahumanright–Dignity–NotexplicitinUSconstitution,butrelevantto1st4th5th9thamendmentsinbillofrights

•Surveillanceisexploitedforprofit–Targetedmarketingcampaigns–Discrimination(insurance,employment)

ArgumentsagainstPrivacy?

•The"NothingtoHide”Argument–DangersofconstructingaKafkaesqueworld–Optionalreading:'I'veGotNothingtoHide'andOtherMisunderstandingsofPrivacy,DanielJ.Solove

–Typicallyspokenfromaviewofprivilege•Nooneexpectsprivacyanymoreanyway

–KidstodaysharetheirentirelivesonFacebook•Benefitsfromsharing(bettersearchresults?)•Privatecommunicationsabusedbybadguys

HowtogetAnonymity

•Internetanonymityishard*–Difficultifnotimpossibletoachieveonyourown–RightthereineverypacketisthesourceanddestinationIPaddress–*Butit’seasyforbadguys.Why?

•Howdowedoit?•Stateofthearttechnique:Asksomeoneelsetosenditforyou

–Ok,it’sabitmoresophisticatedthanthat...

Proxies

•Proxy:Intermediarythatrelaysourtraffic•Trusted3rdparty,e.g....hidemyass.com

–YousetupanencryptedVPNtotheirsite–Allofyourtrafficgoesthroughthem

•Whyeasyforbadguys?Compromisedmachinesasproxies.

AlicewantstosendamessageMtoBob...

•Bobdoesn’tknowMisfromAlice,and•Evecan’tdeterminethatAliceisindeedcommunicatingwithBob.

•HMAacceptsmessagesencryptedforit.Extractsdestinationandforwards.

Anonymitymotivation

Surveillanceunder:• ThePatriotAct

• Section215• NationalSecurityLetters(NSLs)

• FISAAmendmentAct

Imagecredit:ACLU

GoogleTransparencyReport

NationalSecurityLetters(NSLs)ReportingPeriod NationalSecurityLetters Users/AccountsJanuarytoJune2016 0–499 500–999JulytoDecember2015 1–499 500–999JanuarytoJune2015 0–499 500–999JulytoDecember2014 0–499 500–999JanuarytoJune2014 500–999 500–999JulytoDecember2013 500–999 1000–1499JanuarytoJune2013 0–499 500–999JulytoDecember2012 0–499 500–999JanuarytoJune2012 500–999 1000–1499JulytoDecember2011 0–499 500–999JanuarytoJune2011 0–499 500–999JulytoDecember2010 0–499 1000–1499JanuarytoJune2010 500–999 1500–1999JulytoDecember2009 0–499 500–999JanuarytoJune2009 0–499 500–999

Metadata

•Everythingexceptthecontentsofyourcommunications:– If– When– Howmuch– Who

• What(thisisactuallythedata)“... analysis of telephony metadata often reveals information that could traditionally only be obtained by examining the contents of communications. That is, metadata is often a proxy for content.”— Prof. Edward W. Felten, Computer Science and Public Affairs, Princeton;

(former) Chief Technologist of FTC

XKEYSCORE

“I,sittingatmydesk,certainlyhadtheauthoritiestowiretapanyone,fromyouoryouraccountant,toafederaljudgeoreventhePresident,ifIhadapersonale-mail,”

Technologyasadefense

“Whetherwearesurveilledbyourgovernment,bycriminals,orbyourneighbors,itisfairtosaythatneverhasour abilitytoshieldouraffairsfrompryingeyesbeenatsuchalowebb.Theavailabilityanduseofsecureencryptionmayofferanopportunitytoreclaimsomeportionoftheprivacywehavelost.”

— 9thCircuitcourtopinion,Bernsteinv US DOJ1999“Cryptowars”

EncryptionTools:PGP

•GnuPG,freesoftware–PrettyGoodPrivacy(PGP),PhilZimmerman(1991)–GnuPG (GPG)isafreesoftwarerecreation–Letsyouhideemailcontentviaencryption

•Basicidea:–Hybridencryptiontoconcealmessages–Digitalsignaturesonmessages(hash-then-sign)

PGPcont'd

•Eachuserhas:–Apublicencryptionkey,pairedwithaprivatedecryptionkey–Aprivatesignaturekey,pairedwithapublicverificationkey

•Howdoessending/receivingwork?•Howdoyoufindoutsomeone'spublickey?

Sendingandreceiving

•Tosendamessage:–Signwithyoursignaturekey–Encryptmessageandsignaturewithrecipient'spublicencryptionkey

•Toreceiveamessage:–Decryptwithyourprivatekeytogetmessageandsignature–Usesender'spublicverificationkeytochecksig

Fingerprints

•HowdoyouobtainBob'spublickey?–GetitfromBob'swebsite?(☹ )–GetitfromBob'swebsite,verifyusingout-of-bandcommunication

•Keysareunwieldy-→fingerprints•Afingerprintisacryptographichashofakey

–Keyservers:storepublickeys,lookupbyname/emailaddress,verifywithfingerprint

•Whatifyoudon'tpersonallyknowBob?–WebofTrust(WoT),“friendofafriend”–BobintroducesAlicetoCarobysigningAlice’skey

Drawbacksof(Just)EncryptionI

•WhatifBob'smachinecompromised?–Hiskeymaterialbecomesknown–Pastmessagescanbedecryptedandread–Youalsohavesender'ssignatureonmessagessent,soyoucanproveidentityofsender

•Thesoftwarecreatedlotsofincriminatingrecords–KeymaterialthatdecryptsdatasentoverthepublicInternet–Signatureswithproofsofwhosaidwhat

• Alicebetterwatchwhatshesays–HerprivacydependsonBob’sactions

Drawbacksof(Just)EncryptionII

CasualConversations

•AliceandBobtalkinaroom•Nooneelsecanhear

–Unlessbeingrecorded•Nooneelseknowswhattheysay

–UnlessAliceorBobtellthem•Noonecanprovewhatwassaid

–NotevenAliceorBob•Theseconversationsare“off-the-record”

Desirablecommunicationproperties

•Forwardsecrecy:–Evenifyourkeymaterialiscompromised,pastmessagesshouldbesafe

•Deniability:beabletoplausiblydenyhavingsentamessage•Mimiccasual,off-the-recordconversations

–Deniableauthentication:beconfidentofwhoyouaretalkingto,butunabletoprovetoathirdpartywhatwassaid

Off-the-Record(OTR)Messaging

BobAliceSignbob(gy)

Signalice(gx)

1.UseAuthenticatedDiffie-Hellmantoestablisha(short-lived)sessionkeyEK

SS=(gx) ySS=(gy)xEK=H(SS) EK=H(SS)

OTRII

BobAliceEEK(M)MACMK(EEK(M))

2.Thenusesecret-keyencryptiononmessageM...AndauthenticateusingaMAC

SS=(gx) ySS=(gy)xEK=H(SS) EK=H(SS)

MK=H(EK)MK=H(EK)

Off-the-Record

BobAlicegy’,MACMK(gy’)

gx’,MACMK(gx’)

3.Re-keyusingDiffie-Hellman

SS’=(gx’) y’SS’=(gy’)x’EK’=H(SS’) EK’=H(SS’)

MK’=H(EK’)MK’=H(EK’)MK=H(EK)MK=H(EK)

Off-the-Record

BobAliceMK

4.PublisholdMK

SS’=(gx’) y’SS’=(gy’)x’EK’=H(SS’) EK’=H(SS’)

MK’=H(EK’)MK’=H(EK’)MK=H(EK)MK=H(EK)

Off-the-recordMessaging(OTR)

•Notethisissuitedtointeractivecommunication,notsomuchemail

• But,OTRprovides–messageconfidentiality–authentication–perfectforwardsecrecy–deniability

•Caveat:wedonothaveexamplesof“deniability”servingitspurposeinpractice

UsingOTR

•BuiltintoAdium andPidgin•Butbewaredefaults

–Loggingenabledbydefault–Etiquettedictatesyoushoulddisablethis,sodoeshistory(e.g.,ChelseaManning)

•VerydifferentfromGoogleHangout’s“offtherecord”featurewhichmerelydoesn’tlogtheconversation

Signalandthe“DoubleRatchet”TheprotocolbehindSignalapp(iphone,android)TrevorPerin andMoxieMarlinspike- ForwardsecrecyToday’smessagesaresecret,evenifkeycompromisedtomorrow

- FuturesecrecyTomorrow’smessagesaresecret,evenifkeycompromisedtoday

- DeniabilityNopermanent/transferableevidenceofwhatwassaid

- Usability Toleratesout-of-ordermessagedeliveryhttps://whispersystems.org/docs/specifications/doubleratchet/

PlausiblyDeniableStorage

Goal:Encryptdatastoredonyourharddrive

Problem:Canbecompelledtodecryptit!

Idea:havea“decoy”volumewithbenigninformationonit

Example:VeraCrypt

[Doesthissolvetheproblem?Caveats?]

RecapPrivacy/Anonymity

•Metadata:Everythingexceptthecontentsofyourcommunications:

– If– When– Howmuch– Who

• What (thisisactuallythedata) Signal and OTR

Anonymityforbrowsing?

You Server

Naiveapproach....VPNs

You Server

VPNs

VPNs

“…receivedacourtorderaskingforinformationrelatingtoanaccountassociatedwithsomeoralloftheabovecases.Asstatedinourtermsofserviceandprivacypolicyourserviceisnottobeusedforillegalactivity,andasalegitimatecompanywewillcooperatewithlawenforcementifwereceiveacourtorder”

Betterapproach:Tor

•Low-latencyanonymouscommunicationsystem•Hidemetadata

–whoiscommunicatingwithwhom?–e.g.,justsendinganencryptedmessagetoTheInterceptmaygetyouintrouble

•Hideexistenceofcommunication–anyencryptedmessagemaygetyouintrouble

Tor overview

•Worksatthetransportlayer•AllowsyoutomakeTCPconnectionswithoutrevealingyourIPaddress

•Popularforwebconnections•Tornetworkmadeupofvolunteer-runnodes,oronionrouters,locatedallovertheworld

•Basicidea:AlicewantstoconnecttoawebserverwithoutrevealingherIPaddress

OnionRouting

•Thisapproachgeneralizestoanarbitrarynumberofintermediaries(“mixes”)

•AliceultimatelywantstotalktoBob,withthehelpofHMA,Dan,andCharlie

•Aslongasanyofthemixesishonest,noonecanlinkAlicewithBob

OnionRouting

Tor

Imagecredit:TorProject

Tor

Imagecredit:TorProject

Tor

Imagecredit:TorProject

TrustinTor

•Entrynode:knowsAliceisusingTor,andidentityofmiddlenode,butnotdestination

•Exitnode:knowssomeToruserisconnectingtodestination,butdoesn'tknowwhichuser

•Destination:knowsaToruserisconnectingtoitviatheexitnode

•ImportanttonotethatTordoesnotprovideencryptionbetweenexitanddestination!(e.g.,useHTTPS)

TorHiddenServices

HowtogetTor

•TorBrowserbundleavailable(builtonmodifiedversionoffirefox)

•☺ optionalexercise:downloadanduseit!

•https://www.torproject.org/

•...orvolunteertobeapartoftheTornetwork.

OnionRoutingIssues/Attacks?

•Performance:messagebouncesaroundalot•Attack:rubber-hosecryptanalysisofmixoperators

–Defense:usemixserversindifferentcountries•Attack:adversaryoperatesallofthemixes

–Defense:havelotsofmixservers(Tortoday:~6,500)•Attack:adversaryobserveswhenAlicesendsandwhenBobreceives,linksthetwotogether

•Asidechannelattack– exploitstiminginformation–Defenses:padmessages,introducesignificantdelays

•Tordoestheformer,butnotesthatit’snotenoughfordefense

https://metrics.torproject.org/networksize.html

OnionRoutingIssues,cont.

•Issue:trafficleakage•SupposeallofyourHTTP/HTTPStrafficgoesthroughTor,buttherestofyourtrafficdoesn’t

•Howmighttheoperatorofsensitive.com•deanonymizeyourwebsessiontotheirserver?

Thetrafficleakageproblem

•Answer:theyinspectthelogsoftheirDNSservertoseewholookedupsensitive.comjustbeforeyourconnectiontotheirwebserverarrived

•Hard,generalproblem:anonymityoftenatriskwhenadversarycancorrelateseparatesourcesofinformation

Metadata

• If• When• Howmuch• Who• What

Metadata

• If• When• Howmuch• Who• What←TLS/PGP/OTR/Signal

Metadata

• If• When• Howmuch• Who←• What←TLS/PGP/OTR/Signal

Pond

•"Pondisnotemail.Pondisaforwardsecure,asynchronousmessagingsystemforthediscerning"

•Seekstoprotectagainstleakingtrafficinfoagainstallbutaglobalpassiveadversary

–forwardsecure–nospam–messagesexpireautomaticallyafteraweek

Pond

User

PrivateKeyPublicKey Pond

ServerMessages?Pubkey=Apadding=XXXX..

None.padding=XXXXXXXXXXXXX…

Messages?Pubkey=Apadding=XXXX..

Message=Mpadding=XXXXXXXXX…

Pond

User

PrivateKeyPublicKey Pond

ServerMessages?Pubkey=Apadding=XXXX..

None.padding=XXXXXXXXXXXXX…

Messages?Pubkey=Apadding=XXXX..

Message=Mpadding=XXXXXXXXX…

Privatekey

Metadatasummary

• If• When ←• Howmuch ←• Who←• What ←TLS/PGP

Pond