Anonymity and Cryptography

Anonymity and Cryptography George Danezis K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium. [email protected]

Weworc 2007 – Bochum, Germany.

George Danezis (K.U.Leuven)

Anonymity and Cryptography

Weworc 2007

1 / 30

Outline

Roadmap
- Introduction to anonymous communications and mix systems
- A broken design – URE mixes
- Two 'secure' designs – Mixminion and Minx
- Open problems and conclusion


Anonymity

Why?
Necessary to implement common social interactions:
- Anonymous electronic cash, credentials or auctions.
- Election protocols (receipt-freeness).
- Political speech without fear or censorship.

How? Key systems:
- David Chaum's mix (1981)
- DC-networks (1985)
- Onion Routing (1996) / Tor (2004)
- Reiter and Rubin's Crowds (1998)


Mix systems

What is a mix?
- A network router for messages or streams.
- Hides correspondences between inputs and outputs.


How to hide correspondences?

Traffic analysis resistance
- Disrupt the timing of messages: batch and shuffle.
- Change the traffic characteristics of streams.
- Fascinating open problem... but another talk.

Bitwise unlinkability
- Ensure input and output bit-patterns are unlinkable: a cryptographic problem.
- Use cryptographic transformations and padding.
- Detect and prevent replays.
- Two flavors: decryption and re-encryption mixes.
- Threat model: active adversaries.


A first (insecure) attempt

Decryption mixes
- Alice encrypts the message $m$ and final destination $B$ under the mix's public key $K_{mix}$.
- Encryption uses a hybrid cipher: $\{m\}_K \equiv RSA_K(\mathrm{fresh}\ k),\ \mathrm{fresh}\ IV,\ RC4_{IV,k} \oplus m$.
- Attack (active): $\{B, m\}_{K_{mix}} \oplus (0, t) \rightarrow m \oplus t$.
- (The original mix proposal in 1981 used raw RSA.)


Security for mix packet formats

At least CCA2 security
- The adversary can intercept mix messages, apply any function to them (identity aside), and use the mix as a decryption oracle.
- This is the definition of CCA2 security: (adaptive) chosen-ciphertext attack.

More than CCA2 security
- Secure multi-hop mixing.
- Secure, indistinguishable replies.
- Fundamentally different mechanisms from those of CCA2 systems.


Mix networks

Why use multiple mixes?
- Load balancing: no mix is big enough.
- Distributed trust: one good mix is 'enough'.
- Apply multiple layers of encryption: $A \rightarrow M_1 : \{M_2, \{M_3, \{B, m\}_{K_3}\}_{K_2}\}_{K_1}$


Additional security properties

Secure multi-hop mixing
- New attack model: active network adversary and corrupt nodes.
- Should not leak unnecessary routing information: all messages must be the same size; the path length must not leak; the position in the path must not leak.

CCA2 shortcomings
- E.g. OAEP was not designed for layered encryption. Yet the concepts should be similar.
- Key: make the ciphertext non-malleable using redundancy and cryptographic digests. If a modification is detected, stop processing.

Getting technical: El-Gamal, URE...

El-Gamal encryption (reminder)
- Keys: private $x$, public $y = g^x$.
- Encryption: $Enc_y(M) = (g^k, y^k \cdot M)$.
- Decryption: $Dec_x(c_0, c_1) = c_1 / c_0^x$.
- Re-encryption: $ReEnc_y(c_0, c_1) = (g^{k'} \cdot c_0, y^{k'} \cdot c_1)$ (needs $y$!).

Universal re-encryption
- Encryption: $UEnc_y(M) = Enc_y(1);\ Enc_y(M)$.
- Decryption: $UDec_x(a, b; c, d) = Dec_x(c, d)$.
- Re-encryption: $URE(a, b; c, d) = (a^z, b^z;\ a^{z'} \cdot c, b^{z'} \cdot d)$ (no need for $y$!).


The Gomulkiewicz et al. URE-based mix system

Problems with traditional decryption mixes:
- Deterministic, so replayed messages are identical, which leads to attacks!
- Keeping track of all processed messages is expensive!

Overcoming those problems (Gomulkiewicz et al.):
- Note that a URE encryption under many keys can be decrypted step by step: if $y_{0\ldots i} = \prod_{j=0}^{i} y_j$ then $UDec_{x_i}(UEnc_{y_{0\ldots i}}(M)) = UEnc_{y_{0\ldots i-1}}(M)$.
- The intermediary outputs are randomized, so replay attacks do not apply.
- Use URE as the encryption method of the decryption mix net!


The Gomulkiewicz et al. scheme in practice

How to construct an onion that travels through mixes with addresses $J_0 \ldots J_i$, keys $y_0 \ldots y_i$, and message $M$:
$UEnc_{y_0}(J_1),\ UEnc_{y_{0\ldots 1}}(J_2),\ \ldots,\ UEnc_{y_{0\ldots i}}(M_0),\ \ldots,\ UEnc_{y_{0\ldots i}}(M_k)$

How mix $j$ processes a message with blocks $C_0, \ldots, C_{i+k}$:
- Decrypt all blocks: $C'_l = UDec_{x_j}(C_l)$.
- Pad with a block of junk to keep the size constant.
- Send the message to the next address ($C'_0$).


The Gomulkiewicz et al. scheme attacked!

Attack intuitions
- No cryptographic link between blocks, so blocks can be inserted!
- Given a URE ciphertext $UEnc_Y(M)$ we can construct an arbitrary ciphertext $UEnc_Y(M')$. (A blinded version of the public key is in the ciphertext.)

Attack implementation
Intercept a message after it is sent and insert the following blocks:
$UEnc_{y_0}(J_{Att}),\ UEnc_{y_0}(J_1),\ UEnc_{y_{0\ldots 1}}(J_{Att}),\ UEnc_{y_{0\ldots 1}}(J_2),\ \ldots,\ UEnc_{y_{0\ldots i}}(J_{Att}),\ UEnc_{y_{0\ldots i}}(M_0),\ \ldots,\ UEnc_{y_{0\ldots i}}(M_k)$

No defence!
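The El-Gamal/URE operations from the "Getting technical" slide, the hop-by-hop decryption under a product key that the Gomulkiewicz et al. scheme relies on, and the block-forging step behind the attack above, as an added example that is not from the slides or the cited papers. It assumes a constructed toy group (p = 2039, g = 2037, far too small for real use) and uses Python's pow with a negative exponent for modular inverses (Python 3.8 or later).

```python
# Added example (not from the slides): toy ElGamal universal re-encryption (URE)
# in Z_p^* with a constructed small prime. Shows hop-by-hop decryption under a
# product key, key-less re-randomization, and the malleability the slides note.
import math
import secrets
P = 2039       # constructed toy prime p = 2q + 1 (q = 1019); far too small to be secure
G = 2037       # -2 mod p, a generator of the whole group Z_p^*
ORDER = P - 1  # exponents live modulo the group order

def rand_exp():
    return secrets.randbelow(ORDER - 1) + 1          # uniform in [1, ORDER - 1]

def pubkey(x):
    return pow(G, x, P)                              # y = g^x

def uenc(y, m):
    # UEnc_y(M) = Enc_y(1); Enc_y(M) with Enc_y(M) = (g^k, y^k * M)
    k1, k2 = rand_exp(), rand_exp()
    return (pow(G, k1, P), pow(y, k1, P), pow(G, k2, P), pow(y, k2, P) * m % P)

def udec(x, ct):
    return ct[3] * pow(ct[2], -x, P) % P             # Dec_x(c, d) = d / c^x

def ure(ct):
    # URE(a, b; c, d) = (a^z, b^z; a^z' * c, b^z' * d): no public key needed
    a, b, c, d = ct
    z, z2 = rand_exp(), rand_exp()
    return (pow(a, z, P), pow(b, z, P), pow(a, z2, P) * c % P, pow(b, z2, P) * d % P)

def product_key(ys):
    return math.prod(ys) % P                         # y_{0..i} = prod_j y_j = g^{sum_j x_j}

def peel(ct, x):
    # One mix hop: strip x from both pairs (leaving UEnc under the product of
    # the remaining keys), then re-randomize so output bits differ from input.
    a, b, c, d = ct
    return ure((a, b * pow(a, -x, P) % P, c, d * pow(c, -x, P) % P))

def route(ct, xs):
    for x in xs:                                     # mixes x_0, x_1, ... in turn
        ct = peel(ct, x)
    return ct[3]                                     # with no key left, d is M itself

def forge(ct, m2):
    # Malleability: (a, b) = (g^k, y^k) is a blinded copy of y, so a valid
    # UEnc_y(M') can be built from any ciphertext without knowing y.
    a, b, c, d = ct
    z, z2 = rand_exp(), rand_exp()
    return (pow(a, z, P), pow(b, z, P), pow(a, z2, P), pow(b, z2, P) * m2 % P)
```

The forged ciphertext decrypts and routes exactly like a legitimate one, which is what makes block insertion undetectable to the mixes.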


The Gomulkiewicz et al. attack illustrated!

Figure: After intercepting Alice’s mix packet, the attacker redirects the message to themselves.


The problem of replies (1)

One way communication is boring!

Anonymous reply addresses: key concepts
- Alice wants Bob to reply, without knowing Alice.
- Attach a cryptographic token to $m$ (the reply block).
- Alice benefits from anonymity, hence she encodes the path of the reply into the reply block.
- Security property: normal and reply messages should be indistinguishable (the same processing is required).


The problem of replies: an example

Normal message
Alice sends a message to Bob through $M_{1\ldots 3}$:
$A \rightarrow M_1 : \{M_2, k_1, \{M_3, k_2, \{B, k_3\}_{K_3}\}_{K_2}\}_{K_1},\ \{\{\{m_a\}_{k_3}\}_{k_2}\}_{k_1}$.

Reply message
Alice sends Bob anonymously the reply block $R \equiv M'_1, \{M'_2, k_1, \{M'_3, k_2, \{A, k_3\}_{K_3}\}_{K_2}\}_{K_1}$.
Bob replies by sending $B \rightarrow M'_1 : R, m_b$. (Mixes do the same processing.)
Alice receives: $M'_3 \rightarrow A : \{\{\{m_b\}^{-1}_{k_3}\}^{-1}_{k_2}\}^{-1}_{k_1}$.


The problem of replies (2)

The limitations of CCA2 secure mechanisms
- CCA2 secure encryption: Alice encodes the full plaintext.
- Mixes with replies: Alice encodes the routing information; Bob adds the actual message.
- Cannot provide CCA2 security by ensuring the message has not been modified: the message is not known when the cryptographic envelope is built!

Hard choices
- Make replies distinguishable (tagging replies is difficult).
- New mechanisms.


A solution concept for anonymous replies

Concept
- Sensitive information: final address and message $(B, m)$.
- CCA2: detect modification and stop processing.
- Our approach: in case of modification, make $(B, m)$ cryptographically unrecoverable.

Two examples
- Mixminion: new standard for anonymous email.
- Minx: an exercise in minimal mix format design.
- Become famous fast: heuristic security, so prove or break.


Mixminion: cryptographic primitives

Conservative stuff
- 2048-bit RSA-OAEP (PKCS#1 standard).
- SHA-1 for digests.
- AES with 128-bit keys in CTR mode (with 0 IV).
- BEAR (or LIONESS) as a variable-block-size block cipher, built from SHA-1 and AES128-CTR as a pseudo-random stream.
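BEAR, the variable-block-size cipher listed above, as an added example that is not Mixminion's code: it follows Anderson and Biham's three-step structure but uses HMAC-SHA256 and a constructed SHA-256 counter-mode stream in place of the SHA-1 and AES128-CTR primitives the slide names, and it checks the all-or-nothing behaviour that the later "tagging attacks" argument depends on.

```python
# Added example (not Mixminion's code): BEAR, the variable-length block cipher of
# Anderson and Biham that Mixminion builds on, written with HMAC-SHA256 and a
# SHA-256 counter stream in place of the SHA-1 / AES128-CTR primitives the
# slides list. Demonstrates the all-or-nothing property: flipping any one bit
# of the ciphertext garbles essentially the whole plaintext on decryption.
import hashlib
import hmac

HSIZE = 32                      # size of the keyed-hash output, and of the left half

def keyed_hash(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()     # H_K(data)

def stream(seed, n):
    # Keystream S(seed) of n bytes: SHA-256 in counter mode (constructed stand-in,
    # not a standard cipher); the stream is keyed by the current left half.
    out = b""
    for ctr in range((n + HSIZE - 1) // HSIZE):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def bear_encrypt(k1, k2, msg):
    # A message longer than HSIZE is split into L (HSIZE bytes) and R (the rest).
    l, r = msg[:HSIZE], msg[HSIZE:]
    l = xor(l, keyed_hash(k1, r))       # L = L xor H_K1(R)
    r = xor(r, stream(l, len(r)))       # R = R xor S(L)
    l = xor(l, keyed_hash(k2, r))       # L = L xor H_K2(R)
    return l + r

def bear_decrypt(k1, k2, ct):
    # Same three steps in reverse order; any change to L or R is fed through the
    # hash or the stream, so every later step operates on garbage.
    l, r = ct[:HSIZE], ct[HSIZE:]
    l = xor(l, keyed_hash(k2, r))
    r = xor(r, stream(l, len(r)))
    l = xor(l, keyed_hash(k1, r))
    return l + r

def bytes_changed_by_flip(k1, k2, msg, index):
    # Flip one bit of the ciphertext at `index`, decrypt, and count plaintext
    # bytes that no longer match; for an AONT this is close to len(msg).
    ct = bytearray(bear_encrypt(k1, k2, msg))
    ct[index] ^= 0x01
    pt = bear_decrypt(k1, k2, bytes(ct))
    return sum(1 for a, b in zip(pt, msg) if a != b)
```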


Packet configurations

Headers, sub-headers and the overall structure of a Mixminion packet.

Figure: packet configurations for the three message types.

                                 Forward        Direct Reply            Anonymized Reply
First leg  (16 subheaders, 2kb)  Sender Onion   Single Use Reply Block  Sender Onion
Second leg (16 subheaders, 2kb)  Sender Onion   Random Data             Single Use Reply Block
Payload    (28kb)                Payload        Payload                 Payload

Header structure: a header holds up to 16 subheaders, padded to 2kb; each subheader carries Version, Shared Secret, Digest, Next Address.

The decoding step

Figure: the decoding step at a mix. Inputs are the headers H1, H2 and the body B. Steps for all messages: RSA decryption of the first subheader (recovering the shared secret S and the digest D), BEAR check & decrypt of the header, and a PRNG stream applied to the rest, giving H1', H2', B'. Extra steps for "swap" messages: hash and BEAR operations that turn H1', H2', B' into H1'', H2'', B''.

Why is it secure? Informal argument

To a passive attacker: the packet always looks indistinguishable from an RSA heading followed by random noise.

To a corrupt mix: no information about route length or position in the route (but first, last and swap). No information about whether it is a reply or a normal packet.

Tagging attacks...
- The adversary has to tag close to Alice, and only in the forward path.
- If the first header is tagged: the message is dropped at the first honest mix.
- If the second header or body is tagged: the final address and body are lost after the first honest mix.
- Cannot replay a slightly modified onion!


Minx: a provocative mix packet format

Concepts
- No modification detection at all!
- All messages (good and bad) look indistinguishable from random strings.
- Modified messages are not detected but get routed at random (with termination).
- Non-standard crypto: raw RSA and AES in IGE mode.

IGE mode?


Minx: schematics

Structure
- Next address and secret are indistinguishable from random.
- IGE is used to encrypt the body. Security property: perfect error propagation.
- Final destination and message encrypted using an AONT.
- Junk is appended to preserve length.


Security argument (1)

If adversary modifies RSA header → body destroyed.


Security argument (2)

If adversary modifies AES-IGE header → body destroyed.


Security argument (3)

If adversary modifies AES-IGE message → body destroyed.
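The IGE chaining rule and the error-propagation property that the Minx schematics and the three security arguments above rely on, as an added example that is not Minx's code; it assumes a constructed toy 16-byte block cipher (a four-round SHA-256 Feistel) standing in for AES, since the Python standard library has no AES.

```python
# Added example (not Minx's code): the IGE chaining rule over a constructed toy
# 16-byte block cipher (4-round Feistel with a SHA-256 round function, standing
# in for AES). Shows the "perfect error propagation" the Minx slides rely on: a
# change to ciphertext block j garbles plaintext block j and every block after it.
import hashlib

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):          # toy permutation standing in for AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def block_decrypt(key, block):          # inverse of block_encrypt
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def ige_encrypt(key, iv, data):
    # IGE: c_i = E(p_i xor c_{i-1}) xor p_{i-1}; iv holds c_{-1} and p_{-1}
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for i in range(0, len(data), BLOCK):
        p = data[i:i + BLOCK]
        c = xor(block_encrypt(key, xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)

def ige_decrypt(key, iv, data):
    # p_i = D(c_i xor p_{i-1}) xor c_{i-1}: a wrong c_{i-1} or p_{i-1} poisons p_i
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        p = xor(block_decrypt(key, xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)

def garbled_blocks(key, iv, plaintext, j):
    # Flip one bit in ciphertext block j, decrypt, and list the plaintext blocks
    # that no longer match: expected j, j+1, ..., last; blocks before j survive.
    ct = bytearray(ige_encrypt(key, iv, plaintext))
    ct[j * BLOCK] ^= 0x80
    pt = ige_decrypt(key, iv, bytes(ct))
    n = len(plaintext) // BLOCK
    return [i for i in range(n) if pt[i*BLOCK:(i+1)*BLOCK] != plaintext[i*BLOCK:(i+1)*BLOCK]]
```

Propagation runs forward only: blocks before the tampered one still decrypt correctly, which is the caveat to keep in mind when reading "body destroyed" on the slides above.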


Open problems

Turning all this into a science
- Security definitions.
- Reduction proofs to the security of the primitives, or tagging or distinguishing attacks.
- Some existing work (Anna Lysyanskaya 2005, Bodo Möller 2004) needs to be extended to replies.

More engineering
- Smaller, faster, less wasteful packet formats.
- Onion routing does not use RSA.
- Can we do away with replay prevention?
- Can we ensure Alice does not know how her message looks?


References

- George Danezis. Breaking four mix-related schemes based on universal re-encryption. In Sokratis K. Katsikas, Javier Lopez, Michael Backes, Stefanos Gritzalis, and Bart Preneel, editors, ISC, volume 4176 of Lecture Notes in Computer Science, pages 46–59. Springer, 2006.
- George Danezis and Ben Laurie. Minx: a simple and efficient anonymous packet format. In Vijay Atluri, Paul F. Syverson, and Sabrina De Capitani di Vimercati, editors, WPES, pages 59–65. ACM, 2004.
- George Danezis, Roger Dingledine, and Nick Mathewson. Mixminion: Design of a type III anonymous remailer protocol. In IEEE Symposium on Security and Privacy, pages 2–15. IEEE Computer Society, 2003.


Instead of conclusions...

Lessons learnt
- Cryptographic attacks can be devastating for mix systems (URE mixes).
- CCA2 security matters: mixes provide decryption oracles. Yet the setting is too complex for standard CCA2 secure cryptosystems.
- New concept: making useful information unrecoverable.
- Targets for attack and proof: Mixminion and Minx.
- Real challenge: traffic analysis resistance!
