Anonymity and Cryptography
George Danezis
K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium.
Weworc 2007 – Bochum, Germany.
George Danezis (K.U.Leuven)
Anonymity and Cryptography
Weworc 2007
1 / 30
Outline
Roadmap:
- Introduction to anonymous communications and mix systems
- A broken design: URE mixes
- Two ‘secure’ designs: Mixminion and Minx
- Open problems and conclusion
Anonymity
Why? Necessary to implement common social interactions:
- Anonymous electronic cash, credentials or auctions.
- Election protocols (receipt-freeness).
- Political speech without fear or censorship.
How? Key systems:
- David Chaum’s mix (1981)
- DC-networks (1985)
- Onion Routing (1996) / Tor (2004)
- Reiter and Rubin’s Crowds (1998)
Mix systems
What is a mix? A network router for messages or streams. Hides correspondences between inputs and outputs.
How to hide correspondences?
Traffic analysis resistance
- Disrupt the timing of messages: batch and shuffle.
- Change the traffic characteristics of streams.
- Fascinating open problem . . . but another talk.
Bitwise unlinkability
- Ensure input and output bit-patterns are unlinkable.
- Cryptographic problem: use cryptographic transformations and padding.
- Detect and prevent replays.
- Two flavours: decryption and re-encryption mixes.
- Threat model: active adversaries.
A first (insecure) attempt
Decryption mixes
- Alice encrypts the message $m$ and final destination $B$ under the mix’s public key $K_{mix}$.
- Encryption uses a hybrid cipher: $\{m\}_K \equiv RSA_K(\text{fresh } k),\ \text{fresh } IV,\ RC4_{IV,k} \oplus m$.
- Attack (active): $\{B, m\}_{K_{mix}} \oplus (0, t) \to m \oplus t$.
- (The original mix proposal in 1981 used raw RSA.)
Security for mix packet formats
At least CCA2 security
- The adversary can intercept mix messages.
- Apply any function to them (identity aside).
- Use the mix as a decryption oracle.
- Definition of CCA2 security: (adaptive) chosen-ciphertext attack.
More than CCA2 security
- Secure multi-hop mixing.
- Secure indistinguishable replies.
- Fundamentally different mechanisms than CCA2 systems.
Mix networks
Why use multiple mixes?
- Load balancing: no mix is big enough.
- Distributed trust: one good mix is ‘enough’.
Apply multiple layers of encryption: $A \to M_1 : \{M_2, \{M_3, \{B, m\}_{K_3}\}_{K_2}\}_{K_1}$
Additional security properties
Secure multi-hop mixing
- New attack model: active network adversary and corrupt nodes.
- Should not leak unnecessary routing information.
- All messages must be the same size.
- Path length must not leak.
- Position in the path must not leak.
CCA2 shortcomings
- E.g. OAEP was not designed for layered encryption.
- Yet the concepts should be similar.
- Key: make the ciphertext non-malleable using redundancy and cryptographic digests.
- If a modification is detected, stop processing.
Getting technical: El-Gamal, URE. . .
El-Gamal encryption (reminder)
- Keys: private $x$, public $y = g^x$
- Encryption: $Enc_y(M) = (g^k,\ y^k \cdot M)$
- Decryption: $Dec_x(c_0, c_1) = c_1 / c_0^x$
- Re-encryption: $ReEnc_y(c_0, c_1) = (g^{k'} \cdot c_0,\ y^{k'} \cdot c_1)$ (need $y$!)
Universal re-encryption
- Encryption: $UEnc_y(M) = Enc_y(1);\ Enc_y(M)$
- Decryption: $UDec_x(a, b; c, d) = Dec_x(c, d)$
- Re-encryption: $URE(a, b; c, d) = (a^z,\ b^z;\ a^{z'} \cdot c,\ b^{z'} \cdot d)$ (no need for $y$!)
The Gomulkiewicz et al. URE-based mix system
Problems with traditional decryption mixes:
- Deterministic → replayed messages are identical → attacks!
- Keeping track of all processed messages → expensive!
Overcoming those problems: Gomulkiewicz et al.
- Note that URE encryption with many keys can be decrypted step by step: if $y_{0..i} = \prod_{j=0}^{i} y_j$ then $UDec_{x_i}(UEnc_{y_{0..i}}(M)) = UEnc_{y_{0..i-1}}(M)$.
- The intermediary outputs are randomized, so a replayed message no longer looks identical (↛ replay attacks).
- Use URE as the encryption method of the decryption mix net!
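As an added worked example (not from the slides or the Gomulkiewicz et al. paper), the El-Gamal, re-encryption and URE operations above over a constructed toy group (p = 1019, far too small for real use), together with the step-by-step decryption a URE mix net relies on. Note that peeling one key layer, unlike the final UDec, has to divide both halves of the ciphertext by the corresponding power of the private key.

```python
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1 with q = 509
# prime, and g = 4 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x = rand_exp()                                   # private x
    return x, pow(G, x, P)                           # public y = g^x

def enc(y, m):                                       # Enc_y(M) = (g^k, y^k * M)
    k = rand_exp()
    return pow(G, k, P), (pow(y, k, P) * m) % P

def dec(x, c):                                       # Dec_x(c0, c1) = c1 / c0^x
    c0, c1 = c
    return (c1 * pow(c0, P - 1 - x, P)) % P          # c0^(p-1-x) = c0^-x mod p

def reenc(y, c):                                     # ReEnc_y: fresh k', needs y
    k2 = rand_exp()
    return (pow(G, k2, P) * c[0]) % P, (pow(y, k2, P) * c[1]) % P

def uenc(y, m):                                      # UEnc_y(M) = Enc_y(1); Enc_y(M)
    return enc(y, 1) + enc(y, m)

def ure(u):                                          # URE: only the blinded key (a, b) is needed
    a, b, c, d = u
    z1, z2 = rand_exp(), rand_exp()
    return pow(a, z1, P), pow(b, z1, P), (pow(a, z2, P) * c) % P, (pow(b, z2, P) * d) % P

def udec_step(x, u):                                 # peel one key layer off BOTH halves:
    a, b, c, d = u                                   # UEnc_{y0..i}(M) -> UEnc_{y0..i-1}(M)
    return a, dec(x, (a, b)), c, dec(x, (c, d))

def udec(x, u):                                      # UDec_x(a, b; c, d) = Dec_x(c, d)
    return dec(x, u[2:])

def mixnet_roundtrip(m, hops=3):
    """Encrypt m under y_{0..i} = prod(y_j); each mix strips its layer and re-randomises."""
    keys = [keygen() for _ in range(hops)]
    y_all = 1
    for _, y in keys:
        y_all = (y_all * y) % P
    u = uenc(y_all, m)
    for x, _ in keys[:-1]:
        u = ure(udec_step(x, u))                     # randomised output: replays do not repeat
    return udec(keys[-1][0], u)                      # last mix recovers m
```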
The Gomulkiewicz et al. system in practice
How to construct an onion that travels through mixes with addresses $J_0 \ldots J_i$, keys $y_0 \ldots y_i$ and message $M$:
$UEnc_{y_0}(J_1),\ UEnc_{y_{0..1}}(J_2),\ \ldots,\ UEnc_{y_{0..i}}(M_0),\ \ldots,\ UEnc_{y_{0..i}}(M_k)$
How mixes (say $j$) process a message with blocks $C_0, \ldots, C_{i+k}$:
- Decrypt all blocks: $C'_l = UDec_{x_j}(C_l)$
- Pad with a block of junk to keep the size constant.
- Send the message to the next address ($C'_0$).
The Gomulkiewicz et al. system attacked!
Attack intuitions
- No cryptographic link between blocks → can insert!
- Given a URE ciphertext $UEnc_Y(M)$ we can construct an arbitrary ciphertext $UEnc_Y(M')$. (A blinded version of the public key is in the ciphertext.)
Attack implementation
Intercept a message after it is sent and insert the following blocks:
$UEnc_{y_0}(J_{Att.}),\ UEnc_{y_0}(J_1),\ UEnc_{y_{0..1}}(J_{Att.}),\ UEnc_{y_{0..1}}(J_2),\ \ldots,\ UEnc_{y_{0..i}}(J_{Att.}),\ UEnc_{y_{0..i}}(M_0),\ \ldots,\ UEnc_{y_{0..i}}(M_k)$
No defence!
The Gomulkiewicz et al. attack illustrated!
Figure: After intercepting Alice’s mix packet, the attacker redirects the message to themselves.
The problem of replies (1)
One-way communication is boring!
Anonymous reply addresses: key concepts
- Alice wants Bob to reply without knowing Alice.
- Attach a cryptographic token to $m$ (reply block).
- Alice benefits from anonymity, hence she encodes the path of the reply into the reply block.
- Security property: normal and reply messages should be indistinguishable. (Same processing is required.)
The problem of replies: an example
Normal message: Alice sends a message to Bob through $M_{1..3}$.
$A \to M_1 : \{M_2, k_1, \{M_3, k_2, \{B, k_3\}_{K_3}\}_{K_2}\}_{K_1},\ \{\{\{m_a\}_{k_3}\}_{k_2}\}_{k_1}$
Reply message: Alice sends Bob anonymously the reply block $R$:
$R \equiv M'_1,\ \{M'_2, k_1, \{M'_3, k_2, \{A, k_3\}_{K_3}\}_{K_2}\}_{K_1}$
Bob replies by sending $B \to M'_1 : R, m_b$. (Mixes do the same processing.)
Alice receives: $M'_3 \to A : \{\{\{m_b\}^{-1}_{k_3}\}^{-1}_{k_2}\}^{-1}_{k_1}$
The problem of replies (2)
The limitations of CCA2 secure mechanisms
- CCA2 secure encryption: Alice encodes the full plaintext.
- Mixes with replies: Alice encodes the routing information; Bob adds the actual message.
- Cannot provide CCA2 security by ensuring the message has not been modified: the message is not known when the cryptographic envelope is built!
Hard choices
- Make replies distinguishable (tagging replies is difficult).
- New mechanisms.
A solution concept for anonymous replies
Concept
- Sensitive information: final address and message $(B, m)$.
- CCA2: detect modification and stop processing.
- Our approach: in case of modification, make $(B, m)$ cryptographically unrecoverable.
Two examples
- Mixminion: new standard for anonymous email.
- Minx: an exercise in minimal mix format design.
- Become famous fast: heuristic security → prove or break.
Mixminion: cryptographic primitives
Conservative stuff
- 2048-bit RSA-OAEP (PKCS#1 standard)
- SHA-1 for digests
- AES with 128-bit keys in CTR mode (with zero IV)
- Use BEAR (or LIONESS) as a variable-block-size block cipher, built from SHA-1 and AES128-CTR as a pseudo-random stream.
Packet configurations
Headers, sub-headers and the overall structure of a Mixminion packet.
Figure (reconstructed from the slide’s labels): three configurations, Forward, Direct Reply and Anonymized Reply, each made of two header legs and a payload.
- First leg (16 subheaders, 2kb): Forward = Sender Onion; Direct Reply = Single Use Reply Block; Anonymized Reply = Sender Onion
- Second leg (16 subheaders, 2kb): Forward = Sender Onion; Direct Reply = Random Data; Anonymized Reply = Single Use Reply Block
- Payload (28kb): Payload in all three configurations
Header: up to 16 subheaders padded to 2kb.
Subheader: Version, Shared Secret, Digest, Next Address.
The decoding step
Figure: decoding of a packet with headers H1, H2 and body B. Steps for all messages: RSA decryption of H1 yields the secret S, followed by BEAR “Check & Decrypt” and a PRNG seeded from S, producing H1’, H2’, B’. Extra steps for “swap” messages: further HASH and BEAR steps produce H1’’, H2’’, B’’.
Why is it secure? Informal argument
To a passive attacker: the packet always looks indistinguishable from an RSA heading followed by random noise.
To a corrupt mix:
- No information about route length or position in the route (but first, last and swap).
- No information about whether it is a reply or a normal packet.
Tagging attacks. . .
- The adversary has to tag close to Alice, and only in the forward path.
- If the first header is tagged: the message is dropped at the first honest mix.
- If the second header or body is tagged: final address and body are lost after the first honest mix.
- Cannot replay a slightly modified onion!
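To make the “body is lost” argument concrete, an added example (not Mixminion’s own code): a BEAR-style wide-block cipher built from HMAC-SHA256 and a SHA-256 counter keystream, stand-ins for the SHA-1 and AES-CTR primitives named on the primitives slide, set beside the plain stream-XOR layer of the insecure first design. Flipping one ciphertext bit changes exactly one plaintext byte under stream XOR but scrambles the entire BEAR block, which is what makes a tagged body unrecoverable rather than merely corrupted.

```python
import hmac, hashlib

HASH = 32            # bytes in the left half L (digest size of the hash used)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(seed, n):                       # SHA-256 counter mode, stand-in for AES-CTR
    out = b""
    for i in range((n + HASH - 1) // HASH):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:n]

def prf(key, data):                           # keyed hash, stand-in for the SHA-1 digest
    return hmac.new(key, data, hashlib.sha256).digest()

def bear_encrypt(k1, k2, m):                  # BEAR: m longer than HASH bytes, split L | R
    L, R = m[:HASH], m[HASH:]
    L = xor(L, prf(k1, R))
    R = xor(R, keystream(L, len(R)))          # stream keyed by the whole (mixed) left half
    L = xor(L, prf(k2, R))
    return L + R

def bear_decrypt(k1, k2, c):                  # the same three steps in reverse order
    L, R = c[:HASH], c[HASH:]
    L = xor(L, prf(k2, R))
    R = xor(R, keystream(L, len(R)))
    L = xor(L, prf(k1, R))
    return L + R

def stream_encrypt(key, m):                   # plain stream XOR, the RC4 layer of the insecure design
    return xor(m, keystream(key, len(m)))

def flip_bit(data, bit):
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def bytes_changed(a, b):
    return sum(x != y for x, y in zip(a, b))

def tamper_effect(k1, k2, m, bit):
    """Flip one ciphertext bit; return how many plaintext bytes change under (stream XOR, BEAR)."""
    s = bytes_changed(m, stream_encrypt(k1, flip_bit(stream_encrypt(k1, m), bit)))
    w = bytes_changed(m, bear_decrypt(k1, k2, flip_bit(bear_encrypt(k1, k2, m), bit)))
    return s, w
```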
Minx: a provocative mix packet format
Concepts
- No modification detection at all!
- All messages (good and bad) look indistinguishable from random strings.
- Modified messages are not detected but get routed at random (with termination).
- Non-standard crypto: raw RSA and AES in IGE mode.
IGE mode?
Minx: schematics
Structure
- Next address and secret are indistinguishable from random.
- IGE is used to encrypt the body. Security property: perfect error propagation.
- Final destination and message are encrypted using an AONT.
- Junk is appended to preserve length.
Security argument (1)
If adversary modifies RSA header → body destroyed.
Security argument (2)
If adversary modifies AES-IGE header → body destroyed.
Security argument (3)
If adversary modifies AES-IGE message → body destroyed.
Open problems
Turning all this into a science
- Security definitions.
- Reduction proofs to the security of the primitives, or tagging or distinguishing attacks.
- Some existing work (Anna Lysyanskaya 2005, Bodo Möller 2004) needs to be extended to replies.
More engineering
- Smaller, faster, less wasteful packet formats. Onion routing does not use RSA.
- Can we do away with replay prevention?
- Can we ensure Alice does not know how her message looks?
References
- George Danezis. Breaking four mix-related schemes based on universal re-encryption. In Sokratis K. Katsikas, Javier Lopez, Michael Backes, Stefanos Gritzalis, and Bart Preneel, editors, ISC, volume 4176 of Lecture Notes in Computer Science, pages 46–59. Springer, 2006.
- George Danezis and Ben Laurie. Minx: a simple and efficient anonymous packet format. In Vijay Atluri, Paul F. Syverson, and Sabrina De Capitani di Vimercati, editors, WPES, pages 59–65. ACM, 2004.
- George Danezis, Roger Dingledine, and Nick Mathewson. Mixminion: Design of a type III anonymous remailer protocol. In IEEE Symposium on Security and Privacy, pages 2–15. IEEE Computer Society, 2003.
Instead of conclusions. . .
Lessons learnt
- Cryptographic attacks can be devastating for mix systems (URE mixes).
- CCA2 security matters: mixes provide decryption oracles. Yet they are too complex for standard CCA2 secure cryptosystems.
- New concept of making useful information unrecoverable. Targets for attack and proof: Mixminion and Minx.
- Real challenge: traffic analysis resistance!