Transcription

Lecture 24 – Anonymity and PrivacyStephen CheckowayUniversity of Illinois at ChicagoCS 487 – Fall 2017Slides based on Miller and Bailey’s ECE 422

Anonymity Anonymity: Concealing your identity In the context of the Internet, we may want anonymouscommunications–Communications where the identity of the source and/ordestination are concealed Not the same as secrecy/confidentiality–Confidentiality is about message contents, (what was said) Anonymity is about identities (who said it and to whom)

Nymity Spectrum Verinymity–credit card #s, driver's license, address Pseudonymity–pen names, many blogs Linkable anonymity–loyalty cards, prepaid mobile phone Unlinkable anonymity–paying in cash, Tor

Why do we need anonymity? Necessary to ensure civil liberties:–Free speech, free association, autonomy, freedom from censorshipand constant surveillance Privacy is a human right–Dignity–Not explicit in US constitution, but relevant to 1st 4th 5th 9thamendments in bill of rights Surveillance is exploited for profit–Targeted marketing campaigns–Discrimination (insurance, employment)

Arguments against Privacy? The "Nothing to Hide” Argument–Dangers of constructing a Kafkaesque world–Optional reading: 'I've Got Nothing to Hide' and OtherMisunderstandings of Privacy, Daniel J. Solove–Typically spoken from a view of privilege No one expects privacy anymore anyway–Kids today share their entire lives on Facebook Benefits from sharing (better search results?) Private communications abused by bad guys

How to get Anonymity Internet anonymity is hard*–Difficult if not impossible to achieve on your own–Right there in every packet is the source and destination IP address–* But it’s easy for bad guys. Why? How do we do it? State of the art technique: Ask someone else to send it for you–Ok, it’s a bit more sophisticated than that.

Proxies Proxy: Intermediary that relays our traffic Trusted 3rd party, e.g. . hidemyass.com–You set up an encrypted VPN to their site–All of your traffic goes through them Why easy for bad guys? Compromised machines as proxies.

Alice wants to send a message M to Bob . Bob doesn’t know M is from Alice, and Eve can’t determine that Alice is indeed communicating withBob. HMA accepts messages encrypted for it. Extracts destinationand forwards.

Anonymity motivationSurveillance under: The Patriot Act Section 215 National Security Letters (NSLs) FISA Amendment Act

Image credit: ACLU

Google Transparency ReportNational Security Letters (NSLs)Reporting PeriodJanuary to June 2016July to December 2015January to June 2015July to December 2014January to June 2014July to December 2013January to June 2013July to December 2012January to June 2012July to December 2011January to June 2011July to December 2010January to June 2010July to December 2009January to June 2009National Security 00–1999500–999500–999

Metadata Everything except the contents of your communications:– If– When– How much– Who What (this is actually the data)“. analysis of telephony metadata often reveals information that couldtraditionally only be obtained by examining the contents of communications.That is, metadata is often a proxy for content.”— Prof. Edward W. Felten, Computer Science and Public Affairs, Princeton;(former) Chief Technologist of FTC

XKEYSCORE“I, sitting at my desk, certainly had theauthorities to wiretap anyone, from you oryour accountant, to a federal judge or eventhe President, if I had a personal e-mail,”

Technology as a defense

“Whether we are surveilled by our government, by criminals, or byour neighbors, it is fair to say that never has our ability to shieldour affairs from prying eyes been at such a low ebb. The availabilityand use of secure encryption may offer an opportunity to reclaimsome portion of the privacy we have lost.”— 9th Circuit court opinion, Bernstein v US DOJ 1999“Crypto wars”

Encryption Tools: PGP GnuPG, free software–Pretty Good Privacy (PGP), Phil Zimmerman (1991)–GnuPG (GPG) is a free software recreation–Lets you hide email content via encryption Basic idea:–Hybrid encryption to conceal messages–Digital signatures on messages (hash-then-sign)

PGP cont'd Each user has:–A public encryption key, paired with a private decryption key–A private signature key, paired with a public verification key How does sending/receiving work? How do you find out someone's public key?

Sending and receiving To send a message:–Sign with your signature key–Encrypt message and signature with recipient's public encryptionkey To receive a message:–Decrypt with your private key to get message and signature–Use sender's public verification key to check sig

Fingerprints How do you obtain Bob's public key?–Get it from Bob's website? ( )–Get it from Bob's website, verify using out-of-band communication Keys are unwieldy - fingerprints A fingerprint is a cryptographic hash of a key–Key servers: store public keys, look up by name/email address, verifywith fingerprint What if you don't personally know Bob?–Web of Trust (WoT), “friend of a friend”–Bob introduces Alice to Caro by signing Alice’s key

Drawbacks of (Just) Encryption I What if Bob's machine compromised?–His key material becomes known–Past messages can be decrypted and read–You also have sender's signature on messages sent, so you can proveidentity of sender The software created lots of incriminating records–Key material that decrypts data sent over the public Internet–Signatures with proofs of who said what Alice better watch what she says–Her privacy depends on Bob’s actions

Drawbacks of (Just) Encryption II

Casual Conversations Alice and Bob talk in a room No one else can hear–Unless being recorded No one else knows what they say–Unless Alice or Bob tell them No one can prove what was said–Not even Alice or Bob These conversations are “off-the-record”

Desirable communication properties Forward secrecy:–Even if your key material is compromised, past messages should besafe Deniability: be able to plausibly deny having sent a message Mimic casual, off-the-record conversations–Deniable authentication: be confident of who you are talking to, butunable to prove to a third party what was said

Off-the-Record (OTR) Messaging1. Use Authenticated Diffie-Hellman to establish a (short-lived)session key EKSignalice(gx)AliceSS (gy)xEK H(SS)BobSignbob(gy)SS (gx) yEK H(SS)

OTR II2. Then use secret-key encryption on message M. And authenticate using a MACEEK(M)AliceMACMK(EEK(M))SS (gy)xEK H(SS)MK H(EK)BobSS (gx) yEK H(SS)MK H(EK)

Off-the-Record3. Re-key using Diffie-Hellmangx’, MACMK(gx’)AliceSS’ (gy’)x’EK’ H(SS’)MK’ H(EK’)MK H(EK)Bobgy’, MACMK(gy’)SS’ (gx’) y’EK’ H(SS’)MK’ H(EK’)MK H(EK)

Off-the-Record4. Publish old MKMKAliceSS’ (gy’)x’EK’ H(SS’)MK’ H(EK’)MK H(EK)BobSS’ (gx’) y’EK’ H(SS’)MK’ H(EK’)MK H(EK)

Off-the-record Messaging (OTR) Note this is suited to interactive communication, not so muchemail But, OTR provides–message confidentiality–authentication–perfect forward secrecy–deniability Caveat: we do not have examples of “deniability” serving its purpose inpractice

Using OTR Built in to Adium and Pidgin But beware defaults–Logging enabled by default–Etiquette dictates you should disable this, so does history (e.g.,Chelsea Manning) Very different from Google Hangout’s “off the record” featurewhich merely doesn’t log the conversation

Signal and the “Double Ratchet”The protocol behind Signal app (iphone,android)Trevor Perin and Moxie Marlinspike- Forward secrecyToday’s messages are secret, even if key compromised tomorrow- Future secrecyTomorrow’s messages are secret, even if key compromised today- DeniabilityNo permanent/transferable evidence of what was said- UsabilityTolerates out-of-order message ions/doubleratchet/

Plausibly Deniable StorageGoal: Encrypt data stored on your hard driveProblem: Can be compelled to decrypt it!Idea: have a “decoy” volume with benign information on itExample: VeraCrypt[Does this solve the problem? Caveats?]

Recap Privacy/Anonymity Metadata: Everything except the contents of yourcommunications:– If– When– How much– Who What(this is actually the data)Signal and OTR

Anonymity for browsing?YouServer

Naive approach . VPNsYouServer

VPNs

VPNs“ received a court order asking for informationrelating to an account associated with some orall of the above cases. As stated in our terms ofservice and privacy policy our service is not tobe used for illegal activity, and as a legitimatecompany we will cooperate with lawenforcement if we receive a court order”

Better approach: Tor Low-latency anonymous communication system Hide metadata–who is communicating with whom?–e.g., just sending an encrypted message to The Intercept may getyou in trouble Hide existence of communication–any encrypted message may get you in trouble

Tor overview Works at the transport layer Allows you to make TCP connections without revealing your IPaddress Popular for web connections Tor network made up of volunteer-run nodes, or onionrouters, located all over the world Basic idea: Alice wants to connect to a web server withoutrevealing her IP address

Onion Routing This approach generalizes to an arbitrary number ofintermediaries (“mixes”) Alice ultimately wants to talk to Bob, with the help of HMA,Dan, and Charlie As long as any of the mixes is honest, no one can link Alice withBob

Onion Routing

TorImage credit:Tor Project

TorImage credit:Tor Project

TorImage credit:Tor Project

Trust in Tor Entry node: knows Alice is using Tor, and identity of middlenode, but not destination Exit node: knows some Tor user is connecting to destination,but doesn't know which user Destination: knows a Tor user is connecting to it via the exitnode Important to note that Tor does not provide encryptionbetween exit and destination! (e.g., use HTTPS)

Tor Hidden Services

How to get Tor Tor Browser bundle available (built on modified version offirefox) optional exercise: download and use it! https://www.torproject.org/ .or volunteer to be a part of the Tor network.

Onion Routing Issues/Attacks? Performance: message bounces around a lot Attack: rubber-hose cryptanalysis of mix operators–Defense: use mix servers in different countries Attack: adversary operates all of the ml–Defense: have lots of mix servers (Tor today: 6,500) Attack: adversary observes when Alice sends and when Bobreceives, links the two together A side channel attack – exploits timing information–Defenses: pad messages, introduce significant delays Tor does the former, but notes that it’s not enough for defense

Onion Routing Issues, cont. Issue: traffic leakage Suppose all of your HTTP/HTTPS traffic goes through Tor, butthe rest of your traffic doesn’t How might the operator of sensitive.com deanonymize your web session to their server?

The traffic leakage problem Answer: they inspect the logs of their DNS server to see wholooked up sensitive.com just before your connection to theirweb server arrived Hard, general problem: anonymity often at risk whenadversary can correlate separate sources of information

Metadata If When How much Who What

Metadata If When How much Who What TLS/PGP/OTR/Signal

Metadata If When How much Who What TLS/PGP/OTR/Signal

Pond "Pond is not email. Pond is a forward secure, asynchronousmessaging system for the discerning" Seeks to protect against leaking traffic info against all but aglobal passive adversary–forward secure–no spam–messages expire automatically after a week

PondPrivate KeyPublic KeyUserMessages? Pubkey A padding XXXX.None. padding XXXXXXXXXXXXX Messages? Pubkey A padding XXXX.Message M padding XXXXXXXXX PondServer

PondPrivate KeyPublic KeyUserMessages? Pubkey A padding XXXX.None. padding XXXXXXXXXXXXX Messages? Pubkey A padding XXXX.Message M padding XXXXXXXXX Private keyPondServer

Metadata summary If When How much Who What Pond TLS/PGP