CSE 484 / CSE M 584: Computer Security and Privacy
Anonymity and Secure Messaging
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

Tor
• Second-generation onion routing network
  – https://www.torproject.org/
  – Now a large open source project with a non-profit organization behind it
  – Specifically designed for low-latency anonymous Internet communications
• Running since October 2003
• “Easy-to-use” client proxy
  – Freely available, can use it for anonymous browsing
12/9/16 CSE484/CSEM584-Fall2016 2

Tor Browser Bundle
• A single, downloadable browser app which does the right thing.

Tor Circuit Setup (1)
• Client proxy establishes a symmetric session key and circuit with Onion Router #1

Tor Circuit Setup (2)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
  – Tunnel through Onion Router #1

Tor Circuit Setup (3)
• Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
  – Tunnel through Onion Routers #1 and #2

Using a Tor Circuit
• Client applications connect and communicate over the established Tor circuit.
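
The layering that results from the three-hop setup above, as an added example that is not part of the original slides. It assumes the three session keys already exist (the key agreement itself is not shown), uses a SHAKE-256 keystream as a stand-in for the real cell encryption, and fixes the route instead of carrying next-hop information; the names `OnionRouter`, `client_wrap` and `run_circuit` are hypothetical.

```python
import hashlib
import os

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHAKE-256 keystream XOR); not Tor's real cell crypto."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

class OnionRouter:
    """One hop: holds only the session key it shares with the client proxy."""
    def __init__(self, name: str, session_key: bytes):
        self.name, self.key, self.seen = name, session_key, []

    def peel(self, nonce: bytes, cell: bytes) -> bytes:
        inner = stream_xor(self.key, nonce, cell)  # remove this hop's layer
        self.seen.append(inner)                    # record what this hop can observe
        return inner

    def wrap(self, nonce: bytes, cell: bytes) -> bytes:
        return stream_xor(self.key, nonce, cell)   # add a layer on the return path

def client_wrap(keys, nonce: bytes, payload: bytes) -> bytes:
    # Innermost layer is for the last router, outermost layer for router #1.
    for key in reversed(keys):
        payload = stream_xor(key, nonce, payload)
    return payload

def client_unwrap(keys, nonce: bytes, cell: bytes) -> bytes:
    for key in keys:
        cell = stream_xor(key, nonce, cell)
    return cell

def run_circuit(request: bytes, reply: bytes):
    keys = [os.urandom(32) for _ in range(3)]      # constructed session keys
    routers = [OnionRouter(f"OR{i + 1}", k) for i, k in enumerate(keys)]
    nonce = os.urandom(16)
    cell = client_wrap(keys, nonce, request)
    for router in routers:                         # forward: OR1 -> OR2 -> OR3
        cell = router.peel(nonce, cell)
    back_nonce = os.urandom(16)
    back = reply
    for router in reversed(routers):               # backward: OR3 -> OR2 -> OR1
        back = router.wrap(back_nonce, back)
    return routers, cell, client_unwrap(keys, back_nonce, back)
```

Only the last router's `seen` list contains the request in the clear, which is also why the exit node is the hop that can read unencrypted application traffic.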

Tor Management Issues
• Many applications can share one circuit
  – Multiple TCP streams over one anonymous connection
• Tor router doesn’t need root privileges
  – Encourages people to set up their own routers
  – More participants = better anonymity for everyone
• Directory servers
  – Maintain lists of active onion routers, their locations, current public keys, etc.
  – Control how new routers join the network
    • “Sybil attack”: attacker creates a large number of routers
  – Directory servers’ keys ship with Tor code

Location Hidden Service
• Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
• Accessible from anywhere
• Resistant to censorship
• Can survive a full-blown DoS attack
• Resistant to physical attack
  – Can’t find the physical server!

Creating a Location Hidden Server
Server creates circuits to “introduction points”
Server gives intro points’ descriptors and addresses to service lookup directory
Client obtains service descriptor and intro point address from directory

Using a Location Hidden Server
Client creates a circuit to a “rendezvous point”
Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
If server chooses to talk to client, connect to rendezvous point
Rendezvous point splices the circuits from client & server

Attacks on Anonymity
• Passive traffic analysis
  – Infer from network traffic who is talking to whom
  – To hide your traffic, must carry other people’s traffic!
• Active traffic analysis
  – Inject packets or put a timing signature on packet flow
• Compromise of network nodes
  – Attacker may compromise some routers
  – It is not obvious which nodes have been compromised
    • Attacker may be passively logging traffic
  – Better not to trust any individual router
    • Assume that some fraction of routers is good, don’t know which

Deployed Anonymity Systems
• Tor (http://tor.eff.org)
  – Overlay circuit-based anonymity network
  – Best for low-latency applications such as anonymous Web browsing
• Mixminion (http://www.mixminion.net)
  – Network of mixes
  – Best for high-latency applications such as anonymous email
• Not: Yik Yak :)

Some Caution
• Tor isn’t completely effective by itself
  – Tracking cookies, fingerprinting, etc.
  – Exit nodes can see everything!

Identifying Web Pages: Traffic Analysis
Herrmann et al. “Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier” CCSW 2009

OTR AND SECURE MESSAGING

OTR – “Off The Record”
• Protocol for end-to-end encrypted instant messaging
• End-to-end: Only the endpoints can read messages.
  – PGP, iMessage, WhatsApp, and a variety of other services provide some form of end-to-end encryption today.
(Borisov, Goldberg, Brewer 2014)

OTR – “Off The Record”
• End-to-end encryption
• Authentication
• Deniability/Repudiability, after the fact
• Perfect Forward Secrecy

OTR: Deniability/Repudiability
[Figure: Eve; Alice and Bob; “Something incriminating”]

OTR: Deniability/Repudiability
• During a conversation session, messages are authenticated and unmodified.
• Authentication happens using a MAC derived from a shared secret.
• Q1

OTR: Deniability/Repudiability
• Can’t prove the other person sent the message, because you also could have computed the MAC!
• OTR takes this one step farther: After a messaging session is over, Alice and Bob send the MAC key publicly over the wire!

OTR: Deniability/Repudiability
• Eve now knows the MAC key, so technically speaking, she also has the ability to forge messages from Alice or Bob.
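
The deniability argument above, carried through with HMAC as an added example that is not part of the original slides. The derivation of the MAC key from the shared secret, the sample messages and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

def derive_mac_key(shared_secret: bytes) -> bytes:
    # Assumed derivation for this example: hash the session's shared secret.
    return hashlib.sha256(b"mac-key" + shared_secret).digest()

def mac(mac_key: bytes, sender: str, text: bytes) -> bytes:
    return hmac.new(mac_key, sender.encode() + b"\x00" + text, hashlib.sha256).digest()

def verify(mac_key: bytes, sender: str, text: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mac_key, sender, text), tag)

def deniability_demo() -> dict:
    shared_secret = os.urandom(32)            # constructed session secret
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)   # same secret, so the same MAC key
    out = {}

    # During the session: Bob gets integrity and authentication.
    genuine = (b"See you at noon", mac(alice_key, "alice", b"See you at noon"))
    out["bob_accepts_genuine"] = verify(bob_key, "alice", *genuine)
    out["bob_rejects_tampered"] = not verify(bob_key, "alice", b"See you at nine", genuine[1])
    # Eve, without the key, cannot produce a tag Bob accepts.
    out["eve_blocked_in_session"] = not verify(
        bob_key, "alice", b"Something incriminating",
        mac(os.urandom(32), "alice", b"Something incriminating"))

    # Bob can fabricate a message "from Alice" whose tag is as valid as a genuine one.
    bob_fake = (b"Something incriminating", mac(bob_key, "alice", b"Something incriminating"))
    # After the session the MAC key is sent in the clear, so Eve can do the same.
    published_key = alice_key
    eve_fake = (b"Something else", mac(published_key, "alice", b"Something else"))

    # A third party checking the transcript with the MAC key cannot tell them apart.
    out["transcript_check"] = [verify(published_key, "alice", text, tag)
                               for text, tag in (genuine, bob_fake, eve_fake)]
    return out
```

All three transcript entries verify, so a valid tag shows only that someone who held the key wrote the entry, not which party did.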

Perfect Forward Secrecy
[Figure: Eve; Alice and Bob; public info, e.g. C1 C2 C3 … Cn; Secrets A; Secrets B]
If Eve compromises Alice or Bob’s computers at a later date, we would like to prevent her from being able to learn what M1, M2, M3, etc. correspond to C1, C2, C3, etc.

OTR: Ratcheting
• Idea: Use a new key for every session/message/time period.
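
How a new key per message gives the forward secrecy property stated above, as an added example that is not part of the original slides. It is a simplified symmetric hash ratchet, not the key schedule OTR or Signal actually use; the SHAKE-256 keystream is a stand-in cipher, and the class and function names are hypothetical.

```python
import hashlib
import os

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHAKE-256 keystream XOR), used only to keep the example short."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

class HashRatchet:
    """Symmetric hash ratchet: each message key is used once, then the chain moves on."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = hashlib.sha256(b"message" + self.chain_key).digest()
        # One-way step: the previous chain key is overwritten and cannot be recomputed.
        self.chain_key = hashlib.sha256(b"chain" + self.chain_key).digest()
        return message_key

    def crypt(self, data: bytes) -> bytes:
        return stream_xor(self.next_message_key(), b"", data)

def later_compromise_demo():
    messages = [b"M1: hello", b"M2: the plan", b"M3: goodbye"]  # constructed sample
    root = os.urandom(32)                  # stands for the session's shared secret
    alice, bob = HashRatchet(root), HashRatchet(root)
    ciphertexts = [alice.crypt(m) for m in messages]   # C1..C3, recorded by Eve
    received = [bob.crypt(c) for c in ciphertexts]

    # Later, Eve seizes Bob's machine: all that is left is the current chain key.
    eve = HashRatchet(bob.chain_key)
    eve_keys = [eve.next_message_key() for _ in range(16)]
    ratcheted_leak = [m for m, c in zip(messages, ciphertexts)
                      if any(stream_xor(k, b"", c) == m for k in eve_keys)]

    # Baseline without ratcheting: one long-lived key, still on disk when Eve arrives.
    static_key = os.urandom(32)
    static_cts = [stream_xor(static_key, bytes([i]), m) for i, m in enumerate(messages)]
    static_leak = [stream_xor(static_key, bytes([i]), c) for i, c in enumerate(static_cts)]
    return received, ratcheted_leak, static_leak
```

The stolen chain key still yields every later message key, so a hash chain alone protects only messages sent before the compromise.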

Signal
• End-to-end encrypted chat/IM based on OTR
• Provides variations on ratcheting, deniability, etc.
• Widely used, public code, audited.