CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy - - PowerPoint PPT Presentation

CS 683 - Security and Privacy Fall 2019

Instructor: Karim Eldefrawy

University of San Francisco

http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm

1

Privacy cy and Anonymity

2

Privacy

• Privacy and Society
• Basic individual right & desire
• Relevant to corporations & government agencies
• Recently increased awareness
• However, general public’s perception of privacy is fickle
• Privacy and Technology in Recent Years
• >> Information disclosed on the Internet
• >> Handling and transfer of sensitive information
• << Privacy and accountability

3 (Image from geekologie.com)

Privacy on Public Networks

• The Internet is designed as a public network
• Machines on your LAN may see your traffic, network routers see all traffic that

passes through them

• Routing information is public
• IP packet headers identify source and destination
• Even a passive observer can easily figure out who is talking to whom
• Encryption (e.g., SSL or IPSec) does not hide identities
• Encryption hides payload, not routing information
• Even IP-level encryption (tunnel-mode IPsec/ESP) reveals IP addresses of IPsec

gateways

4

Applications of Anonymity (1)

• Privacy
• Hide online transactions, Web browsing, etc. from intrusive governments,

marketers, archival/search entities (e.g., Google) as well as from criminals and snoops

• Untraceable Electronic Mail
• Corporate whistle-blowers
• Political dissidents in oppressive societies
• Socially sensitive communications (online AA or STD meeting)
• Confidential business negotiations
• Law Enforcement and Intelligence
• Sting operations and honeypots
• Secret communications on a public network
• Informers, secret agents, etc.

5

Applications of Anonymity (2)

• Digital/Electronic Cash
• Electronic currency with properties of paper money (online purchases unlinkable to

buyer’s identity)

• Anonymous Electronic Voting
• Censorship-Resistant Publishing
• Crypto-Anarchy
• “Some people say that “anarchy won't work.” That's not an argument against

anarchy; that's an argument against work.” – Bob Black J

6

Applications of Anonymity (3)

• Porn
• Libel
• Disinformation / Propaganda
• Sale of Illegal Substances (e.g., Silk Road, Alpha Bay … etc.)
• Tax Avoidance (via Untraceable Payments)
• Incitement to Criminal Activity (e.g., Murder, Rioting, Genocide, Terrorism)

7

What is Anonymity?

• Anonymity: is the inability to identify someone within a set of subjects (size

varies)

• Different from PRIVACY – right to be left alone
• Hide your activities among similar activities by others
• One cannot be anonymous alone!
• Big difference between anonymity and confidentiality
• Unlinkability: of action and identity
• For example, sender and his email are no more related after observing

communication than they were before

• Unobservability: (very hard to achieve)
• Observer cannot tell whether a certain action took place

8

Attacks on Anonymity

• Passive Traffic Analysis
• Infer from network traffic who is talking to whom
• To hide your traffic, must carry other people’s traffic!
• Active Traffic Analysis
• Inject packets or put a timing signature on packet flow
• Compromise of Network Nodes (Routers)
• Not obvious which nodes have been compromised
• Attacker may be passively logging traffic
• It’s better not to trust any individual node
• Assume that some fraction of nodes is good, but do not know which

9

Chaum’s Mix

• Early proposal for anonymous email
• David Chaum. “Untraceable electronic mail, return addresses, and digital

pseudonyms”. Communications of the ACM, February 1981.

• Public-key crypto + trusted re-mailer (Mix)
• Untrusted communication medium
• Public-keys used as persistent pseudonyms
• Modern anonymity systems use Mix as the basic building block

10

Before spam, people thought anonymous email was a good idea J

Basic Mix Design

11

A C D E B

Mix

{r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B {r2,{r3,M’}pk(E),E}pk(mix) {r4,{r5,M’’}pk(B),B}pk(mix) {r5,M’’}pk(B),B {r3,M’}pk(E),E

Adversary knows all senders and all receivers, but cannot link a sent message with a received message

Anonymous Return Addresses

• 12

A B

MIX {r1,{r0,M}pk(B),B}pk(mix) {r0,M}pk(B),B

M includes {K1,A}pk(mix’), K2 where K2 is a fresh public key and MIX’ is possibly different from MIX

Response MIX’

{K1,A}pk(mix’), {r2,M’}K2

A,{{r2,M’}K2}K1

Secrecy without authentication (good for an online confession service J)

Mix Cascade

• Messages are sent through a sequence of mixes
• Can also form an arbitrary network of mixes (“mixnet”)
• Some mixes may be controlled by attacker, but even a single good mix

guarantees some anonymity

• Pad and buffer traffic to foil correlation attacks

13

Disadvantages of Basic Mixnets

• Public-key encryption and decryption at each mix are computationally

expensive

• Basic mixnets have high latency
• Ok for email, but not for anonymous Web browsing
• Challenge: low-latency anonymity network
• Use public-key cryptography to establish a “circuit” with pairwise symmetric keys

between hops on the circuit

• Then use symmetric decryption and re-encryption to move data messages along the

established circuits

• Each node behaves like a mix; anonymity is preserved even if some nodes are

compromised

14

Another Idea: Randomized Routing

• Hide sources by routing messages randomly
• Popular technique: Crowds, Freenet, Onion routing
• Routers do not know if the apparent source of a message is the true sender
• r another router

15

Onion Routing

16

R R4 R1 R2 R R R3

Bob

R R R

• Sender chooses a random sequence of routers
• Some routers are honest, some are not
• Sender controls path length

Alice

[Reed, Syverson, Goldschlag 1997]

Route Establishment

17

R4 R1 R2 R3

Bob Alice

{R2,k1}pk(R1),{ }k1 {R3,k2}pk(R2),{ }k2 {R4,k3}pk(R3),{ }k3 {B,k4}pk(R4),{ }k4 {M}pk(B)

• Routing info for each link encrypted with router’s public key
• Each router learns only the identity of the next router

The Onion Router (Tor)

• Second-generation onion routing network
• http://tor.eff.org
• Specifically designed for low-latency anonymous Internet communications (e.g.,

Web browsing)

• Running since October 2003
• Hundreds of nodes on all continents
• 2+ million users as of 2018
• “Easy-to-use” client proxy
• Freely available, can use it for anonymous browsing
• Available for smartphones and tablets too

18

Tor Circuit Setup (1)

• Client proxy establishes a symmetric session key and circuit with Onion

Router #1

19

Tor Circuit Setup (2)

• Client proxy extends the circuit by establishing a symmetric session key

with Onion Router #2

• Tunnel through Onion Router #1

20

Tor Circuit Setup (3)

• Client proxy extends the circuit by establishing a symmetric session key

with Onion Router #3

• Tunnel through Onion Routers #1 and #2

21

Using a Tor Circuit

• Client applications connect and communicate over the established Tor

circuit (also to multiple dst-s)

• Datagrams are decrypted and re-encrypted at each link

22

Tor Management Issues

• Many applications can share one circuit
• Multiple TCP streams over one anonymous connection
• Tor router do not need root privileges
• Encourages people to set up their own routers
• More participants = better anonymity for everyone
• Directory servers
• Maintain lists of active onion routers, their locations, current public keys, etc.
• Control how new routers join the network
• “Sybil attack”: attacker creates a large number of routers
• Directory servers’ keys ship with Tor code

23

Location Hidden Servers

• Goal: deploy a server on the Internet that anyone can connect to without

knowing where it is or who runs it

• Accessible from anywhere
• Resistant to censorship
• Can survive a full-blown DoS attack
• Resistant to physical attack
• Can not find the physical server!

24

Creating a Location Hidden Server

25

Server creates circuits to “introduction points” Server gives intro points’ descriptors and addresses to service lookup directory Client obtains service descriptor and intro point address from directory

Using a Location Hidden Server

26

Client creates a circuit to a “rendezvous point” Client sends address of the rendezvous point and any authorization, if needed, to server through intro point If server chooses to talk to client, connect to rendezvous point Rendezvous point matches the circuits from client & server

Deployed Anonymity Systems

• Free Haven project has an excellent bibliography on anonymity
• http://www.freehaven.net/anonbib
• Tor (http://tor.eff.org)
• Overlay circuit-based anonymity network
• Best for low-latency applications such as anonymous Web browsing
• Mixminion (http://www.mixminion.net)
• Network of mixes
• Best for high-latency applications such as anonymous email

27

Dining Cryptographers

• How to make a message public, but in a perfectly untraceable manner
• David Chaum. “The dining cryptographers problem: unconditional sender and

recipient untraceability.” Journal of Cryptology, 1988.

• Guarantees information-theoretic anonymity for message senders
• VERY strong form of anonymity: defeats adversary who has unlimited

computational power

• Difficult to make practical
• In group of size N, need N random bits to send 1 bit

28

Three-Person DC Protocol

• Three cryptographers are having dinner.
• Either NSA is paying for the dinner, or one of them is paying,

but wishes to remain anonymous. 1. Each diner flips a coin and shows it to his left neighbor.

• Every diner sees two coins: his own and his right neighbor’s

2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite). 3. IF Number of “same”=1 or 3 Þ NSA is paying IF Number of “same”=0 or 2 Þ one of them is paying

• But a non-payer cannot tell which of the other two is paying!

29

Non-Payer’s View: Same Coins

30

?

“same” “different”

payer payer

?

“same” “different”

Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Non-Payer’s View: Different Coins

31

?

“same” “same”

payer payer

?

“same” “same”

Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Super-posed Sending

• This idea generalizes to any group of size N
• For each bit of the message, every user generates 1 random bit and sends

it to ONE neighbor

• Every user learns 2 bits (his own and his neighbor’s)
• Each user announces own bit XOR neighbor’s bit
• Sender announces own bit XOR neighbor’s bit XOR message bit
• XOR all announcements = message bit
• Every randomly generated bit occurs in this sum twice (and is canceled by XOR),

message bit occurs once

32

33

An Anonymi ymity ty Ap Applicati tion Examp mple: e: Elect ctronic c Cash (E-Ca Cash) a and Bi Bitcoin

34

Motivation For E-Cash

Conventional Cash is:

• Counterfeitable
• Slow
• Costly
• Vulnerable
• Bad for Remote Transactions

35

Credit Cards, Bank Cards, Checks, and Phone/Subway cards: Easy Fraud Little Privacy

36

Off-line Electronic Cash is for 2-Party (PayeràPayee) Payment

Deposit

Payment

Withdrawal

• Low Communication Requirements

37

In Contrast, On-line Payments:

“OK”

E-Cash in 1970s

• Stephen Wiesner‘s (graduate student at Columbia) paper “Conjugate Coding and

Quantum Money” sent in 1970 to IEEE Transactions on Information Theory

• Paper immediately rejected
• Published in 1983 as is in ACM SIGACT
• Proposed design of unforgaeble bank notes based on quantum properties
• Influenced Quantum (Cryptographic) Key Distribution (QKD)

E-Cash in 1980s and 1990s

• Chaum’s “Blind Signatures for Untraceable Payments” paper is the first to

propose (realizable) E-Cash using blind digital signatures

• Based on RSA (Rivest Shamir and Adelman) signatures
• RSA breaks if one can factor large composite numbers (100s of decimal digits,

1000s of bits)

• DigiCash (anonymous ecash) launched by Chaum in 1990. DigiCash

declared bankruptcy in 1998.

1970s 2000s 1990s

Requirements for Anonymous Payments (afterwards known as E-Cash)

From Chaum’s “Blind Signatures for Untraceable Payments” paper:

• Unlinkability: third parties can not determine payee (amount

and time of payment)

• Provability: individuals can provide (unforgaeble) proof of

payment, or determine identity of payee under exceptional circumstance (e.g., by courts)

• Revocation: revoke stolen coins or payment media

Anonymous Payments

user 1 user 2

Anonymous Payments

user 1 user 2

Anonymous Payments

withdraw coins withdraw coins user 1 user 2

Anonymous Payments

user 1 user 2

transfer coins user 2

Anonymous Payments

Was it user 1

• r user 2?

user 2

Anonymous Payments

47

Overspending: Problem with Off-line E-Cash

Step 1: The bad user copies his money

48

Step 2: The bad user gives copied cash to multiple people

49

The Bank is aware of trouble only later

!!!

50

• 1. Use tamper-resistant hardware to prevent over-

spending (e.g., MONDEX in Europe)

• 2. Trace over-spenders
• 3. Blacklist over-spenders
• 4. Put a bound on dollar-value for off-line transactions

Techniques to Contain Over-Spending (prior to Bitcoin and Blockchains)

51

Tracing be used to fight big-time international crime

But, tracing could be abused on many levels

52

Minting the Money/Coins

Heart of Each Coin is a Digital Signature

Secret Minting Key to Create Coins (Signatures)

Public Verification Key to Recognize Coins

53

Minting a Conventional Coin

E-Cash Withdrawer

SN= 12345 SN = 12345 BankSig SN= 12345 SN = 12345 BankSig

The Mint

54

Without Anonymity Mint Knows Serial Number

One Dollar

SN 12345

The Mint E-Cash Withdrawer $1 signing key

55

Minting an Untraceable Coin

E-Cash User The Mint

SN= 12345 SN = 12345 BankSig BankSig BankSig

56

Blind Signing is (Like) Signing Through a Veil

One Dollar

The Mint $1 signing key E-Cash Withdrawer

57

Minting a Trustee-Traceable Coin

E-Cash User The Mint

SN= 12345 SN = 12345 BankSig BankSig BankSig

58

Escrowing Trustee-Traceable Coins

SN= 12345

E-Cash User

Trustee 1 Trustee 2 escrow key1 escrow key2

59

Recall: Cryptographic Assumptions

Infeasible Tasks

• 1. Factoring. Given a number N = pq, find p and q

primes of at least 2048 bits

• 1a. RSA assumption.

Given exponent e and me (mod N), find m

60

• 2. Discrete log. Given a prime p, a generator g,

and gx (mod p), find x Infeasible Tasks

(continued)

• f at least 2048 bits

Recall: Cryptographic Assumptions

61

Example of Coin Minting

Public Information:

N H()

• - Large Composite Number
• - Cryptographic hash function

Private Minting Information: Key = p,q prime numbers such that N=pq A coin has the form: (x,H(x)d mod N), 1 < x < N

62

Minting a Conventional Coin with RSA (Traceable)

E-Cash User The Mint

x,H(x)

x,H(x)d

x,H(x)

x,H(x)d

63

x H(x) H(x)d mod N

Anti-counterfeiting Assumption:

Without knowing the key, it is difficult to find pre-images that map to the same point

= p,q

Where: d = e-1 mod phi(N)

Blind (Digital) Signatures

• Message is blinded (disguised or randomized) before it is

signed

• Signature can be publicly verified against the original

message (unblinded one) similar to a standard digital signature

• Typically employed in privacy-preserving protocols where

signer and author of message are different entities

• Main goal is to provide unlinkability: prevent signer from

linking the blinded message it signs to a later un-blinded version that it may be called upon to verify

Anonymous Payments via Blind Signatures

(to withdraw coins: obtain Bank’s signature on a coin (m))

(6) I got this coin: sig(m) for coin m Was it M?

(4) transfer coins: sig(m) (1) send blinded coin/message (m’) (2) sign coin: sig(m’) (3) unblind the coin to obtain sig(m)

(6) Not sure!? I saw a random value: m’

(5) receive goods or services

66

Blind Digital Signatures à Payer’s Privacy [Chaum]

E-Cash User The Mint

chooses random

x,r

x,H(x)

x, H(x)d

reH(x) reH(x)

rH(x)d rH(x)d

RSA-based Blind Signatures

• Public key (e, N) and corresponding private key (d, p, q), such that N =p*q

and e*d = 1 mod Φ(N)

• Choose a random r coprime to N, i.e., GCD(r, N) = 1. re mod N is then used as

a blinding factor. (GCD = greatest common divisor)

• m’ = m * re mod N ( m’ is random, does not leak any info about m)
• m’ is sent to the signing authority who signs it as
• s’ = (m’)d mod N = md * red mod N = md * r mod N
• s’ is sent back to the message owner who unblinds it by multiplying by r-1 to
• btain the signature s = md mod N

Anonymous Payments via RSA-based Blind Signatures

(to withdraw coins: obtain Bank’s signature on a coin (m))

(6) I got this coin: s = md * modN Was it M?

(4) transfer coins: send coin s (1) m’ = m * re modN (2) s’ = md * r modN (3) s = s’ * r-1 modN = md * modN

(6) Not sure!? I saw a random value: s’ = md * r modN

(5) receive goods or services

69

• p1, p2: two large prime numbers such that p2 | p1-1
• G: subgroup of Zp1 such that |G| = p2
• g: generator of G
• I: the user’s identity (set up by bank),

expressed as a number

*

= Coin = (ga mod p1, gb mod p1, H(ga,gb)d mod N) where I = ab mod p2

Tracing Double-Spenders

70

Buyer

ga mod p1, gb mod p1, H(ga,gb)1/3

Seller

• verify Bank’s signature
• send random challenge k
• verify gr=(ga)kgb

k

r = ak+b

r

Tracing Double-Spenders

71

Two Payments with the same coin yield Buyer’s Identity r = ak + b r’ = ak’ + b

a,b

I

Tracing Double-Spenders

r = ak + b

a?,b?

?

A lot of E-Cash and anonymous payment schemes followed similar blueprints in the 1990s and early 2000s

2009-2016

• 2009: Bitcoin paper by Satoshi Nakamoto
• Pseudonym for individual or a group
• 2009-2011: slow start …
• 2011-2013: Silk Road and Dread Pirate Roberts
• End 2013: Bitcoin price skyrockets
• a lot of people notice
• 2014-2015: Price drops by 75%
• 2016: Price up again
• 2017: Craziness!!!
• 2018: ???

In 2018

Large Ecosystem Market Capitalization over $120 Billion (over $300 Billion in 2017) Number of transactions growing steadily

Bitcoin (BTC) Preliminaries

• Cryptographic Hash Function: a hash function that is hard to invert,

i.e., computationally infeasible to recreate data from hash value alone, e.g., the secure hash algorithm (SHA)

• Required properties of a Cryptographic Hash Function:

i. easy to compute hash value h( ) of any message m ii. given h(m) it is (computationally) infeasible to recover m iii. infeasible to modify m without h(m) being also modified iv. infeasible to find two different m with same hash (collision resistance)

• Proof-of-Work Schemes/Protocols: originally invented as an

economic measure to prevent denial-of-service and spam by requiring clients to solve computationally-demanding puzzles, e.g., find a number that has a certain preamble (say 3 zeros) in its hash

Stepping Back

Stepping back: most physical and digital currencies today effectively exist in the form of a ledger.

Electronic Accounts in Banks Blockcain in Bitcoin (BTC)

Questions Answered by Bitcoin (BTC)

How to maintain integrity of a public ledger in a distributed manner (BTC answer: longest chain of verified transactions) How to use such a ledger for transactions (BTC answer: transferring coins via signatures) How to incentivize people to allocate CPU power to ensure integrity of the longest chain (BTC answer: reward with new minted coins when verifying transactions, also called mining)

Bitcoin’s Peer-to-Peer Network

• A peer-to-peer network without any “central” authority for

ensuring integrity of transactions and keeping track of

• wnership of (Bit)coins (and minting them)
• Ledger and history of ALL transactions are public and

available for anyone to inspect

Transactions in Bitcoin

Owner 0 is transferring Coin(s) to Owner 1 A (Bit)coin is defined as a chain of digital signatures.

Timestamps in Bitcoin

• Hash a block of items (transactions) to be time stamped and widely publish

the hash

• The time stamp proves that data must have existed in order to have gotten

into the hash

• Each timestamp includes previous timestamp in the hash, forming chain

(the Btitcoin blockchain)

• Each additional time stamp reinforces the ones before it

Hash Hash Block Item Item … Block Item Item …

Proof-of-Work (PoW) and Incentives in Bitcoin

• PoW in Bitcoin is finding a value that when hashed (SHA-

256) the hash begins with a certain number of zeros (control

• f difficulty level)
• Incentive for Mining/Ensuring Integrity of Blockchain: The

first transaction in a block is a special transaction that starts a new coin owned by the creator of the block.

Block Tx Tx … Previous Hash Nonce (to be found) Block Tx Tx … Previous Hash Nonce (to be found)

Operation of Bitcoin’s Network

1) New transactions are broadcast to all nodes 2) Each node collects new transactions into a block 3) Each node works on finding a difficult proof-of-work for its block 4) When a node finds a proof-of-work, it broadcasts the block to all nodes 5) Nodes accept block only if all transactions in it are valid and not already spent 6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash

51% Attack

Blockchain Size

More Features of Bitcoin

Additional Features:

• Saving disk space by using hash (Merkle)

trees to compress history of coins

• Allow multiple inputs and outputs to be

handled with one transaction

Alternative Coins (Alt-Coins)

Digital Currency Scheme Centralized/ Decentralized Can be Regulated? Security Guarantees Privacy/Anonymity Guarantees Resilience Guarantees Bitcoin, Namecoin Fully (P2P) Decentralized No SHA-256 proof-of- work Unrecoverable (but Linkable) Anonymity P2P Decentralized Ledger Litecoin Fully (P2P) Decentralized No Scrypt-based proof-of-work Unrecoverable (but Linkable) Anonymity P2P Decentralized Ledger Zerocoin Fully (P2P) Decentralized No SHA-256 proof-of- work Unrecoverable, Unlinkable Anonymity P2P Decentralized Ledger PPcoin Fully (P2P) Decentralized No SHA-256 proof-of- work/proof-of- stake Unrecoverable (but Linkable) Anonymity P2P Decentralized Ledger Ripple Fully (P2P) Decentralized No Trust-based consensus Anonymity Level Varies P2P Decentralized Ledger

–Essentially all following the Bitcoin blueprint –Ethereum is the new kid on the block (smart

contracts via a “Turing complete” language)