Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian - - PowerPoint PPT Presentation

traceback for end to end encrypted messaging
SMART_READER_LITE
LIVE PREVIEW

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian - - PowerPoint PPT Presentation

Oct 16, 2022 284 likes •1.04k views

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging Hello Alice Bob Platform 2 Setting: End-to-end encrypted (E2EE) messaging Hello > 2

slide-1
SLIDE 1

Traceback for End-to-End Encrypted Messaging

Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019

1

slide-2
SLIDE 2

Setting: End-to-end encrypted (E2EE) messaging

2

Platform Alice Bob

Hello

slide-3
SLIDE 3

Setting: End-to-end encrypted (E2EE) messaging

3

Platform Alice Bob

Hello

> 2 billion users

slide-4
SLIDE 4

4

Problem: Viral forwarding of misinformation in E2EE messaging

slide-5
SLIDE 5

5

Problem: Viral forwarding of misinformation in E2EE messaging

slide-6
SLIDE 6

Content moderation for user-driven reports

6

User submits report Moderation decision based on content Action taken on relevant parties

slide-7
SLIDE 7

Content moderation for user-driven reports

7

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review

slide-8
SLIDE 8

Content moderation for user-driven reports

8

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review Ban fake/troll accounts injecting misinformation into network Notify users that have previously shared or received misinformation

slide-9
SLIDE 9

Content moderation for user-driven reports

9

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review Ban fake/troll accounts injecting misinformation into network Notify users that have previously shared or received misinformation Report must provide enough information to execute the following steps

slide-10
SLIDE 10

10

E2EE hides information useful for content moderation of misinformation

slide-11
SLIDE 11

11

  • Platform doesn’t see message content

Message content is encrypted!

E2EE hides information useful for content moderation of misinformation

slide-12
SLIDE 12

12

Message content is encrypted!

  • Platform doesn’t see message content
  • Platform doesn’t see forwarding relationships

E2EE hides information useful for content moderation of misinformation

slide-13
SLIDE 13

13

  • Platform doesn’t see message content
  • Platform doesn’t see forwarding relationships

Message content is encrypted! Forwarding traffic is muddled by

  • ther users and other messages

E2EE hides information useful for content moderation of misinformation

slide-14
SLIDE 14

This work: Tracing in E2EE messaging

14

[TMR CCS’19]

User submits report Moderation decision based on content Action taken on relevant parties

  • Message tracing: new cryptographic functionality for user-driven reporting of

forwards in E2EE messaging

  • Path traceback: chain of messages from source to reporter
  • Tree traceback: entire forwarding tree of messages originating from source
slide-15
SLIDE 15

This work: Tracing in E2EE messaging

15

  • Message tracing: new cryptographic functionality for user-driven reporting of

forwards in E2EE messaging

  • Path traceback: chain of messages from source to reporter
  • Tree traceback: entire forwarding tree of messages originating from source
  • Formal confidentiality and accountability security notions for tracing
  • Implementation and evaluation of practicality

[TMR CCS’19]

User submits report Moderation decision based on content Action taken on relevant parties

slide-16
SLIDE 16

Prior work: Abuse reporting in E2EE messaging

16

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

slide-17
SLIDE 17

Prior work: Abuse reporting in E2EE messaging

17

!

User reports received message to platform

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

slide-18
SLIDE 18

Prior work: Abuse reporting in E2EE messaging

18

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

!

User reports received message to platform m

slide-19
SLIDE 19

Prior work: Abuse reporting in E2EE messaging

19

!

User reports received message to platform m Platform learns message and sender, but nothing more about where message came from or where it reached

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

slide-20
SLIDE 20

This work: Tracing in E2EE messaging

20

!

User reports received message to platform

[TMR CCS’19]

slide-21
SLIDE 21

This work: Tracing in E2EE messaging

21

!

User reports received message to platform

  • Two constructions for message tracing
  • Path traceback

[TMR CCS’19]

m

slide-22
SLIDE 22

This work: Tracing in E2EE messaging

22

!

User reports received message to platform

  • Two constructions for message tracing
  • Path traceback
  • Tree traceback

[TMR CCS’19]

m

slide-23
SLIDE 23

23

Goal: Act like standard E2EE messaging before report

slide-24
SLIDE 24

Before report Platform view: encrypted content and metadata (participants, length, and timing)

24

Goal: Act like standard E2EE messaging before report

slide-25
SLIDE 25

25

Before report Platform view: encrypted content and metadata (participants, length, and timing) User view: messages they receive or send

Goal: Act like standard E2EE messaging before report

slide-26
SLIDE 26

26

Before report Platform view: encrypted content and metadata (participants, length, and timing) User view: messages they receive or send

m m m User shouldn’t learn forwarding info of received messages

Goal: Act like standard E2EE messaging before report

slide-27
SLIDE 27

27

m m User shouldn’t learn forwarding info of received messages m

?

Before report Platform view: encrypted content and metadata (participants, length, and timing) User view: messages they receive or send

Goal: Act like standard E2EE messaging before report

slide-28
SLIDE 28

28

Goal: Reveal limited information after report

slide-29
SLIDE 29

Goal: Reveal limited information after report

29

!

m

After report Platform view: message content and forward links of traceback target (e.g. path, tree)

slide-30
SLIDE 30

Goal: Report consists of accurate information

30

!

m

slide-31
SLIDE 31

31

!

m

Trace accountability An honest user cannot be framed for an action they didn’t perform

Goal: Report consists of accurate information

slide-32
SLIDE 32

32

!

m

Trace accountability An honest user cannot be framed for an action they didn’t perform

Goal: Report consists of accurate information

Malicious user can partition trace, but will be blamed as source

slide-33
SLIDE 33

33

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie

slide-34
SLIDE 34

34

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie m

E2EE channel

slide-35
SLIDE 35

35

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie m

E2EE channel

  • E2EE channel that is decoupled from message tracing
slide-36
SLIDE 36

36

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB m

E2EE channel

  • E2EE channel that is decoupled from message tracing
  • Unique per-message “tracing” key shared between communication partners

“tracing” key

slide-37
SLIDE 37

37

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

  • E2EE channel that is decoupled from message tracing
  • Unique per-message “tracing” key shared between communication partners

kAB

“tracing” key

slide-38
SLIDE 38

38

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

kAB kØ

“null pointer” key randomly generated

slide-39
SLIDE 39

39

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

slide-40
SLIDE 40

40

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

“encrypted pointer”

slide-41
SLIDE 41

41

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

“encrypted pointer” PRF that is also CR (e.g., HMAC)

slide-42
SLIDE 42

42

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

idAB

slide-43
SLIDE 43

43

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

idAB ctAB Table stored on platform

ctAB = Enc(kAB , kØ) idAB = F(kAB , m) idAB

kAB

slide-44
SLIDE 44

44

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

idAB idAB

slide-45
SLIDE 45

45

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

idAB idAB

slide-46
SLIDE 46

46

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m kAB

idAB idAB

slide-47
SLIDE 47

47

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m F(kBC , m) kAB

idAB idAB

slide-48
SLIDE 48

48

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m idBC F(kBC , m) kAB

idAB idAB

slide-49
SLIDE 49

49

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m idBC F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC) kAB

idAB idAB

slide-50
SLIDE 50

50

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m idBC F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC) F(kAB , m) idAB kAB

idAB idAB

slide-51
SLIDE 51

51

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

!

kBC m idBC F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC) F(kAB , m) idAB

Decrypt and dereference ctAB

kØ = Dec(kAB , ctAB) F(kØ , m) not in table

⇒ beginning of forward chain!

kAB

idAB idAB

slide-52
SLIDE 52

52

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

Small and fast to compute! idAB idAB

slide-53
SLIDE 53

53

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m) Before report Platform view: Ciphertexts and PRF outputs without keys User view: Keys without ciphertext

kAB

idAB idAB

slide-54
SLIDE 54

54

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m) After report Platform view: Learns keys only for rows of trace

kAB

Before report Platform view: Ciphertexts and PRF outputs without keys User view: Keys without ciphertext ctAB idBC ctBC idAB idAB

slide-55
SLIDE 55

55

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

Trace accountability Pointer “dereferences” are bound to a message idAB idAB

slide-56
SLIDE 56

56

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

Trace accountability Pointer “dereferences” are bound to a message idAB idAB

slide-57
SLIDE 57

57

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

!

Trace accountability Pointer “dereferences” are bound to a message

k’ m’

idAB idAB

slide-58
SLIDE 58

58

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

!

k’ m’

Trace accountability Pointer “dereferences” are bound to a message To break accountability, F(k’ , m’) must collide with idBC idAB idAB

slide-59
SLIDE 59

Trace accountability Pointer “dereferences” are bound to a message

59

Path traceback Idea: Linked list of encrypted pointers

Alice Bob Charlie kAB kAB m

E2EE channel

ctAB Table stored on platform ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m) idBC ctBC

kBC kBC

idBC

ctAB = Enc(kAB , kØ) idAB = F(kAB , m)

kAB

!

See paper for security proofs!

k’ m’

To break accountability, F(k’ , m’) must collide with idBC idAB idAB

slide-60
SLIDE 60

60

Path traceback Idea: Linked list of encrypted pointers

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review Ban fake/troll accounts injecting misinformation into network Notify users that have previously shared or received misinformation

slide-61
SLIDE 61

61

Path traceback Idea: Linked list of encrypted pointers

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review Ban fake/troll accounts injecting misinformation into network Notify users that have previously shared or received misinformation

slide-62
SLIDE 62

62

Path traceback Idea: Linked list of encrypted pointers

User submits report Moderation decision based on content Action taken on relevant parties Combination of machine learning and human review Ban fake/troll accounts injecting misinformation into network Notify users that have previously shared or received misinformation Need something more than path traceback!

slide-63
SLIDE 63

63

Extension: Tree traceback Idea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie idBC idAB

slide-64
SLIDE 64

64

Extension: Tree traceback Idea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie idBC idAB

“backward pointer”

slide-65
SLIDE 65

65

Extension: Tree traceback Idea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie idBC idAB

“backward pointer” “forward pointer”

slide-66
SLIDE 66

66

Extension: Tree traceback Idea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie idBC idAB Diane idBD

“backward pointer” “forward pointers”

slide-67
SLIDE 67

67

Extension: Tree traceback Idea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie idBC idAB Diane idBD

“backward pointer” “forward pointers”

See paper for full details of construction! (uses PRG and secret sharing)

slide-68
SLIDE 68

68

Performance evaluation

  • Path and Tree traceback implemented in < 500 lines of Rust
  • Server table stored in in-memory Redis database

https://github.com/nirvantyagi/tracing

slide-69
SLIDE 69

69

Performance evaluation

  • Path and Tree traceback implemented in < 500 lines of Rust
  • Server table stored in in-memory Redis database
  • Fast (uses only efficient symmetric cryptography)
  • Client side: < 50 μs to generate and verify tracing tags
  • Server side: Traceback takes < 100 μs / message in trace

https://github.com/nirvantyagi/tracing

slide-70
SLIDE 70

70

Performance evaluation

  • Path and Tree traceback implemented in < 500 lines of Rust
  • Server table stored in in-memory Redis database
  • Fast (uses only efficient symmetric cryptography)
  • Client side: < 50 μs to generate and verify tracing tags
  • Server side: Traceback takes < 100 μs / message in trace
  • Platform storage
  • Stores < 100B / message
  • 1 billion messages / day ⇒ ~ 2TB / month
  • Reasonable to store most recent time period sliding window

https://github.com/nirvantyagi/tracing

slide-71
SLIDE 71

71

Deployment considerations

Can tracing be abused to silence socially valuable content? Future work: Policy and implementation to limit abuse of tracing

User submits report Moderation decision based on content Action taken on relevant parties

slide-72
SLIDE 72

72

Deployment considerations

Future work: Policy and implementation to limit abuse of tracing

User submits report Moderation decision based on content Action taken on relevant parties Threshold number

  • f reports?

Tracing ability is only granted after moderation decision on content is complete?

Can tracing be abused to silence socially valuable content?

slide-73
SLIDE 73

73

Conclusion

https://github.com/nirvantyagi/tracing

  • Message tracing: new cryptographic functionality for user-driven reporting of

forwards in E2EE messaging

  • Path traceback: chain of messages from source to reporter
  • Tree traceback: entire forwarding tree of messages originating from source
  • Formal confidentiality and accountability security notions for tracing
  • Implementation and evaluation of practicality