1 / 41

Privacy Enhancing Technologies

Privacy Enhancing Technologies. Spring 2012. What is Privacy?. “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies focus on Anonymity. What is anonymity?. Unobservability Unlinkability Sender anonymity Receiver anonymity.

chidi
Télécharger la présentation

Privacy Enhancing Technologies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Enhancing Technologies Spring 2012

  2. What is Privacy? • “The right to be let alone” • Confidentiality • Anonymity • Access Control • Most privacy technologies focus on Anonymity

  3. What is anonymity? • Unobservability • Unlinkability • Sender anonymity • Receiver anonymity

  4. Overview of Anonymity Concepts • Chaum’s MIX • Dining Cryptographers • Onion Routing • Crowds

  5. Applications beyond privacy • Digital Cash • Anonymous e-voting • Censorship-resistant publishing • Untraceable e-mail

  6. Chaum’s MIX • Presented first in 1981 by David Chaum • Uses public key cryptography for anonymous e-mail • Basic Idea: • E-mails would be sent to a “Mix” which would then forward them onto reciepents • Key building block for anonymity systems

  7. Example Km(B, KB(A,M)) KB(A,M) A B

  8. Example Km(B, KB(A,M)) KB(D,M) B A KB(A,M) Km(E, KE(C,M)) C Km(B, KB(D,M)) KE(C,M) E D

  9. What does this buy us? • Unlinkability • The adversary knows all the senders and receivers but cannot link senders to receivers

  10. MIX Cascade • What if some of the mixes are controlled by adversaries? • A cascade of mixes can be used to handle compromised mixes • How many adversaries can this withstand? • N-1

  11. Dining Cryptographers • Also introduced by Chaum • Purpose is to release a public message in a perfectly untraceable manner

  12. The Protocol • N cryptographers are having dinner • Waiter tells them that the dinner has been paid for • They want to know whether it was paid by one of them or the NSA agent in the corner

  13. The Protocol • Each diner flips a coin and shows it to his left neighbor • Each diner announces whether he and his neighbor’s coin flips are the same or different. The payer lies. • Even number of “same” => NSA paidOdd number of “same” => one the diners paid

  14. Example – NSA Pays Different Same Different Same

  15. Example – Diner Pays Same Same Payer Different Same

  16. Problems with DC • Very Impractical • Only one bit sent at a time • Each party has to have pairwise secure channels • Massive communication overhead

  17. How much anonymity is afforded to the sender in DC? • We know the sender is one of N diners • This is sometimes called K-anonymity • We know you are one of k persons, but that’s the best we can do • This is term is used especially with respect to databases

  18. Anonymity via Random Routing • Hide message source through random routing • Routers don’t know for sure who the source of the message is

  19. Many methods • Onion routing • Crowds • Tor • …

  20. Onion Routing • Sender chooses a random sequence of routers • Some are honest, some aren’t • Similar to MIX cascade • Goal: Hostile routers shouldn’t learn Alice is talking to Bob

  21. Onion Routing • Onion encryption: • { R2, { R3, { Bob, {M}K4 }K3 }K2 }K1 R1, K1 R2, K2 R3, K3 Alice, K1, K2,K3,K4 Bob, K4

  22. Crowds • Routers form a random path • Different than onion routing because the routers choose path, not sender • After receiving a message router flips a biased coin • With probability p, the router forwards the message to another router • With probability 1-p, the router forwards the message to the recipient

  23. Example From: R3 To: Bob R R4 R2 R3 R R R R1 Bob Alice

  24. Probabilistic Notions of Anonymity • Beyond suspicion • The observed source of the message is no more likely to be the true sender than anybody else • Probable innocence • Probability that the observed source of the message is the true sender is less than 50% • Guaranteed by Crowds if there are sufficiently many honest routers: Ngood+Nbad ≥ pf/(pf-0.5)•(Nbad +1) • Possible innocence • Non-trivial probability that the observed source of the message is not the true sender

  25. A Couple of issues • Is probable innocence enough? 1% 1% 1% 49% 1% 1% … 1% • Multiple-paths vulnerability • Can attacker relate multiple paths from same sender? • E.g., browsing the same website at the same time of day • Each new path gives attacker a new observation • Can’t keep paths static since members join and leave

  26. Digital Cash • Cash is a universally anonymous payment system • How can we have anonymous payments online? • Idea • Alice can pay for something with a digital cash token • If she double-spent a digital cash, her identity should be revealed

  27. Blind signatures • Blind signatures are used when you want someone to sign something but you don’t want them to see what they are signing • E.g. A notary • This is done by multiplying the message by a secret number (called blinding). • The signer signs the blinded message • The secret number can be divided out to get a signed version of the message

  28. RSA Blind Signatures • Alice wants Bob to sign message M. • She gives him M*rebmod n • Bob signs this giving Alice s’=(M*reb)db mod n = Mdb reb*db mod n = Mdb r mod n • Alice can then remove the blind by calculating s= s’*r-1 mod n = Mdb mod

  29. Example • Alice’s Message: 28 • Bob’s public key: 17 • Bob’s private key: 53 (n = 77) • Alice asks Bob to sign 70(=28*617 mod 77) • Bob signs 70 and sends Alice 42 • Alice multiplies 42 by 13 (mod 77) to get 7 • 2853 mod 77 = 7

  30. Getting Cash • Alice creates a bunch (lets say N) of money orders for the same amount (say $100) • Each is given a unique identifier • Each includes n pairs of identity bit strings $100 ID: 1234567 Identity bit strings: I1 = (I1L, I1R) I2 = (I2L, I2R) . . . In = (InL, InR)

  31. How the identity bit strings were created • Secret splitting! • How it works: • Alice created an identity I • She then picked n random numbers: r1…rn • Then she calculates sj = I  rj • Ij = (sj, rj) • For all j, I = sj  rj

  32. Getting Cash • Alice blinds these messages and sends them to the bank to sign • The bank asks Alice to unblind n-1 messages (banks choice) • Alice complies and when the banks sees they are all “well formed” then sign the remaining money order • Alice unblinds this remaining (signed) money order and spends it

  33. Spending Cash • Alice presents a token to a merchant • The merchant asks Alice to randomly reveal either the right or left half of each identity bit string • Essentially they send her a random bit string of length n, called a selector string. • If bit j is 0, Alice reveals IjLand if bit j is 1 Alice reveals IjR

  34. Merchant cashes the token • The merchant takes the token to the bank • Note that the token has half of the identity bit strings revealed • The bank verifies the signature and adds the token to a database of spent tokens

  35. Catching Cheaters • When the bank checks the signature on a token it also check to see if the token has previously been spent • If it has, Alice’s identity is likely to be revealed • Why? Because its unlikely that both merchants sent her the same selector string • This means that there is at least one identity pair for which the bank has both halves

  36. Secure Multi-party Computation • Imagine that you want to compute something (say an average salary), but you don’t want the people you are computing with to find out your inputs. • Solution: Secure Multi-party computation

  37. Secure Multi-party Computation • Dining Cryptographers is a special case of this problem • The diners want to compute who paid without admitting they paid • Computing an average is an easy case of Secure Multi-party computation

  38. Secure Sum • Imagine that Alice, Bob, Carol and Dave want to compute the average of their salaries. • Also, assume they all have public and private keys (Ea, Da respectively for Alice)

  39. Secure Sum • Alice picks a random number r and adds it to her salary (Sa). • Alice sends Bob Cb = Eb(Sa+ r) • Bob decrypts Cb and adds his salary to the result and sends Carol Cc= (Sb+Sa+ r) • And so forth until… • Dave then sends Ca=Ea(Sd+Sc+ Sb+Sa+ r) to Alice • Alice computes (Da(Ca) – r) and divides it by 4 to get the average salary • Alice then broadcasts the result to Bob, Carol, and Dave

  40. Problems with Secure Sum • This protocol depends on Alice being honest. • Alice can use 2 different r’s and misrepresent the average • This can be prevented using a bit commitment scheme • This allows the others to guarantee later that Alice used the same r • But! Then Bob could figure out her salary

  41. Conclusion • Anonymity is one of the technological foundations for privacy • MIX nets are used to hide linkability between senders and receivers • Onion routing and crowds are essentially implementations of MIX cascades • DC nets allow for anonymous publishing • Digital Cash allows for anonymous transactions

More Related