1 / 24

Analyzing Anonymity Protocols

Analyzing Anonymity Protocols. Analyzing onion-routing security Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable Privacy Workshop 2012 A Probabilistic Analysis of Onion Routing in a Black-box Model in TISSEC (forthcoming)

jennica
Télécharger la présentation

Analyzing Anonymity Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analyzing Anonymity Protocols • Analyzing onion-routing security • Anonymity Analysis of Onion Routing in the Universally ComposableFrameworkin Provable Privacy Workshop 2012 • A Probabilistic Analysis of Onion Routing in a Black-box Modelin TISSEC (forthcoming) by Joan Feigenbaum, Aaron Johnson, and Paul Syverson • Analyzing Dissent security • Ongoing work with EwaSyta, Henry Corrigan-Gibbs, Shu-Chun Weng, and Bryan Ford

  2. Analyzing Onion-Routing Security • Abstract (black-box) model of onion routing • Use Universally Composable (UC) framework • Focus on information leaked • Perform anonymity analysis on model

  3. Onion-Routing Ideal Functionality Upon receiving destination d from user U u with probability b øwith probability 1-b x d with probability b øwith probability 1-b y Send (x,y) to the adversary. FOR

  4. Black-box Model • Ideal functionality FOR • Environment assumptions • Each user gets a destination • Destination for user u chosen from distribution pu • Adversary compromises a fraction b of routers before execution

  5. Anonymity Analysis of Black Box • Can lower bound expected anonymity with standard approximation: b2 + (1-b2)pud • Worst case for anonymity is when user acts exactly unlike or exactly like others • Worst-case anonymity is typically as if √b routers compromised: b + (1-b)pud • Anonymity in typical situations approaches lower bound

  6. Other ideal functionality • Provably Secure and Practical Onion Routingby Backes, Kate, Goldberg, and MohammadiComputer Security Foundations Symposium 2012 • Functional primitive • Shown to UC-emulate FOR

  7. Analyzing Dissent security • Fully rigorous definitions and proofs • Anonymity • Accountability • Integrity • Standard sequence-of-games anonymity proofs • Discovered flaws

  8. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  9. Discovered Shuffle Flaws 1 2 3 {I1}1:3 {I2}2:3 {I1}3 I2 m2 {I2}1:3 {I1}2:3 {I3}3 I3 m3 {I3}1:3 {I3}2:3 {I2}3 I1 m1

  10. Discovered Shuffle Flaws 1 2 3 ? {I2}1:3 {I2}2:3 {I2}3 I2 ? {I2}1:3 {I2}2:3 {I3}3 I3 {I3}1:3 {I3}2:3 {I2}3 I2 Problem 1: Client duplication, no blamed

  11. Discovered Shuffle Flaws 1 2 3 {I2}1:3 {I2}2:3 {I2}3 I2 {I2}1:3 {I2}2:3 {I3}3 I3 {I3}1:3 {I3}2:3 {I2}3 I2 Problem 1: Client duplication, no blamed Solution: Commit to messages first.

  12. Discovered Shuffle Flaws 1 2 3 {I2}1:3 {I2}2:3 {I2}3 I2 {I2}1:3 {I2}2:3 {I3}3 I3 {I3}1:3 {I3}2:3 {I2}3 I2 Problem 1: Client duplication, no blamed Solution: Commit to messages first non-malleably.

  13. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  14. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  15. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  16. Discovered Shuffle Flaws 1 2 3 ? {I1}1:3 {I1}2:3 {I1}3 I1 ? {I1}1:3 {I1}2:3 {I1}3 I3 {I3}1:3 {I3}2:3 {I1}3 I1 Problem 3: Self-duplication, no blamed

  17. Discovered Shuffle Flaws 1 2 3 {I1}1:3 {I1}2:3 {I1}3 I1 {I1}1:3 {I1}2:3 {I1}3 I3 {I3}1:3 {I3}2:3 {I1}3 I1 Problem 3: Self-duplication, no blamed Solution: Blame duplicate submitters.

  18. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  19. Discovered flaws • Adversary can unaccountably duplicate honest users’ plaintexts. • Commitments must be non-malleable. • Adversary can submit self-duplicates to cause failure with no blame. • Equivocation during broadcast can cause inconsistent final state. • Some validation checks missing

  20. Modified Dissent • Users non-malleably commit to messages before submission. • Duplicate submission punished • Explicit reliable broadcasts added • Several validation checks added with blame • Honest members guaranteed to agree on who to blame

  21. UC Framework • Express security primitive as an ideal functionality F • Construct a protocol Π that UC emulatesF • Running Π can replace using F in any protocol – security composes

  22. Sequence of Games Anonymity Proof • Game 0: Original anonymity game • Game 1: Replace encrypted descriptors during shuffle with encrypted fixed messages • Game 2: Replace encrypted random seeds after shuffle with encrypted fixed messages • Game 3: Replace pseudorandom sequences with random sequences

  23. Discovered Shuffle Flaws 1 2 3 {I1}1:3 {I2}2:3 {I2}3 I2 m2 {I2}1:3 {I2}2:3 {I3}3 I3 m3 {I3}1:3 {I3}2:3 {I2}3 I2 m2 Problem 0: Shuffle duplication attack

  24. Discovered Shuffle Flaws 1 2 3 {I1}1:3 {I2}2:3 {I2}3 I2 {I2}1:3 {I2}2:3 {I3}3 I3 {I3}1:3 {I3}2:3 {I2}3 I2 Problem 0: Shuffle duplication attack Solution: Duplicates cause NO-GO. Blame lying shuffle.

More Related