
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006. Motivation. Many uses for anonymous communication channels Elections Anonymous crime tips Whistle-blowing Etc.


Presentation Transcript


  1. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006

  2. Motivation • Many uses for anonymous communication channels • Elections • Anonymous crime tips • Whistle-blowing • Etc. • Standard mail offers some guarantees of anonymity; why not email too?

  3. Contributions • Cryptographic protocols to support an anonymous email system • Keep sender anonymous w.r.t. both the receiver and other parties in the network • Allow receiver to reply to sender without revealing sender’s identity • Protocol can also be used to form anonymous and verifiable rosters • E.g., for an electronic election

  4. Historical Perspective, 1979 • Cryptography had been around for millennia • Usually required the use of shared secrets • Paradigm shift: late 1970s • Diffie & Hellman, “New Directions in Cryptography” (1976) • RSA cryptosystem (1977) • Rapid advancements allow for the sharing of keys (secrets) between strangers

  5. Notation • Keys in public-key cryptosystem • Public key: K • Private key: K⁻¹ • Encryption of x with K denoted by K(x) • Keys are inverses • i.e., K⁻¹(K(x)) = K(K⁻¹(x)) = x

  6. Operations • To prevent certain attacks, Chaum advocates random padding before encryption • i.e., use K(R, x) where R is a random string rather than K(x) to encrypt x • When signing, first pad with some known constant • i.e., K⁻¹(C, y) where C is a known constant

  7. Chaum’s Assumptions • Can’t break the cryptosystem • Anyone can observe all links in the system • The so-called “global passive adversary” • Anyone can inject, replay, remove, or modify messages • Dolev-Yao active attacker model (which they didn’t publish about until 1983)

  8. Sending Anonymous Mail • Rather than sending mail directly to the recipient, send mail to a mix • Principle: Try to reduce correspondence between input- and output-sets • Fool global passive adversaries • What about keeping the message private?

  9. The Crypto! • Players (and their public keys) • Mixes (Kn) • Recipient, A (Ka) • One mix protocol • Sender -> Mix: K1(R1, Ka(R0, M), A) • Mix -> A: Ka(R0, M) • Use of public key crypto hides message from mix and nosy parties on the Internet

  10. Cascade Mix Example • Protocol • Sender -> Mix n: Kn(Rn, K_{n-1}(R_{n-1}, …, K1(R1, Ka(R0, M), A) …, A_{n-2}), A_{n-1}) • Mix n -> Mix n-1: K_{n-1}(R_{n-1}, …, K1(R1, Ka(R0, M), A) …, A_{n-2}) • … • Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A) • Mix 1 -> A: Ka(R0, M) • As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!

  11. Observations • At each step in the cascade, the current mix • Peels off one layer of encryption • Discovers a forwarding address • Passes message along • So, each mix only knows where a message came from and where it's going • Note similarities between onion routing, Crowds, etc…
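The cascade from slides 10 and 11, as an added example that is not taken from the slides or from Chaum's paper. Encryption is modelled symbolically (a tuple tagged with the key name stands for K(R, …)), and all names here are hypothetical. It goes slightly beyond the slides by also dropping replayed inputs and reordering each batch, which is what the paper asks of a mix.

```python
import secrets

def wrap(key, *fields):
    # Symbolic K(R, fields...): fresh random R, readable only by the holder of key.
    return (key, secrets.token_hex(4)) + fields

def build_onion(route, recipient, key_a, msg):
    """route: [(addr, key), ...] in travel order (Mix n first, Mix 1 last)."""
    item, next_hop = wrap(key_a, msg), recipient
    for addr, key in reversed(route):
        item, next_hop = wrap(key, item, next_hop), addr
    return item

class Mix:
    def __init__(self, addr, key):
        self.addr, self.key = addr, key
        self.seen = set()   # items already processed, used to drop replays
        self.view = []      # (previous hop, next hop) pairs this mix learned

    def process_batch(self, batch):
        """batch: [(previous hop, item)] -> [(next hop, peeled item)]."""
        out = []
        for prev, item in batch:
            key, _r, inner, nxt = item
            if key != self.key or item in self.seen:
                continue    # not sealed for this mix, or a replayed input
            self.seen.add(item)
            self.view.append((prev, nxt))
            out.append((nxt, inner))
        return sorted(out, key=repr)   # output order no longer follows arrival order

def run_cascade(mixes, batch):
    """Pass one batch of (sender, onion) pairs through the mixes in order."""
    for mix in mixes:
        out = mix.process_batch(batch)
        batch = [(mix.addr, inner) for _nxt, inner in out]
    return out   # what the last mix delivers: [(recipient, Ka(R0, M)), ...]
```

Each mix's `view` holds only adjacent hops, so with two or more mixes no single `view` pairs a sender with a recipient.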

  12. Return to Sender • This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses? • Embed an untraceable return address! • Format: K1(R1, AX), KX • AX is X’s return address, KX is a temporary public key for X

  13. Example • Protocol: • X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX • Mix -> Y: KY(R0, M1), K1(R1, AX), KX • Y -> Mix: K1(R1, AX), KX(R2, M2) • Mix -> X: R1(KX(R2, M2)) • Note 1: R1 used to alter forwarded message to prevent I/O correspondence • Note 2: Return addresses can be cascaded just like messages. • Note 3: Responses clearly different from initial messages

  14. Possible Attack (not in paper) • Note that K1(R1, AX) and KX aren’t bound • A malicious mix can read reply messages by carrying out a man-in-the-middle attack • With email, lots of times, replies contain the original message!

  15. Attack Example • X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX • Mix -> Y: KY(R0, M1), K1(R1, AX), KX’ • Note substituted ephemeral public key KX’ • Y -> Mix: K1(R1, AX), KX’(R2, M2) • Mix can unpack this message, read M2, and re-encrypt using KX • Mix -> X: R1(KX(R2, M2))

  16. A Simple Solution • To prevent the previously mentioned attack, we need only change the first message of the protocol • X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX • This allows Y to verify that the mix didn’t change KX, since the mix can’t alter anything encrypted with KY
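The key-substitution attack from slides 14 and 15 and the fix from slide 16, as an added example that is not taken from the slides or from Chaum's paper. It is a symbolic (Dolev-Yao style) model, not real cryptography: `Sealed`, `seal`, `unseal`, `run` and the `"inv:"` naming for private keys are hypothetical, and the message texts are constructed.

```python
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Sealed:
    key: str        # name of the public key the fields are sealed under
    fields: tuple

def seal(pub, *fields):
    return Sealed(pub, fields)

def unseal(priv, box):
    # Symbolic rule: only the private key "inv:K" opens what was sealed under "K".
    if priv != "inv:" + box.key:
        raise PermissionError("cannot open box sealed under " + box.key)
    return box.fields

def rnd():
    return secrets.token_hex(4)   # stands in for the random strings R0, R1, R2

def run(fixed, malicious, m1="question", m2="answer"):
    """One request/reply round through a single mix; returns what each party learned."""
    seen = {"mix_read": None, "y_aborted": False, "x_received": None}
    r1 = rnd()
    # X -> Mix: K1(R1, KY(R0, [KX,] M1), AY), K1(R1, AX), KX
    inner = seal("KY", rnd(), "KX", m1) if fixed else seal("KY", rnd(), m1)
    outer = seal("K1", r1, inner, "AY")
    ret_addr, kx = seal("K1", r1, "AX"), "KX"
    # Mix -> Y: KY(...), K1(R1, AX), KX   (a malicious mix swaps in its own KX')
    _r, to_y, _dest = unseal("inv:K1", outer)
    if malicious:
        kx = "KX'"
    # Y opens the message; in the fixed protocol it compares the two copies of KX.
    opened = unseal("inv:KY", to_y)
    if fixed and opened[1] != kx:
        seen["y_aborted"] = True
        return seen
    # Y -> Mix: K1(R1, AX), KX(R2, M2)
    body = seal(kx, rnd(), m2)
    # Mix -> X: R1(KX(R2, M2)); the malicious mix reads M2 and re-seals under KX
    r1_back, _ax = unseal("inv:K1", ret_addr)
    if malicious:
        seen["mix_read"] = unseal("inv:KX'", body)[1]
        body = seal("KX", rnd(), seen["mix_read"])
    wrapped = (r1_back, body)     # symbolic R1(...) layer
    if wrapped[0] == r1:          # X strips the R1 layer it chose earlier
        seen["x_received"] = unseal("inv:KX", wrapped[1])[1]
    return seen
```

With `fixed=False, malicious=True` X still receives the reply, so neither endpoint notices that the mix read it; with `fixed=True` Y sees that the key next to the return address differs from the one sealed under KY and does not reply.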

  17. Anonymous Elections • Form a roster of pseudonyms by sending anonymous emails through a mix-net • Output list in a public location • Only entities on the list can take actions in the system

  18. Recommendations for an Untraceable Mail System • To hide number of messages sent, each participant sends same number of messages per interval (some are dummies) • Cover traffic! • To hide number of messages received, must check all messages, not just known good messages • Messages should all be same size • Prevent I/O correlation

  19. Implementing an Advanced Mix • A mix with all of the following properties can be implemented using the techniques presented in this paper • Overview • Break message into fixed size blocks • Each mix “pops” the first block, adds a block of junk to the end • Decrypt removed block to yield a key R which is used to encrypt each block in the new message

  20. Discussion Questions • Why wasn’t Chaum’s mix network ever implemented? • How should we characterize advancements in anonymous email over the years? Technological? Responses to better understanding of threats?

  21. Discussion Questions (cont.) • This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area? • What do people think of the notion of certified mail and receipts?
