Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006
Motivation • Many uses for anonymous communication channels • Elections • Anonymous crime tips • Whistle-blowing • Etc. • Standard mail offers some guarantees of anonymity; why not email too?
Contributions • Cryptographic protocols to support an anonymous email system • Keep sender anonymous w.r.t. both the receiver and other parties in the network • Allow receiver to reply to sender without revealing sender’s identity • Protocol can also be used to form anonymous and verifiable rosters • E.g., for an electronic election
Historical Perspective, 1979 • Cryptography had been around for millennia • Usually required the use of shared secrets • Paradigm shift: late 1970s • Diffie & Hellman, “New Directions in Cryptography” (1976) • RSA cryptosystem (1977) • Rapid advancements allow for the sharing of keys (secrets) between strangers
Notation • Keys in public-key cryptosystem • Public key: K • Private key: K-1 • Encryption of x with K denoted by K(x) • Keys are inverses • i.e., K-1(K(x)) = K(K-1(x)) = x
Operations • To prevent certain attacks, Chaum advocates random padding before encryption • i.e., use K(R, x) where R is a random string rather than K(x) to encrypt x • When signing, first pad with some known constant • i.e., K-1(C, y) where C is a known constant
Chaum’s Assumptions • Can’t break the cryptosystem • Anyone can observe all links in the system • The so-called “global passive adversary” • Anyone can inject, replay, remove, or modify messages • Dolev-Yao active attacker model (which they didn’t publish about until 1983)
Sending Anonymous Mail • Rather than sending mail directly to the recipient, send mail to a mix • Principle: Try to reduce correspondence between input- and output-sets • Fool global passive adversaries • What about keeping the message private?
Players (and their public keys) Mixes (Kn) Recipient, A (Ka) One mix protocol Sender -> Mix: K1(R1, Ka(R0, M), A) Mix -> A: Ka(R0, M) Use of public key crypto hides message from mix and nosy parties on the Internet The Crypto!
Cascade Mix Example • Protocol • Sender -> Mix n: Kn(Rn,Kn-1(Rn-1, …, K1(R1, Ka(R0, M), A) … An-2)An-1) • Mix n -> Mix n-1: Kn-1(Rn-1, …, K1(R1, Ka(R0, M), A) … An-2) • … • Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A) • Mix 1 -> A: Ka(R0, M) • As long as (n-1) mixes remain uncompromised, the anonymity properties of the message are preserved!
Observations • At each step in the cascade, the current mix • Peels off one layer of encryption • Discovers a forwarding address • Passes message along • So, each mix only knows where a message came from and where its going • Note similarities between onion routing, Crowds, etc…
Return to Sender • This is all fine and good for one way email (anonymous threats and the like), but how can we arrange responses? • Embed an untraceable return address! • Format: K1(R1, AX), KX • AX is X’s return address, KX is a temporary public key for X
Example • Protocol: • X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX • Mix -> Y: KY(R0, M1), K1(R1, AX), KX • Y -> Mix: K1(R1, AX), Kx(R2, M2) • Mix -> X: R1(Kx(R2, M2)) • Note 1: R1 used to alter forwarded message to prevent I/O correspondence • Note 2: Return addresses can be cascaded just like messages. • Note 3: Responses clearly different from initial messages
Possible Attack (not in paper) • Note that K1(R1, AX) and KX aren’t bound • A malicious mix can read reply messages by carrying out a man in the middle attack • With email, lots of times, replies contain the original message!
Attack Example • X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX • Mix -> Y: KY(R0, M1), K1(R1, AX), KX’ • Note substituted ephemeral public key KX’ • Y -> Mix: K1(R1, AX), Kx’(R2, M2) • Mix can unpack this message, read M2, and reencrypt using KX • Mix -> X: R1(Kx(R2, M2))
A Simple Solution • To prevent the previously mentioned attack, we need only change the first message of the protocol • X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX • This allows Y to verify that the mix didn’t change KX, since the mix can’t alter anything encrypted with KY
Anonymous Elections • Form a roster of pseudonyms by sending anonymous emails through a mix-net • Output list in a public location • Only entities on the list can take actions in the system
Recommendations for an Untraceable Mail System • To hide number of messages sent, each participant sends same number of messages per interval (some are dummies) • Cover traffic! • To hide number of messages received, must check all messages, not just known good messages • Messages should all be same size • Prevent I/O correlation
Implementing an Advanced Mix • A mix with all of the following properties can be implemented using the techniques presented in this paper • Overview • Break message into fixed size blocks • Each mix “pops” the first block, adds a block of junk to the end • Decrypt removed block to yield a key R which is used to encrypt each block in the new message
Discussion Questions • Why wasn’t Chaum’s mix network ever implemented? • How should we characterize advancements in anonymous email over the years? Technological? Responses to better understanding of threats?
Discussion Questions (cont.) • This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area? • What do people think of the notion of certified mail and receipts?