Lecture 21:
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

Lecture 21: How much do you trust your government? PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on
  • Presentation posted in: General

Lecture 21: How much do you trust your government?.

Download Presentation

Lecture 21: How much do you trust your government?

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Anonymous rewebber

Lecture 21:

How much do you trust your government?

There was of course no way of knowing whether you were being watched at any given moment...You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard and, except in darkness, every movement scrutinized.

George Orwell, 1984 (1948)

Anonymous

http://www.rewebber.com/surf_encrypted/MTBKb4IKq25YShD4yVMTkRoqWo1Bu8kpFHRYfkT48tTCovuKp7Cktazai94gqryx2aHjXyqVzAEgNpFMDvxmbvyVIByOstd5h5h9vlgkO3z6xFxiQ+xJ0eNrRNr3bjVa6uQ=

CS551: Security and Privacy

University of Virginia

Computer Science


Anonymous rewebber

Menu

  • Surveillance

    • Echelon, TEMPEST, Carnivore

  • Anonymity

    • Email, Browsing, Publishing

University of Virginia CS 551


Ukusa

UKUSA

  • Secret agreement in 1948

  • NSA, GCHQ (UK), CSE (Canada), DSD (Australia), GCSB (New Zealand)

  • Listening stations throughout world

    • Monitor satellite, microwave, cellular and fiber-optic communications traffic

    • Voice recognition and OCR

    • Dictionary of suspicious phrases

University of Virginia CS 551


Echelon

Echelon

  • Established for allies to spy on Soviets during cold war

  • More recently: justified as counter-terrorism

  • Listening stations directed at Intelsat satellites – intercept majority of inter-continental communications

University of Virginia CS 551


Echelon1

Echelon

Echelon Intercept Station, Menwith Hill, England

University of Virginia CS 551


Questionable uses of echelon

Questionable Uses of Echelon

  • Political spying:

    • British Prime Minister Margaret Thatcher used Echelon (Canada) to spy on ministers suspected of disloyalty (1983)

    • Senator Strom Thurmond, Congressman Michael Barnes

    • Target Amnesty International, Greenpeace, etc.

  • Commercial espionage

    • Liason to Department of Commerce, uses intelligence to help American companies get contracts

    • 1993 – Clinton asked CIA to spy on Japanese auto makers designing zero-emissions vechicles, and send information to GM, Ford and Chrysler

University of Virginia CS 551


Tempest

TEMPEST

University of Virginia CS 551


Van eck monitoring

van Eck Monitoring

  • All electronic equipment emits electromagnetic radiation

  • Can see what is on someone’s screen with a large antenna outside their office

  • TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions ?)

    • Secret NSA standard for low-emissions computers

  • Lots of money wasted because of unreasonable paranoia (probably)

University of Virginia CS 551


Carnivore

Carnivore

ChainMail’s Antivore

University of Virginia CS 551


Carnivore1

Carnivore

From http://www.fbi.gov/programs/carnivore/carnlrgmap.htm

University of Virginia CS 551


Carnivore history

Carnivore History

  • Fourth Amendment prohibits unreasonable searches

  • Title III Omnibus Crime Control Act (1968)

    • FBI may obtain a court order to intercept electronic communications

    • Requires service providers to assist law enforcement in tapping wires

  • Carnivore designed to be precise filter

  • Court order can require ISP (Internet Surveillance Point) to install Carnivore

University of Virginia CS 551


How can we know carnivore isn t sending fbi more than it should

How can we know Carnivore isn’t sending FBI more than it should?

  • Have an independent organization write a firewall that looks at transmissions from Carnivore to FBI

  • Have an independent organization examine the Carnivore source code

  • Trust them, the FBI would never abuse the information anyway.

FBI’s choice

University of Virginia CS 551


Carnivore examination

Carnivore Examination

  • FBI refused to open source

  • DOJ solicited proposals to review Carnivore source – 11 proposals

    • All “good” places (MIT, Purdue, Dartmouth, UCSD) withdrew after FBI said they couldn’t publish source code and FBI would have complete control over report

    • Selected Illinois Institute of Technology Research Institute

    • Paid them ~$175,000 to say Carnivore is okay

University of Virginia CS 551


Iitri report nov 22

IITRI Report (Nov 22)

  • Carnivore technology “protects privacy and enables lawful surveillance better than alternatives.”

  • Carnivore “does not provide protections, especially audit functions, commensurate with the level of the risks”

  • Carnivore “reduces, but does not eliminate” the risk of unauthorized interception of electronic communication by the FBI

University of Virginia CS 551


What is a paranoid emailer web browser web publisher to do

What is a paranoid emailer/web browser/ web publisher to do?

University of Virginia CS 551


Defenses

Defenses

  • Encryption

    • Can be broken

    • Even if not, it still reveals parties communicating (e.g., you visited Amnesty International’s web site)

  • Anonymity Services

    • Hide identity

    • Still provide 2-way communication

University of Virginia CS 551


Simple anonymity service

To: [email protected]

From: [email protected]

“Someone likes you.”

Simple Anonymity Service

SAS

Alice

To: [email protected]

Request-remail-to: [email protected]

“Someone likes you.”

Bob

University of Virginia CS 551


Problems with sas

Problems with SAS

  • Bob can’t reply to sender

  • Eavesdropper can see messages

  • Traffic monitoring could detect traffic from Alice to Bob

  • ...

University of Virginia CS 551


Anon penet fi

anon.penet.fi

anon.penet.fi

Alice

To: [email protected]

From: [email protected]

Request-remailing-to: [email protected]

“Someone likes you.”

Bob

To: [email protected]

From: [email protected] <anon>

“Someone likes you.”

University of Virginia CS 551


Anon penet fi shutdown

anon.penet.fi Shutdown

  • Church of Scientology wanted to prevent online publication of Church documents (anonymously posted from anon.penet.fi)

  • Church convinced Finnish police to force Julf Helsingius, operator of anon.penet.fi to reveal true identity (1995)

  • Shut down anon.penet.fi remailer

University of Virginia CS 551


Chain remailers

Chain Remailers

Can tell MA is from Alice

remailer.gamma.com

MA’

MA

Alice

remailer.omega.com

MA’’

Can tell MA’’ is going to Bob

Bob

University of Virginia CS 551


Chain remailing

Chain Remailing

  • Alice randomly picks n remailers from a list of servers

  • Each server has a public-private key pair. Alice knows KUn.

  • The ith server gets

    EKUi[address of i+1st server ||

    EKUi+1 [i+2nd server || EKUi+2 [ ... ]]]

University of Virginia CS 551


2 chain remailing

2-Chain Remailing

  • Alice sends Server 1:

    EKU1 [Address2, EKU2 [AddressBob]]

  • Server 1 uses KR1 to decrypt:

    DKR1 [EKU1 [Address2, EKU2 [AddressBob]]]

    = Address2, EKU2 [AddressBob]

  • Sends EKU2 [AddressBob] (and message) to Address2.

  • Both Server 1 and Server 2 must conspire to know Alice sent a message to Bob

University of Virginia CS 551


Anonymous rewebber

M2

M1

Eve

remailer 1

remailer 2

Alice

remailer 3

Bob

Where must Eve listen to network to discover Alice and Bob are communicating?

University of Virginia CS 551


Thwarting eavesdroppers

Thwarting Eavesdroppers

  • Need to make sure incoming/outgoing messages can’t be matched:

    • Make sure in/out messages can’t be matched: all messages look the same

    • Make sure each remailer is transmitting lots of messages (add dummy ones if necessary)

University of Virginia CS 551


Cypherpunk remailers

Cypherpunk Remailers

  • Add encryption layers around message, one is removed on each hop

  • Stall for random time at each remailer before forwarding

From http://www.obscura.com/~loki/remailer/remailer-essay.html

  • Vulnerabilities:

    • Message shrinks each hop (length reveals path)

    • Replay attacks

University of Virginia CS 551


Mixmaster

Mixmaster

  • Chaum, Cottrell 97

  • Each header contains RSA-encrypted information about next hop and 3DES key for decrypting message

  • 20 hops: message is encrypted 20 times with different 3DES keys

From http://www.obscura.com/~loki/remailer/remailer-essay.html

University of Virginia CS 551


Replay attacks

Replay Attacks

  • Each packet has a unique ID

  • Mixmaster remailer keeps track of all IDs it has seen, if it gets a packet with the same ID it drops it

  • Since ID is in header encrypted with remailer’s public key, no way for attacker to change ID without also changing header

University of Virginia CS 551


Onion routing

Onion Routing

  • Not just email – do the same thing with all IP packets

  • NRL (http://www.onion-router.net/)

  • Sender picks random servers for send and return, encrypts with server public keys in reverse order

  • Each server decrypts one header to find next destination, mangles packet so it is not recognizable

University of Virginia CS 551


Anonymous web browsing

Anonymous Web Browsing

  • Janus: (rewebber.com)

    • URL U

      http://www.rewebber.com/surf-encrypted/Ek (U)

rewebber.com

(rewrites links)

Alice

Ek (http://www.cs.virginia.edu/~evans/cs551)

www.cs.virginia.edu

Alice’s boss sees

request to rewebber.com

Log shows request from rewebber.com

University of Virginia CS 551


Anonymous publishing

Anonymous Publishing

  • Use the rewebber URL: http://www.rewebber.com/surf_encrypted/MTCyWd$c6R5Nx0bexTDUG4YwzANYBiA300hz3CxsG3QIXdcPYrnoq2zAs22IPv34GRCLXqG49zQpFvR8r++TNI84Sd6$EKxJgogHZPlOOaqSlJ3H+1D+oj5swX+vws8Umtk=

  • Doesn’t prevent censoring

  • Not robust (server can still be attacked)

University of Virginia CS 551


Publius

Publius

  • [Mark Waldman (NYU), Avi Rubin (AT&T), Lorrie Cranor (AT&T, visiting UVa Jan 24th) 2000]

  • “Publius” – pseudonym used by Alexander Hamilton, John Jay and James Madison to publish Federalist Papers

  • “Robust, tamper-evident, censorship-resistant web publishing system”

University of Virginia CS 551


Publius overview

Publius Overview

  • Content encrypted using K and spread over several web servers

  • K is split into n shares, such that k are needed to reproduce K (but k – 1 reveal no information)

    • Shamir Secret Sharing (PS1)

  • Content is tied cryptographically to URL used to retrieve document – can tell if retrieved document was tampered with

University of Virginia CS 551


Publishing

Publishing

  • Publisher generates random key K.

  • Randomly selects n Publius servers.

  • Each server gets EK (M) and a share of K.

  • URL concatenates name for each server (cryptographically generated based on both M and server location)

University of Virginia CS 551


Naming servers

Naming Servers

for i = 1 to n

name = hash (M + share[i])

name = XOR (name65-128, name1-64)

location = name MOD serverListSize + 1

if location is unique

publiusURL = publiusURL + name

keep track of this location

else

can’t give 2 shares to same location

start over with different random K

University of Virginia CS 551


Retrieving from publius

Retrieving from Publius

  • URL is name1, ..., namen.

  • locationi = namei mod serverListSize + 1.

  • Retrieve a key share from k randomly chosen locations (associated with URL).

  • Randomly, retrieve EK (M) from one location.

  • Combine all key shares and decrypt to retrieve M.

  • Check hashes to make sure M is untampered. If not, try again. (Different locations.)

University of Virginia CS 551


How do you prevent denial of service attacks on anonymous services

How do you prevent denial of service attacks on anonymous services?

  • anon.penet.fi: severe limits on size and number of messages any user could send, several days delay for all messages

  • Chaining remailers – can’t do this, since they can’t identify users

  • Hash cash – require senders to do some work

University of Virginia CS 551


Hash cash

Hash Cash

  • Before publishing, server sends publisher challenge: c, b.

  • To publish, publisher must respond with s such that at least b bits of H(c + s) match b-bits of H(s).

  • To find a 19 bit SHA-1 collision takes about 20 seconds

  • Later use real digital cash...

University of Virginia CS 551


Charge

Charge

  • There are some good reasons for anonymity

    • Organizing against oppressive governments

    • Whistleblowing, anonymous feedback, etc.

  • Anonymity is dangerous

    • Criminal transactions, child porn, etc.

  • Lots of legal/political/moral issues to resolve...

  • Next time: groups 1-3 and 10-12 presentations

    • If you want to practice your presentation to me, talk to me now to arrange a time (if you haven’t already).

University of Virginia CS 551


  • Login