Lecture 21:
1 / 39

Lecture 21: How much do you trust your government? - PowerPoint PPT Presentation

  • Uploaded on

Lecture 21: How much do you trust your government?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Lecture 21: How much do you trust your government?' - dimaia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Anonymous rewebber

Lecture 21:

How much do you trust your government?

There was of course no way of knowing whether you were being watched at any given moment...You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard and, except in darkness, every movement scrutinized.

George Orwell, 1984 (1948)



CS551: Security and Privacy

University of Virginia

Computer Science

Anonymous rewebber

  • Surveillance

    • Echelon, TEMPEST, Carnivore

  • Anonymity

    • Email, Browsing, Publishing

University of Virginia CS 551


  • Secret agreement in 1948

  • NSA, GCHQ (UK), CSE (Canada), DSD (Australia), GCSB (New Zealand)

  • Listening stations throughout world

    • Monitor satellite, microwave, cellular and fiber-optic communications traffic

    • Voice recognition and OCR

    • Dictionary of suspicious phrases

University of Virginia CS 551


  • Established for allies to spy on Soviets during cold war

  • More recently: justified as counter-terrorism

  • Listening stations directed at Intelsat satellites – intercept majority of inter-continental communications

University of Virginia CS 551


Echelon Intercept Station, Menwith Hill, England

University of Virginia CS 551

Questionable uses of echelon
Questionable Uses of Echelon

  • Political spying:

    • British Prime Minister Margaret Thatcher used Echelon (Canada) to spy on ministers suspected of disloyalty (1983)

    • Senator Strom Thurmond, Congressman Michael Barnes

    • Target Amnesty International, Greenpeace, etc.

  • Commercial espionage

    • Liason to Department of Commerce, uses intelligence to help American companies get contracts

    • 1993 – Clinton asked CIA to spy on Japanese auto makers designing zero-emissions vechicles, and send information to GM, Ford and Chrysler

University of Virginia CS 551


University of Virginia CS 551

Van eck monitoring
van Eck Monitoring

  • All electronic equipment emits electromagnetic radiation

  • Can see what is on someone’s screen with a large antenna outside their office

  • TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions ?)

    • Secret NSA standard for low-emissions computers

  • Lots of money wasted because of unreasonable paranoia (probably)

University of Virginia CS 551


ChainMail’s Antivore

University of Virginia CS 551


From http://www.fbi.gov/programs/carnivore/carnlrgmap.htm

University of Virginia CS 551

Carnivore history
Carnivore History

  • Fourth Amendment prohibits unreasonable searches

  • Title III Omnibus Crime Control Act (1968)

    • FBI may obtain a court order to intercept electronic communications

    • Requires service providers to assist law enforcement in tapping wires

  • Carnivore designed to be precise filter

  • Court order can require ISP (Internet Surveillance Point) to install Carnivore

University of Virginia CS 551

How can we know carnivore isn t sending fbi more than it should
How can we know Carnivore isn’t sending FBI more than it should?

  • Have an independent organization write a firewall that looks at transmissions from Carnivore to FBI

  • Have an independent organization examine the Carnivore source code

  • Trust them, the FBI would never abuse the information anyway.

FBI’s choice

University of Virginia CS 551

Carnivore examination
Carnivore Examination should?

  • FBI refused to open source

  • DOJ solicited proposals to review Carnivore source – 11 proposals

    • All “good” places (MIT, Purdue, Dartmouth, UCSD) withdrew after FBI said they couldn’t publish source code and FBI would have complete control over report

    • Selected Illinois Institute of Technology Research Institute

    • Paid them ~$175,000 to say Carnivore is okay

University of Virginia CS 551

Iitri report nov 22
IITRI Report (Nov 22) should?

  • Carnivore technology “protects privacy and enables lawful surveillance better than alternatives.”

  • Carnivore “does not provide protections, especially audit functions, commensurate with the level of the risks”

  • Carnivore “reduces, but does not eliminate” the risk of unauthorized interception of electronic communication by the FBI

University of Virginia CS 551

Defenses should?

  • Encryption

    • Can be broken

    • Even if not, it still reveals parties communicating (e.g., you visited Amnesty International’s web site)

  • Anonymity Services

    • Hide identity

    • Still provide 2-way communication

University of Virginia CS 551

Simple anonymity service

To: bob@bob.com should?

From: anon@sas.com

“Someone likes you.”

Simple Anonymity Service



To: remailer@sas.com

Request-remail-to: bob@bob.com

“Someone likes you.”


University of Virginia CS 551

Problems with sas
Problems with SAS should?

  • Bob can’t reply to sender

  • Eavesdropper can see messages

  • Traffic monitoring could detect traffic from Alice to Bob

  • ...

University of Virginia CS 551

Anon penet fi
anon.penet.fi should?



To: remailer@anon.penet.fi

From: alice@wonderland.edu

Request-remailing-to: bob@bob.com

“Someone likes you.”


To: bob@bob.com

From: 4yg029657@anon.penet.fi <anon>

“Someone likes you.”

University of Virginia CS 551

Anon penet fi shutdown
anon.penet.fi Shutdown should?

  • Church of Scientology wanted to prevent online publication of Church documents (anonymously posted from anon.penet.fi)

  • Church convinced Finnish police to force Julf Helsingius, operator of anon.penet.fi to reveal true identity (1995)

  • Shut down anon.penet.fi remailer

University of Virginia CS 551

Chain remailers
Chain Remailers should?

Can tell MA is from Alice







Can tell MA’’ is going to Bob


University of Virginia CS 551

Chain remailing
Chain Remailing should?

  • Alice randomly picks n remailers from a list of servers

  • Each server has a public-private key pair. Alice knows KUn.

  • The ith server gets

    EKUi[address of i+1st server ||

    EKUi+1 [i+2nd server || EKUi+2 [ ... ]]]

University of Virginia CS 551

2 chain remailing
2-Chain Remailing should?

  • Alice sends Server 1:

    EKU1 [Address2, EKU2 [AddressBob]]

  • Server 1 uses KR1 to decrypt:

    DKR1 [EKU1 [Address2, EKU2 [AddressBob]]]

    = Address2, EKU2 [AddressBob]

  • Sends EKU2 [AddressBob] (and message) to Address2.

  • Both Server 1 and Server 2 must conspire to know Alice sent a message to Bob

University of Virginia CS 551

Anonymous rewebber

M2 should?



remailer 1

remailer 2


remailer 3


Where must Eve listen to network to discover Alice and Bob are communicating?

University of Virginia CS 551

Thwarting eavesdroppers
Thwarting Eavesdroppers should?

  • Need to make sure incoming/outgoing messages can’t be matched:

    • Make sure in/out messages can’t be matched: all messages look the same

    • Make sure each remailer is transmitting lots of messages (add dummy ones if necessary)

University of Virginia CS 551

Cypherpunk remailers
Cypherpunk Remailers should?

  • Add encryption layers around message, one is removed on each hop

  • Stall for random time at each remailer before forwarding

From http://www.obscura.com/~loki/remailer/remailer-essay.html

  • Vulnerabilities:

    • Message shrinks each hop (length reveals path)

    • Replay attacks

University of Virginia CS 551

Mixmaster should?

  • Chaum, Cottrell 97

  • Each header contains RSA-encrypted information about next hop and 3DES key for decrypting message

  • 20 hops: message is encrypted 20 times with different 3DES keys

From http://www.obscura.com/~loki/remailer/remailer-essay.html

University of Virginia CS 551

Replay attacks
Replay Attacks should?

  • Each packet has a unique ID

  • Mixmaster remailer keeps track of all IDs it has seen, if it gets a packet with the same ID it drops it

  • Since ID is in header encrypted with remailer’s public key, no way for attacker to change ID without also changing header

University of Virginia CS 551

Onion routing
Onion Routing should?

  • Not just email – do the same thing with all IP packets

  • NRL (http://www.onion-router.net/)

  • Sender picks random servers for send and return, encrypts with server public keys in reverse order

  • Each server decrypts one header to find next destination, mangles packet so it is not recognizable

University of Virginia CS 551

Anonymous web browsing
Anonymous Web Browsing should?

  • Janus: (rewebber.com)

    • URL U

      http://www.rewebber.com/surf-encrypted/Ek (U)


(rewrites links)


Ek (http://www.cs.virginia.edu/~evans/cs551)


Alice’s boss sees

request to rewebber.com

Log shows request from rewebber.com

University of Virginia CS 551

Anonymous publishing
Anonymous Publishing should?

  • Use the rewebber URL: http://www.rewebber.com/surf_encrypted/MTCyWd$c6R5Nx0bexTDUG4YwzANYBiA300hz3CxsG3QIXdcPYrnoq2zAs22IPv34GRCLXqG49zQpFvR8r++TNI84Sd6$EKxJgogHZPlOOaqSlJ3H+1D+oj5swX+vws8Umtk=

  • Doesn’t prevent censoring

  • Not robust (server can still be attacked)

University of Virginia CS 551

Publius should?

  • [Mark Waldman (NYU), Avi Rubin (AT&T), Lorrie Cranor (AT&T, visiting UVa Jan 24th) 2000]

  • “Publius” – pseudonym used by Alexander Hamilton, John Jay and James Madison to publish Federalist Papers

  • “Robust, tamper-evident, censorship-resistant web publishing system”

University of Virginia CS 551

Publius overview
Publius Overview should?

  • Content encrypted using K and spread over several web servers

  • K is split into n shares, such that k are needed to reproduce K (but k – 1 reveal no information)

    • Shamir Secret Sharing (PS1)

  • Content is tied cryptographically to URL used to retrieve document – can tell if retrieved document was tampered with

University of Virginia CS 551

Publishing should?

  • Publisher generates random key K.

  • Randomly selects n Publius servers.

  • Each server gets EK (M) and a share of K.

  • URL concatenates name for each server (cryptographically generated based on both M and server location)

University of Virginia CS 551

Naming servers
Naming Servers should?

for i = 1 to n

name = hash (M + share[i])

name = XOR (name65-128, name1-64)

location = name MOD serverListSize + 1

if location is unique

publiusURL = publiusURL + name

keep track of this location


can’t give 2 shares to same location

start over with different random K

University of Virginia CS 551

Retrieving from publius
Retrieving from Publius should?

  • URL is name1, ..., namen.

  • locationi = namei mod serverListSize + 1.

  • Retrieve a key share from k randomly chosen locations (associated with URL).

  • Randomly, retrieve EK (M) from one location.

  • Combine all key shares and decrypt to retrieve M.

  • Check hashes to make sure M is untampered. If not, try again. (Different locations.)

University of Virginia CS 551

How do you prevent denial of service attacks on anonymous services
How do you prevent denial of service attacks on anonymous services?

  • anon.penet.fi: severe limits on size and number of messages any user could send, several days delay for all messages

  • Chaining remailers – can’t do this, since they can’t identify users

  • Hash cash – require senders to do some work

University of Virginia CS 551

Hash cash
Hash Cash services?

  • Before publishing, server sends publisher challenge: c, b.

  • To publish, publisher must respond with s such that at least b bits of H(c + s) match b-bits of H(s).

  • To find a 19 bit SHA-1 collision takes about 20 seconds

  • Later use real digital cash...

University of Virginia CS 551

Charge services?

  • There are some good reasons for anonymity

    • Organizing against oppressive governments

    • Whistleblowing, anonymous feedback, etc.

  • Anonymity is dangerous

    • Criminal transactions, child porn, etc.

  • Lots of legal/political/moral issues to resolve...

  • Next time: groups 1-3 and 10-12 presentations

    • If you want to practice your presentation to me, talk to me now to arrange a time (if you haven’t already).

University of Virginia CS 551