## Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms


**Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms**

David Chaum, CACM Vol. 24 No. 2, February 1981. Presented by: Adam Lee, 1/24/2006

**Motivation**

- Many uses for anonymous communication channels
  - Elections
  - Anonymous crime tips
  - Whistle-blowing
  - Etc.
- Standard mail offers some guarantees of anonymity; why not email too?

**Contributions**

- Cryptographic protocols to support an anonymous email system
  - Keep the sender anonymous w.r.t. both the receiver and other parties in the network
  - Allow the receiver to reply to the sender without learning the sender's identity
- The protocol can also be used to form anonymous yet verifiable rosters
  - E.g., for an electronic election

**Historical Perspective, 1979**

- Cryptography had been around for millennia
  - Usually required the use of shared secrets
- Paradigm shift: late 1970s
  - Diffie & Hellman, "New Directions in Cryptography" (1976)
  - RSA cryptosystem (1977)
- Rapid advances allow strangers to share keys (secrets)

**Notation**

- Keys in a public-key cryptosystem
  - Public key: K
  - Private key: K^-1
- Encryption of x with K is denoted K(x)
- The keys are inverses, i.e., K^-1(K(x)) = K(K^-1(x)) = x

**Operations**

- To prevent certain attacks, Chaum advocates random padding before encryption
  - i.e., encrypt x as K(R, x), where R is a random string, rather than as K(x) (without R, anyone could confirm a guess at x by computing K(x) themselves and comparing)
- When signing, first pad with a known constant
  - i.e., K^-1(C, y), where C is a known constant

**Chaum's Assumptions**

- The cryptosystem cannot be broken
- Anyone can observe all links in the system
  - The so-called "global passive adversary"
- Anyone can inject, replay, remove, or modify messages
  - The Dolev-Yao active attacker model (which they did not publish until 1983)

**Sending Anonymous Mail**

- Rather than sending mail directly to the recipient, send it to a mix
- Principle: reduce the correspondence between the input set and the output set
  - Fools global passive adversaries
- What about keeping the message private?

**Players (and their public keys)**

- Mixes: Kn
- Recipient A: Ka

**One Mix Protocol (The Crypto!)**

- Sender -> Mix: K1(R1, Ka(R0, M), A)
- Mix -> A: Ka(R0, M)
- Public-key crypto hides the message from the mix and from nosy parties on the Internet

**Cascade Mix Example**

- Protocol
  - Sender -> Mix n: Kn(Rn, Kn-1(Rn-1, ..., K1(R1, Ka(R0, M), A), ..., An-2), An-1)
  - Mix n -> Mix n-1: Kn-1(Rn-1, ..., K1(R1, Ka(R0, M), A), ..., An-2)
  - ...
  - Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A)
  - Mix 1 -> A: Ka(R0, M)
- As long as at least one of the n mixes remains uncompromised, the correspondence between the cascade's inputs and outputs stays hidden; Chaum's point is that a single honest mix suffices even if the other n-1 collude

**Observations**

- At each step in the cascade, the current mix
  - Peels off one layer of encryption
  - Discovers a forwarding address
  - Passes the message along
- So each mix only knows where a message came from and where it is going next
- Note the similarities to onion routing, Crowds, etc.

**Return to Sender**

- This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses?
- Embed an untraceable return address!
- Format: K1(R1, AX), KX
  - AX is X's return address, KX is a temporary public key for X, and R1 is a random key the mix will use to re-encrypt the reply

**Example**

- Protocol:
  - X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
  - Mix -> Y: KY(R0, M1), K1(R1, AX), KX
  - Y -> Mix: K1(R1, AX), KX(R2, M2)
  - Mix -> X: R1(KX(R2, M2))
- Note 1: R1 is used to transform the forwarded reply so that inputs and outputs cannot be matched
- Note 2: Return addresses can be cascaded just like messages
- Note 3: Responses are recognizably different from initial messages

**Possible Attack (not in paper)**

- Note that K1(R1, AX) and KX are not bound together
- A malicious mix can read reply messages by carrying out a man-in-the-middle attack
- With email, replies very often quote the original message!

**Attack Example**

- X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
- Mix -> Y: KY(R0, M1), K1(R1, AX), KX'
  - Note the substituted ephemeral public key KX'
- Y -> Mix: K1(R1, AX), KX'(R2, M2)
- The mix can unpack this message, read M2, and re-encrypt it under KX
- Mix -> X: R1(KX(R2, M2))
  - X receives a well-formed reply and cannot tell that anything happened

**A Simple Solution**

- To prevent the attack, we need only change the first message of the protocol
  - X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX
- This allows Y to verify that the mix did not change KX, since the mix cannot alter anything encrypted under KY
  - Y compares the KX sealed under KY with the KX delivered alongside the return address and refuses to reply if they differ

**Anonymous Elections**

- Form a roster of pseudonyms by sending anonymous emails through a mix-net
- Output the list in a public location
- Only entities on the list can take actions in the system

**Recommendations for an Untraceable Mail System**

- To hide the number of messages sent, each participant sends the same number of messages per interval (some are dummies)
  - Cover traffic!
- To hide the number of messages received, every participant must check all delivered messages, not only the ones known to be addressed to them
- Messages should all be the same size
  - Prevents I/O correlation

**Implementing an Advanced Mix**

- A mix with all of the above properties can be implemented using the techniques presented in the paper
- Overview
  - Break the message into fixed-size blocks
  - Each mix "pops" the first block and appends a block of junk at the end, so the size stays constant
  - Decrypting the removed block yields a key R, which is then used to encrypt each remaining block of the new message

**Discussion Questions**

- Why wasn't Chaum's mix network ever implemented?
- How should we characterize advancements in anonymous email over the years? Technological? Responses to a better understanding of threats?

**Discussion Questions (cont.)**

- The article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?
- What do people think of the notion of certified mail and receipts?
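The protocol slides above (the one-mix protocol, the cascade, the untraceable return address, the key-substitution attack and its fix) can be exercised end to end in a toy model. The following Python is an added example written for this page, not code from Chaum's paper or from the presenter. Its assumptions: textbook RSA with freshly generated ~128-bit moduli plays K/K^-1 (absurdly small, for illustration only); the random R of each layer travels under RSA and also keys a SHA-256 counter-mode keystream covering the rest of the layer, the way Chaum's fixed-block mix uses the key recovered from the first block, so K(R, x) here is a hybrid seal rather than pure padding; addresses are 8-byte padded names; there is no batching, dummy traffic or constant-size padding, so only the cryptographic layering is modelled, not the traffic-analysis defenses from the Recommendations slide. The function names (`seal`, `open_`, `wrap_cascade`, `mix_forward`, `cascade_roundtrip`, `reply_via_mix`) and all message text are made up.

```python
"""Toy model of Chaum's mix protocol: an example added for this page, not code
from the paper or the slides.  Textbook RSA at ~128 bits stands in for K/K^-1,
a SHA-256 keystream keyed by each layer's R for the conventional cipher."""
import hashlib
import secrets

ADDR_LEN, KEY_BYTES = 8, 16   # made-up address width; RSA header carrying R

def is_probable_prime(n, rounds=25):          # Miller-Rabin, random bases
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(s):                    # look for -1 among x^(2^j)
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keypair(bits=64):
    """(K, K^-1) = ((n, e), (n, d)); the two are inverses on Z_n."""
    def prime():                              # random odd, top bit set, prime
        cands = iter(lambda: secrets.randbits(bits) | 1 << (bits - 1) | 1, None)
        return next(c for c in cands if is_probable_prime(c))
    while True:
        p, q, e = prime(), prime(), 65537
        try:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
        except ValueError:                    # e not invertible mod phi
            pass

def pub_bytes(pub):                           # serialise K to ride in a message
    return pub[0].to_bytes(KEY_BYTES, "big") + pub[1].to_bytes(4, "big")

def keystream_xor(key, data):
    """Conventional-cipher stand-in: XOR with SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(pub, payload, r=None):
    """K(R, payload): R travels under RSA and keys the stream over payload."""
    r = r or b"\0" + secrets.token_bytes(KEY_BYTES - 1)   # R < 2^120 < n
    header = pow(int.from_bytes(r, "big"), pub[1], pub[0])
    return header.to_bytes(KEY_BYTES, "big") + keystream_xor(r, payload)

def open_(priv, blob):
    """K^-1 on a sealed blob: returns (R, payload)."""
    r = pow(int.from_bytes(blob[:KEY_BYTES], "big"), priv[1], priv[0])
    r = r.to_bytes(KEY_BYTES, "big")
    return r, keystream_xor(r, blob[KEY_BYTES:])

def addr(name):
    return name.encode().ljust(ADDR_LEN, b"\0")

def wrap_cascade(path, dest, dest_pub, msg):
    """Kn(Rn, ..., K1(R1, Ka(R0, M), A), ..., An-1); path = [(name1, K1), ...]."""
    blob, next_hop = seal(dest_pub, msg), addr(dest)
    for name, pub in path:                    # innermost layer (mix 1) first
        blob, next_hop = seal(pub, next_hop + blob), addr(name)
    return blob

def mix_forward(priv, blob):
    """One hop: peel a layer, learn only the next address, forward the rest."""
    plain = open_(priv, blob)[1]
    return plain[:ADDR_LEN].rstrip(b"\0").decode(), plain[ADDR_LEN:]

def cascade_roundtrip(msg=b"anonymous tip"):
    """Two-mix cascade: returns what mix 2 saw, what mix 1 saw, what A read."""
    (k1, k1s), (k2, k2s), (ka, kas) = rsa_keypair(), rsa_keypair(), rsa_keypair()
    blob = wrap_cascade([("mix1", k1), ("mix2", k2)], "A", ka, msg)
    hop1, blob = mix_forward(k2s, blob)       # mix 2 learns only A1
    hop2, blob = mix_forward(k1s, blob)       # mix 1 learns only A
    return hop1, hop2, open_(kas, blob)[1]

def reply_via_mix(bind_kx):
    """X -> mix -> Y, reply via K1(R1, AX), KX; the mix swaps KX for its own KX'.
    Returns (Y detected the swap, M2 as the mix read it, M2 as X read it)."""
    (k1, k1s), (ky, kys), (kx, kxs) = rsa_keypair(), rsa_keypair(), rsa_keypair()
    r1 = b"\0" + secrets.token_bytes(KEY_BYTES - 1)
    ret = seal(k1, addr("X"), r1)                         # K1(R1, AX)
    m1 = (pub_bytes(kx) if bind_kx else b"") + b"meet at noon"  # fix: KX inside
    _, to_y = mix_forward(k1s, seal(k1, addr("Y") + seal(ky, m1)))
    kx_fake, kx_fakes = rsa_keypair()                     # the mix's KX'
    if bind_kx and open_(kys, to_y)[1][:KEY_BYTES + 4] != pub_bytes(kx_fake):
        return True, None, None                           # Y refuses to reply
    leaked = open_(kx_fakes, seal(kx_fake, b"noon works"))[1]  # mix reads M2
    r1_seen = open_(k1s, ret)[0]                          # mix unwraps K1(R1, AX)
    out = keystream_xor(r1_seen, seal(kx, leaked))        # R1(KX(R2, M2)) -> AX
    return False, leaked, open_(kxs, keystream_xor(r1, out))[1]
```

`cascade_roundtrip()` returns `("mix1", "A", msg)`: mix 2 learned only mix 1's address, mix 1 learned only A's, and A recovered the plaintext. `reply_via_mix(False)` reproduces the attack from the slides: the mix recovers M2 in the clear and X still reads a well-formed reply, none the wiser. `reply_via_mix(True)` applies the fix; Y sees that the key attached to the return address differs from the one sealed under KY and refuses to reply. Note that the fix only binds KX to M1; it does not stop the mix from reading M1's envelope fields or from dropping messages, which the slides' global-active-adversary assumption already concedes.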