Loading in 2 Seconds...

Create Presentation
Download Presentation

Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms

Loading in 2 Seconds...

Download Presentation
## Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Untraceable Electronic Mail, Return addresses, and Digital**Pseudonyms Authors: David L. Chaum, University of California, Berkeley Presented by: Murtuza Jadliwala**Electronic Mail System**Sender Receiver Insecured Telecommunication Channel Email • Problem: Vulnerable to Traffic Analysis Attacks • How to hide the content of communication (message)? • How to hide who is communicating with whom? More specifically, can the sender send the message anonymously to the receiver? • Additional property needed: Untraceable return addresses CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Motivation**• Electronic mail was new in the 1980’s Anonymously sending an electronic mail was a desirable requirement! • The idea of anonymous sending an electronic mail could also be used in other applications Anonymous electronic voting application • Verification that ballots have been properly counted is possible if anonymously mailed ballots are signed with pseudonyms from a roster of registered voters CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Background – Public Key Cryptography**Used for providing confidentiality CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Background – Public Key Cryptography**Used for providing authentication CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Notations**• Assume that RSA public-key cryptosystem is used • K is the public key (known to everyone) • K-1 is the private key (known to only the sender) • M is the message. Assume all messages consists of equal sized and equal number of blocks. M = M1M2M3…ML-1 • Encryption of M by K (using RSA) is denoted as K(M). K(M) is a random mapping from M to a string of size K(M) • K-1 (K(M)) = K(K-1 (M) = M • If M = M’, then K(M) = K(M’). To overcome this problem, choose a random string, attach to the message before encrypting K(R,M) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Assumptions**• No one can determine the mapping between the plaintext and the corresponding encrypted plaintext by just looking at either one of them • No one can create forge a message or a signature without the appropriate random string or private key. • Anyone may learn the origin, destination(s), and representation of all messages in the underlying telecommunication system • Anyone may inject, remove, or modify messages. CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Anonymous Mail System**Kmix(R1, Kr3(R0,M),r3) Mix s1 r1 Email s2 r2 Kr3(R0,M) Email s3 r3 s4 r4 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Anonymous Mail System**Mix s1 r1 • Timing and Order of arrival can leak information! How to overcome that problem? • Mix hides correspondences between its input and outputs. How is this possible? • By assumption 1 – Cryptanalytic attack not possible! • What if one item is repeated in the input and the output? How to overcome this? • Remove redundant items across multiple batches! Email s2 r2 Email Batch Email Email Email Email s3 r3 Email s4 r4 Email CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Protection against Mix Misbehavior**• Mix provides signed receipts of messages to the participants, • Y= K-1mix(C, Kmix(R1, Kr3(R0,M),r3)) • If a participant is wronged, he can supply X = (Kr3(R0,M), r3), and the retained string R1,along with the signed receipt to the authorities • Authorities can verify if Kmix(Y) = C, Kmix(R1,X) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Mix Cascades**r1 Mix 1 Mix 2 Mix n s1 r2 s2 … r3 s3 r4 s4 Advantage: Even if n-1mixes are misbehaving or cheating, a single honest mix can provide secrecy CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Mix Cascades**• Participant provides the following to the Mix1 • Kmix1(R1, Kmix2(R2, …..Kmix n-1(Rn-1, Kmixn(Rn, Kr3(R0,M),r3))….)) • Mix1 yields a lexicographically ordered batch of items, each of the form • Kmix2(R2, …..Kmix n-1(Rn-1, Kmixn(Rn, Kr3(R0,M),r3))….) • The items in the final output batch of a cascade are of the same form as the single mix • Kr3(R0,M),r3 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Return Addresses or Certified Mail**• If x can send an anonymous messages to y, is it possible for yto respond to x, while still keeping identity of x secret from y? • Anonymous mail receipt! • Solution: • The sender x forms an untraceable return address Kmix(R1,Ax), KXand includes it in the message sent through the mix • Ax is the address of x • KX is the public key chosen by x CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Return Addresses or Certified Mail**Kmix(R2, Kr3(R0,M, Kmix(R1,s1), Ks1),r3) Mix s1 r1 Email s2 r2 Kr3(R0,M,Kmix(R1,s1), Ks1) Email Rcpt s3 r3 s1, R1(Ks1 (R3,M’)) Rcpt Kmix(R1,s1), Ks1 (R3,M’) s4 r4 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Return Address in Mix Cascades**• With a cascade of mixes, the message part is prepared the same as for a single mix • Receiver provides the following to the MixN • KmixN(RN, Kmix N-1(RN-1, …..Kmix2(R2, K1(R1,s1))….)), Ks1(R’,M’) • MixNyields a lexicographically ordered batch of items, each of the form • KmixN-1(RN-1, …..Kmix2(R2, K1(R1,s1))….), RN(Ks1(R’,M’)) • The items in the final output batch of a cascade are of the same form as the single mix • s1, R1(…..RN-1(RN(Ks1(R’,M’)))…) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**Application: Anonymous Electronic Voting**• Digital Pseudonym: Public key of anonymous holder (used to verify signatures made by him) • Roster: Collection of “digital pseudonyms” of acceptable anonymous holders maintained by an authority • How can an authority form a roster of anonymous pseudonyms? • Roster could contain a pseudonyms of registered voters • Anonymous Voting: For a single mix, • Each voter submits a ballot of the form Kmix( R1, K, K-1( C, V )), where K is the voter’s pseudonym and V is the vote • Items in the final lexicographically ordered output batch are of the form K, K-1( C, V ) duplicates need to be avoided in this batch • Check if the pseudonym K correctly decrypts the signed vote V • If the above is verified, check if K appears in the roster of registered voters • The above can be easily extended for a cascading mix CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)**General Purpose Anonymous Mail Systems**• To prevent misbehavior in single mix systems: • Require all messages pass through mix cascades • To hide the number of messages sent: • All senders send messages to the mix (in a batch) Some senders send dummy messages • To hide the number of messages received: • Each receiver searches the entire output for messages directed to it • Both the above approaches are too costly • One solution is to use only subsets rather than entire sets of senders/receivers • If a message passes through K mixes in the cascade and contains L blocks (L-K content block, K address blocks) • Problem: How to hide the number of mixes a message passes through Each mix typically strips off 1 address block? • Solution: For each mix the message passes through, remove the corresponding address block, but add a junk content block!So number of block in each message is constant CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)