CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz

advertisement
CMSC 414
Computer and Network Security
Lecture 20
Jonathan Katz
Administrative items
 Midterm next week
– Based on everything from last midterm through today
Zero knowledge (ZK)
 ZK proofs can offer deniability and secrecy
 A zero-knowledge protocol for graph 3-
colorability
 Warning: the aim here is simplicity, and many
subtleties and details are purposely being ignored
Applications of zero-knowledge
 (Deniable) authentication
– Generalization of the protocol we saw last time
– Again, many subtleties and details omitted!
 Anonymous credentials
 Group signatures/trusted computing
Anonymity vs. pseudonymity
 Anonymity
– No one can identify the source of any messages
– Unlinkability – cannot even tell that messages
originated from the same person
 Pseudonymity
– No one can identify the source of a set of messages…
– …but they can tell that they all came from the same
person, with a known pseudonym
 There is a broad scale of achievable anonymity…
– Best you can hope for is limited by the network size!
Traffic analysis
 May be possible to learn who is communicating
with whom using traffic analysis
 Typically, even if communication is encrypted the
headers are not
– Need unencrypted headers for routing
 How is it possible to communicate anonymously?
Anonymous communication
 You are sitting around a table with n people
 How do you send an anonymous message to
another person?
 How do you broadcast a message to everyone
without revealing your identity?
– Linear-round protocol?
– Constant-round protocol (DC-nets)
 Is this secure only for “honest-but-curious”
behavior, or also for malicious behavior?
Anonymizers
 Single anonymizer proxy…
 How to achieve bidirectional communication
– Note: one side need not know the other
 Anonymizers already exist!
– Email
– http
Anonymizers
 Issues/drawbacks?
– Robustness
– Useful for hiding the source from the destination; less
useful for preventing full-fledged traffic analysis…
• Unless encryption is used, which it typically would not be
 Possible attacks
– Latency vs. timing correlation
• 0-latency solution using spurious messages?
– One user sending multiple messages to the same server
– Message sizes
– Replay attacks
Download