Lecture 21: How much do you trust your government?

Lecture 21:

How much do you trust your government?

There was of course no way of knowing whether you were being watched at any given moment...You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard and, except in darkness, every movement scrutinized.

George Orwell, 1984 (1948)

CS551: Security and Privacy

University of Virginia

Computer Science

Anonymous http://www.rewebber.com/surf_encrypted/MTBKb4IK q25YShD4yVMTkRoqWo1Bu8kpFHRYfkT48tTCovu

Kp7Cktazai94gqryx2aHjXyqVzAEgNpFMDvxmbvyVI

ByOstd5h5h9vlgkO3z6xFxiQ+xJ0eNrRNr3bjVa6uQ=

Menu

• Surveillance

– Echelon, TEMPEST, Carnivore

• Anonymity

– Email, Browsing, Publishing

16 April 2020 University of Virginia CS 551 2

UKUSA

• Secret agreement in 1948

• NSA, GCHQ (UK), CSE (Canada), DSD

(Australia), GCSB (New Zealand)

• Listening stations throughout world

– Monitor satellite, microwave, cellular and fiber-optic communications traffic

– Voice recognition and OCR

– Dictionary of suspicious phrases


Echelon

• Established for allies to spy on Soviets during cold war

• More recently: justified as counterterrorism

• Listening stations directed at Intelsat satellites – intercept majority of intercontinental communications


Echelon

Echelon Intercept Station, Menwith Hill, England


Questionable Uses of Echelon

• Political spying:

– British Prime Minister Margaret Thatcher used

Echelon (Canada) to spy on ministers suspected of disloyalty (1983)

– Senator Strom Thurmond, Congressman Michael

Barnes

– Target Amnesty International, Greenpeace, etc.

• Commercial espionage

– Liason to Department of Commerce, uses intelligence to help American companies get contracts

– 1993 – Clinton asked CIA to spy on Japanese auto makers designing zero-emissions vechicles, and send information to GM, Ford and Chrysler


TEMPEST


van Eck Monitoring

• All electronic equipment emits electromagnetic radiation

• Can see what is on someone’s screen with a large antenna outside their office

• TEMPEST (Telecommunications Electronics

Material Protected from Emanating Spurious

Transmissions ?)

– Secret NSA standard for low-emissions computers

• Lots of money wasted because of unreasonable paranoia (probably)


Carnivore

16 April 2020

ChainMail’s Antivore

University of Virginia CS 551 9

Carnivore

16 April 2020

From http://www.fbi.gov/programs/carnivore/carnlrgmap.htm


Carnivore History

• Fourth Amendment prohibits unreasonable searches

• Title III Omnibus Crime Control Act (1968)

– FBI may obtain a court order to intercept electronic communications

– Requires service providers to assist law enforcement in tapping wires

• Carnivore designed to be precise filter

• Court order can require ISP (Internet

Surveillance Point) to install Carnivore


How can we know Carnivore isn’t sending FBI more than it should?

1. Have an independent organization write a firewall that looks at transmissions from Carnivore to FBI

2. Have an independent organization examine the Carnivore source code

3. Trust them, the FBI would never abuse the information anyway.


Carnivore Examination

• FBI refused to open source

• DOJ solicited proposals to review Carnivore source – 11 proposals

– All “good” places (MIT, Purdue, Dartmouth,

UCSD) withdrew after FBI said they couldn’t publish source code and FBI would have complete control over report

– Selected Illinois Institute of Technology

Research Institute

– Paid them ~$175,000 to say Carnivore is okay


IITRI Report (Nov 22)

• Carnivore technology “protects privacy and enables lawful surveillance better than alternatives.”

• Carnivore “does not provide protections, especially audit functions, commensurate with the level of the risks”

• Carnivore “reduces, but does not eliminate” the risk of unauthorized interception of electronic communication by the FBI


What is a paranoid emailer/web browser/ web publisher to do?


Defenses

• Encryption

– Can be broken

– Even if not, it still reveals parties communicating (e.g., you visited Amnesty

International’s web site)

• Anonymity Services

– Hide identity

– Still provide 2-way communication


Simple Anonymity Service

SAS

Alice

To: remailer@sas.com

Request-remail-to: bob@bob.com

“Someone likes you.”

To: bob@bob.com

From: anon@sas.com

16 April 2020


University of Virginia CS 551

Bob

17

Problems with SAS

• Bob can’t reply to sender

• Eavesdropper can see messages

• Traffic monitoring could detect traffic from Alice to Bob

• ...


anon.penet.fi

Pseudonym

4yg029657

Address alice@wonderland.edu

Alice anon.penet.fi

To: remailer@anon.penet.fi

From: alice@wonderland.edu

Request-remailing-to: bob@bob.com


Bob

To: bob@bob.com

From: 4yg029657@anon.penet.fi <anon>

16 April 2020



anon.penet.fi Shutdown

• Church of Scientology wanted to prevent online publication of Church documents (anonymously posted from anon.penet.fi)

• Church convinced Finnish police to force Julf Helsingius, operator of anon.penet.fi to reveal true identity

(1995)

• Shut down anon.penet.fi remailer


Chain Remailers

Can tell M

A is from Alice

Alice M

A remailer.gamma.com

M

A’ remailer.omega.com

M

A’’

Can tell M

A’’ is going to Bob

Bob


Chain Remailing

• Alice randomly picks n remailers from a list of servers

• Each server has a public-private key pair. Alice knows KU n

.

• The i th server gets

E

KU i

[address of i +1 st server ||

E

KU i+ 1

[ i +2 nd server || E

KUi+2

[ ... ]]]


2-Chain Remailing

• Alice sends Server 1:

E

KU1

[Address

2

, E

KU2

[Address

Bob

]]

• Server 1 uses

KR

1 to decrypt:

D

KR1

[E

KU1

[Address

2

, E

KU2

[Address

Bob

]]]

= Address

2

, E

KU2

[Address

Bob

]

• Sends

E

KU2

[Address

Bob

] (and message) to

Address

2

.

• Both Server 1 and Server 2 must conspire to know Alice sent a message to Bob


remailer 1

M2

Alice

M1

16 April 2020

Eve remailer 2

Bob remailer 3

Where must Eve listen to network to discover Alice and Bob are communicating?


Thwarting Eavesdroppers

• Need to make sure incoming/outgoing messages can’t be matched:

– Make sure in/out messages can’t be matched: all messages look the same

– Make sure each remailer is transmitting lots of messages (add dummy ones if necessary)


Cypherpunk Remailers

• Add encryption layers around message, one is removed on each hop

• Stall for random time at each remailer before forwarding

From http://www.obscura.com/~loki/remailer/remailer-essay.html

Vulnerabilities:

–Message shrinks each hop (length reveals path)

–Replay attacks


Mixmaster

• Chaum, Cottrell 97

• Each header contains

RSA-encrypted information about next hop and 3DES key for decrypting message

• 20 hops: message is encrypted 20 times with different 3DES keys

From http://www.obscura.com/~loki/remailer/remaileressay.html


Replay Attacks

• Each packet has a unique ID

• Mixmaster remailer keeps track of all

IDs it has seen, if it gets a packet with the same ID it drops it

• Since ID is in header encrypted with remailer’s public key, no way for attacker to change ID without also changing header


Onion Routing

• Not just email – do the same thing with all IP packets

• NRL (http://www.onion-router.net/)

• Sender picks random servers for send and return, encrypts with server public keys in reverse order

• Each server decrypts one header to find next destination, mangles packet so it is not recognizable


Anonymous Web Browsing

• Janus: (rewebber.com)

– URL

U

 http://www.rewebber.com/surf-encrypted/ E k

( U )

(rewrites links) rewebber.com

Alice

E k

(http://www.cs.virginia.edu/~evans/cs551)

Alice’s boss sees request to rewebber.com

16 April 2020 www.cs.virginia.edu

Log shows request from rewebber.com


Anonymous Publishing

• Use the rewebber URL: http://www.rewebber.com/surf_encrypted/MTCyWd$c6R5Nx0be xTDUG4YwzANYBiA300hz3CxsG3QIXdcPYrnoq2zAs22IPv34

GRCLXqG49zQpFvR8r++TNI84Sd6$EKxJgogHZPlOOaqSlJ3H

+1D+oj5swX+vws8Umtk=

• Doesn’t prevent censoring

• Not robust (server can still be attacked)


Publius

• [Mark Waldman (NYU), Avi Rubin

(AT&T), Lorrie Cranor (AT&T, visiting

UVa Jan 24 th ) 2000]

• “Publius” – pseudonym used by

Alexander Hamilton, John Jay and

James Madison to publish Federalist

Papers

• “Robust, tamper-evident, censorshipresistant web publishing system”


Publius Overview

• Content encrypted using

K and spread over several web servers

•

K is split into n shares, such that k are needed to reproduce K (but k

– 1 reveal no information)

– Shamir Secret Sharing (PS1)

• Content is tied cryptographically to URL used to retrieve document – can tell if retrieved document was tampered with


Publishing

• Publisher generates random key

K .

• Randomly selects n Publius servers.

• Each server gets

E

K

K .

( M ) and a share of

• URL concatenates name for each server (cryptographically generated based on both M and server location)


Naming Servers

for i = 1 to n name = hash (M + share[i]) name = XOR (name

65-128

, name

1-64

) location = name MOD serverListSize + 1 if location is unique publiusURL = publiusURL + name keep track of this location else can’t give 2 shares to same location start over with different random K


Retrieving from Publius

• URL is name

1

, ..., name n

.

• location i

= name i mod serverListSize + 1 .

• Retrieve a key share from k randomly chosen locations (associated with URL).

• Randomly, retrieve

E

K

( M ) from one location.

• Combine all key shares and decrypt to retrieve M .

• Check hashes to make sure

M is untampered.

If not, try again. (Different locations.)


How do you prevent denial of service attacks on anonymous services?

• anon.penet.fi: severe limits on size and number of messages any user could send, several days delay for all messages

• Chaining remailers – can’t do this, since they can’t identify users

• Hash cash – require senders to do some work


Hash Cash

• Before publishing, server sends publisher challenge: c, b .

• To publish, publisher must respond with s such that at least b bits of H ( c + s ) match b -bits of H ( s ) .

• To find a 19 bit SHA-1 collision takes about 20 seconds

• Later use real digital cash...


Charge

• There are some good reasons for anonymity

– Organizing against oppressive governments

– Whistleblowing, anonymous feedback, etc.

• Anonymity is dangerous

– Criminal transactions, child porn, etc.

• Lots of legal/political/moral issues to resolve...

• Next time: groups 1-3 and 10-12 presentations

– If you want to practice your presentation to me, talk to me now to arrange a time (if you haven’t already).


Lecture 21: How much do you trust your government?

Lecture 21:

How much do you trust your government?

Menu

UKUSA

Echelon

Echelon

Questionable Uses of Echelon

TEMPEST

van Eck Monitoring

Carnivore

Carnivore

Carnivore History

How can we know Carnivore isn’t sending FBI more than it should?

Carnivore Examination

IITRI Report (Nov 22)

What is a paranoid emailer/web browser/ web publisher to do?

Defenses

Simple Anonymity Service

Problems with SAS

anon.penet.fi

anon.penet.fi Shutdown

Chain Remailers

Chain Remailing

2-Chain Remailing

Thwarting Eavesdroppers

Cypherpunk Remailers

Mixmaster

Replay Attacks

Onion Routing

Anonymous Web Browsing

Anonymous Publishing

Publius

Publius Overview

Publishing

Naming Servers

Retrieving from Publius

How do you prevent denial of service attacks on anonymous services?

Hash Cash

Charge

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib