There was of course no way of knowing whether you were being watched at any given moment...You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard and, except in darkness, every movement scrutinized.
George Orwell, 1984 (1948)
CS551: Security and Privacy
University of Virginia
Computer Science
Anonymous http://www.rewebber.com/surf_encrypted/MTBKb4IK q25YShD4yVMTkRoqWo1Bu8kpFHRYfkT48tTCovu
Kp7Cktazai94gqryx2aHjXyqVzAEgNpFMDvxmbvyVI
ByOstd5h5h9vlgkO3z6xFxiQ+xJ0eNrRNr3bjVa6uQ=
• Surveillance
– Echelon, TEMPEST, Carnivore
• Anonymity
– Email, Browsing, Publishing
16 April 2020 University of Virginia CS 551 2
• Secret agreement in 1948
• NSA, GCHQ (UK), CSE (Canada), DSD
(Australia), GCSB (New Zealand)
• Listening stations throughout world
– Monitor satellite, microwave, cellular and fiber-optic communications traffic
– Voice recognition and OCR
– Dictionary of suspicious phrases
16 April 2020 University of Virginia CS 551 3
• Established for allies to spy on Soviets during cold war
• More recently: justified as counterterrorism
• Listening stations directed at Intelsat satellites – intercept majority of intercontinental communications
16 April 2020 University of Virginia CS 551 4
Echelon Intercept Station, Menwith Hill, England
16 April 2020 University of Virginia CS 551 5
• Political spying:
– British Prime Minister Margaret Thatcher used
Echelon (Canada) to spy on ministers suspected of disloyalty (1983)
– Senator Strom Thurmond, Congressman Michael
Barnes
– Target Amnesty International, Greenpeace, etc.
• Commercial espionage
– Liason to Department of Commerce, uses intelligence to help American companies get contracts
– 1993 – Clinton asked CIA to spy on Japanese auto makers designing zero-emissions vechicles, and send information to GM, Ford and Chrysler
16 April 2020 University of Virginia CS 551 6
16 April 2020 University of Virginia CS 551 7
• All electronic equipment emits electromagnetic radiation
• Can see what is on someone’s screen with a large antenna outside their office
• TEMPEST (Telecommunications Electronics
Material Protected from Emanating Spurious
Transmissions ?)
– Secret NSA standard for low-emissions computers
• Lots of money wasted because of unreasonable paranoia (probably)
16 April 2020 University of Virginia CS 551 8
16 April 2020
ChainMail’s Antivore
University of Virginia CS 551 9
16 April 2020
From http://www.fbi.gov/programs/carnivore/carnlrgmap.htm
University of Virginia CS 551 10
• Fourth Amendment prohibits unreasonable searches
• Title III Omnibus Crime Control Act (1968)
– FBI may obtain a court order to intercept electronic communications
– Requires service providers to assist law enforcement in tapping wires
• Carnivore designed to be precise filter
• Court order can require ISP (Internet
Surveillance Point) to install Carnivore
16 April 2020 University of Virginia CS 551 11
1. Have an independent organization write a firewall that looks at transmissions from Carnivore to FBI
2. Have an independent organization examine the Carnivore source code
3. Trust them, the FBI would never abuse the information anyway.
16 April 2020 University of Virginia CS 551 12
• FBI refused to open source
• DOJ solicited proposals to review Carnivore source – 11 proposals
– All “good” places (MIT, Purdue, Dartmouth,
UCSD) withdrew after FBI said they couldn’t publish source code and FBI would have complete control over report
– Selected Illinois Institute of Technology
Research Institute
– Paid them ~$175,000 to say Carnivore is okay
16 April 2020 University of Virginia CS 551 13
• Carnivore technology “protects privacy and enables lawful surveillance better than alternatives.”
• Carnivore “does not provide protections, especially audit functions, commensurate with the level of the risks”
• Carnivore “reduces, but does not eliminate” the risk of unauthorized interception of electronic communication by the FBI
16 April 2020 University of Virginia CS 551 14
16 April 2020 University of Virginia CS 551 15
• Encryption
– Can be broken
– Even if not, it still reveals parties communicating (e.g., you visited Amnesty
International’s web site)
• Anonymity Services
– Hide identity
– Still provide 2-way communication
16 April 2020 University of Virginia CS 551 16
SAS
Alice
To: remailer@sas.com
Request-remail-to: bob@bob.com
“Someone likes you.”
To: bob@bob.com
From: anon@sas.com
16 April 2020
“Someone likes you.”
University of Virginia CS 551
Bob
17
• Bob can’t reply to sender
• Eavesdropper can see messages
• Traffic monitoring could detect traffic from Alice to Bob
• ...
16 April 2020 University of Virginia CS 551 18
Pseudonym
4yg029657
Address alice@wonderland.edu
Alice anon.penet.fi
To: remailer@anon.penet.fi
From: alice@wonderland.edu
Request-remailing-to: bob@bob.com
“Someone likes you.”
Bob
To: bob@bob.com
From: 4yg029657@anon.penet.fi <anon>
16 April 2020
“Someone likes you.”
University of Virginia CS 551 19
• Church of Scientology wanted to prevent online publication of Church documents (anonymously posted from anon.penet.fi)
• Church convinced Finnish police to force Julf Helsingius, operator of anon.penet.fi to reveal true identity
(1995)
• Shut down anon.penet.fi remailer
16 April 2020 University of Virginia CS 551 20
Can tell M
A is from Alice
Alice M
A remailer.gamma.com
M
A’ remailer.omega.com
M
A’’
Can tell M
A’’ is going to Bob
Bob
16 April 2020 University of Virginia CS 551 21
• Alice randomly picks n remailers from a list of servers
• Each server has a public-private key pair. Alice knows KU n
.
• The i th server gets
E
KU i
[address of i +1 st server ||
E
KU i+ 1
[ i +2 nd server || E
KUi+2
[ ... ]]]
16 April 2020 University of Virginia CS 551 22
• Alice sends Server 1:
E
KU1
[Address
2
, E
KU2
[Address
Bob
]]
• Server 1 uses
KR
1 to decrypt:
D
KR1
[E
KU1
[Address
2
, E
KU2
[Address
Bob
]]]
= Address
2
, E
KU2
[Address
Bob
]
• Sends
E
KU2
[Address
Bob
] (and message) to
Address
2
.
• Both Server 1 and Server 2 must conspire to know Alice sent a message to Bob
16 April 2020 University of Virginia CS 551 23
remailer 1
M2
Alice
M1
16 April 2020
Eve remailer 2
Bob remailer 3
Where must Eve listen to network to discover Alice and Bob are communicating?
University of Virginia CS 551 24
• Need to make sure incoming/outgoing messages can’t be matched:
– Make sure in/out messages can’t be matched: all messages look the same
– Make sure each remailer is transmitting lots of messages (add dummy ones if necessary)
16 April 2020 University of Virginia CS 551 25
• Add encryption layers around message, one is removed on each hop
• Stall for random time at each remailer before forwarding
From http://www.obscura.com/~loki/remailer/remailer-essay.html
Vulnerabilities:
–Message shrinks each hop (length reveals path)
–Replay attacks
16 April 2020 University of Virginia CS 551 26
• Chaum, Cottrell 97
• Each header contains
RSA-encrypted information about next hop and 3DES key for decrypting message
• 20 hops: message is encrypted 20 times with different 3DES keys
From http://www.obscura.com/~loki/remailer/remaileressay.html
16 April 2020 University of Virginia CS 551 27
• Each packet has a unique ID
• Mixmaster remailer keeps track of all
IDs it has seen, if it gets a packet with the same ID it drops it
• Since ID is in header encrypted with remailer’s public key, no way for attacker to change ID without also changing header
16 April 2020 University of Virginia CS 551 28
• Not just email – do the same thing with all IP packets
• NRL (http://www.onion-router.net/)
• Sender picks random servers for send and return, encrypts with server public keys in reverse order
• Each server decrypts one header to find next destination, mangles packet so it is not recognizable
16 April 2020 University of Virginia CS 551 29
• Janus: (rewebber.com)
– URL
U
http://www.rewebber.com/surf-encrypted/ E k
( U )
(rewrites links) rewebber.com
Alice
E k
(http://www.cs.virginia.edu/~evans/cs551)
Alice’s boss sees request to rewebber.com
16 April 2020 www.cs.virginia.edu
Log shows request from rewebber.com
University of Virginia CS 551 30
• Use the rewebber URL: http://www.rewebber.com/surf_encrypted/MTCyWd$c6R5Nx0be xTDUG4YwzANYBiA300hz3CxsG3QIXdcPYrnoq2zAs22IPv34
GRCLXqG49zQpFvR8r++TNI84Sd6$EKxJgogHZPlOOaqSlJ3H
+1D+oj5swX+vws8Umtk=
• Doesn’t prevent censoring
• Not robust (server can still be attacked)
16 April 2020 University of Virginia CS 551 31
• [Mark Waldman (NYU), Avi Rubin
(AT&T), Lorrie Cranor (AT&T, visiting
UVa Jan 24 th ) 2000]
• “Publius” – pseudonym used by
Alexander Hamilton, John Jay and
James Madison to publish Federalist
Papers
• “Robust, tamper-evident, censorshipresistant web publishing system”
16 April 2020 University of Virginia CS 551 32
• Content encrypted using
K and spread over several web servers
•
K is split into n shares, such that k are needed to reproduce K (but k
– 1 reveal no information)
– Shamir Secret Sharing (PS1)
• Content is tied cryptographically to URL used to retrieve document – can tell if retrieved document was tampered with
16 April 2020 University of Virginia CS 551 33
• Publisher generates random key
K .
• Randomly selects n Publius servers.
• Each server gets
E
K
K .
( M ) and a share of
• URL concatenates name for each server (cryptographically generated based on both M and server location)
16 April 2020 University of Virginia CS 551 34
for i = 1 to n name = hash (M + share[i]) name = XOR (name
65-128
, name
1-64
) location = name MOD serverListSize + 1 if location is unique publiusURL = publiusURL + name keep track of this location else can’t give 2 shares to same location start over with different random K
16 April 2020 University of Virginia CS 551 35
• URL is name
1
, ..., name n
.
• location i
= name i mod serverListSize + 1 .
• Retrieve a key share from k randomly chosen locations (associated with URL).
• Randomly, retrieve
E
K
( M ) from one location.
• Combine all key shares and decrypt to retrieve M .
• Check hashes to make sure
M is untampered.
If not, try again. (Different locations.)
16 April 2020 University of Virginia CS 551 36
• anon.penet.fi: severe limits on size and number of messages any user could send, several days delay for all messages
• Chaining remailers – can’t do this, since they can’t identify users
• Hash cash – require senders to do some work
16 April 2020 University of Virginia CS 551 37
• Before publishing, server sends publisher challenge: c, b .
• To publish, publisher must respond with s such that at least b bits of H ( c + s ) match b -bits of H ( s ) .
• To find a 19 bit SHA-1 collision takes about 20 seconds
• Later use real digital cash...
16 April 2020 University of Virginia CS 551 38
• There are some good reasons for anonymity
– Organizing against oppressive governments
– Whistleblowing, anonymous feedback, etc.
• Anonymity is dangerous
– Criminal transactions, child porn, etc.
• Lots of legal/political/moral issues to resolve...
• Next time: groups 1-3 and 10-12 presentations
– If you want to practice your presentation to me, talk to me now to arrange a time (if you haven’t already).
16 April 2020 University of Virginia CS 551 39