Presentation is loading. Please wait.

Presentation is loading. Please wait.

DC-Networks – The Protocol. 2 DC-Networks - The Protocol toc Introduction Time Excluding bad clients Key Exchange Demonstration Some Attacks On-demand.

Published byShawn Rose Modified over 7 years ago

Similar presentations

Presentation on theme: "DC-Networks – The Protocol. 2 DC-Networks - The Protocol toc Introduction Time Excluding bad clients Key Exchange Demonstration Some Attacks On-demand."— Presentation transcript:

1 DC-Networks – The Protocol

2 2 DC-Networks - The Protocol toc Introduction Time Excluding bad clients Key Exchange Demonstration Some Attacks On-demand disclosure

3 3 DC-Networks - The Protocol Introduction

4 4 DC-Networks - The Protocol Is the meal paid by one of the cryptographers? Bob Alice Charlie key exchange Introduction

5 5 DC-Networks - The Protocol Is the meal paid by one of the cryptographers? Bob Alice Charlie key exchange Introduction Bob: Alice: Charlie: Everybody:

6 6 DC-Networks - The Protocol Remember the one-time-pad If an attacker knows and if k is random, he does not learn anything about m In other words: Key k “hides” the cleartext m Introduction

7 7 DC-Networks - The Protocol Bob does not learn anything Bob Alice Charlie key exchange Introduction Bob: Alice: Charlie: Bob can learn:

8 8 DC-Networks - The Protocol Summary Everybody exchanges keys with everybody Sender Anonymity Everybody gets every message Receiver Anonymity Introduction

9 9 DC-Networks - The Protocol Time

10 10 DC-Networks - The Protocol Rounds, separated by ticks In each round, each client needs to: Get the list of all participants (may have changed) Prepare and send the new message Get the final message Know, that all others got the (same) message Time

11 11 DC-Networks - The Protocol The protocol Time Tick Round Client get participants send receive message add all keys confirmation that others got message Server

12 12 DC-Networks - The Protocol DC+ “Know, that all others got the same message” Attacker could modify messages to specific clients Solutions Good: Byzantine Agreement, TTP, Group Signatures, Anonymous Signatures... Better: Mangle last message into current Easy, Fast Time

13 13 DC-Networks - The Protocol Excluding bad clients

14 14 DC-Networks - The Protocol Broken and malicious clients Broken clients Server logs out any client that did not send Ban lists, reputation systems etc... Malicious clients Anonymous reservation scheme and trap messages Google “DSuKrypt.pdf”, page 191-192, 202-203 Excluding bad clients

15 15 DC-Networks - The Protocol Anonymous reservation scheme Excluding bad clients Tick 00000000X0000000000000 00110001 collision counter length #1 #2#3 #4...#23... #23 01 5a 32 ef f1 f0 0a aa b3 42...... #1 length chunk server

16 16 DC-Networks - The Protocol Anonymous reservation scheme Round messages = Reservation slots Client chooses slot at random If collision counter = 1 then reservation succeeded Real message data published via “chunk server” Bonus: Variable block length in reservation slot Excluding bad clients

17 17 DC-Networks - The Protocol Trap Messages Prevent attacker disturbing messages: Trap messages every now and then Request disclosure of own traps (if caught something) Bonus: Variable block length in reservation slot Excluding bad clients

18 18 DC-Networks - The Protocol Key Exchange

19 19 DC-Networks - The Protocol Remember: Diffie & Hellman Key Exchange Server p,q AliceBob publish

20 20 DC-Networks - The Protocol Diffie & Hellman No direct client to client communication needed Complete key graph Easy distribution Exchange seeds for random number generator Unfortunately, keys become “provable” But: Clients can always exchange real one-time-pads (they even do not have to tell the server) Key Exchange

21 21 DC-Networks - The Protocol Demonstration

22 22 DC-Networks - The Protocol Some Attacks

23 23 DC-Networks - The Protocol Timing attack Attacker knows who sends at which time A client answering too fast did not send the answer Alic e "Everything understandable?""No, the lecturer sucks!!1!" Alic e other participants too short for human reaction other participants Some Attacks

24 24 DC-Networks - The Protocol Timing attack Solution: Server return message after client sends All clients receive messages delayed at least one round Nice side effects: Only client → server communication (“firewall-proof”) Some Attacks

25 25 DC-Networks - The Protocol Political attacks Centralized Server? Data Retention Forced to store communication data btw: Does not make sense anyway Warning lawyer threats Crypto bans Some Attacks

26 26 DC-Networks - The Protocol Political attacks Why do we need a server at all? Participants publish their rounds on MySpace, Wikipedia, phpBB, newspaper etc. Login / Logout: Someone send participants DH-key and publishing URL within the DC-Network Auto-Logout by “not publishing once” Some Attacks

27 27 DC-Networks - The Protocol On-demand disclosure

28 28 DC-Networks - The Protocol Original scheme by David Chaum Participants sign round keys Alice and Bob exchange their signatures In case of “disclosure”, all participants publish their keys Alice verifies Bob's key and vice versa On-demand disclosure

29 29 DC-Networks - The Protocol "Watchmen" scheme n predefined watchmen may work together to disclose sender Client splits round key into n parts Send one part to each watchman In case of “disclosure”, all watchmen post their parts to reconstruct the round key On-demand disclosure

30 30 DC-Networks - The Protocol How to split a key On-demand disclosure To join parts together, add them

31 31 DC-Networks - The Protocol Split keys to Dickens and Elisa Bob AliceCharlie On-demand disclosure DickensElisa

32 32 DC-Networks - The Protocol Split keys to Dickens and Elisa Bob AliceCharlie On-demand disclosure DickensElisa Dickens says: Elisa says: Everyone:

33 33 DC-Networks - The Protocol Why do the watchmen learn nothing? The first watchmen receive random numbers. Obviously, they learn nothing about k The published values only consist of random numbers On-demand disclosure

34 34 DC-Networks - The Protocol Problem: Conspiration Alice and Bob exchange an additional key They add to their round message, but not to the key sent to Dickens and Elisa Sum of Dickens and Elisa is still 0 On “disclosure”, both round keys from Alice and Bob mismatch (by resp. ) Of course, both could be considered “bad guys” On-demand disclosure

35 35 DC-Networks - The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g. “5 out of 10” Google “DSuKrypt.pdf”, page 131-133 Using Adi Shamirs polynomial interpolation, some restrictions occur All participants must use same set of watchmen (may be necessary anyway) Each watchman must get the same x-coordinates from every participant On-demand disclosure

36 36 DC-Networks - The Protocol Comparison Comparing the disclosure scheme by David Chaum: Both schemes are insecure against conspirations Using watchmen, a conspiration can not be formed after the message is published Using watchmen, no communication to the participants needed after message is published The disclosure can be kept secret On-demand disclosure

37 37 DC-Networks - The Protocol Thanks Interesting stuff: D.Chaum, “The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability” (Journal of Cryptology, vol. 1 no. 1, 1988, pp. 65-75 or http://www.cs.cornell.edu/People/egs/herbivore/dcnets.html) A.Pfitzmann, “Datensicherheit und Kryptographie” (http://dud.inf.tu-dresden.de/~pfitza/DSuKrypt.html, pp 176-199 and 123-125. German language) Literature

Download ppt "DC-Networks – The Protocol. 2 DC-Networks - The Protocol toc Introduction Time Excluding bad clients Key Exchange Demonstration Some Attacks On-demand."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,

Scalable Anonymous Group Communication in the Anytrust Model David Wolinsky 1, Henry Corrigan-Gibbs 1, Bryan Ford 1, and Aaron Johnson 2 1 Yale University,
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Homework #5 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #5 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Strong Password Protocols

Strong Password Protocols
1 Lecture 18: E-Mail Security issues specific to email security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms David Chaum CACM Vol. 24 No. 2 February 1981 Presented by: Adam Lee 1/24/2006 David.
Public Key Encryption CS432 – Security in Computing Copyright © 2005, 2008 by Scott Orr and the Trustees of Indiana University.

Public Key Encryption CS432 – Security in Computing Copyright © 2005, 2008 by Scott Orr and the Trustees of Indiana University.
15-499Page 1 15-499:Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.

15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F 1 2 3 4 5 6 7 8 9...

A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Lecture 5 Page 1 CS 236 Online Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E,P) P = D(K D,C) Often, works the.

Lecture 5 Page 1 CS 236 Online Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E,P) P = D(K D,C) Often, works the.
Public Key Encryption ● Diffie and Hellman – 1976 Famous Paper: New Directions In Cryptography - 1976 New Directions In Cryptography ● First revolutionary.

Public Key Encryption ● Diffie and Hellman – 1976 Famous Paper: New Directions In Cryptography New Directions In Cryptography ● First revolutionary.

Similar presentations

Ads by Google