Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Security and Cryptography II (Version 2013/04/03) Stefan Köpsell (Slides [mainly] created by Andreas Pfitzmann) Technische Universität Dresden, Faculty.

Similar presentations


Presentation on theme: "1 Security and Cryptography II (Version 2013/04/03) Stefan Köpsell (Slides [mainly] created by Andreas Pfitzmann) Technische Universität Dresden, Faculty."— Presentation transcript:

1 1 Security and Cryptography II (Version 2013/04/03) Stefan Köpsell (Slides [mainly] created by Andreas Pfitzmann) Technische Universität Dresden, Faculty of Computer Science, D-01187 Dresden Nöthnitzer Str. 46, Room 3067 Phone: +49 351 463-38272, e-mail: sk13@inf.tu-dresden.de, https://dud.inf.tu-dresden.de/@inf.tu-dresden.dehttps://dud.inf.tu-dresden.de/

2 2 Symmetric Cryptosystem DES 64-bit block plaintext IP round 1 round 2 round 16 IP -1 64-bit-block ciphertext R0R0 L0L0 R 16 L 16 R1R1 L1L1 R2R2 L2L2 R 15 L 15 K1K1 K2K2 K 16 generation of a key for each of the 16 rounds 64-bit key (only 56 bits in use)

3 3 One round Feistel ciphers fKiKi L i-1 R i-1 L i = R i-1 R i = L i-1  f(R i-1, K i )

4 4 Why does decryption work? f KiKi L i-1 R i-1 L i = R i-1 R i =L i-1  f(R i-1, K i ) f KiKi L i = R i-1 R i-1 L i-1 Decryption trivial L i-1  f(R i-1, K i )  f( L i, K i ) = L i-1  f(L i, K i )  f( L i, K i ) = L i-1 replace R i -1 by L i Encryption round iDecryption round i

5 5 Encryption function f E 48 R i-1 32 P f(R i-1, K i ) 32 KiKi 48 Expansion Use key Mixing Make f (and DES) non- linear (permutations and  are linear) Terms Substitution-permutation networks Confusion - diffusion “substitution box” S can implement any function s : {0,1} 6  {0,1} 4, for example as table. For DES, the functions are fixed. S8S8 S7S7 S6S6 S4S4 S3S3 S2S2 S1S1 S5S5

6 6 Generation of a key for each of the 16 rounds 64-bit key (only 56 bits in use) PC-1 LS 1 LS 2 D0D0 C0C0 D1D1 C1C1 D2D2 C2C2 D 16 C 16 PC-2 K1K1 K2K2 K 16 28 56 48 choose 48 of the 56 bits for each key of the 16 rounds

7 7 The complementation property of DES DES(k, x) = DES(k, x)

8 8 One round fKiKi L i-1 R i-1 L i = R i-1 R i = L i-1  f(R i-1, K i ) complement original

9 9 Encryption function f S8S8 S7S7 S6S6 S5S5 S4S4 S3S3 S2S2 S1S1 E 48 R i-1 32 P f(R i-1, K i ) 32 KiKi 48 complement original, as 0  0 = 1  1 and 1  0 = 0  1 original

10 10 Generalization of DES 1.) 56  16 48 = 768 key bits 2.) variable substitution boxes 3.) variable permutations 4.) variable expansion permutation 5.) variable number of rounds

11 11 Cipher Stream cipher synchronous self synchronizing Block cipher Modes of operation: Simplest: ECB (electronic codebook) each block separately But:concealment: block patterns identifiable authentication: blocks permutable

12 12 Main problem of ECB block borders plaintext blocks ciphertext blocks ECB e.g. 64 bits with DES same plaintext blocks same ciphertext blocks Telefax example (  compression is helpful) ECB

13 13 Electronic Codebook (ECB) encryptiondecryption key plaintext block n ciphertext block n n+1 bit error nn

14 14 Cipher Block Chaining (CBC) All lines transmit as many characters as a block comprises Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus encryptiondecryption key plaintext block n ciphertext block n memory for ciphertext block n-1 plaintext block n n+1 bit error n nn n n+2 If error on the line: Resynchronization after 2 blocks, but block borders have to be recognizable  self synchronizing

15 15 Cipher Block Chaining (CBC) (2) All lines transmit as many characters as a block comprises Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus encryptiondecryption key plaintext block n ciphertext block n memory for ciphertext block n-1 plaintext block n n+1   useable for authentication  use last block as MAC n+2 bit error n nn n 1 modified plaintext bit  from there on completely different ciphertext

16 16 CBC for authentication encryption key plaintext ciphertext block n memory for ciphertext block n-1 plaintext block n    last block  compa- rison ciphertext block n last block ok ?

17 17 Pathological Block cipher x 1 x 2 x 3...x b-1 0 S 1 S 2 S 3...S b-1 1 x 1 x 2 x 3...x b-1 1 x 1 x 2 x 3...x b-1 0 x 1 x 2 x 3...x b-1 S 1 S 2 S 3...S b-1 plaintext block (length b) ciphertext block (length b) secure insecure 1 0 plaintext block (length b-1) ciphertext block (length b-1) pathological

18 18 Cipher FeedBack (CFB) choose encryption shift register 1 b choose or complete choose encryption shift register 1 b key b Block length a Length of the output unit, a  b r Length of the feedback unit, r  b Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus b  r b a aa a plaintext ciphertext plaintext symmetric; self synchronizing n+1 n n

19 19 Cipher FeedBack (CFB) (2) choose encryption shifting register 1 b choose or complete choose encryption shifting register 1 b key b Block length a Length of the output unit, a  b r Length of the feedback unit, r  b Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus b  r b a aa a a a plaintext ciphertext plaintext symmetric; self synchronizing n+1 n+2 n n n

20 20 CFB for authentication choose encryption shift register 1 b choose or complete choose encryption shift register 1 b key b  r b a a a plaintext stream compa- rison ok ?   last content of the shift register encrypted

21 21 Output FeedBack (OFB) choose encryption shift register 1 b choose or complete choose encryption shift register 1 b key b Block length a Length of the output unit, a  b r Length of the feedback unit, r  b Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus b   r b a a a a plaintext ciphertext plaintext symmetric; synchronous Pseudo-one-time-pad n+1 nn

22 22 Plain Cipher Block Chaining (PCBC) encryption key decryption key memory for ciphertext block n-1 memory for plaintext block n-1 memory for ciphertext block n-1 memory for plaintext block n-1 h h h plaintext ciphertext plaintext block n block nblock n All lines transmit as many characters as a block comprises Addition mod appropriately chosen modulus, e.g. 2 Subtraction mod appropriately chosen modulus, e.g. 2 Any function, e.g. addition mod 2 Block length     n nn n+1

23 23 Output Cipher FeedBack (OCFB) choose encryption shift register 1 b choose or complete choose encryption shift register 1 key b Block length a Length of the output unit, a  b r Length of the feedback unit, r  b Addition mod appropriately chosen modulus Subtraction mod appropriately chosen modulus Any function b   r b a a a a plaintext ciphertext plaintext hh  h symmetric; synchronous n n n+1

24 24 Properties of the operation modes ECBCBCPCBCCFBOFBOCFB Utilization of indeterministic block cipher + possible- impossible Use of an asymmetric block cipher results in + asymmetric stream cipher- symmetric stream cipher Length of the units of encryption - determined by block length of the block cipher + user-defined Error extensiononly within the block (assuming the borders of blocks are preserved) 2 blocks (assuming the borders of blocks are preserved) potentially unlimited 1 +  b/r  blocks, if error placed rightmost, else possibly one block less none as long as no bits are lost or added potentially unlimited Qualified also for authentication? yes, if redundancy within every block yes, if deterministic block cipher yes, even concealment in the same pass yes, if deterministic block cipher yes, if adequate redundancy yes, even concealment in the same pass

25 25 Collision-resistant hash function using determ. block cipher encryption plaintext block n memory for intermediate block n-1 last block  efficient any cryptographically strong initial value is fixed! (else trivial collisions: intermediate blocks and truncated plaintexts) last block contains length in bit differently long birthday paradox after 2 b / 2 tests collision b ! nearly no, but well analyzed

26 26 Diffie-Hellman key agreement (1) practically important: patent exhausted before that of RSA  used in PGP from Version 5 on theoretically important: steganography using public keys based on difficulty to calculate discrete logarithms Given a prime number p and g a generator of Z p * g x = h mod p x is the discrete logarithm of h to basis g modulo p: x = log g (h) mod p discrete logarithm assumption

27 27 Discrete logarithm assumption  PPA DL (probabilistic polynomial algorithm, which tries to calculate discrete logarithms)  polynomials Q  L  l  L: (asymptotically holds) If p is a random prime of length l thereafter g is chosen randomly within the generators of Z p * x is chosen randomly in Z p * and g x = h mod p W ( DL (p,g,h)=x)  (probability that DL really calculates the discrete logarithm, decreases faster than ) trustworthy ?? practically as well analyzed as the assumption factoring is hard 1 Q( l ) 1 any polynomial

28 28 Diffie-Hellman key agreement (2) key generation: y  Z p * g y mod p calculating shared key (g x ) y mod p y random number 2 key generation: x  Z p * g x mod p calculating shared key (g y ) x mod p x random number 1 publicly known: p and g  Z p * p, g g x mod pg y mod p calculated keys are equal, because (g y ) x = g yx = g xy = (g x ) y mod p secret area Domain of trust Area of attack

29 29 Diffie-Hellman assumption Diffie-Hellman (DH) assumption: Given p, g, g x mod p and g y mod p Calculating g xy mod p is difficult. DH assumption is stronger than the discrete logarithm assumption Able to calculate discrete Logs  DH is broken. Calculate from p, g, g x mod p and g y mod p either x or y. Calculate g xy mod p as the corresponding partner of the DH key agreement. Until now it couldn’t be shown: Using p, g, g x mod p, g y mod p and g xy mod p either x or y can be calculated.

30 30 Find a generator in cyclic group Z p * Find a generator of a cyclic group Z p * Factor p -1 =: p 1 e 1  p 2 e 2 ...  p k e k 1.Choose a random element g in Z p * 2.For i from 1 to k: b := g mod p If b =1 go to 1. p -1 p i

31 31 Digital signature system Security is asymmetric, too usually: unconditionally secure for recipient only cryptographically secure for signer message domainsignature domain x ss(x)   t true new: signer is absolutely secure against breaking his signatures provable only cryptographically secure for recipient proof of forgery  s‘(x) distribution of risks if signature is forged: 1. recipient 2. insurance or system operator 3. signer

32 32 Fail-stop signature system key generation sign s random number generate proof of forgery key for signing, kept secret x, s(x), “pass” or “fail” x x, s(x) plaintext with signature and test result plaintext t random number‘ key for testing of signature, publicly known test verify plaintext with signature “accept” or proof of forgery “accepted” or “forged” plaintext with signature signer recipient court plaintext with signature

33 33 Undeniable signatures key generation sign s random number key for signing, kept secret x, s(x), “pass” or “fail” x x, s(x) text with signature text with signature and test result text t random number‘ key for testing of signature, publicly known test Interactive protocol for testing the signature

34 34 Signature system for blindly providing of signatures key generation sign s random number x, s(x), “pass” or “fail” x z‘(x) blinded text text with signature and test result Text t random number ‘ z‘ key for testing of signature, publicly known blind unblind and test z‘(x), s(z‘(x)) blinded text with signature RSA p  q = n x  z‘ tx  z‘ t xsxs  z‘-1 z‘-1 (x  z‘ t ) s = x s  z‘x s  z‘

35 35 Threshold scheme (1) Threshold scheme: Secret S n parts k parts: efficient reconstruction of S k-1parts: no information about S Implementation: polynomial interpolation (Shamir, 1979) Decomposition of the secret: Let secret S be an element of Z p, p being a prime number. Polynomial q(x) of degree k-1: Choose a 1, a 2,..., a k-1 randomly in Z p q(x) := S + a 1 x + a 2 x 2 +... + a k-1 x k-1 n parts (i, q(i )) with 1  i  n, where n < p.

36 36 Threshold scheme (2) k parts (x j, q(x j )) (j = 1... k): q(x) = q(x j ) mod p The secret S is q(0). Sketch of proof: 1. k-1 parts (j, q(j )) deliver no information about S, because for each value of S there is still exactly one polynomial of degree k-1. 2. correct degree k-1; delivers for any argument x j the value q(x j ) (because product delivers on insertion of x j for x the value 1 and on insertion of all other x i for x the value 0). k  j=1 k  m=1, m  j (x – x m ) (x j – x m ) Reconstruction of the secret:

37 37 Threshold scheme (3) Polynomial interpolation is Homomorphism w.r.t. + Addition of the parts  Addition of the secrets Share refreshing 1.) Choose random polynomial q‘ for S ‘ = 0 2.) Distribute the n parts (i, q‘(i)) 3.) Everyone adds his “new” part to his “old” part  “new” random polynomial q+q‘ with “old” secret S Repeat this, so that anyone chooses the random polynomial once Use verifiable secret sharing, so that anyone can test that polynomials are generated correctly.

38 38 Protection Goals: Definitions Confidentiality ensures that nobody apart from the communicants can discover the content of the communication. Hiding ensures the confidentiality of the transfer of confidential user data. This means that nobody apart from the communicants can discover the existence of confidential communication. Anonymity ensures that a user can use a resource or service without disclosing his/her identity. Not even the communicants can discover the identity of each other. Unobservability ensures that a user can use a resource or service without others being able to observe that the resource or service is being used. Parties not involved in the communication can observe neither the sending nor the receiving of messages. Integrity ensures that modifications of communicated content (including the sender’s name, if one is provided) are detected by the recipient(s). Accountability ensures that sender and recipients of information cannot successfully deny having sent or received the information. This means that communication takes place in a provable way. Availability ensures that communicated messages are available when the user wants to use them. Reachability ensures that a peer entity (user, machine, etc.) either can or cannot be contacted depending on user interests. Legal enforceability ensures that a user can be held liable to fulfill his/her legal responsibilities within a reasonable period of time.

39 39 Correlations between protection goals ConfidentialityHiding Integrity AnonymityUnobservability Accountability Availability Reachability Legal Enforceability weakens – – implies strengthens + + +

40 40 interceptor possible attackers telephone exchange operator manufacturer (Trojan horse) employee network termination radio television videophone phone internet Observability of users in switched networks countermeasure encryption link encryption

41 41 countermeasure encryption end-to-end encryption interceptor possible attackers telephone exchange operator manufacturer (Trojan horse) employee network termination radio television videophone phone internet Observability of users in switched networks

42 42 countermeasure encryption link encryption end-to-end encryption Problem:traffic data who with whom? when? how long? how much information? Aim: “protect” traffic data (and so data on interests, too) so that they couldn’t be captured. data on interests: Who? What? communication partner interceptor possible attackers telephone exchange operator manufacturer (Trojan horse) employee network termination radio television videophone phone internet Observability of users in switched networks

43 43 interceptor possible attackers radio television videophone phone internet Observability of users in broadcast networks (Examples: bus-, radio networks) any station gets all bits analogue signals (distance, bearing)

44 44 Reality or fiction? Since about 1990 reality Video-8 tape5 Gbyte = 3 * all census data of 1987 in Germany memory costs < 25 EUR 100 Video-8 tapes (or in 2014: 1 hard drive disk with 500 GByte for ≈ 35 EUR) store all telephone calls of one year: Who with whom ? When ? How long ? From where ?

45 45 Excerpt from: 1984 With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end. George Orwell, 1948

46 46/48 Examples of changes w.r.t. anonymity and privacy Broadcast allows recipient anonymity — it is not detectable who is interested in which programme and information

47 47/48 Examples of changes w.r.t. anonymity and privacy Internet-Radio, IPTV, Video on Demand etc. support profiling

48 48/48 Remark: Plain old letter post has shown its dangers, but nobody demands full traceability of them … Anonymous plain old letter post is substituted by „surveillanceable“ e-Mails

49 49/48 The massmedia „newspaper“ will be personalised by means of Web, elektronic paper and print on demand

50 Datenschutz für die Cloud? [http://www.apple.com/icloud/]

51 51 Mechanisms to protect traffic data Protection outside the network Public terminals – use is cumbersome Temporally decoupled processing – communications with real time properties Local selection – transmission performance of the network – paying for services with fees Protection inside the network

52 52 Attacker (-model) Questions: How widely distributed ? (stations, lines) observing / modifying ? How much computing capacity ? (computationally unrestricted, computationally restricted)

53 Realistic protection goals/attacker models: Technical solution possible? 53

54 ===T===Gat e===

55 Soziale Netze – Web 2.0

56 56 Attacker (-model) Questions: How widely distributed ? (stations, lines) observing / modifying ? How much computing capacity ? (computationally unrestricted, computationally restricted) Unobservability of an event E For attacker holds for all his observations B: 0 < P(E|B) < 1 perfect: P(E) = P(E|B) Anonymity of an entity Unlinkability of events if necessary: partitioning in classes

57 57 Protection of the recipient: Broadcast Performance?more capable transmission system Addressing (if possible: switch channels) explicit addresses: routing explicit addresses: routing implicit addresses: attribute for the station of the addressee implicit addresses: attribute for the station of the addressee invisible encryption system invisible encryption system visible example:pseudo random number (generator), visible example:pseudo random number (generator), associative memory to detect address distribution public addressprivate address implicit address invisible very costly, but necessary to establish contact costly visibleshould not be usedchange after use A. Pfitzmann, M. Waidner 1985

58 BitMessage (J. Warren, 2012) messaging system based on –broadcast –implicit invisible private addresses python based clients at: bitmessage.org address: Hash(public encryption key, public signature test key) messages: –encrypted using Elliptic Curve Cryptography –digitally signed –additionally: proof of work  Anti-SPAM broadcast of messages: –P2P-based overly structure –store-and-forward like –pull-based 58

59 59 Equivalence of Encryption Systems and Implicit Addressing invisible invisible public address asymmetric encryption system invisible invisible private address symmetric encryption system

60 60 Broadcast vs. Queries broadcast of separate messages to all recipients message 1 message 2 message 3 message 4... message 1 message 2 message 3 message 4... broadcaster message service everybody can query all messages

61 61 Example for message service query vectors message 1 message 2 message 3 message 4 memory cells message service all contain the same messages in equal order 5 servers available, 3 servers used for superposed querying ?x ?x = 1001 ?y ?y = 1100 ?z´ = 0101 ?z bit position corresponds to memory cell response of the message service: !x = message 1 XOR message 4 !y = message 1 XOR message 2 !z = message 2 XOR message 3 XOR message 4 from this follows by local superposition !x XOR !y XOR !z => message 3 (equal to the content of the wanted (*) memory cell) * ?z = 0111 user invert bit of the memory cell of interest pseudo random short 1 3  = pad x XOR pad y XOR message 3 XOR pad z XOR pad x XOR pad y XOR pad z of the pads servers add responses, which are encrypted with (pseudo-) one-time pads 1 3 XOR !z !y !x server, which gets the long query vector, starts circulation generated by servers themselves when starting circulation * 0 query multiple memory cells = pad x XOR pad y XOR message 2 XOR message 3 XOR pad z (equal to the sum of the wanted (**) memory cells) XOR message 2 David A. Cooper, Kenneth P. Birman 1995 Efficiency improvements: A. Pfitzmann 2001

62 S1S2S3 D[1]: 1101101 D[2]: 1100110 D[3]: 0101110 D[4]: 1010101 D[1]: 1101101 D[2]: 1100110 D[3]: 0101110 D[4]: 1010101 D[1]: 1101101 D[2]: 1100110 D[3]: 0101110 D[4]: 1010101 User is interested in D[2]: Index within Request-Vector = 1234 Set Vector = 0100 Chose random Vector (S1) = 1011 Chose random Vector (S2) = 0110 Calculate Vector (S3) = 1001 Calculations: XOR c S1 ( 1011 ) c S2 ( 0110 ) c S3 ( 1001 ) Private Message Service Replicated Database

63 Private Message Service S1S2S3 D[1]: 1101101 D[2]: D[3]: 0101110 D[4]: 1010101 Sum 0010110 D[1]: D[2]: 1100110 D[3]: 0101110 D[4]: Sum 1001000 D[1]: 1101101 D[2]: D[3]: D[4]: 1010101 Sum 0111000 User is interested in D[2]: Index within Request-Vector = 1234 Set Vector = 0100 Chose random Vector (S1) = 1011 Chose random Vector (S2) = 0110 Calculate Vector (S3) = 1001 Server calculates XOR of the requested records S1: 0010110 S2: 1001000 S3: 0111000 Sum is D[2]: 1100110 Answer of Note: Encryption between Server and Client necessary! Replicated Database

64 64 Example for message service query vectors message 1 message 2 message 3 message 4 memory cells message service all contain the same messages in equal order 5 servers available, 3 servers used for superposed querying ?x ?x = 1001 ?y ?y = 1100 ?z´ = 0101 ?z bit position corresponds to memory cell response of the message service: !x = message 1 XOR message 4 !y = message 1 XOR message 2 !z = message 2 XOR message 3 XOR message 4 from this follows by local superposition !x XOR !y XOR !z => message 3 (equal to the content of the wanted (*) memory cell) * ?z = 0111 user invert bit of the memory cell of interest pseudo random short 1 3  = pad x XOR pad y XOR message 3 XOR pad z XOR pad x XOR pad y XOR pad z of the pads servers add responses, which are encrypted with (pseudo-) one-time pads 1 3 XOR !z !y !x server, which gets the long query vector, starts circulation generated by servers themselves when starting circulation * 0 query multiple memory cells = pad x XOR pad y XOR message 2 XOR message 3 XOR pad z (equal to the sum of the wanted (**) memory cells) XOR message 2 David A. Cooper, Kenneth P. Birman 1995 Efficiency improvements: A. Pfitzmann 2001

65 65 “Query and superpose” instead of “broadcast” re-writable memory cell = implicit address re-writing = addition mod 2 (enables to read many cells in one step) channels trivially realizable Purposes of implicit addresses Broadcast: Efficiency (evaluation of implicit address should be faster than processing the whole message) Query and superpose: Medium Access Control; Efficiency (should reduce number of messages to be read) fixed memory cell = visible implicit address implementation: fixed query vectors for servers 0 1 Number of addresses linear in the expense (of superposing). Improvement: Set of re-writable memory cells = implicit address Message m is stored in a set of a memory cells by choosing a–1 values randomly and choosing the value of the a th cell such that the sum of all a cells is m. For overall n memory cells, there are now 2 n –1 usable implicit addresses, but due to overlaps of them, they cannot be used independently. If collisions occur due to overlap, try retransmit after randomly chosen time intervals. Any set of cells as well as any set of sets of cells can be queried in one step.

66 66 Address owner gives each server s a PBG s. Each server s replaces at each time step t the content of its reserved memory cell S Adr with PBG s (t): S Adr := PBG s (t) User queries via MIXes. (possible in one step.) user employs for message. 1 1 Address owner generates and reads using “query and superpose” before and after the writing of messages, calculates difference. Improvement: for all his invisible implicit addresses together: 1 2 (if ≤ 1 msg) Address is in so far invisible, that at each point of time only a very little fraction of all possible combinations of the cells S Adr are readable. hopping between memory cells = invisible implicit address Idea: User who wants to use invisible implicit address at time t reads the values from reserved memory cells at time t-1. These values identify the memory cell to be used at time t. Impl.: s s (t)(t) s s s s (t)(t) s s Invisible implicit addresses using “query and superpose” (1)

67 67 hopping between memory cells = invisible implicit address can be extended to hopping between sets of memory cells = invisible implicit address Invisible implicit addresses using “query and superpose” (2)

68 68 Fault tolerance (and countering modifying attacks) What if server (intentionally) does 1. not respond or 2. delivers wrong response? 1.Submit the same query vector to another server. 2.Messages should be authenticated so the user can check their integrity and thereby detect whether at least one server did deliver a wrong response. If so, use a disjoint set of servers or lay traps by sending the same query vector to many servers and checking their responses by comparison.

69 69 Protection of the sender Dummy messages don’t protect against addressee of meaningful messages make the protection of the recipient more inefficient Unobservability of neighboring lines and stations as well as digital signal regeneration example: RING-network

70 70......................................................... Flow of the message frame around the ring Proof of anonymity for a RING access method attacker station 1 station 2 alternatives: 123... n+1 empty M. 1 M. n M. 2 empty M. 1 empty M. n M. 2 M. 3 M. 1 empty M. 2 M. 3 empty............... time............................... Digital signal regeneration: The analogue characteristics of bits are independent of their true sender. The idea of physical unobservability and digital signal regeneration can be adapted to other topologies, i.e. tree-shaped CATV networks; It reappears in another context in Crowds, GNUnet, etc. A. Pfitzmann 1983 - 1985

71 Ziel: Senderanonymität für Web-Zugriffe Verbindungsverschlüsselung zwischen Teilnehmern HTTP-Anfragen /-Antworten erfolgen unverschlüsselt Nutzer treffen lokal zufällig Weiterleitungsentscheidung Crowds (Reiter, Rubin, 1998) 71

72 GNUnet (gnunet.org, 2001) 72

73 73 Requirement For each possible error, anonymity has to be guaranteed. Problem Anonymity: little global information Fault tolerance: much global information Principles Fault tolerance through weaker anonymity in a single operational mode (anonymity-mode) Fault tolerance through a special operational mode (fault tolerance- mode) Fault tolerance of the RING-network

74 74 Braided RING Two RINGs operating if no faults S i+1 L i  i+1 L i-1  i+1 L i-1  i SiSi S i-1 Reconfiguration of the outer RING if a station fails SiSi S i-1 S i+1 L i-1  i L i-1  i+1 L i  i+1 Reconfiguration of the inner RING if an outer line fails Reconfiguration of the outer RING if an outer and inner line fails Line used Line not used Line used to transmit half of the messages SiSi S i-1 S i+1 L i-1  i L i  i+1 L i-1  i+1 S i+1 SiSi L i-1  i+1 L i  i+1 S i-1

75 75 Modifying attacks modifying attacks at sender anonymity extend the access method recipient anonymity service delivery publish input and output if dispute: reconfiguration covered in RING- network by attacker model

76 76 Superposed sending (DC-network) + + ++........ +........ station 1 M 1 3A781 M 2 00000 M 3 00000 +........ station 2 +........ station 3 K 2  3 67CD3 K 1  2 2DE92 K 1  3 4265B -K 1  2 E327E -K 1  3 CEAB5 -K 2  3 A943D 67EE2 4AE41 99B6E anonymous access = M 1 M 2 M 3 + + User station Pseudo-random bit-stream generator Modulo- 16-Adder Anonymity of the sender If stations are connected by keys the value of which is completely unknown to the attacker, tapping all lines does not give him any information about the sender. D. Chaum 1985 for finite fields A. Pfitzmann 1990 for abelian groups 3A781

77 Dinning Cryptographers 77 [D. Chaum: „Security without identification: transaction systems to make big brother obsolete“, Communications of the ACM, Volume 28, Issue 10, Oct. 1985]

78 Dinning Cryptographers 78 [D. Chaum: „Security without identification: transaction systems to make big brother obsolete“, Communications of the ACM, Volume 28, Issue 10, Oct. 1985]

79 79 DC-Net – Superposed Sending True Message from A 00110101 Key with B 00101011 Key with C 00110110 Sum 00101000 A sends 00101000 Empty Message from B 00000000 Key with A 00101011 Key with C 01101111 Sum 01000100 B sends 01000100 Empty Message from C 00000000 Key with A 00110110 Key with B 01101111 Sum 01011001 C sends 01011001 Sum = True Message from A 00110101 A B C Key Graph Chaum, 1988 Note: In this example “sum” means XOR

80 80 Superposed sending (DC-network) + + ++........ +........ station 1 M 1 3A781 M 2 00000 M 3 00000 +........ station 2 +........ station 3 K 2  3 67CD3 K 1  2 2DE92 K 1  3 4265B -K 1  2 E327E -K 1  3 CEAB5 -K 2  3 A943D 67EE2 4AE41 99B6E anonymous access = M 1 M 2 M 3 + + User station Pseudo-random bit-stream generator Modulo- 16-Adder Anonymity of the sender If stations are connected by keys the value of which is completely unknown to the attacker, tapping all lines does not give him any information about the sender. D. Chaum 1985 for finite fields A. Pfitzmann 1990 for abelian groups 3A781

81 81 Three distinct topologies station 1 station 2 station 3 key topology + superposition topology transmission topology independent of the others dependent on each other

82 82 Reservation scheme 01000 01000 00000 01010 00100 03110 S1S2S3S4S5S1S2S3S4S5 reservation frame message frame T5T5 T4T4 only different to “1” if “+” “ + ”  time ≥ one round- trip delay

83 83 Superposed receiving Whoever knows the sum of n characters and n-1 of these n characters, can calculate the n-th character. pairwise superposed receiving (reservation scheme: n=2) Two stations send simultaneously. Each subtracts their characters from the sum to receive the character sent by the other station. ==> Duplex channel in the bandwidth of a simplex channel global superposed receiving (direct transmission: n≥2 ) Result of a collision is stored, so that if n messages collide, only n-1 have to be sent again. Collision resolution algorithm using the mean of messages: ≤ 2 S –1 stationaddition mod 2 L SS-1 0... 0message0... 01 L counter overflow area for addition of messages overflow area for addition of counters

84 84 XY X+Y S1S1 S2S2 S 1 (X+Y)-X = Y S 2 (X+Y)-Y = X without superposed receiving with pairwise superposed receiving Pairwise superposed receiving

85 85 71 151 41 11 51 41 11 51 11 41 51 41 51 71 1 71 1 S1S2S3S4S5S1S2S3S4S5 325 103 11 4151 71151 Collision resolution algorithm with mean calculation and superposed receiving  Global superposed receiving = 6 = 3 = 4 = 11    92 222 ≥ one round- trip delay

86 86 71 151 41 11 41 41 11 41 11 41 41 4141 41 71 1 71 1 S1S2S3S4S5S1S2S3S4S5 315 93 11 8241 71151 Collision resolution algorithm with mean calculation and superposed receiving  Global superposed receiving (2 messages equal) = 6 = 3 = 4 = 11    82 222 14 ≥ one round- trip delay 41

87 87 Superposition topology for minimal delay = 1 1 1 1 1 1 1 m m log 2 m 1 tree of XOR gates to superpose the output of the user stations tree of repeaters to amplify the output to the user stations

88 88 & add carry full adder information unit key... 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 L L local superposition mod 2 L & add carry full adder information unit key... 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 L L local superposition mod 2 L... 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 L & add carry full adder L binary transmissionglobal superposition mod 2 L global superposition result Suitable coding for superposed sending... 1 11 0 1 1 1 11 0 1 1 1 11 0 1 1 local superposition result

89 89 + + + + 01100110 01 01 01100110 01100110 01100110 01 0101 + 0101 KMKM M1KM1K -K K + M = C  M = C - K abelian group M 1 + K = O 1 M 2 - K = O 2 Analogy between Vernam cipher and superposed sending Vernam cipher

90 90 Proposition: If stations S i are connected by uniform randomly distributed keys K j which are unknown to the attacker, by observing all the O i, the attacker only finds out about the M i. Proof: m=1, trivial step m-1  m Proof of sender anonymity: proposition and start of induction

91 91 K O m = M m + K SmSm.......... S1S1 S2S2 SLSL S m-1 O L = M L – K +... minimal connectedness: only connected by one key Attacker observes O 1, O 2,...O m. For each combination of messages M ' 1, M ' 2,... M ' m with O i there is exactly one compatible combination of keys : K ' := O m -M ' m The other keys are defined as in the induction assumption, where the output of S L is taken as O L + K '. Proof of sender anonymity: induction step

92 92 Information-theoretic anonymity in spite of modifying attacks Problems: 1)The attacker sends messages only to some users. If he gets an answer, the addressee was among these users. 2)To be able to punish a modifying attack at service delivery, corrupted messages have to be investigated. But this may not apply to meaningful messages of users truthful to the protocol.

93 93 DC + -net to protect the recipient even against modifying attacks: if broadcast error then uniformly distributed modification of keys If K ij is revealed, one will start with C i,..., C i. If disput then stop revealing. If revealed, distribute new,...,. t-s t t-1 s key between station i and j at time t at station i at time t broadcast character ( skew-) field K ij = k t CiCi k=1 For practical reasons: Each station has to send within each s successive points in time a random message and observe, whether the broadcast is “correct“. k=t-s

94 94 Let t-s be the first point in time where V i V j. t-s K ij - K ji...... t+1-s t+2-s tt C i - C j t-s t+1-s t-1. = C i - C j t-s C i - C j t-2......... C i - C j t-s s.........

95 95 Modifying attacks Modifying attacks at sender anonymity recipient anonymity service delivery attacker sends message character ≠ 0, if the others send their message character as well  no transmission of meaningful information To be able to punish a modifying attack at service delivery, corrupted messages have to be investigated. But this may not apply to meaningful messages of users truthful to the protocol.

96 96 Protection of the sender: anonymous trap protocol 1 2... 2n reservation blobscollision free messages n number of users frame length s Each user can cause investigating the reservation blobs directly after their sending if the sending of his reservation blobs did not work. Each user can authorize investigating of his “collision-free” random message, by opening the corresponding reservation blob.

97 97 Blob := committing to 0 or 1, without revealing the value committed to 1)The user committing the value must not be able to change it, but he must be able to reveal it. 1? s Z* p randomly chosen (so user cannot compute e such that s   e ) x := s b mod p with 0 ≤ y ≤ p-2 commit open 2)The others should not get any information about the value. 2? Let 2 u be the smallest number that does not divide p -1 y := y 1, b, y 2 with 0 ≤ y ≤ p-2 and |y 2 | = u -1 x := mod p commit open In a “digital” world you can get exactly one property without assumptions, the other then requires a complexity-theoretic assumption. x y Example: Given a prime number p and the prime factors of p -1, as well as a generator of Z* p (multiplicative group mod p). Using y everybody can calculate mod p. The inverse can not be done efficiently! x y 

98 98 Blobs based on factoring assumption 1?2? prover verifier prover verifier n := p q s := t 2 mod n n, s s  QR n x:= y 2 s b mod n commit x open y x:= y 2 s b mod n x y n, s n=p q, s  QR n n := p q s,  QR n ( ) =1 snsn

99 99 Blobs based on asymmetric encryption system 2? encrypt b with asymmetric encryption system (recall: public encryption key and ciphertext together uniquely determine the plaintext) has to be probabilistic – otherwise trying all possible values is easy communicating the random number used to probabilistically encrypt b means opening the blob computationally unrestricted attackers can calculate b (since they can break any asymmetric encryption system anyway)

100 100 Checking the behavior of the stations To check a station it has to be known: All keys with others The output of the station All the global superposing results received by the station At what time the station may send message characters according to the access protocol (Can be determined using the global superposition results of the last rounds; These results can be calculated using the outputs of all stations.) known = known to all stations truthful to the protocol calculated message characters compare

101 101 Modifying attacks in the reservation phase Collisions in the reservation phase cannot be avoided completely therefore they must not be treated as attack Problem: Attacker A could await the output of the users truthful to the protocol and than A could choose his own message so that a collision is generated. Solution: Each station 1. defines its output using a Blob at first, then 2. awaits the Blobs of all other stations, and finally 3. reveals its own Blob’s content.

102 102 Fault tolerance: 2 modes of operation A-mode anonymous transmission of messages using superposed sending F-mode sender and recipient are not protected fault detection fault localization taking defective components out of operation error recovery of the PRGs, initialization of the access protocol

103 103... of a fault of station 5 widest possible spread of a fault of station 3 station 2 station 1 station 3 station 4 station 5 station 6 station 7 station 8 station 9 station 10 DC- network 1 DC- network 2 DC- network 3 DC- network 4 write and read access to the DC-network read access to the DC-network DC- network 5 Fault tolerance: sender-partitioned DC-network

104 104 Protection of the communication relation: MIX-network MIX 1 batches, discards repeats, MIX 2 batches, discards repeats, D.Chaum 1981 for electronic mail c 1 (z 4,c 2 (z 1,M 1 )) c 1 (z 5,c 2 (z 2,M 2 ))c 1 (z 6,c 2 (z 3,M 3 )) c 2 (z 3,M 3 ) c 2 (z 1,M 1 )c 2 (z 2,M 2 ) M2M2 M3M3 M1M1 d 1 (c 1 (z i,M i )) = (z i,M i ) d 2 (c 2 (z i,M i )) = (z i,M i )

105 105/42 The Mix protocol Idea: Provide unlinkability between incoming and outgoing messages Mix 1Mix 2 A Mix collects messages, changes their coding and forwards them in a different order. If all Mixes work together, they can reveal the way of a given messages.

106 106 Protection of the communication relation: MIX-network MIX 1 batches, discards repeats, MIX 2 batches, discards repeats, D.Chaum 1981 for electronic mail c 1 (z 4,c 2 (z 1,M 1 )) c 1 (z 5,c 2 (z 2,M 2 ))c 1 (z 6,c 2 (z 3,M 3 )) c 2 (z 3,M 3 ) c 2 (z 1,M 1 )c 2 (z 2,M 2 ) M2M2 M3M3 M1M1 d 1 (c 1 (z i,M i )) = (z i,M i ) d 2 (c 2 (z i,M i )) = (z i,M i )

107 107 Basic functions of a MIX discard repeats sufficiently many messages from sufficiently many senders? If needed: insert dummy messages re-encrypt (decrypt or encrypt) change order buffer current input batch output messages MIX input messages all input messages which were or will be re-encrypted using the same key min max 1 HDD access 10 ms 50 ms do nothing test 0 ms dig. sig. 100 ms asym. encr. special HW SW 1 ms 100 ms 1 ns 10 s 11,000001 250,01 ms µ

108 108 Properties of MIXes MIXes should be designed independently produced operated maintained... Messages of the same length buffer re-encrypt change order batch-wise Each message processed only once! inside each batch between the batches sym. encryption system only for first last MIX asym. encryption system required for MIXes in the middle

109 109 Possibilities and limits of re-encryption Aim: (without dummy traffic) Communication relation can be revealed only by: all other senders and recipients together or all MIXes together which were passed through against the will of the sender or the recipient. Conclusions: 1.Re-encryption: never decryption directly after encryption Reason: to decrypt the encryption the corresponding key is needed;  before and after the encoding of the message it is the same  re-encryption is irrelevant 2.Maximal protection: MIXes are passed through simultaneously and therefore in the same order

110 110 Maximal protection Pass through MIXes in the same order MIX 1 MIX i MIX n............

111 111 Re-encryption scheme for sender anonymity c5c5 c4c4 c3c3 c2c2 c1c1 MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 S d1d1 d5d5 d4d4 d3d3 d2d2 cRcR dRdR encryption transfer decryption direct re-encryption scheme for sender anonymity R... MIX n MIX n+1 M n+1... M n M n+1 = c n+1 (M) M i = c i (z i, A i+1, M i+1 ) for i = n,..,1 k1k1 k2k2 k3k3 k4k4 k5k5 k1k1 k2k2 k 3 k4k4 k5k5 in M i = c i (k i, A i+1 ); k i (M i+1 )

112 112 Indirect re-encryption scheme for recipient anonymity MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 S R unobservable transfer c 5 k 5 c 4 k 4 c 3 k 3 c 2 k 2 c 1 k 1 c s k s d 4 k 4 d s k s d 5 k 5 ksk1k2k3k4k5ksk1k2k3k4k5 d 2 k 2 d 3 k 3 d 1 k 1 1 5 3 4 2 6 8 7 9 3 4 5 6 7 8 encryption observable transfer decryption message header message content MIX 0 MIX m MIX m+1 H m+1 = e H j = c j (k j, A j+1, H j+1 ) for j = m,..,0 H6H6 H5H5 H4H4 H3H3 H2H2 H1H1 I1I1 I2I2 I4I4 I3I3 I5I5 I6I6 I H I 1 = k 0 (I) I j = k j-1 (I j-1 ) for j = 2,.., m+1 ksks k1k1 k2k2 k3k3 k4k4 k5k5

113 113 Indirect re-encryption scheme for sender and recipient anonymity MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 S R unobservable transfer c5 k5c4 k4cs ksc5 k5c4 k4cs ks d 4 k 4 ds ksds ks d 5 k 5 ksk4k5ksk4k5 d 2 k 2 d 3 k 3 d 1 k 1 1 5 3 4 6 8 7 9 7 8 encryption observable transfer decryption message header message content k4k4 k5k5 c 3 k 3 c 2 k 2 c 1 k 1 ksk3k2k1ksk3k2k1 k2k2 k3k3 k1k1 4 6 5 3 for sender anonymityfor recipient anonymity 2

114 114 Indirect re-encryption scheme for sender and recipient anonymity MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 S R unobservable transfer c5 k5c4 k4cs ksc5 k5c4 k4cs ks d 4 k 4 ds ksds ks d 5 k 5 ksk4k5ksk4k5 d 2 k 2 d 3 k 3 d 1 k 1 1 5 3 4 6 8 7 9 7 8 encryption observable transfer decryption message header message content k4k4 k5k5 c 3 k 3 c 2 k 2 c 1 k 1 ksk3k2k1ksk3k2k1 k2k2 k3k3 k1k1 4 6 5 3 for sender anonymityfor recipient anonymity 2 3 rd party, to hold the anonymous return addresses for anonymous query delivery using sender anonymity scheme pickup using recipient anonymity scheme, initiated using sender anonymity scheme

115 115 Indirect re-encryption scheme maintaining message length 123 m+2-jm+3-jm+4-j m+1m+2m+3 b... HjHj k j (H j+1 ) blocks with message contents blocks with random contents 12m+1-j m+2-jmm+1m+2m+3 b... H j+1 k j+1 (H j+2 ) blocks with message contents blocks with random contents m+3-j ZjZj Z j-1 re-encrypt with k j k j, A j+1 MjMj M j+1 decrypt with d j decrypt encrypt or decrypt in k j encoded H m+1 = [e] H j = [c j (k j, A j+1 )], k j (H j+1 ) for j = m,..,1

116 116 Indirect re-encryption scheme maintaining message length for special symmetric encryption systems 123 m+2-jm+3-jm+4-j b+1-jb+2-jb+3-j b... HjHj k j (H j+1 ) blocks with message contents blocks with random contents 12m+1-j m+2-jb-jb+1-jb+2-jb-1 b... H j+1 k j+1 (H j+2 ) blocks with message contents blocks with random contents m+3-j ZjZj Z j-1 re-encrypt with k j k j, A j+1 MjMj M j+1 decrypt with d j if k -1 (k(M)) = M and k(k -1 (M)) = M

117 117 Minimally message expanding re-encryption scheme maintaining message length 1 b j b 1 n j bb j -n j ZjZj IjIj random contents k j, A j+1, C j H j+1 re-encrypt with k j MjMj M j+1 decrypt with d j if k -1 (k(M)) = M and k(k -1 (M)) = M message contents HjHj

118 118 Breaking the direct RSA-implementation of MIXes (1) Implementation of MIXes using RSA without redundancy predicate and with contiguous bit strings (David Chaum, 1981) is insecure: (z,M) c MIX ((x,y) ) cd = x,y (mod n) outputs y |z|=b |M|=B M attacker multiplies M with factor f and compares attacker observes, chooses factor f and generates (z,M) f c c  M f Unlinkability, if many factors f are possible. 2 b 2 B ≤ n-1 hold always and normally b << B. If the random bit strings are the most significant bits, it holds (z,M) = z2 B +M and (z,M)f  (z2 B + M)f  z2 Bf + Mf.............

119 119 Breaking the direct RSA-implementation of MIXes (2) Let the identifiers z‘ and M‘ be defined by (z,M)f  z‘2 B + M‘  z2 Bf + Mf  z‘2 B + M‘  2 B (zf - z‘)  M‘ - Mf  zf - z‘  (M‘ - Mf) (2 B ) -1 (1) If the attacker chooses f ≤ 2 b, it holds –2 b < zf - z‘ < 2 2b (2) The attacker replaces in (1) M and M ‘ by all output-message pairs of the batch and tests (2). (2) holds, if b< { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/14/4222771/slides/slide_119.jpg", "name": "119 Breaking the direct RSA-implementation of MIXes (2) Let the identifiers z‘ and M‘ be defined by (z,M)f  z‘2 B + M‘  z2 Bf + Mf  z‘2 B + M‘  2 B (zf - z‘)  M‘ - Mf  zf - z‘  (M‘ - Mf) (2 B ) -1 (1) If the attacker chooses f ≤ 2 b, it holds –2 b < zf - z‘ < 2 2b (2) The attacker replaces in (1) M and M ‘ by all output-message pairs of the batch and tests (2).", "description": "(2) holds, if b<

120 120 Fault tolerance in MIX-networks (1) MIX 6 MIX 7 MIX 8 MIX 9 MIX 10 MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 MIX 11 MIX 12 MIX 13 MIX 14 MIX 15 SR 2 alternative routes via disjoint MIXes SR MIX i‘ or MIX i‘‘ can substitute MIX i MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 MIX 5‘ MIX 1‘ MIX 2‘ MIX 3‘ MIX 4‘ MIX 5‘‘ MIX 1‘‘ MIX 2‘‘ MIX 3‘‘ MIX 4‘‘ coordination protocol

121 121 Fault tolerance in MIX-networks (2) MIX 1 MIX 2 MIX 3 MIX 4 MIX 5 S R d 4 k 4 d 5 k 5 d 2 k 2 d 3 k 3 d 1 k 1 c 5 k 5 c 4 k 4 c 3 k 3 c 2 k 2 c 1 k 1 cEcE coordination protocol dEdE k2k2 k3k3 k5k5 k4k4 In each step, one MIX can be skipped encryption transfer decryption

122 122 Complexity of the basic methods unobservability of neighboring lines and stations as well as digital signal regeneration RING-network DC-networkMIX-network attacker model physically limited computationally restricted w.r.t. service delivery computationally restricted cryptographically strong well analyzed computationally restricted not even well analyzed asymmetric encryption systems are known which are secure against adaptive active attacks expense per user O(n) (  ) transmission O(n) (  ) transmission O(kn) key O(k), practically: ≈ 1 transmission on the last mile... in the core network O(k 2 ), practically: ≈ k n2n2 n2n2 n = number of users k = connectedness key graph of DC-networks respectively number of MIXes

123 123 Encryption in layer models In the OSI model it holds: Layer n doesn’t have to look at Data Units (DUs) of layer n+1 to perform its service. So layer n+1 can deliver (n+1)-DUs encrypted to layer n. For packet-oriented services, the layer n typically furnishes the (n+1)-DUs with a n-header and possibly with an n- trailer, too, and delivers this as n-DU to layer n-1. This can also be done encrypted again. and so on. All encryptions are independent with respect to both the encryption systems and the keys. layer n+1 layer n layer n-1 (n+1)-DU n-DU (n-1)-DU n-header n- trailer encryption

124 124 Arranging it into the OSI layers (1) OSI layers 7 application 6 presentation 5 session 4 transport 3 network 2 data link 1 physical 0 medium end-to-end encryption link encryption end-to-end encryption link encryption user station exchange

125 125 Arranging it into the OSI layers (2) query and superpose addressing implicit query addressing channel selection ring 0 medium digital signal regeneration superpose keys and messages 1 physical anonymous access 2 data link buffer and re-encrypt broad- cast 3 network implicit 4 transport 5 session 6 presentation 7 application RING- network DC-networkMIX-networkbroadcastOSI layers has to preserve anonymity against the communication partner has to preserve anonymity end-to-end encryption realizable without consideration of anonymity

126 126 Problems: series systems w.r.t. availability maintain the anonymity of „honest“ users There are adequate extensions. Tolerating errors and active attacks

127 127 Network extension by stages long distance network with MIXes for some services +... MIX cascade local exchange (LE) broadband cable network... efficiency  hierarchical communication networks user station

128 128 Solution for the ISDN: telephone MIXes Aims: ISDN services on ISDN transmission system 2 independent 64-kbit/s duplex channels on a 144-kbit/s subscriber line hardly any additional delay on established channels establish a channel within 3 s no additional traffic on the long distance network Network structure MIX 1 MIX m RG local exchange LE(R) local exchange LE(G) long distance network 64+64+16=144 kbit/s duplex network termination legacy LE

129 129 Solution for the ISDN: telephone MIXes (1989) Aims: ISDN services on ISDN transmission system 2 independent 64-kbit/s duplex channels on a 144-kbit/s subscriber line hardly any additional delay on established channels establish a channel within 3 s no additional traffic on the long distance network Network structure MIX 1 MIX m MIX‘ m’ MIX‘ 1 RG local exchange LE(R) local exchange LE(G) long distance network 64+64+16=144 kbit/s duplex network termination

130 130 Time-slice channels (1) station Rstation GMIXes(R)MIXes(G)LE(R)LE(G) TS-setup: x TR-setup: x S0S0 TS-setup: y TR-setup: y TS-setup: PBG(sG,1) TR-setup: PBG(sR,1) S1S1 TS-setup: PBG(sR,1) TR-setup: PBG(sG,1) y TR TS call request: c G (k, sR, and sG) x query and superpose instead of broadcast TR TS

131 131 Time-slice channels (2) PBG(sG,2) PBG(sR,2) k(data) S2S2 PBG(sG,1) PBG(sR,1) k(dial tone, data) TS-setup: PBG(sG,2) TR-setup: PBG(sR,2) TS-setup: PBG(sR,2) TR-setup: PBG(sG,2) S3S3 This setup of receiving channels is a very flexible scheme for recipient anonymity.

132 132 Connection configuration later (1) station Rstation GMIXes(R)MIXes(G)LE(R)LE(G) TS-setup: x TR-setup: x S0S0 TS-setup: PBG(sP,0) TR-setup: PBG(sQ,0) TS-setup: PBG(sG,1) TR-setup: PBG(sR,1) S1S1 TS-setup: PBG(sP,1) TR-setup: PBG(sQ,1) from P to P PBG(sQ,0) TR TS call request: c G (k, sR, and sG) x TS TR

133 133 Connection configuration later (2) TS-setup: PBG(sG,2) TR-setup: PBG(sR,2) S2S2 TS-setup: PBG(sP,2) TR-setup: PBG(sQ,2) from P to P PBG(sQ,1) PBG(sR,1) throw away replace StSt PBG(sG,t-1) PBG(sR,t-1) TS-setup: PBG(sG,t-1) TR-setup: PBG(sR,t-1) S t-1 TS-setup: PBG(sR,t-1) TR-setup: PBG(sG,t-1) k(dial tone, data)

134 134 Query and superpose to receive the call requests station Rstation GMIXes(R)MIXes(G)LE(R)LE(G) call request: c G (k, sR, and sG) query and superpose instead of broadcast Query and superpose: Each station has to query in each time slice (else the anonymity set degenerates) Each station should inquiry all its implicit addresses at each query. (possible both for visible and invisible addresses without additional expense) –> The size of the anonymity set is no longer limited by the transmission capacity on the user line, but only by the addition performance of the message servers.

135 135 Radio networks (1) Difference to wired networks Bandwidth of transmission remains scarce The current place of the user is also to be protected Assumptions Mobile user station is always identifiable and locatable if the station sends. Mobile user station is not identifiable and locatable if the station only (passively) receives. Which measures are applicable? + end-to-end encryption + link encryption -dummy messages, unobservability of neighboring lines and stations as well digital signal regeneration, superposed sending  all measures to protect traffic data and data on interests have to be handled in the wired part of the communication network not commend- able not applic- able

136 136 Radio networks (2) + MIXes if the coding in the radio network is different or computing power for encryption is missing MIXes user V user U LE + Broadcast the call request in the whole radio network, only then the mobile station answers. After this the transmission proceeds in one radio cell only. + Filter + Generation of visible implicit addresses + Restrict the region + Keep the user and SIM anonymous towards the mobile station used. 1 2 3 4 5 6 7 8 user U

137 137 No movement profiles in radio networks GSM/UMTS – cellular mobile networks roaming information in central data bases operators of the network can record the information VLR1 net....... BVLR1 C DVLR2... data base HLR 3 1 2 4 A B 5 Maintenance of the roaming information in a domain of trust - at home (HPC) - at trustworthy organizations Protection of the communication relationship using MIXes MIXes 5 net B 8 3 2 7 6 1 4 Alternative concept

138 138 Operatorship of the network components user station terminal equipment network termination all functions important for the service quality of others needed domain of trust of the user: no Trojan horse needed domain of trust of the network operator: correct realization MIXes, Servers:technically easier; organizationally w.r.t. confidence more problematic MIX, Server Superposed sending: technically more expensive; organizationally easier transmission and access protocol key generation and superposition, access protocol transmission wish End-to-end encryption Implicit addressing MIXes Message service Problems here are easier than at switching centers: 1. Network terminations are less complex 2. … cannot be changed quickly (hardware, no remote maintenance) RING-network Superposed sending

139 139 Conclusions & Outlook (1) Using the network transactions between anonymous partners explicit proof of identity is possible at any time Protection of traffic data and data on interests requires appropriate network structure keep options consider early enough Networks offering anonymity can be operated in a “trace users mode” without huge losses in performance, the converse is not true!

140 140 Conclusions & Outlook (2) Trustworthy data protection in general or only at individual payment for interested persons? Concerning traffic data, the latter is technically inefficient. The latter has the contrary effect (suspicion). Everyone should be able to afford fundamental rights!

141 141 Electronic Banking Motivation Banking using paper forms – premium version Customer gets the completely personalized forms from the bank in which only the value has to be filled in. No signature! Electronic banking – usual version Customer gets card and PIN, TAN from his/her bank. http://www.cl.cam.ac.uk/research/security/banking/ Upcoming / Current Customer gets chip card from Bank with key for MAC key pair for digital signature Map exercise of US secret services: observe the citizens of the USSR (1971, Foy 75) Main part (Everything a little bit more precise) Payment system is secure... MAC, digital signature payment system using digital signatures Pseudonyms (person identifier  role-relationship pseudonyms) or

142 142 Security properties of digital payment systems Payment system is secure if user can transfer the rights received, user can loose a right only if he is willing to, if a user who is willing to pay uniquely denotes another user as recipient, only this entity receives the right, user can prove transfers of rights to a third party if necessary (receipt problem), and the users cannot increase their rights even if they collaborate. (integrity, availability) digital via communication network immaterial, digital Problem: messages can be copied perfectly Solution: witness accepts only the first (copy of a) message, without the committer being identified.

143 143 person pseudonyms role pseudonyms public person pseudonym non-public person pseudonym anonymous- person pseudonym business- relationship pseudonym transaction pseudonym A n o n y m i t y Scalability concerning the protection Pseudonyms phone number account number biometric, DNA (as long as no register) pen name one-time password examples

144 144 Pseudonyms: Linkability in detail Distinction between: 1. Initial linking between the pseudonym and its holder 2. Linkability due to the use of the pseudonym across different contexts

145 145 Pseudonyms: Initial linking to holder Public pseudonym: The linking between pseudonym and its holder may be publicly known from the very beginning. Initially non-public pseudonym: The linking between pseudonym and its holder may be known by certain parties (trustees for identity), but is not public at least initially. Initially unlinked pseudonym: The linking between pseudonym and its holder is – at least initially – not known to anybody (except the holder). Phone number with its owner listed in public directories Bank account with bank as trustee for identity, Credit card number... Biometric characteristics; DNA (as long as no registers)

146 146 Pseudonyms: Use across different contexts => partial order A  B stands for “B enables stronger unlinkability than A” number of an identity card, social security number, bank account pen name, employee identity card number customer number contract number one-time password, TAN, one-time use public-key pair

147 147 Notations: transfer of a signed message from X to Y signing the message M: sA(M)sA(M) test the signature: t A (M, s A (M)) ? X M, s A (M) Y ¬  ¬  docu- ment M pApA sender X recipient Y functional notation graphical notation

148 148 Authenticated anonymous declarations between business partners that can be de-anonymized ¬  trusted third party A trusted third party B identification user X user Y ¬  confirmation know document pApA pG(X,g)pG(X,g)   pG(X,g)pG(X,g) identification Generalization: X  B 1  B 2 ...  B n  Y B‘ 1  B‘ 2 ...  B‘ m error / attack tolerance (cf. MIXes) pG‘(Y,g)pG‘(Y,g) confirmation know document pG‘(Y,g)pG‘(Y,g) pG‘(Y,g)pG‘(Y,g) pG(X,g)pG(X,g) pBpB for

149 149 Authenticated anonymous declarations between business partners that can be de-anonymized ¬  trusted third party A trusted third party B identification user X user Y ¬  confirmation know document pApA pG(X,g)pG(X,g)   pG(X,g)pG(X,g) identification Generalization: X  B 1  B 2 ...  B n  Y B‘ 1  B‘ 2 ...  B‘ m error / attack tolerance (cf. MIXes) pG‘(Y,g)pG‘(Y,g) confirmation know document pG‘(Y,g)pG‘(Y,g) pG‘(Y,g)pG‘(Y,g) pG(X,g)pG(X,g) pBpB for trustees for identities

150 150 Security for completely anonymous business partners using active trustee who can check the goods  trustee T pTpT [ 2 ] ¬  customer Xmerchant Y ¬  [ 5 ] [ 3 ] pL(Y,g)pL(Y,g) [ 4 ] [ 1 ] pTpT pTpT delivery to trustee delivery to customer order merchant is „money“ for merchant pL(Y,g)+pL(Y,g)+ money pK(X,g)pK(X,g) order of the customer (money is deposited) checked by T

151 151 Security for completely anonymous business partners using active trustee who can not check the goods  trustee T pTpT [ 2 ] ¬  customer Xmerchant Y ¬  [ 5 ] [ 3 ] pL(Y,g)pL(Y,g) [ 4 ] [ 1 ] pTpT pTpT delivery to trustee delivery to customer order delivery is „money“ for distributor pL(Y,g)+pL(Y,g)+ money pK(X,g)pK(X,g) order of the customer (money is deposited) checked by T [4.1] wait

152 152 Security for completely anonymous business partners using active trustee who can (not) check the goods trustee for values  trustee T pTpT [ 2 ] ¬  customer Xmerchant Y ¬  [ 5 ] [ 3 ] pL(Y,g)pL(Y,g) [ 4 ] [ 1 ] pTpT pTpT delivery to trustee delivery to customer order delivery is „money“ for distributor pL(Y,g)+pL(Y,g)+ money pK(X,g)pK(X,g) order of the customer (money is deposited) checked by T ([4.1] wait)

153 153 Anonymously transferable standard values current owner: digital pseudonym value number: v n 10 $ digital pseudonym 3, transfer order 3 digital pseudonym 2, transfer order 2 digital pseudonym 1, transfer order 1 former owners..... Anonymously transferable standard value

154 Key feature: Bitcoin transfer between pseudonyms (Bitcoin addresses) Bitcoin pseudonym ≡ public key of ECDSA Sender signs transfer Double spending protection: –Bitcoin network keeps history of all transactions –Transactions have timestamps  only oldest is valid Bitcoin network works as “distributed time server” –Binding of transaction and timestamp: „proof-of-work“: search for z: Hash(Transaction, Timestamp, z) = 00000… (0|1)* < w w adjusted over timer https://www.blockchain.info Bitcoin – a decentral payment system 154 [Satoshi Nakamoto: Bitcoin: A Peer-to-Peer Electronic Cash System. 2008]

155 155 Basic scheme of a secure and anonymous digital payment system pBpB [ 3 ] ¬  payer Xrecipient Y ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer choice of pseudonyms p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) authentication by the witness p E B (Y,t) owns the right, got from p Z B (X,t) p Z (X,t) p E (Y,t) PEBPEB PEPE PZPZ PZBPZB have transferred the right to p E (Y,t). have got the right from p Z (X,t). authentication of ownership p Z B (X,t) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) transfer the right to p E B (Y,t) [ 5 ]  witness B

156 156 Transformation of the authentication by the witness  witness B ¬  payer Xrecipient Y ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) p Z (X,t) p E (Y,t) authentication of ownership p Z B (X,t) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) [ 5 ] p E (Y,t) [ 6 ] pBpB have transferred the right to p E (Y,t). transfer the right to p E B (Y,t) have got the right from p Z (X,t). choice of pseudonyms p Z B (Y,t+1) owns the right pBpB [ 3 ] authentication by the witness p E B (Y,t) owns the right, got from p Z B (X,t) pBpB p E B (Y,t) p Z B (X,t) [ 3 ]

157 157 Transformation of the authentication by the witness: Simplified Steps  witness B ¬  recipient Zpayer Y ¬  [ 1 ] pBpB EUR 10 [ 3 ] pBpB EUR 10 [ 4 ] pBpB EUR 10 [ 2 ] pBpB EUR 10 [ 0 ] EUR 10

158 158 Transformation of the authentication by the witness  witness B ¬  payer Xrecipient Y ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) p Z (X,t) p E (Y,t) authentication of ownership p Z B (X,t) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) [ 5 ] p E (Y,t) [ 6 ] pBpB have transferred the right to p E (Y,t). transfer the right to p E B (Y,t) have got the right from p Z (X,t). choice of pseudonyms p Z B (Y,t+1) owns the right pBpB [ 3 ] authentication by the witness p E B (Y,t) owns the right, got from p Z B (X,t) [1] [ 3 ] pBpB EUR 10

159 159 The next round: Y in the role payer to recipient Z  witness B ¬  payer Yrecipient Z ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer p E (Z,t+1)  p E B (Z,t+1) p Z (Y,t+1)  p Z B (Y,t+1) p Z (Y,t+1) p E (Z,t+1) [ 5 ] p E (Z,t+1) [ 0 ] pBpB have transferred the right to p E (Z,t+1). have got the right from p Z (Y,t+1). [ 2 new ] p Z B (Y,t+1) p E B (Z,t+1) authentication of ownership p Z B (Y,t+1) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) transfer the right to p E B (Y,t) choice of pseudonyms p Z B (Y,t+1) owns the right pBpB [ 3 ] authentication by the witness p E B (Z,t+1) owns the right, got from p Z B (Y,t+1)

160 160 Signature system for signing blindly key generation z‘(x) blinded text key for testing of signature, publicly known t s random number text x key for signing, kept secret blind z‘(x), s(z‘(x)) blinded text with signature signing text with signature and test result “pass” or “fail” unblind and test z‘z‘ random number‘ x, s(x),

161 161 RSA as digital signature system with collision-resistant hash function h key generation: p,q prime numbers n := pq t with gcd(t, (p-1)(q-1)) = 1 s  t -1 mod (p-1)(q-1) x, (h(x)) s mod n key for testing of signature, publicly known t, n s, n random number x, (h(x)) s mod n, “pass” or “fail” key for signing, kept secret h(1. comp.)  (2. comp.) t mod n ? signing: (h()) s mod n text with signature and test result x text text with signature test: l security parameter

162 162 One time convertible authentication Recipient choose pseudonym p (test key of arbitrary sign. system) Collision-resistant hash function h p,h(p) choose r  R Z n * (p,h(p))r t (p,h(p)) sr multiply with r -1 get (p,h(p)) s Issuer (i.e. witness) RSA test key t,n, publicly known ((p,h(p))r t ) s

163 163 Secure device: 1 st possibility  witness B as secure device pBpB [ 3 ] ¬  payer Xrecipient Y ¬ [ 4 ] [ 1 ] authentication for the recipient receipt for the payer choice of pseudonyms p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) authentication by the witness have got the right from p Z (X,t). p E B (Y,t) owns the right, got from p Z B (X,t) p Z (X,t) p E (Y,t) [ 5 ] p E (Y,t)  have transferred the right to p E (Y,t). authentication of ownership p Z B (X,t) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) transfer the right to p E B (Y,t)

164 164  Secure device: 2 nd possibility witness B pBpB [ 3 ] ¬  payer Xrecipient Y ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer choice of pseudonyms p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) authentication by the witness have got the right from p Z (X,t). p E B (Y,t) owns the right, got from p Z B (X,t) p Z (X,t) p E (Y,t) authentication of ownership p Z B (X,t) owns the right pBpB [ 2 ] transfer order of the payer p Z B (X,t) [ 5 ] p E (Y,t) transfer the right to p E B (Y,t) sym. encryption system suffices have transferred the right to p E (Y,t).

165 165 Secure and anonymous digit. payment system with accounts  witness B pBpB [ 3 ] ¬  payer X recipient Y ¬  [ 4 ] [ 1 ] authentication for the recipient receipt for the payer choice of pseudonyms p E (Y,t)  p E B (Y,t) p Z (X,t)  p Z B (X,t) authentication by the witness p Z (X,t) p E (Y,t) p Z B (X,t) owns the right pBpB p Z B (X,t) p E (Y,t) have transferred the right to p E (Y,t). have got the right from p Z (X,t). [ 5 ] transfer the right to p E B (Y,t) p E B (Y,t) owns the right, got from p Z B (X,t) [ 2 ] transfer order of the payer authentication of ownership [1.2] [7] [8] p E B (Y,t) p in (Y,t) [6] p K (Y) p in (Y,t) [1.1] [1.3] p K (X) p out (X,t) p Z B (X,t) with accounts

166 166 Offline payment system Payment systems with security by Deanonymizability ksecurity parameter Iidentity of the entity giving out the banknote r i randomly chosen (1  i  k) Ccommitment scheme with information theoretic secrecy blindly signed banknote: s Bank (C(r 1 ), C(r 1  I ), C(r 2 ), C(r 2  I ),..., C(r k ), C(r k  I )), recipient decides, whether he wants to get revealed r i or r i  I. (one-time pad preserves anonymity.) Hand-over to two honest recipients: probability ( i : bank gets to know r i and r i  i ) ≥ 1-e -ck (original owner identifiable)

167 167 Outlook legal certainty vs. liability online / offline debit = pre-paid / pay-now / credit only special software or hardware, too ? universal means of payment or multifaceted bonus systems ? one or multiple currencies ? one or multiple systems ?

168 168 Personal identifier 845 authorizes A: ___ A notifies 845: ___ 845 pays B € B certifies 845: ___ C pays 845 €

169 169 Role pseudonyms (business-relationship and transaction pseudonyms) 762 authorizes A: __ A notifies 762: ___ 451 pays B € B certifies 451: ___ B certifies 314: ___ C pays 314 €

170 Herkömmliche Umsetzung: eine Identität pro Nutzer Identitätsmanagement Alter Führerschein Name Adresse Telefonnummer Steuerklasse Kontonummer E-Mail Wesentliches Problem: Verkettbarkeit von Datensätzen

171 171  Mehrere Teil-Identitäten pro Nutzer  Verwaltung unter Kontrolle des Nutzers Datenschutzgerechtes Identitätsmanagement Alter Name Adresse Steuerklasse Kontonummer p2p2 Name Kontonummer p3p3 Alter Führerschein p5p5 E-Mail p4p4 Name E-Mail p1p1 Telefonnummer

172 172 Diensterbringung erfordert oft nur wenige Daten Angabe der erforderlichen Daten unter Pseudonym verhindert unnötige Verkettbarkeit zu anderen Daten des Nutzers verschiedene Aktionen sind bei Verwendung unterschiedlicher Pseudonyme initial nicht verkettbar Techniken - Pseudonyme Beispiel: Autovermietung benötigtes Datum: Besitz eines gültigen Führer- scheins für das gewünschte Auto p1p1 p2p2

173 173 Anonyme Credentials  Credential = Beglaubigung von Nutzereigenschaften (z.B. „Nutzer hat Fahrerlaubnis“)  Ablauf:  Organisation stellt Credential aus  Nutzer zeigt Credential gegenüber Dienstleister vor  Eigenschaften:  Nutzer kann Credential unter verschiedenen Pseudonymen verwenden (umrechnen)  Bei Verwendung des gleichen Credentials unter verschiedenen Pseudonymen kann der Dienstleister und Ausstellerorganisation nicht feststellen, ob es der gleiche Nutzer war. Credential vorzeigen Credential ausstellen Credentialtypen veröffentlichen Organisation Nutzer Dienstleister

174 174 Techniken – Zertifikate in Form von Anonymen Credentials Nutzer A Zertifikat- ausstellende Organisation habe Führer- schein Nutzer B Nutzer X : Nutzer A hat Führer- schein Diensteanbieter habe Führer- schein habe Führer- schein habe Führer- schein

175 175 FUNKTIONEN DES NEUEN ELEKTRONISCHEN PERSONALAUSWEISE (nPA)

176 176 Neu: Chip im Inneren der Ausweiskarte  drahtlose Kommunikation mittels RFID Technologie

177 177  Chip speichert (fälschungssicher) die auf dem Ausweis aufgedruckten Informationen  optional: Fingerabdrücke  Chip ermöglicht einen authentischen Informationsaustausch zwischen Ausweis(inhaber) und Diensteanbieter im Internet  Ausweis(inhaber) wird über ein dienstspezifisches Pseudonym (wieder)erkannt  Chip ermöglicht sicheres Speichern von digitalen Zertifikaten und das digitale Signieren elektronischer Dokumente  Signaturzertifikate müssen wie bisher von privaten Anbietern gekauft werden Neue Funktionen des nPA

178 178  Diensteanbieter überträgt Berechtigungszertifikat  enthält, welche Daten angefragt werden Gesicherte Kommunikation zwischen Ausweis und Diensteanbieter Diensteanbieter Nutzer Internet

179 179 Ablauf für Erteilung eines Berechtigungszertifikats  im Antrag sind anzugeben:  Informationen über den Anbieter  welche Daten ausgelesen werden  zu welchen Zwecken die Daten ausgelesen werden  Datenschutzbeauftragter/ Datenschutzaussichtsbehörde [http://www.personalausweisportal.de]

180 180  Diensteanbieter überträgt Berechtigungszertifikat  enthält, welche Daten angefragt werden  Nutzer entscheidet, ob er Daten für angegebene Zwecke übertragen möchte  Bestätigung mittels 6-stelliger PIN  Risiko: Eingabe der PIN im Rechner bei einfachem Lesegerät (ohne Tastatur & Display) Gesicherte Kommunikation zwischen Ausweis und Diensteanbieter Diensteanbieter Nutzer Internet

181 181  Pseudonymfunktion  Erzeugung eines pro Anbieter und Ausweis eindeutigen, zufälligen Pseudonyms  Sinn:  sichere Wiedererkennung –ersetzt selbstgewähltes Login/Paßwort  Verhinderung von Mehrfachanmeldung bei Diensten  Umsetzung:  Pseudonym= f (Ausweisgeheimnis, Anbieterkennzeichen)  Anmerkung: Ausweisgeheimnis läßt sich nicht aus Pseudonym und Anbieterkennzeichen zurückberechnen  Alters- und Wohnortbestätigung  übermittelt wird lediglich „Ja“/“Nein“-Entscheidung bezüglich angefragtem Vergleichsdatum  Beispiel: über 18? wohnt in Sachen?  keine vollständige Anschrifts- / Altersübermittlung Datenschutzfreundliche Funktionen

182 182  Liste aktuell nutzbarer Anwendungen:  http://www.ccepa.de/onlineanwendungen  Deutsche Rentenversicherung  Einsicht Rentenkonto  Beratungstermin vereinbaren  HUK24, CosmosDirekt, Schufa  Neukundenregistrierung / Anmelden  Punkteauskunft aus dem Verkehrszentralregister (VZR) Aktuelle Anwendungen

183 183 Multilateral security in digital payment systems Identification in case of fraud using anonymous payment systems costumer bank merchant merchant* r r r*r* r*r* c*c* c*c* c c anonymous fig.: identification in case of fraud c, c*challenges (with merchant ID) r, r*responses conclusive identification of the costumer is possible using different responses to same digital coin

184 184 Cryptography (you already know) Steganography Proposals to regulate cryptography Technical limits of regulating cryptography –Secure digital signatures  Secure encryption –Key Escrow encryption without permanent surveillance  Encryption without Key Escrow –Symmetric authentication  Encryption –Multimedia communication  Steganography –Keys for communication and secret signature keys can be replaced at any time  Key Escrow to backup keys is nonsense Proposals to regulate cryptography harm the good guys only Cryptography and the impossibility of its legal regulation

185 185 attacker embedding extracting key stegotext emb cover senderrecipient key secretmessage emb cover* Steganography secretmessage

186 186 attacker embedding extracting key stegotext emb cover senderrecipient key secretmessage emb cover* Steganography secretmessage Domain of trust Area of attack

187 187 attacker embedding extracting key stegotext emb cover senderrecipient key secretmessage emb cover* Steganography secretmessage Steganography: Secrecy of secrecy exactly the same cannot be detected as much as possible no changes

188 188 attacker embedding extracting key stegotext emb cover senderrecipient key copyrightinform. emb* cover* Steganography co?yr?ght?nfo??. Steganography: Watermarking and Fingerprinting possibly severe changes correlation is enough some 100 bit are enough

189 189 Proposals to regulate cryptography ? Would you regulate cryptography to help fight crime ? If so: How ? ?

190 190 Proposals to regulate cryptography ! Outlaw encryption Outlaw encryption – with the exception of small key lengths Outlaw encryption – with the exception of Key Escrow or Key Recovery systems Publish public encryption keys only within PKI if corresponding secret key is escrowed Obligation to hand over decryption key to law enforcement during legal investigation

191 191 CA s A (A,c A ) 1. t A 3. s CA (A,t A ) generates (s A,t A ) generates (c A,d A ) A test CA-certificate test A-certificate A does not need a certificate for c A issues by CA B 2. t of A c A (secret message) Secure digital signatures —> Secure encryption

192 192 k esc (A,c A ) A A c A (secret message) B B —> Encryption without Key Escrow Key Escrow encryption without permanent surveillance

193 193 k esc (A,c A ) A A k esc (c A (secret message)) B B employ Key Escrow additionally to keep your encryption without Key Escrow secret Key Escrow encryption without permanent surveillance

194 194 A A k esc (c A ( k AB ), k AB ( secret message )) B B hybrid encryption can be used k esc (A,c A ) Key Escrow encryption without permanent surveillance

195 195 k esc (A,k AB ) A A k esc (k AB (secret message)) B B if surveillance is not done or even cannot be done retroactively, symmetric encryption alone does the job Key Escrow encryption without permanent surveillance

196 196 Symmetric authentication  Encryption n falsely authenticated messages form intermingle separate Ronald L. Rivest: Chaffing and Winnowing: Confidentiality without Encryption; MIT Lab for Computer Science, March 22, 1998; http://theory.lcs.mit.edu/~rivest/chaffing.txt

197 197 Symmetric authentication  Encryption falsely authenticated messages form and intermingle without knowing the key separate

198 198 Exchanging keys outside the communication network is easy for small closed groups, in particular it is easy for criminals and terrorists. Large open groups need a method of key exchange which works without transmitting suspicious messages within the communication network – asymmetric encryption cannot be used directly for key exchange. Solution: Uses public keys of a commonly used digital signature systems (DSS, developed and standardized by NSA and NIST, USA) Key exchange for steganography ? Diffie-Hellman Public-Key Agreement

199 199 Key exchange without message exchange Diffie-Hellman Public-Key Agreement secret: x public: g x ygyygy (g y ) x = g yx = g xy = (g x ) y

200 200 Key exchange for steganography ! Diffie-Hellman Public-Key Agreement secret: x public: g x ygyygy (g y ) x = g yx = g xy = (g x ) y C S f(C, g yx ) = f(S, g xy ) attacker embedding extracting key stegotext emb cover senderrecipient key secretmessage emb cover* secretmessage

201 201 Digital Signatures Key Escrow without permanent surveillance Multimedia communication Encryption Key exchange, multiple encryption Steganography Cryptoregulation ignores technical constraints Summary

202 202 A A CA Exchanging new keys is more efficient and more secure than Key Recovery —> Key Recovery for communi- cation is nonsense Encryption: generate new one(s) and exchange Authenticate/encrypt and transmit message(s) once more Authentication: generate new one(s) and exchange using CA Dig. Signature: already generated digital signatures can still be tested; generate new key-pair for new digital signatures and, if you like, let certify your new public key Symmetric Authentication Encryption B B Key Recovery makes sense Communication Long-term storage Loosing secret keys

203 203 Encryption Authen- tication asymmetric (dig. signature) protecting communicationlong-term storage symmetric (MACs) Key Recovery functionally unnecessary, but additional security risk Key Recovery useful Key Recovery – for which keys ?

204 204 Proposals to regulate cryptography harm the good guys only  Steganography  In addition steganography  Use Key Escrow or Key Recovery system for bootstrap  Run PKI for your public encryption keys yourself  Calculate one-time- pad accordingly Outlaw encryption Outlaw encryption – with the exception of small key lengths Outlaw encryption – with the exception of Key Escrow or Key Recovery systems Publish public encryption keys only within PKI if corresponding secret key is escrowed Obligation to hand over decryption key to law enforcement during legal investigation

205 205 Explicit techniques (you already know the theory) Workarounds (Im-)Possibility to regulate anonymous/pseudonymous communication

206 206 (Im-)Possibility to regulate anonymous/pseudonymous communication Anon-Proxies MIXes Cascade: AN.ON P2P: TOR All this exists abroad without regulation – as long as we do not have a global home policy

207 207 (Im-)Possibility to regulate anonymous/pseudonymous communication But even domestic: Public phones, Prepaid phones, open unprotected WLANs, insecure Bluetooth mobile phones,... Data retention is nearly nonsense, since „criminals“ will use workarounds, cf. above


Download ppt "1 Security and Cryptography II (Version 2013/04/03) Stefan Köpsell (Slides [mainly] created by Andreas Pfitzmann) Technische Universität Dresden, Faculty."

Similar presentations


Ads by Google