Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 20, 2013 Anon-Pass: Practical Anonymous Subscriptions Michael Z. Lee †, Alan M. Dunn †, Jonathan Katz *, Brent Waters †, Emmett Witchel † † University.

Published byDominic Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "May 20, 2013 Anon-Pass: Practical Anonymous Subscriptions Michael Z. Lee †, Alan M. Dunn †, Jonathan Katz *, Brent Waters †, Emmett Witchel † † University."— Presentation transcript:

1 May 20, 2013 Anon-Pass: Practical Anonymous Subscriptions Michael Z. Lee †, Alan M. Dunn †, Jonathan Katz *, Brent Waters †, Emmett Witchel † † University of Texas at Austin * University of Maryland

2 -2- Media Subscriptions Unlimited access subscriptions

3 -3- ♪ Let’s build a service ♫♪ ♩♬ ♬ ♪♫ ♩ ♪ ♩♬ ♫♪ ♩♬ ♫♪ ♬♩ ♫♪♫♩♪♩♫♪♫♩♪♩ 1234… 2345… 1234… Sharing Resistance (admission control) X

4 -4- They are collecting information about you.

5 -5- Song 1 time Song 2 Anonymous Media 1234…8720… Accesses can’t be correlated Unlinkability

6 -6- Linked accesses could deanonymize users The Netflix Prize dataset [Narayanan, Shmatikov 2008] Social networks [Narayanan, Shmatikov 2009] Access patterns for enough time could help deanonymize clients

7 -7- But even if tokens are unlinkable… ♫♪ ♩♬ ♬ ♪♫ ♩ ♪ ♩♬ ♫♪ ♩♬ ♫♪ ♬♩ 1234… 128.83.122.105 141.212.15.125 8720… 37.130.227.133128.83.122.105 We assume clients are using a network anonymity service

8 -8- Anonymous Music Service ♫♪ ♩♬ ♬ ♪♫ ♩ ♪ ♩♬ ♫♪ ♩♬ ♫♪ ♬♩ 8720… 1234… Straw Man ♪ ♩ 7964… 1910… 8739… 2372… ♫ 3141… Unlinkability but not sharing resistance

9 -9- How do we get both? Unlinkable Serial Transactions [Syverson et al. 1997] Sharing resistance, unlinkability Anonymous Blacklisting Systems [Tsang et al. 2008] Sharing resistance, unlinkability but needs unbounded storage but computationally expensive

10 -10- And also be practical? Unlinkable Serial Transactions [Syverson et al. 1997] Sharing resistance, unlinkability Anonymous Blacklisting Systems [Tsang et al. 2008] Sharing resistance, unlinkability but needs unbounded storage but computationally expensive Anon-Pass Sharing resistance, unlinkability, and efficiency Example: over 12,000 concurrent clients

11 -11- How? How is Anon-Pass built? How is Anon-Pass used? How does Anon-Pass perform?

12 -12- How is it built? t–1tt+1t+2 time Split up time into epochs Each user has a unique token Each epoch allows a new, unpredictable token for an epoch 1234…

13 -13- t–1tt+1t+2 time Each user has a unique token for an epoch Each epoch allows a new, unpredictable token PRF (t) PRF How is it built? Split up time into epochs Use a pseudorandom function (PRF) <-1234…

14 -14- High Level Protocols Register Get a blinded signature on a secret Login Prove the token used the signed secret (in zero knowledge)

15 -15- Song 1 Song 2 Anonymous Music Service t–1tt+1t+2 time PRF (t)PRF (t+2) 1234…8720…

16 -16- t–1tt+1t+2 time Anonymous Music Service But songs don’t always fit in one epoch 1234…8720…5629… PRF (t)PRF (t+1)PRF (t+2) Song 1

17 -17- t–1tt+1t+2 time Conditional Linkability Anonymous Music Service But songs don’t always fit in one epoch And these accesses are implicitly linked 1234…8720…5629…

18 -18- Accesses can be implicitly linked The service knows when the same song is repeatedly accessed Client is implicitly linked while accessing the same media And unlinkability costs the service provider (and therefore harms the system) Baby+ 0s Baby+15s Baby+30s Baby+45s Baby+60s Baby+75s Baby+90s ….

19 -19- Re-Up Prove the current token and the next token are linked Trades unlinkability for efficiency But the client already lost unlinkability while accessing the same media Our way of getting conditional linkability

20 -20- Re-Up is more efficient Login proves you should be allowed access Login takes 10 expensive operations Re-Up proves you logged in before Re-Up takes only 2

21 -21- Using Login and Re- Up t–1tt+1t+2 time A client must Login to start a new song And Re-Up to continue playing the same song To be unlinkable again, the client must wait until the next epoch Re-Up

22 -22- Epoch Lengths: Long vs. Short A short epoch means less time to be unlinkable And less delay between client actions Happy Clients A long epoch means fewer client requests And lower server load Happy Server Choosing an epoch length depends on the service (e.g., 15 seconds for music, 5 minutes for movies)

23 -23- Re-Up helps balance this tension Short epochs means less wait between unlinkable actions Re-Up instead of Login reduces server load

24 -24- And Anon-Pass is formally proven Formal proof of security holds under the DDHI assumption Stated and proved in the paper Formal proof of soundness holds under the LRSW assumption

25 -25- How? How is Anon-Pass built? How is Anon-Pass used? How does Anon-Pass perform?

26 -26- Anonymous Music Streaming Music download over normal HTTP Unlimited-use Subway Pass NYC’s “unlimited” pass Account Proxy Multiplex accounts to news sites 15 second epoch 6 minute epoch 1 minute epoch How could it be used?

27 -27- System Architecture Client Application subscription servicemy laptop Application Server ♪

28 -28- System Architecture subscription servicemy laptop Authentication Server User Agent Client Application Application Server ♪

29 -29- System Architecture subscription servicemy laptop Gatewa y Application Server ♪ Client Application User Agent Authentication Server 3 rd party service

30 -30- User Agent Purpose: minimize changes to client applications Job: Create Login and Re-Up requests Keep the user secret secure Modified VLC to anonymously stream (54 LoC) No modifications to support browsers

31 -31- Authentication Server Purpose: enforce sharing resistance Job: Verify tokens and token uniqueness Record active tokens Runs on the service or as a 3 rd party

32 -32- Gateway Purpose: enforce access control with minimal change to existing services Job: Prevent unauthorized access and responses Remove verification from the critical path Runs on the service as a front end server

33 -33- How? How is Anon-Pass built? How is Anon-Pass used? How does Anon-Pass perform?

34 -34- Evaluation Environment quad-core 2.66 GHz Intel Core 2 CPU 8GB RAM 1 Gbps network An HTC Evo 3D to evaluate the anonymous subway pass 10 client machine to evaluate the streaming music service

35 -35- Crypto Cost milliseconds 7.8x Faster Other Verify

36 -36- Music Service Scaling Used 10 client machines HTTP server to stream music 15 second epoch Add clients until we run out of resources

37 -37- Music Service Scaling % CPU Steady 8,000 Clients 6,000 Clients 12,000 Clients Login Only vs. Anon-Pass Time Anon-Pass Login Only

38 -38- Anonymous Subway Pass Problem: Need to rate limit between swipes t t+1 But sharing is still possible… A long epoch can simulate that timeout

39 -39- Anonymous Subway Pass Solution: Login and Re-Up at the same time Accesses during later epochs are linkable t–1tt+1t+2 time X

40 -40- Anonymous Subway Pass Implemented as an Android application Clients Login and Re-Up twice (18 minute NYC policy) Takes only 0.2 seconds (on an HTC Evo 3D)

41 -41- Anon-Pass Practical – efficient enough to scale Flexible – works with different services Deployable – minimizes service changes

42 -42-

Download ppt "May 20, 2013 Anon-Pass: Practical Anonymous Subscriptions Michael Z. Lee †, Alan M. Dunn †, Jonathan Katz *, Brent Waters †, Emmett Witchel † † University."

Similar presentations

File Transfer Protocol. FTP (File Transfer Protocol) is used to transfer programs or other information from one computer to another. This simple tool.

File Transfer Protocol. FTP (File Transfer Protocol) is used to transfer programs or other information from one computer to another. This simple tool.
Effective Straggler Mitigation: Attack of the Clones [1]

Effective Straggler Mitigation: Attack of the Clones [1]
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Other time considerations Source: Simon Garrett Modifications by Evan Korth.

Other time considerations Source: Simon Garrett Modifications by Evan Korth.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC-681/781 Distributed Computing Systems Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC-681/781 Distributed Computing Systems Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Using Secondary Storage Effectively In most studies of algorithms, one assumes the RAM model“: –The data is in main memory, –Access to any item of data.

Using Secondary Storage Effectively In most studies of algorithms, one assumes the "RAM model“: –The data is in main memory, –Access to any item of data.
Using Prices to Allocate Resources at Access Points Jimmy Shih, Randy Katz, Anthony Joseph One Administrative Domain Access Point A Access Point B Network.

Using Prices to Allocate Resources at Access Points Jimmy Shih, Randy Katz, Anthony Joseph One Administrative Domain Access Point A Access Point B Network.
MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.

MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs The University of Michigan Scott Wolchok J. Alex Halderman The University of Texas at Austin.

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs The University of Michigan Scott Wolchok J. Alex Halderman The University of Texas at Austin.
1 DATABASE TECHNOLOGIES BUS3500 - Abdou Illia, Fall 2007 (Week 3, Tuesday 9/4/2007)

1 DATABASE TECHNOLOGIES BUS Abdou Illia, Fall 2007 (Week 3, Tuesday 9/4/2007)
CORE KAIST EECS Computer Engineering Research Lab A General Purpose Proxy Filtering Mechanism Applied to the Mobile Environment Bruce Zenel Jupyung Lee.

CORE KAIST EECS Computer Engineering Research Lab A General Purpose Proxy Filtering Mechanism Applied to the Mobile Environment Bruce Zenel Jupyung Lee.
SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.

SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Topic 22: Digital Schemes (2)

Topic 22: Digital Schemes (2)
I Information Systems Technology Ross Malaga 4 Part I Understanding Information Systems Technology Copyright © 2005 Prentice Hall, Inc. 4-1 DATABASE.

I Information Systems Technology Ross Malaga 4 "Part I Understanding Information Systems Technology" Copyright © 2005 Prentice Hall, Inc. 4-1 DATABASE.

Similar presentations

Ads by Google