DC-Networks – The Protocol

2 DC-Networks - The Protocol toc Introduction Time Excluding bad clients Key Exchange Demonstration Some Attacks On-demand disclosure

3 DC-Networks - The Protocol Introduction

4 DC-Networks - The Protocol Is the meal paid by one of the cryptographers? Bob Alice Charlie key exchange Introduction

5 DC-Networks - The Protocol Is the meal paid by one of the cryptographers? Bob Alice Charlie key exchange Introduction Bob: Alice: Charlie: Everybody:

6 DC-Networks - The Protocol Remember the one-time-pad If an attacker knows and if k is random, he does not learn anything about m In other words: Key k “hides” the cleartext m Introduction

7 DC-Networks - The Protocol Bob does not learn anything Bob Alice Charlie key exchange Introduction Bob: Alice: Charlie: Bob can learn:

8 DC-Networks - The Protocol Summary Everybody exchanges keys with everybody Sender Anonymity Everybody gets every message Receiver Anonymity Introduction

9 DC-Networks - The Protocol Time

10 DC-Networks - The Protocol Rounds, separated by ticks In each round, each client needs to: Get the list of all participants (may have changed) Prepare and send the new message Get the final message Know, that all others got the (same) message Time

11 DC-Networks - The Protocol The protocol Time Tick Round Client get participants send receive message add all keys confirmation that others got message Server

12 DC-Networks - The Protocol DC+ “Know, that all others got the same message” Attacker could modify messages to specific clients Solutions Good: Byzantine Agreement, TTP, Group Signatures, Anonymous Signatures... Better: Mangle last message into current Easy, Fast Time

13 DC-Networks - The Protocol Excluding bad clients

14 DC-Networks - The Protocol Broken and malicious clients Broken clients Server logs out any client that did not send Ban lists, reputation systems etc... Malicious clients Anonymous reservation scheme and trap messages Google “DSuKrypt.pdf”, page , Excluding bad clients

15 DC-Networks - The Protocol Anonymous reservation scheme Excluding bad clients Tick X collision counter length #1 #2#3 #4...#23... # a 32 ef f1 f0 0a aa b #1 length chunk server

16 DC-Networks - The Protocol Anonymous reservation scheme Round messages = Reservation slots Client chooses slot at random If collision counter = 1 then reservation succeeded Real message data published via “chunk server” Bonus: Variable block length in reservation slot Excluding bad clients

17 DC-Networks - The Protocol Trap Messages Prevent attacker disturbing messages: Trap messages every now and then Request disclosure of own traps (if caught something) Bonus: Variable block length in reservation slot Excluding bad clients

18 DC-Networks - The Protocol Key Exchange

19 DC-Networks - The Protocol Remember: Diffie & Hellman Key Exchange Server p,q AliceBob publish

20 DC-Networks - The Protocol Diffie & Hellman No direct client to client communication needed Complete key graph Easy distribution Exchange seeds for random number generator Unfortunately, keys become “provable” But: Clients can always exchange real one-time-pads (they even do not have to tell the server) Key Exchange

21 DC-Networks - The Protocol Demonstration

22 DC-Networks - The Protocol Some Attacks

23 DC-Networks - The Protocol Timing attack Attacker knows who sends at which time A client answering too fast did not send the answer Alic e "Everything understandable?""No, the lecturer sucks!!1!" Alic e other participants too short for human reaction other participants Some Attacks

24 DC-Networks - The Protocol Timing attack Solution: Server return message after client sends All clients receive messages delayed at least one round Nice side effects: Only client → server communication (“firewall-proof”) Some Attacks

25 DC-Networks - The Protocol Political attacks Centralized Server? Data Retention Forced to store communication data btw: Does not make sense anyway Warning lawyer threats Crypto bans Some Attacks

26 DC-Networks - The Protocol Political attacks Why do we need a server at all? Participants publish their rounds on MySpace, Wikipedia, phpBB, newspaper etc. Login / Logout: Someone send participants DH-key and publishing URL within the DC-Network Auto-Logout by “not publishing once” Some Attacks

27 DC-Networks - The Protocol On-demand disclosure

28 DC-Networks - The Protocol Original scheme by David Chaum Participants sign round keys Alice and Bob exchange their signatures In case of “disclosure”, all participants publish their keys Alice verifies Bob's key and vice versa On-demand disclosure

29 DC-Networks - The Protocol "Watchmen" scheme n predefined watchmen may work together to disclose sender Client splits round key into n parts Send one part to each watchman In case of “disclosure”, all watchmen post their parts to reconstruct the round key On-demand disclosure

30 DC-Networks - The Protocol How to split a key On-demand disclosure To join parts together, add them

31 DC-Networks - The Protocol Split keys to Dickens and Elisa Bob AliceCharlie On-demand disclosure DickensElisa

32 DC-Networks - The Protocol Split keys to Dickens and Elisa Bob AliceCharlie On-demand disclosure DickensElisa Dickens says: Elisa says: Everyone:

33 DC-Networks - The Protocol Why do the watchmen learn nothing? The first watchmen receive random numbers. Obviously, they learn nothing about k The published values only consist of random numbers On-demand disclosure

34 DC-Networks - The Protocol Problem: Conspiration Alice and Bob exchange an additional key They add to their round message, but not to the key sent to Dickens and Elisa Sum of Dickens and Elisa is still 0 On “disclosure”, both round keys from Alice and Bob mismatch (by resp. ) Of course, both could be considered “bad guys” On-demand disclosure

35 DC-Networks - The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g. “5 out of 10” Google “DSuKrypt.pdf”, page Using Adi Shamirs polynomial interpolation, some restrictions occur All participants must use same set of watchmen (may be necessary anyway) Each watchman must get the same x-coordinates from every participant On-demand disclosure

36 DC-Networks - The Protocol Comparison Comparing the disclosure scheme by David Chaum: Both schemes are insecure against conspirations Using watchmen, a conspiration can not be formed after the message is published Using watchmen, no communication to the participants needed after message is published The disclosure can be kept secret On-demand disclosure

37 DC-Networks - The Protocol Thanks Interesting stuff: D.Chaum, “The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability” (Journal of Cryptology, vol. 1 no. 1, 1988, pp or A.Pfitzmann, “Datensicherheit und Kryptographie” ( pp and German language) Literature