Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin AT&T Research

Publius  Pen name used by authors of Federalist Papers  Federalist Papers influential in convincing NY state voters to ratify US constitution.

Why Publish Anonymously?  Political Dissent  “Whistleblowing”  Radical Ideas  Human Rights Reports

Publius Design Goals  Censorship Resistant  Tamper Evident  Source Anonymous  Updateable  Host Content Deniability  Persistent  Extensible  Freely Available

Related Work  Connection Based Anonymity Hide identity of requestor  Location or Author Based Anonymity Hide identity of author or WWW server

Connection Based Anonymity  Anonymizer HTTP proxy URL rewrite  Proxymate Formerly LPWA HTTP Proxy Pseudonym generation

Connection Based Anonymity  Onion Router Mix Network HTTP Proxy Developed  Crowds HTTP request via Crowd Dynamic Path generation

Onion 1 Onion 2 Onion 3 Onion 4 “Hello World” Onion Routing

Connection Based Anonymity  Freedom Similar to Onion Routing Implemented at transport layer Nym creation – allows multiple pseudonyms Supports HTTP, NNTP, POP3, Telnet, etc.

Location Based Anonymity  Rewebber (aka Janus) Author & Connection Based Tool HTTP Proxy URL Rewrite using public key crypto U= E k (M)=Encrypt message M with public key k k (U)

Location Based Anonymity  Taz & Rewebber Computers with public/private key pair Each runs HTTP proxy server Encryption similar to onion-routing TAZ servers translate name.taz to address Down server = document irretrievable AYATTENTIONTOTHESPEAKER

Eternity Service  Ross Anderson (Univ. of Cambridge)  Network of servers – resists DOS attacks  Fee based  Files cannot be removed or updated  Digital Libraries

Eternity Systems  Usenet Eternity Scaled Down Eternity System Usenet is storage medium Formatting using PGP, SHA1 Send to alt.anonymous.messages Server caches and performs updates Connect via WWW browser

Eternity Inspired Systems  Freenet “Adaptive Network” Local caching Anonymous query, retrieval  Intermemory Self-replicating persistant RAM Donate hard disk space

File Sharing Systems  Napster Peer-to-peer file sharing Peers can capture IP address or peer  Gnutella Anonymous query Peer to peer file transfer, IP capture

Publius Overview Publius Content – Static content (HTML, images, PDF, etc) with desired properties.  Publishers – Post Publius content  Servers – Host Publius content  Retrievers – Browse Publius content

Publius Servers whitehouse.gov library.fr publius.uk Publius Server Table publius.uk library.fr whitehouse.gov

Publish Operation D = Document To Publish K=Key Shamir Secret Sharing Share 1 Share 2 Share 3 K Share 4 MD5 ( D. Share i ) / Mod 5 = Index Into Server Table Index 0 = Index 3 = Store D encrypted under K, and one Share on Server

Publish Overview  Servers available to store content  Encrypt document with secret key K  Secret split key K into (m,k) shares (Shamir)  Store encrypted document and share on m servers  Form URL cryptographically tied to document  Distribute URL – Publius URL readingthis=12asbnm8945

Retrieve Overview  Break apart URL to discover document locations  Retrieve encrypted document and share from k locations  Reassemble Key K from shares  Decrypt retrieved document  Check for tampering  View in WWW browser

Retrieve Operation Share 1 )MD5 (D. Share 2 )… Index = MD5(D. Share 1 ) Mod Table_Size From Get Encrypted File, Share Key = combine Shares D = Decrypt File with Key Tamper Check = MD5(D. Share 1 ) = value in URL

Tradeoffs  N = # servers with Content & Share  K = # Shares needed to reconstruct the Key  Higher N Greater availability Harder to censor  Higher K Decreased performance Greater tamper protection Possibly Easier To Censor

Update and Delete Operations  Update – “update” file, MD5(password. IP)  Delete – MD5(password. IP)  Threats – Place update file on server Brute force to delete files  URL contains update bit - Don’t accept updates  Publish Option – No Delete or Update

Mutually Hyperlinked Content Publish B, Modify A, Publish A Publish B First – Invalid A Link Publish A First – Invalid B Link Problem: Content cryptographically tied to URL

Hyperlinked Content Solution Publish A, B Modify A, B Republish A,B Update A,B Hyperlink Update

User Interface Internet Publius Proxy Browser Based GUI Store MIME type in first three bytes of file Send correct Content-Type to browser

Threats & Limitations Share Deletion or Corruption Update File Deletion or Corruption Denial of Service Attacks Threats to Publisher Anonymity “Rubber-Hose Cryptanalysis”

Live Trial (8/7/2000) 3 Week Server Recruitment Period 100 Volunteers, Test Script distributed 53 successfully installed test script 44 successfully installed. Proxy - server version of client, 9 volunteers Must trust proxy – see file, password for Publish Sees URL for retrieve Over 550 client requests

Contributions & Availability Automatic Tamper Checking Mechanism Update / Delete Method Publishing Mutually Hyperlinked Content 1500 Lines of Perl Uses Crypto – Crypto Library (C++)

Future Work  Remove dependence on server list - URL encodes locations, tamper check  Split content - Krawczyk – Information Dispersal  CPU payment scheme (Dwork, Naor)  Automatic replication across servers - Intermemory model

Publius WWW Site Source Code & Technical Paper