Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms

1 Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms
Authors: David L. Chaum, University of California, Berkeley
Presented by: Murtuza Jadliwala

2 Electronic Mail System
[Figure: Sender → Receiver over an insecure telecommunication channel]
Problem: Vulnerable to traffic analysis attacks
• How to hide the content of communication (message)?
• How to hide who is communicating with whom? More specifically, can the sender send the message anonymously to the receiver?
Additional property needed: Untraceable return addresses
11/10/2018 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)

3 Motivation
• Electronic mail was new in the 1980’s → Anonymously sending an electronic mail was a desirable requirement!
• The idea of anonymously sending an electronic mail could also be used in other applications → Anonymous electronic voting application
• Verification that ballots have been properly counted is possible if anonymously mailed ballots are signed with pseudonyms from a roster of registered voters

4 Background – Public Key Cryptography
A public-key encryption scheme has six ingredients (Figure 2.7a):
• Plaintext: This is the readable message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
• Public and private key: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.
As the names suggest, the public key of the pair is made public for others to use, while the private key is known only to its owner. A general-purpose public-key cryptographic algorithm relies on one key for encryption and a different but related key for decryption. The essential steps are the following:
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As Figure 2.7a suggests, each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
With this approach, all participants have access to public keys, and private keys are generated locally by each participant and therefore need never be distributed. As long as a user protects his or her private key, incoming communication is secure. At any time, a user can change the private key and publish the companion public key to replace the old public key.
Note that the scheme of Figure 2.7a is directed toward providing confidentiality: Only the intended recipient should be able to decrypt the ciphertext because only the intended recipient is in possession of the required private key. Whether in fact confidentiality is provided depends on a number of factors, including the security of the algorithm, whether the private key is kept secure, and the security of any protocol of which the encryption function is a part.
Used for providing confidentiality

5 Background – Public Key Cryptography
Figure 2.7b illustrates another mode of operation of public-key cryptography. In this scheme, a user encrypts data using his or her own private key. Anyone who knows the corresponding public key will then be able to decrypt the message. The scheme of Figure 2.7b is directed toward providing authentication and/or data integrity. If a user is able to successfully recover the plaintext from Bob’s ciphertext using Bob’s public key, this indicates that only Bob could have encrypted the plaintext, thus providing authentication. Further, no one but Bob would be able to modify the plaintext because only Bob could encrypt the plaintext with Bob’s private key. Once again, the actual provision of authentication or data integrity depends on a variety of factors. This issue is addressed primarily in Chapter 21, but other references are made to it where appropriate in this text.
Used for providing authentication

6 Notations
• Assume that the RSA public-key cryptosystem is used
• $K$ is the public key (known to everyone)
• $K^{-1}$ is the private key (known to only the sender)
• $M$ is the message. Assume all messages consist of equal-sized blocks and an equal number of blocks: $M = M_1 M_2 M_3 \ldots M_{L-1}$
• Encryption of $M$ by $K$ (using RSA) is denoted as $K(M)$
• $K(M)$ is a random mapping from $M$ to a string of size $K(M)$
• $K^{-1}(K(M)) = K(K^{-1}(M)) = M$
• If $M = M'$, then $K(M) = K(M')$. To overcome this problem, choose a random string $R$ and attach it to the message before encrypting → $K(R, M)$
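The last point of the notation slide, shown as an added example (not part of the original slides): with deterministic textbook RSA, equal messages give equal ciphertexts that an observer of the channel can group, while K(R, M) with a fresh R does not. The toy key, the 8-byte size of R and the sample traffic are assumptions made for the demonstration.

```python
import os

# Constructed toy RSA key from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key K
D = pow(E, -1, (P - 1) * (Q - 1))        # private key K^-1
R_LEN = 8                                # bytes of random string R (assumed size)

def K(m: bytes) -> int:
    """Deterministic textbook RSA, K(M)."""
    x = int.from_bytes(m, "big")
    if x >= N:
        raise ValueError("message too long for this toy modulus")
    return pow(x, E, N)

def K_inv(c: int, length: int) -> bytes:
    """K^-1 applied to a ciphertext, returned as `length` bytes."""
    return pow(c, D, N).to_bytes(length, "big")

def K_sealed(m: bytes) -> int:
    """K(R, M): prepend a fresh random R before encrypting."""
    return K(os.urandom(R_LEN) + m)

def open_sealed(c: int, msg_len: int) -> bytes:
    """Decrypt K(R, M) and discard R."""
    return K_inv(c, R_LEN + msg_len)[R_LEN:]

def distinct_ciphertexts(messages, encrypt):
    """How many different ciphertexts an observer of the channel would see."""
    return len({encrypt(m) for m in messages})

# Constructed sample traffic: four equal-length messages, three of them identical.
TRAFFIC = [b"VOTE: yes", b"VOTE: no ", b"VOTE: yes", b"VOTE: yes"]

if __name__ == "__main__":
    print("K(M):  ", distinct_ciphertexts(TRAFFIC, K), "distinct of", len(TRAFFIC))
    print("K(R,M):", distinct_ciphertexts(TRAFFIC, K_sealed), "distinct of", len(TRAFFIC))
```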

7 Assumptions
1. No one can determine the mapping between the plaintext and the corresponding encrypted plaintext by just looking at either one of them
2. No one can forge a message or a signature without the appropriate random string or private key.
3. Anyone may learn the origin, destination(s), and representation of all messages in the underlying telecommunication system
4. Anyone may inject, remove, or modify messages.

8 Anonymous Mail System
[Figure: senders s1–s4 on one side, a single Mix in the middle, receivers r1–r4 on the other side.]
• Mix input: $K_{mix}(R_1, K_{r_3}(R_0, M), r_3)$
• Mix output: $K_{r_3}(R_0, M)$

9 Anonymous Mail System
[Figure: senders s1–s4, Mix, receivers r1–r4; the mix is labelled "Batch".]
• Timing and order of arrival can leak information! How to overcome that problem?
• Mix hides correspondences between its input and outputs. How is this possible? By assumption 1 – Cryptanalytic attack not possible!
• What if one item is repeated in the input and the output? How to overcome this? Remove redundant items across multiple batches!

10 Protection against Mix Misbehavior
• Mix provides signed receipts of messages to the participants: $Y = K_{mix}^{-1}(C, K_{mix}(R_1, K_{r_3}(R_0, M), r_3))$
• If a participant is wronged, he can supply $X = (K_{r_3}(R_0, M), r_3)$ and the retained string $R_1$, along with the signed receipt, to the authorities
• Authorities can verify if $K_{mix}(Y) = C, K_{mix}(R_1, X)$

11 Mix Cascades
[Figure: senders s1–s4 → Mix 1 → Mix 2 → … → Mix n → receivers r1–r4.]
Advantage: Even if n-1 mixes are misbehaving or cheating, a single honest mix can provide secrecy

12 Mix Cascades
• Participant provides the following to Mix1: $K_{mix_1}(R_1, K_{mix_2}(R_2, \ldots K_{mix_{n-1}}(R_{n-1}, K_{mix_n}(R_n, K_{r_3}(R_0, M), r_3)) \ldots ))$
• Mix1 yields a lexicographically ordered batch of items, each of the form $K_{mix_2}(R_2, \ldots K_{mix_{n-1}}(R_{n-1}, K_{mix_n}(R_n, K_{r_3}(R_0, M), r_3)) \ldots )$
• The items in the final output batch of a cascade are of the same form as for the single mix: $K_{r_3}(R_0, M), r_3$
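The batching and cascade behaviour from the slides above, as an added example that is not part of the original presentation: each mix drops repeated inputs, strips its own layer, discards R and emits a lexicographically sorted batch. `seal`/`unseal` are a keyed-hash stand-in for K(R, ·) and K^-1 (a shared secret replaces the public/private key pair purely to keep the demo in the standard library); the addresses, keys and messages are constructed.

```python
import hashlib, hmac, os

ADDR_LEN = 2  # constructed fixed-width addresses such as b"r3"

def keystream(key, r, n):
    blocks = (hmac.new(key, r + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, payload):
    """Stand-in for K(R, payload); a fresh R makes equal payloads seal differently."""
    r = os.urandom(16)
    return r + bytes(a ^ b for a, b in zip(payload, keystream(key, r, len(payload))))

def unseal(key, item):
    """Stand-in for K^-1: recover the payload and throw R away."""
    r, body = item[:16], item[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, r, len(body))))

class Mix:
    def __init__(self, key):
        self.key, self.seen = key, set()   # seen persists across batches

    def process(self, batch):
        out = []
        for item in batch:
            if item in self.seen:          # repeated input: drop it
                continue
            self.seen.add(item)
            out.append(unseal(self.key, item))
        return sorted(out)                 # lexicographic order, not arrival order

def build_onion(mix_keys, rcpt_key, addr, msg):
    item = seal(rcpt_key, msg) + addr      # K_a(R0, M), A
    for key in reversed(mix_keys):         # last mix's layer is innermost
        item = seal(key, item)
    return item

def run_cascade(mixes, batch):
    for mix in mixes:
        batch = mix.process(batch)
    return batch

def demo():
    mix_keys = [os.urandom(32) for _ in range(3)]
    rcpt_keys = {a: os.urandom(32) for a in (b"r1", b"r2", b"r3")}
    mixes = [Mix(k) for k in mix_keys]
    sent = [(a, b"msg for ".ljust(14) + a) for a in (b"r3", b"r1", b"r2")]  # equal sizes
    batch = [build_onion(mix_keys, rcpt_keys[a], a, m) for a, m in sent]
    out = run_cascade(mixes, batch + [batch[0]])   # replay inside the same batch
    later = run_cascade(mixes, [batch[0]])         # replay in a later batch
    delivered = [(i[-ADDR_LEN:], unseal(rcpt_keys[i[-ADDR_LEN:]], i[:-ADDR_LEN])) for i in out]
    return sent, out, delivered, later
```

Because the output order depends only on the random-looking ciphertext bytes, it carries no information about arrival order at the first mix.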

13 Return Addresses or Certified Mail
• If x can send an anonymous message to y, is it possible for y to respond to x, while still keeping the identity of x secret from y? Anonymous mail receipt!
• Solution: The sender x forms an untraceable return address $K_{mix}(R_1, A_x), K_x$ and includes it in the message sent through the mix
• $A_x$ is the address of x
• $K_x$ is the public key chosen by x

14 Return Addresses or Certified Mail
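[Figure: senders s1–s4, a single Mix, receivers r1–r4; the label "Rcpt" appears twice. Message labels in the figure:]
• s1 → Mix: $K_{mix}(R_2, K_{r_3}(R_0, M, K_{mix}(R_1, s_1), K_{s_1}), r_3)$
• Mix → r3: $K_{r_3}(R_0, M, K_{mix}(R_1, s_1), K_{s_1})$
• r3 → Mix: $K_{mix}(R_1, s_1), K_{s_1}(R_3, M')$
• Mix → s1: $s_1, R_1(K_{s_1}(R_3, M'))$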

15 Return Address in Mix Cascades
• With a cascade of mixes, the message part is prepared the same as for a single mix
• Receiver provides the following to MixN: $K_{mix_N}(R_N, K_{mix_{N-1}}(R_{N-1}, \ldots K_{mix_2}(R_2, K_1(R_1, s_1)) \ldots )), K_{s_1}(R', M')$
• MixN yields a lexicographically ordered batch of items, each of the form $K_{mix_{N-1}}(R_{N-1}, \ldots K_{mix_2}(R_2, K_1(R_1, s_1)) \ldots ), R_N(K_{s_1}(R', M'))$
• The items in the final output batch of a cascade are of the same form as for the single mix: $s_1, R_1(\ldots R_{N-1}(R_N(K_{s_1}(R', M'))) \ldots )$

16 Application: Anonymous Electronic Voting
• Digital Pseudonym: Public key of an anonymous holder (used to verify signatures made by him)
• Roster: Collection of “digital pseudonyms” of acceptable anonymous holders maintained by an authority
• How can an authority form a roster of anonymous pseudonyms? The roster could contain pseudonyms of registered voters
Anonymous Voting: For a single mix,
• Each voter submits a ballot of the form $K_{mix}(R_1, K, K^{-1}(C, V))$, where $K$ is the voter’s pseudonym and $V$ is the vote
• Items in the final lexicographically ordered output batch are of the form $K, K^{-1}(C, V)$ → duplicates need to be avoided in this batch
• Check if the pseudonym $K$ correctly decrypts the signed vote $V$
• If the above is verified, check if $K$ appears in the roster of registered voters
• The above can be easily extended for a cascading mix

17 General Purpose Anonymous Mail Systems
• To prevent misbehavior in single mix systems: Require that all messages pass through mix cascades
• To hide the number of messages sent: All senders send messages to the mix (in a batch) → Some senders send dummy messages
• To hide the number of messages received: Each receiver searches the entire output for messages directed to it
• Both the above approaches are too costly. One solution is to use only subsets rather than entire sets of senders/receivers
• If a message passes through K mixes in the cascade and contains L blocks (L-K content blocks, K address blocks)
• Problem: How to hide the number of mixes a message passes through → Each mix typically strips off 1 address block?
• Solution: For each mix the message passes through, remove the corresponding address block, but add a junk content block! So the number of blocks in each message is constant

