Presentation is loading. Please wait.

Presentation is loading. Please wait.

Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003.

Published byCale Minott Modified over 9 years ago

Similar presentations

Presentation on theme: "Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003."— Presentation transcript:

1 Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003 CS 294-4: Peer-to-peer systems

2 Speech, censorship, and anonymity Speech, publication spread ideas Many ideas are controversial, some revolutionary People in power like to stay in power Those in power may try to censor ideas or persecute people they see as threats

3 ...and the Internet... “The Net treats censorship as damage and routes around it” --John Gilmore “On the Internet, nobody knows you're a dog,” caption to a New Yorker cartoon by Peter Steiner Do these sentiments accurately represent the state of the internet?

4 ...and Reality. Church of Scientology Among other incidents, tried to force Julf Helsingius to reveal identities anonymized through remailer DMCA Copyright owners can force service providers to remove content (must stay down during dispute) Generally, an automatic, semipermanent record of much internet activity is (or could be) kept

5 Core goals: Censorship resistant Tamper evident Deniable Fault-tolerant Persistent Freely available Additional goals: Source anonymous; updateable; extensible Publius design goals

6 Related tools Anonymizers Onion routing Crowds Rewebber Freenet Eternity Service

7 Eternity Service (Ross Anderson) General problem: assure availability Most work focused on confidentiality and integrity Eternity service: persistent, available data Can't be deleted by anyone, including servers and author Threat model: governments ban it, attack it But law tends to lag technology Need strong cryptography, wide distribution

8 Freenet Very similar in goals: defeat censorship, provide anonymity Different approaches: routing vs. lookup, anonymous servers vs. key shares,... We'll come back to this later

9 Overview of Publius Publishers, servers, retrievers Supports static content Assume static systemwide list of servers Each server doesn't know what it hosts Key split into 'shares' Special Publius URL Authors (and only authors) can update, delete

10 K-way key splitting Goal: split key K into n shares such that any k of them can recover the key but any k-1 cannot The strategy: find a polynomial q of degree k-1 Evaluate q at n points (q(1), q(2),..., q(n)) q(0) = K, the other q(i) are the shares Can interpolate polynomial to find q(0) with any k points, but k-1 points give no information!

11 Example: k = 2 (q(i) = m*i + q(0))

12 Publishing Alice encodes content M with key K: {M} K She splits K into n shares (k can recover K) For each share: name i = wrap(H(M, share)), location i = (name i mod m) + 1 Why wrap (xor of halves)? To save space? If fewer than d unique locations are obtained, start over with another K

13 Publishing (continued) What is d? d is the number of Publius servers that will end up hosting the content (k <= d <= m) Coupon collector's problem: expect y ln(y) coupons Therefore we choose d and then set n = d ln(d) At each location i : publish {M} K, share i, and some other information in directory name i Publius URL comprises at least d concatenated name i s

14 Retrieving Bob wants to view content; he gets Publius URL He gets the name i s and computes location i s Choose k servers arbitrarily: get {M} K from one and get shares from all k Recover K, decrypt, and check name i s If there's a problem, try different k shares

15 Retrieving (continued) More on problems... If the name i calculation works, either the data are uncorrupted or a collision has been found in SHA-1! If something does go wrong, Bob can try a different set of k shares, up to (n choose k) combinations Other options: Berlekamp-Welch, brute-force search of n*(n choose k) share/document combinations A note: Bob can be retrieving the content through a normal web browser with a Publius proxy

16 Deleting Alice, the author, creates passwords H(servername, PW) from a master PW Specific to each server Alice authenticates with password to delete Problem...?

17 Deleting Alice, the author, creates passwords H(servername, PW) from a master PW Specific to each server Alice authenticates with password to delete Problem...? The password is sent in the clear! Should public keys be passed with server list?

18 Update Optional 'update' file in name i directory Redirects to updated version If 'update' exists, retrievals follow it Uses same password as delete But this indirection seems very kludgy

19 Update Optional 'update' file in name i directory Redirects to updated version If 'update' exists, retrievals follow it Uses same password as delete But this indirection seems very kludgy Would it be better to always have a level of indirection? Would it be better to prohibit updates?

20 Mutually linked documents Problem: Publius names are based on content, so a dependency loop can't be resolved directly Solution: Use an update

21 Limitations and threats Share deletion/corruption Cannot recover key if n-k+1 shares are toast Higher n and lower k lead to more protection against censorship Updates Malicious servers can add/change/delete 'update' files Need enough servers collaborating to do real damage

22 More threats Denial of service A malicious user could saturate Publius with junk Solution: Hash Cash? No connection-based anonymity 'Rubber-Hose cryptanalysis' Unlike Eternity, authors can delete: open to coercion Coercing enough servers difficult if well distributed

23 Other potential problems Could a server be held legally negligent for not knowing what it hosts? It could find out by obtaining the Publius URL and retrieving the document, or querying enough other servers Lack of connection-based anonymity is especially bad here Any one of the n servers can compromise an author's anonymity

24 Back to Freenet Key similarities: Both aim to keep publishers anonymous Both aim to preserve content Key differences: Freenet: adversary doesn't know where content is; Publius: server doesn't know what it stores What about resistance to censorship?

25 That's all folks!

Download ppt "Publius: A robust, tamper-evident, censorship-resistant web publishing system By Waldman, Rubin, and Cranor Presented by Marco Barreno October 8th, 2003."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin.

Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin.
Lorrie Cranor AT&T Labs Avi Rubin AT&T Labs Marc Waldman

Lorrie Cranor AT&T Labs Avi Rubin AT&T Labs Marc Waldman
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
PGP Overview 2004/11/30 Information-Center meeting peterkim.

PGP Overview 2004/11/30 Information-Center meeting peterkim.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Cryptography In Censorship Resistant Web Publishing Systems By Hema Hariharan Swati B Shah.

Cryptography In Censorship Resistant Web Publishing Systems By Hema Hariharan Swati B Shah.
Computers and Society Carnegie Mellon University Spring 2006 Cranor/Tongia/Farber 1 Regulating Online Speech.

Computers and Society Carnegie Mellon University Spring 2006 Cranor/Tongia/Farber 1 Regulating Online Speech.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
P2P: Advanced Topics Filesystems over DHTs and P2P research Vyas Sekar.

P2P: Advanced Topics Filesystems over DHTs and P2P research Vyas Sekar.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Identity, Anonymity,

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Identity, Anonymity,

Similar presentations

Ads by Google