Presentation is loading. Please wait.

Presentation is loading. Please wait.

Censorship-Resistant Publishing Systems Marc Waldman Computer Science Department New York University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Censorship-Resistant Publishing Systems Marc Waldman Computer Science Department New York University."— Presentation transcript:

1 Censorship-Resistant Publishing Systems Marc Waldman Computer Science Department New York University

2 What is a Censorship-Resistant Publishing System? A system that maintains document availability in the presence of adversaries who wish to suppress the document.

3 Why Censorship-Resistant Publishing? Political Dissent Political Dissent “Whistleblowing” “Whistleblowing” Human Rights Reports Human Rights Reports

4 Possible Solutions Collection of WWW servers Collection of WWW servers - CGI scripts to accept files - each file replicated on other participating servers Usenet Usenet - Send file to Usenet server - Automatically replicated via NNTP

5 Small group of WWW servers Censorship-resistant properties Censorship-resistant properties - replication of content - multiple administrators Problems Problems - Small static set of servers - Flooding - Overwriting or deleting - Name Squatting

6 Usenet Censorship-resistant properties Censorship-resistant properties - globally distributed (resists admin threats) - huge capacity (resists storage flooding) Problems Problems - published document (article) short lived - propagation time unpredictable - no tamper check mechanism - cancel/supercede requests - easily filled with meaningless articles

7 Document Availability Threats Legal and illegal threats against server admin Legal and illegal threats against server admin Adversarial content modification Adversarial content modification Document Flooding Document Flooding Legal and illegal threats against publisher Legal and illegal threats against publisher Name Squatting Name Squatting Malicious hosting servers Malicious hosting servers

8 “Eternity Service” Proposal Worldwide collection of servers that store documents (prevents legal threats) Worldwide collection of servers that store documents (prevents legal threats) Publisher pays (anonymous e-cash) for document to be published on random subset of servers Publisher pays (anonymous e-cash) for document to be published on random subset of servers (prevents document flooding) Once published, document can’t be deleted Once published, document can’t be deleted (prevents illegal threats against publisher) Request and receive documents via anonymous communication channel Request and receive documents via anonymous communication channel (protects readers) (protects readers)

9 “Eternity Service” Design Challenges Servers Servers - Adding, removing, adversarial servers Document Naming Document Naming - name squatting, updating, searching Replica Placement Replica Placement - efficient retrieval

10 “Eternity Service” Design Challenges Content Storage Content Storage - File or block based storge, encryption Tamper Protection Tamper Protection - Detect malicious & accidental tampering Untraceable Communication Channel Untraceable Communication Channel - “Real-time” or e-mail based

11 Eternity Service Inspired Censorship-Resistant Systems Design goals similar to Eternity Service Design goals similar to Eternity Service Scaled down design, some implementations available Scaled down design, some implementations available - Janus - Rewebber - Usenet Eternity - Freenet - FreeHaven - Publius - Tangler

12 Janus Provides URL rewriting service to hide true location of WWW page Provides URL rewriting service to hide true location of WWW page Based on public key cryptography Based on public key cryptography E k (U)=Encrypt URL U with public key k U=http://www.cs.nyu.edu/ Janus URL hides true location of U Janus URL hides true location of U http://www.rewebber.de/surf-encrypted/E(U) http://www.rewebber.de/surf-encrypted/E k (U) Janus acts as HTTP proxy, retrieving and rewriting pages. Janus acts as HTTP proxy, retrieving and rewriting pages.

13 Janus In Action Internet http://www.cs.nyu.edu http://www.rewebber.de/surf-encrypted/E(U) http://www.rewebber.de/surf-encrypted/E k (U) User Janus index.html with URLs encrypted 1 2 3 4

14 Janus For Censorship-Resistant Publishing Must trust Janus not to divulge true URL Must trust Janus not to divulge true URL Not fault-tolerant Not fault-tolerant - Janus URL encodes single server - Access available only through Janus Janus controls all returned content Janus controls all returned content - Content could be modified or censored

15 Taz and Rewebber Collection of volunteer servers Collection of volunteer servers - Each has public/private key pair - Public keys well known to all users - Each runs a special HTTP proxy server URL to hide is encrypted using layered technique URL to hide is encrypted using layered technique - Similar to onion-routing - Results in long URLs TAZ servers translate names to URLs TAZ servers translate names to URLs

16 Server 1 Server 2 Server 3 Server 4 nyu.edu Rewebber Layered Encryption Server 5 http://VeryLongURL LongURLMediumURLSmallURL Publisher uses public keys of servers to encrypt URL “nyu.edu” Want URL to be hidden behind 5 other servers. Encrypt in reverse path order (use public key of server 5 first)

17 Taz and Rewebber In Action User 1. Apple_Pie_Recipe.taz TAZ Server 2. http://VeryLongURL LongURL 4 MediumURL 5 SmallURL 3. http://VeryLongURL ApplePie.com 6 7. get recipe.html

18 Rewebber For Censorship-Resistant Publishing Do not need to trust single entity Do not need to trust single entity - Single coopering server hides true URL Allows anonymous retrieval Allows anonymous retrieval - No limit on URL size - Padding can be applied after each decryption Not fault tolerant Not fault tolerant - Single faulty or malicious server can prevent document from being retrieved No tamper protection mechanism No tamper protection mechanism - A server can modify content on return trip

19 Publius Collection of volunteer servers Collection of volunteer servers - Each server donates disk space - Runs script to interpret Publius commands Publication process encrypts document Publication process encrypts document - encrypted document stored on subset of servers - part of encryption key stored with document Publication process results in a Publius URL Publication process results in a Publius URL - Tells location of encrypted documents - Provides tamper check mechanism Provides secure update and support for mutually hyperlinked content Provides secure update and support for mutually hyperlinked content

20 Cryptographic Hash A function that takes an arbitrary sized input and maps it to a fixed sized output value such that 1) It is computationally infeasible to find a specific input that matches a pre-specified output 2) It is computationally infeasible to find any two distinct inputs that map to the same output MD5 cryptographic hash output = 128 bits SHA-1 cryptographic hash output = 160 bits

21 Publius Servers whitehouse.gov library.fr publius.uk www.redcross.org www.nyu.edu Publius Server Table publius.uk www.nyu.edu library.fr whitehouse.gov www.redcross.org

22 Publish Operation D = Document To Publish K=Encryption Key Shamir Secret Sharing Share 1 Share 2 Share 3 K Share 4 MD5 ( D. Share i ) Mod 5 = Index Into Server Table Index 3 = www.nyu.edu Store D encrypted under K, and Share i on www.nyu.edu

23 Publius URL Cryptographic hash value determines location of document. MD5 ( D. Share i ) Mod 5 = Index Into Server Table To Form Publius URL – Perform hash on each Share and concatenate resulting MD5 values. http://!publius!/1e6adsg673h0=hgj7889340=yareyoureading this=12asbnm8945 The URL is cryptographically tied to document. Provides a tamper check mechanism.

24 Publius Retrieve Operation Break apart URL to discover document locations Break apart URL to discover document locations Retrieve encrypted document and share from k locations Retrieve encrypted document and share from k locations Reassemble Key K from shares Reassemble Key K from shares Decrypt retrieved document Decrypt retrieved document Check for tampering Check for tampering View in WWW browser View in WWW browser All work done by a client-side HTTP proxy All work done by a client-side HTTP proxy

25 Publius For Censorship-Resistant Publishing Fault tolerant – don’t need all shares or documents to retrieve document Fault tolerant – don’t need all shares or documents to retrieve document Tamper resistant – All documents retrieved from servers are checked for tampering Tamper resistant – All documents retrieved from servers are checked for tampering Encryption protects hides content from someone who doesn’t know URL (including server admin) Encryption protects hides content from someone who doesn’t know URL (including server admin) Scalability problems – Everyone needs list of servers Scalability problems – Everyone needs list of servers Flooding can be a problem. Publius file size limit is 100K. Flooding can be a problem. Publius file size limit is 100K.

26 The Tangler Censorship-Resistant Publishing System Designed to be a practical and implementable censorship-resistant publishing system. Designed to be a practical and implementable censorship-resistant publishing system. Addresses some deficiencies of previous work Addresses some deficiencies of previous work Contributions include – Contributions include – - A unique publication mechanism called entanglement - The design of a self-policing storage network that ejects faulty nodes

27 Tangler Design Small group (<100) of volunteer servers Small group (<100) of volunteer servers Each server has public/private key pair Each server has public/private key pair Each server donates disk space to system (publishing limit) Each server donates disk space to system (publishing limit) Agreement on volunteer servers, public keys and donated disk space Agreement on volunteer servers, public keys and donated disk space Published documents are divided into equal sized blocks, and combined with blocks of previously published documents (entanglement) Published documents are divided into equal sized blocks, and combined with blocks of previously published documents (entanglement) Entangled blocks are stored on servers Entangled blocks are stored on servers Each server verifies other servers compliance with Tangler protocols Each server verifies other servers compliance with Tangler protocols

28 Tangler Goals Anonymity – Users can publish and read documents anonymously Anonymity – Users can publish and read documents anonymously Document availability through replication Document availability through replication Integrity guarantees on data (tamper & update) Integrity guarantees on data (tamper & update) No server is storing objectionable documents No server is storing objectionable documents - Decoupling between document and blocks - Blocks not permanently tied to specific servers - Server cannot chose which blocks to store or serve Misbehaving servers should be ejected from system Misbehaving servers should be ejected from system

29 Publish Operation Document broken into data blocks Document broken into data blocks Data blocks transformed into server blocks Data blocks transformed into server blocks Server blocks combined with those of previously published server blocks (entanglement) Server blocks combined with those of previously published server blocks (entanglement) Entangled server blocks are stored on servers Entangled server blocks are stored on servers + DataBlocks Previously Published Server Blocks New Server Blocks Server Blocks Blocks

30 Document Retrieval Operation Retrieve entangled server blocks from servers Retrieve entangled server blocks from servers Entanglement is fault tolerant – don’t need Entanglement is fault tolerant – don’t need all entangled blocks to re-form data blocks DisEntangle Operation re-forms original data blocks DisEntangle Operation re-forms original data blocks Data Blocks Entangled Server Blocks

31 Block Entanglement Algorithm Utilizes Shamir’s Secret Sharing Algorithm Utilizes Shamir’s Secret Sharing Algorithm - Given a secret S can form n shares - Any k of them can re-form S - Less than k shares provide no information about S Entanglement is a secret sharing scheme with n=4 and k=3 Entanglement is a secret sharing scheme with n=4 and k=3 Two shares are previously published server blocks Two shares are previously published server blocks Two additional shares are created Two additional shares are created

32 Benefits Of Entanglement Dissociates blocks served from documents published Dissociates blocks served from documents published - Single block belongs to multiple documents - Servers just hosting blocks Incentive Incentive - Cache server blocks of entangled documents - Monitor availability of other server blocks - Re-inject blocks that have been deleted

33 Tangler Servers (Tangle-Net) All servers fall into one of two categories – All servers fall into one of two categories – non-faulty = follow Tangler protocols faulty = servers that exhibit Byzantine failures All non-faulty servers are synchronized to within 10 minutes of correct time. All non-faulty servers are synchronized to within 10 minutes of correct time. Time is divided into rounds (24 hour period) Time is divided into rounds (24 hour period) - Round 0 = Jan 1, 2002 (12:00AM) Fourteen consecutive rounds form an epoch Fourteen consecutive rounds form an epoch

34 Tangler Round Round Activity (concurrent actions) Round Activity (concurrent actions) - Request storage tokens from other servers - Grant storage tokens to other servers - Send and receive blocks - Monitor protocol compliance of other servers - Process join requests - Entangle new collections and retrieve old collections End of round End of round - Commit to blocks received from servers (Merkle Tree) - Generate public/private key pair for the round - Broadcast next round commitment and public key

35 Storage Tokens Two step protocol to store blocks Two step protocol to store blocks First Step - Acquire storage tokens First Step - Acquire storage tokens - Every server entitled to number of storage tokens from every other server - Tokens acquired non-anonymously, requests are signed by requestor Second Step – Redeem Token Second Step – Redeem Token - Send block & token anonymously to storing server - Anonymous communication supported by Mix-Net

36 Storage Token Request Server B Server A 92180 XXXXX Server A Server_A_Tokens-- XXXXX Server B Unblind Token 92180 Server A wants to store block 92180 on Server B Server A wants to store block 92180 on Server B Server A creates a blinded request for a token Server A creates a blinded request for a token The blinded request is sent to server B The blinded request is sent to server B Server B signs the request and returns it to A Server B signs the request and returns it to A Server A unblinds request obtaining the token Server A unblinds request obtaining the token

37 Redeeming A Token Server A sends token & block through Server A sends token & block through Mix-Net to B Server B checks token signature, stores block, and returns signed receipt over Mix-Net Server B checks token signature, stores block, and returns signed receipt over Mix-Net Server B commits to hash tree of all blocks Server B commits to hash tree of all blocks Mix-Net storage receipt block 92180 Server A Server B 92180 Server B

38 Membership Changes At end of epoch all non-faulty servers perform Byzantine Consensus algorithm At end of epoch all non-faulty servers perform Byzantine Consensus algorithm Each server can vote out any other members Each server can vote out any other members New servers can join at any time but must serve as a storage-only server for a probationary period of two complete epochs New servers can join at any time but must serve as a storage-only server for a probationary period of two complete epochs A probationary server is admissible if it was not ejectable for at least two consecutive epochs. A probationary server is admissible if it was not ejectable for at least two consecutive epochs. Majority vote wins Majority vote wins

39 Threats Majority of servers are adversarial Majority of servers are adversarial - Adversarial servers join - Force non-faulty servers off Publishing server discovery Publishing server discovery - Force suspected server off network - Should be able to republish on another server but may not have same credit limit Probabilistic failure (difficult to remove) Probabilistic failure (difficult to remove)

40 Summary There is a need for censorship-resistant publishing tools. There is a need for censorship-resistant publishing tools. Several systems have been proposed and some have been implemented. Several systems have been proposed and some have been implemented. Each system has strength and weaknesses. System design is greatly influenced by your adversary model. Each system has strength and weaknesses. System design is greatly influenced by your adversary model.

41 Publius and Tangler URLs Publius Publiuswww.cs.nyu.edu/~waldman/publius.html Tangler Tanglerwww.scs.cs.nyu.edu/tangler

42

Download ppt "Censorship-Resistant Publishing Systems Marc Waldman Computer Science Department New York University."

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.

Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin.

Publius A Robust, Tamper Evident, Censorship Resistant WWW Based Publishing System Marc Waldman NYU – CS Dept. Lorrie Cranor AT&T Research Aviel Rubin.
Lorrie Cranor AT&T Labs Avi Rubin AT&T Labs Marc Waldman

Lorrie Cranor AT&T Labs Avi Rubin AT&T Labs Marc Waldman
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Freenet A Distributed Anonymous Information Storage and Retrieval System Ian Clarke Oskar Sandberg Brandon Wiley Theodore W.Hong.

Freenet A Distributed Anonymous Information Storage and Retrieval System Ian Clarke Oskar Sandberg Brandon Wiley Theodore W.Hong.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google