Security and Cryptography II
(Version 2013/04/03)
Stefan Köpsell
(Slides [mainly] created by Andreas Pfitzmann)
Technische Universität Dresden, Faculty of Computer Science, D-01187 Dresden
Nöthnitzer Str. 46, Room 3067
Phone: +49 351 463-38272, e-mail: [email protected], https://dud.inf.tu-dresden.de/
2
Symmetric Cryptosystem DES
Figure (overall structure of DES): the 64-bit plaintext block passes through the initial permutation IP and is split into the halves L0 and R0. Then follow 16 rounds; round i turns (Li-1, Ri-1) into (Li, Ri) using the round key Ki. After round 16 the halves L16, R16 pass through the inverse permutation IP^-1, which yields the 64-bit ciphertext block. The 64-bit key (only 56 bits in use) feeds the generation of a key K1, K2, ..., K16 for each of the 16 rounds.
3
One round
Feistel ciphers
Figure (one round of a Feistel cipher; inputs Li-1 and Ri-1, round key Ki, round function f):
Li = Ri-1
Ri = Li-1 ⊕ f(Ri-1, Ki)
4
Why does decryption work?
Encryption round i computes
Li = Ri-1
Ri = Li-1 ⊕ f(Ri-1, Ki)
Decryption round i receives (Li, Ri) and Ki and recovers (Li-1, Ri-1):
Ri-1 = Li (trivial)
Li-1 = Ri ⊕ f(Li, Ki)
This works because (replace Ri-1 by Li):
Ri ⊕ f(Li, Ki) = Li-1 ⊕ f(Ri-1, Ki) ⊕ f(Li, Ki) = Li-1 ⊕ f(Li, Ki) ⊕ f(Li, Ki) = Li-1
5
Encryption function f
Figure (the round function f(Ri-1, Ki)): the 32-bit half block Ri-1 is expanded to 48 bits by the expansion E, combined with the 48-bit round key Ki ("use key"), passed through the eight substitution boxes S1, S2, ..., S8 (48 bits in, 32 bits out) and finally mixed by the permutation P (32 bits).
Make f (and DES) nonlinear (permutations and ⊕ are linear):
a "substitution box" S can implement any function s : {0,1}^6 → {0,1}^4, for example as a table.
For DES, the functions are fixed.
Terms
• Substitution-permutation networks
• Confusion - diffusion
6
Generation of a key for each of the 16 rounds
Figure (key schedule): the 64-bit key (only 56 bits in use) passes through the permuted choice PC-1, which yields two 28-bit halves C0 and D0. For each round i both halves are rotated left (LS1, LS2, ...), giving Ci and Di (56 bits); the permuted choice PC-2 then chooses 48 of the 56 bits as the key Ki of that round. This produces K1 from C1, D1, K2 from C2, D2, ..., K16 from C16, D16.
7
The complementation property of DES
DES(k', x') = (DES(k, x))'
where ' denotes the bitwise complement: complementing both the key and the plaintext complements the ciphertext.
8
One round
Figure (one Feistel round under complementation): if Li-1, Ri-1 and Ki are all complemented, then Li = Ri-1 is complemented as well, and Ri = Li-1 ⊕ f(Ri-1, Ki) is complemented too, because f(Ri-1, Ki) stays original (see the next slide).
9
Encryption function f
Figure (f under complementation): Ri-1 complemented (32 bits) → E → 48 bits complemented → ⊕ with the complemented 48-bit Ki → 48 bits original, as 0 ⊕ 0 = 1 ⊕ 1 and 1 ⊕ 0 = 0 ⊕ 1 → S1, ..., S8 → 32 bits original → P → f(Ri-1, Ki) original.
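The two points above (a Feistel round is undone by running the same round with the same key, and any f of the DES shape E-⊕-S-P inherits the complementation property) as an added, runnable example. This is not code from the slides: the 16-bit toy cipher, its E, P and S-box tables and the round keys are all constructed here; only the structure is DES-like.

```python
# Added example (not from the slides): a toy Feistel cipher with a DES-like
# round function f(R, K) = P(S(E(R) XOR K)). It shows (1) why decryption is
# the same round sequence with the keys in reverse order and (2) the
# complementation property DES(~k, ~x) = ~DES(k, x).
# Constructed parameters: 16-bit block (two 8-bit halves), 12-bit round keys,
# 4 rounds. Nothing here is secure; it only has the DES structure.
import random

HALF_BITS = 8            # width of L and R
EXP_BITS = 12            # width after expansion E (and of each round key)

# Expansion E: which bit of R feeds each of the 12 expanded positions
# (constructed; some R bits are duplicated, as in DES).
E_TABLE = [7, 0, 1, 2, 1, 2, 3, 4, 3, 4, 5, 6]
# Permutation P of the 8-bit S-box output (constructed).
P_TABLE = [2, 6, 0, 4, 1, 7, 3, 5]
# Two constructed 6-to-4-bit S-boxes (4 rows of 16), filled by a seeded
# shuffle so that they are fixed tables like DES's S-boxes.
_rng = random.Random(2013)
S_BOXES = []
for _ in range(2):
    rows = []
    for _r in range(4):
        row = list(range(16)); _rng.shuffle(row); rows.append(row)
    S_BOXES.append(rows)

def expand(r):
    """E: 8-bit half block -> 12 bits (each output bit copies one input bit)."""
    return sum(((r >> (HALF_BITS - 1 - src)) & 1) << (EXP_BITS - 1 - i)
               for i, src in enumerate(E_TABLE))

def sbox_layer(v):
    """12 bits -> 8 bits through two 6->4 S-boxes (DES row/column addressing)."""
    out = 0
    for box in range(2):
        six = (v >> (6 * (1 - box))) & 0x3F
        row = ((six >> 5) << 1) | (six & 1)     # outer bits select the row
        col = (six >> 1) & 0xF                   # inner bits select the column
        out = (out << 4) | S_BOXES[box][row][col]
    return out

def permute(v):
    """P: fixed bit permutation of the 8-bit S-box output."""
    return sum(((v >> (HALF_BITS - 1 - src)) & 1) << (HALF_BITS - 1 - i)
               for i, src in enumerate(P_TABLE))

def f(r, k):
    return permute(sbox_layer(expand(r) ^ k))

def feistel_rounds(block, round_keys):
    """One round per key: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    l, r = block >> HALF_BITS, block & 0xFF
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return (l << HALF_BITS) | r

def swap_halves(block):
    return ((block & 0xFF) << HALF_BITS) | (block >> HALF_BITS)

def encrypt(block, round_keys):
    return swap_halves(feistel_rounds(block, round_keys))

def decrypt(block, round_keys):
    # Same rounds with the keys reversed: each round undoes its counterpart,
    # because f(R_{i-1}, K_i) XOR f(L_i, K_i) = 0 as L_i = R_{i-1}.
    return swap_halves(feistel_rounds(block, list(reversed(round_keys))))

def complement_property_holds(block, round_keys):
    """Check E(~k, ~x) == ~E(k, x): E(~R) = ~E(R) and ~E(R) XOR ~K = E(R) XOR K,
    so f is unchanged and both halves of every round are complemented."""
    comp_keys = [k ^ 0xFFF for k in round_keys]
    lhs = encrypt(block ^ 0xFFFF, comp_keys)
    rhs = encrypt(block, round_keys) ^ 0xFFFF
    return lhs == rhs

ROUND_KEYS = [0x3A7, 0x81C, 0x2DE, 0x925]   # constructed round keys K1..K4
```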
10
Generalization of DES
1.) 56 → 16 • 48 = 768 key bits
2.) variable substitution boxes
3.) variable permutations
4.) variable expansion permutation
5.) variable number of rounds
11
Cipher
Stream cipher: synchronous / self synchronizing
Block cipher
Modes of operation:
Simplest: ECB (electronic codebook): each block is encrypted separately
But:
concealment: block patterns identifiable
authentication: blocks permutable
12
Main problem of ECB
Figure: plaintext blocks (e.g. 64 bits with DES; block borders marked) are encrypted block by block with ECB into ciphertext blocks; same plaintext blocks give same ciphertext blocks.
Telefax example (→ compression is helpful)
13
Electronic Codebook (ECB)
Figure: plaintext block n → encryption (key) → ciphertext block n → decryption (key) → plaintext block n; blocks n, n+1, ... are processed independently. A bit error in ciphertext block n only affects plaintext block n.
14
Cipher Block Chaining (CBC)
All lines transmit as many characters as a block comprises.
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
Figure: the sender adds plaintext block n to the stored ciphertext block n-1 (memory for ciphertext block n-1), encrypts with the key and transmits the result as ciphertext block n. The receiver decrypts ciphertext block n with the key and subtracts its own stored ciphertext block n-1 to recover plaintext block n.
If error on the line (bit error in ciphertext block n): resynchronization after 2 blocks, but block borders have to be recognizable.
self synchronizing
15
Cipher Block Chaining (CBC) (2)
All lines transmit as many characters as a block comprises.
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
Figure (same chaining as before): 1 modified plaintext bit → from there on completely different ciphertext (blocks n, n+1, n+2, ...). A bit error in ciphertext block n affects plaintext block n and block n+1 only.
useable for authentication → use last block as MAC
16
CBC for authentication
Figure: the sender runs the plaintext blocks through CBC (memory for ciphertext block n-1, key, encryption) and transmits the plaintext together with the last ciphertext block. The recipient recomputes the CBC chain over the received plaintext with the same key and compares its own last block with the received last block: ok?
17
Pathological Block cipher
Figure (a block cipher of block length b whose behaviour depends on the last plaintext bit):
plaintext block (length b) x1 x2 x3 ... xb-1 0 → ciphertext block S1 S2 S3 ... Sb-1 0: secure (the first b-1 bits are encrypted);
plaintext block (length b) x1 x2 x3 ... xb-1 1 → ciphertext block x1 x2 x3 ... xb-1 1: insecure (the first b-1 bits pass through unchanged).
Restricted to plaintext blocks of length b-1 (always completed by a 0 before encryption, ciphertext S1 S2 S3 ... Sb-1) the same cipher is secure; with blocks of length b it is pathological.
18
Cipher FeedBack (CFB)
b: Block length
a: Length of the output unit, a ≤ b
r: Length of the feedback unit, r ≤ b
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
symmetric; self synchronizing
Figure: a shift register of b bits (positions 1 ... b) holds the most recent feedback units. Its content is encrypted with the key; from the b-bit output a bits are chosen ("choose a"), added to the a-bit plaintext unit n and transmitted as ciphertext unit n. The ciphertext unit (choose r bits of it or complete it to r bits) is shifted into the register as the next feedback unit. The receiver keeps the same shift register, encrypts it with the same key, chooses the same a bits and subtracts them from ciphertext unit n to recover plaintext unit n.
19
Cipher FeedBack (CFB) (2)
b: Block length
a: Length of the output unit, a ≤ b
r: Length of the feedback unit, r ≤ b
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
symmetric; self synchronizing
Figure (same construction, now with a bit error in ciphertext unit n): plaintext unit n is garbled directly, and the following units n+1, n+2, ... are garbled as long as the erroneous unit is still inside the receiver's shift register; afterwards the receiver is synchronized again.
20
CFB for authentication
Figure: the sender runs the plaintext stream through CFB (shift register of b bits, key, encryption, choose a bits, feedback of r bits); the last content of the shift register, encrypted, is appended as authenticator. The recipient runs the same plaintext stream through CFB with the same key, encrypts the last content of its shift register and compares: ok?
21
Output FeedBack (OFB)
b: Block length
a: Length of the output unit, a ≤ b
r: Length of the feedback unit, r ≤ b
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
symmetric; synchronous
Pseudo-one-time-pad
Figure: as in CFB, the b-bit shift register is encrypted with the key and a bits of the output are chosen and added to plaintext unit n to give ciphertext unit n; but the feedback unit (choose r bits or complete to r bits) is taken from the encryption output, not from the ciphertext. The receiver generates the same output with the same key and subtracts it from ciphertext unit n.
22
Plain Cipher Block Chaining (PCBC)
All lines transmit as many characters as a block comprises.
Addition mod appropriately chosen modulus, e.g. 2; subtraction mod appropriately chosen modulus, e.g. 2.
h: any function, e.g. addition mod 2^(Block length)
Figure: the sender keeps plaintext block n-1 and ciphertext block n-1 in memory, combines them with h, adds the result to plaintext block n and encrypts with the key to obtain ciphertext block n. The receiver decrypts ciphertext block n and subtracts h(plaintext block n-1, ciphertext block n-1), computed from its own memories, to recover plaintext block n.
23
Output Cipher FeedBack (OCFB)
b: Block length
a: Length of the output unit, a ≤ b
r: Length of the feedback unit, r ≤ b
Addition mod appropriately chosen modulus; subtraction mod appropriately chosen modulus.
h: any function
symmetric; synchronous
Figure: as OFB and CFB, with a b-bit shift register that is encrypted under the key and a bits of the output chosen and added to plaintext unit n; the feedback unit of r bits is derived by the function h from the encryption output and the ciphertext unit. Sender and receiver perform the same computation.
24
Properties of the operation modes
Modes compared: ECB, CBC, PCBC, CFB, OFB, OCFB
Utilization of an indeterministic block cipher: + possible / - impossible
Use of an asymmetric block cipher results in: + asymmetric stream cipher / - symmetric stream cipher
Length of the units of encryption: - determined by block length of the block cipher / + user-defined
Error extension:
ECB: only within the block (assuming the borders of blocks are preserved)
CBC: 2 blocks (assuming the borders of blocks are preserved)
PCBC: potentially unlimited
CFB: 1 + b/r blocks, if error placed rightmost, else possibly one block less
OFB: none as long as no bits are lost or added
OCFB: potentially unlimited
Qualified also for authentication?
ECB: yes, if redundancy within every block
CBC: yes, if deterministic block cipher
PCBC: yes, even concealment in the same pass
CFB: yes, if deterministic block cipher
OFB: yes, if adequate redundancy
OCFB: yes, even concealment in the same pass
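The error-extension entries for ECB, CBC and OFB, the "same plaintext block gives same ciphertext block" problem of ECB and the "last block as MAC" use of CBC, as an added example that is not code from the slides. The 4-byte toy block cipher, the key, the initial block and the message are constructed for the demonstration; the cipher is invertible but has no security whatsoever.

```python
# Added example (not from the slides): ECB, CBC and OFB over a constructed
# toy block cipher, used to measure the error extension listed in the table:
# a bit error in ciphertext block n reaches only plaintext block n in ECB,
# blocks n and n+1 in CBC, and only the erroneous bit (block n) in OFB.
import random

BLOCK = 4                                   # block length b in bytes (constructed)
_rng = random.Random(7)
SBOX = list(range(256)); _rng.shuffle(SBOX)  # constructed byte substitution
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def toy_encrypt(key, block):
    """Constructed keyed permutation: 4 rounds of substitute-and-rotate."""
    x = list(block)
    for _ in range(4):
        x = [SBOX[b ^ k] for b, k in zip(x, key)]
        x = x[1:] + x[:1]                   # rotate bytes left by one
    return bytes(x)

def toy_decrypt(key, block):
    x = list(block)
    for _ in range(4):
        x = x[-1:] + x[:-1]                 # rotate right: undo the rotation
        x = [INV_SBOX[b] ^ k for b, k in zip(x, key)]
    return bytes(x)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt(key, b) for b in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt(key, b) for b in blocks(ct))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []                      # "memory for ciphertext block n-1"
    for b in blocks(pt):
        prev = toy_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ofb_keystream(key, iv, nblocks):
    s, out = iv, []                         # feedback is the cipher output
    for _ in range(nblocks):
        s = toy_encrypt(key, s)
        out.append(s)
    return out

def ofb_crypt(key, iv, data):
    """Pseudo-one-time-pad: the same call encrypts and decrypts."""
    ks = ofb_keystream(key, iv, len(blocks(data)))
    return b"".join(xor(b, k) for b, k in zip(blocks(data), ks))

def cbc_mac(key, iv, pt):
    """Last CBC block as MAC (the "CBC for authentication" slide)."""
    return cbc_encrypt(key, iv, pt)[-BLOCK:]

def damaged_blocks(mode, key, iv, pt, block_no, bit):
    """Flip one ciphertext bit in block `block_no`; return the indices of the
    plaintext blocks that decrypt differently (the mode's error extension)."""
    enc = {"ECB": lambda: ecb_encrypt(key, pt),
           "CBC": lambda: cbc_encrypt(key, iv, pt),
           "OFB": lambda: ofb_crypt(key, iv, pt)}[mode]
    dec = {"ECB": lambda c: ecb_decrypt(key, c),
           "CBC": lambda c: cbc_decrypt(key, iv, c),
           "OFB": lambda c: ofb_crypt(key, iv, c)}[mode]
    ct = bytearray(enc())
    ct[block_no * BLOCK + bit // 8] ^= 1 << (bit % 8)
    got = dec(bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(got), blocks(pt))) if a != b]

KEY = b"\x2d\xe9\x24\x26"                   # constructed key
IV = b"\x3a\x78\x1c\xeb"                    # constructed initial block
MSG = b"ABCDABCDABCDEFGH"                   # 4 blocks; blocks 0..2 repeat

def ecb_pattern_leak():
    """Main problem of ECB: equal plaintext blocks give equal ciphertext blocks."""
    c = blocks(ecb_encrypt(KEY, MSG))
    return c[0] == c[1] == c[2]
```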
25
Collision-resistant hash function using determ. block cipher
efficient! any nearly cryptographically strong? no, but well analyzed
Figure: the plaintext blocks are chained like in CBC: plaintext block n is encrypted under the intermediate block n-1 (memory for intermediate block n-1); the initial value is fixed! The last block contains the length in bits (else trivial collisions: intermediate blocks and differently long, truncated plaintexts). The last b-bit block is the hash value.
birthday paradox: after 2^(b/2) tests a collision is found.
26
Diffie-Hellman key agreement (1)
practically important: patent exhausted before that of RSA → used in PGP from Version 5 on
theoretically important: steganography using public keys
based on difficulty to calculate discrete logarithms
Given a prime number p and g a generator of Zp*:
g^x = h mod p
x is the discrete logarithm of h to basis g modulo p: x = log_g(h) mod p
discrete logarithm assumption
27
Discrete logarithm assumption
∀ PPA DL (probabilistic polynomial algorithm, which tries to calculate discrete logarithms)
∀ polynomials Q
∃ L ∀ l ≥ L: (asymptotically holds)
If p is a random prime of length l, thereafter g is chosen randomly within the generators of Zp*, x is chosen randomly in Zp* and g^x = h mod p, then
W(DL(p, g, h) = x) ≤ 1 / Q(l)
(probability that DL really calculates the discrete logarithm decreases faster than 1 / any polynomial)
trustworthy ?? practically as well analyzed as the assumption factoring is hard
28
Diffie-Hellman key agreement (2)
publicly known: p and g ∈ Zp*
Figure: each participant works in its own domain of trust (secret area); the line between them is the area of attack.
Participant 1: random number 1 → key generation: x ∈ Zp*; sends g^x mod p.
Participant 2: random number 2 → key generation: y ∈ Zp*; sends g^y mod p.
Participant 1 calculates the shared key (g^y)^x mod p from the received g^y mod p and its secret x; participant 2 calculates (g^x)^y mod p from g^x mod p and y.
calculated keys are equal, because (g^y)^x = g^yx = g^xy = (g^x)^y mod p
29
Diffie-Hellman assumption
Diffie-Hellman (DH) assumption:
Given p, g, g x mod p and g y mod p
Calculating g xy mod p is difficult.
DH assumption is stronger than the discrete logarithm assumption:
• Able to calculate discrete logs ⇒ DH is broken:
calculate from p, g, g^x mod p and g^y mod p either x or y, then calculate g^xy mod p as the corresponding partner of the DH key agreement would.
• Until now it couldn't be shown that, using p, g, g^x mod p, g^y mod p and g^xy mod p, either x or y can be calculated.
30
Find a generator of a cyclic group Zp*
Factor p-1 =: p1^e1 · p2^e2 · ... · pk^ek
1. Choose a random element g in Zp*
2. For i from 1 to k:
   b := g^((p-1)/pi) mod p
   If b = 1 go to 1.
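The generator search above and the complete key agreement of the previous slides, as an added example that is not code from the slides. The prime p = 2357 (p-1 = 2^2 · 19 · 31), the seeds and the trial-division factoring are constructed for a quick demonstration; a deployment would use a prime of at least 2048 bits and a proper factoring of p-1.

```python
# Added example (not from the slides): find a generator of Zp* by testing
# g^((p-1)/pi) != 1 for every prime factor pi of p-1, then run a full
# Diffie-Hellman key agreement over Zp* and check both keys agree.
import random

def factor(n):
    """Trial-division factoring of n into {prime: exponent} (small n only)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def is_generator(g, p, prime_factors):
    """g generates Zp* iff g^((p-1)/pi) mod p != 1 for every prime pi | p-1."""
    return all(pow(g, (p - 1) // pi, p) != 1 for pi in prime_factors)

def find_generator(p, rng):
    """Step 1: random g in Zp*; step 2: test every prime factor; else repeat."""
    prime_factors = list(factor(p - 1))
    while True:
        g = rng.randrange(2, p)             # 1 is never a generator for p > 2
        if is_generator(g, p, prime_factors):
            return g

def order(g, p):
    """Multiplicative order of g (brute force; only for checking small cases)."""
    k, x = 1, g
    while x != 1:
        x = x * g % p
        k += 1
    return k

def dh_exchange(p, g, rng):
    """Both sides of the key agreement: secrets x, y; public g^x, g^y;
    shared keys (g^y)^x and (g^x)^y mod p."""
    x = rng.randrange(1, p)                 # participant 1: x in Zp*
    y = rng.randrange(1, p)                 # participant 2: y in Zp*
    gx = pow(g, x, p)                       # crosses the area of attack
    gy = pow(g, y, p)
    k1 = pow(gy, x, p)                      # (g^y)^x mod p
    k2 = pow(gx, y, p)                      # (g^x)^y mod p
    return {"g^x": gx, "g^y": gy, "k1": k1, "k2": k2}

P = 2357                                    # constructed prime; p-1 = 2^2 * 19 * 31

def demo(seed=46):
    rng = random.Random(seed)
    g = find_generator(P, rng)
    return g, dh_exchange(P, g, rng)
```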
31
Digital signature system
Security is asymmetric, too
usually: unconditionally secure for recipient, only cryptographically secure for signer
new: signer is absolutely secure against breaking his signatures, provable only cryptographically secure for recipient
Figure: the signer maps the message domain (x) into the signature domain (s(x)); the recipient tests with the test key t ("true"); a forged signature s'(x) that passes the test can be turned into a proof of forgery.
distribution of risks if signature is forged: 1. recipient, 2. insurance or system operator, 3. signer
32
Fail-stop signature system
Figure: the signer's random number enters the key generation, which outputs t (key for testing of signature, publicly known) and s (key for signing, kept secret). Sign: plaintext x → plaintext with signature x, s(x). Recipient: test with t → plaintext with signature and test result x, s(x), "pass" or "fail". Court: verify the plaintext with signature → "accept" or proof of forgery; the signer, using a further random number', can generate a proof of forgery for a forged signature; the court then decides "accepted" or "forged".
33
Undeniable signatures
Figure: as before, the signer's random number enters the key generation, which outputs t (key for testing of signature, publicly known) and s (key for signing, kept secret). Sign: text x → text with signature x, s(x). Test: the recipient cannot test alone; an interactive protocol for testing the signature between recipient and signer (who uses a further random number') yields the text with signature and test result x, s(x), "pass" or "fail".
34
Signature system for blindly providing of signatures
Figure (RSA): the signer's random number enters the key generation (pq = n), which outputs t (key for testing of signature, publicly known) and s (key for signing, kept secret). The recipient chooses a random number z' and blinds the text x: blinded text z'(x) = x · z'^t. The signer signs the blinded text: (x · z'^t)^s = x^s · z'. The recipient unblinds the blinded text with signature z'(x), s(z'(x)) by multiplying with z'^-1, obtains x^s and tests: text with signature and test result x, s(x) = x^s, "pass" or "fail".
35
Threshold scheme (1)
Threshold scheme: Secret S → n parts
k parts: efficient reconstruction of S
k-1 parts: no information about S
Implementation: polynomial interpolation (Shamir, 1979)
Decomposition of the secret:
Let secret S be an element of Zp, p being a prime number.
Polynomial q(x) of degree k-1: choose a1, a2, ..., ak-1 randomly in Zp
q(x) := S + a1 x + a2 x^2 + ... + ak-1 x^(k-1)
n parts (i, q(i)) with 1 ≤ i ≤ n, where n < p.
36
Threshold scheme (2)
Reconstruction of the secret:
k parts (xj, q(xj)) (j = 1 ... k):
q(x) = Σ_{j=1}^{k} q(xj) · Π_{m=1, m≠j}^{k} (x – xm) / (xj – xm) mod p
The secret S is q(0).
Sketch of proof:
1. k-1 parts (j, q(j)) deliver no information about S, because for each value of S there is still exactly one polynomial of degree k-1.
2. The formula has the correct degree k-1 and delivers for any argument xj the value q(xj) (because the product delivers the value 1 on insertion of xj for x and the value 0 on insertion of any other xi for x).
37
Threshold scheme (3)
Polynomial interpolation is a homomorphism w.r.t. +:
Addition of the parts ⇔ Addition of the secrets
Share refreshing
1.) Choose random polynomial q' for S' = 0
2.) Distribute the n parts (i, q'(i))
3.) Everyone adds his "new" part to his "old" part
→ "new" random polynomial q + q' with "old" secret S
• Repeat this, so that anyone chooses the random polynomial once
• Use verifiable secret sharing, so that anyone can test that polynomials are generated correctly.
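The three threshold-scheme slides (decomposition, Lagrange reconstruction of q(0), the homomorphism w.r.t. + and share refreshing with a zero polynomial) as one added example; this is not code from the slides. The prime p = 7919, the secrets and the seed are constructed; verifiable secret sharing is not implemented.

```python
# Added example (not from the slides): Shamir's (k, n) threshold scheme over
# Zp as described on the slides. Parts are (i, q(i)); reconstruction uses
# the Lagrange formula at x = 0; adding parts adds secrets; refreshing adds
# the parts of a random polynomial q' with q'(0) = 0.
import random

P = 7919                                    # constructed small prime

def eval_poly(coeffs, x):
    """q(x) = coeffs[0] + coeffs[1] x + ... mod p."""
    return sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P

def make_parts(secret, k, n, rng):
    """q(x) = S + a1 x + ... + a_{k-1} x^{k-1}; parts (i, q(i)), 1 <= i <= n < p."""
    assert 0 <= secret < P and 1 <= k <= n < P
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]

def reconstruct(parts):
    """q(0) = sum_j q(xj) * prod_{m != j} (0 - xm) / (xj - xm) mod p
    from k parts with pairwise distinct xj."""
    secret = 0
    for j, (xj, yj) in enumerate(parts):
        num, den = 1, 1
        for m, (xm, _) in enumerate(parts):
            if m != j:
                num = num * (0 - xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return secret

def add_parts(parts_a, parts_b):
    """Homomorphism w.r.t. +: adding parts point-wise shares S_a + S_b."""
    return [(xa, (ya + yb) % P)
            for (xa, ya), (xb, yb) in zip(parts_a, parts_b) if xa == xb]

def refresh(parts, k, rng):
    """Share refreshing: add the parts of a random polynomial q' for S' = 0;
    the result is a new random polynomial q + q' with the old secret."""
    zero_parts = make_parts(0, k, len(parts), rng)
    return add_parts(parts, zero_parts)

def demo(seed=1979):
    rng = random.Random(seed)
    parts = make_parts(1234, 3, 5, rng)     # k = 3 of n = 5
    fresh = refresh(parts, 3, rng)
    other = make_parts(111, 3, 5, rng)
    return {
        "any3": reconstruct(parts[1:4]),            # parts 2, 3, 4
        "refreshed": reconstruct(fresh[:3]),        # new parts, old secret
        "sum": reconstruct(add_parts(parts, other)[2:]),
        "two_of_four": reconstruct(make_parts(42, 2, 4, rng)[1:3]),
    }
```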
38
Protection Goals: Definitions
Confidentiality ensures that nobody apart from the communicants can discover the content of the
communication.
Hiding ensures the confidentiality of the transfer of confidential user data. This means that nobody
apart from the communicants can discover the existence of confidential communication.
Anonymity ensures that a user can use a resource or service without disclosing his/her identity.
Not even the communicants can discover the identity of each other.
Unobservability ensures that a user can use a resource or service without others being able to
observe that the resource or service is being used. Parties not involved in the communication can
observe neither the sending nor the receiving of messages.
Integrity ensures that modifications of communicated content (including the sender’s name, if one
is provided) are detected by the recipient(s).
Accountability ensures that sender and recipients of information cannot successfully deny having
sent or received the information. This means that communication takes place in a provable way.
Availability ensures that communicated messages are available when the user wants to use them.
Reachability ensures that a peer entity (user, machine, etc.) either can or cannot be contacted
depending on user interests.
Legal enforceability ensures that a user can be held liable to fulfill his/her legal responsibilities
within a reasonable period of time.
39
Correlations between protection goals
Figure: a graph over the protection goals Confidentiality, Anonymity, Hiding, Unobservability, Integrity, Accountability, Reachability, Availability and Legal Enforceability; edge labels: → implies, + strengthens, – weakens.
40
Observability of users in switched networks
Figure: the services radio, television, videophone, phone and internet are connected via the network termination to the telephone exchange. Possible attackers: an interceptor on the line; at the telephone exchange: • operator • manufacturer (Trojan horse) • employee.
countermeasure encryption: • link encryption
41
Observability of users in switched networks
Figure (same network as before): possible attackers: an interceptor on the line; at the telephone exchange: • operator • manufacturer (Trojan horse) • employee.
countermeasure encryption: • end-to-end encryption
42
Observability of users in switched networks
Figure (same network as before): possible attackers: an interceptor on the line; at the telephone exchange: • operator • manufacturer (Trojan horse) • employee; and the communication partner.
countermeasure encryption: • link encryption • end-to-end encryption
Problem: traffic data
who with whom? when? how long? how much information?
data on interests: Who? What?
Aim: "protect" traffic data (and so data on interests, too) so that they couldn't be captured.
43
Observability of users in broadcast networks
(Examples: bus-, radio networks)
Figure: the services radio, television, videophone, phone and internet share one broadcast medium; possible attackers: interceptor. Any station gets • all bits • analogue signals (distance, bearing).
44
Reality or fiction?
Since about 1990 reality
Video-8 tape: 5 Gbyte = 3 * all census data of 1987 in Germany; memory costs < 25 EUR
100 Video-8 tapes (or in 2014: 1 hard disk drive with 500 GByte for ≈ 35 EUR) store all telephone calls of one year:
Who with whom? When? How long? From where?
45
Excerpt from: 1984
"With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end."
George Orwell, 1948
Examples of changes w.r.t. anonymity and privacy
Broadcast allows recipient anonymity — it is not detectable who is interested in which programme and information
Internet-Radio, IPTV, Video on Demand etc. support profiling
Anonymous plain old letter post is substituted by „surveillable“ e-mails
Remark: Plain old letter post has shown its dangers, but nobody demands full traceability of them …
The mass medium „newspaper“ will be personalised by means of Web, electronic paper and print on demand
Data protection for the cloud?
[http://www.apple.com/icloud/]
51
Mechanisms to protect traffic data
Protection outside the network
Public terminals
– use is cumbersome
Temporally decoupled processing
– communications with real time properties
Local selection
– transmission performance of the network
– paying for services with fees
Protection inside the network
52
Attacker (-model)
Questions:
• How widely distributed ? (stations, lines)
• observing / modifying ?
• How much computing capacity ? (computationally
unrestricted, computationally restricted)
Realistic protection goals/attacker models:
Technical solution possible?
Social networks – Web 2.0
Unobservability of an event E
For attacker holds for all his observations B: 0 < P(E|B) < 1
perfect: P(E) = P(E|B)
Anonymity of an entity
Unlinkability of events
if necessary: partitioning in classes
57
Protection of the recipient: Broadcast
A. Pfitzmann, M. Waidner 1985
Performance? → more capable transmission system (if possible: switch channels)
Addressing
explicit addresses: routing
implicit addresses: attribute for the station of the addressee
invisible <==> encryption system
visible: example: pseudo random number (generator), associative memory to detect
address distribution of implicit addresses:
invisible, public address: very costly, but necessary to establish contact
invisible, private address: costly
visible, public address: should not be used
visible, private address: change after use
58
BitMessage (J. Warren, 2012)
• messaging system based on
– broadcast
– implicit invisible private addresses
• python based clients at: bitmessage.org
• address: Hash(public encryption key, public signature test key)
• messages:
– encrypted using Elliptic Curve Cryptography
– digitally signed
– additionally: proof of work → Anti-SPAM
• broadcast of messages:
– P2P-based overlay structure
– store-and-forward like
– pull-based
59
Equivalence of Encryption Systems and Implicit Addressing
invisible public address <==> asymmetric encryption system
invisible private address <==> symmetric encryption system
60
Broadcast vs. Queries
Figure, left: a broadcaster sends message 1, message 2, message 3, message 4, ... as separate messages to all recipients (broadcast of separate messages to all recipients).
Figure, right: a message service stores message 1, message 2, message 3, message 4, ...; everybody can query all messages.
61
Example for message service
David A. Cooper, Kenneth P. Birman 1995
Efficiency improvements: A. Pfitzmann 2001
Figure: a message service with 5 servers available, all containing the same messages (message 1, ..., message 4) in equal order in their memory cells. The user queries multiple memory cells with query vectors; bit position i of a vector corresponds to memory cell i. 3 servers are used for superposed querying:
?x = 1001 (pseudo random; generated by the servers themselves when starting circulation)
?y = 1100 (pseudo random)
?z' = ?x XOR ?y = 0101 (short form), ?z = 0111: invert the bit of the memory cell of interest (here cell 3)
The server which gets the long query vector (?z) starts circulation. The servers add their responses, which are encrypted with (pseudo-) one-time pads:
!x = message 1 XOR message 4 XOR pad_x
!y = message 1 XOR message 2 XOR pad_y
!z = message 2 XOR message 3 XOR message 4 XOR pad_z
From this follows by local superposition of the pads:
!x XOR !y XOR !z = message 3 (equal to the content of the wanted memory cell); inverting several bits yields the sum of the wanted memory cells, e.g. message 3 XOR message 2.
Private Message Service
Replicated Database: the servers S1, S2 and S3 each hold D[1]: 1101101, D[2]: 1100110, D[3]: 0101110, D[4]: 1010101.
User is interested in D[2]:
Index within Request-Vector = 1234
Set Vector = 0100
Choose random Vector (S1) = 1011
Choose random Vector (S2) = 0110
Calculate Vector (S3) = 1001 (= 0100 XOR 1011 XOR 0110)
Calculations: XOR
The user sends cS1(1011) to S1, cS2(0110) to S2 and cS3(1001) to S3, each encrypted for the respective server.
Server calculates XOR of the requested records:
S1 (vector 1011): D[1] XOR D[3] XOR D[4] = Sum 0010110
S2 (vector 0110): D[2] XOR D[3] = Sum 1001000
S3 (vector 1001): D[1] XOR D[4] = Sum 0111000
Answer of S1: 0010110, S2: 1001000, S3: 0111000
Sum is D[2]: 1100110
Note: Encryption between Server and Client necessary!
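The private message service replayed with the slides' own database and query vectors, and generalised to any set of wanted cells (the "query and superpose" reading of several cells in one step), as an added example that is not code from the slides. The servers are simulated locally; the encryption of each vector for its server (cS1(1011) etc.) is not modelled.

```python
# Added example (not from the slides): private querying of a replicated
# database. The user sends random query vectors to all servers but one and
# the XOR of those vectors with his selection vector to the last server;
# each server XORs the records its vector selects; XORing all answers
# leaves exactly the wanted cell(s), while no single server learns them.
import random

# Replicated database from the slide: D[1] ... D[4], identical on all servers.
DB = {1: "1101101", 2: "1100110", 3: "0101110", 4: "1010101"}

def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def make_query_vectors(wanted_cells, n_cells, n_servers, rng):
    """Selection vector: 1 at every wanted cell. Servers 1..n-1 get uniformly
    random vectors; the last one gets the XOR of all of them with the
    selection vector, so all vectors together XOR to the selection.
    Any n-1 of the vectors are uniformly random and reveal nothing."""
    select = "".join("1" if i in wanted_cells else "0" for i in range(1, n_cells + 1))
    vectors = ["".join(rng.choice("01") for _ in range(n_cells))
               for _ in range(n_servers - 1)]
    last = select
    for v in vectors:
        last = xor_bits(last, v)
    return vectors + [last]

def server_answer(db, vector):
    """Server side: XOR of the records whose bit in the vector is 1."""
    result = "0" * len(db[1])
    for i, bit in enumerate(vector, start=1):
        if bit == "1":
            result = xor_bits(result, db[i])
    return result

def superpose_answers(answers):
    """Client side: XOR all server answers; every record selected an even
    number of times cancels, only the wanted cell(s) remain."""
    result = "0" * len(answers[0])
    for a in answers:
        result = xor_bits(result, a)
    return result

def slide_example():
    """User is interested in D[2]; vectors 1011 (S1), 0110 (S2), 1001 (S3)."""
    vectors = ["1011", "0110", "1001"]
    answers = [server_answer(DB, v) for v in vectors]
    return answers, superpose_answers(answers)

def random_query(wanted_cells, seed):
    """Query and superpose for a set of cells with fresh random vectors;
    returns the XOR (sum mod 2) of the wanted cells."""
    vectors = make_query_vectors(wanted_cells, len(DB), 3, random.Random(seed))
    return superpose_answers([server_answer(DB, v) for v in vectors])
```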
65
“Query and superpose” instead of “broadcast”
re-writable memory cell = implicit address
re-writing = addition mod 2 (enables to read many cells in one step)
channels trivially realizable
Purposes of implicit addresses
Broadcast: Efficiency (evaluation of implicit address should be faster than processing the whole message)
Query and superpose: Medium Access Control; Efficiency (should reduce number of
messages to be read)
fixed memory cell = visible implicit address
implementation: fixed query vectors for the servers
Number of addresses linear in the expense (of superposing).
Improvement: Set of re-writable memory cells = implicit address
Message m is stored in a set of a memory cells by choosing a–1 values randomly
and choosing the value of the ath cell such that the sum of all a cells is m.
For overall n memory cells, there are now 2n–1 usable implicit addresses,
but due to overlaps of them, they cannot be used independently.
If collisions occur due to overlap, try retransmit after randomly chosen time intervals.
Any set of cells as well as any set of sets of cells can be queried in one step.
66
Invisible implicit addresses using "query and superpose" (1)
hopping between memory cells = invisible implicit address
Idea: a user who wants to use an invisible implicit address at time t reads the values from reserved memory cells at time t-1. These values identify the memory cell to be used at time t.
Impl.: • Address owner gives each server s a pseudo-random bit generator PBG_s.
• Each server s replaces at each time step t the content of its reserved memory cell SAdr_s with PBG_s(t): SAdr_s := PBG_s(t)
• User queries via MIXes ⊕_s PBG_s(t) (possible in one step) and employs ⊕_s PBG_s(t) as the memory cell for the message (1 query).
• Address owner generates ⊕_s PBG_s(t) and reads using "query and superpose" before and after the writing of messages, calculates the difference (1 + 1 queries).
Improvement: for all his invisible implicit addresses together: 1 / 2 (if ≤ 1 msg)
Address is in so far invisible, that at each point of time only a very little fraction of all possible combinations of the cells SAdr are readable.
67
Invisible implicit addresses using “query and superpose” (2)
hopping between memory cells = invisible implicit address
can be extended to
hopping between sets of memory cells = invisible implicit address
68
Fault tolerance (and countering modifying attacks)
What if server (intentionally) does
1. not respond or
2. delivers wrong response?
1. Submit the same query vector to another server.
2. Messages should be authenticated so the user can
check their integrity and thereby detect whether at
least one server did deliver a wrong response. If so,
use a disjoint set of servers or lay traps by sending
the same query vector to many servers and
checking their responses by comparison.
69
Protection of the sender
Dummy messages
• don’t protect against addressee of meaningful messages
• make the protection of the recipient more inefficient
Unobservability of neighboring lines and stations as
well as digital signal regeneration
example: RING-network
70
Proof of anonymity for a RING access method
Flow of the message frame around the ring
A. Pfitzmann 1983 - 1985
Figure: the frame (empty, M. 1, M. 2, ..., M. n, empty, ...) circulates from station 1 over station 2 ... station n and back, shown over time; the attacker sits on the ring between two stations and sees every frame pass by. Alternatives 1 2 3 ... : different assignments of the messages to the stations lead to the same observation at the attacker's position.
Digital signal regeneration: the analogue characteristics of bits are independent of their true sender.
The idea of physical unobservability and digital signal regeneration can be adapted to other topologies, i.e. tree-shaped CATV networks; it reappears in another context in Crowds, GNUnet, etc.
71
Crowds (Reiter, Rubin, 1998)
Figure: Blender; Ⓐ registration of a jondo; Ⓑ confirmation, list of the registered jondos. ① HTTP request of user A is passed at random through users B, C, D, E (②, ③, ④, ⑤, ⑥) to web server I, II or III; ➊ the HTTP response travels back to user A (➋, ➌, ➍, ➎, ➏).
• Goal: sender anonymity for web accesses
• link encryption between participants
• HTTP requests / responses are unencrypted
• users make the forwarding decision locally at random
72
GNUnet (gnunet.org, 2001)
Figure: ① request h(h(h(B))) for block B is passed from user A over users B ... H (②, ③, ④, ⑤, ⑥); ➊ the encrypted block Benc = E_h(B)(B) is returned (➋, ➌, ➍).
Link encrypted communication between two adjoining GNUnet users
Indirecting of a request (sender address will be rewritten)
Forwarding of a request (original sender address is preserved)
Response to user according to the given sender address
73
Fault tolerance of the RING-network
Requirement
For each possible error, anonymity has to be guaranteed.
Problem
Anonymity: little global information
Fault tolerance: much global information
Principles
Fault tolerance through weaker anonymity in a single operational mode
(anonymity-mode)
Fault tolerance through a special operational mode (fault tolerance mode)
74
Braided RING
Figure: stations Si-1, Si, Si+1 are connected by the inner RING lines L(i-1,i), L(i,i+1) and by the outer RING lines L(i-1,i+1), each skipping one station. Legend: line used / line not used / line used to transmit half of the messages.
Two RINGs operating if no faults.
Reconfiguration of the outer RING if a station fails.
Reconfiguration of the inner RING if an outer line fails.
Reconfiguration of the outer RING if an outer and an inner line fail.
75
Modifying attacks
modifying attacks at → covered in RING network by
sender anonymity → attacker model
recipient anonymity → extend the access method
service delivery → publish input and output; if dispute: reconfiguration
76
Superposed sending (DC-network)
D. Chaum 1985 for finite fields
A. Pfitzmann 1990 for abelian groups
Figure (three user stations, each with a pseudo-random bit-stream generator and a modulo-16 adder; keys K12, K13, K23 shared pairwise; all additions digit-wise mod 16):
station 1: M1 = 3A781, + K12 = 2DE92, + K13 = 4265B → sends 99B6E
station 2: M2 = 00000, – K12 = E327E, + K23 = 67CD3 → sends 4AE41
station 3: M3 = 00000, – K13 = CEAB5, – K23 = A943D → sends 67EE2
anonymous access: 99B6E + 4AE41 + 67EE2 = 3A781 = M1 + M2 + M3
Anonymity of the sender
If stations are connected by keys the value of which is completely unknown to the attacker, tapping all lines does not give him any information about the sender.
Dining Cryptographers
[D. Chaum: „Security without identification: transaction systems to make big brother obsolete“, Communications of the ACM, Volume 28, Issue 10, Oct. 1985]
DC-Net – Superposed Sending
Chaum, 1988
Key Graph: A – B, A – C, B – C (Note: in this example "sum" means XOR)
True Message from A: 00110101; Key with B: 00101011; Key with C: 00110110; Sum: 00101000 → A sends 00101000
Empty Message from B: 00000000; Key with A: 00101011; Key with C: 01101111; Sum: 01000100 → B sends 01000100
Empty Message from C: 00000000; Key with A: 00110110; Key with B: 01101111; Sum: 01011001 → C sends 01011001
Sum = True Message from A: 00110101
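One round of superposed sending with both key graphs and value sets from the two DC-network slides (XOR over 8-bit strings, and digit-wise addition mod 16 of 5-digit hex strings), plus pairwise superposed receiving, as an added example that is not code from the slides. The sign convention (the lower-numbered partner of a key adds +K, the other adds –K) is the one the slide's figure uses.

```python
# Added example (not from the slides): superposed sending in an abelian
# group. Each station adds its message and its pairwise keys (one partner
# +K, the other -K); the keys cancel in the global sum, which is the sum of
# all messages, while each single output is uniformly random for an
# attacker who does not know the keys.

def add_mod16(a, b):
    """Digit-wise addition mod 16 of equal-length hex strings (the slide's
    modulo-16 adder)."""
    return "".join("%X" % ((int(x, 16) + int(y, 16)) % 16) for x, y in zip(a, b))

def neg_mod16(a):
    """Digit-wise additive inverse mod 16, i.e. -K."""
    return "".join("%X" % ((16 - int(x, 16)) % 16) for x in a)

def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def dc_round(messages, keys, add, neg):
    """messages: {station: message}; keys: {(i, j): key}, station i adds
    +key and station j adds -key. Returns (outputs per station, global sum)."""
    outputs = {}
    for s, m in messages.items():
        out = m
        for (i, j), k in keys.items():
            if s == i:
                out = add(out, k)
            elif s == j:
                out = add(out, neg(k))
        outputs[s] = out
    total = None
    for o in outputs.values():              # superposition of all outputs
        total = o if total is None else add(total, o)
    return outputs, total

def xor_slide():
    """Slide 'DC-Net - Superposed Sending': A sends a true message, B and C
    send empty messages; in GF(2) the inverse of a key is the key itself."""
    msgs = {"A": "00110101", "B": "00000000", "C": "00000000"}
    keys = {("A", "B"): "00101011", ("A", "C"): "00110110", ("B", "C"): "01101111"}
    return dc_round(msgs, keys, xor_bits, lambda k: k)

def mod16_slide():
    """Slide 'Superposed sending (DC-network)': station 1 sends M1 = 3A781."""
    msgs = {1: "3A781", 2: "00000", 3: "00000"}
    keys = {(1, 2): "2DE92", (1, 3): "4265B", (2, 3): "67CD3"}
    return dc_round(msgs, keys, add_mod16, neg_mod16)

def pairwise_superposed_receiving(x, y):
    """Two stations send X and Y at once; each subtracts its own character
    from the received sum and obtains the other's: (X+Y)-X = Y, (X+Y)-Y = X."""
    total = add_mod16(x, y)
    return add_mod16(total, neg_mod16(x)), add_mod16(total, neg_mod16(y))
```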
81
Three distinct topologies
Figure (stations 1, 2, 3): the key topology (which stations share keys) is independent of the others; the superposition topology (where the outputs are added, +) and the transmission topology (how the sum is distributed to the stations) are dependent on each other.
82
Reservation scheme
Figure: reservation frame with one slot per position; the stations send
S1: 0 1 0 0 0
S2: 0 1 0 0 0
S3: 0 0 0 0 0
S4: 0 1 0 1 0
S5: 0 0 1 0 0
superposed sum: 0 3 1 1 0 (the sum is only different from "1" for a collision if "+" ≠ "⊕", i.e. real addition is used instead of XOR).
After ≥ one roundtrip delay the message frame follows: only the slots whose sum was 1 are used, here T5 (slot 3, reserved by S5) and T4 (slot 4, reserved by S4); time runs from left to right.
83
Superposed receiving
Whoever knows the sum of n characters and n-1 of these n characters,
can calculate the n-th character.
pairwise superposed receiving (reservation scheme: n=2)
Two stations send simultaneously.
Each subtracts their characters from the sum to receive the character sent by the other station.
==> Duplex channel in the bandwidth of a simplex channel
global superposed receiving (direct transmission: n≥2 )
Result of a collision is stored, so that if n messages collide, only
n-1 have to be sent again.
Collision resolution algorithm using the mean of messages:
Figure (information unit for ≤ 2^S – 1 stations, addition mod 2^L): a message field of L bits with an overflow area for the addition of messages, followed by a counter field of S bits (set to 0 ... 0 1 by each sending station) with an overflow area for the addition of counters.
84
Pairwise superposed receiving
Figure: without superposed receiving, S1 sends X and S2 sends Y in separate slots; with pairwise superposed receiving both send at once, the sum X+Y is received, S1 computes (X+Y)-X = Y and S2 computes (X+Y)-Y = X.
85
Global superposed receiving
Figure: stations S1 ... S5 send the messages 7, 15, 4, 1, 5, each with counter 1. Collision: sum 32, counter 5, mean 6. Stations with message ≤ 6 send again: 4, 1, 5 → sum 10, counter 3, mean 3; by superposed receiving the rest is known without retransmission: 32 – 10 = 22, counter 2, mean 11. Then message ≤ 3: 1 → received (1, counter 1); 10 – 1 = 9, counter 2, mean 4: 4 sent again → received; 9 – 4 = 5 → received. From 22, counter 2: message ≤ 11: 7 sent again → received; 22 – 7 = 15 → received. Each retransmission costs ≥ one roundtrip delay.
Collision resolution algorithm with mean calculation and superposed receiving
86
Global superposed receiving (2 messages equal)
[Figure: the same algorithm with S5 = (4,1), i.e. S3 and S5 send equal messages. Round 1: sum (31,5), mean 6; the stations with message ≤ 6 resend, giving (9,3) with mean 3, the rest (22,2) with mean 11 follows by subtraction. From (9,3): (1,1) and (8,2) with mean 4; both remaining messages are 4, so resending gives (8,2) again, which identifies two equal messages (4,1) and (4,1). From (22,2): (7,1) and (15,1).]
Collision resolution algorithm with mean calculation and superposed receiving
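The superposed sending, global superposed receiving and mean-based collision resolution of slides 83 to 86, as an added Python example (not code from the lecture); the station messages are the ones of the figures, and the ring width L = 16 and the seeded keys are constructed choices:

```python
"""Superposed sending with global superposed receiving and collision resolution
by the mean of the messages (slides 83 to 86). Added example, not lecture code.
Stations share pairwise keys and add (message, counter) frames mod 2^L; the
algorithm uses only the global sums, each station decides locally whether it
resends. Sample messages are those of the figures (constructed)."""
import random

L = 16           # width of the superposition ring: addition mod 2^L
MOD = 1 << L     # messages and counters stay far below this (overflow area)


def superpose(frames, rng):
    """One DC-net round: each pair of stations shares a fresh uniform key that
    one adds and the other subtracts, so all keys cancel in the global sum."""
    outputs = [f % MOD for f in frames]
    for i in range(len(frames)):
        for j in range(i + 1, len(frames)):
            key = rng.randrange(MOD)
            outputs[i] = (outputs[i] + key) % MOD
            outputs[j] = (outputs[j] - key) % MOD
    return outputs   # any single output is uniformly distributed


def global_sum(outputs):
    """What the network (and an observer of all lines) learns: the sum of the frames."""
    return sum(outputs) % MOD


def superposed_round(messages, rng):
    """Every participating station sends (message, 1); returns (sum of messages, sum of counters)."""
    msg_sum = global_sum(superpose(messages, rng))
    cnt_sum = global_sum(superpose([1] * len(messages), rng))
    return msg_sum, cnt_sum


def resolve_collision(messages, rng, trace=None):
    """Resolve a collision of the given stations' messages; returns the messages
    the network reconstructs. `trace` collects the means used (cf. the slides)."""
    if trace is None:
        trace = []
    total, count = superposed_round(messages, rng)
    return _resolve(total, count, messages, rng, trace)


def _resolve(total, count, participants, rng, trace):
    # `participants` only models each station's private decision "is my
    # message <= mean?"; the network never sees the individual messages.
    if count == 1:
        return [total]               # a single message is readable directly
    mean = total // count
    trace.append(mean)
    low = [m for m in participants if m <= mean]
    low_total, low_count = superposed_round(low, rng)    # only these resend
    if low_count == count:
        # everybody resent: all messages are <= floor(total/count), which is
        # only possible if they all equal the mean ("2 messages equal" case)
        return [mean] * count
    # global superposed receiving: the other group follows by subtraction,
    # so it needs no retransmission of its own
    high_total = (total - low_total) % MOD
    high_count = (count - low_count) % MOD
    high = [m for m in participants if m > mean]
    return (_resolve(low_total, low_count, low, rng, trace)
            + _resolve(high_total, high_count, high, rng, trace))


if __name__ == "__main__":
    means = []
    print(resolve_collision([7, 15, 4, 1, 5], random.Random(7), means), means)
```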
87
Superposition topology for minimal delay
[Figure: the outputs of m user stations are superposed by a tree of XOR gates ("=1") of depth log2 m; a tree of repeaters of depth log2 m amplifies the result back to the m user stations]
88
Suitable coding for superposed sending
[Figure: an information unit of L bits (values 000 … 111) is superposed locally with the key by a full adder with carry ("add carry"), i.e. local superposition mod 2^L; the local superposition result is transmitted as a binary transmission (gate "&"); the global superposition mod 2^L of the local superposition results of all stations is formed with full adders again and yields the global superposition result]
89
Analogy between Vernam cipher and superposed sending
Vernam cipher: K + M = C and M = C − K in an abelian group (figure: group table of the 2-bit values 00, 01, 10, 11 with a worked example K = 10, M = 00)
Superposed sending: M1 + K = O1 and M2 − K = O2 (figure: M1 = 11, K = 01, −K = 10), so O1 + O2 = M1 + M2 and the key cancels
90
Proof of sender anonymity: proposition and start of induction
Proposition:
If stations S_i are connected by uniformly randomly distributed keys K_j which are unknown to the attacker, then by observing all the O_i the attacker finds out only Σ_i M_i about the M_i.
Proof (induction over the number m of stations):
m = 1: trivial
step m−1 → m
91
Proof of sender anonymity: induction step
[Figure: stations S1, S2, …, S_{m−1} and S_m; minimal connectedness: S_m is connected to the others by only one key K, shared with S_L: O_m = M_m + K and O_L = M_L − K + …]
Attacker observes O_1, O_2, … O_m.
For each combination of messages M'_1, M'_2, … M'_m with Σ_{i=1}^{m} M'_i = Σ_{i=1}^{m} O_i there is exactly one compatible combination of keys: K' := O_m − M'_m.
The other keys are defined as in the induction assumption, where the output of S_L is taken as O_L + K'.
92
Information-theoretic anonymity in spite of modifying attacks
Problems:
1) The attacker sends messages only to some users. If he gets an answer, the addressee was among these users.
2) To be able to punish a modifying attack at service delivery, corrupted messages have to be investigated. But this may not apply to meaningful messages of users truthful to the protocol.
DC+-net to protect the recipient even against modifying attacks: if there is a broadcast error, the keys are modified in a uniformly distributed way. The key between station i and station j at time t is computed in a (skew-)field from the broadcast characters C_i^k observed by station i at the preceding times k:
K_ij^t = a_ij^t + Σ_{k=t−s}^{t−1} b_ij^{t,k} · C_i^k
For practical reasons: each station has to send a random message within each s successive points in time and observe whether the broadcast is "correct".
95
Modifying attacks
Modifying attacks at
• sender anonymity
• recipient anonymity
• service delivery: the attacker sends a message character ≠ 0 whenever the others send their message characters as well ⇒ no transmission of meaningful information
To be able to punish a modifying attack at service delivery, corrupted messages have to be investigated. But this may not apply to meaningful messages of users truthful to the protocol.
96
Protection of the sender: anonymous trap protocol
[Figure: a frame (frame length  s) for n users: first 2n reservation blobs (1, 2, …, 2n), then 2n collision-free messages (1, 2, …, 2n)]
• Each user can cause the investigation of the reservation blobs directly after their sending if the sending of his reservation blobs did not work.
• Each user can authorize the investigation of his "collision-free" random message by opening the corresponding reservation blob.
97
Blob := committing to 0 or 1, without revealing the value committed to
1) The user committing the value must not be able to change it, but he must be able to reveal it.
2) The others should not get any information about the value.
In a "digital" world you can get exactly one property without assumptions; the other then requires a complexity-theoretic assumption.
Example:
Given a prime number p and the prime factors of p−1, as well as a generator α of Z*_p (multiplicative group mod p). Using y everybody can calculate α^y mod p. The inverse cannot be done efficiently!
Blob with property 1 resting on the assumption ("1?"):
s ∈ Z*_p randomly chosen (so the user cannot compute e such that s = α^e)
commit: x := s^b · α^y mod p with 0 ≤ y ≤ p−2; open: reveal y
Blob with property 2 resting on the assumption ("2?"):
Let 2^u be the smallest power of 2 that does not divide p−1.
y := y1, b, y2 with 0 ≤ y ≤ p−2 and |y2| = u−1
commit: x := α^y mod p; open: reveal y
98
Blobs based on factoring assumption
Property 1 resting on the assumption ("1?"):
verifier: n := p·q, s := t^2 mod n (so s ∈ QR_n); sends n, s to the prover
prover: commit x := y^2 · s^b mod n, sends x; open: reveals y
Property 2 resting on the assumption ("2?"):
verifier: n := p·q, s ∉ QR_n with Jacobi symbol (s/n) = 1; sends n, s to the prover (the verifier knows n = p·q and s ∉ QR_n)
prover: commit x := y^2 · s^b mod n, sends x; open: reveals y
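The discrete-logarithm blobs of slide 97 and the factoring blob of slide 98, as an added Python example (not from the lecture); p = 23 with generator α = 5, n = 61·53 and the seeded random choices are toy parameters for tracing the arithmetic:

```python
"""Bit commitments ("blobs"): x := s^b * alpha^y and x := alpha^y with b embedded
in y (discrete log, slide 97) and x := y^2 * s^b mod n (factoring, slide 98).
Added example, not lecture code. p = 23, alpha = 5 and n = 61 * 53 are toy
parameters (constructed); real parameters are hundreds of digits long."""
import random
from math import gcd


def is_generator(alpha, p, prime_factors_of_p_minus_1):
    """alpha generates Z*_p iff alpha^((p-1)/q) != 1 (mod p) for every prime q | p-1;
    the prime factors of p-1 are given, as on the slide."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)


# Blob "1?": x := s^b * alpha^y mod p. y uniform in [0, p-2] makes x uniform in Z*_p
# whatever b is (hiding without assumptions); changing b afterwards would require
# log_alpha(s), so binding rests on the discrete-log assumption.
def dl_commit(p, alpha, s, b, rng):
    y = rng.randrange(p - 1)
    return pow(s, b, p) * pow(alpha, y, p) % p, y   # x is sent, y kept for opening


def dl_open_ok(p, alpha, s, x, b, y):
    return 0 <= y <= p - 2 and x == pow(s, b, p) * pow(alpha, y, p) % p


# Blob "2?": x := alpha^y mod p with y = y1, b, y2 and |y2| = u-1, where 2^u is the
# smallest power of two not dividing p-1. alpha^y determines y uniquely, so b cannot
# be changed (binding without assumptions); hiding b rests on the hardness of that
# bit of the discrete log.
def hard_bit_position(p):
    u = 1
    while (p - 1) % (1 << u) == 0:
        u += 1
    return u


def dl_bit_commit(p, alpha, b, rng):
    u = hard_bit_position(p)
    assert (1 << u) <= p - 1, "p too small to embed the bit"
    while True:   # rejection sampling keeps y uniform among the valid values
        y = (rng.randrange(p) << u) | (b << (u - 1)) | rng.randrange(1 << (u - 1))
        if y <= p - 2:
            return pow(alpha, y, p), y


def dl_bit_open_ok(p, alpha, x, b, y):
    u = hard_bit_position(p)
    return 0 <= y <= p - 2 and x == pow(alpha, y, p) and (y >> (u - 1)) & 1 == b


# Factoring blob "1?": the verifier picks n := p*q and s := t^2 mod n and sends (n, s).
# x := y^2 * s^b mod n is a uniformly random square for either b (hiding without
# assumptions); opening x both ways would reveal a root of s, so binding rests on
# the prover not knowing t, i.e. on the factoring assumption.
def unit_mod(n, rng):
    y = rng.randrange(2, n)
    while gcd(y, n) != 1:
        y = rng.randrange(2, n)
    return y


def qr_setup(p, q, rng):
    n = p * q
    t = unit_mod(n, rng)
    return n, pow(t, 2, n), t          # t stays with the verifier


def qr_commit(n, s, b, rng):
    y = unit_mod(n, rng)
    return pow(y, 2, n) * pow(s, b, n) % n, y


def qr_open_ok(n, s, x, b, y):
    return gcd(y, n) == 1 and x == pow(y, 2, n) * pow(s, b, n) % n


def qr_second_opening(n, s, t, y):
    """Why t must stay secret: with a root t of s, a commitment x = y^2 to b = 0
    also opens as b = 1 with y' = y * t^-1, since y'^2 * s = y^2 (mod n)."""
    return y * pow(t, -1, n) % n
```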
99
Blobs based on asymmetric encryption system
Property 2 resting on the assumption ("2?"): encrypt b with an asymmetric encryption system (recall: public encryption key and ciphertext together uniquely determine the plaintext)
• has to be probabilistic – otherwise trying all possible values is easy
• communicating the random number used to probabilistically encrypt b means opening the blob
• computationally unrestricted attackers can calculate b (since they can break any asymmetric encryption system anyway)
100
Checking the behavior of the stations
To check a station it has to be known:
• All keys with others
• The output of the station
• All the global superposition results received by the station
• At what time the station may send message characters according to the access protocol
(Can be determined using the global superposition results of the last rounds; these results can be calculated using the outputs of all stations.)
[Figure: from the keys and the global superposition results the message characters of the station are calculated and compared with its output]
known = known to all stations truthful to the protocol
101
Modifying attacks in the reservation phase
Collisions in the reservation phase
• cannot be avoided completely
• therefore they must not be treated as attack
Problem: Attacker A could await the output of the users truthful to the protocol and then choose his own message so that a collision is generated.
Solution: Each station
1. defines its output using a Blob at first, then
2. awaits the Blobs of all other stations, and finally
3. reveals its own Blob’s content.
102
Fault tolerance: 2 modes of operation
A-mode: anonymous transmission of messages using superposed sending
F-mode: sender and recipient are not protected; fault detection, fault localization, taking defective components out of operation, error recovery of the PRGs, initialization of the access protocol
[Figure: transitions between A-mode and F-mode]
103
Fault tolerance: sender-partitioned DC-network
[Figure: stations 1 to 10 and DC-networks 1 to 5; each station has write and read access to some DC-networks and read access only to the others, so that a fault of a single station spreads only over the DC-networks it writes to; shown: widest possible spread of a fault of station 3, and of a fault of station 5]
104
Protection of the communication relation: MIX-network
D. Chaum 1981 for electronic mail
[Figure: three senders submit c1(z4, c2(z1, M1)), c1(z5, c2(z2, M2)), c1(z6, c2(z3, M3)) to MIX1, which batches, discards repeats and decrypts d1(c1(zi, Mi)) = (zi, Mi); it forwards c2(z3, M3), c2(z1, M1), c2(z2, M2) in changed order to MIX2, which batches, discards repeats, decrypts d2(c2(zi, Mi)) = (zi, Mi) and outputs M2, M3, M1]
The Mix protocol
Idea: provide unlinkability between incoming and outgoing messages.
A Mix collects messages, changes their coding and forwards them in a different order.
Only if all Mixes work together can they reveal the path of a given message.
107
Basic functions of a MIX
[Figure: processing chain of a MIX with minimal and maximal processing time per message]
input messages → buffer the current input batch (sufficiently many messages from sufficiently many senders? If needed: insert dummy messages)
discard repeats (against all input messages which were or will be re-encrypted using the same key): 1 HDD access, min 10 ms, max 50 ms
test digital signature: min do nothing, 0 ms; max 100 ms
re-encrypt (decrypt or encrypt): asym. encryption in special HW, 1 ms; asym. encryption in SW, 100 ms
change order: min 1 ns, max 10 µs
total: min 11.000001 ms, max 250.01 ms
→ output messages
108
Properties of MIXes
MIXes should be designed, produced, operated, maintained ... independently.
Messages of the same length
buffer batch-wise, re-encrypt, change order inside each batch
Each message processed only once! (inside each batch and between the batches)
sym. encryption system only for the first and the last MIX; asym. encryption system required for MIXes in the middle
109
Possibilities and limits of re-encryption
Aim: (without dummy traffic)
Communication relation can be revealed only by:
• all other senders and recipients together
or
• all MIXes together which were passed through
against the will of the sender or the recipient.
Conclusions:
1. Re-encryption: never decryption directly after encryption.
Reason: to decrypt the encryption the corresponding key is needed ⇒ the message before and after this encoding is the same ⇒ such a re-encryption is irrelevant.
2. Maximal protection: MIXes are passed through simultaneously and therefore in the same order.
110
Maximal protection
Pass through MIXes in the same order
[Figure: MIX 1 … MIX i … MIX n in a fixed sequence]
111
Re-encryption scheme for sender anonymity
[Figure: sender S encrypts with the public keys c1 … c5 (and symmetric keys k1 … k5) of MIX1 … MIX5; each MIX i decrypts with d_i (and k_i) and transfers the result to MIX i+1, until the recipient R (= MIX n+1) decrypts with dR; M_{n+1}, M_n, … denote the messages after each step; arrows: encryption, decryption, transfer]
Direct re-encryption scheme for sender anonymity:
M_{n+1} = c_{n+1}(M)
M_i = c_i(z_i, A_{i+1}, M_{i+1}) for i = n, …, 1
Indirect re-encryption scheme for sender anonymity:
M_i = c_i(k_i, A_{i+1}), k_i(M_{i+1})
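The indirect re-encryption scheme for sender anonymity, traced through three MIXes and the recipient, as an added Python example (not from the lecture): textbook RSA on roughly 80-bit moduli stands in for c_i/d_i and a SHA-256 keystream for the symmetric system k_i, both toy stand-ins; the route MIX1, MIX2, MIX3, R and the key seeds are constructed.

```python
"""Indirect (hybrid) re-encryption scheme M_i = c_i(k_i, A_{i+1}), k_i(M_{i+1}),
built by the sender and peeled by MIX1 ... MIXn and the recipient R (= MIX n+1).
Added example, not lecture code: textbook RSA on ~80-bit moduli stands in for
c_i/d_i and a SHA-256 keystream for k_i; neither is a secure cipher, they only
make each layer's transformation concrete. Route and seeds are constructed."""
import hashlib
import random
from math import gcd

NODES = ["MIX1", "MIX2", "MIX3", "R"]   # route, recipient last (constructed)
HDR_LEN = 11                           # bytes for one RSA ciphertext, n < 2^88
END = 0xFF                             # address byte meaning "no further hop"


def is_probable_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 with the first twelve primes as bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    while not is_probable_prime(n):
        n += 1
    return n


def rsa_keygen(seed):
    """Toy key pair from two ~40-bit primes; returns (c_i = (e, n), d_i = (d, n))."""
    p = next_prime((1 << 40) + 100000 * seed)
    q = next_prime((1 << 40) + 100000 * seed + 50000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:
        e += 2
    return (e, n), (pow(e, -1, phi), n)


def c(pk, m):   # asymmetric encryption c_i of an integer m < n
    return pow(m, pk[0], pk[1])


def d(sk, x):   # asymmetric decryption d_i
    return pow(x, sk[0], sk[1])


def k(key, data):
    """Symmetric stand-in k_i(.): XOR with a SHA-256 keystream, so k(k(M)) = M."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(route, public_keys, message, rng):
    """Sender: M_{n+1} ... M_1, innermost layer first. Each layer is
    c_i(k_i, A_{i+1}) || k_i(M_{i+1}); returns (first hop A_1, M_1)."""
    body = message
    for i in range(len(route) - 1, -1, -1):
        k_i = rng.getrandbits(64).to_bytes(8, "big")
        a_next = NODES.index(route[i + 1]) if i + 1 < len(route) else END
        header = c(public_keys[route[i]], int.from_bytes(k_i + bytes([a_next]), "big"))
        body = header.to_bytes(HDR_LEN, "big") + k(k_i, body)   # one more layer
    return route[0], body


def mix_process(secret_key, msg):
    """MIX_i (or R): d_i yields (k_i, A_{i+1}); k_i decrypts the rest of M_i."""
    plain = d(secret_key, int.from_bytes(msg[:HDR_LEN], "big")).to_bytes(9, "big")
    k_i, a_next = plain[:8], plain[8]
    next_hop = None if a_next == END else NODES[a_next]
    return next_hop, k(k_i, msg[HDR_LEN:])   # shorter by HDR_LEN bytes, re-coded


def deliver(first_hop, m1, secret_keys):
    """Pass M_1 along the MIXes; returns the hops taken and what R finally reads."""
    hop, msg, path = first_hop, m1, []
    while hop is not None:
        path.append(hop)
        hop, msg = mix_process(secret_keys[hop], msg)
    return path, msg


def run_example(seed=1):
    rng = random.Random(seed)
    keys = {name: rsa_keygen(i + 1) for i, name in enumerate(NODES)}
    public = {name: pk for name, (pk, _) in keys.items()}
    secret = {name: sk for name, (_, sk) in keys.items()}
    first_hop, m1 = build_onion(NODES, public, b"hello, anonymous world", rng)
    return deliver(first_hop, m1, secret)
```

Each MIX strips one header of HDR_LEN bytes, so the message shrinks on every hop; the length-maintaining variants on the later slides exist to remove exactly that observable.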
112
Indirect re-encryption scheme for recipient anonymity
[Figure: the recipient R builds an anonymous return address (message header) through MIX0 … MIXm and hands it over by unobservable transfer to the sender S; S attaches the message content I and sends it by observable transfer through MIX1 … MIX5 to R (= MIXm+1); numbered steps 1 to 9; arrows: encryption, decryption, observable and unobservable transfer]
Message header: H_{m+1} = e; H_j = c_j(k_j, A_{j+1}, H_{j+1}) for j = m, …, 0
Message content: I_1 = k_0(I); I_j = k_{j−1}(I_{j−1}) for j = 2, …, m+1
114
Indirect re-encryption scheme for sender and recipient anonymity
[Figure: combination of both schemes: the message header for recipient anonymity is prepared by R and handed over unobservably; the message content is sent by S through MIX1 … MIX5 using the sender anonymity scheme; a 3rd party holds the anonymous pickup using return addresses for anonymous query; delivery uses the recipient anonymity scheme, initiated using the sender anonymity scheme; numbered steps 1 to 9; arrows: encryption, decryption, observable and unobservable transfer]
115
Indirect re-encryption scheme maintaining message length
[Figure: M_j consists of b blocks; H_j = [c_j(k_j, A_{j+1})], k_j(H_{j+1}) occupies blocks 1 … m+1−j, blocks up to m+1 are filled with random contents Z_{j−1}, blocks m+2 … b carry message contents; MIX_j decrypts block 1 with d_j, obtains k_j and A_{j+1}, re-encrypts the remaining blocks with k_j (encrypt or decrypt) and appends a block Z_j with random contents, giving M_{j+1} with header H_{j+1} = k_{j+1}(H_{j+2}) …; H_{m+1} = [e]; for j = m, …, 1]
Indirect re-encryption scheme maintaining message length for special symmetric encryption systems
[Figure: the same with the blocks of message contents (3 … b+1−j) before the blocks with random contents (b+2−j … b); MIX_j decrypts with d_j and re-encrypts with k_j, which works if k^{−1}(k(M)) = M and k(k^{−1}(M)) = M]
117
Minimally message expanding re-encryption scheme maintaining message length
[Figure: M_j consists of a header H_j of b_j blocks and the message contents I_j in the remaining blocks up to b; MIX_j decrypts H_j with d_j, obtaining k_j, A_{j+1}, C_j and H_{j+1}, and re-encrypts the message contents with k_j; M_{j+1} consists of H_{j+1}, n_j blocks of random contents Z_j, the message contents and b_j − n_j further blocks of random contents; works if k^{−1}(k(M)) = M and k(k^{−1}(M)) = M]
118
Breaking the direct RSA-implementation of MIXes (1)
Implementation of MIXes using RSA without redundancy predicate and with contiguous bit strings (David Chaum, 1981) is insecure:
[Figure: the MIX receives (z,M)^c with |z| = b random bits and |M| = B message bits, computes ((z,M)^c)^d = z,M (mod n) and outputs M. The attacker observes (z,M)^c, chooses a factor f, generates (z,M)^c · f^c, and compares the MIX outputs: M and M·f]
Unlinkability, if many factors f are possible.
2^b · 2^B ≤ n−1 holds always and normally b << B.
If the random bit strings are the most significant bits, it holds
(z,M) = z·2^B + M
and
(z,M)·f ≡ (z·2^B + M)·f ≡ z·2^B·f + M·f (mod n).
119
Breaking the direct RSA-implementation of MIXes (2)
Let the identifiers z' and M' be defined by
(z,M)·f ≡ z'·2^B + M'
⇒ z·2^B·f + M·f ≡ z'·2^B + M'
⇒ 2^B·(z·f − z') ≡ M' − M·f
⇒ z·f − z' ≡ (M' − M·f)·(2^B)^{−1}   (1)
If the attacker chooses f ≤ 2^b, it holds
−2^b < z·f − z' < 2^{2b}   (2)
The attacker replaces in (1) M and M' by all output-message pairs of the batch and tests (2).
(2) holds, if b << B, very probably only for one pair (P1, P2). P1 is the output message to (z,M)^c, P2 to (z,M)^c · f^c.
If (2) holds for several pairs, the attack is repeated with another factor.
120
Fault tolerance in MIX-networks (1)
[Figure (a): 2 alternative routes via disjoint MIXes from S to R: MIX1 … MIX5, MIX6 … MIX10 or MIX11 … MIX15]
[Figure (b): substitute MIXes: MIXi' or MIXi'' can substitute MIXi in the route S, MIX1 … MIX5, R; the substitution is agreed by a coordination protocol]
121
Fault tolerance in MIX-networks (2)
[Figure: coordination protocol: S encrypts with c1 … c5 (k1 … k5) of MIX1 … MIX5 and with cE of the recipient R (dE); MIX1 decrypts with d1, k1 and additionally holds k2, MIX2 decrypts with d2, k2 and holds k3, MIX3 holds k4, …; arrows: encryption, decryption, transfer]
In each step, one MIX can be skipped.
122
Complexity of the basic methods
n = number of users; k = connectedness of the key graph of DC-networks, respectively number of MIXes
RING-network
attacker model: physically limited (unobservability of neighboring lines and stations as well as digital signal regeneration)
expense per user: O(n) transmission (n² in total)
DC-network
attacker model: computationally restricted w.r.t. service delivery; keys: computationally restricted, • cryptographically strong, • well analyzed
expense per user: O(n) transmission ((n choose 2) in total), O(k·n) key
MIX-network
attacker model: computationally restricted; not even well analyzed asymmetric encryption systems are known which are secure against adaptive active attacks
expense per user: O(k), practically ≈ 1, transmission on the last mile; O(k²), practically ≈ k, … in the core network
123
Encryption in layer models
In the OSI model it holds: layer n doesn't have to look at Data Units (DUs) of layer n+1 to perform its service. So layer n+1 can deliver (n+1)-DUs encrypted to layer n.
For packet-oriented services, layer n typically furnishes the (n+1)-DUs with an n-header and possibly with an n-trailer, too, and delivers this as n-DU to layer n−1. This can also be done encrypted again, and so on.
[Figure: layer n+1 encrypts the (n+1)-DU; layer n adds n-header and n-trailer, forming the n-DU, which is encrypted again; layer n−1 receives the (n−1)-DU]
All encryptions are independent with respect to both the encryption systems and the keys.
124
Arranging it into the OSI layers (1)
[Figure: user station – exchange – exchange – user station over the OSI layers 7 application, 6 presentation, 5 session, 4 transport, 3 network, 2 data link, 1 physical, 0 medium; end-to-end encryption between the user stations at the transport layer; link encryption on each of the four links at the lowest layers]
125
Arranging it into the OSI layers (2)
[Figure: the three techniques mapped onto the OSI layers 7 application … 0 medium]
MIX-network: anonymous access at the upper layers; implicit addressing; buffer and re-encrypt at layer 3 (network)
DC-network: anonymous access; implicit addressing; query and superpose, broadcast at layer 3; superpose keys and messages at layer 2 (data link)
RING-network: channel selection at layer 2; ring at layer 0 (medium); digital signal regeneration
Legend: "has to preserve anonymity against the communication partner" (upper layers), "has to preserve anonymity" (lower layers), "realizable without consideration of anonymity" (end-to-end encryption)
128
Solution for the ISDN: telephone MIXes
Aims: ISDN services on ISDN transmission system
2 independent 64-kbit/s duplex channels on a 144-kbit/s subscriber line
hardly any additional delay on established channels
establish a channel within 3 s
no additional traffic on the long distance network
Network structure
[Figure: subscriber R with network termination on a 64+64+16 = 144 kbit/s duplex line to the local exchange LE(R), which contains the MIX cascade MIX1 … MIXm; the long distance network connects LE(R) to the local exchange LE(G) (legacy LE) of subscriber G]
129
Solution for the ISDN: telephone MIXes (1989)
Aims and network structure as on the previous slide.
[Figure: the same network structure, now with a second MIX cascade MIX'm … MIX'1 at the local exchange LE(G) of subscriber G]
130
Time-slice channels (1)
[Figure: station R, MIXes(R), LE(R), LE(G), MIXes(G), station G. Time slice S0: R sets up a sending channel (TS-setup: x) and a receiving channel (TR-setup: x), G likewise with y; the call request cG(k, sR, and sG) is delivered by query and superpose instead of broadcast. Time slice S1: both sides set up TS and TR channels derived from the seeds, TS-setup: PBG(sG,1), TS-setup: PBG(sR,1), TR-setup: PBG(sR,1), TR-setup: PBG(sG,1)]
131
Time-slice channels (2)
[Figure: time slice S2: the channels PBG(sG,1) and PBG(sR,1) carry k(dial tone, data) while the setups for the next slice use PBG(sG,2) and PBG(sR,2); time slice S3: the channels PBG(sG,2) and PBG(sR,2) carry k(data)]
This setup of receiving channels is a very flexible scheme for recipient anonymity.
132
Connection configuration later (1)
[Figure: station R, MIXes(R), LE(R), LE(G), MIXes(G), station G. Time slice S0: R sets up TS-setup: x and TR-setup: x, G already has channels from P (TS-setup: PBG(sP,0)) and to P (TR-setup: PBG(sQ,0)); the call request cG(k, sR, and sG) arrives. Time slice S1: setups TS-setup: PBG(sG,1), TS-setup: PBG(sP,1), TR-setup: PBG(sR,1), TR-setup: PBG(sQ,1)]
133
Connection configuration later (2)
[Figure: time slice S2: channels PBG(sR,1) from P and PBG(sQ,1) to P are thrown away or replaced; setups TS-setup: PBG(sG,2), PBG(sP,2), TR-setup: PBG(sR,2), PBG(sQ,2); … time slice S_{t−1}: setups TS-setup: PBG(sG,t−1), PBG(sR,t−1), TR-setup: PBG(sR,t−1), PBG(sG,t−1); time slice S_t: the channels PBG(sG,t−1) and PBG(sR,t−1) carry k(dial tone, data)]
134
Query and superpose to receive the call requests
[Figure: station R, MIXes(R), LE(R), LE(G), MIXes(G), station G; the call request cG(k, sR, and sG) reaches G by query and superpose instead of broadcast]
Query and superpose:
• Each station has to query in each time slice (else the anonymity set degenerates)
• Each station should query all its implicit addresses at each query (possible both for visible and invisible addresses without additional expense)
⇒ The size of the anonymity set is no longer limited by the transmission capacity on the user line, but only by the addition performance of the message servers.
135
Radio networks (1)
Difference to wired networks
• Bandwidth of transmission remains scarce
• The current place of the user is also to be protected
Assumptions
• Mobile user station is always identifiable and locatable if the station sends.
• Mobile user station is not identifiable and locatable if the station only (passively) receives.
Which measures are applicable?
+ end-to-end encryption
+ link encryption
− dummy messages (not commendable); unobservability of neighboring lines and stations as well as digital signal regeneration, superposed sending (not applicable)
⇒ all measures to protect traffic data and data on interests have to be handled in the wired part of the communication network
136
Radio networks (2)
+ MIXes
[Figure: users U and V, the local exchange LE and the MIXes behind it; numbered steps 1 to 8 of a call; annotation: "if the coding in the radio network is different or computing power for encryption is missing"]
+ Broadcast the call request in the whole radio network; only then does the mobile station answer. After this the transmission proceeds in one radio cell only.
+ Filter + generation of visible implicit addresses + restrict the region
+ Keep the user and SIM anonymous towards the mobile station used.
137
No movement profiles in radio networks
GSM/UMTS – cellular mobile networks
[Figure: users A, B, C, D in radio cells; the network with the data bases HLR, VLR1, VLR2; numbered steps 1 to 5]
• roaming information in central data bases
• operators of the network can record the information
Alternative concept
[Figure: the network with MIXes; numbered steps 1 to 8]
• Maintenance of the roaming information in a domain of trust
– at home (HPC)
– at trustworthy organizations
• Protection of the communication relationship using MIXes
138
Operatorship of the network components
[Table: which component each technique relies on]
user station / terminal equipment (needed domain of trust of the user: no Trojan horse): end-to-end encryption, implicit addressing, MIXes (wish), message service
network termination (all functions important for the service quality of others): RING-network: transmission and access protocol; superposed sending: key generation and superposition, access protocol; transmission
MIX, server of the network operator (needed domain of trust: correct realization)
Problems here are easier than at switching centers:
1. Network terminations are less complex
2. … cannot be changed quickly (hardware, no remote maintenance)
MIXes, servers: technically easier; organizationally w.r.t. confidence more problematic
Superposed sending: technically more expensive; organizationally easier
139
Conclusions & Outlook (1)
Using the network: transactions between anonymous partners; explicit proof of identity is possible at any time
Protection of traffic data and data on interests requires an appropriate network structure: keep options, consider early enough
Networks offering anonymity can be operated in a "trace users mode" without huge losses in performance; the converse is not true!
140
Conclusions & Outlook (2)
Trustworthy data protection in general or only at individual
payment for interested persons?
• Concerning traffic data, the latter is technically inefficient.
• The latter has the contrary effect (suspicion).
• Everyone should be able to afford fundamental rights!
141
Electronic Banking
Motivation
• Banking using paper forms – premium version: the customer gets the completely personalized forms from the bank in which only the value has to be filled in. No signature!
• Electronic banking – usual version: the customer gets card and PIN, TAN from his/her bank. http://www.cl.cam.ac.uk/research/security/banking/
• Upcoming / Current: the customer gets a chip card from the bank with a key for MAC or a key pair for digital signature
• Map exercise of US secret services: observe the citizens of the USSR (1971, Foy 75)
Main part (Everything a little bit more precise)
• Payment system is secure ... MAC, digital signature; payment system using digital signatures
• Pseudonyms (person identifier → role-relationship pseudonyms)
142
Security properties of digital payment systems
A digital payment system (rights are immaterial, digital and transferred via a communication network) is secure (integrity, availability) if
• a user can transfer the rights received,
• a user can lose a right only if he is willing to,
• if a user who is willing to pay uniquely denotes another user as recipient, only this entity receives the right,
• a user can prove transfers of rights to a third party if necessary (receipt problem), and
• the users cannot increase their rights even if they collaborate, without the committer being identified.
Problem: messages can be copied perfectly
Solution: witness accepts only the first (copy of a) message
143
Pseudonyms
person pseudonyms: public person pseudonym (example: phone number); non-public person pseudonym (account number); anonymous person pseudonym (biometric, DNA, as long as no register)
role pseudonyms: business-relationship pseudonym (pen name); transaction pseudonym (one-time password)
Scalability concerning the protection: anonymity grows from public person pseudonym to transaction pseudonym
144
Pseudonyms: Linkability in detail
Distinction between:
1. Initial linking between the pseudonym and its holder
2. Linkability due to the use of the pseudonym across different contexts
145
Pseudonyms: Initial linking to holder
Public pseudonym: the linking between pseudonym and its holder may be publicly known from the very beginning.
Example: phone number with its owner listed in public directories
Initially non-public pseudonym: the linking between pseudonym and its holder may be known by certain parties (trustees for identity), but is not public, at least initially.
Examples: bank account with bank as trustee for identity, credit card number ...
Initially unlinked pseudonym: the linking between pseudonym and its holder is – at least initially – not known to anybody (except the holder).
Examples: biometric characteristics; DNA (as long as no registers)
146
Pseudonyms: Use across different contexts => partial order
[Figure: partial order with, from weakest to strongest unlinkability: number of an identity card, social security number, bank account; pen name, employee identity card number; customer number; contract number; one-time password, TAN, one-time use public-key pair]
A → B stands for "B enables stronger unlinkability than A"
147
Notations: transfer of a signed message from X to Y
functional notation: signing the message M: sA(M); X sends M, sA(M) to Y; Y tests the signature: tA(M, sA(M)) ∈ {ok, false}?
graphical notation: sender X → document M → recipient Y; the signature is tested with the public test key pA
148
Authenticated anonymous declarations between business partners that can be de-anonymized
[Figure: user X and user Y know each other only under the pseudonyms pG(X,g) and pG'(Y,g). Trusted third party A (trustee for identities) holds X's identification document and issues a confirmation document for pG(X,g), tested with pA; trusted third party B does the same for pG'(Y,g), tested with pB; X and Y exchange declarations under these pseudonyms, which A and B can de-anonymize]
Generalization:
X – B1 – B2 – ... – Bn – Y, in parallel B'1 – B'2 – ... – B'm
error / attack tolerance (cf. MIXes)
149
Security for completely anonymous business partners using active trustee who can check the goods
[Figure: customer X (pseudonym pK(X,g)), merchant Y (pseudonym pL(Y,g)) and trustee T (pT). [1] order; [2] order of the customer to T (money is deposited); [3] delivery to the trustee, checked by T; [4] delivery to the customer; [5] "money" for the merchant]
150
Security for completely anonymous business partners using active trustee who can not check the goods
[Figure: as on the previous slide, but the delivery is routed via a distributor: [3] delivery to the trustee; [4] delivery to the customer; [4.1] wait; [5] "money" for the distributor]
151
Security for completely anonymous business partners using active trustee who can (not) check the goods
[Figure: combined version with T as trustee for values; steps [1] to [5] as before, ([4.1] wait) optional]
153
Anonymously transferable standard values
[Figure: an anonymously transferable standard value (e.g. 10 $) with value number vn, its current owner (digital pseudonym) and the list of former owners: digital pseudonym 1, transfer order 1; digital pseudonym 2, transfer order 2; digital pseudonym 3, transfer order 3; …]
154
Bitcoin – a decentralized payment system
[Satoshi Nakamoto: Bitcoin: A Peer-to-Peer Electronic Cash System. 2008]
• Key feature: Bitcoin transfer between pseudonyms (Bitcoin addresses)
• Bitcoin pseudonym ≡ public key of ECDSA
• Sender signs transfer
• Double spending protection:
– Bitcoin network keeps history of all transactions
– Transactions have timestamps ⇒ only the oldest is valid
• Bitcoin network works as "distributed time server"
– Binding of transaction and timestamp: "proof-of-work":
• search for z: Hash(Transaction, Timestamp, z) = 00000… (0|1)* < w
• w adjusted over time
• https://www.blockchain.info
155
Basic scheme of a secure and anonymous digital payment system
[Figure: payer X, recipient Y and witness B. [1] choice of pseudonyms: X uses pZ(X,t) towards Y and pZB(X,t) towards B, Y uses pE(Y,t) towards X and pEB(Y,t) towards B. Authentication of ownership (signed by B, tested with pB): "pZB(X,t) owns the right". [2] transfer order of the payer (signed under pZB(X,t)): "transfer the right to pEB(Y,t)". [3] authentication by the witness (pB): "pEB(Y,t) owns the right, got from pZB(X,t)". [4] receipt for the payer (signed under pE(Y,t)): "have got the right from pZ(X,t)". [5] authentication for the recipient (signed under pZ(X,t)): "have transferred the right to pE(Y,t)".]
156
Transformation of the authentication by the witness
[Figure: as on slide 155, plus step [6]: the witness issues "pZB(Y,t+1) owns the right" (tested with pB), so that Y can act as payer under the fresh pseudonym pZB(Y,t+1) in the next round]
Transformation of the authentication by the witness: simplified steps
[Figure: steps [0] to [4] with a value of EUR 10: the payer Y holds "EUR 10" authenticated by the witness B (pB); B transforms it into "EUR 10" authenticated for the recipient Z, who again holds it under pB]
159
The next round: Y in the role payer to recipient Z
[Figure: as on slide 155 with Y as payer (pseudonyms pZ(Y,t+1) towards Z, pZB(Y,t+1) towards B) and Z as recipient (pE(Z,t+1), pEB(Z,t+1)). [0] "pZB(Y,t+1) owns the right" (pB) from the previous round; [1] choice of pseudonyms; [2 new] transfer order of the payer: "transfer the right to pEB(Z,t+1)"; [3] authentication by the witness: "pEB(Z,t+1) owns the right, got from pZB(Y,t+1)"; [4] receipt for the payer: "have got the right from pZ(Y,t+1)"; [5] authentication for the recipient: "have transferred the right to pE(Z,t+1)"]
160
Signature system for signing blindly
[Figure: key generation from a random number yields the key s for signing (kept secret) and the key t for testing of the signature (publicly known). The recipient blinds the text x with a random number z' into z'(x) and sends it to the signer; signing returns the blinded text with signature z'(x), s(z'(x)); the recipient unblinds and tests and obtains the text with signature and test result x, s(x), "pass" or "fail"]
161
RSA as digital signature system with collision-resistant hash function h
key generation (from security parameter l and a random number): p, q prime numbers; n := p·q; t with gcd(t, (p−1)(q−1)) = 1; s ≡ t^{−1} mod (p−1)(q−1)
key for testing of signature, publicly known: t, n
key for signing, kept secret: s, n
signing: text x → text with signature x, (h(x))^s mod n
test: h(1. comp.) ≡ (2. comp.)^t mod n ? → text with signature and test result x, (h(x))^s mod n, "pass" or "fail"
162
One time convertible authentication
Issuer (i.e. witness): RSA test key t, n publicly known; collision-resistant hash function h
Recipient: chooses pseudonym p (test key of an arbitrary signature system), forms (p, h(p)), chooses r ∈_R Z*_n and sends (p, h(p))·r^t
Issuer: signs blindly, ((p, h(p))·r^t)^s = (p, h(p))^s·r, and returns it
Recipient: multiplies with r^{−1} and gets (p, h(p))^s
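The one-time convertible authentication with the blind RSA signature of slides 160 to 162, as an added Python example (not from the lecture); the modulus 2147483647·1000000007, the public test key t = 65537 and the 24-bit truncation of SHA-256 as h are toy choices:

```python
"""Blind RSA signature on (p, h(p)): the issuer signs a pseudonym it never sees.
Added example, not lecture code. The modulus, the 4-byte pseudonyms and the
24-bit hash are toy sizes (constructed) so that (p, h(p)) stays below n."""
import hashlib
import random
from math import gcd

P, Q = 2147483647, 1000000007   # both prime; far too small for real use
N = P * Q
PHI = (P - 1) * (Q - 1)
T = 65537                        # test key t, publicly known
assert gcd(T, PHI) == 1
S = pow(T, -1, PHI)              # signing key s, kept by the issuer


def h(pseudonym):
    """Collision-resistant hash stand-in: SHA-256 truncated to 24 bits."""
    return int.from_bytes(hashlib.sha256(pseudonym).digest()[:3], "big")


def encode(pseudonym):
    """(p, h(p)) as one integer: 32-bit pseudonym followed by its 24-bit hash."""
    assert len(pseudonym) == 4
    return (int.from_bytes(pseudonym, "big") << 24) | h(pseudonym)


def blind(msg, rng):
    """Recipient: choose r in Z*_n and send msg * r^t mod n, which is uniformly
    distributed and so reveals nothing about msg to the issuer."""
    r = rng.randrange(2, N)
    while gcd(r, N) != 1:
        r = rng.randrange(2, N)
    return msg * pow(r, T, N) % N, r


def sign_blinded(blinded):
    """Issuer (witness): (msg * r^t)^s = msg^s * r mod n, since r^(t*s) = r."""
    return pow(blinded, S, N)


def unblind(blinded_signature, r):
    """Recipient: multiply with r^-1 to obtain msg^s mod n."""
    return blinded_signature * pow(r, -1, N) % N


def verify(pseudonym, signature):
    """Anyone: signature^t mod n must equal (p, h(p)); h(p) ties it to p."""
    return pow(signature, T, N) == encode(pseudonym)


def issue(pseudonym, rng):
    """Whole exchange; returns the unblinded signature and what the issuer saw."""
    blinded, r = blind(encode(pseudonym), rng)
    return unblind(sign_blinded(blinded), r), blinded
```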
163
Secure device: 1st possibility
[Figure: as on slide 155, with the witness B realized as a secure device; steps [1] to [5] and the authentications under pZB(X,t), pEB(Y,t), pZ(X,t), pE(Y,t) and pB are unchanged]
164
Secure device: 2nd possibility
[Figure: as on slide 155, with the witness B as a secure device; annotation: sym. encryption system suffices]
165
Secure and anonymous digital payment system with accounts
[Figure: as on slide 155, extended with accounts: the payer X holds an account under pK(X) and withdraws under pout(X,t) ([1.1], [1.2], [1.3]); the recipient Y receives under pin(Y,t) and deposits to the account under pK(Y) ([6], [7], [8]); steps [1] to [5] with the witness B as before]
166
Offline payment system
Payment systems with security by deanonymizability

k      security parameter
I      identity of the entity giving out the banknote
r_i    randomly chosen (1 ≤ i ≤ k)
C      commitment scheme with information theoretic secrecy

blindly signed banknote:
  s_Bank(C(r_1), C(r_1 ⊕ I), C(r_2), C(r_2 ⊕ I), ..., C(r_k), C(r_k ⊕ I))
For each i the recipient decides whether he wants r_i or r_i ⊕ I to be revealed (and opened).
(The one-time pad preserves anonymity: a single value r_i or r_i ⊕ I says nothing about I.)

Hand-over to two honest recipients:
  probability (∃ i : bank gets to know r_i and r_i ⊕ I) ≥ 1 − e^{−c·k}
(with independent, uniformly random choices this is 1 − 2^{−k}),
so the original owner is identifiable: I = r_i ⊕ (r_i ⊕ I).
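The double-spending detection above as an added Python example (not from the lecture). It shows the withdrawal, two hand-overs with different challenges, and the bank recovering I. Assumptions: the information-theoretically hiding commitment of the slide is replaced by a plain hash commitment (only computationally hiding, enough to show the mechanism), the bank's blind signature over the note is omitted, and I is an 8-byte constructed identity.

```python
import hashlib
import secrets

K = 32          # security parameter k: number of pairs in a note
ID_LEN = 8      # length of the identity I in bytes (constructed)


def commit(value: bytes):
    """Hash commitment, stand-in for the slide's C: returns (commitment, opening)."""
    opening = secrets.token_bytes(32)
    return hashlib.sha256(opening + value).digest(), opening


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def withdraw(identity: bytes, k: int = K):
    """Customer prepares a banknote: k pairs C(r_i), C(r_i XOR I).
    Returns the note (commitments only) and the customer's secrets."""
    assert len(identity) == ID_LEN
    note, secret = [], []
    for _ in range(k):
        r = secrets.token_bytes(ID_LEN)
        c0, o0 = commit(r)
        c1, o1 = commit(xor(r, identity))
        note.append((c0, c1))
        secret.append((r, o0, o1))
    return note, secret


def spend(note, secret, identity: bytes, challenge):
    """Hand-over: the recipient's challenge bit i selects whether r_i (0) or
    r_i XOR I (1) is revealed together with its opening. Returns the transcript."""
    transcript = []
    for i, bit in enumerate(challenge):
        r, o0, o1 = secret[i]
        transcript.append((0, r, o0) if bit == 0 else (1, xor(r, identity), o1))
    return transcript


def verify_transcript(note, transcript) -> bool:
    """Recipient: every revealed value must open the commitment it claims to open."""
    for (c0, c1), (bit, value, opening) in zip(note, transcript):
        if hashlib.sha256(opening + value).digest() != (c0, c1)[bit]:
            return False
    return True


def random_challenge(k: int = K):
    return [secrets.randbelow(2) for _ in range(k)]


def identify_double_spender(transcript_a, transcript_b):
    """Bank: the same note deposited twice. If the challenges differ at some i,
    both r_i and r_i XOR I are known and I = r_i XOR (r_i XOR I).
    Returns I, or None if both recipients asked for exactly the same values."""
    for (bit_a, val_a, _), (bit_b, val_b, _) in zip(transcript_a, transcript_b):
        if bit_a != bit_b:
            return xor(val_a, val_b)
    return None
```

With honest recipients drawing their challenges at random, the bank fails to find a differing position only with probability 2^-k; a single transcript never contains both halves of a pair, so an honest payer stays anonymous.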
168
Personal identifier                 Role pseudonyms
                                    (business-relationship and transaction pseudonyms)
845 authorizes A: ___               762 authorizes A: ___
A notifies 845: ___                 A notifies 762: ___
845 pays B €                        451 pays B €
B certifies 845: ___                B certifies 451: ___
                                    B certifies 314: ___
C pays 845 €                        C pays 314 €
169
Identity management
• Conventional implementation: one identity per user, carrying all attributes:
  phone number, tax class, account number, e-mail, driver's licence, name, age, address
  Essential problem: linkability of the data records

Privacy-compliant identity management
  ⇒ several partial identities p1, ..., p5 per user, each containing only the subset of attributes a relation needs (e.g. name and e-mail; driver's licence; age; tax class and account number; name, address and e-mail)
  ⇒ management under the control of the user
171
Techniques – pseudonyms
• Providing a service often requires only a few data items.
• Giving the required data under a pseudonym prevents unnecessary linkability to other data of the user.
• Different actions are initially not linkable when different pseudonyms (p1, p2) are used.
Example: car rental
  required data item: possession of a valid driver's licence for the desired car
172
Anonymous credentials
• Credential = certification of user properties (e.g. "user holds a driving licence")
• Flow:
  – an organisation issues the credential
  – the user shows the credential to a service provider
• Properties:
  – the user can use the credential under different pseudonyms (by converting it)
  – when the same credential is used under different pseudonyms, neither the service provider nor the issuing organisation can tell whether it was the same user.
Figure: the organisation publishes the credential types and issues the credential to the user; the user shows the credential to the service provider.
173
Techniques – certificates in the form of anonymous credentials
Figure: the certificate-issuing organisation certifies "user A holds a driving licence"; towards the service provider, each of the users A, B, ..., X shows only "I hold a driving licence".
174
FUNCTIONS OF THE NEW ELECTRONIC IDENTITY CARD (nPA)
175
New: chip inside the identity card
  ⇒ wireless communication by means of RFID technology
176
New functions of the nPA
• The chip stores (forgery-proof) the information printed on the card
  – optional: fingerprints
• The chip enables an authentic exchange of information between the card (holder) and a service provider on the Internet
  – the card (holder) is recognised by means of a service-specific pseudonym
• The chip enables the secure storage of digital certificates and the digital signing of electronic documents
  – signature certificates still have to be bought from private providers, as before
177
Secured communication between card and service provider
Figure: user – Internet – service provider
• The service provider transmits an authorisation certificate
  – it contains which data are requested
178
Procedure for granting an authorisation certificate
• The application has to state:
  – information about the provider
  – which data are read out
  – for which purposes the data are read out
• involved: data protection officer / data protection supervisory authority
[http://www.personalausweisportal.de]
179
Secured communication between card and service provider (continued)
Figure: user – Internet – service provider
• The service provider transmits an authorisation certificate, which contains which data are requested
• The user decides whether he wants to transmit the data for the stated purposes
  – confirmation by means of a 6-digit PIN
  – risk: the PIN is entered on the computer when a simple reader (without keypad & display) is used
180
Privacy-friendly functions
• Pseudonym function
  – generation of a random pseudonym that is unique per provider and card
  – purpose:
    · secure recognition – replaces a self-chosen login/password
    · prevention of multiple registrations at services
  – implementation: pseudonym = f(card secret, provider identifier)
  – note: the card secret cannot be computed back from the pseudonym and the provider identifier
• Age and residence confirmation
  – only a "yes"/"no" decision about the requested comparison value is transmitted
  – example: over 18? lives in Saxony?
  – no transmission of the complete address / age
181
Current applications
• List of currently usable applications: http://www.ccepa.de/onlineanwendungen
• Deutsche Rentenversicherung: viewing the pension account; arranging a counselling appointment
• HUK24, CosmosDirekt, Schufa: new customer registration / login
• Information on points in the central traffic register (VZR)
184
Cryptography and the impossibility of its legal regulation
• Cryptography (you already know)
• Steganography
• Proposals to regulate cryptography
• Technical limits of regulating cryptography
  – Secure digital signatures → Secure encryption
  – Key Escrow encryption without permanent surveillance → Encryption without Key Escrow
  – Symmetric authentication → Encryption
  – Multimedia communication → Steganography
  – Keys for communication and secret signature keys can be replaced at any time → Key Escrow to backup keys is nonsense
• Proposals to regulate cryptography harm the good guys only
185
Steganography
Figure: the sender embeds the secret message emb into the cover using the key; the result is the stegotext (cover*, the modified cover). The recipient extracts emb from the stegotext with the same key. The attacker sees only the stegotext.
186
Steganography
Figure: the same model (key, cover, emb → embedding → stegotext → extracting → emb); sender and recipient each sit in a domain of trust, the channel between them, where the attacker observes the stegotext, is the area of attack.
187
Steganography
Steganography: Secrecy of secrecy
Figure: the same model (key, cover, emb → embedding → stegotext → extracting → emb) with the requirements of this application:
• attacker: passive, makes no changes to the stegotext
• cover*: exactly the same as the cover, ideally
• stegotext: the embedding cannot be detected
• emb: as much as possible
188
Steganography
Steganography: Watermarking and Fingerprinting
Figure: the same model with emb = copyright information, and different requirements:
• attacker: may make possibly severe changes to the stegotext
• extracted emb*: need not be exact, correlation is enough (the slide shows "co?yr?ght ?nfo??.")
• emb: some 100 bit are enough
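"Correlation is enough" in working form, as an added Python example (not from the lecture): a keyed ±1 pattern is added to a constructed signal, an attacker who does not know the key adds heavy noise and re-quantises, and the detector still finds the mark by correlating with the pattern, while a wrong key gives a score near zero. The spread-spectrum embedding, the strength, threshold and the keyed PRNG standing in for a keyed CSPRNG are assumptions made here.

```python
import random

N = 5000          # samples in the constructed cover signal
ALPHA = 10        # embedding strength
THRESHOLD = 5.0   # decision threshold on the correlation score


def pattern(key: int, n: int = N):
    """Keyed pseudo-random +/-1 pattern (the watermark carrier)."""
    rng = random.Random(key)
    return [1 if rng.random() < 0.5 else -1 for _ in range(n)]


def make_cover(seed: int = 1, n: int = N):
    """Constructed cover: pseudo-random 8-bit samples standing in for image data."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(n)]


def embed(cover, key: int, alpha: int = ALPHA):
    """Spread-spectrum embedding: add alpha * w_i to every sample."""
    return [c + alpha * w for c, w in zip(cover, pattern(key, len(cover)))]


def attack(signal, seed: int = 7, amplitude: int = 60):
    """Severe changes by someone without the key: uniform noise of +/- amplitude
    on every sample, then re-quantisation to steps of 4."""
    rng = random.Random(seed)
    return [4 * round((x + rng.randint(-amplitude, amplitude)) / 4) for x in signal]


def correlation(signal, key: int) -> float:
    """Score = mean over i of (x_i - mean(x)) * w_i. Roughly alpha when the mark
    is present, roughly 0 (+/- std(x)/sqrt(N)) when it is not."""
    mean = sum(signal) / len(signal)
    w = pattern(key, len(signal))
    return sum((x - mean) * wi for x, wi in zip(signal, w)) / len(signal)


def detect(signal, key: int, threshold: float = THRESHOLD) -> bool:
    return correlation(signal, key) > threshold
```

The noise and the cover both average out in the sum because they are uncorrelated with the key pattern, whereas the mark adds coherently; that is what makes a few hundred bits, or here one bit "present/absent", survive changes far larger than the mark itself.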
189
Proposals to regulate cryptography ?
• Would you regulate cryptography to help fight crime?
• If so: how?
190
Proposals to regulate cryptography !
• Outlaw encryption
• Outlaw encryption – with the exception of small key lengths
• Outlaw encryption – with the exception of Key Escrow or Key Recovery systems
• Publish public encryption keys only within a PKI if the corresponding secret key is escrowed
• Obligation to hand over the decryption key to law enforcement during a legal investigation
191
Secure digital signatures → Secure encryption

A generates a signature key pair (sA, tA) and an encryption key pair (cA, dA).
1. A sends its test key tA to the CA.
2. The CA checks that tA is the test key of A.
3. The CA returns the certificate sCA(A, tA).
A then sends sA(A, cA) to B, i.e. certifies its own encryption key with its certified signature key.
B tests the CA certificate and A's certificate and sends cA(secret message).

A does not need a certificate for cA issued by the CA.
192
Key Escrow encryption without permanent surveillance → Encryption without Key Escrow

A → B: kesc(A, cA)              (A's own, non-escrowed public encryption key, sent under the escrowed system kesc)
A → B: cA(secret message)       (from here on encrypted without Key Escrow)
193
Key Escrow encryption without permanent surveillance

A → B: kesc(A, cA)
A → B: kesc(cA(secret message))

Employ Key Escrow additionally, to keep your encryption without Key Escrow secret.
194
Key Escrow encryption without permanent surveillance

A → B: kesc(A, cA)
A → B: kesc(cA(kAB), kAB(secret message))

Hybrid encryption can be used.
195
Key Escrow encryption without permanent surveillance

A → B: kesc(A, kAB)
A → B: kesc(kAB(secret message))

If surveillance is not done, or even cannot be done retroactively, symmetric encryption alone does the job.
196
Symmetric authentication → Encryption

Sender A (knows k_AB)                                    Recipient B (knows k_AB)

Let the message to be transmitted be b_1, ..., b_n with b_i ∈ {0, 1}.
A computes MAC_1 := code(k_AB, b_1) ... MAC_n := code(k_AB, b_n).
Let a_1, ..., a_n be the bitwise inverted message.
A chooses random MAC'_1 ... MAC'_n with MAC'_1 ≠ code(k_AB, a_1) ... MAC'_n ≠ code(k_AB, a_n)
(falsely authenticated messages: A forms them and intermingles them with the genuine ones).
A transmits (the set braces mean "random order"):
  {(b_1, MAC_1), (a_1, MAC'_1)} ... {(b_n, MAC_n), (a_n, MAC'_n)}   ––––––––>
B separates: tests whether {MAC_1 = code(k_AB, b_1) or MAC'_1 = code(k_AB, a_1)} and accepts the matching value b_1,
  ..., tests whether {MAC_n = code(k_AB, b_n) or MAC'_n = code(k_AB, a_n)} and accepts the matching value b_n.

(In practice the authenticator must also cover the position i, as in Rivest's paper: with only the bit as input there would be just two genuine MAC values, repeating at every position and standing out from the random MAC'_i.)

Ronald L. Rivest: Chaffing and Winnowing: Confidentiality without Encryption; MIT Lab for Computer Science, March 22, 1998; http://theory.lcs.mit.edu/~rivest/chaffing.txt
197
Symmetric authentication → Encryption

Sender A (knows k_AB)           Complement generator           Recipient B (knows k_AB)

A: let the message to be transmitted be b_1, ..., b_n with b_i ∈ {0, 1}.
   Computes MAC_1 := code(k_AB, b_1) ... MAC_n := code(k_AB, b_n) (again covering the sequence number in practice).
   Transmits (1, b_1, MAC_1), ..., (n, b_n, MAC_n)   ––––––>
Complement generator (forms and intermingles falsely authenticated messages without knowing the key):
   listens to the message b_1, ..., b_n; forms a_1, ..., a_n, the bitwise inverted message;
   chooses random MAC'_1 ... MAC'_n and mixes (1, a_1, MAC'_1), ..., (n, a_n, MAC'_n) into sender A's message stream at the matching positions;
   transmits the mixture   ––––––>
Eavesdropper: cannot distinguish a_i and b_i.
B (separates): normal authentication protocol; ignores messages with a wrong sequence number; ignores messages with a wrong authenticator; passes the remaining ones on.
   Received with greatest probability: b_1, ..., b_n.
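Both variants of chaffing and winnowing from the two slides above, as an added Python example (not from the lecture or from Rivest's paper): the sender-side version, in which A itself adds the complement bits with non-verifying MACs, and the third-party version, in which a complement generator without the key inserts chaff into A's authenticated stream. HMAC-SHA256 truncated to 8 bytes as the authenticator and the packet format (i, bit, tag) are assumptions made here; the authenticator covers the sequence number for the reason given on the slide.

```python
import hmac
import hashlib
import secrets

TAG_LEN = 8   # bytes of authenticator sent per bit (truncated HMAC-SHA256)


def new_key() -> bytes:
    return secrets.token_bytes(32)


def code(key: bytes, i: int, bit: int) -> bytes:
    """Authenticator for bit i. It covers the sequence number as well as the bit,
    otherwise only two genuine tag values would exist and they would be recognisable."""
    data = i.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def authenticate(key: bytes, bits):
    """Sender A: (i, b_i, MAC_i) for every bit; nothing is encrypted."""
    return [(i, b, code(key, i, b)) for i, b in enumerate(bits)]


def chaff_by_sender(key: bytes, bits):
    """Slide 196: A adds (i, a_i, MAC'_i) with a_i = 1 - b_i and a random
    MAC'_i != code(k_AB, i, a_i), and sends each pair in random order."""
    rng = secrets.SystemRandom()
    stream = []
    for i, b, tag in authenticate(key, bits):
        a = 1 - b
        fake = secrets.token_bytes(TAG_LEN)
        while fake == code(key, i, a):          # MAC'_i must not verify
            fake = secrets.token_bytes(TAG_LEN)
        pair = [(i, b, tag), (i, a, fake)]
        rng.shuffle(pair)
        stream.extend(pair)
    return stream


def chaff_by_third_party(stream):
    """Slide 197: a complement generator without the key inserts the inverted bit
    with a random tag next to each genuine packet."""
    rng = secrets.SystemRandom()
    mixed = []
    for i, b, tag in stream:
        pair = [(i, b, tag), (i, 1 - b, secrets.token_bytes(TAG_LEN))]
        rng.shuffle(pair)
        mixed.extend(pair)
    return mixed


def winnow(key: bytes, stream, n: int):
    """Recipient B: keep a packet only if its sequence number is valid and its
    authenticator verifies; everything else is chaff and is ignored."""
    out = [None] * n
    for i, b, tag in stream:
        if 0 <= i < n and hmac.compare_digest(tag, code(key, i, b)):
            out[i] = b
    return out
```

An eavesdropper sees, for every position, one packet with bit 0 and one with bit 1, each carrying an 8-byte tag, and without k_AB has no way to tell which tag is genuine; this is why a regulation that permits authentication but forbids encryption cannot achieve its aim.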
198
Key exchange for steganography ?
Exchanging keys outside the communication network is easy for small closed groups, in particular it is easy for criminals and terrorists.
Large open groups need a method of key exchange which works without transmitting suspicious messages within the communication network – asymmetric encryption cannot be used directly for key exchange.
Solution:
Diffie-Hellman Public-Key Agreement
Uses the public keys of a commonly used digital signature system (DSS, developed and standardized by NSA and NIST, USA)
199
Key exchange without message exchange
Diffie-Hellman Public-Key Agreement
  secret: x (first party), y (second party)
  public: g^x, g^y
  (g^y)^x = g^{yx} = g^{xy} = (g^x)^y
200
Key exchange for steganography !
Diffie-Hellman Public-Key Agreement
  secret: x, y
  public: g^x, g^y
  (g^y)^x = g^{yx} = g^{xy} = (g^x)^y
Figure: the steganography model (key, cover, emb → embedding → stegotext → extracting → emb, attacker on the channel) with the key derived from the agreed value: key = f(S, g^{xy}) on the sender's side and key = f(C, g^{yx}) on the recipient's side.
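The two slides above, and the steganography model of slides 185 to 187, as one added Python example (not from the lecture): both parties agree a key from published values g^x, g^y without any message, derive the stego key from g^xy, and the sender hides a message in the least significant bits of key-selected samples of a constructed cover, which the recipient extracts with the same key. Assumptions made here: the toy group p = 2^127 − 1, g = 3 (a real deployment uses a standardised safe-prime group or a curve), SHA-256 as the derivation function f, LSB embedding with a 16-bit length prefix, and a keyed PRNG standing in for a keyed CSPRNG when choosing positions.

```python
import hashlib
import random
import secrets

# Toy DH group, constructed for this example.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Secret x, public g^x. The public value can be published long in advance,
    so agreeing a key needs no message between the parties."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(secret: int, other_public: int) -> int:
    """(g^y)^x = g^xy = (g^x)^y."""
    return pow(other_public, secret, P)


def stego_key(shared: int) -> bytes:
    """f(., g^xy): derive the embedding key from the agreed value."""
    return hashlib.sha256(b"stego-key" + shared.to_bytes(16, "big")).digest()


def _order(key: bytes, n: int):
    """Key-dependent permutation of the cover positions."""
    perm = list(range(n))
    random.Random(int.from_bytes(key, "big")).shuffle(perm)
    return perm


def embed(key: bytes, cover: bytes, emb: bytes) -> bytes:
    """Embedding: a 16-bit length and the message go into the least significant
    bits of key-selected samples; the stegotext differs from the cover by <= 1 per sample."""
    payload = len(emb).to_bytes(2, "big") + emb
    bits = [(byte >> (7 - j)) & 1 for byte in payload for j in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for the message")
    stego = bytearray(cover)
    for pos, bit in zip(_order(key, len(cover)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(key: bytes, stego: bytes):
    """Extracting: read the LSBs at the same positions; None if no message fits."""
    bits = [stego[pos] & 1 for pos in _order(key, len(stego))]

    def byte_at(k):
        return int("".join(str(b) for b in bits[8 * k:8 * k + 8]), 2)

    if len(bits) < 16:
        return None
    length = (byte_at(0) << 8) | byte_at(1)
    if 16 + 8 * length > len(bits):
        return None
    return bytes(byte_at(2 + k) for k in range(length))


def make_cover(seed: int, n: int) -> bytes:
    """Constructed cover: pseudo-random 8-bit samples standing in for image data."""
    return bytes(random.Random(seed).randint(0, 255) for _ in range(n))
```

Plain LSB replacement is detectable by statistical steganalysis on real images; the point of the example is the key flow, not the embedding strength. A secret-signature-key-only regulation cannot prevent this exchange because the only things sent are public keys of the signature system and an innocuous-looking cover.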
201
Summary
  Digital Signatures → Encryption
  Key Escrow without permanent surveillance → Key exchange, multiple encryption
  Multimedia communication → Steganography
Cryptoregulation ignores technical constraints
202
Losing secret keys

Communication (A, B, CA):
  Authentication: generate new key(s) and exchange them using the CA
  Encryption: generate new key(s) and exchange them
  Authenticate/encrypt and transmit the message(s) once more
  Digital signature: already generated digital signatures can still be tested; generate a new key pair for new digital signatures and, if you like, have your new public key certified
  ⇒ Exchanging new keys is more efficient and more secure than Key Recovery
  ⇒ Key Recovery for communication is nonsense

Long-term storage:
  Symmetric authentication, encryption: Key Recovery makes sense
203
Key Recovery – for which keys ?

                                          protecting communication          long-term storage
Encryption                                Key Recovery unnecessary,         Key Recovery
Authentication, symmetric (MACs)          but an additional security risk   functionally useful
Authentication, asymmetric (dig. signature)   (already generated signatures can still be tested; no Key Recovery needed)
204
Proposals to regulate cryptography harm the good guys only
• Outlaw encryption → Steganography
• Outlaw encryption – with the exception of small key lengths → In addition steganography
• Outlaw encryption – with the exception of Key Escrow or Key Recovery systems → Use the Key Escrow or Key Recovery system for bootstrap
• Publish public encryption keys only within a PKI if the corresponding secret key is escrowed → Run the PKI for your public encryption keys yourself
• Obligation to hand over the decryption key to law enforcement during a legal investigation → Calculate a one-time pad accordingly
205
(Im-)Possibility to regulate anonymous/pseudonymous communication
• Explicit techniques (you already know the theory): Anon-Proxies, MIXes (Cascade: AN.ON; P2P: TOR)
• Workarounds
All this exists abroad without regulation – as long as we do not have a global home policy.
206
(Im-)Possibility to regulate anonymous/pseudonymous communication
But even domestic: public phones, prepaid phones, open unprotected WLANs, insecure Bluetooth mobile phones, ...
Data retention is nearly nonsense, since "criminals" will use workarounds, cf. above.
207