Transcript Document

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms
David Chaum
CACM Vol. 24 No. 2, February 1981
Presented by: Adam Lee
1/24/2006
Motivation
- Many uses for anonymous communication channels
  - Elections
  - Anonymous crime tips
  - Whistle-blowing
  - Etc.
- Standard mail offers some guarantees of anonymity; why not email too?
Contributions
- Cryptographic protocols to support an anonymous email system
  - Keep the sender anonymous w.r.t. both the receiver and other parties in the network
  - Allow the receiver to reply to the sender without learning the sender's identity
- The protocol can also be used to form anonymous and verifiable rosters
  - E.g., for an electronic election
Historical Perspective, 1979
- Cryptography had been around for millennia
  - Usually required the use of shared secrets
- Paradigm shift: late 1970s
  - Diffie & Hellman, "New Directions in Cryptography" (1976)
  - RSA cryptosystem (1977)
  - These advances let strangers establish shared keys (secrets) without a prior secure channel, which is exactly what a mail system routed through untrusted intermediaries needs
Notation
- Keys in a public-key cryptosystem
  - Public key: K
  - Private key: K^-1
- Encryption of x with K is denoted K(x)
- Keys are inverses
  - i.e., K^-1(K(x)) = K(K^-1(x)) = x
Operations
- To prevent certain attacks, Chaum advocates random padding before encryption
  - i.e., use K(R, x), where R is a random string, rather than K(x) to encrypt x
  - Since K is public, anyone could otherwise encrypt a guessed x and compare it with the ciphertext; R also makes two encryptions of the same x look unrelated, which the mix relies on
- When signing, first pad with some known constant
  - i.e., K^-1(C, y), where C is a known constant; the constant gives the verifier redundancy to check after applying K
Chaum's Assumptions
- The cryptosystem can't be broken
- Anyone can observe all links in the system
  - The so-called "global passive adversary"
- Anyone can inject, replay, remove, or modify messages
  - Essentially the Dolev-Yao active attacker model (which Dolev and Yao didn't publish until 1983)
Sending Anonymous Mail
- Rather than sending mail directly to the recipient, send it to a mix
- Principle: reduce the correspondence between the input and output sets
  - A mix collects a batch of items, strips one layer of encryption from each, discards repeats, and outputs the batch in an order unrelated to arrival order (Chaum uses lexicographic order of the outputs)
  - This fools a global passive adversary, who sees every link but can't match inputs to outputs
- What about keeping the message private?
The Crypto!
- Players (and their public keys)
  - Mixes (Kn)
  - Recipient A (Ka)
- One-mix protocol
  - Sender -> Mix: K1(R1, Ka(R0, M), A)
  - Mix -> A: Ka(R0, M)
  - The mix decrypts with K1^-1, discards R1, and forwards the inner item to A
- Use of public-key crypto hides the message from the mix and from nosy parties on the Internet
Cascade Mix Example
- Protocol
  - Sender -> Mix n: Kn(Rn, Kn-1(Rn-1, ..., K2(R2, K1(R1, Ka(R0, M), A), A1) ..., An-2), An-1)
  - Mix n -> Mix n-1: Kn-1(Rn-1, ..., K2(R2, K1(R1, Ka(R0, M), A), A1) ..., An-2)
  - ...
  - Mix 2 -> Mix 1: K1(R1, Ka(R0, M), A)
  - Mix 1 -> A: Ka(R0, M)
- As long as any single mix in the cascade remains uncompromised, the correspondence between the sender's input and the cascade's output stays hidden (Chaum's claim for cascades); a compromised mix can still drop or delay mail, but the message content is protected by Ka regardless
Observations
- At each step in the cascade, the current mix
  - Peels off one layer of encryption
  - Discovers a forwarding address
  - Passes the message along
- So each mix only knows where a message came from and where it's going next
- Note the similarities to later systems such as onion routing, Crowds, etc.
Return to Sender
- This is all fine and good for one-way email (anonymous threats and the like), but how can we arrange responses?
- Embed an untraceable return address!
  - Format: K1(R1, AX), KX
  - AX is X's real address; KX is a temporary public key X generates for this reply
  - X keeps R1: the mix will also use it as a key to re-encrypt the reply (see the example)
Example
- Protocol:
  - X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
  - Mix -> Y: KY(R0, M1), K1(R1, AX), KX
  - Y -> Mix: K1(R1, AX), KX(R2, M2)
  - Mix -> X: R1(KX(R2, M2))
- Note 1: the mix recovers R1 from the return address and uses it as a key to re-encrypt the forwarded reply, so the reply leaving the mix looks nothing like the one that entered it (no I/O correspondence); X knows R1, strips that layer, and decrypts with KX^-1
- Note 2: return addresses can be cascaded just like messages
- Note 3: responses are clearly different from initial messages
Possible Attack (not in paper)
- Note that K1(R1, AX) and KX aren't bound to each other
- A malicious mix can read reply messages by carrying out a man-in-the-middle attack
- With email, replies very often quote the original message, so this can expose M1 as well as M2
Attack Example
- X -> Mix: K1(R1, KY(R0, M1), AY), K1(R1, AX), KX
- Mix -> Y: KY(R0, M1), K1(R1, AX), KX'
  - Note the substituted ephemeral public key KX', whose private key the mix holds
- Y -> Mix: K1(R1, AX), KX'(R2, M2)
- The mix can unpack this message, read M2, and re-encrypt it using KX
- Mix -> X: R1(KX(R2, M2))
  - X receives a well-formed reply and has no way to notice the substitution
A Simple Solution
- To prevent the previously mentioned attack, we need only change the first message of the protocol
  - X -> Mix: K1(R1, KY(R0, KX, M1), AY), K1(R1, AX), KX
- This allows Y to verify that the mix didn't change KX: Y compares the KX found inside KY(R0, KX, M1) with the KX delivered alongside the return address and refuses to reply if they differ
- The mix can't read or alter anything encrypted with KY, since it lacks KY^-1
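The one-mix protocol, the cascade, the return-address round trip, the KX substitution attack and the binding fix from the preceding slides, as an added executable model. This is example code written for this page, not code from the slides or from Chaum's paper, and it assumes toy cryptography throughout: an ElGamal-style hybrid scheme over the prime 2^255 - 19 with generator 2 stands in for K(.) and K^-1(.), an HMAC-SHA256 keystream stands in for the symmetric R1(.) operation, and the function names (seal, unseal, build_onion, mix_forward, cascade_demo, reply_exchange), addresses and messages are all constructed for the demonstration. None of it is secure; it only makes the message structure runnable.

```python
"""Toy, added model of the slides' protocols: a mix cascade, an untraceable return address,
the KX substitution attack by a malicious mix, and the fix of sealing KX under KY.
Toy crypto only (ElGamal-style hybrid over a fixed prime; HMAC-SHA256 keystream)."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # a known prime (the Curve25519 field prime), used as a toy DH modulus
G = 2             # toy generator; fine for correctness, not a security choice

def keygen():
    """Return (K, K^-1): a public value and its private exponent (the Notation slide's pair)."""
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x

def _stream(key, data):
    """XOR data with an HMAC-SHA256 counter keystream: the symmetric R(.) of the slides.
    Applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(pub, *parts):
    """K(R, x1, x2, ...): a fresh ephemeral exponent (the randomising role of Chaum's R) derives a
    one-time key that encrypts the length-prefixed parts, so equal plaintexts never collide."""
    k = secrets.randbelow(P - 2) + 1
    key = hashlib.sha256(pow(pub, k, P).to_bytes(32, "big")).digest()
    body = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return pow(G, k, P).to_bytes(32, "big") + _stream(key, body)

def unseal(priv, ct):
    """K^-1 of a sealed item: rederive the one-time key with the private exponent, split the parts."""
    key = hashlib.sha256(pow(int.from_bytes(ct[:32], "big"), priv, P).to_bytes(32, "big")).digest()
    body, parts = _stream(key, ct[32:]), []
    while body:
        ln = int.from_bytes(body[:4], "big")
        parts.append(body[4:4 + ln])
        body = body[4 + ln:]
    return parts

def build_onion(mix_pubs, mix_addrs, recip_pub, recip_addr, msg):
    """Cascade slide, sender side: Kn(Rn, ..., K2(R2, K1(R1, Ka(R0, M), A), A1), ..., An-1).
    mix_pubs[0] is mix 1 (the last hop); layers are added from the inside out."""
    layer, nxt = seal(recip_pub, secrets.token_bytes(16), msg), recip_addr
    for pub, addr in zip(mix_pubs, mix_addrs):
        layer, nxt = seal(pub, secrets.token_bytes(16), layer, nxt), addr
    return layer

def mix_forward(priv, item):
    """One mix peels one layer: drops R, learns only the next address, outputs the inner item."""
    _r, inner, addr = unseal(priv, item)
    return addr, inner

def cascade_demo(n_mixes=3):
    """Send one message through n mixes; returns (final address, what A reads, mixes in hop order)."""
    mixes = [keygen() for _ in range(n_mixes)]                  # mix 1 .. mix n
    addrs = [f"mix{i + 1}".encode() for i in range(n_mixes)]
    a_pub, a_priv = keygen()
    item = build_onion([m[0] for m in mixes], addrs, a_pub, b"A", b"hello A")
    hop, path = addrs[-1], []
    for _pub, priv in reversed(mixes):                          # mix n is the first to peel
        path.append(hop)
        hop, item = mix_forward(priv, item)
    return hop, unseal(a_priv, item)[1], path

def reply_exchange(malicious_mix, bind_key):
    """Return-address round trip X -> Mix -> Y -> Mix -> X from the Example and Attack slides.
    bind_key=True applies the fix: X seals KX inside KY(R0, KX, M1) so Y can check it."""
    m_pub, m_priv = keygen()
    x_pub, x_priv = keygen()                          # KX: temporary key pair for the reply
    y_pub, y_priv = keygen()
    evil_pub, evil_priv = keygen()                    # KX': the malicious mix's substitute
    r1, m1, m2 = secrets.token_bytes(32), b"please reply", b"here is my reply"
    kx = x_pub.to_bytes(32, "big")
    inner = [secrets.token_bytes(16)] + ([kx] if bind_key else []) + [m1]   # KY(R0, [KX,] M1)
    onion = seal(m_pub, secrets.token_bytes(16), seal(y_pub, *inner), b"AY")
    ret = seal(m_pub, r1, b"AX")                      # K1(R1, AX); X keeps R1
    # Mix -> Y: peeled message, return address, and whichever KX the mix chooses to pass on
    _r, to_y, _ay = unseal(m_priv, onion)
    kx_delivered = evil_pub.to_bytes(32, "big") if malicious_mix else kx
    parts = unseal(y_priv, to_y)
    if bind_key and parts[1] != kx_delivered:         # Y detects the swapped key and refuses
        return {"y_accepted": False, "mix_read": None, "x_got": None}
    reply = seal(int.from_bytes(kx_delivered, "big"), secrets.token_bytes(16), m2)  # KX(R2, M2)
    # Mix -> X: AX, R1(KX(R2, M2)); a malicious mix reads M2 first and re-seals it under the real KX
    r1_at_mix, _ax = unseal(m_priv, ret)
    mix_read = None
    if malicious_mix:
        mix_read = unseal(evil_priv, reply)[1]
        reply = seal(x_pub, secrets.token_bytes(16), mix_read)
    delivered = _stream(r1_at_mix, reply)
    x_got = unseal(x_priv, _stream(r1, delivered))[1]  # X strips R1 with its own copy, then KX^-1
    return {"y_accepted": True, "mix_read": mix_read, "x_got": x_got}
```

cascade_demo() shows each mix learning only the next hop while A still reads the message. reply_exchange(True, False) returns mix_read equal to M2: with KX unbound, the malicious mix reads the reply and X still receives a valid-looking message. reply_exchange(True, True) returns y_accepted False, because Y compares the KX sealed under KY with the KX delivered beside the return address and refuses to answer a mismatched one.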
Anonymous Elections
- Form a roster of pseudonyms by sending anonymous emails through a mix-net
  - Each participant submits a pseudonym (a public key) as the message, so nobody can link a pseudonym on the output list to the participant who sent it
- Output the list in a public location
- Only entities on the list can take actions in the system (e.g., cast a vote signed under their listed pseudonym)
Recommendations for an Untraceable Mail System
- To hide the number of messages sent, each participant sends the same number of messages per interval (some are dummies)
  - Cover traffic!
- To hide the number of messages received, each participant must examine (attempt to decrypt) all output messages, not just the ones known to be addressed to it
- Messages should all be the same size
  - Prevents I/O correlation by length
Implementing an Advanced Mix
- A mix with all of the following properties can be implemented using the techniques presented in this paper
- Overview
  - Break the message into fixed-size blocks
  - Each mix "pops" the first block and adds a block of junk to the end, so the item stays the same size across hops
  - Decrypt the removed block to yield a key R, which is then used to transform each remaining block of the new message
Discussion Questions
- Why wasn't Chaum's mix network ever implemented?
- How should we characterize advancements in anonymous email over the years? Technological? Responses to a better understanding of threats?
Discussion Questions (cont.)
- This article explains how anonymous rosters can be used for electronic voting. Did Chaum oversimplify the problem, or do current systems ignore his work in this area?
- What do people think of the notion of certified mail and receipts?