Showing papers by "George Danezis published in 2007"

Denial of service or denial of security

Abstract: We consider the effect attackers who disrupt anonymous communications have on the security of traditional high- and low-latency anonymous communication systems, as well as on the Hydra-Onion and Cashmere systems that aim to offer reliable mixing, and Salsa, a peer-to-peer anonymous communication network. We show that denial of service (DoS) lowers anonymity as messages need to get retransmitted to be delivered, presenting more opportunities for attack. We uncover a fundamental limit on the security of mix networks, showing that they cannot tolerate a majority of nodes being malicious. Cashmere, Hydra-Onion, and Salsa security is also badly affected by DoS attackers. Our results are backed by probabilistic modeling and extensive simulations and are of direct applicability to deployed anonymity systems.

Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity

Abstract: We consider the eect attackers who disrupt anonymous communications have on the security of traditional high- and low-latency anonymous communication systems, as well as on the Hydra-Onion and Cashmere systems that aim to oer reliable mixing, and Salsa, a peer-to-peer anonymous communication network. We show that denial of service (DoS) lowers anonymity as messages need to get retransmitted to be delivered, presenting more opportunities for attack. We uncover a fundamental limit on the security of mix networks, showing that they cannot tolerate a majority of nodes being malicious. Cashmere, Hydra-Onion, and Salsa security is also badly aected by DoS attackers. Our results are backed by probabilistic modeling and extensive simulations and are of direct applicability to deployed anonymity systems.

Pripayd: privacy friendly pay-as-you-drive insurance

Abstract: Pay-As-You-Drive insurance systems are establishing themselves as the future of car insurance. However, their current implementations entail a serious privacy invasion. We present PriPAYD where the premium calculations are performed locally in the vehicle, and only aggregate data arrivesto the insurance company, without leaking location information. Our system is built on top of well understood security techniques that ensure its correct functioning. We discuss the viability of PriPAYD in terms of cost, security and easeof certification.

Two-sided statistical disclosure attack

Abstract: We introduce a new traffic analysis attack: the Two-sided Statistical Disclosure Attack, that tries to uncover the receivers of messages sent through an anonymizing network supporting anonymous replies. We provide an abstract model of an anonymity system with users that reply to messages. Based on this model, we propose a linear approximation describing the likely receivers of sent messages. Using simulations, we evaluate the new attack given different traffic characteristics and we show that it is superior to previous attacks when replies are routed in the system.

Introducing Traffic Analysis

Abstract: In the Second World War, traffic analysis was used by the British at Bletchley Park to assess the size of Germany’s air-force, and Japanese traffic analysis countermeasures contributed to the surprise of their 1941 attack on Pearl Harbour. Nowadays, Google uses the incidence of links to assess the relative importance of web pages, credit card companies examine transactions to spot fraudulent patterns of spending, and amateur plane-spotters revealed the CIA’s ‘extraordinary rendition’ programme. Diffie and Landau, in their book on wiretapping, went so far as to say that “traffic analysis, not cryptanalysis, is the backbone of communications intelligence” [1]. However, until recently the topic has been neglected by Computer Science academics. A rich literature discusses how to secure the confidentiality, integrity and availability of communication content, but very little work has considered the information leaked from communications ‘traffic data’ and how these compromises might be minimised. Traffic data records the time and duration of a communication, and traffic analysis examines this data to determine the detailed shape of the communication streams, the identities of the parties communicating, and what can be established about their locations. The data may even be sketchy or incomplete – simply knowing what ‘typical’ communication patterns look like can be used to infer information about a particular observed communication. Civilian infrastructures, on which state and economic actors are increasingly reliant, are ever more vulnerable to traffic analysis: wireless and GSM telephony are replacing traditional systems, routing is transparent and protocols are overlaid over others – giving plenty of opportunity to observe, and take advantage of the traffic data. Concretely, an attacker can make use of this

Does additional information always reduce anonymity

Abstract: We discuss information-theoretic anonymity metrics, that use entropy over the distribution of all possible recipients to quantify anonymity We identify a common misconception: the entropy of the distribution describing the potentialreceivers does not always decrease given more informationWe show the relation of these a-posteriori distributions with the Shannon conditional entropy, which is an average overall possible observations

Breaking four mix-related schemes based on Universal Re-encryption

Abstract: Universal Re-encryption allows El-Gamal ciphertexts to be re-encrypted without knowledge of their corresponding public keys. This has made it an enticing building block for anonymous communications protocols. In this work we analyze four schemes related to mix networks that make use of Universal Re-encryption and find serious weaknesses in all of them. Universal Re-encryption of signatures is open to existential forgery; two-mix schemes can be fully compromised by a passive adversary observing a single message close to the sender; the fourth scheme, the rWonGoo anonymous channel, turns out to be less secure than the original Crowds scheme, on which it is based. Our attacks make extensive use of unintended “services” provided by the network nodes acting as decryption and re-routing oracles. Finally, our attacks against rWonGoo demonstrate that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.

Efficient negative databases from cryptographic hash functions

Abstract: A negative database is a privacy-preserving storage system that allows to efficiently test if an entry is present, but makes it hard to enumerate all encoded entries. We improve significantly over previous work presented at ISC 2006 by Esponda et al. [9], by showing constructions for negative databases reducible to the security of well understood primitives, such as cryptographic hash functions or the hardness of the Discrete-Logarithm problem. Our constructions require only O(m) storage in the number m of entries in the database, and linear query time (compared to O(l ċ m) storage and O(l ċ m) query time, where l is a security parameter.) Our claims are supported by both proofs of security and experimental performance measurements.

Space-efficient private search with applications to rateless codes

Abstract: Private keyword search is a technique that allows for searching and retrieving documents matching certain keywords without revealing the search criteria. We improve the space efficiency of the Ostrovsky et al. Private Search [9] scheme, by describing methods that require considerably shorter buffers for returning the results of the search. Our basic decoding scheme recursive extraction, requires buffers of length less than twice the number of returned results and is still simple and highly efficient. Our extended decoding schemes rely on solving systems of simultaneous equations, and in special cases can uncover documents in buffers that are close to 95% full. Finally we note the similarity between our decoding techniques and the ones used to decode rateless codes, and show how such codes can be extracted from encrypted documents.

Space-efficient private search with applications to rateless codes

Abstract: Private keyword search is a technique that allows for searching and retrieving documents matching certain keywords without revealing the search criteria. We improve the space efficiency of the Ostrovsky et al. Private Search [9] scheme, by describing methods that require considerably shorter buffers for returning the results of the search. Our basic decoding scheme recursive extraction, requires buffers of length less than twice the number of returned results and is still simple and highly efficient. Our extended decoding schemes rely on solving systems of simultaneous equations, and in special cases can uncover documents in buffers that are close to 95% full. Finally we note the similarity between our decoding techniques and the ones used to decode rateless codes, and show how such codes can be extracted from encrypted documents. © IFCA/Springer-Verlag Berlin Heidelberg 2007.

Efficient Negative Databases from Cryptographic Hash Functions

Abstract: A negative database is a privacy-preserving storage system that allows to efficiently test if an entry is present, but makes it hard to enumerate all encoded entries We improve significantly over previous work presented at ISC 2006 by Esponda et al [9], by showing constructions for negative databases reducible to the security of well understood primitives, such as cryptographic hash functions or the hardness of the Discrete-Logarithm problem Our constructions require only O(m) storage in the number m of entries in the database, and linear query time (compared to O(l ċ m) storage and O(l ċ m) query time, where l is a security parameter) Our claims are supported by both proofs of security and experimental performance measurements

Two-Sided Statistical Disclosure Attack

Abstract: We introduce a new traffic analysis attack: the Two-sided Statistical Disclosure Attack, that tries to uncover the receivers of messages sent through an anonymizing network supporting anonymous replies. We provide an abstract model of an anonymity system with users that reply to messages. Based on this model, we propose a linear approximation describing the likely receivers of sent messages. Using simulations, we evaluate the new attack given different traffic characteristics and we show that it is superior to previous attacks when replies are routed in the system.

The dining freemasons (security protocols for secret societies)

Abstract: We continue the popular theme of offline security by considering how computer security might be applied to the challenges presented in running a secret society. We discuss membership testing problems and solutions, set in the context of security authentication protocols, and present new building blocks which could be used to generate secret society protocols more robustly and generically, including the lie channel and the compulsory arbitrary decision model. © Springer-Verlag Berlin Heidelberg 2007.

Private yet abuse resistant open publishing

Abstract: We present the problem of abusive, off-topic or repetitive postings on open publishing websites, and the difficulties associated with filtering them out. We propose a scheme that extracts enough information to allow for filtering, based on users being embedded in a social network. Our system maintains the privacy of the poster, and does not require full identification to work well. We present a concrete realization using constructions based on discrete logarithms, and a sketch of how our scheme could be implemented in a centralized fashion.