George Danezis
August 1, 2001
1 Introduction.

I started my PhD in Cambridge on the 1st of October 2000 under the supervision of Dr R. Anderson. I have been working on the subject of anonymity, as part of the Computer and Communications Security Group of the Computer Laboratory. During the past year I have tried to explore the areas of anonymous communication channels, anonymous systems, and define a threat model for anonymity. At the same time, and often in relation to the main subjects described above, I invested time in learning new practical skills, such as programming languages, tools and mathematical techniques. Since anonymity does not exist in a vacuum I also had to read a great deal of background literature, not only about computer security and cryptography but also about information policy and economics. I believe most of the work I have done will contribute towards my Ph.D., and the skills I have gained will increase my productivity for the next stages of my research.
3 Anonymous channels.

I have read all the papers about the classic mixes and DC networks [2,3,4,5,6]. I have also read most of the recent papers describing modern proposals for mixing networks such as Practical Mix and Flash Mix [7,8,9], Hybrid Mix [10], SG-mix [50] and other proposals relating to the infrastructure of mix networks [11,17]. I also contributed to the analysis of the security of [17] by proposing a theoretical attack at the Information Hiding Workshop 2001. Other more esoteric proposals for anonymous communications were usually either variations of mix networks (such as onion routing) [15,16] or masqueraded D.C. networks (usually by using addition modulo n instead of XOR) [12,13,14].
3.1 Chaffinch.

During Lent term I collaborated with Richard Clayton and designed "Chaffinch", a communication channel that provides its users with secrecy and plausible deniability. The design was inspired by Rivest's Chaffing and Winnowing [18] but was extended to be made efficient and practical. As in the original proposal it only uses integrity primitives to offer confidentiality, but it also has the feature that the existence of some of the hidden information can be plausibly denied. Special care has also been taken to make it resistant to legal attacks under the RIP Act in UK law. While designing it I read a great deal about cipher construction (especially the use of permutations) and block ciphers' modes of operation, as well as All-or-nothing Encryption. We found that for some needs Rivest's block transform [19] was not optimal, and decided to choose a modified key-less version of the BEAR cipher instead [20].

I did implement an encoder and decoder for the Chaffinch system in the JAVA language. I also learned C and implemented an encoder for Chaffinch that should work on any POSIX compliant platform. Now the project has its own web page [25] and I will be maintaining it in the future. An early paper describing Chaffinch (written before any implementation was available) was rejected from the 9th USENIX Security Symposium, but Richard and I plan to rewrite it now that we have the experience of implementing the system, and submit it to an appropriate conference.
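The mechanism this section builds on, chaffing and winnowing, is worth seeing in working code: confidentiality comes from an integrity primitive alone, and a second keyed channel hidden in the chaff gives the deniability property described above. The following is an added example in Python; it is not the report's code nor anything from the Chaffinch project. HMAC-SHA256 as the MAC, the 8-byte packet size, the padding scheme and the two-key arrangement are this example's own assumptions, not details of Chaffinch.

```python
"""Chaffing and winnowing with a deniable second channel.

Added example, not code from the report or from the Chaffinch project.
Only an integrity primitive (HMAC-SHA256) is used, yet an observer
without a key cannot separate real packets from chaff. The packet
layout, the padding and the two-key deniability arrangement are this
example's own assumptions.
"""
import hashlib
import hmac
import secrets

PACKET = 8    # payload bytes per packet (assumed, small for readability)
TAG_LEN = 16  # truncated HMAC tag length in bytes


def packetize(data: bytes) -> list:
    """Split data into fixed-size packets with PKCS#7-style padding."""
    n = PACKET - len(data) % PACKET
    data += bytes([n]) * n
    return [data[i:i + PACKET] for i in range(0, len(data), PACKET)]


def unpacketize(packets: list) -> bytes:
    """Join packets and strip the padding added by packetize()."""
    data = b"".join(packets)
    return data[:-data[-1]] if data else data


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """MAC over sequence number and payload; the only cryptographic step."""
    msg = seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def chaff(key_a: bytes, msg_a: bytes, key_b: bytes = None, msg_b: bytes = b"") -> list:
    """Emit (seq, payload, tag) triples for two interleaved channels.

    Every slot holds two packets with the same sequence number, one tagged
    under key_a and one under key_b. When a second channel is supplied the
    "chaff" of A is the real traffic of B: disclosing key_a under compulsion
    reveals A and nothing about B, whose existence can be denied. Slots past
    a channel's length carry random bytes tagged under a throwaway key, so
    neither receiver accepts them.
    """
    junk_key = secrets.token_bytes(32)
    if key_b is None:
        key_b = junk_key            # no second channel: all chaff is junk
    streams = [(packetize(msg_a), key_a), (packetize(msg_b), key_b)]
    rng = secrets.SystemRandom()
    wire = []
    for seq in range(max(len(s) for s, _ in streams)):
        slot = []
        for packets, key in streams:
            if seq < len(packets):
                payload, k = packets[seq], key
            else:
                payload, k = secrets.token_bytes(PACKET), junk_key
            slot.append((seq, payload, tag(k, seq, payload)))
        rng.shuffle(slot)           # position must not reveal the channel
        wire.extend(slot)
    return wire


def winnow(key: bytes, wire: list) -> bytes:
    """Keep packets whose tag verifies under key; everything else is chaff."""
    kept = {}
    for seq, payload, t in wire:
        if hmac.compare_digest(t, tag(key, seq, payload)):
            kept[seq] = payload
    return unpacketize([kept[s] for s in sorted(kept)])
```

Every packet on the wire has the same length and a tag that looks random without the key, so the observer sees only sequence numbers; the receiver holding `key_a` recovers channel A, the receiver holding `key_b` recovers channel B, and either key can be handed over without revealing that the other channel exists.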
3.2 MixMinion.

In the Easter term I drafted the requirements and specification for the next generation of mixes, "MixMinion", to be the successor of MixMaster 3.0, which is currently the strongest and most widely deployed remailer system [21]. This work is still ongoing in collaboration with Roger Dingledine (Reputation Technologies, MIT). The main aim of the protocol suite is to provide a common language for mixes, potentially implementing different technologies, to inter-operate. While drafting the requirements I reviewed reports of previously deployed systems and reports of attacks and abuse against them [22,23,24]. I also had an in depth look at how the current MixMaster system and its infrastructure work, and reviewed the cryptographic building blocks they are using. That has led me to study the public key standards and block cipher modes in an attempt to find the appropriate building blocks for MixMinion. I studied in particular the PKCS#1, PKCS#7 and ASN.1 standards [52,53,54] and the theoretical foundation of the OAEP paddings [51]. Some novel secondary ideas are also pursued. MixMinion is designed to be friendly to crypto processor implementation and hardware acceleration, and friendly to formal analysis [26] or evaluation [27]. The requirements are now fixed and the specification is at an advanced stage. As soon as the specifications are finalised and we are confident that the system preserves the required security properties we will make it public, start implementing it and collaborate with others, in the context of the nymIP effort [55], to further improve it.
3.3 jsElGamal.

As a small scale project, and in the line of "Ubiquitous Cryptography", I have done an implementation of an ElGamal encryption and signature system in JavaScript [28]. This exercise's main aim is to use something that even a diskless PC would have, such as a JavaScript enabled web browser, and transform it into an end-to-end encryption and signature engine. It also taught me the use of the JavaScript language, which I also used when working on other projects. ElGamal was chosen because there is no need to store any private keys, and the public keys are generated extremely quickly when they are needed. The main inspiration for such a system was my review of HushMail, which provides end-to-end encryption using JAVA technology. The signature capability was implemented to increase the confidence in postings made to independent media centers, by being able to make sure that two articles originated from the same author. My next project in that area should be to implement a cryptographic algorithm in the PostScript language so that printers, which are at least as common as web browsers, can be used to verify signed messages.
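The ElGamal operations this section refers to (key generation, encryption and signatures over one group), as an added example in Python; it is not the report's jsElGamal code. The group is a toy safe prime, p = 1019 = 2 * 509 + 1 with generator 2, chosen so the arithmetic is readable; a deployment would use a 2048-bit group. Deriving the private key from a passphrase each time, so that no private key is ever stored, is one way to obtain the "no private key storage" property the section mentions, and is this example's assumption rather than a description of how jsElGamal did it.

```python
"""ElGamal encryption and signatures over a toy group.

Added example, not the report's jsElGamal code. P is a tiny safe prime
(assumed for readability, far too small for real use) and the passphrase
key derivation is an illustrative choice, not a proper KDF.
"""
import hashlib
import math
import secrets

P = 1019            # toy safe prime: P = 2*Q + 1 (assumed parameters)
Q = (P - 1) // 2    # 509, prime
G = 2               # generator of Z_P^*: 2 is a non-residue since P = 3 mod 8


def check_group() -> bool:
    """Sanity checks a deployment would run once on its parameters."""
    assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1, "G is not a generator"
    return True


def private_key(passphrase: str) -> int:
    """Derive x in [1, P-2] from a passphrase so nothing needs storing."""
    h = hashlib.sha256(passphrase.encode()).digest()
    return 1 + int.from_bytes(h, "big") % (P - 2)


def public_key(x: int) -> int:
    """y = g^x mod p; cheap to recompute whenever it is needed."""
    return pow(G, x, P)


def encrypt(y: int, m: int) -> tuple:
    """Encrypt integer m, 1 <= m < P, under public key y."""
    if not 1 <= m < P:
        raise ValueError("message must be an element of Z_P^*")
    k = 1 + secrets.randbelow(P - 2)          # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x: int, ct: tuple) -> int:
    """m = c2 * c1^(-x) mod p, with the inverse taken via Fermat."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P


def digest(msg: bytes) -> int:
    """Hash the message into the exponent group Z_(P-1)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)


def sign(x: int, msg: bytes) -> tuple:
    """ElGamal signature (r, s); k must be fresh and coprime with P-1."""
    h = digest(msg)
    while True:
        k = 1 + secrets.randbelow(P - 2)
        if math.gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)
        s = (pow(k, -1, P - 1) * (h - x * r)) % (P - 1)
        if r != 0 and s != 0:
            return r, s


def verify(y: int, msg: bytes, sig: tuple) -> bool:
    """Accept iff g^H(m) == y^r * r^s mod p, with range checks on r and s."""
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, digest(msg), P) == (pow(y, r, P) * pow(r, s, P)) % P
```

The range check in `verify` matters: without `0 < r < P` a forger can substitute values outside the group, and without fresh `k` in `sign` two signatures leak the private exponent; both are classic ElGamal pitfalls a browser-side implementation must also get right.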
4.1 Romance.

During Michaelmas term Richard, Markus and I reviewed and reverse engineered a few web sites that claimed to provide some anonymity properties. The richest site, in terms of attacks found and experience gained, was the student run site romance.ucam.org, which provided an anonymous dating service for Cambridge students. Many attacks involving HTML, Java and JavaScript were found against it. This exercise made me learn JavaScript and perl in order to write attack and analysis scripts. Data collected by the activities of the server were also used to mount small traffic analysis exercises. It also provided a starting point for reasoning about anonymity at a system level.
4.2 HushMail.

HushMail, which was mentioned in the Houses of Parliament as being used by dangerous subversives [29], has also attracted our attention. The source code is available and we modified it, to run it locally and analyse the protocols it uses. No major fault was found, but many unexpected glitches were discovered: some information is transmitted in clear (such as subject lines and sender addresses), and the key management is not as good as it should be. I also analysed the random number generation procedures and found that the amount of entropy gathered, although sufficient for the task, is less than one might expect. The randomness gathering relies on the timing of user interface events, but the event system is a process that is called at specific intervals, which quantises the timings. This produces a much poorer quality of seed for the random number generators than the "real" times would have. I have also done some related research into the generation of random web session cookies produced using time as a seed, and discovered that for some web sites they can be guessed and therefore sessions can be hijacked.
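The two weaknesses described in this section, timings quantised by a polled event loop and session tokens seeded only by the clock, can be measured rather than argued about. The following added example in Python (not analysis code from the report) generates constructed inter-event timings with a seeded generator, compares the entropy of the raw and quantised values, and computes how many distinct clock-seeded tokens an observer who knows the issue time to within a window has to consider. The 80-300 ms keystroke-gap model, the 10 ms tick and the `weak_cookie` construction are assumptions of this example, not findings about HushMail or any particular web site.

```python
"""Entropy lost to quantised event timings and clock-seeded tokens.

Added example, not analysis code from the report. The timings are
constructed with a seeded generator so the run is reproducible (the
80-300 ms gap model is an assumption); a real harvester would read
them from user interface events.
"""
import hashlib
import math
import random
import secrets
from collections import Counter


def shannon_entropy(samples) -> float:
    """Entropy in bits of the empirical distribution of the samples."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def simulate_event_gaps(count: int, seed: int = 7) -> list:
    """Constructed gaps between user events, in microseconds."""
    rng = random.Random(seed)
    return [rng.randint(80_000, 300_000) for _ in range(count)]


def quantise(gaps_us: list, tick_us: int) -> list:
    """What a polled event loop reports: each gap rounded down to its tick."""
    return [g - g % tick_us for g in gaps_us]


def low_byte_entropy(gaps_us: list) -> float:
    """Entropy of the least significant byte, which naive harvesters keep
    as the 'unpredictable' part of each timestamp. Once the timings are
    multiples of a 10 ms tick only 16 distinct low bytes can occur."""
    return shannon_entropy([g & 0xFF for g in gaps_us])


def weak_cookie(issue_time_s: int) -> str:
    """Session token seeded only by the clock in whole seconds: the weak
    pattern the section describes. Do not use."""
    return hashlib.sha256(str(issue_time_s).encode()).hexdigest()[:16]


def weak_cookie_bits(window_s: int) -> float:
    """Entropy of weak_cookie() for someone who knows the issue time to
    within window_s seconds: one candidate token per second."""
    start = 1_000_000_000  # constructed epoch offset; any value works
    candidates = {weak_cookie(t) for t in range(start, start + window_s)}
    return math.log2(len(candidates))


def strong_cookie() -> str:
    """128 bits from the OS CSPRNG; the clock plays no part."""
    return secrets.token_hex(16)
```

On 4096 constructed samples the low byte of the raw timings carries close to 8 bits, while the same byte after 10 ms quantisation carries at most 4; and a token issued within a one-hour window that depends only on the clock has under 12 bits of entropy against an observer who knows roughly when the session started, against 128 for `strong_cookie()`.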
4.4 Gnutella.

After the legal trouble that Napster had, I got interested in decentralised peer to peer (p2p) networks and their robustness. I studied one of the most used and simplest ones [33], Gnutella, which performs a distributed search for keywords. I implemented my own Gnutella client in JAVA and used it to understand the details of the protocols and the dynamics of the network. The main unreliability of the network was the difficulty of connecting and the unreliability of downloads. It has been argued that these are intrinsic problems of the network. I came to the controversial conclusion that this is not the case and that most of the problems could be fixed without changing the protocol at all, by just changing the parameters and heuristics the clients use. I contributed to the debate on the Gnutella Developers Forum [34] with a proposal for distributing the downloads across many machines without changing the basic protocols or requiring all clients and machines on the network to have the same behaviour [35]. In the context of p2p networks I have also read other proposals with stronger theoretical claims such as Freenet, the Strong Eternity Service and Free Haven [35,36,37]. I also did some original research, although it is still at an immature stage, on combining some recent Private Information Retrieval proposals [38], based on complexity theoretic mechanisms, with the keyword search facilities of Gnutella. That would allow users to send search queries and receive replies, in an efficient way, without the server or anyone else being able to know the content of the query or the result.
4.5 Money Escrow.

In Michaelmas term I gave a talk on "Money Escrow" for the Tuesday Security Seminar series. During Lent term I corrected and provided figures for the transcript of the same talk I gave at the Cambridge Protocols Workshop 2000, which will be included in the proceedings [39].
A major part of my first year work has been devoted to assessing the real world threats to anonymity. The standard cryptographic threat model, which assumes an all powerful opponent able to eavesdrop on all communications and modify them as they wish, is useful for theoretical constructions, but in the area of anonymity it often leads in practice to very inefficient systems. In addition, in many cases the opponents are legitimate participants in the protocols that try to cheat, and the anonymity provided makes it even more difficult to detect them. For this reason tighter bounds on the technological capabilities of potential opponents, such as individuals, organizations, businesses or states, have to be defined. In order to have as complete a view as possible of the technological threats one must take into account that they are not happening in a vacuum. For this reason the social, political and economic motives behind surveillance need to be researched and understood as well.
5.1 Intelligence.

The most powerful opponent, in both technological and economic terms, that any system could face is a State. For this reason I have spent some time understanding the social, legal and technological apparatus that states have in their possession in order to conduct surveillance. I have read the reports that the European Parliament's Scientific and Technological Options Assessment unit (STOA) has produced about the "Echelon" system and the potential for abuse of economic intelligence [40]. I have also read the recent report from the European Parliament commission on Echelon [42], and the interim study of 1997 that started the investigation [43]. In order to better understand how intelligence operates, from a slightly less hostile source than the previous documents, I have read the standard textbook "Intelligence power in peace and war" [44]. I also attended conferences on legal and policy matters: The State and Internet Security Forum [45], and the conference organized by Liberty on Article 8 of the Human Rights Act, the Right to Privacy. As a result of an analysis of the Regulation of Investigatory Powers Act 2000, Richard and I attempted to offer some technological protection against legal attacks by designing "Chaffinch" [25], which uses techniques that are outside the scope of the Act, therefore questioning its clarity and effectiveness.
5.2 Economics.

While States are the greatest potential danger, in practice more censorship and violations of privacy are due to copyright, patent and libel law than to state security restrictions. These constructs are fundamentally economic, and in order to better understand their true nature I spent some time reading about Information Economics [46]. I have also spent some time reading less orthodox views on copyright, from the Free Software Foundation [47], and more marginal economic and cultural theories [48,49]. This provided the background for my work on peer-to-peer systems and more particularly Gnutella.
6 Other.

7 References
17 Roger Dingledine, Michael J. Freedman, David Hopwood, David Molnar. A Reputation System to Increase MIX-net Reliability. Proceedings, Information Hiding Workshop, Mar 2001 (LNCS 2137).
18 R. L. Rivest, Chaffing and winnowing: confidentiality without encryption, MIT Lab for Computer Science, http://theory.lcs.mit.edu/~rivest/chaffing.txt, March 18, 1998.
19 R. Rivest, "All-or-nothing encryption and the package transform." Fast Software Encryption '97, Springer-Verlag (1997).
20 R. Anderson, E. Biham, "Two Practical and Provably Secure Block Ciphers: BEAR and LION", in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, 1996, pp. 113-120.
21 MixMaster specifications. http://www.eskimo.com/~rowdenw/crypt/Mix/
22 Gulcu, C. and Tsudik, G. 1996. Mixing email with Babel. In Proceedings of the 1996 Internet Society Symposium on Network and Distributed System Security (San Diego, CA, Feb.), 2-16.
23 Cottrell, L. 1994. Mixmaster and remailer attacks.
24 David Mazieres and M. Frans Kaashoek. The design and operation of an e-mail pseudonym server. In 5th ACM Conference on Computer and Communications Security, 1998.
25 Chaffinch: Confidentiality and Plausible Deniability against legal threats. http://www.cl.cam.ac.uk/~gd216/chaffinchHome.html
26 Syverson, P. and Stubblebine, S. 1999. Group principals and the formalization of anonymity. In Proceedings of the Conference on Formal Methods (Toulouse, France, Sept.), J. Wing, J. Woodcock, and J. Davies, Eds. Springer-Verlag, New York, 814-833.
27 Protection Profiles for Remailer Mixes, Giovanni Iachello and Kai Rannenberg, Designing Privacy Enhancing Technologies, LNCS 2009, p. 181 ff.
28 Javascript cryptography page. http://www.cl.cam.ac.uk/~gd216/ElGamal.html
29 http://www.parliament.the-stationery-office.co.uk/pa/cm200001/cmhansrd/cm010329/debtext/10329-10.htm#10329-10_head2 - 29 Mar 2001 : Column 1164 - 4.14 pm.
30 Richard Clayton, George Danezis and Markus G. Kuhn, Real World Patterns of Failure in Anonymity Systems, Ira S. Moskowitz (ed.): Information Hiding 2001, LNCS 2137.
31 ZeroKnowledge, Freedom Network, http://www.freedom.net/
32 Safedoor, http://www.safedoor.co.uk/
33 Gnutella protocols and white papers. http://gnutella.wego.com/
34 The Gnutella Developers' Forum. http://groups.yahoo.com/group/the_gdf/
35 Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong. Freenet: A Distributed Anonymous Information Storage and Retrieval System. In Proc. of the ICSI Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA, 2000. International Computer Science Institute.
36 Tonda Benes, The Strong Eternity service, Ira S. Moskowitz (ed.): Information Hiding 2001, LNCS 2137.
37 R.R. Dingledine, "The Free Haven Project: Design and Deployment of an Anonymous Secure Data Haven," M.Eng. thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology (2000). Available at http://www.freehaven.net/.
38 C. Cachin, S. Micali, and M. Stadler. Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptology - Eurocrypt '99, 1999.
39 G. Danezis, "Money Escrow". Transcript of talk given at the Cambridge Security Protocols Workshop 2000.
40 Development of surveillance technology and risk of abuse of economic information (Appraisal of technologies of political control)
(1) The perception of economic risks arising from the potential vulnerability of electronic commercial media to interception; Survey of opinions of experts. Nikos Bogonikolos, Zeus E.E.I.G, Patras, Greece. Interim Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, May 1999, PE 168.184/Int.St./Part 1/4
(2) The legality of the interception of electronic communications: A concise survey of the principal legal issues and instruments under international, European and national law. Chris Elliott, Surrey, UK. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, April 1999, PE 168.184/part 2/4
(3) Encryption and cryptosystems in electronic surveillance: A survey of the technology assessment issues. Franck Leprevost, Technische Universität Berlin, Germany. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, FR, April 1999, PE 168.184/part 3/4
(4) The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition. Duncan Campbell, IPTV Ltd., Edinburgh, UK. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, April 1999, PE 168.184/part 4/4
42 European Parliament, Temporary Committee on the ECHELON Interception System. http://www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf
43 STOA, An appraisal of technologies of political control, Interim Study 1997. http://cryptome.org/stoa-atpc.htm
44 Michael Herman, Intelligence power in peace and war, Cambridge: Cambridge University Press, 1996.
45 Internet and State Security Forum, http://www.srcf.ucam.org/cria/conference/
46 Carl Shapiro and Hal Varian, Information rules: a strategic guide to the network economy. Boston, Mass.: Harvard Business School, 1998.
47 Philosophy of the GNU Project, http://www.gnu.org/philosophy/philosophy.html
48 Ernest Mandel, An Introduction to Marxist Economic Theory, Pathfinder; ISBN: 0873483154.
49 Hakim Bey, The Temporary Autonomous Zone, Ontological Anarchy, Poetic Terrorism, http://www.hermetic.com/bey/taz_cont.html
50 Kesdogan, Egner, and Büschkes. Stop and go mixes: Providing probabilistic anonymity in an open system. In 1998 Information Hiding Workshop.
51 M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology - Eurocrypt '94, pages 92-111, 1994.
52 PKCS #1 - RSA Cryptography Standard, ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.pdf
53 PKCS #7 - Cryptographic Message Syntax Standard, ftp://ftp.rsasecurity.com/pub/pkcs/ps/pkcs-7.ps
54 Burton S. Kaliski Jr. A Layman's Guide to a Subset of ASN.1, BER, and DER.
55 The NymIP Effort, http://nymip.velvet.com/
56 National Computer Security Center: A Guide to Understanding Covert Channel Analysis of Trusted Systems. NCSC-TG-030, Version 1 (November 1993).