
First Year Report

George Danezis

August 1, 2001

1 Introduction.

I started my PhD in Cambridge on the 1st of October 2000 under the supervision of Dr R. Anderson. I have been working on the subject of anonymity, as part of the Computer and Communications Security Group of the Computer Laboratory. During the past year I have tried to explore the areas of anonymous communication channels and anonymous systems, and to define a threat model for anonymity. At the same time, and often in relation with the main subjects described above, I invested time in learning new practical skills, such as programming languages, tools and mathematical techniques. Since anonymity does not exist in a vacuum I also had to read a great deal of background literature, not only about computer security and cryptography but also about information policy and economics. I believe most of the work I have done will contribute towards my Ph.D., and the skills I have gained will increase my productivity for the next stages of my research.

2 Background work on anonymity.

I have compiled and actively maintain a bibliography of most of the scientific papers relating to anonymity [1]. The categories include Mixing and Dining Cryptographers' networks (D.C.), anonymous auctions, anonymous elections, anonymous cash, etc. Many researchers inside and outside Cambridge have used it for their work.

3 Anonymous channels.

I have read all the papers about the classic mixes and DC networks [2,3,4,5,6]. I have also read most of the recent papers describing modern proposals for mixing networks, such as Practical Mix and Flash Mix [7,8,9], Hybrid Mix [10], SG-mix [50], and other proposals relating to the infrastructure of mix networks [11,17]. I also contributed to the analysis of the security of [17] by proposing a theoretical attack at the Information Hiding Workshop 2001. Other more esoteric proposals for anonymous communications were usually either variations of mix networks (such as onion routing) [15,16] or masqueraded D.C. networks (usually by using addition modulo n instead of XOR) [12,13,14].

3.1 Chaffinch.
During Lent term I collaborated with Richard Clayton and designed "Chaffinch", a communication channel that provides its users with secrecy and plausible deniability. The design was inspired by Rivest's Chaffing and Winnowing [18] but was extended to be made efficient and practical. As in the original proposal, it only uses integrity primitives to offer confidentiality, but it also has the feature that the existence of some of the hidden information can be plausibly denied. Special care has also been taken to make it resistant to legal attacks under the RIP Act in UK law. While designing it I read a great deal about cipher construction (especially the use of permutations) and block ciphers' modes of operation, as well as All-or-Nothing Encryption. We found that for some needs Rivest's block transform [19] was not optimal, and decided to choose a modified key-less version of the BEAR cipher instead [20].
I did implement an encoder and decoder for the Chaffinch system in the JAVA language. I also learned C and implemented an encoder for Chaffinch that should work on any POSIX compliant platform. Now the project has its own web page [25] and I will be maintaining it in the future. An early paper describing Chaffinch (before any implementation was available) was rejected from the 9th USENIX Security Symposium, but Richard and I plan to rewrite it now that we have the experience of implementing the system, and submit it to an appropriate conference.
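
The chaffing-and-winnowing idea that Chaffinch builds on, as an added example in Python; this is not the Chaffinch code itself, and it does not reproduce the keyless BEAR construction mentioned above. The only cryptographic primitive is a MAC (HMAC-SHA256 here, an assumption for the example). The sender authenticates the real bytes ("wheat") and mixes in random packets ("chaff"); a receiver who knows the key winnows the stream by checking tags. The same stream can carry a second message under a second key; to anyone holding only the first key, the second message's packets are indistinguishable from chaff, which is the plausible-deniability property the section describes. Keys, messages and the one-byte-per-packet layout are constructed for the example.

```python
"""Chaffing and winnowing with one stream carrying two keyed messages.

Added example; not Chaffinch's own code. HMAC-SHA256 stands in for the
integrity primitive, and the per-byte packet layout is an assumption."""
import hashlib
import hmac
import os
import random
from typing import Dict, List, Tuple

Packet = Tuple[int, bytes, bytes]   # (serial number, one payload byte, 32-byte tag)
TAG_LEN = 32
_sysrand = random.SystemRandom()    # packet order must be unpredictable: OS RNG


def tag(key: bytes, serial: int, payload: bytes) -> bytes:
    """Authentication tag over serial||payload. Wheat carries a valid tag;
    chaff carries random bytes where the tag would be."""
    return hmac.new(key, serial.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def chaff_streams(messages: Dict[bytes, bytes], chaff_per_slot: int = 2) -> List[Packet]:
    """Build a single packet stream carrying every message in `messages`
    (key -> plaintext), each byte authenticated under its own key, plus
    `chaff_per_slot` random packets per serial number. Packets within a
    slot are shuffled so that position leaks nothing."""
    length = max(len(m) for m in messages.values())
    stream: List[Packet] = []
    for serial in range(length):
        slot: List[Packet] = []
        for key, msg in messages.items():
            if serial < len(msg):
                payload = msg[serial:serial + 1]
                slot.append((serial, payload, tag(key, serial, payload)))
        for _ in range(chaff_per_slot):
            slot.append((serial, os.urandom(1), os.urandom(TAG_LEN)))
        _sysrand.shuffle(slot)
        stream.extend(slot)
    return stream


def winnow(key: bytes, stream: List[Packet]) -> bytes:
    """Keep only packets whose tag verifies under `key`, in serial order.
    A holder of a different key (or of no key) sees every packet as chaff."""
    kept: Dict[int, bytes] = {}
    for serial, payload, t in stream:
        if hmac.compare_digest(t, tag(key, serial, payload)):
            kept[serial] = payload
    return b"".join(kept[s] for s in sorted(kept))


def demo() -> Tuple[bytes, bytes, bytes]:
    """Cover traffic under one key and a deniable message under another, in
    one stream. Keys and messages are constructed sample data."""
    cover_key = b"cover-key-" + b"\x01" * 22
    hidden_key = b"hidden-key" + b"\x02" * 22
    cover = b"Meeting moved to Thursday, same room."
    hidden = b"Burn the old keys."
    stream = chaff_streams({cover_key: cover, hidden_key: hidden})
    # Handing over cover_key under compulsion reveals `cover` only: the packets
    # carrying `hidden` verify under no key the examiner holds and look like chaff.
    return (winnow(cover_key, stream),
            winnow(hidden_key, stream),
            winnow(b"\x00" * 32, stream))


if __name__ == "__main__":
    print(demo())
```

The receiver needs no decryption key in the confidentiality sense: it only verifies tags, which is the point Rivest made about export controls and the point the section makes about the RIP Act. Note that a real system also has to hide message length and the ratio of wheat to chaff per key, which this sketch does not attempt.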

3.2 MixMinion.
In the Easter term I drafted the requirements and specification for the next generation of mixes, "MixMinion", to be the successor of MixMaster 3.0, which is currently the strongest and most widely deployed remailer system [21]. This work is still ongoing in collaboration with Roger Dingledine (Reputation Technologies, MIT). The main aim of the protocol suite is to provide a common language for mixes, potentially implementing different technologies, to interoperate. While drafting the requirements I reviewed reports of previously deployed systems and reports of attacks and abuse against them [22,23,24]. I also had an in-depth look at how the current MixMaster system and its infrastructure work, and reviewed the cryptographic building blocks they are using. That has led me to study the public key standards and block cipher modes in an attempt to find the appropriate building blocks for MixMinion. I studied in particular the PKCS#1, PKCS#7 and ASN.1 standards [52,53,54] and the theoretical foundation of OAEP padding [51]. Some novel secondary ideas are also pursued. MixMinion is designed to be friendly to crypto processor implementation and hardware acceleration, and friendly to formal analysis [26] or evaluation [27]. The requirements are now fixed and the specification is at an advanced stage. As soon as the specifications are finalised and we are confident that the system preserves the required security properties we will make it public, start implementing it and collaborate with others, in the context of the nymIP effort [55], to further improve it.

3.3 jsElGamal.
As a small scale project, and in the line of "Ubiquitous Cryptography", I have done an implementation of an ElGamal encryption and signature system in JavaScript [28]. This exercise's main aim is to take something that even a diskless PC would have, such as a JavaScript enabled web browser, and transform it into an end-to-end encryption and signature engine. It also taught me the use of the JavaScript language, which I also used when working on other projects. ElGamal was chosen because there is no need to store any private keys, and the public keys are generated extremely quickly when they are needed. The main inspiration for such a system was my review of HushMail, which provides end-to-end encryption using JAVA technology. The signature capability was implemented to increase the confidence in postings made to independent media centers, by being able to make sure that two articles originated from the same author. My next project in that area should be to implement a cryptographic algorithm in the PostScript language, so that printers, which are at least as common as web browsers, can be used to verify signed messages.

4 Beyond anonymity channels: Anonymity systems.

4.1 Romance.
During Michaelmas term Richard, Markus and I reviewed and reverse engineered a few web sites that claimed to provide some anonymity properties. The richest site, in terms of attacks found and experience gained, was the student run site romance.ucam.org, which provided an anonymous dating service for Cambridge students. Many attacks involving HTML, Java and JavaScript were found against it. This exercise made me learn JavaScript and perl in order to write attack and analysis scripts. Data collected from the activities of the server were also used to mount small traffic analysis exercises. It also provided a starting point for reasoning about anonymity at a system level.

4.2 HushMail.
HushMail, which was mentioned in the Houses of Parliament as being used by dangerous subversives [29], has also attracted our attention. The source code is available and we modified it, to run it locally and analyse the protocols it uses. No major fault was found, but many unexpected glitches were discovered: some information is transmitted in clear (such as subject lines and sender addresses), and the key management is not as good as it should be. I also analysed the random number generation procedures and found out that the amount of entropy gathered, although sufficient for the task, is less than one might expect. The randomness gathering relies on the timing of user interface events, but the event system is a process that is called at specific intervals, which quantises the timings. This produces a much poorer quality of seed for the random number generators than the "real" times would have. I have also done some related research into the generation of random web session cookies produced using time as a seed, and discovered that for some web sites they can be guessed and therefore sessions can be hijacked.
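
Two of the findings above, as added Python examples that are not HushMail's code or the analysis scripts mentioned in the report. The first measures how much entropy is left in inter-event timings once a polled event loop rounds them to its tick; the gap distribution and the 50 ms tick are constructed, not HushMail's actual figures. The second shows why a session cookie derived from a time-based seed can be guessed: an attacker who knows roughly when the session was issued simply enumerates the seconds in that window. The weak cookie construction is hypothetical, and is shown beside a fixed version that draws from the OS random source.

```python
"""Low-entropy seeds: quantised UI timings and time-seeded session cookies.

Added example, not HushMail's or any real site's code. The event-gap
distribution, the 50 ms tick and the cookie derivation are constructed."""
import hashlib
import math
import random
import secrets
from collections import Counter
from typing import List, Optional


def shannon_bits(samples: List[int]) -> float:
    """Empirical Shannon entropy, in bits per sample, of a list of observations."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def simulated_event_gaps(count: int, seed: int = 1) -> List[int]:
    """Constructed inter-event gaps in milliseconds (exponential, mean 120 ms)."""
    rng = random.Random(seed)              # fixed seed: reproducible sample data
    return [int(rng.expovariate(1 / 120)) for _ in range(count)]


def quantise(gaps: List[int], tick_ms: int) -> List[int]:
    """What a polled event system reports: every gap rounded down to its tick."""
    return [gap - gap % tick_ms for gap in gaps]


def entropy_lost_to_tick(count: int = 2000, tick_ms: int = 50) -> float:
    """Bits per event that the quantisation throws away on the sample data."""
    gaps = simulated_event_gaps(count)
    return shannon_bits(gaps) - shannon_bits(quantise(gaps, tick_ms))


def weak_cookie(issued_at: int) -> str:
    """Hypothetical vulnerable construction: the session id is a function of
    a PRNG seeded with the issue time in whole seconds, so its entropy is
    bounded by the attacker's uncertainty about that time."""
    rng = random.Random(issued_at)
    return hashlib.sha1(rng.getrandbits(64).to_bytes(8, "big")).hexdigest()


def guess_issue_time(cookie: str, approx_time: int, window: int = 600) -> Optional[int]:
    """Attacker side: try every second within +/- window of the estimated issue
    time (for example read off the HTTP Date header) and return the seed that
    reproduces the observed cookie, or None if the window held no match."""
    for delta in range(-window, window + 1):
        candidate = approx_time + delta
        if weak_cookie(candidate) == cookie:
            return candidate
    return None


def strong_cookie() -> str:
    """Fix: 128 bits from the OS entropy source; time plays no part."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print(f"entropy lost per event at 50 ms tick: {entropy_lost_to_tick():.2f} bits")
    issued = 987_654_321
    print("recovered seed:", guess_issue_time(weak_cookie(issued), issued + 42))
    print("strong cookie guessable:", guess_issue_time(strong_cookie(), issued) is not None)
```

A ten-minute window is 1201 candidate seeds, so the search is instantaneous; widening the attacker's uncertainty to a day still leaves fewer than 2^17 candidates, which is no obstacle. The fixed version makes the search space 2^128 regardless of what the attacker knows about timing.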

4.3 Anonymity security policy.


The analysis of Romance and HushMail, but also of other systems [31,32], gave me an insight into more general properties and system features that might be used to protect or attack the anonymity of users. This has led me to the formulation of a security policy model to protect anonymity properties. The model is based on tagging information flows as belonging to different pseudonyms and restricting these flows depending on how they could be used to link the pseudonyms belonging to the same individual. Public and plausible information flows are permitted, while any other flows should be appropriately filtered. The objective of the attacker is to induce information from one pseudonym to flow to another pseudonym in order to establish a link between them. The model is inspired by the decision theory and statistics course of the mathematical tripos, which I took in Michaelmas term. One of this model's novelties, although some related ideas can be found in the earlier literature [27], is to reason about illicit information flows affecting the unlinkability of pseudonyms in terms of covert channels, therefore making it possible to recycle a lot of the literature on this subject and use it to attack and protect anonymity properties of systems [56]. As is often the case with high level information flow based models, it is not possible in the general case to check it at a system level, but it is still a useful tool to reason about and help engineer systems and protocols. Our analysis of the Romance site and HushMail, along with some preliminary thoughts on the security policy model for anonymity, were the subject of a talk and a refereed publication at the Information Hiding Workshop 2001 in Pittsburgh [30].
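
A toy reference monitor for the flow policy described in this section, as an added example in Python; it is not the model's formalisation from the paper, and the label rules, the `plausible` whitelist and the sample data are assumptions chosen to illustrate it. Each datum carries the set of pseudonyms it is linkable to; derived data inherit the union of their sources' labels; a message posted under pseudonym P is allowed only if everything in it is public (empty label), on the plausible list, or linked to P alone. Anything else is filtered and logged as an attempted link between pseudonyms, which is exactly the flow the attacker is trying to induce.

```python
"""Pseudonym-labelled information flows with a filtering reference monitor.

Added illustration of the policy described in the text, not the paper's model.
Label rules, the plausible list and all sample data are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

PUBLIC: FrozenSet[str] = frozenset()   # empty label: linkable to no pseudonym


@dataclass(frozen=True)
class Datum:
    value: str
    label: FrozenSet[str]              # pseudonyms this information could link


def derive(value: str, *sources: Datum) -> Datum:
    """Anything computed from labelled data inherits every source label
    (the usual information-flow rule): a signature block built from a
    work address stays tied to the work pseudonym."""
    label: FrozenSet[str] = PUBLIC
    for s in sources:
        label = label | s.label
    return Datum(value, label)


@dataclass
class FlowMonitor:
    plausible: FrozenSet[str] = frozenset()   # values anybody might plausibly emit
    log: List[str] = field(default_factory=list)

    def allow(self, sender: str, items: List[Datum]) -> bool:
        """Permit a message posted under `sender` only if no item could link
        `sender` to another pseudonym; otherwise filter it and record why."""
        for d in items:
            if d.label <= {sender}:           # public, or tied to sender alone
                continue
            if d.value in self.plausible:     # common knowledge, links nobody
                continue
            others = sorted(d.label - {sender})
            self.log.append(f"filtered: {sender} would emit {d.value!r} linked to {others}")
            return False
        return True


def demo() -> List[bool]:
    """One person, two pseudonyms; the attacker wants work-linked data to
    flow out under the dating-site pseudonym. Sample data is constructed."""
    email = Datum("g.x@example.org", frozenset({"work"}))
    greeting = Datum("Hi,", PUBLIC)
    # Observed in work mail headers, so labelled "work", but anyone could say it.
    timezone = Datum("GMT", frozenset({"work"}))
    signature = derive("Hi, -- g.x@example.org", greeting, email)   # label {"work"}
    monitor = FlowMonitor(plausible=frozenset({"GMT", "Cambridge"}))
    return [
        monitor.allow("work", [greeting, email]),       # own pseudonym: allowed
        monitor.allow("dating", [greeting, timezone]),  # plausible value: allowed
        monitor.allow("dating", [greeting, email]),     # links dating to work: filtered
        monitor.allow("dating", [signature]),           # derived data keeps label: filtered
    ]


if __name__ == "__main__":
    print(demo())
```

The log entries are the covert-channel view the section mentions: each filtered flow names the pseudonyms it would have linked. As the text says, checking this at the level of a whole system is not possible in general; the monitor only works for data whose labels were tracked from the point they entered the system.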

4.4 Gnutella.
After the legal trouble that Napster had, I got interested in decentralised peer to peer (p2p) networks and their robustness. I studied one of the most used and simplest ones [33], Gnutella, which performs a distributed search for keywords. I implemented my own Gnutella client in JAVA and used it to understand the details of the protocols and the dynamics of the network. The main unreliability of the network was the difficulty of connecting and the unreliability of downloads. It has been argued that these are intrinsic problems of the network. I came to the controversial conclusion that this is not the case and that most of the problems could be fixed without changing the protocol at all, by just changing the parameters and heuristics the clients use. I contributed to the debate on the Gnutella Developers Forum [34] with a proposal for distributing the downloads across many machines without changing the basic protocols or requiring all clients and machines on the network to have the same behaviour [35]. In the context of p2p networks I have also read other proposals with stronger theoretical claims such as Freenet, the Strong Eternity Service and Free Haven [35,36,37]. I also did some original research, although it is still at an immature stage, on combining some recent Private Information Retrieval proposals [38], based on complexity theoretic mechanisms, with the keyword search facilities of Gnutella. That would allow users to send search queries and receive replies, in an efficient way, without the server or anyone else being able to know the content of the query or the result.

4.5 Money Escrow.
In Michaelmas term I gave a talk on "Money Escrow" for the Tuesday Security Seminar series. During Lent term I corrected and provided figures for the transcript of the same talk I gave at the Cambridge Protocols Workshop 2000, which will be included in the proceedings [39].

5 Threat Model of anonymity.

A major part of my first year work has been devoted to assessing the real world threats to anonymity. The standard cryptographic threat model, which assumes an all powerful opponent able to eavesdrop on all communications and modify them at will, is useful for theoretical constructions, but in the area of anonymity it often leads in practice to very inefficient systems. In addition, in many cases the opponents are legitimate participants in the protocols who try to cheat, and the anonymity provided makes it even more difficult to detect them. For this reason tighter bounds on the technological capabilities of potential opponents, such as individuals, organizations, businesses or states, have to be defined. In order to have as complete a view as possible of the technological threats, one must take into account that they are not happening in a vacuum. For this reason the social, political and economic motives behind surveillance need to be researched and understood as well.

5.1 Intelligence.
The most powerful opponent, in both technological and economic terms, that any system could face is a State. For this reason I have spent some time understanding the social, legal and technological apparatus that states have in their possession in order to conduct surveillance. I have read the reports that the European Parliament's Scientific and Technological Options Assessment unit (STOA) has produced about the "Echelon" system and the potential for abuse of economic intelligence [40]. I have also read the recent report from the European Parliament commission on Echelon [42], and the interim study of 1997 that started the investigation [43]. In order to better understand how intelligence operates, from a slightly less hostile source than the previous documents, I have read the standard textbook "Intelligence power in peace and war" [44]. I also attended conferences on legal and policy matters: the State and Internet Security Forum [45], and the conference organized by Liberty on Article 8 of the Human Rights Act, the Right to Privacy. As a result of an analysis of the Regulation of Investigatory Powers Act 2000, Richard and I attempted to offer some technological protection against legal attacks by designing "Chaffinch" [25] to use techniques that are outside the scope of the Act, therefore questioning its clarity and effectiveness.

5.2 Economics.
While States are the greatest potential danger, in practice more censorship and violations of privacy are due to copyright, patent and libel law than to state security restrictions. These constructs are fundamentally economic, and in order to better understand their true nature I spent some time reading about Information Economics [46]. I have also spent some time reading not so orthodox views on copyright, from the Free Software Foundation [47], or more marginal economic and cultural theories [48,49]. This provided the background for my work on peer-to-peer systems and more particularly Gnutella.

6 Other.

6.1 Teaching.


During Michaelmas and Lent term I spent some time supervising undergraduate students. I have supervised Concurrent Systems (IB), Introduction to Security (IB), Security (II), Software Engineering I (IA) and Further Java (IB). I greatly enjoyed teaching, but I tried to keep the subjects as close as possible to my research interests.

7 References

1 Anonymous and Pseudonymous Communications and Systems Bibliography. http://www.cl.cam.ac.uk/~gd216/anonymity.html
2 D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, Vol. 24, No. 2, February 1981, pp. 84-88.
3 A. Pfitzmann and B. Pfitzmann. How to break the direct RSA-implementation of mixes. Advances in Cryptology - Eurocrypt '89, pp. 373-381.
4 D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1/1, 1988, pp. 65-75.
5 Michael Waidner and Birgit Pfitzmann. The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability. In Eurocrypt '89, Lecture Notes in Computer Science volume 434. Springer-Verlag, 1990.
6 Michael Waidner and Birgit Pfitzmann. Unconditional sender and recipient untraceability in spite of active attacks - some remarks. Technical report, Fakultät für Informatik, Universität Karlsruhe, 1989.
7 M. Jakobsson. Flash mixing. In PODC '99, pages 83-89. ACM, 1999.
8 M. Jakobsson. A practical mix. In K. Nyberg, editor, Eurocrypt '98, pages 448-461. Springer-Verlag, 1998. LNCS no. 1403.
9 Masashi Mitomo and Kaoru Kurosawa. Attack for Flash MIX. T. Okamoto (Ed.): Advances in Cryptology - Asiacrypt 2000, LNCS 1976, p. 192 ff.
10 Miyako Ohkubo and Masayuki Abe. A Length-Invariant Hybrid Mix. T. Okamoto (Ed.): Advances in Cryptology - Asiacrypt 2000, LNCS 1976, p. 178 ff.
11 Oliver Berthold, Andreas Pfitzmann, and Ronny Standtke. The Disadvantages of Free MIX Routes and how to Overcome Them. LNCS 2009, p. 30 ff.
12 H. Kikuchi, A. Fujioka, K. Seo. Anonymous Communication Using Secret Sharing Scheme. In Proc. of the 1998 Symposium on Cryptography and Information Security, SCIS 98-5.3.F, Jan 1998.
13 H. Kikuchi. Sender and Recipient Anonymous Communication without Public Key Encryption. In IPSJ SIG Notes, 98-CSEC-1, pp. 41-46, May 1998.
14 Dahlia Malkhi and Elan Pavlov. Anonymity without cryptography.
15 Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. Towards an Analysis of Onion Routing Security. LNCS 2009, p. 96 ff.
16 Oliver Berthold, Hannes Federrath, and Stefan Köpsell. Web MIXes: A System for Anonymous and Unobservable Internet Access. LNCS 2009, p. 115 ff.
17 Roger Dingledine, Michael J. Freedman, David Hopwood, David Molnar. A Reputation System to Increase MIX-net Reliability. Proceedings, Information Hiding Workshop, Mar 2001 (LNCS 2137).
18 R. L. Rivest. Chaffing and winnowing: confidentiality without encryption. MIT Lab for Computer Science, http://theory.lcs.mit.edu/~rivest/chaffing.txt, March 18, 1998.
19 R. Rivest. "All-or-nothing encryption and the package transform." Fast Software Encryption '97, Springer-Verlag (1997).
20 R. Anderson, E. Biham. "Two Practical and Provably Secure Block Ciphers: BEAR and LION", in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, 1996, pp. 113-120.
21 MixMaster specifications. http://www.eskimo.com/~rowdenw/crypt/Mix/
22 Gülcü, C. and Tsudik, G. 1996. Mixing email with Babel. In Proceedings of the 1996 Internet Society Symposium on Network and Distributed System Security (San Diego, CA, Feb.), 2-16.
23 Cottrell, L. 1994. Mixmaster and remailer attacks.
24 David Mazières and M. Frans Kaashoek. The design and operation of an e-mail pseudonym server. In 5th ACM Conference on Computer and Communications Security, 1998.
25 Chaffinch: Confidentiality and Plausible Deniability against legal threats. http://www.cl.cam.ac.uk/~gd216/chaffinchHome.html
26 Syverson, P. and Stubblebine, S. 1999. Group principals and the formalization of anonymity. In Proceedings of the Conference on Formal Methods (Toulouse, France, Sept.), J. Wing, J. Woodcock, and J. Davies, Eds. Springer-Verlag, New York, 814-833.
27 Giovanni Iachello and Kai Rannenberg. Protection Profiles for Remailer Mixes. Designing Privacy Enhancing Technologies, LNCS 2009, p. 181 ff.
28 JavaScript cryptography page. http://www.cl.cam.ac.uk/~gd216/ElGamal.html
29 http://www.parliament.the-stationery-office.co.uk/pa/cm200001/cmhansrd/cm010329/debtext/10329-10.htm#10329-10_head2 - 29 Mar 2001: Column 1164 - 4.14 pm.
30 Richard Clayton, George Danezis and Markus G. Kuhn. Real World Patterns of Failure in Anonymity Systems. Ira S. Moskowitz (ed.): Information Hiding 2001, LNCS 2137.
31 ZeroKnowledge, Freedom Network. http://www.freedom.net/
32 Safedoor. http://www.safedoor.co.uk/
33 Gnutella protocols and white papers. http://gnutella.wego.com/
34 The Gnutella Developers' Forum. http://groups.yahoo.com/group/the_gdf/
35 Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong. Freenet: A Distributed Anonymous Information Storage and Retrieval System. In Proc. of the ICSI Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA, 2000. International Computer Science Institute.
36 Tonda Benes. The Strong Eternity Service. Ira S. Moskowitz (ed.): Information Hiding 2001, LNCS 2137.
37 R. R. Dingledine. "The Free Haven Project: Design and Deployment of an Anonymous Secure Data Haven," M.Eng. thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology (2000). Available at http://www.freehaven.net/.
38 C. Cachin, S. Micali, and M. Stadler. Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptology - Eurocrypt '99, 1999.
39 G. Danezis. "Money Escrow". Transcript of talk given at the Cambridge Security Protocols Workshop 2000.
40 Development of surveillance technology and risk of abuse of economic information (Appraisal of technologies of political control):
   (1) The perception of economic risks arising from the potential vulnerability of electronic commercial media to interception; Survey of opinions of experts. Nikos Bogonikolos, Zeus E.E.I.G, Patras, Greece. Interim Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, May 1999, PE 168.184/Int.St./Part 1/4.
   (2) The legality of the interception of electronic communications: A concise survey of the principal legal issues and instruments under international, European and national law. Chris Elliott, Surrey, UK. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, April 1999, PE 168.184/part 2/4.
   (3) Encryption and cryptosystems in electronic surveillance: A survey of the technology assessment issues. Franck Leprevost, Technische Universität Berlin, Germany. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, FR, April 1999, PE 168.184/part 3/4.
   (4) The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition. Duncan Campbell, IPTV Ltd., Edinburgh, UK. Final Study, Working document for the STOA Panel, Workplan 1998 - 98/14/01, EN, April 1999, PE 168.184/part 4/4.
42 European Parliament, Temporary Committee on the ECHELON Interception System. http://www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf
43 STOA, An appraisal of technologies of political control, Interim Study 1997. http://cryptome.org/stoa-atpc.htm
44 Michael Herman. Intelligence power in peace and war. Cambridge: Cambridge University Press, 1996.
45 Internet and State Security Forum. http://www.srcf.ucam.org/cria/conference/
46 Carl Shapiro and Hal Varian. Information rules: a strategic guide to the network economy. Boston, Mass.: Harvard Business School, 1998.
47 Philosophy of the GNU Project. http://www.gnu.org/philosophy/philosophy.html
48 Ernest Mandel. An Introduction to Marxist Economic Theory. Pathfinder; ISBN: 0873483154.
49 Hakim Bey. The Temporary Autonomous Zone, Ontological Anarchy, Poetic Terrorism. http://www.hermetic.com/bey/taz_cont.html
50 Kesdogan, Egner, and Büschkes. Stop and go mixes: Providing probabilistic anonymity in an open system. In 1998 Information Hiding Workshop.
51 M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology - Eurocrypt '94, pages 92-111, 1994.
52 PKCS #1 - RSA Cryptography Standard. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.pdf
53 PKCS #7 - Cryptographic Message Syntax Standard. ftp://ftp.rsasecurity.com/pub/pkcs/ps/pkcs-7.ps
54 Burton S. Kaliski Jr. A Layman's Guide to a Subset of ASN.1, BER, and DER.
55 The NymIP Effort. http://nymip.velvet.com/
56 National Computer Security Center: A Guide to Understanding Covert Channel Analysis of Trusted Systems. NCSC-TG-030, Version 1 (November 1993).
