From 0f79b193b97e36fa99d40aa7462b913a37e299c5 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Thu, 13 Apr 2017 14:14:22 +0200 Subject: [PATCH 01/15] Fixes typo in refkey for PPACinPubFS --- DecentAC.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DecentAC.tex b/DecentAC.tex index ee398b6..9197bcc 100644 --- a/DecentAC.tex +++ b/DecentAC.tex @@ -1,4 +1,4 @@ -\citet{PPACforPubFS} analysed two dichotomous models of communication. +\citet{PPACinPubFS} analysed two dichotomous models of communication. The first was the pull model, where the recipients fetch (i.e.\ pull) new messages from the sender. A suitable analogy would be that of magazines published through sales in @@ -9,7 +9,7 @@ mailbox shortly after publication. This is the model of the communication described in \cref{GroupProperties}, i.e.\ the communication model for email. -\citeauthor{PPACforPubFS} found that achieving privacy in the pull model is +\citeauthor{PPACinPubFS} found that achieving privacy in the pull model is technically easier than in the push model. In fact, achieving strong privacy in the push model is very difficult. %TODO: explain why From 8840085c7de86337db681efc9529bf31e5203d11 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Thu, 13 Apr 2017 20:40:20 +0200 Subject: [PATCH 02/15] [before] Starts edit, adds refs to attacks on activists --- Makefile | 1 + before.tex | 21 ++++++++++++++++----- libbib | 2 +- protesting.tex | 1 + techlimits.tex | 1 + 5 files changed, 20 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 68e1334..690c56e 100644 --- a/Makefile +++ b/Makefile @@ -45,6 +45,7 @@ protesting.pdf: be.bib protesting.pdf: mpc.bib protesting.pdf: stats.bib protesting.pdf: adhocnets.bib +protesting.pdf: hr.bib wc: ${SRC} todo: ${SRC} diff --git a/before.tex b/before.tex index 7538eaf..c9a68a2 100644 --- a/before.tex +++ b/before.tex 
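Review bot: the new `protesting.pdf: hr.bib` prerequisite in the Makefile hunk has no matching hunk that adds hr.bib; the only other files this patch touches are before.tex, protesting.tex, techlimits.tex and the libbib submodule pointer, so hr.bib either already exists in the tree or arrives with the submodule bump, and in the latter case make must be able to resolve the prerequisite from the submodule path or the build stops on a missing file. Say in the commit message where hr.bib comes from, and note that the submodule bump itself (baed832 to f14592c) is unexplained.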
@@ -5,15 +5,26 @@ \section{Before a Protest} There are many trade-offs to consider, both for Alice the organizer and the potential co-organizers and participants. +As we discussed in \cref{TechnicalLimitations}, it is difficult for Alice to +protect herself against double agents. +Both Citizen Lab~\cite{NilePhish} and Amnesty International~\cite{Kingphish} +have documented examples of attempts of such attacks. +The goal we have in mind is to reduce the damage that can be done if such an +attack is successful. + \paragraph{Participation} -We assume that Alice wants to protest in a collective manner (not alone). -She will have to find interested people with whom she can co-organize the event -and, later on, also to participate in the protest itself. +% TODO: Do we even cover finding other people with similar interests? +% That's more what recommender systems like Gossple does, which we don't cover. + +We assume that Alice does not want to protest alone. +She must find people who are interested and with whom she can co-organize the +event. +She must also find and inform people to participate in the protest itself. Finding people with similar interests can be a difficult task in general, doing -so when the interests can lead to stigma or are not legally accepted can be much more -difficult --- if not impossible. +so when the interests can lead to stigma or are not legally accepted can be +much more difficult --- if not impossible. For example, diversity of sexuality and gender identity are denied and even severely punished in some totalitarian regimes. If Alice wants to arrange a protest for those rights, she might be very diff --git a/libbib b/libbib index baed832..f14592c 160000 --- a/libbib +++ b/libbib @@ -1 +1 @@ -Subproject commit baed832722a6e8c8c5997f6f5e28f600802e3282 +Subproject commit f14592ccc5e222f6d3457dfa8128ad4fa67b62b6 diff --git a/protesting.tex b/protesting.tex index 02df558..ea4287c 100644 --- a/protesting.tex +++ b/protesting.tex 
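Review bot: in the added paragraph, "examples of attempts of such attacks" should read "examples of attempts at such attacks", and "The goal we have in mind is to reduce the damage that can be done if such an attack is successful" is clearer as "Our goal is to limit the damage if such an attack succeeds." The re-wrapped sentence "Finding people with similar interests can be a difficult task in general, doing so when the interests can lead to stigma or are not legally accepted can be much more difficult" is a comma splice; since the hunk already rewraps those lines, split it after "in general". The newly added TODO comment asks whether the paper covers finding like-minded people at all, which puts the whole Participation paragraph in doubt; settle that before polishing its wording.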
@@ -50,6 +50,7 @@ \addbibresource{mpc.bib} \addbibresource{stats.bib} \addbibresource{adhocnets.bib} +\addbibresource{hr.bib} \let\noparencite\cite% \let\cite\parencite% diff --git a/techlimits.tex b/techlimits.tex index 085e74c..cc29a6c 100644 --- a/techlimits.tex +++ b/techlimits.tex @@ -1,4 +1,5 @@ \section{Technical limitations} +\label{TechnicalLimitations} We can only do so much with technology, and, of course, there are some limitations to what technical solutions can achieve. From 142630d57cc5a52042bbf5843f8f02cde789c6cc Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Fri, 14 Apr 2017 12:36:41 +0200 Subject: [PATCH 03/15] Edits the before section - Renames to before a demonstration. - Removes part of participation, we do not cover that anyway --- that's more recommender systems. --- before.tex | 120 ++++++++++++++++------------------------------------- 1 file changed, 36 insertions(+), 84 deletions(-) diff --git a/before.tex b/before.tex index c9a68a2..cd60ec3 100644 --- a/before.tex +++ b/before.tex 
@@ -1,105 +1,57 @@ -\section{Before a Protest} +\section{Before a Demonstration} \label{BeforeProtest} -Organizing a protest in a privacy-preserving manner does not come for free. -There are many trade-offs to consider, both for Alice the organizer and the -potential co-organizers and participants. +Alice is an activist in an authoritarian regime and she want to organize +a demonstration. +This means that the regime wants to stop Alice while she prepares the +demonstration. +Consequently, Alice wants to do all preparations in such a way that she +minimizes the risk of interference. +In this section we will focus on two aspects: the communication between the +activists and their agreement on the details of the demonstration event. + As we discussed in \cref{TechnicalLimitations}, it is difficult for Alice to protect herself against double agents. -Both Citizen Lab~\cite{NilePhish} and Amnesty International~\cite{Kingphish} -have documented examples of attempts of such attacks. -The goal we have in mind is to reduce the damage that can be done if such an -attack is successful. - -\paragraph{Participation} - -% TODO: Do we even cover finding other people with similar interests? -% That's more what recommender systems like Gossple does, which we don't cover. - -We assume that Alice does not want to protest alone. -She must find people who are interested and with whom she can co-organize the -event. -She must also find and inform people to participate in the protest itself. - -Finding people with similar interests can be a difficult task in general, doing -so when the interests can lead to stigma or are not legally accepted can be -much more difficult --- if not impossible. -For example, diversity of sexuality and gender identity are denied and even -severely punished in some totalitarian regimes. -If Alice wants to arrange a protest for those rights, she might be very -reluctant to reveal such ideas. 
-The plausible severe consequences for Alice to find a co-organizer, Bob, who -deliberately supports and reports to the government of the regime such -circumstance may oblige Alice to censor herself. - -In \cref{UserSearch} we discuss a technical solution that can make the task of -finding co-organizers and potentially interested participants in -a privacy-preserving manner for all parties. -However, there is no technology nor solution to ensure that Bob is not lying to -Alice about his interests. -Therefore, we will use the term \enquote{expressed interest} when referring to -the common interest Bob has revealed to Alice. +The goal in this section is to reduce the damage of infiltration attacks. +If the regime's agents compromise Alice's device, they can monitor everything +she does, and we do not protect against that. \paragraph{Communication} -Alice and the other co-organizers will have to communicate with each other. -Moreover, Alice and the co-organizers will want to spread the word about the -protest to other potential participants. - +Alice and her co-organizers will have to communicate with each other. A trivial solution to the communication problem is the traditional face-to-face meeting --- with the trade-off that the invited attendants should be able to meet at the same time in the same place. -If the requirement for synchronous communication is not that strict, then we -need a way to communicate the outcome of the meeting to those who did not -attend. -% -%The physical communication can be supplemented using some sort of channel that -%provides both off-line and real-time communication capabilities, and guarantees -%the identity of each party using the channel. -% -Thus we assume that Alice will also want to communicate with Bob by means of -a secure channel to avoid any non-verified third party, for example the -governmental intelligence agency, to eavesdrop on her conversations. 
-Such two-parties secure communications we discuss in \cref{Communicating}, -while in the case of more than two participants we describe in -\cref{Discussions}. +This is not always easy to achieve, so Alice wants to complement this by +electronic communications. +Thus Alice wants to communicate with Bob by means of a secure channel to +prevent the regime's agents from eavesdropping on their conversations. + +There are several tools that we will discuss related to this. +First, in \cref{UserSearch}, we will discuss how Alice and Bob can find each +other in \iac{DOSN}. +Then we discuss two-party secure communications in \cref{Communicating}. +There is also the case where Alice wants to talk to more people than just Bob, +and this case is discussed in \cref{Discussions}. \paragraph{Agreement} Alice and the co-organizers must agree on a time and place to hold the -protest. -This can also be extended to interested participants. -For example, the organizers may be interested in having assurances on how many -invited participants are really committed to attend the event in such a way -that they do not reveal the details about the protest, such as the location, to -those have not committed to attend. +demonstration. +This can also be extended to including interested participants. +For example, the organizers might be interested in estimating how many invited +participants are really committed to attend the event, but in such a way that +they do not reveal the details --- which the regime can use to thwart it --- +such as the location and any identities. At the same time, the participants who have committed to attend may want to have assurances that they will be told the details of the protest if they express their commitment to the organizers. -This type of property can be interesting to use in combination with -a reputation system. -This way we can limit the extent of the regime's possible Sybil attacks. 
-In \cref{Scheduling} we discuss some aspects related to the scheduling of the -event in a privacy-preserving manner. - -%\paragraph{Authentication} -% -%Alice, Bob and the remaining participants have to rely on some credentials that -%to authenticate themselves to be able to use most of the technical means to -%participate, communicate, and agree. -%How these credentials are assigned securely to each identity depends on the -%design. -%However, each participant should be responsible for safely storing its -%credentials and possibly its data. -%For example, Alice can choose to store her credentials in her smartphone, -%however, should this device get lost --- or stolen --- she may pose a risk to -%herself, and possibly to others, particularly if she is of interest to the -%regime's surveillance agents~\cite[cf.][]{AppleVsFBI,iPhoneBackdoor}. -% -%We discuss in \cref{passwd} how to protect the credentials and the data linked -%to it in our decentralized scenario. +We discuss some aspects of this problem in \cref{Scheduling}. +The main issue here is trust. +And as pointed out in \cref{SybilAttacks}, this is a notoriously difficult +problem in electronic systems. \subsection{Searching for Your Friends} \label{UserSearch} @@ -116,7 +68,7 @@ \subsection{Holding Discussions} \input{discussions.tex} -\subsection{Scheduling a Protest} +\subsection{Scheduling an Event} \label{Scheduling} %For the scheduling of a protest, there are in turn several problems that must From 9b308f568485842bd742f65367725d0b7bbb36d5 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Fri, 14 Apr 2017 20:15:40 +0200 Subject: [PATCH 04/15] Edits user search and things related --- UserSearch.tex | 73 +++++++++++++++++++++++++++----------------------- before.tex | 18 +++++-------- 2 files changed, 46 insertions(+), 45 deletions(-) diff --git a/UserSearch.tex b/UserSearch.tex index add2ee4..b88e09b 100644 --- a/UserSearch.tex +++ b/UserSearch.tex 
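Review bot: grammar and consistency problems in the rewritten opening of before.tex: "she want to organize" should be "she wants to organize"; "This means that the regime wants to stop Alice" does not follow from Alice wanting to organize, so state the threat model directly ("The regime wants to stop her, so Alice prepares in a way that minimizes the risk of interference"); "extended to including interested participants" should be "extended to include". The section becomes "Before a Demonstration" and the subsection "Scheduling an Event", but the label stays \label{BeforeProtest}, the unchanged Agreement line still says "the details of the protest", and the commented heading below still says "scheduling of a protest"; pick one term. The added sentence "as pointed out in \cref{SybilAttacks}" references a label that no hunk in this series defines; confirm it exists in the other sources or the build reports an undefined reference. Finally, the deleted text introduced the term "expressed interest"; grep the remaining files for uses of it before dropping the definition.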
@@ -1,52 +1,57 @@ -So the challenge is to protect user data from malicious adversaries but -at the same time making users findable for other legitimate users. -To distinguish between these two cases, we assume (at least in the -context of social networks) that legitimate users -possess more information about a target user than the adversary. -Then a knowledge threshold can be enforced using cryptographic techniques, to -guarantee that a user can only be found if the party searching for her -can present enough details about her (\enquote{find me if you know enough about +For Alice and Bob to be able to communicate, they must have a way to set-up +their secure communication. +The particular instance we will cover here is how Alice can find Bob's profile +in \iac{DOSN}, yet prevent the regime from also finding it. + +Let us assume that Alice knows more about Bob than the regime does. +Then a knowledge threshold can be enforced using cryptographic techniques, +i.e.\ to guarantee that Bob can only be found if the party searching for him +can present enough details about him (\enquote{find me if you know enough about me}). -Two protocols' implementations are presented by \citet{ThresholdUserSearch} -that have different advantages and disadvantages. +\Textcite{ThresholdUserSearch} presents two protocols that have different +advantages and disadvantages. Neither of them relies on any central repository of user data. This avoids the biggest risk to user data: the leakage of a central database -with sensitive information about a large number of -people. Practically, the protocols can be implemented in a completely -decentralized way using a \iac{DHT}, which is a standard component of +with sensitive information about a large number of people. +Practically, the protocols can be implemented in a completely decentralized way +using \iac{DHT}, which is a standard component of decentralized systems to store, locate, and retrieve data. 
-The proposed protocols allow users to register their identifiers (e.g.\ -links to their profile pages, e-mail addresses or other contact -information) and specify the required knowledge that is needed to find -this information (e.g.\ name, city, workplace and date of birth). -One implementation guarantees this knowledge-threshold by encoding the -storage location of the registered user identifiers using the required -knowledge attributes. +The proposed protocols allow Alice and Bob to register their identifiers, e.g.\ +links to their profile pages, e-mail addresses or other contact information. +They can also specify the required knowledge that is needed to find this data, +e.g.\ name, city, workplace and date of birth. +One protocol guarantees this knowledge-threshold by encoding the storage +location of Bob's identifier using the required knowledge attributes. Only users that know these attributes can construct a valid lookup request for -the \ac{DHT} that will return the desired user identifier. -The other protocol stores user identifiers encrypted in the \ac{DHT} and uses -threshold secret-sharing techniques to guarantee that no user with less than -the required number of attributes can decrypt a stored identifier. +the \ac{DHT} that will return Bob's identifier. +The other protocol stores Bob's identifier encrypted in the \ac{DHT} and uses +threshold secret-sharing techniques\footnote{% + This is a cryptographic technique where a secret value is split in \(n\) + shares. + Without at least \(t\leq n\) of these shares, the secret cannot be + reconstructed. +} to guarantee that no user with less than the required number of attributes +can decrypt a stored identifier. Neither protocol can provide perfect protection. In the worst-case of a targeted attack, an adversary with profound background -knowledge about the target user will likely succeed. 
-For example, we cannot protect the user identifier if the adversary knows as -many attributes about the target user as legitimate users do. -At the same time, both schemes protect the users fairly well from large-scale -crawling attacks as the search space of all possible attribute combinations is -too large to brute-force and the protocols transform the registered user data -in such a way that inferences from the publicly stored data are infeasible. +knowledge about Bob will likely succeed. +For example, we cannot protect Bob's identifier if the adversary knows as many +attributes about him as Alice does. +At the same time, both protocols protect Bob fairly well from large-scale +crawling attacks, as the search space of all possible attribute combinations is +too large and the protocols transform the registered user data in such a way +that inferences from the publicly stored data are infeasible. Even if the adversary focuses her effort to only crawl the data of a specified -subset of the user-base (e.g.\ all persons working at a specific organization), +subset of the user-base, e.g.\ all persons working at a specific organization, the proposed protocols offer good protection. The knowledge-threshold is an individual user parameter, so users that consider themselves to be more exposed to risks can choose a higher -knowledge-threshold to increase their protection at the cost of a lower -usability, as a higher threshold makes it harder for other legitimate +knowledge-threshold to increase their protection at the cost of lower +usability --- as a higher threshold makes it harder for other legitimate users to find them. In that sense, the presented protocols allow users to individually balance their findability and privacy requirements. diff --git a/before.tex b/before.tex index cd60ec3..cd8822a 100644 --- a/before.tex +++ b/before.tex 
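Review bot: "a way to set-up their secure communication" should be "set up" (verb, no hyphen), and "no user with less than the required number of attributes" should be "fewer than". Dropping the article in "using \iac{DHT}" is right only if \iac expands to the indefinite article plus the short form, in which case the old "using a \iac{DHT}" would have rendered as "a a DHT"; the added "in \iac{DOSN}" follows the same convention, so keep them consistent. In the new footnote on threshold secret sharing, "split in \(n\) shares" reads better as "split into", and it would help to say what \(n\) and \(t\) correspond to in this protocol, presumably the number of registered attributes and the knowledge threshold, since the surrounding text never ties the two together.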
@@ -10,16 +10,9 @@ \section{Before a Demonstration} In this section we will focus on two aspects: the communication between the activists and their agreement on the details of the demonstration event. - -As we discussed in \cref{TechnicalLimitations}, it is difficult for Alice to -protect herself against double agents. -The goal in this section is to reduce the damage of infiltration attacks. -If the regime's agents compromise Alice's device, they can monitor everything -she does, and we do not protect against that. - \paragraph{Communication} -Alice and her co-organizers will have to communicate with each other. +Alice and her co-organizers must communicate with each other. A trivial solution to the communication problem is the traditional face-to-face meeting --- with the trade-off that the invited attendants should be able to meet at the same time in the same place. @@ -28,10 +21,13 @@ \section{Before a Demonstration} Thus Alice wants to communicate with Bob by means of a secure channel to prevent the regime's agents from eavesdropping on their conversations. +Secure communication can be divided into two problems: bootstrapping and the +actual communication. There are several tools that we will discuss related to this. -First, in \cref{UserSearch}, we will discuss how Alice and Bob can find each -other in \iac{DOSN}. -Then we discuss two-party secure communications in \cref{Communicating}. +In \cref{UserSearch}, we will discuss how Alice and Bob can find each other in +\iac{DOSN}, this relates to the bootstrapping problem. +Then we discuss security and privacy properties of the communication problem, +we focus on two-party secure communications in \cref{Communicating}. There is also the case where Alice wants to talk to more people than just Bob, and this case is discussed in \cref{Discussions}. From 2da860d3331817338204ff01883158f16cf2839a Mon Sep 17 00:00:00 2001 
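Review bot: two comma splices in the added lines of the second before.tex hunk: "find each other in \iac{DOSN}, this relates to the bootstrapping problem" and "properties of the communication problem, we focus on two-party secure communications"; use "which relates to" and "focusing on", or full stops. The first hunk removes the only sentence citing \cref{TechnicalLimitations}, which the earlier patch in this series added together with its label; an unused label is harmless, but the double-agent motivation is now gone from this section, so make sure it survives in the Technical limitations section itself.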
From: Daniel Bosk Date: Fri, 14 Apr 2017 20:17:37 +0200 Subject: [PATCH 05/15] Correct spelling of Tor The Tor Project officially spells it Tor. I suppose it's what happens when they outgrow the original acronym. --- intro.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intro.tex b/intro.tex index 11e9af5..e4513d6 100644 --- a/intro.tex +++ b/intro.tex @@ -49,7 +49,7 @@ \section{Introduction} While we acknowledge the benefits of such technological advances like \acp{OSN}, we also point out the costs to personal privacy and advocate for the need to develop \acp{PET} that can co-exist with -these technologies. A prominent example is TOR~\cite{Tor}, a routing +these technologies. A prominent example is Tor~\cite{Tor}, a routing mechanism for online anonymity and censorship resistance. Decentralized solutions try to achieve provider independence and, in some cases, they also offer censorship From 619d15b7803c289dd13e499e708f3166e4b80d21 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Fri, 14 Apr 2017 20:18:50 +0200 Subject: [PATCH 06/15] Minor edit related to event invitations --- before.tex | 4 ---- 1 file changed, 4 deletions(-) diff --git a/before.tex b/before.tex index cd8822a..f5ae209 100644 --- a/before.tex +++ b/before.tex @@ -43,11 +43,7 @@ \section{Before a Demonstration} At the same time, the participants who have committed to attend may want to have assurances that they will be told the details of the protest if they express their commitment to the organizers. - We discuss some aspects of this problem in \cref{Scheduling}. -The main issue here is trust. -And as pointed out in \cref{SybilAttacks}, this is a notoriously difficult -problem in electronic systems. \subsection{Searching for Your Friends} \label{UserSearch} From 61a302a1cd7dc8723b279edd159605e92427ae82 Mon Sep 17 00:00:00 2001 
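Review bot: besides dropping the two sentences on trust (which also removes the reference to \cref{SybilAttacks}), the PATCH 06 hunk deletes the blank line before "We discuss some aspects of this problem in \cref{Scheduling}.", so in LaTeX that sentence now joins the preceding paragraph about participants' assurances. If it is meant as a closing pointer for the whole Agreement paragraph that is fine; otherwise keep the blank line so it stays a paragraph of its own.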
From: Daniel Bosk Date: Sun, 16 Apr 2017 20:43:50 +0200 Subject: [PATCH 07/15] WIP on editing PairwiseComm.tex --- PairwiseComm.tex | 108 +++++++++++++++++++++++++++-------------------- protesting.tex | 18 ++++++++ 2 files changed, 81 insertions(+), 45 deletions(-) diff --git a/PairwiseComm.tex b/PairwiseComm.tex index c8d0dd7..13a330f 100644 --- a/PairwiseComm.tex +++ b/PairwiseComm.tex 
@@ -1,60 +1,78 @@ -We will now focus on the communication. -Specifically we will focus on communication between pairs of people, e.g.\ -Alice talking to Bob. +We will now focus on communication between pairs of people, e.g.\ Alice talking +to Bob. \citeauthor{otr2004} designed a secure protocol for two-people communication, the \ac{OTR} protocol. -They desired an electronic equivalent of face-to-face conversations, i.e.\ that -they leave no proofs of any kind behind: -if Alice and Bob have had a conversation, Bob cannot go to Eve afterwards and -prove anything about what Alice has said --- the same as in a face-to-face -conversation. +This protocol was used as the base and has now been replaced by the Signal +protocol\footnote{% + The protocol used in popular messaging apps such as Signal and WhatsApp. +}. +\citeauthor{otr2004} desired an electronic equivalent of face-to-face +conversations, i.e.\ a protocol which yield no binding proofs: +if Alice and Bob have had a conversation, Bob cannot prove anything to Eve +about what Alice has said --- the same as in a face-to-face conversation. This property is not true for email or most centralized communication services. -%TODO: one reviewer says to revise language, but it's not clear where -%around here. -\subsubsection{Standard Email} +\subsubsection{Email and Centralized Services} + +The standard email system does not provide any confidentiality or +integrity. +A suitable analogy would be that of a postcard. +Alice writes her message to Bob on a postcard without any envelope, i.e.\ her +message and Bob's address are visible on it\footnote{% + She must write her full return address on it too. +}. +This means that the postman can read everything. +Furthermore, most postmen use transparent sacks\footnote{% + Some postmen have started using non-transparent sacks, so those postcards can + only be read by the staff in the post-office. 
+} to carry the postcards, so everyone along the way can also read the sender's +and recipient's address and the contents. +This means that Eve can read the contents of these messages too. -The standard email system does not provide any security. -A suitable analogy would be that each message is a postcard, i.e.\ it has no -envelope, so the content and address are visible on it. -This means that the postman can read the cards' contents, their recipients' and -senders' addresses. -(Yes, unlike real postcards these also include the sender's address.) -Furthermore, most postmen use transparent sacks to carry the postcards, so -everyone along the way can also read the sender's and recipient's address and -the contents. -However, some postmen have started using non-transparent sacks, i.e.\ encrypted -connections between the servers, so those postcards can only be read by the -staff in the post-office. %TODO reviewer question: no confidentiality - %at all? +Thus the email system provides no confidentiality: both the server used for +sending and the server used for receiving and storing the email can read the +contents in plain text. +If these servers do not use an encrypted connection, which is not mandatory, +each network operator along the route can also read (and make a copy of) each +email --- in plain text. +In 2013, \textcite{Fibretap} published that \ac{GCHQ} did exactly this on +a worldwide scale. +Clearly, this is undesirable for Alice and Bob, since Eve can do exactly this +too. -Thus the email system provides no confidentiality: each email server can read -the messages, each network operator along the transport route can also read -(and make a copy of) each email. -However, it is actually worse than that, because the email system provides no -integrity either. -This means that the postman, or anyone along the way, can do arbitrary -modifications to the messages without anyone noticing the difference. 
-We can safely say that we cannot rely on the email system for neither security -nor privacy when planning a protest. +It is actually worse than that: the email system provides no integrity either. +This means that the postman, or Eve\footnote{% + Or any network operator along the way. +}, can do arbitrary modifications to the messages without anyone noticing the +difference. +This means that Eve can modify Alice's messages to Bob and Bob will not notice. When using a centralized communications service, such as Facebook, the level of security and privacy we can achieve is that the postman carries non-transparent sacks. The business model of most such -services is to read peoples postcards to better profile their -interests and thus deliver better suiting advertising. Here, third -parties such as advertisers or surveillance entities cannot directly -see who is communicating with whom. They can only see that something -goes to and from the service. However, all information is available +services is to read people's postcards to better profile their +interests and thus deliver better suiting advertising. +In this case, Eve can cannot directly see who is communicating with whom. +She can only see that something goes to and from the service. +However, all information is available internally to the service. This means that there are ways of learning -this, for example through PRISM~\cite{Prism} of the -\ac{NSA}.%TODO: explain how %TODO address this question even more: - %Which kind of third parties are these, when compared to the - %case of e-mail? Advertisers? Or other parties? And - %canadvertisers read the content in e-mail systems? Google - %lets them advertise on keywords, but not read the mail - %itself for instance. Or hackers? +this. +One approach was illustrated by \acg{NSA} PRISM programme~\cite{Prism}, where +the \ac{NSA} could systematically fetch user data from the major centralized +services (Facebook, Google, Microsoft, Yahoo etc.) 
and could query this data at +their own discretion. +This might not work for governments like China, since these services are +located outside China. +Since they are centralized, they are easy to censor. +This forces services to be located inside China where this type of access is +possible. +%TODO address this question even more: +%Which kind of third parties are these, when compared to the +%case of e-mail? Advertisers? Or other parties? And +%can advertisers read the content in e-mail systems? Google +%lets them advertise on keywords, but not read the mail +%itself for instance. Or hackers? %TODO: other reviewer: annotate, give context. \subsubsection{Secure Email and Text Messaging} diff --git a/protesting.tex b/protesting.tex index ea4287c..ed3a8e4 100644 --- a/protesting.tex +++ b/protesting.tex @@ -60,6 +60,24 @@ group-citation = true, group-cite-cmd = {\noparencite}, } +\ProvideAcroEnding{possessive}{'s}{'s} +\ExplSyntaxOn +\NewAcroCommand \acg +{ + \acro_possessive: + \acro_use:n {#1} +} +\NewAcroCommand \acsg +{ + \acro_possessive: + \acro_short:n {#1} +} +\NewAcroCommand \aclg +{ + \acro_possessive: + \acro_long:n {#1} +} +\ExplSyntaxOff \usepackage[binary-units]{siunitx} From 1ba307106e74ed9c6db48f7b02968a196b650ff3 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 11:42:41 +0200 Subject: [PATCH 08/15] Improves comments on PRISM and centralized systems --- PairwiseComm.tex | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/PairwiseComm.tex b/PairwiseComm.tex index 13a330f..1525565 100644 --- a/PairwiseComm.tex +++ b/PairwiseComm.tex 
@@ -60,13 +60,13 @@ \subsubsection{Email and Centralized Services} this. One approach was illustrated by \acg{NSA} PRISM programme~\cite{Prism}, where the \ac{NSA} could systematically fetch user data from the major centralized -services (Facebook, Google, Microsoft, Yahoo etc.) and could query this data at -their own discretion. +services (Facebook, Google, Microsoft and Yahoo among others) and could query +this data at their own discretion. This might not work for governments like China, since these services are located outside China. -Since they are centralized, they are easy to censor. -This forces services to be located inside China where this type of access is -possible. +But because they are centralized, they are easy to censor. +This forces Alice and Bob to use services which are located in China where this +type of attack is possible. %TODO address this question even more: %Which kind of third parties are these, when compared to the %case of e-mail? Advertisers? Or other parties? And From 49e509c388f657426e4f30aa70590d21cef9279e Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 14:22:25 +0200 Subject: [PATCH 09/15] Edits secure email and text-messaging --- PairwiseComm.tex | 98 +++++++++++++++++++++++++----------------------- libbib | 2 +- 2 files changed, 53 insertions(+), 47 deletions(-) diff --git a/PairwiseComm.tex b/PairwiseComm.tex index 1525565..261b342 100644 --- a/PairwiseComm.tex +++ b/PairwiseComm.tex 
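Review bot: the rewritten China sentences now read in the right order, but "governments like China" pairs a government with a country ("governments like China's", or "regimes like the Chinese one"), and "This forces Alice and Bob to use services which are located in China" only holds if Alice and Bob are in China; say so, or phrase it as "forces users in China to use domestic services". Calling PRISM-style access "this type of attack" is consistent with the Eve framing used elsewhere in this file, so that wording is fine.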
@@ -77,32 +77,39 @@ \subsubsection{Email and Centralized Services} \subsubsection{Secure Email and Text Messaging} -Secure email works by employing cryptography: encrypting the contents of the -postcard, thus providing confidentiality, and then adding a digital signature to -prevent modifications. -Thus the recipient is the only one who can read the message and the recipient -can also verify that the message has not been modified along the way. -To make key management easy, most schemes use public-key cryptography. -This means that we have two keys, one which is public and another which is kept -private. -For encryption, the public key can transform a message to a ciphertext, i.e.\ -a random-looking text string. -The private key can be used to transform the ciphertext back to the message. -Given only the public key, it is \enquote{impossible} to find the private key. -For signatures, we can use the private key to compute a signature of a message -and then send the message and its signature. -The recipient can then use the public key to verify the signature of the -message. -This signature depends on the entire message, so it is impossible to move -a signature to another message --- unlike signatures on paper. -And since it is impossible to find the private key given only the public key, -no one can create fake signatures. +Alice and Bob can add a layer of confidentiality and integrity on top of any +insecure communication system. +Secure email works by employing cryptography: Alice encrypts the contents of +the postcard (confidentiality) and then adds a digital signature to prevent +modifications (integrity). +This requires that Alice and Bob verify each others keys before any +communication --- to avoid being tricked by Eve. +Now Bob is the only one who can read Alice's message and he can also verify +that the message is indeed from Alice and has not been modified along the way. + +%To make key management easy, most schemes use public-key cryptography. 
+%This means that we have two keys, one which is public and another which is kept +%private. +%For encryption, the public key can transform a message to a ciphertext, i.e.\ +%a random-looking text string. +%The private key can be used to transform the ciphertext back to the message. +%Given only the public key, it is \enquote{impossible} to find the private key. +%For signatures, we can use the private key to compute a signature of a message +%and then send the message and its signature. +%The recipient can then use the public key to verify the signature of the +%message. +%This signature depends on the entire message, so it is impossible to move +%a signature to another message --- unlike signatures on paper. +%And since it is impossible to find the private key given only the public key, +%no one can create fake signatures. One problem with this approach to secure email is that the sender and recipient are still in the clear, anyone can read them. -So the content is hidden, but the meta-data is not. +The content is hidden, but the meta-data is not. +This allows Eve to infer the social graph, by monitoring who is communicating +with whom. -Another problem is that the digital signatures used provides a property called +Another problem is that the digital signatures provide a property called non-repudiation. Say that Alice securely sent an email to Bob, if Eve would compromise Bob's private key, as many government agencies can, then she would learn that Alice 
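Review bot: "verify each others keys" should be "verify each other's keys" (line "This requires that Alice and Bob verify each others keys before any"). The fourteen lines explaining public-key cryptography are commented out with % rather than removed; the next hunk in this file moves that explanation into a footnote, so the commented block is dead text that will drift out of sync with the footnote. Suggest deleting it, the old wording survives in git history. One substantive point: "Now Bob is the only one who can read Alice's message" holds only while Bob's private key stays secret, which is exactly the case the non-repudiation paragraph below turns to; a short "as long as his private key is not compromised" here would set that paragraph up.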
@@ -110,41 +117,40 @@ \subsubsection{Secure Email and Text Messaging} Bob might even give the message and his key to Eve voluntarily or under threat. This is exactly the property that \citeauthor{otr2004} wanted to remove with \ac{OTR}. -They can do this by leveraging the interactive nature of \ac{IM} and changing -the digital signatures to shared-key \acp{MAC}. -Shared-key means that Alice and Bob share the same key for generating and -verifying \iac{MAC}. -This means that Bob can generate valid \acp{MAC} for any message and show to +They do this by using the interactive nature of \ac{IM} and changing the +digital signatures to shared-key \acp{MAC}. +Shared-key means that Alice and Bob share the same key\footnote{% + Unlike with digital signatures, where Alice has a public and a private key. + She creates signatures using her private key and Bob can verify these + signatures using her public key. +} for generating and verifying \iac{MAC}. +This means that Bob can generate a valid \ac{MAC} for any message and show to Eve, thus he cannot prove to Eve what Alice has said --- since he could have created this \enquote{proof} himself. -In addition, Alice and Bob do not use the same \ac{MAC} key throughout their -conversation, then continuously exchange new keys, one for each message. However, in this situation, Eve still has only two candidates as the author of the message: Alice and Bob, since they both have access to the shared keys. -To remedy this problem Alice and Bob publishes the \ac{MAC} keys after use, -i.e.\ when they no longer need them. +%In addition, Alice and Bob do not use the same \ac{MA} key throughout their +%conversation, they continuously exchange new keys, one for each message. +To remedy this problem Alice and Bob uses a new \ac{MA} key for each +message. +When a message has been confirmed as received they publish the \ac{MA} key for +that message, i.e.\ when they no longer need them. 
This gives \enquote{everyone} the possibility of generating messages that verifies under Alice and Bob's key, so now Alice and Bob can argue that someone -(Eve included) could have modified the ciphertext. +else (Eve included) could have modified the ciphertext. +(We will return to this in \cref{WhenAdversaryControlsNetwork}.) -The \ac{OTR} protocol became widely spread after the 2013 revelations about the -mass surveillance of the \ac{NSA} and \ac{GCHQ}, many derivatives of the -protocol emerged in smartphone apps. -Among the most wide-spread derivatives of \ac{OTR} is Signal (formerly -TextSecure)~\cite{SignalApp}\footnote{% - TextSecure actually existed before the Snowden revelations, but has seen more - wide-spread use after. -}. -The Signal protocol has, unlike many other of the derivatives, been formally -analysed and proven that it indeed provides its claimed security -properties~\cite{TextSecureAnalysis}. -One improvement over \ac{OTR} is the deniability. +\textcite{SignalApp} (formerly TextSecure) improved some properties of \ac{OTR} +in the Signal protocol, which has been formally analysed by +\textcite{TextSecureAnalysis,SignalProtocolAnalysis}. +The main change from \ac{OTR} is that Signal uses deniable authentication. In Signal the authentication is set up in such a way that any person knowing -the public key of Alice and Bob can generate a fake transcript of +the public keys of Alice and Bob can generate a fake transcript of a conversation. -This results in that Eve has many more candidates for the authors of +The result is that Eve has many more candidates for the authorship of a conversation. \subsubsection{When the Adversary Controls the Network} +\label{WhenAdversaryControlsNetwork} \input{OTPKX.tex} diff --git a/libbib b/libbib index f14592c..0328d4c 160000 --- a/libbib +++ b/libbib @@ -1 +1 @@ -Subproject commit f14592ccc5e222f6d3457dfa8128ad4fa67b62b6 +Subproject commit 0328d4c4dc2999e82ef1f8dfd67a018b74821a7f 
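Review bot: the added lines use the acronym \ac{MA} in three places ("uses a new \ac{MA} key for each message", "publish the \ac{MA} key", and the commented-out "\ac{MA} key throughout") where the rest of the file uses \ac{MAC}; unless MA is a separately defined acronym this gives an undefined-acronym warning and prints the wrong expansion, so it reads as a typo for \ac{MAC}. In the same lines "Alice and Bob uses" should be "use", and "when they no longer need them" should be "need it", since it refers to a single key. On the protocol description: the ordering is what the deniability argument rests on, a MAC key must only be published after the message it authenticates has been received and verified and a fresh key is in use for the next message; the hunk states "When a message has been confirmed as received", which is correct, but one sentence on why earlier publication would break authentication (anyone could then produce a message Bob still accepts) would make the "everyone can generate messages" sentence that follows land better. Finally, the libbib submodule bump is folded into this prose commit; keeping submodule updates in their own commits, as PATCH 10 does, makes the series easier to review.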
From 1025905eb43ca8bb75fdb050d9305b60aeb732ef Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 14:45:03 +0200 Subject: [PATCH 10/15] Updates libbib: Signal URLs --- libbib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbib b/libbib index 0328d4c..77030a2 160000 --- a/libbib +++ b/libbib @@ -1 +1 @@ -Subproject commit 0328d4c4dc2999e82ef1f8dfd67a018b74821a7f +Subproject commit 77030a21b9b89e568530347247903ccc80352cce From ec5bef776cf2be9d0d5202a63b9a457f5b0c3ce3 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 16:10:39 +0200 Subject: [PATCH 11/15] Edits OTPKX --- OTPKX.tex | 83 +++++++++++++++++++++++++++++-------------------- discussions.tex | 1 + libbib | 2 +- 3 files changed, 52 insertions(+), 34 deletions(-) diff --git a/OTPKX.tex b/OTPKX.tex index f63967a..b245bb3 100644 --- a/OTPKX.tex +++ b/OTPKX.tex 
@@ -1,45 +1,62 @@ -\citet{OTPKX} argue that if the adversary controls the entire network, then the -approach to deniability taken by \ac{OTR} and Signal does not suffice. -The problem is that the adversary can record a transcript of all communications +\textcite{OTPKX} argue that if the adversary controls the entire network, then +the approach to deniability taken by \ac{OTR} and Signal does not suffice. +The problem is that Eve can record a transcript of all communications that have taken place. -We know that the \ac{NSA} did exactly that~\cite{XKeyscore}, and specifically -saved ciphertexts for later when the decryption key might be available. -%~\cite{NSAsavesCiphertexts}. -In this setting it does not matter if anyone can generate a false transcript of -a conversation between Alice and Bob, the regime knows exactly what Alice has -sent and Bob received and vice versa. -The argument of \ac{OTR}-like schemes is that Alice and Bob have the possibility -to deny anything about the conversation since it cannot be decrypted. +We know that the \ac{NSA} did exactly that~\cite{XKeyscore} --- and more +specifically, saved ciphertexts for later when the decryption key might be +available. +In this setting it does not matter if anyone can generate a false transcript of +a conversation between Alice and Bob, because Eve knows exactly what Alice has +sent, what Bob has received and vice versa. +The argument of this class of protocol is that Alice and Bob have the +possibility to deny anything about the conversation since it cannot be +decrypted. +This seems extra problematic when even the free countries in the world suggest +that there must be ways to break this +encryption~\cite{BackDoorEncryption}\footnote{% + We refer the reader to the text by \textcite{KeysUnderDoormats} for further + reasons for why this is a bad idea. +}. There are more than one way to approach this problem. The first approach would be to use an anonymizing service, such as Tor~\cite{Tor}. 
-This way, the regime would not know that Alice communicates with Bob, only that +This way, Eve would not know that Alice communicates with Bob, only that Alice communicates with someone. -However, for all low-latency solutions, when the entry point and exit from the -anonymizing network are both controlled by the adversary, then the adversary -can perform a correlation attack and essentially render the anonymization -service useless~\cite{SystemsForAnonymousCommunication}. -This is in fact the case if the regime controls the nation-wide network while -critics of the regime, all located in the country, want to communicate in -real-time. -To make this attack more difficult for the regime's surveillance -agency, the system must -introduce random delays in our communication. %TODO: explain why -And despite all this, the regime can still ask Alice to decrypt the -conversations --- either she complies or claims she do not know the key. +However, Alice and Bob are located in the same country and Eve controls the +nationwide network. +For all low-latency anonymizing networks (such as Tor) where the entry point +and exit are controlled by Eve, Eve can perform a time-correlation +attack\footnote{% + This means that Eve records the time of when each message enters the network + (entry distribution) and the time when each message exits the network (exit + distribution). + Due to the low-latency property, these distributions will be related and Eve + can infer to whom Alice sent her message. +} and essentially render the anonymization service +useless~\cite{SystemsForAnonymousCommunication}. +To make this attack more difficult for Eve, the system must introduce random +delays in our communication\footnote{% + The delays must transform the exit distribution to a distribution more + similar to the uniform distribution, then Eve's statistical analysis will + become more difficult. +}. +(We will return to this topic in \cref{MessageDistribution}.) 
+But despite all this, Eve can still ask Alice to decrypt the conversations, +either she complies or claims that she does not know the key. The second approach would be to ensure deniability even against this strong adversary. This would not hide who communicates with whom, as in our first approach, but it provides deniability for the conversations. -The scheme suggested by \citet{OTPKX} makes use of one practical instance of +The scheme suggested by \textcite{OTPKX} makes use of one practical instance of deniable encryption~\cite{DeniableEncryption}. -They construct a scheme where Alice and Bob can create \enquote{false -witnesses} for their conversation. -Basically Alice can create a decryption key such that when used to decrypt the -ciphertext recorded by the regime from the network it will decrypt to -a plaintext of Alice's choice. -This way she can \enquote{prove} her innocence. -However, the question whether the regime would actually accept such -a \enquote{proof}, knowing it can equally well be false, remains open. +They construct a scheme where Alice and Bob can create \enquote{false proofs} +for their conversation. +In essence, Eve records all traffic. +When she approaches Alice and asks her to provide a key to decrypt the recorded +traffic, Alice can create a decryption key such that when Eve decrypts the +recorded traffic will receive a plaintext of Alice's choice. +This way Alice can \enquote{prove her innocence}. +However, the question whether Eve would actually accept such a \enquote{proof}, +knowing it might equally well be false, remains open. diff --git a/discussions.tex b/discussions.tex index 2400932..84914db 100644 --- a/discussions.tex +++ b/discussions.tex @@ -65,6 +65,7 @@ \subsubsection{Group Communication Properties} everyone and still Bob could try to frame her. \subsubsection{Message Distribution} +\label{MessageDistribution} \input{DecentAC.tex} diff --git a/libbib b/libbib index 77030a2..f1e9f47 160000 --- a/libbib +++ b/libbib 
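Review bot: in the OTPKX.tex hunk the sentence "when Eve decrypts the recorded traffic will receive a plaintext of Alice's choice" is missing its subject; "when Eve decrypts the recorded traffic she will receive" fixes it. The random-delay footnote says the delays must make the exit distribution "more similar to the uniform distribution"; the property that actually defeats the correlation attack described in the footnote above it is that exit times are statistically independent of entry times, and a uniform exit distribution is only one way to approximate that. Stating independence as the criterion is more precise and also makes the cost explicit: the delay window must be large relative to the message spacing, which is exactly the real-time requirement that the removed lines ("critics of the regime ... want to communicate in real-time") mentioned and that the new text drops; keep that sentence, since it is the reason low-latency networks are used at all. Smaller points in the same hunk: the unchanged context "There are more than one way" should be "There is more than one way"; "extra problematic" reads better as "especially problematic"; and "in our communication" is the only first-person reference in a passage otherwise written about Alice, Bob and Eve.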
@@ -1 +1 @@ -Subproject commit 77030a21b9b89e568530347247903ccc80352cce +Subproject commit f1e9f47097bc57187f15a288fb13fc8db9c426fa From e8fbf4026d85739594a3beb95c6f5c8a21c9509c Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 17:15:10 +0200 Subject: [PATCH 12/15] Changes from two-party to one-to-one communication --- before.tex | 2 +- discussions.tex | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/before.tex b/before.tex index f5ae209..c37ba73 100644 --- a/before.tex +++ b/before.tex @@ -27,7 +27,7 @@ \section{Before a Demonstration} In \cref{UserSearch}, we will discuss how Alice and Bob can find each other in \iac{DOSN}, this relates to the bootstrapping problem. Then we discuss security and privacy properties of the communication problem, -we focus on two-party secure communications in \cref{Communicating}. +we focus on one-to-one secure communications in \cref{Communicating}. There is also the case where Alice wants to talk to more people than just Bob, and this case is discussed in \cref{Discussions}. diff --git a/discussions.tex b/discussions.tex index 84914db..14ee44e 100644 --- a/discussions.tex +++ b/discussions.tex @@ -1,12 +1,12 @@ -So far we have treated only two-party conversations, i.e.\ Alice and Bob +So far we have treated only one-to-one conversations, i.e.\ Alice and Bob talking to each other. However, there are usually more than two people organizing a protest, and so we need to hold discussions with more than only two people at a time. In this situation there are two approaches to solving the communication: simultaneous pair-wise communication between all participants or true group communication. -Furthermore, how the messages are distributed is also important, because the -adversary can learn who the participants are. +Furthermore, how the messages are distributed is also important, because Eve +can learn who the participants are. \subsubsection{Group Communication Properties} \label{GroupProperties} 
From af859048025cfe1dbb6a8e1533ac5fc70b9f9526 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 17:54:27 +0200 Subject: [PATCH 13/15] Clarifies pairwise with one-to-one --- discussions.tex | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/discussions.tex b/discussions.tex index 14ee44e..bb59b5c 100644 --- a/discussions.tex +++ b/discussions.tex @@ -3,16 +3,16 @@ However, there are usually more than two people organizing a protest, and so we need to hold discussions with more than only two people at a time. In this situation there are two approaches to solving the communication: -simultaneous pair-wise communication between all participants or true group -communication. +simultaneous pairwise (one-to-one) communication between all participants or +multicast communication. Furthermore, how the messages are distributed is also important, because Eve -can learn who the participants are. +might be able to learn who the participants are. \subsubsection{Group Communication Properties} \label{GroupProperties} -When a group uses pair-wise communication, every member of the group will set -up a pair-wise channel to each other member of the group. +When a group uses pairwise communication, every member of the group will set up +a one-to-one channel to each other member of the group. Each pair-wise channel is as described above, in \cref{Communicating}. Then for every message Alice wants to send to the group she has to send it to every participant. From 85a3869a21d802ceff03b1a8e26bc085df0fe888 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 17:55:55 +0200 Subject: [PATCH 14/15] Adds figure of full-mesh network This also updates the makefiles submodule to use the automatic conversion from SVG to EPS figures. --- Makefile | 3 +++ discussions.tex | 8 ++++++++ makefiles | 2 +- protesting.tex | 2 ++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 690c56e..4b6eb1c 100644 
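Review bot: the pair-wise to pairwise rename in the discussions.tex hunk @@ -3,16 is incomplete; the unchanged context line directly below, "Each pair-wise channel is as described above, in \cref{Communicating}.", still uses the hyphenated form. The same hunk replaces "true group communication" with "multicast communication"; multicast names the delivery mechanism (one sender, many receivers) rather than a shared group channel with its own keys, so if the section means the latter, say "a shared group channel" or similar, otherwise the contrast with simultaneous pairwise channels is lost.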
--- a/Makefile +++ b/Makefile @@ -47,6 +47,9 @@ protesting.pdf: stats.bib protesting.pdf: adhocnets.bib protesting.pdf: hr.bib +protesting.pdf: FullMeshNetwork.eps +FullMeshNetwork.eps: FullMeshNetwork.svg + wc: ${SRC} todo: ${SRC} diff --git a/discussions.tex b/discussions.tex index bb59b5c..5748ba9 100644 --- a/discussions.tex +++ b/discussions.tex @@ -13,6 +13,14 @@ \subsubsection{Group Communication Properties} When a group uses pairwise communication, every member of the group will set up a one-to-one channel to each other member of the group. +(Illustrated in \cref{fig:FullMeshNetwork}). +\begin{figure} + \centering + \includegraphics[width=0.3\textwidth]{FullMeshNetwork.eps} + \caption{% + A full-mesh network with six nodes. + } +\end{figure} Each pair-wise channel is as described above, in \cref{Communicating}. Then for every message Alice wants to send to the group she has to send it to every participant. diff --git a/makefiles b/makefiles index 68abd13..cd90c6a 160000 --- a/makefiles +++ b/makefiles @@ -1 +1 @@ -Subproject commit 68abd133639608f59a319d26eb154c979a563a57 +Subproject commit cd90c6a33866f74abf316aeafaecc7553a55642a diff --git a/protesting.tex b/protesting.tex index ed3a8e4..397c6f4 100644 --- a/protesting.tex +++ b/protesting.tex @@ -5,6 +5,8 @@ %\usepackage[defblank]{paralist} \usepackage[hyphens]{url} \usepackage{hyperref} +\usepackage{graphicx} +\usepackage{subfig} \usepackage[inline]{enumitem} \newlist{properties}{enumerate}{5} From d5e3c658dcfc6de5118044b2e1e02b9fd82b008a Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Mon, 17 Apr 2017 18:06:51 +0200 Subject: [PATCH 15/15] Changes from subfig to subcaption package --- protesting.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protesting.tex b/protesting.tex index 397c6f4..68c7105 100644 --- a/protesting.tex +++ b/protesting.tex 
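Review bot: in the Makefile hunk, "FullMeshNetwork.eps: FullMeshNetwork.svg" has no recipe and relies on a pattern rule in the updated makefiles submodule (as the commit message states); a one-line comment naming that rule would spare the next reader a search through the submodule.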
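Review bot: in the discussions.tex hunk the figure is referenced with \cref{fig:FullMeshNetwork}, but the added figure environment contains no \label{fig:FullMeshNetwork}, so the reference is undefined and cleveref will print "??"; add the \label after the \caption. The sentence "(Illustrated in \cref{fig:FullMeshNetwork})." has the period outside the parentheses although the parenthetical is a complete sentence; either fold it into the preceding sentence or move the period inside. In protesting.tex, \usepackage{subfig} is added although nothing in the series uses subfigures, and the very next patch replaces it; squashing PATCH 15 into this one avoids introducing a package only to remove it.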
@@ -6,7 +6,7 @@ \usepackage[hyphens]{url} \usepackage{hyperref} \usepackage{graphicx} -\usepackage{subfig} +\usepackage{subcaption} \usepackage[inline]{enumitem} \newlist{properties}{enumerate}{5}
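Review bot: subcaption is the better choice of the two (it is part of the maintained caption bundle, whereas subfig has not been updated since 2005), but no subfigure appears anywhere in the series, so the package is dead weight at this point; either squash this into PATCH 14 or drop the \usepackage line until a subfigure is added.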