Adds figures

DecentAC.tex

@@ -1,4 +1,4 @@
-\citet{PPACforPubFS} analysed two dichotomous models of communication.
+\citet{PPACinPubFS} analysed two dichotomous models of communication.
 The first was the pull model, where the recipients fetch (i.e.\ pull) new 
 messages from the sender.
 A suitable analogy would be that of magazines published through sales in 
@@ -9,7 +9,7 @@
 mailbox shortly after publication.
 This is the model of the communication described in \cref{GroupProperties}, 
 i.e.\ the communication model for email.
-\citeauthor{PPACforPubFS} found that achieving privacy in the pull model is 
+\citeauthor{PPACinPubFS} found that achieving privacy in the pull model is 
 technically easier than in the push model.
 In fact, achieving strong privacy in the push model is very
 difficult. %TODO: explain why

Makefile

@@ -45,6 +45,10 @@ protesting.pdf: be.bib
 protesting.pdf: mpc.bib
 protesting.pdf: stats.bib
 protesting.pdf: adhocnets.bib
+protesting.pdf: hr.bib
+
+protesting.pdf: FullMeshNetwork.eps
+FullMeshNetwork.eps: FullMeshNetwork.svg
 
 wc: ${SRC}
 todo: ${SRC}

OTPKX.tex

@@ -1,45 +1,62 @@
-\citet{OTPKX} argue that if the adversary controls the entire network, then the
-approach to deniability taken by \ac{OTR} and Signal does not suffice.
-The problem is that the adversary can record a transcript of all communications
+\textcite{OTPKX} argue that if the adversary controls the entire network, then 
+the approach to deniability taken by \ac{OTR} and Signal does not suffice.
+The problem is that Eve can record a transcript of all communications
 that have taken place.
-We know that the \ac{NSA} did exactly that~\cite{XKeyscore}, and specifically 
-saved ciphertexts for later when the decryption key might be available.
-%~\cite{NSAsavesCiphertexts}.
-In this setting it does not matter if anyone can generate a false transcript of
-a conversation between Alice and Bob, the regime knows exactly what Alice has 
-sent and Bob received and vice versa.
-The argument of \ac{OTR}-like schemes is that Alice and Bob have the possibility 
-to deny anything about the conversation since it cannot be decrypted.
+We know that the \ac{NSA} did exactly that~\cite{XKeyscore} --- and more 
+specifically, saved ciphertexts for later when the decryption key might be 
+available.
+In this setting it does not matter if anyone can generate a false transcript of 
+a conversation between Alice and Bob, because Eve knows exactly what Alice has 
+sent, what Bob has received and vice versa.
+The argument of this class of protocol is that Alice and Bob have the 
+possibility to deny anything about the conversation since it cannot be 
+decrypted.
+This seems extra problematic when even the free countries in the world suggest 
+that there must be ways to break this 
+encryption~\cite{BackDoorEncryption}\footnote{%
+  We refer the reader to the text by \textcite{KeysUnderDoormats} for further 
+  reasons for why this is a bad idea.
+}.
 
 There are more than one way to approach this problem.
 The first approach would be to use an anonymizing service, such as 
 Tor~\cite{Tor}.
-This way, the regime would not know that Alice communicates with Bob, only that
+This way, Eve would not know that Alice communicates with Bob, only that
 Alice communicates with someone.
-However, for all low-latency solutions, when the entry point and exit from the 
-anonymizing network are both controlled by the adversary, then the adversary 
-can perform a correlation attack and essentially render the anonymization 
-service useless~\cite{SystemsForAnonymousCommunication}.
-This is in fact the case if the regime controls the nation-wide network while 
-critics of the regime, all located in the country, want to communicate in 
-real-time.
-To make this attack more difficult for the regime's surveillance
-agency, the system must 
-introduce random delays in our communication. %TODO: explain why
-And despite all this, the regime can still ask Alice to decrypt the 
-conversations --- either she complies or claims she do not know the key.
+However, Alice and Bob are located in the same country and Eve controls the 
+nationwide network.
+For all low-latency anonymizing networks (such as Tor) where the entry point 
+and exit are controlled by Eve, Eve can perform a time-correlation 
+attack\footnote{%
+  This means that Eve records the time of when each message enters the network 
+  (entry distribution) and the time when each message exits the network (exit 
+  distribution).
+  Due to the low-latency property, these distributions will be related and Eve 
+  can infer to whom Alice sent her message.
+} and essentially render the anonymization service 
+useless~\cite{SystemsForAnonymousCommunication}.
+To make this attack more difficult for Eve, the system must introduce random 
+delays in our communication\footnote{%
+  The delays must transform the exit distribution to a distribution more 
+  similar to the uniform distribution, then Eve's statistical analysis will 
+  become more difficult.
+}.
+(We will return to this topic in \cref{MessageDistribution}.)
+But despite all this, Eve can still ask Alice to decrypt the conversations, 
+either she complies or claims that she does not know the key.
 
 The second approach would be to ensure deniability even against this strong 
 adversary.
 This would not hide who communicates with whom, as in our first approach, but 
 it provides deniability for the conversations.
-The scheme suggested by \citet{OTPKX} makes use of one practical instance of 
+The scheme suggested by \textcite{OTPKX} makes use of one practical instance of 
 deniable encryption~\cite{DeniableEncryption}.
-They construct a scheme where Alice and Bob can create \enquote{false 
-witnesses} for their conversation.
-Basically Alice can create a decryption key such that when used to decrypt the 
-ciphertext recorded by the regime from the network it will decrypt to 
-a plaintext of Alice's choice.
-This way she can \enquote{prove} her innocence.
-However, the question whether the regime would actually accept such 
-a \enquote{proof}, knowing it can equally well be false, remains open.
+They construct a scheme where Alice and Bob can create \enquote{false proofs} 
+for their conversation.
+In essence, Eve records all traffic.
+When she approaches Alice and asks her to provide a key to decrypt the recorded 
+traffic, Alice can create a decryption key such that when Eve decrypts the 
+recorded traffic will receive a plaintext of Alice's choice.
+This way Alice can \enquote{prove her innocence}.
+However, the question whether Eve would actually accept such a \enquote{proof}, 
+knowing it might equally well be false, remains open.

PairwiseComm.tex

@@ -1,132 +1,156 @@
-We will now focus on the communication.
-Specifically we will focus on communication between pairs of people, e.g.\ 
-Alice talking to Bob.
+We will now focus on communication between pairs of people, e.g.\ Alice talking 
+to Bob.
 \citeauthor{otr2004} designed a secure protocol for two-people communication, 
 the \ac{OTR} protocol.
-They desired an electronic equivalent of face-to-face conversations, i.e.\ that 
-they leave no proofs of any kind behind:
-if Alice and Bob have had a conversation, Bob cannot go to Eve afterwards and 
-prove anything about what Alice has said --- the same as in a face-to-face 
-conversation.
+This protocol was used as the base and has now been replaced by the Signal 
+protocol\footnote{%
+  The protocol used in popular messaging apps such as Signal and WhatsApp.
+}.
+\citeauthor{otr2004} desired an electronic equivalent of face-to-face 
+conversations, i.e.\ a protocol which yield no binding proofs:
+if Alice and Bob have had a conversation, Bob cannot prove anything to Eve 
+about what Alice has said --- the same as in a face-to-face conversation.
 This property is not true for email or most centralized communication
 services.
-%TODO: one reviewer says to revise language, but it's not clear where
-%around here.
 
-\subsubsection{Standard Email}
+\subsubsection{Email and Centralized Services}
+
+The standard email system does not provide any confidentiality or 
+integrity.
+A suitable analogy would be that of a postcard.
+Alice writes her message to Bob on a postcard without any envelope, i.e.\ her 
+message and Bob's address are visible on it\footnote{%
+  She must write her full return address on it too.
+}.
+This means that the postman can read everything.
+Furthermore, most postmen use transparent sacks\footnote{%
+  Some postmen have started using non-transparent sacks, so those postcards can 
+  only be read by the staff in the post-office.
+} to carry the postcards, so everyone along the way can also read the sender's 
+and recipient's address and the contents.
+This means that Eve can read the contents of these messages too.
 
-The standard email system does not provide any security.
-A suitable analogy would be that each message is a postcard, i.e.\ it has no 
-envelope, so the content and address are visible on it.
-This means that the postman can read the cards' contents, their recipients' and
-senders' addresses.
-(Yes, unlike real postcards these also include the sender's address.)
-Furthermore, most postmen use transparent sacks to carry the postcards, so 
-everyone along the way can also read the sender's and recipient's address and 
-the contents.
-However, some postmen have started using non-transparent sacks, i.e.\ encrypted 
-connections between the servers, so those postcards can only be read by the 
-staff in the post-office. %TODO reviewer question: no confidentiality
-                          %at all?
+Thus the email system provides no confidentiality: both the server used for 
+sending and the server used for receiving and storing the email can read the 
+contents in plain text.
+If these servers do not use an encrypted connection, which is not mandatory, 
+each network operator along the route can also read (and make a copy of) each 
+email --- in plain text.
+In 2013, \textcite{Fibretap} published that \ac{GCHQ} did exactly this on 
+a worldwide scale.
+Clearly, this is undesirable for Alice and Bob, since Eve can do exactly this 
+too.
 
-Thus the email system provides no confidentiality: each email server can read 
-the messages, each network operator along the transport route can also read 
-(and make a copy of) each email.
-However, it is actually worse than that, because the email system provides no 
-integrity either.
-This means that the postman, or anyone along the way, can do arbitrary 
-modifications to the messages without anyone noticing the difference.
-We can safely say that we cannot rely on the email system for neither security 
-nor privacy when planning a protest.
+It is actually worse than that: the email system provides no integrity either.
+This means that the postman, or Eve\footnote{%
+  Or any network operator along the way.
+}, can do arbitrary modifications to the messages without anyone noticing the 
+difference.
+This means that Eve can modify Alice's messages to Bob and Bob will not notice.
 
 When using a centralized communications service, such as Facebook, the
 level of security and privacy we can achieve is that the postman
 carries non-transparent sacks.  The business model of most such
-services is to read peoples postcards to better profile their
-interests and thus deliver better suiting advertising.  Here, third
-parties such as advertisers or surveillance entities cannot directly
-see who is communicating with whom.  They can only see that something
-goes to and from the service.  However, all information is available
+services is to read people's postcards to better profile their
+interests and thus deliver better suiting advertising.
+In this case, Eve can cannot directly see who is communicating with whom.
+She can only see that something goes to and from the service.
+However, all information is available
 internally to the service.  This means that there are ways of learning
-this, for example through PRISM~\cite{Prism} of the
-\ac{NSA}.%TODO: explain how %TODO address this question even more:
-         %Which kind of third parties are these, when compared to the
-         %case of e-mail? Advertisers? Or other parties? And
-         %canadvertisers read the content in e-mail systems? Google
-         %lets them advertise on keywords, but not read the mail
-         %itself for instance. Or hackers? 
+this.
+One approach was illustrated by \acg{NSA} PRISM programme~\cite{Prism}, where 
+the \ac{NSA} could systematically fetch user data from the major centralized 
+services (Facebook, Google, Microsoft and Yahoo among others) and could query 
+this data at their own discretion.
+This might not work for governments like China, since these services are 
+located outside China.
+But because they are centralized, they are easy to censor.
+This forces Alice and Bob to use services which are located in China where this 
+type of attack is possible.
+%TODO address this question even more:
+%Which kind of third parties are these, when compared to the
+%case of e-mail? Advertisers? Or other parties? And
+%can advertisers read the content in e-mail systems? Google
+%lets them advertise on keywords, but not read the mail
+%itself for instance. Or hackers? 
 %TODO: other reviewer: annotate, give context.
 
 \subsubsection{Secure Email and Text Messaging}
 
-Secure email works by employing cryptography:  encrypting the contents of the 
-postcard, thus providing confidentiality, and then adding a digital signature to 
-prevent modifications.
-Thus the recipient is the only one who can read the message and the recipient 
-can also verify that the message has not been modified along the way.
-To make key management easy, most schemes use public-key cryptography.
-This means that we have two keys, one which is public and another which is kept
-private.
-For encryption, the public key can transform a message to a ciphertext, i.e.\ 
-a random-looking text string.
-The private key can be used to transform the ciphertext back to the message.
-Given only the public key, it is \enquote{impossible} to find the private key.
-For signatures, we can use the private key to compute a signature of a message 
-and then send the message and its signature.
-The recipient can then use the public key to verify the signature of the 
-message.
-This signature depends on the entire message, so it is impossible to move 
-a signature to another message --- unlike signatures on paper.
-And since it is impossible to find the private key given only the public key, 
-no one can create fake signatures.
+Alice and Bob can add a layer of confidentiality and integrity on top of any 
+insecure communication system.
+Secure email works by employing cryptography: Alice encrypts the contents of 
+the postcard (confidentiality) and then adds a digital signature to prevent 
+modifications (integrity).
+This requires that Alice and Bob verify each others keys before any 
+communication --- to avoid being tricked by Eve.
+Now Bob is the only one who can read Alice's message and he can also verify 
+that the message is indeed from Alice and has not been modified along the way.
+
+%To make key management easy, most schemes use public-key cryptography.
+%This means that we have two keys, one which is public and another which is kept
+%private.
+%For encryption, the public key can transform a message to a ciphertext, i.e.\ 
+%a random-looking text string.
+%The private key can be used to transform the ciphertext back to the message.
+%Given only the public key, it is \enquote{impossible} to find the private key.
+%For signatures, we can use the private key to compute a signature of a message 
+%and then send the message and its signature.
+%The recipient can then use the public key to verify the signature of the 
+%message.
+%This signature depends on the entire message, so it is impossible to move 
+%a signature to another message --- unlike signatures on paper.
+%And since it is impossible to find the private key given only the public key, 
+%no one can create fake signatures.
 
 One problem with this approach to secure email is that the sender and recipient
 are still in the clear, anyone can read them.
-So the content is hidden, but the meta-data is not.
+The content is hidden, but the meta-data is not.
+This allows Eve to infer the social graph, by monitoring who is communicating 
+with whom.
 
-Another problem is that the digital signatures used provides a property called 
+Another problem is that the digital signatures provide a property called 
 non-repudiation.
 Say that Alice securely sent an email to Bob, if Eve would compromise Bob's 
 private key, as many government agencies can, then she would learn that Alice 
 --- and no one else --- has sent that message to Bob.
 Bob might even give the message and his key to Eve voluntarily or under threat.
 This is exactly the property that \citeauthor{otr2004} wanted to remove with 
 \ac{OTR}.
-They can do this by leveraging the interactive nature of \ac{IM} and changing 
-the digital signatures to shared-key \acp{MAC}.
-Shared-key means that Alice and Bob share the same key for generating and 
-verifying \iac{MAC}.
-This means that Bob can generate valid \acp{MAC} for any message and show to 
+They do this by using the interactive nature of \ac{IM} and changing the 
+digital signatures to shared-key \acp{MAC}.
+Shared-key means that Alice and Bob share the same key\footnote{%
+  Unlike with digital signatures, where Alice has a public and a private key.
+  She creates signatures using her private key and Bob can verify these 
+  signatures using her public key.
+} for generating and verifying \iac{MAC}.
+This means that Bob can generate a valid \ac{MAC} for any message and show to 
 Eve, thus he cannot prove to Eve what Alice has said --- since he could have 
 created this \enquote{proof} himself.
-In addition, Alice and Bob do not use the same \ac{MAC} key throughout their 
-conversation, then continuously exchange new keys, one for each message.
 However, in this situation, Eve still has only two candidates as the author of 
 the message: Alice and Bob, since they both have access to the shared keys.
-To remedy this problem Alice and Bob publishes the \ac{MAC} keys after use, 
-i.e.\ when they no longer need them.
+%In addition, Alice and Bob do not use the same \ac{MA} key throughout their 
+%conversation, they continuously exchange new keys, one for each message.
+To remedy this problem Alice and Bob uses a new \ac{MA} key for each 
+message.
+When a message has been confirmed as received they publish the \ac{MA} key for 
+that message, i.e.\ when they no longer need them.
 This gives \enquote{everyone} the possibility of generating messages that 
 verifies under Alice and Bob's key, so now Alice and Bob can argue that someone 
-(Eve included) could have modified the ciphertext.
+else (Eve included) could have modified the ciphertext.
+(We will return to this in \cref{WhenAdversaryControlsNetwork}.)
 
-The \ac{OTR} protocol became widely spread after the 2013 revelations about the
-mass surveillance of the \ac{NSA} and \ac{GCHQ}, many derivatives of the 
-protocol emerged in smartphone apps.
-Among the most wide-spread derivatives of \ac{OTR} is Signal (formerly 
-TextSecure)~\cite{SignalApp}\footnote{%
-  TextSecure actually existed before the Snowden revelations, but has seen more
-  wide-spread use after.
-}.
-The Signal protocol has, unlike many other of the derivatives, been formally 
-analysed and proven that it indeed provides its claimed security 
-properties~\cite{TextSecureAnalysis}.
-One improvement over \ac{OTR} is the deniability.
+\textcite{SignalApp} (formerly TextSecure) improved some properties of \ac{OTR} 
+in the Signal protocol, which has been formally analysed by 
+\textcite{TextSecureAnalysis,SignalProtocolAnalysis}.
+The main change from \ac{OTR} is that Signal uses deniable authentication.
 In Signal the authentication is set up in such a way that any person knowing 
-the public key of Alice and Bob can generate a fake transcript of 
+the public keys of Alice and Bob can generate a fake transcript of 
 a conversation.
-This results in that Eve has many more candidates for the authors of 
+The result is that Eve has many more candidates for the authorship of 
 a conversation.
 
 \subsubsection{When the Adversary Controls the Network}
+\label{WhenAdversaryControlsNetwork}
 
 \input{OTPKX.tex}