DOCSLIB.ORG

High-Bandwidth Anonymous Broadcast with Malicious Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
High-Bandwidth Anonymous Broadcast with Malicious Security Spectrum: High-Bandwidth Anonymous Broadcast with Malicious Security Zachary Newman Sacha Servan-Schreiber Srinivas Devadas MIT CSAIL MIT CSAIL MIT CSAIL [email protected] [email protected] [email protected] Abstract researchers, digital mass surveillance by U.S. government agencies [12]. Political philosophers debate [2, 23] the ethics We present Spectrum, a high-bandwidth, metadata-private of whistleblowing, but agree it often has a positive impact. file broadcasting system with malicious security guarantees. In Spectrum, a small number of publishers broadcast to many Motivation for this work. Whistleblowers take on great subscribers via two or more non-colluding servers. Sub- personal risks in bringing misdeeds to light. The luckiest scribers generate indistinguishable cover traffic, hiding which enjoy legal protections [80] or financial reward [81]. But users are publishers, for full metadata privacy. many face exile [12], incarceration [39,60,66], or risk their Spectrum builds on prior work that uses DC-nets for anony- lives [79]. More recently, political activist Alexei Navalny mous broadcast. Existing anonymous broadcast systems do was detained and sentenced to prison following the release not optimize for a setting where there are fewer publishers of documents accusing Russian president Vladimir Putin of compared to subscribers – a common situation in real-world corruption and embezzlement [72]. broadcasts. To prevent disruption by malicious clients sending To mitigate these risks, many whistleblowers turn to tech- malformed requests, we develop a blind authentication proto- nology to protect themselves [36]. Secure messaging apps col that allows servers to reject malicious requests. We also Signal [17] and SecureDrop [4] have proven to be an im- ensure security against malicious servers deviating from pro- portant resource to whistleblowers and journalists [31, 76]. tocol and potentially colluding with clients. Our techniques Encryption does its job, even against the NSA [83]—but it for providing malicious security are applicable to other sys- may not be enough to protect from powerful adversaries. tems for anonymous broadcast and may be of independent Since the Snowden revelations, governments and the press interest. have focused on metadata. The source, destination, and tim- We implement and evaluate Spectrum. Compared to ing of encrypted data can leak information about its contents. the state-of-the-art in cryptographic anonymous communi- Prosecutors used SFTP metadata in the case against Chelsea cation systems, Spectrum is 3–140× faster (and commensu- Manning [88]. Newer technology is still vulnerable: a federal rately cheaper). Deployed on two commodity servers, Spec- judge found Natalie Edwards guilty on evidence of metadata trum allows publishers to share 500 MB in 1h 24m with an from an encrypted messaging app [39]. To protect whistle- anonymity set of 10,000 (for a total cost of about $1.93). This blowers and protect against powerful adversaries, systems corresponds to an anonymous upload of a full-length 720p must be designed with metadata privacy in mind. documentary movie. Many academic and practical metadata-hiding systems pro- vide solutions to this problem for some applications. Tor [25] 1 Introduction boasts a distributed network of 6,000 nodes and 2 million daily active users (the only such system with wide usage). Free and democratic society depends on an informed public, Tor is fast enough for web browsing, but de-anonymization at- which sometimes depends on whistleblowers shedding light tacks identify users with a high success rate based on observed on misdeeds and corruption. Over the last century, whistle- traffic [5,8, 29, 37, 42, 55, 58]. Moreover, the effectiveness of blowers have exposed financial crimes and government cor- de-anonymization attacks increases with the size of the traffic ruption [50, 59, 67], risks to public health [30, 40], Russian pattern. Whistleblowers using Tor to upload large files can be interference in the 2016 U.S. presidential election [50, 60], more easily de-anonymized compared to casual web users for presidential misconduct [11, 32, 56, 71], war and human this reason. rights crimes [3, 26, 79], and, of note to computer security Some recent academic research systems [1,18,28, 43 –45, 1 47, 78, 82] address the problem of hiding metadata in anony- OK! OK! mous communication, providing precise security guarantees SA SB for both direct messaging and “Twitter”-like broadcast ap- Share plications. However, a limitation of all existing systems is Aggregation that they are designed for low-bandwidth content, incurring Verification Server A Server B Server A Server B impractical latencies with large messages (see Section6). Contributions. Spectrum is the first anonymous broadcast SA Secret Sharing SB SA SB system supporting high-bandwidth broadcasts with security + = against actively malicious clients and servers. We do so by Broadcast designing for the many-subscriber and few-publisher setting, which reflects the real-world usage of broadcast platforms. 0 0 0 Spectrum scales proportionally to the number of broadcasts in the system rather than the total number of users: the primary Figure 1: In Spectrum, users upload secret shares to the servers. bottleneck and cause for high-latency in prior work. Servers validate and combine these shares to recover the broadcast This paper contributes: message while hiding its provenance. 1. Design of Spectrum, a system for high-bandwidth metadata-private broadcasting with strong robustness and 2 Anonymous Broadcast privacy guarantees in a malicious security setting, 2. A general extension we call BlameGame that can be used to “upgrade” anonymous broadcasting protocols for se- In this section we describe high-level techniques for anony- curity against de-anonymization attacks from malicious mous broadcast. servers, 3. An open-source implementation of Spectrum which we The setting. In an anonymous broadcast, one or more users extensively evaluate and compare to existing anonymous (publishers) share a message (e.g., a file) in a manner that broadcasting and communication systems. prevents an adversary from learning its source, even with full view of the entire network. In Spectrum, passive users generate cover traffic (indistinguishable dummy messages) to Limitations. Spectrum shares some limitations with other increase the size of the anonymity set – the users who plau- metadata-private systems: sibly could have originated the broadcast message. We call 1. Spectrum provides anonymity among honest online users these passive users subscribers as we expect that most users and requires all users to contribute cover messages to a in the system that are not broadcasting are instead consuming broadcast (to perfectly hide network metadata). Thus, broadcasts. We will use the term client to mean the program subscribers must upload as much data as a publisher to via which a user communicates with servers. provide anonymity for the publisher. 2. Spectrum achieves peak performance with exactly two DC-nets. A Dining Cryptographer network (DC-net) [15] servers. Instantiating with more than two servers requires allows for anonymous broadcast. DC-nets commonly use using less (concretely) efficient cryptographic primitive: secret-sharing to obscure the source of data in the network. a seed-homomorphic PRG [7]. As in prior work [1, 18, 28], we instantiate a DC-net with two Other metadata-private systems (e.g., [1,18,19,43,45,47,78]) (or more) servers and many clients. also provide anonymity within the set of online users and sending fixed-size messages. Unfortunately, it is a necessary Toy Protocol. Consider a setting with two (non-colluding) cost to pay for strong privacy; if only one user uploads a servers ServerA and ServerB and two or more clients, where very large message, the network metadata alone is sufficient one of the clients wishes to share a file. In a two-server DC- to de-anonymize them. However, we show how to amortize net, the ith client samples a random bit string ri and sends one the practical impact of this limitation by only requiring secret share ri ⊕ mi to ServerA and secret share ri to ServerB. cover message per subscriber, even in the case of multiple Servers can recover mi by combining their respective shares: publishers simultaneously using the system (Section4). ⊕ ⊕ Paper organization. We formalize the setting and function- mi = (mi ri ) (ri ): ality in Section3. We describe the protocol in Section4. Section5 presents the implementation and evaluation. Sec- If exactly one of N clients shares a message mi = m while all tion6 surveys related work. other clients share mi = 0, the servers can recover m (without 2 learning which client sent mi = m) by aggregating: 3.1 Threat Model In Spectrum, an adversary may control an arbitrary subset ServerA ServerB (commutativity of xor) z }| { z}|{ z }| { of clients and servers. Only one of the servers needs to be MN MN MN MN honest (not colluding with the adversary) in order to guarantee ⊕ ⊕ ⊕ ⊕ m = ( ri m i ) r i = ( r i ri ) m i anonymity for all honest clients. On the other hand, all clients i i i i are completely untrusted by the servers and are assumed to = 0 ⊕ ::: ⊕ m ⊕ ::: ⊕ 0: | {z } deviate from protocol in arbitrary ways or collude with the origin of m is hidden adversary. Guarantees. If any subset of malicious clients deviate from This simple scheme protects client anonymity given that protocol, both anonymity and system availability must remain each server obtains a uniformly random value. Only the com- intact for all honest clients. bined shares reveal the resulting message. However, user can If a subset of corrupted servers arbitrarily deviate from undetectably disrupt the broadcast by non-zero shares. The protocol, anonymity for all honest clients is guaranteed but main challenge in metadata-private broadcasting is ensuring availability of the system as a whole is not. Likewise, all correctness in the presence of such disruptors [1,18,28,43]. other system failures may disrupt availability but must not Indeed, preventing disruption by malicious clients is the pri- cause deanonymization of any honest client.
Load more

Recommended publications
  • PRESS FREEDOM TRACKER MAY 2021 Press Freedoms in the United States 2020 a REVIEW of the U.S
    PRESS FREEDOMS in the United States 2020 A REVIEW OF THE U.S. PRESS FREEDOM TRACKER MAY 2021 Press Freedoms in the United States 2020 A REVIEW OF THE U.S. PRESS FREEDOM TRACKER By the Reporters Committee Senior Staff Attorney and Tracker Advisory Board Member Sarah Matthews, Editorial Coordinator Chris Young, and former Communications Intern Courtney Douglas TABLE OF CONTENTS Overview . 4 Prior Restraints . 20 Physical Attacks on Journalists . 8 Denials of Access . 21 Arrests of Journalists . 12 Chilling Statements . 25 Equipment Damage . 14 Conclusion . 27 Subpoenas and Legal Orders . 16 The Tracker data referenced herein is current as of May 3, 2021, the date of publication. Cover Photo: Julio Cortez/AP Report design by Michaela Potter | Wanderlust Productions ©2021 The Reporters Committee for Freedom of the Press About the Tracker and this Report In 2017, as the U.S. news media faced increasing hostility led by attacks from politicians, the Reporters Committee for Freedom of the Press joined with more than two dozen press freedom groups to launch the U.S. Press Freedom Tracker, a project aimed at documenting incidents impacting press freedom in the country. The Tracker’s advisory board, led by the Committee to Protect Journalists, includes the Reporters Committee, the Knight First Amendment Institute at Columbia University, Reporters Without Borders, Index on Censorship, and the Freedom of the Press Foundation, which also manages the day-to-day operation of the Tracker. The importance of the Tracker and its role documenting press freedoms in the U.S. came into sharp focus in 2020 –– only the fourth year of its existence –– when the country faced a wave of protests, and journalists covering those protests were arrested and attacked in record numbers.
    [Show full text]
  • Federal Cases Involving Unauthorized Disclosures to the News Media, 1778 to the Present
    Federal Cases Involving Unauthorized Disclosures to the News Media, 1778 to the Present Introduction and Methodology This chart attempts to comprehensively survey every federal case involving an effort by law enforcement, an executive branch agency, the courts, or Congress to formally investigate or prosecute someone for, or compel the disclosure of information about, the unauthorized disclosure of government information to the news media. In short, it is our attempt at an exhaustive list of “leak” cases. Please note that, in addition to the cases one would usually think of as “leaks” matters—that is, cases arising out of the disclosure of national defense information, such as those involving Daniel Ellsberg, Chelsea Manning, and Edward Snowden—we include cases where courts have ordered an investigation into grand jury leaks (e.g., BALCO, Taricani, and Walters), where Congress has formally investigated a leak (e.g., Nugent, Schorr, and Phelps/Totenberg), where the leak involved non-national security information (e.g., Agnew and Lacker), where the surveillance or targeting of reporters was conducted as part of domestic espionage activity (e.g., Project Mockingbird), and where a Privacy Act plaintiff who has had information leaked to the press about a pending investigation seeks a subpoena to uncover the source (e.g., Lee and Hatfill). This chart excludes cases involving purely internal unauthorized disclosure inquiries within the government (such as the Raj Rajaratnam inquiry at the SEC1), unless they involve the formal investigation of members of the news media. We include the two cases involving U.S. submarine-based surveillance (Operations Holystone and Ivy Bells), where senior officials actively discussed using the 1950 amendment to the Espionage Act regarding the publication of communications intelligence to prosecute the outlet.
    [Show full text]
  • Federal Cases Involving Unauthorized Disclosures to the News Media, 1778 to the Present
    Federal Cases Involving Unauthorized Disclosures to the News Media, 1778 to the Present Introduction and Methodology This chart attempts to comprehensively survey every federal case involving an effort by law enforcement, an executive branch agency, the courts, or Congress to formally investigate or prosecute someone for, or compel the disclosure of information about, the unauthorized disclosure of government information to the news media. In short, it is our attempt at an exhaustive list of “leak” cases. Please note that, in addition to the cases one would usually think of as “leaks” matters—that is, cases arising out of the disclosure of national defense information, such as those involving Daniel Ellsberg, Chelsea Manning, and Edward Snowden—we include cases where courts have ordered an investigation into grand jury leaks (e.g., BALCO, Taricani, and Walters), where Congress has formally investigated a leak (e.g., Nugent, Schorr, and Phelps/Totenberg), where the leak involved non-national security information (e.g., Agnew and Lacker), where the surveillance or targeting of reporters was conducted as part of domestic espionage activity (e.g., Project Mockingbird), and where a Privacy Act plaintiff who has had information leaked to the press about a pending investigation seeks a subpoena to uncover the source (e.g., Lee and Hatfill). This chart excludes cases involving purely internal unauthorized disclosure inquiries within the government (such as the Raj Rajaratnam inquiry at the SEC1), unless they involve the formal investigation of members of the news media. We include the two cases involving U.S. submarine-based surveillance (Operations Holystone and Ivy Bells), where senior officials actively discussed using the 1950 amendment to the Espionage Act regarding the publication of communications intelligence to prosecute the outlet.
    [Show full text]
  • Federal Cases Involving Unauthorized Disclosures to the News Media, 1844 to the Present
    Federal Cases Involving Unauthorized Disclosures to the News Media, 1844 to the Present Introduction and Methodology This chart attempts to comprehensively survey every federal case involving an effort by law enforcement, an executive branch agency, the courts, or Congress to formally investigate or prosecute someone for, or compel the disclosure of information about, the unauthorized disclosure of government information to the news media. In short, it is our attempt at an exhaustive list of “leak” cases. Please note that, in addition to the cases one would usually think of as “leaks” matters—that is, cases arising out of the disclosure of national defense information, such as those involving Daniel Ellsberg, Chelsea Manning, and Edward Snowden—we include cases where courts have ordered an investigation into grand jury leaks (e.g., BALCO, Taricani, and Walters), where Congress has formally investigated a leak (e.g., Nugent, Schorr, and Phelps/Totenberg), where the leak involved non-national security information (e.g., Agnew and Lacker), where the surveillance or targeting of reporters was conducted as part of domestic espionage activity (e.g., Project Mockingbird), and where a Privacy Act plaintiff who has had information leaked to the press about a pending investigation seeks a subpoena to uncover the source (e.g., Lee and Hatfill). This chart excludes cases involving purely internal unauthorized disclosure inquiries within the government (such as the Raj Rajaratnam inquiry at the SEC1), unless they involve the formal investigation of members of the news media. We include the two cases involving U.S. submarine-based surveillance (Operations Holystone and Ivy Bells), where senior officials actively discussed using the 1950 amendment to the Espionage Act regarding the publication of communications intelligence to prosecute the outlet.
    [Show full text]
  • Thời Điểm Trọng Đại Của Hoa Kỳ Cuộc Tấn Công Kéo Dài Hàng Thập Kỷ Của Cộng Sản Vào Hoa Kỳ Sắp Lên Đến Đỉnh Điểm
    04 — 10/12/2020 SỐ 25 | $2.00 10962 MAIN STREET, SUITE 101, VIETNAMESE EDITION EL MONTE, CA 91731-2922 WWW.ETVIET.COM SPENCER PLATT/GETTY IMAGES Đặc sắc Thưa Quý độc giả, Epoch Times là một kênh truyền thông độc lập phát triển nhanh nhất ở Mỹ. Chúng tôi không bị ảnh hưởng bởi bất kỳ chính phủ, tập đoàn hay các đảng phái chính trị nào. Được thành lập tại Hoa Kỳ vào năm 2000, Tập đoàn Epoch Times đã nhận được nhiều giải thưởng về nội dung và thiết kế của Hiệp hội Báo chí New York, Hiệp hội Nhà báo VĂN HÓA Chuyên nghiệp và Hiệp hội Thiết kế Tin tức. Lý Long Tường: Với 22 ngôn ngữ, Epoch Times là một kênh Vị Bạch mã Hoàng Tử truyền thông Mỹ độc lập theo nguyên tắc Sự Thật và Truyền Thống. Thông qua những đánh bại quân Mông bài báo trung thực, cung cấp sự thật và làm Cổ trên xứ Cao Ly sáng tỏ những vấn đề xã hội quan trọng, Đọc bài trang Epoch Times mong muốn gửi đến Quý độc 13 giả những giá trị nhân văn của sự chính trực, lương thiện, lòng trắc ẩn, hay những bài học quý giá từ lịch sử, đồng thời tôn vinh các giá trị phổ quát của nhân loại. Rất mong nhận được sự ủng hộ và đồng hành của Quý độc giả thông qua việc chia sẻ, lan tỏa các bài viết đến với cộng đồng. Epoch Times tin rằng đây là cách để chúng ta cùng kiến tạo tương lai, đi tới một đại kỷ nguyên Bức tượng George Washington trước Hội trường Liên bang ở mới huy hoàng và đẹp đẽ hơn.
    [Show full text]