IETF Logo Mail Archive

Re: [Privacy-pass] Detecting malicious registries/servers

Steven Valdez <svaldez@google.com> Tue, 04 August 2020 13:54 UTC

Return-Path: <svaldez@google.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2BB33A0B75 for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 06:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1DZaFX6mLBy for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 06:54:10 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C27E83A07E7 for <privacy-pass@ietf.org>; Tue, 4 Aug 2020 06:54:10 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id j7so19999536oij.9 for <privacy-pass@ietf.org>; Tue, 04 Aug 2020 06:54:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6Ricvvv8HVumpKlPe2ATdQ5IeMrt7Q5zQdiVnGPMM2U=; b=gI6m81A7AUyXZHlgzolnZLtI4yFsixbQyyD/ksMxkOaN22KafgqYdSUuYmZ4wHdVTH 5pm6tqNszFDINKoZ0D+EdU/CkCzyrcPN6Aexu/UOsaixOxW5m4rfpojxsmhthD4a2Xy7 r34KchbvQTvJlmCrfSB+DiuDmU9aChxj5UAnm3mjP0o012OhTm7tL8L+e7UAoUt+/IfX uYDHv6YrrP58T/+yeSBc/jukrWM2TA0IHRA0MZA/mWQ+DKQJKWzWzdRvmEXs1L7MRNRY 5sYd6WQe7Sy0XJ0HXc7bb6accJ8TesZJ7jFh1TAR/gy6sgTxQBhXJ12tWLWxxTLjVeNc A7QA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6Ricvvv8HVumpKlPe2ATdQ5IeMrt7Q5zQdiVnGPMM2U=; b=hKl352gVV2xRF/BB/Q2P5NBZlIUeJl9Vny4KDh89Rs7nmTaPLpBjLu72cGOb87Rezr BGMjWhaOHMNqd7oD5iHeKsirsbBfD7tPJHyZNqbFLU6DrQGvNPAYKwaPdUkS0WDapVFG mfwOGCneym0vp4KpGbLs6RaMJt67cgJsH2jG32yiNMH8cv1hS6tZTbwGHemaz2CC1wyz 2yZ9mJUcsNMfy0iXCmTqI4/8QqxpDNldHAtIAWI1/sjutn1kMstQJrh2Iy/R+r3zp079 rEAKA6CIt3KJyjHmlns82BjaGpv1StJm+rXql4fApi5tfw/BTpOwyciFW/vfls56I5MR cYcA==
X-Gm-Message-State: AOAM5326pmelDgb9HNApoCBN97tHzn9Suw7VXygwxhq3wL1noWlVeN4E FQ0iwRqubu9k9FJB9TiPCrvEbyuj6Xzh8BDKb73Nqw==
X-Google-Smtp-Source: ABdhPJzbsYzJENHP93kolN5kE5oMEZa66SpMjxldMLU2jsZ8DqTK0/G2zwNstEwyBVn1MlvXpMSgKu5jHSWp4pU6QIM=
X-Received: by 2002:a05:6808:82:: with SMTP id s2mr3467088oic.11.1596549249761; Tue, 04 Aug 2020 06:54:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAJoqpT+U9QAHqncX0Aj2yWRaNRBgqE4ZG4k7Yx7xHtevsQ8EVA@mail.gmail.com> <CAHbrMsD9RtVS+zLscxvDJrynzDsuogEpdWqvBJRJVg2czkC+xg@mail.gmail.com> <a54fe9678b294cc49835ca642a098ba1@uwaterloo.ca> <CANduzxDg2Rvy8j7kAsNJ9QaX6Qaa7EFT08WfjVHwoB3Up7+btA@mail.gmail.com> <456cf7d9a35d4ec38c12ca34b8119dc0@uwaterloo.ca> <CAHbrMsAoFi5yKH1ctKgkQmFyR8ffmGA2Nj=Uu=M6zf9q7DnrGg@mail.gmail.com>
In-Reply-To: <CAHbrMsAoFi5yKH1ctKgkQmFyR8ffmGA2Nj=Uu=M6zf9q7DnrGg@mail.gmail.com>
From: Steven Valdez <svaldez@google.com>
Date: Tue, 04 Aug 2020 09:53:57 -0400
Message-ID: <CANduzxBMA2qtBC8VBvUymHfFRKzeLb7ab1FL5eLBDCpobpQ2nw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: Chelsea Komlo <ckomlo@uwaterloo.ca>, Chelsea Komlo <chelsea.komlo@gmail.com>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6718505ac0d96e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/6v_vovKZdOQskfk2Ye55kO0OL1U>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 13:54:13 -0000

There at the very least needs to be an unlinkable transport between
issuer/verifier connections, since otherwise you have immediate linkability
there.

This may not be a hard requirement for communication with the registry, if
we have some sort of KT/CT approach where all the registries would need to
be colluding in order to provide a false view to specific clients. Though
it seems useful to still recommend that registry interactions happen on an
unlinkable transport in addition to any additional protections we might
have for split views/different keys.

On Tue, Aug 4, 2020 at 9:44 AM Ben Schwartz <bemasc@google.com> wrote:

> On Tue, Aug 4, 2020 at 9:21 AM Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:
>
>> Note the proposal I describe below **is not** intended to solve the
>> unlinkable transport problem. It is a mechanism to detect when malicious
>> registries/servers publish different keys to different users.
>>
> Do we have to assume an unlinkable transport anyway, in order for Privacy
> Pass to work at all?  (It seems like the answer may be yes, at least with
> respect to Verifiers.)
>
> If we have an unlinkable transport, can a malicious+colluding registry
> publish different keys to different users without generating a fatal
> mismatch?  (This might depend on the details of our unlinkability
> assumptions.)
>
> Are you proposing a layered-defense model, where we require unlinkable
> transport and also add defenses against a transport privacy break?
>
>> Clearly Privacy Pass shouldn't try to provide an unlinkable transport;
>> there are already existing tools for that, like Tor.
>> ------------------------------
>> *From:* Steven Valdez <svaldez@google.com>
>> *Sent:* Tuesday, August 4, 2020 1:07:00 AM
>> *To:* Chelsea Komlo
>> *Cc:* Ben Schwartz; Chelsea Komlo; privacy-pass@ietf.org
>> *Subject:* Re: [Privacy-pass] Detecting malicious registries/servers
>>
>> I don't think the Privacy Pass drafts can really solve the unlinkable
>> communication problem, and shouldn't focus on it besides listing it as a
>> requirement. Depending on the use case/caller, communicating with the
>> Issuer/Redeemer in an unlinkable way could involve making completely
>> disconnected TLS/HTTP connections, dropping all state (some sort of
>> anonymous mode), changing request patterns so they can't be time
>> correlated, etc.
>>
>> PrivacyPass can make the protocol robust against unlinkability based on
>> the contents of protocol messages, but solving unlinkability based on the
>> transport seems outside of the PrivacyPass scope, though listing the
>> requirements that would be maintained could be useful for use cases built
>> on top of Privacy Pass.
>>
>> On Mon, Aug 3, 2020 at 6:14 PM Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:
>>
>>> It seems there was a slight miscommunication with the point I was trying
>>> to make during the meeting, so I'll clarify.
>>>
>>>
>>> I am strongly in favor of making the protocol as robust as possible,
>>> while being transparent about what risks cannot be mitigated in certain
>>> settings (such as servers building a lookup table).
>>>
>>>
>>> Placing the burden on implementations to figure out how to ensure the
>>> primary use case of the protocol- unlinkability- is counterintuitive to me.
>>>
>>>
>>>
>>>
>>> ------------------------------
>>> *From:* Privacy-pass <privacy-pass-bounces@ietf.org> on behalf of Ben
>>> Schwartz <bemasc=40google.com@dmarc.ietf.org>
>>> *Sent:* Monday, August 3, 2020 9:59:59 AM
>>> *To:* Chelsea Komlo
>>> *Cc:* privacy-pass@ietf.org
>>> *Subject:* Re: [Privacy-pass] Detecting malicious registries/servers
>>>
>>> I found your and Richard's comment during the meeting particularly
>>> insightful on this point: we should clarify the assumptions Privacy Pass
>>> has to make about the intrinsic identifiability of client requests.  For
>>> example, if Privacy Pass necessarily assumes that the Client's connections
>>> to Verifiers are unlinkable, then perhaps we can simply declare that the
>>> Client's connections to Registries must be similarly unlinkable.
>>>
>>> The mechanism for ensuring that unlinkability might be out of scope for
>>> us, but we would need to describe the requirements for it.
>>>
>>> On Mon, Aug 3, 2020 at 5:16 PM Chelsea Komlo <chelsea.komlo@gmail.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> One question that has been raised is how clients can detect registry or
>>>> server misbehavior. One particular concern is the possibility that
>>>> registries or servers can perform targeted attacks by publishing different
>>>> keys to specific users without detection (resulting in a small anonymity
>>>> set).
>>>>
>>>> While client-side gossip protocols or use of anonymity networks give
>>>> the client an option to detect such targeted attacks, these options are not
>>>> necessarily generalizable.
>>>>
>>>> However, I think if we introduce the assumption that *at least one*
>>>> registry is acting honestly, then this problem may be easier to solve.
>>>>
>>>> Registries just need to add an additional capability to query other
>>>> registries on behalf of a client (if the client specifies this in their
>>>> request). In doing so, they can act as a one-hop proxy for the client. If
>>>> clients perform these requests periodically through a series of
>>>> randomly-chosen registries, they should eventually be able to detect
>>>> misbehavior, assuming one of the registries is acting honestly.
>>>>
>>>> Chris Wood pointed out to me that the above approach may have false
>>>> positives when a server rotates their key, so adding some kind of
>>>> "suspected" and "failed state" with retries might help get around such edge
>>>> cases.
>>>>
>>>> Thanks,
>>>> Chelsea
>>>> --
>>>> Privacy-pass mailing list
>>>> Privacy-pass@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>>
>>> --
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>
>>
>>
>> --
>>
>> Steven Valdez |  Chrome Privacy Sandbox |  svaldez@google.com |
>> 210-692-4742 <(210)%20692-4742>
>>
>

-- 

Steven Valdez |  Chrome Privacy Sandbox |  svaldez@google.com |
 210-692-4742

v2.23.0 | Report a Bug | By Email