IETF Logo Mail Archive

Re: [Privacy-pass] Detecting malicious registries/servers

Ben Schwartz <bemasc@google.com> Tue, 04 August 2020 13:44 UTC

Return-Path: <bemasc@google.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0953A0B74 for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 06:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hk8Ugxd8YYrW for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 06:44:51 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A258E3A0A5F for <privacy-pass@ietf.org>; Tue, 4 Aug 2020 06:44:50 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id f18so2240440wmc.0 for <privacy-pass@ietf.org>; Tue, 04 Aug 2020 06:44:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=luibdxb86z71VKq53lc9cGyO6awIiC56rhphmbAOa3E=; b=u6mmW4v4jqCJVipWK7MyZKTNc7dZO+HPYlIp6QN22iEXFGpwEPUZ5tPsEQSVUpffx8 ENxWOL1u52TUNwGn9gpEipkpLbN2I4F/n3485OT3rIEFfZLAqZAIJlWw72kAEyKzEhQM yYgXUTJWiFhHV2JTw2V8HY2OK8fp/ACdpdIiTaFZ4U8XRaHFdKTVU9R7f86RuMSR2t5x bKJC70+QHMP6eznu+KQOpgAgsimr1zcZum2dilkpY6qNwBVh9cAnKH0pyYozfSUrStRN GgUfi//m7Vpgf5q0GbfWItICTOlkMegtfrJWVx8XDvYP5zH10Zh7J2Db/2RQ/qVT2stw f8rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=luibdxb86z71VKq53lc9cGyO6awIiC56rhphmbAOa3E=; b=Otz5tjff/wJ6vMM5t5qHmX95NYSEASoWLP/4T66DOaUnCw19M0mOxcN3i04xw2QQ7x vibSxOP/e7yBiqLy47DzReZVCyz+EyfuP6eMKbH3/ENTxHxTNS0azFV4dy7Unl7D5Vgt niEreDHpbXefgdldW1E5Kc+04ht4QLC/1HcOpVRyB2uAQZ/guSR+76cb9k2/nMy4e0Re 589s7DYu7ysJvSh8R2O1NegtXdUhkyg71ZjQcZVWRHD/YTCoFYNP54bWdCdPqRPLkTd5 q/eVCMxfmQP73EHh8IGgwDIg2Qmq2KHke/lOEduiIShxSVL0Ri7Ps6ftW/xLkXV9AHpY MdWg==
X-Gm-Message-State: AOAM530zsbipAUrwz+SP++5kXmaL2eb8ltgIsw5tH/NNSXd9ckKaRjfJ tVqvZjIS3g6Jwb4GCZpAypKJHZ87pzKzY3Irv/p7ZNdZ
X-Google-Smtp-Source: ABdhPJwwGpbZLfLaFCytr6EgDBZkRnEkk04yliD/sNG++rbnFIRzj6Yi1NTrMrSFfwJclnhrPyzRVJkY83bwSdAlYRU=
X-Received: by 2002:a7b:c219:: with SMTP id x25mr4144595wmi.101.1596548688828; Tue, 04 Aug 2020 06:44:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAJoqpT+U9QAHqncX0Aj2yWRaNRBgqE4ZG4k7Yx7xHtevsQ8EVA@mail.gmail.com> <CAHbrMsD9RtVS+zLscxvDJrynzDsuogEpdWqvBJRJVg2czkC+xg@mail.gmail.com> <a54fe9678b294cc49835ca642a098ba1@uwaterloo.ca> <CANduzxDg2Rvy8j7kAsNJ9QaX6Qaa7EFT08WfjVHwoB3Up7+btA@mail.gmail.com> <456cf7d9a35d4ec38c12ca34b8119dc0@uwaterloo.ca>
In-Reply-To: <456cf7d9a35d4ec38c12ca34b8119dc0@uwaterloo.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 04 Aug 2020 09:44:37 -0400
Message-ID: <CAHbrMsAoFi5yKH1ctKgkQmFyR8ffmGA2Nj=Uu=M6zf9q7DnrGg@mail.gmail.com>
To: Chelsea Komlo <ckomlo@uwaterloo.ca>
Cc: Steven Valdez <svaldez@google.com>, Chelsea Komlo <chelsea.komlo@gmail.com>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000007dd41f05ac0d753a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/BPm8CjLf3w4jgfSzjootpkR2WGo>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 13:44:52 -0000

On Tue, Aug 4, 2020 at 9:21 AM Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:

> Note the proposal I describe below **is not** intended to solve the
> unlinkable transport problem. It is a mechanism to detect when malicious
> registries/servers publish different keys to different users.
>
Do we have to assume an unlinkable transport anyway, in order for Privacy
Pass to work at all?  (It seems like the answer may be yes, at least with
respect to Verifiers.)

If we have an unlinkable transport, can a malicious+colluding registry
publish different keys to different users without generating a fatal
mismatch?  (This might depend on the details of our unlinkability
assumptions.)

Are you proposing a layered-defense model, where we require unlinkable
transport and also add defenses against a transport privacy break?

> Clearly Privacy Pass shouldn't try to provide an unlinkable transport;
> there are already existing tools for that, like Tor.
> ------------------------------
> *From:* Steven Valdez <svaldez@google.com>
> *Sent:* Tuesday, August 4, 2020 1:07:00 AM
> *To:* Chelsea Komlo
> *Cc:* Ben Schwartz; Chelsea Komlo; privacy-pass@ietf.org
> *Subject:* Re: [Privacy-pass] Detecting malicious registries/servers
>
> I don't think the Privacy Pass drafts can really solve the unlinkable
> communication problem, and shouldn't focus on it besides listing it as a
> requirement. Depending on the use case/caller, communicating with the
> Issuer/Redeemer in an unlinkable way could involve making completely
> disconnected TLS/HTTP connections, dropping all state (some sort of
> anonymous mode), changing request patterns so they can't be time
> correlated, etc.
>
> PrivacyPass can make the protocol robust against unlinkability based on
> the contents of protocol messages, but solving unlinkability based on the
> transport seems outside of the PrivacyPass scope, though listing the
> requirements that would be maintained could be useful for use cases built
> on top of Privacy Pass.
>
> On Mon, Aug 3, 2020 at 6:14 PM Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:
>
>> It seems there was a slight miscommunication with the point I was trying
>> to make during the meeting, so I'll clarify.
>>
>>
>> I am strongly in favor of making the protocol as robust as possible,
>> while being transparent about what risks cannot be mitigated in certain
>> settings (such as servers building a lookup table).
>>
>>
>> Placing the burden on implementations to figure out how to ensure the
>> primary use case of the protocol- unlinkability- is counterintuitive to me.
>>
>>
>>
>>
>> ------------------------------
>> *From:* Privacy-pass <privacy-pass-bounces@ietf.org> on behalf of Ben
>> Schwartz <bemasc=40google.com@dmarc.ietf.org>
>> *Sent:* Monday, August 3, 2020 9:59:59 AM
>> *To:* Chelsea Komlo
>> *Cc:* privacy-pass@ietf.org
>> *Subject:* Re: [Privacy-pass] Detecting malicious registries/servers
>>
>> I found your and Richard's comment during the meeting particularly
>> insightful on this point: we should clarify the assumptions Privacy Pass
>> has to make about the intrinsic identifiability of client requests.  For
>> example, if Privacy Pass necessarily assumes that the Client's connections
>> to Verifiers are unlinkable, then perhaps we can simply declare that the
>> Client's connections to Registries must be similarly unlinkable.
>>
>> The mechanism for ensuring that unlinkability might be out of scope for
>> us, but we would need to describe the requirements for it.
>>
>> On Mon, Aug 3, 2020 at 5:16 PM Chelsea Komlo <chelsea.komlo@gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> One question that has been raised is how clients can detect registry or
>>> server misbehavior. One particular concern is the possibility that
>>> registries or servers can perform targeted attacks by publishing different
>>> keys to specific users without detection (resulting in a small anonymity
>>> set).
>>>
>>> While client-side gossip protocols or use of anonymity networks give the
>>> client an option to detect such targeted attacks, these options are not
>>> necessarily generalizable.
>>>
>>> However, I think if we introduce the assumption that *at least one*
>>> registry is acting honestly, then this problem may be easier to solve.
>>>
>>> Registries just need to add an additional capability to query other
>>> registries on behalf of a client (if the client specifies this in their
>>> request). In doing so, they can act as a one-hop proxy for the client. If
>>> clients perform these requests periodically through a series of
>>> randomly-chosen registries, they should eventually be able to detect
>>> misbehavior, assuming one of the registries is acting honestly.
>>>
>>> Chris Wood pointed out to me that the above approach may have false
>>> positives when a server rotates their key, so adding some kind of
>>> "suspected" and "failed state" with retries might help get around such edge
>>> cases.
>>>
>>> Thanks,
>>> Chelsea
>>> --
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>>
>> --
>> Privacy-pass mailing list
>> Privacy-pass@ietf.org
>> https://www.ietf.org/mailman/listinfo/privacy-pass
>>
>
>
> --
>
> Steven Valdez |  Chrome Privacy Sandbox |  svaldez@google.com |
> 210-692-4742 <(210)%20692-4742>
>

v2.23.0 | Report a Bug | By Email