IETF Logo Mail Archive

Re: [Privacy-pass] Detecting malicious registries/servers

Chelsea Komlo <ckomlo@uwaterloo.ca> Tue, 04 August 2020 14:19 UTC

Return-Path: <ckomlo@uwaterloo.ca>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0631F3A0917 for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 07:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=uwaterloo.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbgBou3juRD4 for <privacy-pass@ietfa.amsl.com>; Tue, 4 Aug 2020 07:19:02 -0700 (PDT)
Received: from phage7.uwaterloo.ca (phage7.uwaterloo.ca [129.97.128.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2B563A0907 for <privacy-pass@ietf.org>; Tue, 4 Aug 2020 07:19:01 -0700 (PDT)
Received: from pps.filterd (phage7.uwaterloo.ca [127.0.0.1]) by phage7.uwaterloo.ca (8.16.0.42/8.16.0.42) with SMTP id 074EEsaa005681; Tue, 4 Aug 2020 10:18:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uwaterloo.ca; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=default; bh=GjPa6k56Fbayp/Weh5L2AyAXsObCIQWcZ2DHrMKK8Bc=; b=fF6VVrRJbuZ3vVJXo1v4tjdvk1dE0k31KW8CR0/sDLLcCVL/oBbScFfVb9v2BIhBqw/Q MyO+Lbv+L6B7kFQIsSjtU92orEQDzdO1aGbwedQ5VdL5/set5+m3pQR3FmLonE8cWBWw n2TxdUv3OUnECm630XlGKGREhtnCecTiXKw=
Received: from connhm03.connect.uwaterloo.ca (connhm03.connect.uwaterloo.ca [172.16.137.67]) by phage7.uwaterloo.ca with ESMTP id 32pem86dhh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Tue, 04 Aug 2020 10:18:58 -0400
Received: from connhm02.connect.uwaterloo.ca (172.16.137.66) by connhm03.connect.uwaterloo.ca (172.16.137.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Tue, 4 Aug 2020 10:18:58 -0400
Received: from connhm02.connect.uwaterloo.ca ([fe80::dcfc:7fe1:3d27:382b]) by connhm02.connect.uwaterloo.ca ([fe80::dcfc:7fe1:3d27:382b%18]) with mapi id 15.01.1913.010; Tue, 4 Aug 2020 10:18:58 -0400
From: Chelsea Komlo <ckomlo@uwaterloo.ca>
To: Steven Valdez <svaldez@google.com>, Ben Schwartz <bemasc@google.com>
CC: Chelsea Komlo <chelsea.komlo@gmail.com>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Thread-Topic: [Privacy-pass] Detecting malicious registries/servers
Thread-Index: AQHWadtPDlQdKaELq0qF74YGGyZJ1qknMjOA//++Iq2AAT9JAP//vSY2gABNXYCAAAKbgP//vj50
Date: Tue, 04 Aug 2020 14:18:58 +0000
Message-ID: <dc21a02f093f4ae0ad3c873d1ff039f6@uwaterloo.ca>
References: <CAJoqpT+U9QAHqncX0Aj2yWRaNRBgqE4ZG4k7Yx7xHtevsQ8EVA@mail.gmail.com> <CAHbrMsD9RtVS+zLscxvDJrynzDsuogEpdWqvBJRJVg2czkC+xg@mail.gmail.com> <a54fe9678b294cc49835ca642a098ba1@uwaterloo.ca> <CANduzxDg2Rvy8j7kAsNJ9QaX6Qaa7EFT08WfjVHwoB3Up7+btA@mail.gmail.com> <456cf7d9a35d4ec38c12ca34b8119dc0@uwaterloo.ca> <CAHbrMsAoFi5yKH1ctKgkQmFyR8ffmGA2Nj=Uu=M6zf9q7DnrGg@mail.gmail.com>, <CANduzxBMA2qtBC8VBvUymHfFRKzeLb7ab1FL5eLBDCpobpQ2nw@mail.gmail.com>
In-Reply-To: <CANduzxBMA2qtBC8VBvUymHfFRKzeLb7ab1FL5eLBDCpobpQ2nw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [184.167.121.104]
Content-Type: multipart/alternative; boundary="_000_dc21a02f093f4ae0ad3c873d1ff039f6uwaterlooca_"
MIME-Version: 1.0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 adultscore=0 impostorscore=0 clxscore=1011 bulkscore=0 spamscore=0 priorityscore=1501 phishscore=0 lowpriorityscore=0 malwarescore=0 mlxlogscore=999 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008040107
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/Wk1AOGi39mBf3mXP8kQnF-BpAso>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 14:19:05 -0000

It is fair to recommend use of an unlinkable transport, as this ensures building a lookup table for tokens/IP addresses will not result in useful information to the verifier. This transport could be as strong as Tor or as weak as a VPN/proxy [1].


The scenario I described below--where a malicious registry/issuer publishes different keys to different users to create a smaller anonymity set--is completely independent to the transport used. Clients need some mechanism to verify the keys they are given are the same as all other clients, as this ensures their tokens are cryptographically indistinguishable to the verifier.


[1] https://github.com/bslassey/ip-blindness

________________________________
From: Steven Valdez <svaldez@google.com>
Sent: Tuesday, August 4, 2020 1:53:57 AM
To: Ben Schwartz
Cc: Chelsea Komlo; Chelsea Komlo; privacy-pass@ietf.org
Subject: Re: [Privacy-pass] Detecting malicious registries/servers

There at the very least needs to be an unlinkable transport between issuer/verifier connections, since otherwise you have immediate linkability there.

This may not be a hard requirement for communication with the registry, if we have some sort of KT/CT approach where all the registries would need to be colluding in order to provide a false view to specific clients. Though it seems useful to still recommend that registry interactions happen on an unlinkable transport in addition to any additional protections we might have for split views/different keys.

On Tue, Aug 4, 2020 at 9:44 AM Ben Schwartz <bemasc@google.com<mailto:bemasc@google.com>> wrote:
On Tue, Aug 4, 2020 at 9:21 AM Chelsea Komlo <ckomlo@uwaterloo.ca<mailto:ckomlo@uwaterloo.ca>> wrote:

Note the proposal I describe below **is not** intended to solve the unlinkable transport problem. It is a mechanism to detect when malicious registries/servers publish different keys to different users.

Do we have to assume an unlinkable transport anyway, in order for Privacy Pass to work at all?  (It seems like the answer may be yes, at least with respect to Verifiers.)

If we have an unlinkable transport, can a malicious+colluding registry publish different keys to different users without generating a fatal mismatch?  (This might depend on the details of our unlinkability assumptions.)

Are you proposing a layered-defense model, where we require unlinkable transport and also add defenses against a transport privacy break?

Clearly Privacy Pass shouldn't try to provide an unlinkable transport; there are already existing tools for that, like Tor.

________________________________
From: Steven Valdez <svaldez@google.com<mailto:svaldez@google.com>>
Sent: Tuesday, August 4, 2020 1:07:00 AM
To: Chelsea Komlo
Cc: Ben Schwartz; Chelsea Komlo; privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers

I don't think the Privacy Pass drafts can really solve the unlinkable communication problem, and shouldn't focus on it besides listing it as a requirement. Depending on the use case/caller, communicating with the Issuer/Redeemer in an unlinkable way could involve making completely disconnected TLS/HTTP connections, dropping all state (some sort of anonymous mode), changing request patterns so they can't be time correlated, etc.

PrivacyPass can make the protocol robust against unlinkability based on the contents of protocol messages, but solving unlinkability based on the transport seems outside of the PrivacyPass scope, though listing the requirements that would be maintained could be useful for use cases built on top of Privacy Pass.

On Mon, Aug 3, 2020 at 6:14 PM Chelsea Komlo <ckomlo@uwaterloo.ca<mailto:ckomlo@uwaterloo.ca>> wrote:

It seems there was a slight miscommunication with the point I was trying to make during the meeting, so I'll clarify.


I am strongly in favor of making the protocol as robust as possible, while being transparent about what risks cannot be mitigated in certain settings (such as servers building a lookup table).


Placing the burden on implementations to figure out how to ensure the primary use case of the protocol- unlinkability- is counterintuitive to me.




________________________________
From: Privacy-pass <privacy-pass-bounces@ietf.org<mailto:privacy-pass-bounces@ietf.org>> on behalf of Ben Schwartz <bemasc=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>>
Sent: Monday, August 3, 2020 9:59:59 AM
To: Chelsea Komlo
Cc: privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers

I found your and Richard's comment during the meeting particularly insightful on this point: we should clarify the assumptions Privacy Pass has to make about the intrinsic identifiability of client requests.  For example, if Privacy Pass necessarily assumes that the Client's connections to Verifiers are unlinkable, then perhaps we can simply declare that the Client's connections to Registries must be similarly unlinkable.

The mechanism for ensuring that unlinkability might be out of scope for us, but we would need to describe the requirements for it.

On Mon, Aug 3, 2020 at 5:16 PM Chelsea Komlo <chelsea.komlo@gmail.com<mailto:chelsea.komlo@gmail.com>> wrote:
Hi all,

One question that has been raised is how clients can detect registry or server misbehavior. One particular concern is the possibility that registries or servers can perform targeted attacks by publishing different keys to specific users without detection (resulting in a small anonymity set).

While client-side gossip protocols or use of anonymity networks give the client an option to detect such targeted attacks, these options are not necessarily generalizable.

However, I think if we introduce the assumption that *at least one* registry is acting honestly, then this problem may be easier to solve.

Registries just need to add an additional capability to query other registries on behalf of a client (if the client specifies this in their request). In doing so, they can act as a one-hop proxy for the client. If clients perform these requests periodically through a series of randomly-chosen registries, they should eventually be able to detect misbehavior, assuming one of the registries is acting honestly.

Chris Wood pointed out to me that the above approach may have false positives when a server rotates their key, so adding some kind of "suspected" and "failed state" with retries might help get around such edge cases.

Thanks,
Chelsea
--
Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass
--
Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass


--

Steven Valdez |  Chrome Privacy Sandbox |        svaldez@google.com<mailto:svaldez@google.com> |         210-692-4742<tel:(210)%20692-4742>


--

Steven Valdez |  Chrome Privacy Sandbox |        svaldez@google.com<mailto:svaldez@google.com> |         210-692-4742

v2.23.0 | Report a Bug | By Email