IETF Logo Mail Archive

Re: [Privacy-pass] Detecting malicious registries/servers

Alex Davidson <adavidson@cloudflare.com> Mon, 10 August 2020 16:41 UTC

Return-Path: <adavidson@cloudflare.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0BA3A09E1 for <privacy-pass@ietfa.amsl.com>; Mon, 10 Aug 2020 09:41:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hGGtCcUTTCv for <privacy-pass@ietfa.amsl.com>; Mon, 10 Aug 2020 09:41:27 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 630863A09AC for <privacy-pass@ietf.org>; Mon, 10 Aug 2020 09:41:27 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id r2so8805185wrs.8 for <privacy-pass@ietf.org>; Mon, 10 Aug 2020 09:41:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=TmFYJBzI+Q61YFiX8YWDwJC0Vmx8TnSwBB+NCGf0hcE=; b=urIMcL4nxgR3oxW3j7T/1WOcY4bu7OHJ4FN9QBsSF4bDAXyFfGqTZ3uw3sf4PetVtG kv/G8KmQP4vTMuS0lH0+b4YIOrOn4DZREGuBG5A4+520yNT6RpGWXMe4yTKVMZzfL9PC X60paoIcucVgcbWsCDvs4KicSFsPNVs6va9PQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=TmFYJBzI+Q61YFiX8YWDwJC0Vmx8TnSwBB+NCGf0hcE=; b=g7mdEjqv/pAOEWMJAJ8nQJWm0DlFEiD0ID71btxabvxrOCu+IrFhymaMBpJPNGsLyG Zit/hUuA6SFeJcvzuSz8AYr5D3jZ8A6HRlhy5KuC8JOfVYkbmcz9jVYTYJ3jwUzUVwYN wGORMLppE8EvqLjj2WkcXTXQIkhCQp4ea9kgm37nxmEwS61KXu9zixDcQ7xBCSasHNSq E1kSRK5MzxADKENIEkUSERMsOSbNQ8SsZRp9Ms73ILHDIQ//vYf1smkehZBrqNmOv/H5 8LGCff+lwwtvA0Z5n56wylPhPILB5JOp8cwVXxUYxdnx2Z7nz5E1xYztwiSaO69yZPTP awLg==
X-Gm-Message-State: AOAM531Eu4UvW0n6YRvwiKfmbK0aLBEOE+Dx4z4+LJ3xNVKkmd6YTHVj GzkzdB+Z0S4/mUPoDzsdojAKww==
X-Google-Smtp-Source: ABdhPJwG3qeAGnwSAlav7XvuM1NNZTRHBqkAP72maKO0pnWle2G4bsGbJX7apjNV4pg30sE5/PqbPg==
X-Received: by 2002:a5d:6a4a:: with SMTP id t10mr2390798wrw.360.1597077685832; Mon, 10 Aug 2020 09:41:25 -0700 (PDT)
Received: from ?IPv6:2001:8a0:7ac8:f600:4183:ccb1:a4d:46d2? ([2001:8a0:7ac8:f600:4183:ccb1:a4d:46d2]) by smtp.gmail.com with ESMTPSA id z11sm20763043wrw.93.2020.08.10.09.41.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Aug 2020 09:41:25 -0700 (PDT)
From: Alex Davidson <adavidson@cloudflare.com>
Message-Id: <E7A49BFE-5D45-46AA-9300-E8DFF641639C@cloudflare.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_67F30274-FF71-4595-BC80-9B11B827377E"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Mon, 10 Aug 2020 17:41:16 +0100
In-Reply-To: <dc21a02f093f4ae0ad3c873d1ff039f6@uwaterloo.ca>
Cc: Steven Valdez <svaldez@google.com>, Ben Schwartz <bemasc@google.com>, Chelsea Komlo <chelsea.komlo@gmail.com>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
To: Chelsea Komlo <ckomlo@uwaterloo.ca>
References: <CAJoqpT+U9QAHqncX0Aj2yWRaNRBgqE4ZG4k7Yx7xHtevsQ8EVA@mail.gmail.com> <CAHbrMsD9RtVS+zLscxvDJrynzDsuogEpdWqvBJRJVg2czkC+xg@mail.gmail.com> <a54fe9678b294cc49835ca642a098ba1@uwaterloo.ca> <CANduzxDg2Rvy8j7kAsNJ9QaX6Qaa7EFT08WfjVHwoB3Up7+btA@mail.gmail.com> <456cf7d9a35d4ec38c12ca34b8119dc0@uwaterloo.ca> <CAHbrMsAoFi5yKH1ctKgkQmFyR8ffmGA2Nj=Uu=M6zf9q7DnrGg@mail.gmail.com> <CANduzxBMA2qtBC8VBvUymHfFRKzeLb7ab1FL5eLBDCpobpQ2nw@mail.gmail.com> <dc21a02f093f4ae0ad3c873d1ff039f6@uwaterloo.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/nL1oZZfSUD8YvgQuRGhBJLuO1Rs>
Subject: Re: [Privacy-pass] Detecting malicious registries/servers
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 16:41:30 -0000

Hi all,

I think this proposal makes sense as a general framework that we can recommend for auditing a server's key material. We’re currently (& deliberately) quite vague about how registries operate and do not define anything about how they interoperate, but I could see this recommendation added to the architecture doc as part of a general set of recommendations for auditing server misbehaviour. 

For instance, in Section 4 we could add a new subsection that covers auditing procedures for key material in registries, and describe this mechanism as a potential way of doing that. We could then update Section 7.3 to refer to this advice when describing potential methods for checking that the server is not fragmenting its key material for different clients. Would this make sense? 

Note, if we wanted to be more specific about this recommendation (or anything else) then we would probably have to go into more detail on the construction of the key management ecosystem itself. My opinion is that specifying the key management framework beyond what we currently have is beyond the scope of the WG, and thus something that we probably want to avoid. But I’m happy to hear differing opinions on this.

Thanks,
Alex

> On 4 Aug 2020, at 15:18, Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:
> 
> It is fair to recommend use of an unlinkable transport, as this ensures building a lookup table for tokens/IP addresses will not result in useful information to the verifier. This transport could be as strong as Tor or as weak as a VPN/proxy [1].
> 
> The scenario I described below--where a malicious registry/issuer publishes different keys to different users to create a smaller anonymity set--is completely independent to the transport used. Clients need some mechanism to verify the keys they are given are the same as all other clients, as this ensures their tokens are cryptographically indistinguishable to the verifier. 
> 
> [1] https://github.com/bslassey/ip-blindness <https://github.com/bslassey/ip-blindness>
> From: Steven Valdez <svaldez@google.com>
> Sent: Tuesday, August 4, 2020 1:53:57 AM
> To: Ben Schwartz
> Cc: Chelsea Komlo; Chelsea Komlo; privacy-pass@ietf.org
> Subject: Re: [Privacy-pass] Detecting malicious registries/servers
>  
> There at the very least needs to be an unlinkable transport between issuer/verifier connections, since otherwise you have immediate linkability there.
> 
> This may not be a hard requirement for communication with the registry, if we have some sort of KT/CT approach where all the registries would need to be colluding in order to provide a false view to specific clients. Though it seems useful to still recommend that registry interactions happen on an unlinkable transport in addition to any additional protections we might have for split views/different keys.
> 
> On Tue, Aug 4, 2020 at 9:44 AM Ben Schwartz <bemasc@google.com <mailto:bemasc@google.com>> wrote:
> On Tue, Aug 4, 2020 at 9:21 AM Chelsea Komlo <ckomlo@uwaterloo.ca <mailto:ckomlo@uwaterloo.ca>> wrote:
> Note the proposal I describe below **is not** intended to solve the unlinkable transport problem. It is a mechanism to detect when malicious registries/servers publish different keys to different users.
> Do we have to assume an unlinkable transport anyway, in order for Privacy Pass to work at all?  (It seems like the answer may be yes, at least with respect to Verifiers.)
> 
> If we have an unlinkable transport, can a malicious+colluding registry publish different keys to different users without generating a fatal mismatch?  (This might depend on the details of our unlinkability assumptions.)
> 
> Are you proposing a layered-defense model, where we require unlinkable transport and also add defenses against a transport privacy break?
> Clearly Privacy Pass shouldn't try to provide an unlinkable transport; there are already existing tools for that, like Tor.  
> From: Steven Valdez <svaldez@google.com <mailto:svaldez@google.com>>
> Sent: Tuesday, August 4, 2020 1:07:00 AM
> To: Chelsea Komlo
> Cc: Ben Schwartz; Chelsea Komlo; privacy-pass@ietf.org <mailto:privacy-pass@ietf..org>
> Subject: Re: [Privacy-pass] Detecting malicious registries/servers
>  
> I don't think the Privacy Pass drafts can really solve the unlinkable communication problem, and shouldn't focus on it besides listing it as a requirement. Depending on the use case/caller, communicating with the Issuer/Redeemer in an unlinkable way could involve making completely disconnected TLS/HTTP connections, dropping all state (some sort of anonymous mode), changing request patterns so they can't be time correlated, etc.
> 
> PrivacyPass can make the protocol robust against unlinkability based on the contents of protocol messages, but solving unlinkability based on the transport seems outside of the PrivacyPass scope, though listing the requirements that would be maintained could be useful for use cases built on top of Privacy Pass.
> 
> On Mon, Aug 3, 2020 at 6:14 PM Chelsea Komlo <ckomlo@uwaterloo.ca <mailto:ckomlo@uwaterloo.ca>> wrote:
> It seems there was a slight miscommunication with the point I was trying to make during the meeting, so I'll clarify. 
> 
> I am strongly in favor of making the protocol as robust as possible, while being transparent about what risks cannot be mitigated in certain settings (such as servers building a lookup table). 
> 
> Placing the burden on implementations to figure out how to ensure the primary use case of the protocol- unlinkability- is counterintuitive to me. 
> 
> 
> 
> From: Privacy-pass <privacy-pass-bounces@ietf.org <mailto:privacy-pass-bounces@ietf.org>> on behalf of Ben Schwartz <bemasc=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>>
> Sent: Monday, August 3, 2020 9:59:59 AM
> To: Chelsea Komlo
> Cc: privacy-pass@ietf.org <mailto:privacy-pass@ietf.org>
> Subject: Re: [Privacy-pass] Detecting malicious registries/servers
>  
> I found your and Richard's comment during the meeting particularly insightful on this point: we should clarify the assumptions Privacy Pass has to make about the intrinsic identifiability of client requests.  For example, if Privacy Pass necessarily assumes that the Client's connections to Verifiers are unlinkable, then perhaps we can simply declare that the Client's connections to Registries must be similarly unlinkable.
> 
> The mechanism for ensuring that unlinkability might be out of scope for us, but we would need to describe the requirements for it.
> 
> On Mon, Aug 3, 2020 at 5:16 PM Chelsea Komlo <chelsea.komlo@gmail.com <mailto:chelsea.komlo@gmail.com>> wrote:
> Hi all,
> 
> One question that has been raised is how clients can detect registry or server misbehavior. One particular concern is the possibility that registries or servers can perform targeted attacks by publishing different keys to specific users without detection (resulting in a small anonymity set). 
> 
> While client-side gossip protocols or use of anonymity networks give the client an option to detect such targeted attacks, these options are not necessarily generalizable. 
> 
> However, I think if we introduce the assumption that *at least one* registry is acting honestly, then this problem may be easier to solve. 
> 
> Registries just need to add an additional capability to query other registries on behalf of a client (if the client specifies this in their request). In doing so, they can act as a one-hop proxy for the client. If clients perform these requests periodically through a series of randomly-chosen registries, they should eventually be able to detect misbehavior, assuming one of the registries is acting honestly.  
> 
> Chris Wood pointed out to me that the above approach may have false positives when a server rotates their key, so adding some kind of "suspected" and "failed state" with retries might help get around such edge cases. 
> 
> Thanks,
> Chelsea
> -- 
> Privacy-pass mailing list
> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
> https://www.ietf.org/mailman/listinfo/privacy-pass <https://www.ietf.org/mailman/listinfo/privacy-pass>
> -- 
> Privacy-pass mailing list
> Privacy-pass@ietf.org <mailto:Privacy-pass@ietf.org>
> https://www.ietf.org/mailman/listinfo/privacy-pass <https://www.ietf.org/mailman/listinfo/privacy-pass>
> 
> 
> -- 
> 
> Steven Valdez |	 Chrome Privacy Sandbox |	 svaldez@google.com <mailto:svaldez@google.com> |	 210-692-4742 <tel:(210)%20692-4742>
> 
> -- 
> 
> Steven Valdez |	 Chrome Privacy Sandbox |	 svaldez@google.com <mailto:svaldez@google.com> |	 210-692-4742
> -- 
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email