encrypted messaging traceback for end-to-endtyagi/slides/tracing.pdfnirvan tyagi ian miers tom...
TRANSCRIPT
Traceback for End-to-End Encrypted Messaging
Nirvan Tyagi Ian Miers Tom Ristenpart
CCS 2019 1
Setting: End-to-end encrypted (E2EE) messaging
2
PlatformAlice Bob
Hello
Setting: End-to-end encrypted (E2EE) messaging
3
PlatformAlice Bob
Hello > 2 billion users
4
Problem: Viral forwarding of misinformation in E2EE messaging
5
Problem: Viral forwarding of misinformation in E2EE messaging
Content moderation for user-driven reports
6
User submits report Moderation decision based on content
Action taken on relevant parties
Content moderation for user-driven reports
7
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Content moderation for user-driven reports
8
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
Content moderation for user-driven reports
9
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
Report must provide enough information to execute the following steps
10
E2EE hides information useful for content moderation of misinformation
11
- Platform doesn’t see message content
Message content is encrypted!
E2EE hides information useful for content moderation of misinformation
12Message content is encrypted!
- Platform doesn’t see message content- Platform doesn’t see forwarding relationships
E2EE hides information useful for content moderation of misinformation
13
- Platform doesn’t see message content- Platform doesn’t see forwarding relationships
Message content is encrypted!
Forwarding traffic is muddled by other users and other messages
E2EE hides information useful for content moderation of misinformation
This work: Tracing in E2EE messaging
14
[TMR CCS’19]
User submits report Moderation decision based on content
Action taken on relevant parties
- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging
- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source
This work: Tracing in E2EE messaging
15
- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging
- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source
- Formal confidentiality and accountability security notions for tracing- Implementation and evaluation of practicality
[TMR CCS’19]
User submits report Moderation decision based on content
Action taken on relevant parties
Prior work: Abuse reporting in E2EE messaging
16
Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]
Prior work: Abuse reporting in E2EE messaging
17
!
User reports received message to platform
Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]
Prior work: Abuse reporting in E2EE messaging
18
Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]
!
User reports received message to platform
m
Prior work: Abuse reporting in E2EE messaging
19
!
User reports received message to platform
m
Platform learns message and sender, but nothing more about where message came from or where it reached
Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]
This work: Tracing in E2EE messaging
20
!
User reports received message to platform
[TMR CCS’19]
This work: Tracing in E2EE messaging
21
!
User reports received message to platform
- Two constructions for message tracing- Path traceback
[TMR CCS’19]
m
This work: Tracing in E2EE messaging
22
!
User reports received message to platform
- Two constructions for message tracing- Path traceback- Tree traceback
[TMR CCS’19]
m
23
Goal: Act like standard E2EE messaging before report
Before reportPlatform view: encrypted content and metadata (participants, length, and timing)
24
Goal: Act like standard E2EE messaging before report
25
Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send
Goal: Act like standard E2EE messaging before report
26
Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send
m
m
m
User shouldn’t learn forwarding info of received messages
Goal: Act like standard E2EE messaging before report
27
m
m
User shouldn’t learn forwarding info of received messages
m ?
Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send
Goal: Act like standard E2EE messaging before report
28
Goal: Reveal limited information after report
Goal: Reveal limited information after report
29
!m
After reportPlatform view: message content and forward links of traceback target (e.g. path, tree)
Goal: Report consists of accurate information
30
!m
31
!m
Trace accountabilityAn honest user cannot be framed for an action they didn’t perform
Goal: Report consists of accurate information
32
!m
Trace accountabilityAn honest user cannot be framed for an action they didn’t perform
Goal: Report consists of accurate information
Malicious user can partition trace, but will be blamed as source
33
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
34
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
mE2EE channel
35
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
mE2EE channel
- E2EE channel that is decoupled from message tracing
36
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB
mE2EE channel
- E2EE channel that is decoupled from message tracing- Unique per-message “tracing” key shared between communication partners
“tracing” key
37
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
- E2EE channel that is decoupled from message tracing- Unique per-message “tracing” key shared between communication partners
kAB
“tracing” key
38
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel kAB
kØ
“null pointer” key randomly generated
39
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
40
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
“encrypted pointer”
41
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
“encrypted pointer”PRF that is also CR
(e.g., HMAC)
42
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
idAB
43
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
idAB ctAB
Table stored on platform
kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
idAB
kAB
44
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
idAB
idAB
45
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
idAB
idAB
46
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
kAB
idAB
idAB
47
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
F(kBC , m)
kAB
idAB
idAB
48
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
idBC
F(kBC , m)
kAB
idAB
idAB
49
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
idBC
F(kBC , m)
Decrypt and dereference ctBC
kAB = Dec(kBC , ctBC)
kAB
idAB
idAB
50
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
idBC
F(kBC , m)
Decrypt and dereference ctBC
kAB = Dec(kBC , ctBC)F(kAB , m)
idAB
kAB
idAB
idAB
51
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
!kBC m
idBC
F(kBC , m)
Decrypt and dereference ctBC
kAB = Dec(kBC , ctBC)F(kAB , m)
idAB
Decrypt and dereference ctAB
kØ = Dec(kAB , ctAB)F(kØ , m) not in table
⇒ beginning of forward chain!
kAB
idAB
idAB
52
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
Small and fast to compute!idAB
idAB
53
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
Before reportPlatform view: Ciphertexts and PRF outputs without keysUser view: Keys without ciphertext
kAB
idAB
idAB
54
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
After reportPlatform view: Learns keys only for rows of trace
kAB
Before reportPlatform view: Ciphertexts and PRF outputs without keysUser view: Keys without ciphertext
ctAB
idBC ctBC
idAB
idAB
55
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
Trace accountabilityPointer “dereferences” are bound to a messageidAB
idAB
56
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB
Trace accountabilityPointer “dereferences” are bound to a messageidAB
idAB
57
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB!
Trace accountabilityPointer “dereferences” are bound to a message
k’ m’
idAB
idAB
58
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB!k’ m’
Trace accountabilityPointer “dereferences” are bound to a message
To break accountability, F(k’ , m’) must collide with idBC
idAB
idAB
Trace accountabilityPointer “dereferences” are bound to a message
59
Path tracebackIdea: Linked list of encrypted pointers
Alice Bob Charlie
kAB kAB
mE2EE channel
ctAB
Table stored on platform
ctBC = Enc(kBC , kAB)
m
idBC = F(kBC , m)
idBC ctBC
kBC kBC
idBC kØ
ctAB = Enc(kAB , kØ)
idAB = F(kAB , m)
kAB!
See paper for security proofs!
k’ m’
To break accountability, F(k’ , m’) must collide with idBC
idAB
idAB
60
Path tracebackIdea: Linked list of encrypted pointers
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
61
Path tracebackIdea: Linked list of encrypted pointers
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
62
Path tracebackIdea: Linked list of encrypted pointers
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformationNeed something more than path traceback!
63
Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers
Alice Bob Charlie
idBCidAB
64
Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers
Alice Bob Charlie
idBCidAB
“backward pointer”
65
Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers
Alice Bob Charlie
idBCidAB
“backward pointer”
“forward pointer”
66
Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers
Alice Bob Charlie
idBCidAB
Diane
idBD
…
“backward pointer”
“forward pointers”
67
Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers
Alice Bob Charlie
idBCidAB
Diane
idBD
…
“backward pointer”
“forward pointers”
See paper for full details of construction!(uses PRG and secret sharing)
68
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database
https://github.com/nirvantyagi/tracing
69
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database
- Fast (uses only efficient symmetric cryptography)- Client side: < 50 μs to generate and verify tracing tags- Server side: Traceback takes < 100 μs / message in trace
https://github.com/nirvantyagi/tracing
70
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database
- Fast (uses only efficient symmetric cryptography)- Client side: < 50 μs to generate and verify tracing tags- Server side: Traceback takes < 100 μs / message in trace
- Platform storage- Stores < 100B / message- 1 billion messages / day ⇒ ~ 2TB / month
- Reasonable to store most recent time period sliding window
https://github.com/nirvantyagi/tracing
71
Deployment considerationsCan tracing be abused to silence socially valuable content?
Future work: Policy and implementation to limit abuse of tracing
User submits report Moderation decision based on content
Action taken on relevant parties
72
Deployment considerations
Future work: Policy and implementation to limit abuse of tracing
User submits report Moderation decision based on content
Action taken on relevant parties
Threshold number of reports?
Tracing ability is only granted after moderation decision on
content is complete?
Can tracing be abused to silence socially valuable content?
73
Conclusion
https://github.com/nirvantyagi/tracing
- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging
- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source
- Formal confidentiality and accountability security notions for tracing- Implementation and evaluation of practicality