Anon-Pass: Practical Anonymous Subscriptions
Michael Z. Lee†, Alan M. Dunn†, Jonathan Katz*, Brent Waters†, Emmett Witchel†
† University of Texas at Austin, * University of Maryland
May 20, 2013

Media Subscriptions
Unlimited access subscriptions

Let’s build a service
Sharing Resistance (admission control)
[Diagram: clients present tokens 1234…, 2345… and 1234… to the music service; one access is marked X]

They are collecting information about you.

Anonymous Media
Unlinkability: accesses can’t be correlated
[Diagram: timeline with Song 1 and Song 2 accessed under tokens 1234… and 8720…]

Linked accesses could deanonymize users
The Netflix Prize dataset [Narayanan, Shmatikov 2008]
Social networks [Narayanan, Shmatikov 2009]
Access patterns for enough time could help deanonymize clients

But even if tokens are unlinkable…
[Diagram: tokens 1234… and 8720… shown alongside client IP addresses 128.83.122.105, 141.212.15.125 and 37.130.227.133]
We assume clients are using a network anonymity service

Straw Man
[Diagram: the Anonymous Music Service receives tokens 8720…, 1234…, 7964…, 1910…, 8739…, 2372…, 3141…]
Unlinkability but not sharing resistance

How do we get both?
Unlinkable Serial Transactions [Syverson et al. 1997]: sharing resistance, unlinkability, but needs unbounded storage
Anonymous Blacklisting Systems [Tsang et al. 2008]: sharing resistance, unlinkability, but computationally expensive

And also be practical?
Unlinkable Serial Transactions [Syverson et al. 1997]: sharing resistance, unlinkability, but needs unbounded storage
Anonymous Blacklisting Systems [Tsang et al. 2008]: sharing resistance, unlinkability, but computationally expensive
Anon-Pass: sharing resistance, unlinkability, and efficiency
Example: over 12,000 concurrent clients

How?
How is Anon-Pass built?
How is Anon-Pass used?
How does Anon-Pass perform?

How is it built?
Split up time into epochs
Each user has a unique token for an epoch
Each epoch allows a new, unpredictable token
[Diagram: timeline of epochs t–1, t, t+1, t+2; token 1234…]

How is it built?
Split up time into epochs
Each user has a unique token for an epoch
Each epoch allows a new, unpredictable token
Use a pseudorandom function (PRF)
[Diagram: timeline of epochs t–1, t, t+1, t+2; PRF(t) yields token 1234…]

High Level Protocols
Register: Get a blinded signature on a secret
Login: Prove the token used the signed secret (in zero knowledge)

Anonymous Music Service
[Diagram: timeline of epochs t–1, t, t+1, t+2; Song 1 and Song 2 accessed with PRF(t) = 1234… and PRF(t+2) = 8720…]

Anonymous Music Service
But songs don’t always fit in one epoch
[Diagram: timeline of epochs t–1, t, t+1, t+2; Song 1 spans several epochs, with tokens 1234…, 8720…, 5629… from PRF(t), PRF(t+1), PRF(t+2)]

Conditional Linkability
Anonymous Music Service
But songs don’t always fit in one epoch
And these accesses are implicitly linked
[Diagram: timeline of epochs t–1, t, t+1, t+2; tokens 1234…, 8720…, 5629…]

Accesses can be implicitly linked
The service knows when the same song is repeatedly accessed
Client is implicitly linked while accessing the same media
And unlinkability costs the service provider (and therefore harms the system)
[Example request sequence: Baby+0s, Baby+15s, Baby+30s, Baby+45s, Baby+60s, Baby+75s, Baby+90s, …]

Re-Up
Prove the current token and the next token are linked
Trades unlinkability for efficiency
But the client already lost unlinkability while accessing the same media
Our way of getting conditional linkability

Re-Up is more efficient
Login proves you should be allowed access
Login takes 10 expensive operations
Re-Up proves you logged in before
Re-Up takes only 2

Using Login and Re-Up
A client must Login to start a new song
And Re-Up to continue playing the same song
To be unlinkable again, the client must wait until the next epoch
[Diagram: timeline of epochs t–1, t, t+1, t+2 with two Re-Ups]

Epoch Lengths: Long vs. Short
A short epoch means less time to be unlinkable
And less delay between client actions
Happy Clients
A long epoch means fewer client requests
And lower server load
Happy Server
Choosing an epoch length depends on the service (e.g., 15 seconds for music, 5 minutes for movies)

Re-Up helps balance this tension
Short epochs mean less wait between unlinkable actions
Re-Up instead of Login reduces server load

And Anon-Pass is formally proven
Formal proof of security holds under the DDHI assumption
Formal proof of soundness holds under the LRSW assumption
Stated and proved in the paper

How could it be used?
Anonymous Music Streaming: music download over normal HTTP (15 second epoch)
Unlimited-use Subway Pass: NYC’s “unlimited” pass (6 minute epoch)
Account Proxy: multiplex accounts to news sites (1 minute epoch)

System Architecture
[Diagram: Client Application on my laptop; Application Server at the subscription service]

System Architecture
[Diagram: Client Application and User Agent on my laptop; Authentication Server and Application Server at the subscription service]

System Architecture
[Diagram: Client Application and User Agent on my laptop; Gateway and Application Server at the subscription service; Authentication Server as a 3rd party service]

User Agent
Purpose: minimize changes to client applications
Job: Create Login and Re-Up requests; keep the user secret secure
Modified VLC to anonymously stream (54 LoC)
No modifications to support browsers

Authentication Server
Purpose: enforce sharing resistance
Job: Verify tokens and token uniqueness; record active tokens
Runs on the service or as a 3rd party
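
The token bookkeeping this slide describes, combined with the Login and Re-Up rules from the earlier slides, as an added example that is not code from the talk or from Anon-Pass itself. It assumes HMAC-SHA256 as a stand-in PRF and does not model the blinded signature or the zero-knowledge proofs, so tokens are taken as well formed; `epoch_token`, `AuthServer` and the secrets are hypothetical names and constructed values.

```python
import hashlib
import hmac

def epoch_token(secret: bytes, epoch: int) -> str:
    # PRF_secret(epoch); HMAC-SHA256 is an assumed stand-in, not Anon-Pass's PRF.
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).hexdigest()

class AuthServer:
    """Hypothetical model: records the active tokens of each epoch.

    The zero-knowledge proofs that a token derives from a signed secret
    (Login) or is linked to the previous token (Re-Up) are NOT modelled.
    """
    def __init__(self):
        self.active = {}  # epoch -> set of tokens accepted for that epoch

    def login(self, epoch: int, token: str) -> bool:
        seen = self.active.setdefault(epoch, set())
        if token in seen:      # same secret already in use this epoch
            return False
        seen.add(token)
        return True

    def re_up(self, epoch: int, current: str, nxt: str) -> bool:
        # Only a client already admitted in `epoch` may extend into epoch + 1.
        if current not in self.active.get(epoch, set()):
            return False
        return self.login(epoch + 1, nxt)

def demo() -> dict:
    alice = b"constructed-secret-alice"   # constructed sample secrets
    bob = b"constructed-secret-bob"
    srv, t = AuthServer(), 100
    return {
        "first_login": srv.login(t, epoch_token(alice, t)),
        "shared_secret": srv.login(t, epoch_token(alice, t)),
        "other_user": srv.login(t, epoch_token(bob, t)),
        "re_up": srv.re_up(t, epoch_token(alice, t), epoch_token(alice, t + 1)),
        "login_during_re_up": srv.login(t + 1, epoch_token(alice, t + 1)),
        "re_up_without_login": srv.re_up(
            t + 1, epoch_token(bob, t + 1), epoch_token(bob, t + 2)),
        "next_free_epoch": srv.login(t + 2, epoch_token(alice, t + 2)),
        "tokens_differ": epoch_token(alice, t) != epoch_token(alice, t + 2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A second Login with the same secret in one epoch is refused because it produces the same token, while the token for a later epoch has no visible relation to the earlier one.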

Gateway
Purpose: enforce access control with minimal change to existing services
Job: Prevent unauthorized access and responses; remove verification from the critical path
Runs on the service as a front end server

Evaluation Environment
quad-core 2.66 GHz Intel Core 2 CPU
8 GB RAM
1 Gbps network
An HTC Evo 3D to evaluate the anonymous subway pass
10 client machines to evaluate the streaming music service

Crypto Cost
[Bar chart: cost in milliseconds (axis 0 to 10) for Login and Re-Up, split into Verify and Other; annotation: 7.8x faster]

Music Service Scaling
Used 10 client machines
HTTP server to stream music
15 second epoch
Add clients until we run out of resources

Music Service Scaling: Login Only vs. Anon-Pass
[Plot: % CPU over time for Anon-Pass and Login Only; annotations: 6,000 clients, steady 8,000 clients, 12,000 clients]

Anonymous Subway Pass
Problem: Need to rate limit between swipes
A long epoch can simulate that timeout
But sharing is still possible…
[Diagram: timeline of epochs t, t+1]

Anonymous Subway Pass
Solution: Login and Re-Up at the same time
Accesses during later epochs are linkable
[Diagram: timeline of epochs t–1, t, t+1, t+2; one access is marked X]

Anonymous Subway Pass
Implemented as an Android application
Clients Login and Re-Up twice (18 minute NYC policy)
Takes only 0.2 seconds (on an HTC Evo 3D)

Anon-Pass
Practical – efficient enough to scale
Flexible – works with different services
Deployable – minimizes service changes