Crypto-Book: Document leakage

Uploaded on


More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Document LeakageJohn Maheswaran
  • 2. Crypto-Book: integrating cryptographywith social networking• Initially investigated using Facebook as apublic key infrastructure• Implemented secure Facebook messagingusing public key cryptography• Later implemented secure Facebookmessaging using Boneh-Franklin identitybased encryption• Current and planned work investigates socialnetworking with anonymity networks
  • 3.
  • 4. Crypto-Book• Crypto-Book: Whistle blowing through socialnetworks• A system to allow users to leak documentanonymously• Integrated with Facebook• Conscript other users without their consentinto a group of potential sources
  • 5. Background• The internet facilitates wide scalewhistle blowing• Sites like WikiLeaks have receivedlarge amounts of press coverage• Major leaks include– Diplomatic cables– Iraq war documents and videos– Guantanamo Bay files
  • 6. The Problem• WikiLeaks faces two conflictingchallenges:– Want to preserve anonymity ofwhistle blowers– Need to verify credibility of leaks
  • 7. Protecting anonymity is critical• Bradley Manning, an armyintelligence analyst issuspected of leaking sensitiveinformation to WikiLeaks– Has been arrested and faces upto 52 years and could even facethe death penalty
  • 8. Leak verification• Also need to verify leak credibility• Ideally would like to know leak comes from acredible source• WikiLeaks currently manually verifies leaksusing traditional journalistic methods
  • 9. Crypto-Book• Aims to solve the problems of preservinganonymity whilst verifying source credibility• The document can be verified as coming fromone of N sources– but no one knows which one• Potential sources are linked to Facebookprofiles
  • 10. Crypto-Book – system flow• User logs in with Facebook• Authenticates with Crypto-Book serversthrough OAuth protocol• Whistle blower selects a group of otherFacebook profiles who will form theanonymity set• Crypto-Book obtains public keys for eachperson– Identity based or generate 1 key for each person
  • 11. Crypto-Book• Public keys sent to user, along with user’sprivate key• User signs document using linkable ringsignature• Signed document is sent through anonymitynetwork (Dissent or ToR)• Document is submitted to publication server
  • 12. Crypto-Book• Publication server collates leaks andperiodically publishes blocks of them– Mitigates intersection attacks• Publication server submits signed leakeddocument to WikiLeaks, and links to thedocument through Twitter
  • 13. Example use case• President Levin says growing CS studentnumbers has increased costs and has meantthat the CS department is no longereconomically viable• Levin decides that before he leaves office, hewill drastically downsize the CS department• Levin sends a confidential memo to all CSfaculty outlining the planned downsizing
  • 14. Example use case• Bryan Ford receives the memo and is outragedat the decision• To raise support against the plans, he wants tomake the information public• He is worried if he forwards it to the Yale DailyNews, he may be indentified as the source andhe might not get tenure
  • 15. Example use case• However if he anonymously leaks the email,people might not believe the story• He decides to use Crypto-Book to get theword out……
  • 16. Bryan wants to leak Levin’s memoCrypto-BookFacebookBryanlogs inOAuth authentication
  • 17. Choosing the anonymity setCrypto-BookFacebookBryanselects otherpotential sources’ FBprofiles to formanonymity setAvi’s, Joan’s andVladimir’s Facebookprofile IDs
  • 18. Bryan obtains keysCrypto-BookBryanAvi, Joan, Vladimirand Bryan’s publickeysBryan’s private keyGenerates key pair for each userusing identity based or othergeneration scheme
  • 19. Bryan signs and leaks memoBryan1. Creates a linkablering signature(LRS) using Avi,Joan, Vladimirand his own keys2. Signs Levin’smemo using LRS3. Submits signed documentto anonymity network
  • 20. Design option• May be able to use Deniable AnonymousGroup Authentication (DAGA) instead oflinkable ring signatures to provide forwardanonymity– Even if someone later hacks Bryan’s Facebookaccount, they cannot identify him as the source ofthe leak
  • 21. Memo sent to publication serverLeaked signed memoPublication serverPublication server waitsuntil it has several leakswith overlappinganonymity sets (tomitigate intersectionattacks)
  • 22. Document is made publicMultiple leakeddocumentsPublication serverOnce many leaks have beenreceived, publication serverpublishes them
  • 23. Outcome• Yalies see Levin’s memo on WikiLeaks or linked tofrom Twitter• Linkable ring signature allows people to verify theauthenticity of the leak– The memo came from either Vladimir, Bryan, Joan orAvi, so know the source is credible– But no one knows who exactly leaked it• Levin is annoyed that his memo was leaked, butcannot punish all four professors• In face of student protestation, Levin retracts hisplanned downsizing of the CS department
  • 24. SeeMail – the problem• Companies want to keep track of their sensitivedata• Want to mitigate data leaks, identify leak sourcesand track who data is leaked to• Average cost of a data leak at between $90 and$305 per lost record [Forrester Research]– legal representation, PR expenditure, costs to havesystems externally audited, loss of reputation andmonitoring credit reports of consumers if financialinformation is leaked
  • 25. SeeMail• Idea is to track when emails are read andforwarded using email beacons• Email beacons are unique images and eachtime one is loaded, it is logged
  • 26. SeeMail -
  • 27. SeeMail -
  • 28. Future work• Want to track IP addresses and geolocateusers• iPhones support display of iframes in emails– Hope to covertly extract more information fromuser– May be able to use Java script side channel attacksto see what other apps the user is running– May be able to extract GPS location of user whenthey read the email– Eventually hope to perform user study to see whatproportion of iPhone users we can extract privateinformation from
  • 29. Future work – Anti-SeeMail• SeeMail techniques may be misused byoppressive regimes to silence whistle blowers• Hope to look at ways to guard against emailtracking• Compare email objects with peers and cleanany potentially unsafe ones before leaking thedocument
  • 30. Future work – Anti-SeeMail• Want to look at Anti-SeeMail for webbrowsers– Have a pool of anonymous browsers that fetchweb pages and compare them– Clean out any user specific parts such as webbugs, tracking scripts, targeted ads– Then display cleaned version to the end user