Document LeakageJohn Maheswaran
Crypto-Book: integrating cryptographywith social networking• Initially investigated using Facebook as apublic key infrastr...
www.crypto-book.com
Crypto-Book• Crypto-Book: Whistle blowing through socialnetworks• A system to allow users to leak documentanonymously• Int...
Background• The internet facilitates wide scalewhistle blowing• Sites like WikiLeaks have receivedlarge amounts of press c...
The Problem• WikiLeaks faces two conflictingchallenges:– Want to preserve anonymity ofwhistle blowers– Need to verify cred...
Protecting anonymity is critical• Bradley Manning, an armyintelligence analyst issuspected of leaking sensitiveinformation...
Leak verification• Also need to verify leak credibility• Ideally would like to know leak comes from acredible source• Wiki...
Crypto-Book• Aims to solve the problems of preservinganonymity whilst verifying source credibility• The document can be ve...
Crypto-Book – system flow• User logs in with Facebook• Authenticates with Crypto-Book serversthrough OAuth protocol• Whist...
Crypto-Book• Public keys sent to user, along with user’sprivate key• User signs document using linkable ringsignature• Sig...
Crypto-Book• Publication server collates leaks andperiodically publishes blocks of them– Mitigates intersection attacks• P...
Example use case• President Levin says growing CS studentnumbers has increased costs and has meantthat the CS department i...
Example use case• Bryan Ford receives the memo and is outragedat the decision• To raise support against the plans, he want...
Example use case• However if he anonymously leaks the email,people might not believe the story• He decides to use Crypto-B...
Bryan wants to leak Levin’s memoCrypto-BookFacebookBryanlogs inOAuth authentication
Choosing the anonymity setCrypto-BookFacebookBryanselects otherpotential sources’ FBprofiles to formanonymity setAvi’s, Jo...
Bryan obtains keysCrypto-BookBryanAvi, Joan, Vladimirand Bryan’s publickeysBryan’s private keyGenerates key pair for each ...
Bryan signs and leaks memoBryan1. Creates a linkablering signature(LRS) using Avi,Joan, Vladimirand his own keys2. Signs L...
Design option• May be able to use Deniable AnonymousGroup Authentication (DAGA) instead oflinkable ring signatures to prov...
Memo sent to publication serverLeaked signed memoPublication serverPublication server waitsuntil it has several leakswith ...
Document is made publicMultiple leakeddocumentsPublication serverOnce many leaks have beenreceived, publication serverpubl...
Outcome• Yalies see Levin’s memo on WikiLeaks or linked tofrom Twitter• Linkable ring signature allows people to verify th...
SeeMail – the problem• Companies want to keep track of their sensitivedata• Want to mitigate data leaks, identify leak sou...
SeeMail• Idea is to track when emails are read andforwarded using email beacons• Email beacons are unique images and eacht...
SeeMail - www.seemail.me
SeeMail - www.seemail.me
Future work• Want to track IP addresses and geolocateusers• iPhones support display of iframes in emails– Hope to covertly...
Future work – Anti-SeeMail• SeeMail techniques may be misused byoppressive regimes to silence whistle blowers• Hope to loo...
Future work – Anti-SeeMail• Want to look at Anti-SeeMail for webbrowsers– Have a pool of anonymous browsers that fetchweb ...
Upcoming SlideShare
Loading in …5
×

Crypto-Book: Document leakage

7,242 views

Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Crypto-Book: Document leakage

  1. 1. Document LeakageJohn Maheswaran
  2. 2. Crypto-Book: integrating cryptographywith social networking• Initially investigated using Facebook as apublic key infrastructure• Implemented secure Facebook messagingusing public key cryptography• Later implemented secure Facebookmessaging using Boneh-Franklin identitybased encryption• Current and planned work investigates socialnetworking with anonymity networks
  3. 3. www.crypto-book.com
  4. 4. Crypto-Book• Crypto-Book: Whistle blowing through socialnetworks• A system to allow users to leak documentanonymously• Integrated with Facebook• Conscript other users without their consentinto a group of potential sources
  5. 5. Background• The internet facilitates wide scalewhistle blowing• Sites like WikiLeaks have receivedlarge amounts of press coverage• Major leaks include– Diplomatic cables– Iraq war documents and videos– Guantanamo Bay files
  6. 6. The Problem• WikiLeaks faces two conflictingchallenges:– Want to preserve anonymity ofwhistle blowers– Need to verify credibility of leaks
  7. 7. Protecting anonymity is critical• Bradley Manning, an armyintelligence analyst issuspected of leaking sensitiveinformation to WikiLeaks– Has been arrested and faces upto 52 years and could even facethe death penalty
  8. 8. Leak verification• Also need to verify leak credibility• Ideally would like to know leak comes from acredible source• WikiLeaks currently manually verifies leaksusing traditional journalistic methods
  9. 9. Crypto-Book• Aims to solve the problems of preservinganonymity whilst verifying source credibility• The document can be verified as coming fromone of N sources– but no one knows which one• Potential sources are linked to Facebookprofiles
  10. 10. Crypto-Book – system flow• User logs in with Facebook• Authenticates with Crypto-Book serversthrough OAuth protocol• Whistle blower selects a group of otherFacebook profiles who will form theanonymity set• Crypto-Book obtains public keys for eachperson– Identity based or generate 1 key for each person
  11. 11. Crypto-Book• Public keys sent to user, along with user’sprivate key• User signs document using linkable ringsignature• Signed document is sent through anonymitynetwork (Dissent or ToR)• Document is submitted to publication server
  12. 12. Crypto-Book• Publication server collates leaks andperiodically publishes blocks of them– Mitigates intersection attacks• Publication server submits signed leakeddocument to WikiLeaks, and links to thedocument through Twitter
  13. 13. Example use case• President Levin says growing CS studentnumbers has increased costs and has meantthat the CS department is no longereconomically viable• Levin decides that before he leaves office, hewill drastically downsize the CS department• Levin sends a confidential memo to all CSfaculty outlining the planned downsizing
  14. 14. Example use case• Bryan Ford receives the memo and is outragedat the decision• To raise support against the plans, he wants tomake the information public• He is worried if he forwards it to the Yale DailyNews, he may be indentified as the source andhe might not get tenure
  15. 15. Example use case• However if he anonymously leaks the email,people might not believe the story• He decides to use Crypto-Book to get theword out……
  16. 16. Bryan wants to leak Levin’s memoCrypto-BookFacebookBryanlogs inOAuth authentication
  17. 17. Choosing the anonymity setCrypto-BookFacebookBryanselects otherpotential sources’ FBprofiles to formanonymity setAvi’s, Joan’s andVladimir’s Facebookprofile IDs
  18. 18. Bryan obtains keysCrypto-BookBryanAvi, Joan, Vladimirand Bryan’s publickeysBryan’s private keyGenerates key pair for each userusing identity based or othergeneration scheme
  19. 19. Bryan signs and leaks memoBryan1. Creates a linkablering signature(LRS) using Avi,Joan, Vladimirand his own keys2. Signs Levin’smemo using LRS3. Submits signed documentto anonymity network
  20. 20. Design option• May be able to use Deniable AnonymousGroup Authentication (DAGA) instead oflinkable ring signatures to provide forwardanonymity– Even if someone later hacks Bryan’s Facebookaccount, they cannot identify him as the source ofthe leak
  21. 21. Memo sent to publication serverLeaked signed memoPublication serverPublication server waitsuntil it has several leakswith overlappinganonymity sets (tomitigate intersectionattacks)
  22. 22. Document is made publicMultiple leakeddocumentsPublication serverOnce many leaks have beenreceived, publication serverpublishes them
  23. 23. Outcome• Yalies see Levin’s memo on WikiLeaks or linked tofrom Twitter• Linkable ring signature allows people to verify theauthenticity of the leak– The memo came from either Vladimir, Bryan, Joan orAvi, so know the source is credible– But no one knows who exactly leaked it• Levin is annoyed that his memo was leaked, butcannot punish all four professors• In face of student protestation, Levin retracts hisplanned downsizing of the CS department
  24. 24. SeeMail – the problem• Companies want to keep track of their sensitivedata• Want to mitigate data leaks, identify leak sourcesand track who data is leaked to• Average cost of a data leak at between $90 and$305 per lost record [Forrester Research]– legal representation, PR expenditure, costs to havesystems externally audited, loss of reputation andmonitoring credit reports of consumers if financialinformation is leaked
  25. 25. SeeMail• Idea is to track when emails are read andforwarded using email beacons• Email beacons are unique images and eachtime one is loaded, it is logged
  26. 26. SeeMail - www.seemail.me
  27. 27. SeeMail - www.seemail.me
  28. 28. Future work• Want to track IP addresses and geolocateusers• iPhones support display of iframes in emails– Hope to covertly extract more information fromuser– May be able to use Java script side channel attacksto see what other apps the user is running– May be able to extract GPS location of user whenthey read the email– Eventually hope to perform user study to see whatproportion of iPhone users we can extract privateinformation from
  29. 29. Future work – Anti-SeeMail• SeeMail techniques may be misused byoppressive regimes to silence whistle blowers• Hope to look at ways to guard against emailtracking• Compare email objects with peers and cleanany potentially unsafe ones before leaking thedocument
  30. 30. Future work – Anti-SeeMail• Want to look at Anti-SeeMail for webbrowsers– Have a pool of anonymous browsers that fetchweb pages and compare them– Clean out any user specific parts such as webbugs, tracking scripts, targeted ads– Then display cleaned version to the end user

×