Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anonymity "Attacks" by Malicious Server #57

Open
felixlinker opened this issue Oct 8, 2024 · 1 comment
Open

Anonymity "Attacks" by Malicious Server #57

felixlinker opened this issue Oct 8, 2024 · 1 comment

Comments

@felixlinker
Copy link

felixlinker commented Oct 8, 2024
edited
Loading

Hi everyone,

During discussions with @lumaier today, I thought of a new "attack" against anonymity by a malicious server. I deliberately put "attack" in quotes because I think that you did not plan to provide security guarntees in the scenario that I am about to describe. The "attack" rather puts concrete limits to SecureDrop's security guarantees.

Scenario is the following. A source submits a ciphertext to server. This will include the ciphertext $c$, the encryption public-key $g^r$, and the fetching shared-secret $g^{fr}$. The server wants to learn who this ciphertext is intended for. What the server can now do is the following.

The server wants to test whether ciphertext $c$ was intended for the journalist with fetching key $g^{f'}$. Someone starts the message fetching protocol. The server samples two IDs $id_1$ and $id_2$. Then the server encrypts...

  • ... $id_1$ under $g^{fr}$ and sends the requesting party the corresponding ciphertext and $g^r$.
  • ... $id_2$ under $g^{xf'}$ for a fresh key $x$ and sends the requesting party the corresponding ciphertext and $g^x$.

If the server receives a request for both $id_1$ and $id_2$ it learns that $c$ was intended for the journalist identified by fetching key $g^{f'}$ (i.e., $f' = f$). I believe that this "attack" should scale very easily by submitting multiple IDs in style of $id_1$ and not just one.

As I said, I expect that you did not expect anonymity guarantees to hold when the server does not follow the message fetching protocol. Feel free to close this issue immediately! I just wanted to share our findings with you. Luca will certainly include this "attack" in his thesis, so you will find it documented elsewhere!
@lumaier
Copy link
Contributor

lumaier commented Oct 10, 2024

Maybe adding to it, that when linked to issue #56 (i.e., all parties should send the same number of messages), SecureDrop should enforce that all parties send $k+1$ messages (i.e., to all $k$ journalist and itself). This way, there is always a ciphertext intended for one of the journalists and one ciphertext for a source (for which the server doesn't know the fetching key).

With that, this attack is no issue. The server learns that a ciphertext is intended for a certain journalist. But its a priori knowledge was "one of the ciphertexts is intended for this journalist". Knowing which ciphertext should not be a problem...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@felixlinker @lumaier