SlideShare une entreprise Scribd logo

Where’s Wally? How to Privately Discover your Friends on the Internet

Panagiotis Papadopoulos
Panagiotis Papadopoulos

Internet friends who would like to connect with each other (e.g., VoIP, chat) use point-to-point communication applications such as Skype or WhatsApp. Apart from providing the necessary communication channel, these applications also facilitate contact discovery, where users upload their address-book and learn the network address of their friends. Although handy, this discovery process comes with a significant privacy cost: users are forced to reveal to the service provider every person they are socially connected with, even if they do not ever communicate with them through the app. In this paper, we show that it is possible to implement a scalable User Discovery service, without requiring any centralized entity that users have to blindly trust. Specifically, we distribute the maintenance of the users’ contact information, and allow their friends to query for it, just as they normally query the network for machine services. We implement our approach in PROUD: a distributed privacy-preserving User Discovery service, which capitalizes on DNS. The prevalence of DNS makes PROUD immediately applicable, able to scale to millions of users. Preliminary evaluation shows that PROUD provides competitive performance for all practical purposes, imposing an overhead of less than 0.3 sec per operation.

Sciences
1  sur  26
Télécharger pour lire hors ligne
Where’s Wally? How to Privately Discover your Friends on the Internet Panagiotis Papadopoulos University of Crete & FORTH-ICS, Greece Antonios A. Chariton University of Crete Elias Athanasopoulos University of Cyprus Evangelos P. Markatos FORTH-ICS
Real-time communication
The growth of real-time communication Source: visualcapitalist.com
How does it work? Step 1: User Discovery Alice wants to talk to Bob Central Directory Server
How does it work? Step 2: Point-to-point secure connection establishment Alice wants to talk to Bob Central Directory Server "No Woman, No Cry" "Hello Bob"
Hey! Wait a minute!
Mobile Instant Messaging (MIM) apps • All contemporary MIM applications leverage the phone’s address-book • Frequently checks for newly registered with the app friends
Privacy of the social graph Step 1: User Discovery Alice wants to talk to Bob Central Directory Server Bob +82-2-312-3456 Charlie +82-2-378-9012 David +82-2-334-5678 Alice is friend with Bob, Charlie and David But, I am not even a WhatsApp user! Bob Charlie David Charlie gets his telephone number and his social connection with Alice leaked to an app that he does not use!
The cost of “free” MIM apps (1/2) Contact list Tel. number Current IP Bob +82-2-312-3456 216.3.128.12 Charlie +82-2-378-9012 (not a WhatsApp user) David +82-2-334-5678 136.79.128.22 Alice’s friends: Cost: • Relinquish the privacy of your social graph App provider can - reconstruct a global social topology (i.e., who is socially associated with whom) - Infer interests, political beliefs, sexual preferences* Such user info can then be sold to advertisers or handed over to agencies * C. Jernigan and B. F. Mistree. Gaydar: Facebook friendships expose sexual orientation. First Monday, 14(10), 2009.
The cost of “free” MIM apps (2/2) Even if service provider is benign: • Concentration of important data lures attackers, resulting in data breaches • Bad design or bad maintenance may leak information (e.g., Skype’s famous user IP leak*) *R. Naraine, “Skype leaking user IP addresses, TCP ports”, https://www.zdnet.com/article/skype-leaking-user- ip-addresses-tcp-ports/, 2012
Is it possible to build a User Discovery service, without revealing the user’s social graph?
In this paper • We decouple the User Discovery operation from the communication app. • 1 User Discovery service to cover all related needs of user (VoIP app, file sharing app, etc.) • Users maintain their own User-to-IP mappings • Delegate trust among users (only friends can read these mappings) App 2 Directory Server App 1
Objectives • A key-value datastore • Existing system Immediately applicable • Scalable Support increased load • Distributed management No single maintaining entity
Don’t we use such a discovery system on the web too? How do you know the Network Address of www.cnn.com before fetching it? The DNS!
Our Approach: PROUD (PRivacy-preservation Of User Discovery)
Our Approach: PROUD • PROUD: a scalable privacy-preserving user discovery service 1. enables users to control their current network address without relying on any centralized infrastructure 2. allows users to find the network addresses of their friends without revealing their social associations. 3. Thus goals are: a. protect both data (user’s current IP address) b. and metadata (who queries for whom).
PROUD in a nutshell • Distributed directory service • One dead-drop (key-value) per friendship • Alice does not query for the entire address book but for the particular user’s dead-drop • Simple Set/Get operations • 2 non-colluding nodes Resolvers and Registration nodes
Dead-drop • DNS type TXT record • Index: o R: pseudorandom number generator (Periodic change -> Forward Secrecy to Alice’s queries) o SE: seed that Alice and Bob know üR(SE).example.com • Payload: a) EpubA(K): Session key b) EK(IPB): IP of Bob encrypted with the Session key c) SprivB(H(EK(IPBT))): Timestamped and Signed payload üEpubA(K) | EK(IPB) | SprivB(H(EK(IPBT)))
App 2 PROUD example "No Woman, No Cry" "Hello Bob" Set friendship dead-drop Get friendship dead-drop Authoritative Nameserver (Registration node) Local DNS Resolver (Resolver node)
Performance Evaluation
Performance Evaluation: Latency • Execution time per set friendship operations • Latency overhead <0.35 sec on average per operation due to cryptographic computations
Performance Evaluation: Scalability It takes <3.5 seconds and around 0.3 KBps for Bob to update a large address book of 500 users.
Conclusion • We decouple User Discovery from MIM applications • PROUD: a scalable privacy-preserving user discovery service • protects both üdata (user’s current IP address) üand metadata (who queries for whom). • Leverage existing DNS network • minimal bandwidth requirements • practically negligible latency to the user experience (<0.35sec/operation)
Backup slides
Users behind NAT? • NAT hole punching • Like what Skype was doing back in its p2p days • IPv6 • Current metrics put IPv6 at a minimum of 20% global adoption, and local uses (within a country) to over 50%. http://www.h-online.com/security/features/How-Skype-Co-get-round-firewalls-747197.htm
Client Server model vIn some apps, users may communicate through an intermediate server with their friends vUser Discovery is still needed: • In iMessage a user has to first retrieve friend’s public key from Apple’s Directory Server • In WhatsApp and Messenger, the client uploads at registration time ütheir public Identity key and üa batch of public One-Time Pre keys to a centralized server in order for any friend to initiate a secure conversation.

Recommandé

Latoya b powerpointskype1
Latoya b powerpointskype1Latoya b powerpointskype1
Latoya b powerpointskype1toysz
 
SDN for Reliable Process Protocol
SDN for Reliable Process ProtocolSDN for Reliable Process Protocol
SDN for Reliable Process ProtocolUS-Ignite
 
Mobile reporting for iPhone, Android and BlackBerry
Mobile reporting for iPhone, Android and BlackBerryMobile reporting for iPhone, Android and BlackBerry
Mobile reporting for iPhone, Android and BlackBerryJulia Thompson
 
Carrier pigeon presentation
Carrier pigeon presentationCarrier pigeon presentation
Carrier pigeon presentationZx MYS
 
Mobile messaging white paper (ReturnPath) - NOV11
Mobile messaging white paper (ReturnPath) - NOV11Mobile messaging white paper (ReturnPath) - NOV11
Mobile messaging white paper (ReturnPath) - NOV11Retelur Marketing
 
Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015kingsBSD
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 

Recommandé

Latoya b powerpointskype1
Latoya b powerpointskype1Latoya b powerpointskype1
Latoya b powerpointskype1toysz
 
SDN for Reliable Process Protocol
SDN for Reliable Process ProtocolSDN for Reliable Process Protocol
SDN for Reliable Process ProtocolUS-Ignite
 
Mobile reporting for iPhone, Android and BlackBerry
Mobile reporting for iPhone, Android and BlackBerryMobile reporting for iPhone, Android and BlackBerry
Mobile reporting for iPhone, Android and BlackBerryJulia Thompson
 
Carrier pigeon presentation
Carrier pigeon presentationCarrier pigeon presentation
Carrier pigeon presentationZx MYS
 
Mobile messaging white paper (ReturnPath) - NOV11
Mobile messaging white paper (ReturnPath) - NOV11Mobile messaging white paper (ReturnPath) - NOV11
Mobile messaging white paper (ReturnPath) - NOV11Retelur Marketing
 
Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015Our Data Ourselves, Pydata 2015
Our Data Ourselves, Pydata 2015kingsBSD
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Danger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureDanger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureTechWell
 
Baabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojosephBaabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojosephJijo Joseph
 
Basic Internet_Baabtra.com template
Basic Internet_Baabtra.com templateBasic Internet_Baabtra.com template
Basic Internet_Baabtra.com templateJijo Joseph
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected ProductsJordan Husney
 
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)Giles Greenway
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Web APIs: The future of software
Web APIs: The future of softwareWeb APIs: The future of software
Web APIs: The future of softwareReuven Lerner
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010Twilio Inc
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy
 
2016 05 sanger
2016 05 sanger2016 05 sanger
2016 05 sangerChris Dwan
 
GatelessVPN technology pitch
GatelessVPN technology pitchGatelessVPN technology pitch
GatelessVPN technology pitchGVNetworks
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
All About Internet Services
All About Internet ServicesAll About Internet Services
All About Internet ServicesVarun
 
Meetic Backend Mutation With Symfony
Meetic Backend Mutation With SymfonyMeetic Backend Mutation With Symfony
Meetic Backend Mutation With SymfonymeeticTech
 
Basic computers for DIU laptop project students
Basic computers for DIU laptop project studentsBasic computers for DIU laptop project students
Basic computers for DIU laptop project studentsAlauddin Azad
 
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWebSeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWebProcessOne
 
Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int... Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int...Panagiotis Papadopoulos
 
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...Panagiotis Papadopoulos
 

Contenu connexe

Similaire à Where’s Wally? How to Privately Discover your Friends on the Internet

Danger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureDanger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureTechWell
 
Baabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojosephBaabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojosephJijo Joseph
 
Basic Internet_Baabtra.com template
Basic Internet_Baabtra.com templateBasic Internet_Baabtra.com template
Basic Internet_Baabtra.com templateJijo Joseph
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected ProductsJordan Husney
 
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)Giles Greenway
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Web APIs: The future of software
Web APIs: The future of softwareWeb APIs: The future of software
Web APIs: The future of softwareReuven Lerner
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010Twilio Inc
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy
 
2016 05 sanger
2016 05 sanger2016 05 sanger
2016 05 sangerChris Dwan
 
GatelessVPN technology pitch
GatelessVPN technology pitchGatelessVPN technology pitch
GatelessVPN technology pitchGVNetworks
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
All About Internet Services
All About Internet ServicesAll About Internet Services
All About Internet ServicesVarun
 
Meetic Backend Mutation With Symfony
Meetic Backend Mutation With SymfonyMeetic Backend Mutation With Symfony
Meetic Backend Mutation With SymfonymeeticTech
 
Basic computers for DIU laptop project students
Basic computers for DIU laptop project studentsBasic computers for DIU laptop project students
Basic computers for DIU laptop project studentsAlauddin Azad
 
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWebSeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWebProcessOne
 

Similaire à Where’s Wally? How to Privately Discover your Friends on the Internet (20)

Danger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not SecureDanger! Danger! Your Mobile Applications Are Not Secure
Danger! Danger! Your Mobile Applications Are Not Secure
 
Baabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojosephBaabtra.com template_Basics about Internet_jijojoseph
Baabtra.com template_Basics about Internet_jijojoseph
 
Basic Internet_Baabtra.com template
Basic Internet_Baabtra.com templateBasic Internet_Baabtra.com template
Basic Internet_Baabtra.com template
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected Products
 
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
Our Data, Ourselves: The Data Democracy Deficit (EMF CAmp 2014)
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Web APIs: The future of software
Web APIs: The future of softwareWeb APIs: The future of software
Web APIs: The future of software
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010Building A Great API - Evan Cooke, Cloudstock, December 2010
Building A Great API - Evan Cooke, Cloudstock, December 2010
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
2016 05 sanger
2016 05 sanger2016 05 sanger
2016 05 sanger
 
GatelessVPN technology pitch
GatelessVPN technology pitchGatelessVPN technology pitch
GatelessVPN technology pitch
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
All About Internet Services
All About Internet ServicesAll About Internet Services
All About Internet Services
 
Meetic Backend Mutation With Symfony
Meetic Backend Mutation With SymfonyMeetic Backend Mutation With Symfony
Meetic Backend Mutation With Symfony
 
Basic computers for DIU laptop project students
Basic computers for DIU laptop project studentsBasic computers for DIU laptop project students
Basic computers for DIU laptop project students
 
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWebSeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
SeaBeyond 2011 ProcessOne - Diana Cheng: OneSocialWeb
 

Plus de Panagiotis Papadopoulos

Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int... Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int...Panagiotis Papadopoulos
 
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...Panagiotis Papadopoulos
 
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...Panagiotis Papadopoulos
 
Is privacy possible without Anonymity? The case for microblogging services
Is privacy possible without Anonymity? The case for microblogging servicesIs privacy possible without Anonymity? The case for microblogging services
Is privacy possible without Anonymity? The case for microblogging servicesPanagiotis Papadopoulos
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Panagiotis Papadopoulos
 
The Cost of Digital Advertisement: Comparing User and Advertiser Views
The Cost of Digital Advertisement: Comparing User and Advertiser ViewsThe Cost of Digital Advertisement: Comparing User and Advertiser Views
The Cost of Digital Advertisement: Comparing User and Advertiser ViewsPanagiotis Papadopoulos
 
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN session
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN sessionExclusive: How the (synced) Cookie Monster breached my encrypted VPN session
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN sessionPanagiotis Papadopoulos
 
0pass: Zero-storage Password Management Based on Password Reminders
0pass: Zero-storage Password Management Based on Password Reminders0pass: Zero-storage Password Management Based on Password Reminders
0pass: Zero-storage Password Management Based on Password RemindersPanagiotis Papadopoulos
 
If you are not paying for it, you are the product: How much do advertisers p...
If you are not paying for it, you are the product: How much do advertisers p... If you are not paying for it, you are the product: How much do advertisers p...
If you are not paying for it, you are the product: How much do advertisers p...Panagiotis Papadopoulos
 
MAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionMAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionPanagiotis Papadopoulos
 
Cassandra Consistency: Tradeoffs and Limitations
Cassandra Consistency: Tradeoffs and LimitationsCassandra Consistency: Tradeoffs and Limitations
Cassandra Consistency: Tradeoffs and LimitationsPanagiotis Papadopoulos
 

Plus de Panagiotis Papadopoulos (11)

Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int... Keeping out the Masses: Understanding the Popularity and Implications of Int...
Keeping out the Masses: Understanding the Popularity and Implications of Int...
 
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of...
 
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...
Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid ...
 
Is privacy possible without Anonymity? The case for microblogging services
Is privacy possible without Anonymity? The case for microblogging servicesIs privacy possible without Anonymity? The case for microblogging services
Is privacy possible without Anonymity? The case for microblogging services
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
 
The Cost of Digital Advertisement: Comparing User and Advertiser Views
The Cost of Digital Advertisement: Comparing User and Advertiser ViewsThe Cost of Digital Advertisement: Comparing User and Advertiser Views
The Cost of Digital Advertisement: Comparing User and Advertiser Views
 
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN session
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN sessionExclusive: How the (synced) Cookie Monster breached my encrypted VPN session
Exclusive: How the (synced) Cookie Monster breached my encrypted VPN session
 
0pass: Zero-storage Password Management Based on Password Reminders
0pass: Zero-storage Password Management Based on Password Reminders0pass: Zero-storage Password Management Based on Password Reminders
0pass: Zero-storage Password Management Based on Password Reminders
 
If you are not paying for it, you are the product: How much do advertisers p...
If you are not paying for it, you are the product: How much do advertisers p... If you are not paying for it, you are the product: How much do advertisers p...
If you are not paying for it, you are the product: How much do advertisers p...
 
MAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionMAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack Detection
 
Cassandra Consistency: Tradeoffs and Limitations
Cassandra Consistency: Tradeoffs and LimitationsCassandra Consistency: Tradeoffs and Limitations
Cassandra Consistency: Tradeoffs and Limitations
 

Dernier

Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...ssifa0344
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsAArockiyaNisha
 
Chromatin Structure | EUCHROMATIN | HETEROCHROMATIN
Chromatin Structure | EUCHROMATIN | HETEROCHROMATINChromatin Structure | EUCHROMATIN | HETEROCHROMATIN
Chromatin Structure | EUCHROMATIN | HETEROCHROMATINsankalpkumarsahoo174
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfrohankumarsinghrore1
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Lokesh Kothari
 
fundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyfundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyDrAnita Sharma
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)PraveenaKalaiselvan1
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxgindu3009
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPirithiRaju
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTSérgio Sacani
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Sérgio Sacani
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )aarthirajkumar25
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPirithiRaju
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)Areesha Ahmad
 

Dernier (20)

Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based Nanomaterials
 
Chromatin Structure | EUCHROMATIN | HETEROCHROMATIN
Chromatin Structure | EUCHROMATIN | HETEROCHROMATINChromatin Structure | EUCHROMATIN | HETEROCHROMATIN
Chromatin Structure | EUCHROMATIN | HETEROCHROMATIN
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
fundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyfundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomology
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 

Where’s Wally? How to Privately Discover your Friends on the Internet

  • 1. Where’s Wally? How to Privately Discover your Friends on the Internet Panagiotis Papadopoulos University of Crete & FORTH-ICS, Greece Antonios A. Chariton University of Crete Elias Athanasopoulos University of Cyprus Evangelos P. Markatos FORTH-ICS
  • 3. The growth of real-time communication Source: visualcapitalist.com
  • 4. How does it work? Step 1: User Discovery Alice wants to talk to Bob Central Directory Server
  • 5. How does it work? Step 2: Point-to-point secure connection establishment Alice wants to talk to Bob Central Directory Server "No Woman, No Cry" "Hello Bob"
  • 6. Hey! Wait a minute!
  • 7. Mobile Instant Messaging (MIM) apps • All contemporary MIM applications leverage the phone’s address-book • Frequently checks for newly registered with the app friends
  • 8. Privacy of the social graph Step 1: User Discovery Alice wants to talk to Bob Central Directory Server Bob +82-2-312-3456 Charlie +82-2-378-9012 David +82-2-334-5678 Alice is friend with Bob, Charlie and David But, I am not even a WhatsApp user! Bob Charlie David Charlie gets his telephone number and his social connection with Alice leaked to an app that he does not use!
  • 9. The cost of “free” MIM apps (1/2) Contact list Tel. number Current IP Bob +82-2-312-3456 216.3.128.12 Charlie +82-2-378-9012 (not a WhatsApp user) David +82-2-334-5678 136.79.128.22 Alice’s friends: Cost: • Relinquish the privacy of your social graph App provider can - reconstruct a global social topology (i.e., who is socially associated with whom) - Infer interests, political beliefs, sexual preferences* Such user info can then be sold to advertisers or handed over to agencies * C. Jernigan and B. F. Mistree. Gaydar: Facebook friendships expose sexual orientation. First Monday, 14(10), 2009.
  • 10. The cost of “free” MIM apps (2/2) Even if service provider is benign: • Concentration of important data lures attackers, resulting in data breaches • Bad design or bad maintenance may leak information (e.g., Skype’s famous user IP leak*) *R. Naraine, “Skype leaking user IP addresses, TCP ports”, https://www.zdnet.com/article/skype-leaking-user- ip-addresses-tcp-ports/, 2012
  • 11. Is it possible to build a User Discovery service, without revealing the user’s social graph?
  • 12. In this paper • We decouple the User Discovery operation from the communication app. • 1 User Discovery service to cover all related needs of user (VoIP app, file sharing app, etc.) • Users maintain their own User-to-IP mappings • Delegate trust among users (only friends can read these mappings) App 2 Directory Server App 1
  • 13. Objectives • A key-value datastore • Existing system Immediately applicable • Scalable Support increased load • Distributed management No single maintaining entity
  • 14. Don’t we use such a discovery system on the web too? How do you know the Network Address of www.cnn.com before fetching it? The DNS!
  • 16. Our Approach: PROUD • PROUD: a scalable privacy-preserving user discovery service 1. enables users to control their current network address without relying on any centralized infrastructure 2. allows users to find the network addresses of their friends without revealing their social associations. 3. Thus goals are: a. protect both data (user’s current IP address) b. and metadata (who queries for whom).
  • 17. PROUD in a nutshell • Distributed directory service • One dead-drop (key-value) per friendship • Alice does not query for the entire address book but for the particular user’s dead-drop • Simple Set/Get operations • 2 non-colluding nodes Resolvers and Registration nodes
  • 18. Dead-drop • DNS type TXT record • Index: o R: pseudorandom number generator (Periodic change -> Forward Secrecy to Alice’s queries) o SE: seed that Alice and Bob know üR(SE).example.com • Payload: a) EpubA(K): Session key b) EK(IPB): IP of Bob encrypted with the Session key c) SprivB(H(EK(IPBT))): Timestamped and Signed payload üEpubA(K) | EK(IPB) | SprivB(H(EK(IPBT)))
  • 19. App 2 PROUD example "No Woman, No Cry" "Hello Bob" Set friendship dead-drop Get friendship dead-drop Authoritative Nameserver (Registration node) Local DNS Resolver (Resolver node)
  • 21. Performance Evaluation: Latency • Execution time per set friendship operations • Latency overhead <0.35 sec on average per operation due to cryptographic computations
  • 22. Performance Evaluation: Scalability It takes <3.5 seconds and around 0.3 KBps for Bob to update a large address book of 500 users.
  • 23. Conclusion • We decouple User Discovery from MIM applications • PROUD: a scalable privacy-preserving user discovery service • protects both üdata (user’s current IP address) üand metadata (who queries for whom). • Leverage existing DNS network • minimal bandwidth requirements • practically negligible latency to the user experience (<0.35sec/operation)
  • 25. Users behind NAT? • NAT hole punching • Like what Skype was doing back in its p2p days • IPv6 • Current metrics put IPv6 at a minimum of 20% global adoption, and local uses (within a country) to over 50%. http://www.h-online.com/security/features/How-Skype-Co-get-round-firewalls-747197.htm
  • 26. Client Server model vIn some apps, users may communicate through an intermediate server with their friends vUser Discovery is still needed: • In iMessage a user has to first retrieve friend’s public key from Apple’s Directory Server • In WhatsApp and Messenger, the client uploads at registration time ütheir public Identity key and üa batch of public One-Time Pre keys to a centralized server in order for any friend to initiate a secure conversation.