Strengthening Anonymous Communication via Passive Participation
Anonymous communication networks (ACNs) are basic building blocks for obtaining or exchanging data in a privacy-preserving manner. ACNs suffer from a bootstrapping problem: having few users leads to a small anonymity set, which renders the ACN unattractive. We propose a system, CoverUp, that tackles the bootstrapping problem for ACNs. The key idea is to draw in non-ACN users from a collaborating website to connect to an ACN after an informed consent via a JavaScript snippet, thereby triggering them to passively participate (as passive participants). CoverUp implements a privacy-preserving broadcast with a downlink rate of 10 to 50 Kbit/s that renders the traffic of these passive participants indistinguishable from active participants. If this broadcast is accessed via an ACN with a constant-rate traffic pattern, CoverUp contributes active participants with legitimate-looking traffic, thus helping in bootstrapping the ACN. To protect active participants from potentially incriminating broadcast-data, an additional application is needed to extract any information from CoverUp’s broadcast. The indistinguishability guarantee of CoverUp for broadcasts holds against global network-level attackers that control everything except for the user’s machine. In addition, as long as active participants do not change their surfing behavior on these websites due to CoverUp, they hide their participation time, i.e., do not leak the time at which they listen to the broadcast, which counters intersection and statistical disclosure attacks. As passive participation raises ethical and legal concerns for the collaborating websites and the participants, we discuss these concerns and describe how they can be addressed.
We extend CoverUp to bi-directional point-to-point communication (e.g., messengers) with an up- and downlink rate of 10 to 50 Kbit/s. Bi-directional CoverUp can offer users of ACNs with constant-rate traffic an additional entry point that hides their participation time (as above). The indistinguishability for bi-directional CoverUp requires the integrity of the JavaScript snippet, for which we introduce a trusted party. We give evidence that with a latency of 3 seconds (including the random delays) the timing leakage is undetectable, even after a year of continual observation. As long as the timing leakage is undetected, bi-directional CoverUp achieves the same properties as for broadcasts against network-level attackers that control everything except for the user’s machine and the trusted party.
This prototype implementation demonstrates both Message Feed (uni-directional) and Chat (bi-directional channel). The Message Feed works both with Mozilla Firefox and Chromium (or Google Chrome). However, the bi-directional channel (the messenger) works with Chromium only.
To get the prototype working, follow these steps:
"Settings → Extensions".
Use drag-and-drop to install the extension file (click on the extension file "secure_ext.crx" in your file browser, keep the mouse button pressed down, and drag it to the Chromium extension window, where you release the button). Now a data packet is downloaded. For this demo, we set the parameters according to the specification in our technical report. The iframe waits a random number of seconds, uniformly distributed in [1,5], before it dispatches the first request. After this, it periodically requests data again, at intervals uniformly distributed in [1,5] seconds. To read the feed or to use the bidirectional channel, you need to start the external application:
Now we provide step-by-step instructions to run the CoverUp external application. We divided the instructions into three sections: Message Feed, Messenger and Interactive Browsing.
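The iframe's request schedule described above (gaps uniformly distributed in [1,5] seconds) can be checked against recorded dispatch times with a Kolmogorov-Smirnov test. This is an added example, not code from the CoverUp project; the function names, the 0.001 false-alarm level and the sample timestamps are assumptions made for illustration.

```python
import random

LOW, HIGH = 1.0, 5.0   # delay bounds in seconds, from the demo parameters
EPS = 1e-9             # tolerance for floating-point noise in measured gaps

def uniform_cdf(x):
    """CDF of the uniform distribution on [LOW, HIGH]."""
    return min(1.0, max(0.0, (x - LOW) / (HIGH - LOW)))

def ks_statistic(gaps):
    """Kolmogorov-Smirnov distance between the gaps' empirical CDF and U[1,5]."""
    ordered = sorted(gaps)
    n = len(ordered)
    d = 0.0
    for i, x in enumerate(ordered):
        f = uniform_cdf(x)
        # The empirical CDF steps from i/n to (i+1)/n at x; check both sides.
        d = max(d, abs((i + 1) / n - f), abs(f - i / n))
    return d

def schedule_matches_spec(timestamps, coeff=1.95):
    """True if inter-request gaps are consistent with U[1,5].

    coeff / sqrt(n) is the asymptotic KS threshold; 1.95 corresponds to a
    false-alarm rate of about 0.001 (an assumption of this example).
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 30:
        raise ValueError("need at least 30 gaps for a meaningful test")
    if any(g < LOW - EPS or g > HIGH + EPS for g in gaps):
        return False  # a gap outside [1,5] cannot come from the stated schedule
    return ks_statistic(gaps) <= coeff / len(gaps) ** 0.5

def constructed_timestamps(n, draw):
    """Constructed sample: request times built from n calls to draw()."""
    times = [0.0]
    for _ in range(n):
        times.append(times[-1] + draw())
    return times

if __name__ == "__main__":
    rng = random.Random(2017)
    spec = constructed_timestamps(1000, lambda: rng.uniform(LOW, HIGH))
    fixed = constructed_timestamps(1000, lambda: 3.0)  # constant 3 s timer
    print("uniform schedule:", schedule_matches_spec(spec))
    print("fixed 3 s timer: ", schedule_matches_spec(fixed))
```

A timer with the right mean but the wrong distribution, such as a fixed 3-second interval, stays inside [1,5] and is only caught by the distribution test.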
After clicking "Select", a file dialog may appear if you have more than one Chrome profile on your system. In that case, choose the one which is currently active. You will see a file browser like this:
Both the chat application and interactive browsing depend on the Chromium browser extension. The communication between the application and the extension is executed via native messaging. This requires some initial setup: First, restart the External Java Application in the mode BROWSER_NATIVE_MESSAGE instead of BROWSER_CHROME. Second, install the required NativeMessaging files. To automate this process, go to settings → Native Messaging Setup. On Windows, this will prompt you to select the python.exe file. On Linux, you need Python installed (and accessible in a directory listed in the corresponding $PATH environment variable), which should be a part of the default configuration of most Linux distributions.
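Chrome and Chromium native messaging frames each message on the host's stdin/stdout as a 32-bit length in native byte order followed by UTF-8 JSON. The following is an added example of a host-side reader and writer for that framing, not CoverUp's own helper; the 1 MiB cap, the objects-only rule and the message fields in the demo are assumptions of this example.

```python
import io
import json
import struct

MAX_MESSAGE = 1024 * 1024  # cap enforced by this example in both directions

class FramingError(Exception):
    """Raised when the byte stream does not hold a well-formed message."""

def encode_message(obj):
    """Frame obj as uint32 length (native byte order) + UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE:
        raise FramingError("message too large")
    return struct.pack("=I", len(body)) + body

def _read_exact(stream, n):
    """Read exactly n bytes; pipes may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise FramingError("stream closed mid-message")
        buf += chunk
    return buf

def read_message(stream):
    """Read one framed message; return None on clean end of stream."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        header += _read_exact(stream, 4 - len(header))
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE:
        # Reject before allocating: the length field is untrusted input.
        raise FramingError(f"declared length {length} exceeds cap")
    body = _read_exact(stream, length)
    try:
        msg = json.loads(body.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise FramingError(f"malformed payload: {exc}") from exc
    if not isinstance(msg, dict):
        raise FramingError("expected a JSON object")
    return msg

if __name__ == "__main__":
    # Constructed message; the field names are hypothetical.
    wire = io.BytesIO(encode_message({"type": "chat", "text": "hello"}))
    print(read_message(wire))
```

In a real host the stream is `sys.stdin.buffer`, and replies are written to `sys.stdout.buffer` and flushed after each message.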
Go to the menu bar at the top, select "Cool stuff" → "Messenger"
Selecting the "Messenger" will open the chatting window.
To set up the chat, we first need to understand how the chat infrastructure works. Open the file APP_DATA, which is located where the NinjaPumpkin<platform>.jar is located. Navigate to the "chat" directory. "KeyFile.key" is already generated by the application; it is your credential, containing your public address, public key and private key. Keep this file secure. Without this file, any chat directed to you would be irrecoverable. Provide the public key to the people who want to send messages to you. "PkList.txt" is an empty file where you have to provide the public keys of the people you want to chat with. "LOGS" contains older chats in plain text as a backup.
This is a snapshot of "pkList.txt". The public keys generated by the CoverUp application are encoded in Base64 format. You can add a new public key by putting it into the text field named "remote public key" and pressing the button "Add Remote PK". Alternatively, you can add new public keys to the file "pkList.txt", each on a new line.
This is a snapshot of your key file in JSON format. address is your public address, sk and pk are your private and public key respectively. Keep this file as a backup in a separate location. You should give the pk to the people whom you want to chat with.
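A small audit of the two chat files described above: it checks that each line of pkList.txt is well-formed Base64 with no duplicates, and that the key file has the address, sk and pk fields and is not readable by other local users. This is an added example, not part of CoverUp; the function names and the sample contents are constructed, and no key length is checked because the page does not state one.

```python
import base64
import json
import os
import stat

def parse_pk_list(text):
    """Return (keys, problems) for pkList.txt content, one Base64 key per line."""
    keys, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines are ignored
        try:
            decoded = base64.b64decode(entry, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append((lineno, "not valid Base64"))
            continue
        if decoded in seen:
            problems.append((lineno, "duplicate key"))
            continue
        seen.add(decoded)
        keys.append(entry)
    return keys, problems

def audit_key_file(path):
    """Return a list of problems found in the JSON key file at path."""
    problems = []
    mode = os.stat(path).st_mode
    # The file holds the private key (sk) in plain JSON, so on POSIX systems
    # it should be accessible to its owner only.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is accessible to group or other users")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except ValueError:
        return problems + ["key file is not valid JSON"]
    if not isinstance(data, dict):
        return problems + ["key file is not a JSON object"]
    for field in ("address", "sk", "pk"):
        value = data.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"missing or empty field: {field}")
    return problems

if __name__ == "__main__":
    # Constructed pkList.txt content: line 2 is malformed, line 3 repeats line 1.
    sample = "QUJDREVGRw==\nnot base64!\nQUJDREVGRw==\nSElKS0xNTg==\n"
    print(parse_pk_list(sample))
```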
Now go to the chat application. There is a drop-down menu which lists all the public keys in your list, including unlisted public keys from which you received at least one chat. Switch to different addresses to record chat.
Select an address and write in the text box located at the bottom. As you write, the app also tracks how much you have written (marked at the top). Currently we send 512 characters in outgoing chat packets.
Hit the dispatch button. In case the browser extension is not running it will show you an error message.
First press the "Dump Table" button in the main window (second button from the right). This will save a copy of the fountain table in the CoverUp application's local storage for interactive browsing. Then go to the top menu button "Cool Stuff" → "Covert Browsing". For Mac OS X users, a separate jar file is provided for interactive browsing (download from here).
A new window will open which will invoke a native instance of the default web browser of the operating system you are using.
Click the button "Load Covert site Tree", which will load the covert site map (an overview of the interactive website delivered by the CoverUp server, in a tree-like data structure). The root node of the tree (ROOT) will appear on the panel right below the previously mentioned button.
Clicking on "ROOT" will expand the entire tree. In the test version we only kept 9 documents under the main directory which forms a single level tree. Note that on the first instance all the nodes will be colored as red which denotes that there are no interactive data available on the local storage of the CoverUp application installation.
Clicking on one of the nodes (marked in red) will add it to the list of requests to be dispatched, which is shown in the top right corner (highlighted).
You can also modify your selection of web pages by clicking the "Modify" button, which will bring up a new window where you can delete a web page request by clicking on it and selecting the "Delete" button.
After that press the "Dispatch" button which will communicate with the Chrome CoverUp extension and send the selected web page request. In case the chrome extension is not running, it may send an error message shown in the screen-shot.
When you start receiving interactive browsing data, you will see some of the red nodes turned black on the next startup of the browsing window. One such example is shown in the screen-shot.
Clicking on the node will render the page.