一般來說,加密簽名的消息是同時提供了不可否認性;也就是說,發送者在收到消息後不能否認發送了消息。西蒂姆(Citum)使用的是公鑰驗證器,它保證了可推諉性。任何收件人都可以偽造一個看起來就像聲稱的發件人所產生的信息,所以收件人不能讓第三方相信該信息確實是由發件人產生而不是由收件人偽造的。但是,收件人仍然可以防止第三方偽造。原因是,要進行這種偽造,需要收件人的私鑰。由於收件人自己會知道他是否使用了自己的私密金鑰來進行偽造,所以他可以肯定沒有第三者偽造訊息。
In general, cryptographically signed messages provide non-repudiation; i.e. the sender cannot deny having sent the message after it has been received. Citium uses public-key authenticators instead, which guarantee deniability. Any recipient can forge a message that will look just like it was actually generated by the purported sender, so the recipient cannot convince a third party that the message was really generated by the sender and not forged by the recipient. However, the recipient is still protected against forgeries by third parties. The reason is that in order to perform such a forgery, the private key of the recipient is needed. Since the recipient himself will know whether or not he has used his own private key for such a forgery, he can be sure that no third party could have forged the message.
不可否認性 是一個在資訊安全中廣泛使用的法律概念。它指的是任何訊息服務系統中,接訊者有充分的理由相信該訊息是由已知的發件人創建的(驗證性),並且該消息在傳輸過程中未發生更改(完整性)。換句話說,不可否認性使得系統用戶很難成功地抵賴消息的信息來自何者/何處、以及消息的真實性。留意,西蒂姆(Citum)不服務此需求。
Non-repudiation is a legal concept that is widely used in information security. It refers to any service, which gives a recipient a very strong reason to believe that the message was created by a known sender (authentication) and that the message was not altered in transit (integrity). In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity of that message. Note, Citium is not built for this.
實用價值
Practicality
從現實操作來說,很多人都希望獲得可推諉性的溝通辦法,尤其是那些雖然溝通內容合情合理但卻未必能倖免於被法庭傳召或被司法機構強迫作證的溝通內容,例如新聞記者與吹哨人之間的溝通內容,或高壓政權中的社運分子與律師之間的溝通內容。 西蒂姆(Citum)允許否認溝通過的信息曾存在過于任何的存儲介質,和允許模棱兩可化溝通過的信息。
當溝通雙方希望在一個帶有可推諉性訊息安全功能的系統上對話,發件人需要能夠合理地推諉他發送過的訊息,稱之為「發件人可推諉的方案」;預期收件人需要能夠合理地推諉他是被指定的預期收件人,稱之為「收件人可推諉的方案」。
In practice, deniable communication has been sought by users whose legitimate activities may not always be protected from subpoenas or legal coercion, e.g., journalists and whistleblowers, or lawyers and activists in repressive regimes. Citium allows for denying the existence of messages on any storage medium, and for equivocating those messages.
When two parties want to communicate on a system with deniability as one of the main infosec features, the sender of a message want to plausibly deny that he or she has sent that message, i.e., sender-deniable scheme; the intended recipient of a message wants to plausibly deny that he or she has received that message, i.e., receiver-deniable scheme.
將脅迫防範於未然
Preempt Coercion
西蒂姆(Citum)可否認性的設計原則不是要「說服」脅迫者溝通雙方繳出來的通話記錄都是真實的。 因為眾所周知通話記錄很容易被偽造。相反,我們的目標是 將脅迫防範於未然,讓脅逼者理解到在西蒂姆(Citum)上的通信記錄是枉費心機的。只要溝通雙方堅持按原定的措辭去說明溝通的辦法在西蒂姆(Citum)進行,讓脅逼者理解西蒂姆(Citum)的系統原理後,則不可能被脅逼者找到真實的溝通信息。
The purpose of deniability is not at all to “convince” the coercer that any surrendered transcript is real; indeed, it is common knowledge that transcript can easily be faked. Instead, the goal is to preempt coercion in the first place by making it useless. Parties who “stick to their stories” explaining to the coercer how Citium works can never be pinned down to the real message.
西蒂姆(Citum)中的「可推諉性」是通過三個訊息安全機制實現的:
Deniability in Citium is achieved through three InfoSec mechanisms:
- 無需准入許可
Permissionless - 可推諉驗證
Deniable Authentication - 分身馬甲帳號
Sockpuppetry
無需准入或許可 ✓
Permissionless ✓
西蒂姆(Citum)作為一個免費的、開源代碼的、完全去中心化的、無需准入許可的區塊鏈系統 的好處是 抗审查。沒人可被阻止在西蒂姆(Citum)上架設節點。節點的運營商,例如OTS即時聊天工具提供商(IMSP),可以向通過其西蒂姆(Citum)節點訪問的用戶宣傳自己的資料(例如,商業廣告內容)。發件人可以自由選擇IMSP的服務節點去中繼信息給預期收件人。任何兩個用戶(例如Alice和Bob)都可以隨時通過任何西蒂姆(Citum)的IMSP進行安全和可推諉的通訊而無需徵詢任何其他人的許可。但當然,任何一個西蒂姆(Citum)服務節點都有權拒絕服務或拒絕中繼涉嫌濫用服務的節點。完全取決於每個參與者的自由自決。無論從哪個網絡層面查看西蒂姆(Citum)的數據,所有數據看起來都是雷同的。沒有第三者(尤其是機器智能)可以確認數據是否被偽造或篡改了,因為每個人都可以偽造和篡改其他人的數據。簡而言之,除非另有明確證據說明,否則 所有數據均假定為未知來源(被偽造了)且不可信(被篡改過)。
The main benefit of Citium being a free, open-source, fully decentralized, permissionless blockchain is censorship-resistance. No one can be banned from running nodes. Operators of nodes (e.g. OTS Instant Messenger System Provider (IMSP)) may advertise their own material (e.g. commercial content) to the users who access Citium through their nodes. A sender is free to choose which IMSP’s service node to help relay his/her message to the intended recipient. Any two users (e.g. Alice & Bob) who decide to communicate securely and deniably may hop on any service nodes of Citium at any time without the need to ask for anyone else’s permission. But of course, service nodes are entitled not to serve or not to relay from questionably abusive nodes. It all depends on the self-determination of each participant. No matter from which network communication layer that one looks at Citium, all data look similar. No third party, especially machine intelligence, can tell if data has been forged or tampered with because everyone can forge or tamper with everyone else’s data. In principle, all data are assumed unknown origin (forged) and untrustworthy (tampered) until proven otherwise.
授權性 | Authorization ✓
西蒂姆(Citum)採取了 全網P2P關係模型,所以並沒更高或更低的服務權限之別。每個節點都有同等的權利和義務。所以,訊息安全漏洞,例如是 橫向權限提升 和 縱向權限提升,在西蒂姆(Citum)中都不可能存在。
Since Citium adopts a network-wide peer-to-peer (P2P) relationship model, there is no higher or lower privilege to access service. Every node is equal in rights and responsibilities. Thus, infosec exploits, such as horizontal privilege escalation and vertical privilege escalation, are impossible to exist in Citium.
從西蒂姆(Citum)世界觀: 為了打消惡意方窺探數據或抓住數據為把柄的念頭,西蒂姆(Citum)認為最佳的保安辦法就是公開地允許任何人都可以參與偽造和篡改數據,那麼便沒有任何一方能夠分辨數據真偽和是否有被偽造或篡改過的可能。
Citium’s Worldview: In order to discourage malicious parties from snooping data or holding data as evidence against others, Citium believes that the best security practice is to openly permit everyone to forge and tamper with data so that no party can possibly differentiate genuine from forged or tampered data.
可推諉身份驗證性 ✓
Deniable Authentication ✓
西蒂姆(Citum)採用了「可推諉驗證性」的機制。當兩個用戶(例如Alice和Bob)決定通過西蒂姆(Citum)通訊,他們必須首先成為西蒂姆(Citum)中彼此認證的用戶(“聯絡人”),具體辦法是通過 頻外秘鑰驗證(OOBA),防範了一切日後可能在西蒂姆(Citum)體系內發生的中間人攻擊。添加聯絡人這個認證行為也是唯一次時機他們倆(Alice和Bob)可以彼此確認身份。因為在此之後,即使在他們倆通信過程中,任何人都無法無可辯駁地證明他們兩個的聯絡人關係。
Citium uses deniable authentication mechanism. When two users (e.g. Alice and Bob) decide to communicate through Citium with each other, they have to become each other’s authenticated users (“Contacts”) in Citium from the outset — i.e. performing an out-of-band key authentication/verification, which eliminates all future possibility of man-in-the-middle attack (MITM) on Citium. This is the only moment in the authentication lifecycle that the two users know for sure that the communicating counterparty (Alice or Bob) is whom they believe to be. But after that, as ironic as it may sound, no one, not even the two users themselves, can irrefutably prove their authenticated Contact relationship even during the course of their communication.
儘管有上述特殊性,傳統而論的用戶身份驗證(即,毫無疑問地能明確辨識用戶)的功能是依然被保留了的,因為西蒂姆(Citum)的世界中的身份驗證不再僅由用戶帳戶作准,而是由每條密碼簽名的消息限制,因為任何兩個聯絡人(例如Alice) 和Bob彼此溝通,從一開始就已經完成頻外密鑰驗證(OOBA)。 驗證後,任何第三方都無法欺騙攻擊在Alice和Bob之間發送的郵件。 儘管Citium的「無需准入許可性」確實允許欺騙攻擊,但是可能出乎很多人意料之外,Bob自始至終可以正確識別從一開始就已通過身份驗證的Alice發送的加密限制消息,儘管許多其他用戶冒充Alice,並且Alice始終可以確定只有一個真實的Bob可以正確解密她發送的消息,儘管許多其他用戶都可以冒充Bob去試圖解密消息。
Despite what has just been said, the traditional sense of user authentication (i.e. irrefutably identifying a user) is still preserved because authentication in the Citium universe is no longer bounded by user account alone but by every cryptographically signed message. Any two communicating parties (i.e. the Contacts: Alice & Bob) who communicate with each other must perform out-of-band key authentication/verification (OOBA) from the outset. Once verified, messages sent between Alice and Bob cannot be spoofed by any third party. Although the permissionless nature of Citium dictates that no conventional measure (e.g., anti-spam techniques) is in place to prevent spoofing attack and phishing, perhaps counterintuitively to many, Citium is a pristine environment (i.e. spoof-free & spam-free) from the perspectives of Alice and Bob. Bob always can correctly identify the cryptographically bounded message sent from Alice whom he has authenticated from the outset in spite of many other users pretending to be Alice, and Alice can always be certain that only the one true Bob can correctly decrypt the messages she sends in spite of many other users pretending to be Bob trying to decrypt the message.
頻外秘鑰驗證
Out-of-Band Key Verification
如果 Alice 和 Bob 要成為聯絡人之前必須有一方首先發起頻外秘鑰驗證(OOBA)。假設 Alice 是「聯絡發起人」, Alice 向 Bob 發起 OOBA,她必須向 Bob 發送一個明文的 「好友邀請代碼」(FIC),如下所示:
In order for Alice and Bob to become Contacts, one has to initiate an out-of-band key authentication/verification (OOBA). Suppose Alice is the Contacts Initiator. Alice initiates an OOBA with Bob by sending Bob a Friend Invitation Code (FIC), which is a plaintext that looks like this:
{"MSG":"Hi, I'm Alice. This is a Friend Invitation Code (FIC). it is valid for 24 hours. ","APPNAME":"SEMAIL","NICKNAME":"e99bbbe885a6e6b8ace8a9a6","TID":"322","HOST":"68747470733a2f2f7777772e70616e676f3132332e6f7267","MAJOR":"03c86ebf41b02f379823173aafd7bd873efb9b59e06375dac7793342db8b3d9ee7","MINOR":"02307396c7f6ac576544991285b016283fbe2e08f5013f41cf984734ed2bfc814e","SIGNATURE":"304402204ddf9ae16a14dfc70c94c83eb6735419e4e8eb2019853c54336c9af84d425c480220394b6181eccb2df743f78f848f6f2ba9f153e6d5b2a3322e646f4f320666c85531"}
MSG 是友好的可讀文本,方便任何看到此消息的人了解其內容所屬意義。 APPNAME 默認為 “SEMAIL”,而它是一個標示與其他同樣使用了「安全數據傳輸協議」(SDTP)的應用兼容性。 NICKNAME 是 Alice 希望在該 FIC 中彰顯的個人暱稱的密文。TID 是 Alice 的服務節點用以辨識 Alice 的代號。 HOST 是Alice服務節點的主機或IP地址的密文。 MAJOR 和 MINOR ** 是兩個公鑰,MAJOR** 是給服務節點用於認證 Alice 的;而 MINOR 則試過用於授權他人留信息給 Alice 的。 SIGNATURE 是上述信息的數字簽名以確保它們的其完整性。
MSG is a friendly readable text for anyone who sees this message to know what it is about. APPNAME is “SEMAIL” by default. It signals compatibility with other services that use Safe Data Transfer Protocol (SDTP). NICKNAME is the ciphertext of the nickname that Alice wants to be known by whoever adds her through this FIC. TID is Alice’s corresponding identifier issued by her service node. HOST is the cyphertext of the host or IP address of Alice’s service node. MAJOR and MINOR are the two public keys. MAJOR the service node to authenticate Alice, and MINOR is used to authorize others to post her messages. SIGNATURE is the digital signature for all the above information to ensure their integrity.
可推諉性
Deniability
從西蒂姆(Citum)的聯絡人機制來說,Alice 可以只把 FIC 發給了 Bob,但她也可以發給其他人的,例如 Charlie 和 Chuck。只有 Alice 她自己才能完全確鑿地知道是否 Bob 一個人接收過 FIC 或其他都有接收過。換言之, Alice 甚至可能曾經把該 FIC 公開發佈過,相當於任何人都可以獲取該 FIC 然後留言給 Alice。
In the Citium Contacts mechanism, Alice can send the FIC not only to Bob but also to other people, such as Charlie and Chuck. Only Alice herself knows for sure if it is Bob being the only one who has received the FIC or not. In other words, Alice could have publicly displayed the FIC, so that anyone could have it and post messages to Alice.
| 聯絡發起人 Contacts Initiator |
應邀聯絡人 Contacts Invitee |
| Alice | Bob |
| Alice | Charlie |
| Alice | Chuck |
| Alice | 隨機陌生人D a random person D |
| Alice | 隨機陌生人E a random person E |
| Alice | 隨機陌生人F a random person F |
| Alice | … |
| Alice | … |
| Alice | … |
由此可見,無人能證明她的聯絡人中哪位是 Alice 自始至終都認識的,而不是一些隨機陌生人試圖留言給她。如此一來,Alice 便可以合理地推諉她與任何信息的關係。
As you can see, no one could prove irrefutably that which of her Contacts was someone that she has known personally instead of some random person trying to post messages to her. Therefore, Alice can plausibly deny her relationship with any message.
為求用戶體驗和使用便捷性,默認的「好友邀請代碼」(FIC)身份驗證邏輯做了檢測機制,只要有一個好友接受身份驗證了之後,該 FIC 就作廢了。所以在西蒂姆(Citum)中,大家都可能有看到過有一條「等待對方授權」的系統信息。該系統信息代表兩次試圖身份驗證均未成功。如果 Bob 見到了這種情況,有兩種可能:1、Charlie、Chuck或一個隨機陌生人使用了;2、網絡出問題了。因為西蒂姆(Citum)的客戶端代碼開源的,任何人都可以修改 Citium IM 的、相關一對一的 FIC 身份認證限制的代碼。可推諉性依然成立。
To enhance user experience and simplicity, the default Friend Invitation Code (FIC) authentication has a detection mechanism. As long as a friend accepts the out-of-band verification, the FIC is invalidated. You may see a system message popped up in Citium Instant Messenger saying “Awaiting authorization from the communicating party”. This message indicates that two attempts to authenticate were unsuccessful. If Bob sees this, there are two possibilities: 1. Charlie, Chuck or some random person has used the FIC; 2. There is a problem with the network. However, since CIM is open-source, anyone can modify this one-to-one authentication restriction of FIC. Deniability still holds.
分身馬甲帳號
Sockpuppetry
分身馬甲帳號(Sockpuppets)是一個 反監控的軟件對策 / software measure of countersurveillance。在西蒂姆(Citum)中,分身馬甲帳號 的機制註定了 任何用戶都可以偽裝成其他用戶,就連用戶帳戶的暱稱也並非獨一無二性的!不論從哪個角度來看,沒人能確定哪個賬戶屬於誰的。西蒂姆(Citum)的「分身馬甲帳號」機制規定 一個用戶賬戶不可以與另一位用戶賬戶直接溝通,而只能通過西蒂姆(Citum)中的「分身馬甲帳號」間接溝通。所有用戶賬號都是「分身馬甲帳號」,而每個帳號都貌似是一個反監控的誘餌。一個賬戶在替持賬用戶通訊或僅僅只是在替其他用戶扮演「分身馬甲帳號」去通訊(替其他賬戶通過 無差別網樹多點傳送(IMTM)溝通),除了持賬用戶本人之外,任何其他人都無從推敲亦無法證明。
Sockpuppet is a software measures of countersurveillance. In Citium, sockpuppetry dictates that anyone can pretend to be someone else. The user account nickname is non-exclusive! No user knows for sure which account belongs to whom no matter from which perspective one looks. Sockpuppetry dictates that a user cannot communicate directly to another user but only indirectly through the sea of sockpuppet user accounts in Citium. All accounts are sockpuppets and everyone looks like an anti-surveillance decoy. An account can be communicating on behalf of the account holder or simply just sockpuppeting (communicating on behalf of other accounts by indiscriminate mesh-tree multicast (IMTM)). No one else can scrutinize or prove which account is communicating on behalf of whom except for the account holder him/herself.
再更進一步增強可推諉性,所有西蒂姆(Citum)節點上的數據生命週期都被限制了長度。舉例,身處在用戶移動節點上的密文碎片是默認在24小時後 自焚 的。當事人可以直接告訴脅迫者,系統早已按照公佈的時間表故意抹掉自己的信息,因此不能交出信息。
To further maximize deniability, all data have limited life expectancy on Citium nodes. For example, cryptographically split multiple slices of ciphertext sitting on users’ mobile nodes are set to self-destruct countdown of 24 hours. The parties can just tell the coercer that they deliberately erased their message according to a published schedule, and therefore cannot surrender them.