Design and implement mechanism for applying authorship to reports

ooni / probe

OONI Probe network measurement tool for detecting internet censorship

https://ooni.org/install

BSD 3-Clause "New" or "Revised" License

762 stars 142 forks source link

Design and implement mechanism for applying authorship to reports #438

Open hellais opened 8 years ago

hellais commented 8 years ago

Currently control baseline measurements are distinguished only based on the ASN. This is very weak, because even without malicious intentions users of ooni-probe could mistakenly have their reports classified as control, while they are not controls run by us.

It seems like we could go about doing this in various different ways.

The report header and the report measurements could be signed by the user of ooni-probe and the data pipeline could validate the reports that are coming from the ID of the control (I say only that since we probably don't want to validate all reports).
The report could be authenticated at a collector level and the data pipeline just trusts the collector to submit it good data.

As a requirement to make the overall CPU load not increase it would be good to implement at the same time or around the same time also submission of reports to the collectors using JSON to avoid the serialisation/deserialisation step currently required by the data pipeline.

ghost commented 8 years ago

One approach to getting around this issue would be to ask the user to supply additional information for search queries such that the level of entropy present in the search is sufficient to allow for authorship to be measured.

I feel like you are touching on multiple issues here, it looks like you're talking about proof of authorship, as well as proof that the collectors are passing valid data.

hellais commented 8 years ago

After discussing the design I had in mind for this with @bassosimone I came up with the following scheme:

The probe generates a ECDSA key pair and uses the public key fingerprint as the "probe identifier".
When communicating to a collector the probe will take the value that the collector randomly generates (report_id) and a nonce they generate and produces a signature for report_id + nonce (where + is the string concatenation). This signature is appended to a report and is proof of the fact that the probe possesses the public key with the given fingerprint.

anadahz commented 8 years ago

This signature is appended to a report and is proof of the fact that the probe possesses the public key with the given fingerprint. @hellais I guess here you meant the private key of the given fingerprint?

Regarding the probe identifier are we going to have a list of known good public key fingerprint or how are we going to handle the "legit" public keys?

hellais commented 8 years ago

Yeah I meant proof of ownership of the private key of course.

I am thinking that what can be done is twofold:

1) We can store a list of known good public that are those, for example, of the partners.

2) We can look at historical data and assume that keys that have for a long time been contributing good stable measurements are OK and not rogue, while ones that appear as new ones should be trusted "less".

hellais commented 6 years ago

Possibly we could also do this by means of having a "channel" or "account" that is mapped to a group or organisation that runs a campaign.