
Can a website allow users to securely post anonymously, while still allowing these posts to be edited by the original author at a later time and preventing editing by other users?

In this context, 'securely post anonymously' means that an attacker with full physical server access after the fact (e.g. government seizure) cannot determine which user authored a given anonymous post. I've been unable to find an algorithm that meets these requirements.

My first thoughts:

  1. When any user logs in (regardless of anonymous activity), hash(password+salt 1) is used for user authentication as normal and hash(password+salt 2) is stored in memory on the server as an 'anonymous key' while the user is logged in (never written to storage).
  2. When a user creates an anonymous post, hash(post ID + anonymous key) is stored as the 'ownership token' for the anonymous post.
  3. When a user wants to edit an anonymous post, the system authenticates ownership by repeating the ownership token generation process and checking if the result matches the existing token.

Note that:

  • An attacker cannot search for the author of an anonymous post without capturing the author's anonymous key from server memory while that user is logged in.
  • Since post IDs are unique, each anonymous post will have a different ownership token even if they are created by the same user, so an attacker cannot determine which anonymous posts share an author.

Detriments to this algorithm:

  • A user wishing to post anonymously must have a normal account on the system.
  • A user's profile cannot link to their anonymous posts, as the system does not store this linkage. The user must remember and find the post via some other means and ask to edit, at which time the ownership check will be performed. This distinguishes this question from a similar question where profile linkability with anonymity was the goal.
  • When changing a password, a user would need to either tell the server about all anonymous posts so that the ownership tokens can be updated, or lose edit access to those posts permanently.
  • An attacker with admin access to the system while it is running would be able to log the anonymous keys of users as they log in and later use these to break anonymity of the ownership tokens.

Am I missing any big things that would make this insecure under the definition of 'securely post anonymously' above? Is there a better (simpler, more secure, or fewer detriments) system for this? Does any algorithm for something like this already exist?

djsutton
  • Your solution seems similar to having a password for each post. So too does @hagenvoneitzen's. Not a problem, just an observation. – Neil Smithline May 16 '15 at 20:21
  • @NeilSmithline Yeah, I figured something like that might be necessary, so I was trying to generate it automatically from the user's login password in such a way that it was repeatable but never needed to be stored in a database. Hopefully this makes the password per post transparent to the user but still secure. – djsutton May 16 '15 at 23:09
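The three-step scheme from the question, written out as an added example (this is illustration code, not code from the question or from any existing system). The class and method names are assumptions; PBKDF2-HMAC-SHA256 stands in for the post's hash(password+salt), and the ownership token is computed as an HMAC keyed by the anonymous key rather than a plain concatenation hash (an editorial choice so that the post ID cannot be extended into a colliding input). The demo also exercises the password-change detriment listed in the question.

```python
import hashlib
import hmac
import os
import secrets

# Added example of the question's scheme. All names are assumptions.
KDF_ROUNDS = 100_000  # PBKDF2 iteration count; an assumed value


def derive(password: str, salt: bytes) -> bytes:
    """The post's hash(password + salt), done with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


class AnonPostServer:
    def __init__(self):
        self.users = {}      # username -> (salt1, login_hash, salt2); persisted
        self.posts = {}      # post_id  -> {"body": str, "token": bytes}; persisted
        self.anon_keys = {}  # username -> anonymous key; memory only, never stored

    def register(self, username: str, password: str) -> None:
        salt1, salt2 = os.urandom(16), os.urandom(16)
        self.users[username] = (salt1, derive(password, salt1), salt2)

    def login(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt1, login_hash, salt2 = self.users[username]
        if not hmac.compare_digest(derive(password, salt1), login_hash):
            return False
        # Step 1: the second derivation lives only in server memory for the session.
        self.anon_keys[username] = derive(password, salt2)
        return True

    def logout(self, username: str) -> None:
        self.anon_keys.pop(username, None)

    def _ownership_token(self, username: str, post_id: str) -> bytes:
        # Step 2: hash(post ID + anonymous key), here as HMAC-SHA256 keyed by the
        # anonymous key. Different post IDs give unrelated tokens for the same user.
        return hmac.new(self.anon_keys[username], post_id.encode(), "sha256").digest()

    def create_anon_post(self, username: str, body: str) -> str:
        post_id = secrets.token_hex(8)  # unique locator, carries nothing about the author
        self.posts[post_id] = {"body": body,
                               "token": self._ownership_token(username, post_id)}
        return post_id

    def edit_anon_post(self, username: str, post_id: str, new_body: str) -> bool:
        # Step 3: recompute the token for the logged-in user and compare.
        if username not in self.anon_keys or post_id not in self.posts:
            return False
        expected = self.posts[post_id]["token"]
        if not hmac.compare_digest(self._ownership_token(username, post_id), expected):
            return False
        self.posts[post_id]["body"] = new_body
        return True

    def change_password(self, username: str, old: str, new: str) -> bool:
        # Detriment from the question: the anonymous key derives from the password,
        # so existing tokens stop matching unless the user re-identifies each post.
        if not self.login(username, old):
            return False
        salt1, _, salt2 = self.users[username]
        self.users[username] = (salt1, derive(new, salt1), salt2)
        self.anon_keys[username] = derive(new, salt2)
        return True


def demo() -> dict:
    """Constructed scenario: two users, two anonymous posts by one of them."""
    srv = AnonPostServer()
    srv.register("alice", "correct horse")
    srv.register("bob", "battery staple")
    srv.login("alice", "correct horse")
    srv.login("bob", "battery staple")
    p1 = srv.create_anon_post("alice", "first anonymous post")
    p2 = srv.create_anon_post("alice", "second anonymous post")
    results = {
        "author_can_edit": srv.edit_anon_post("alice", p1, "edited"),
        "other_user_cannot": srv.edit_anon_post("bob", p1, "hijack"),
        "tokens_unlinkable": srv.posts[p1]["token"] != srv.posts[p2]["token"],
    }
    srv.change_password("alice", "correct horse", "new passphrase")
    results["edit_after_password_change"] = srv.edit_anon_post("alice", p2, "lost")
    return results
```

Nothing in `users` or `posts` (the persisted state) lets an offline attacker test a candidate author without first recovering that user's password and re-running the derivation, which is the property the question asks for; the in-memory `anon_keys` dict is exactly what the question's last detriment says a live attacker could log.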

2 Answers


First, there is no such thing as complete anonymity. At least once the user returns to edit the post it can be linked to the user (or their IP address) if your site gets monitored after the initial post. Apart from that this might work without the need for logins:

  • Create some random token.
  • Give the user the original token. It might be in the form of a link the user can bookmark as suggested in the other answer or you might just show the token so that the user can write it down.
  • Hash the token (SHA-256 or something like this) and store the post using the hashed token as the key. Due to how cryptographic hashes work you can get from token to hash but not back. Thus the user can find and edit their post but no one else can. And since the token is random there is no user-associated information inside the token.
  • The range of tokens should be large enough so that you cannot find a valid post just by guessing a token or brute force to find valid tokens. Since the token is only used to access a post for editing it (for display you use the hash) you might rate limit edits so that brute-forcing will be slowed down.
  • It is also important to not store any kind of information which might be used to demask the user, that is no IP addresses, no cookies, no log files, maybe not even the exact time of the post.
  • And of course you need really good overall security of the site, because otherwise an attacker might have hacked into your system and watch everything. In this case all posts can be considered no longer anonymous. This also means enforcing HTTPS so that no attacker in the path to your server can sniff the traffic.
Steffen Ullrich

I suppose you could add something like the following to appear below an anonymous posting (only in the session of the editor, of course)

If you later want to edit this post, please use the following information:

postid = 123456, authentication = iufdhgoieroertz3147493532v

or use this link directly: http://example.com/anon-edit.php?postid=123456&auth=iufdhgoieroertz3147493532v

You may want to save this information and/or link locally in a safe place for later use. Please do that now because it will not be possible for you (or others) to reproduce this later. When you try to edit a post via the "Edit" button, you will be asked to enter the authentication code above. Note that each postid requires a different authentication code.

Of course, the 123456 here is the internal id of the post and iufdhgoieroertz3147493532v is a unique random string stored with the post, but never output (except immediately after successful edit as written above).

An attacker cannot guess the authentication without access to the local storage the user chose, or access to the parameter value during transmission, or access to the posting database.

Some of this could be made more transparent with cookies and/or local storage, but people sufficiently interested in anonymity against government seizures may not be happy with cookies and local storage either.

Hagen von Eitzen
  • This is more work for the user, but I like how it completely eliminates any server-side link between user and post. Maybe the user can choose which method they want. – djsutton May 16 '15 at 22:54
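An added example (not code from either answer) implementing the login-free scheme both answers describe: a random per-post token is shown to the author once, only its SHA-256 hash is stored with the post (the first answer's design, which also covers the second answer's "random string stored with the post" if that string is hashed before storage), the second answer's "postid = …, authentication = …" receipt and edit link are produced from it, and failed edit attempts are rate limited per post as the first answer suggests. The `anon-edit.php` URL comes from the second answer; the class name, the limits and the rest of the names are assumptions of this illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Added example of the per-post random token scheme. Limits and names are assumed.
EDIT_URL = "http://example.com/anon-edit.php"  # path shown in the second answer
MAX_FAILED = 5        # failed edit attempts allowed per post per window (assumed)
WINDOW_SECONDS = 600  # rate-limit window in seconds (assumed)


def hash_token(token: str) -> bytes:
    """One-way transform of the authentication token; only this is stored."""
    return hashlib.sha256(token.encode()).digest()


class AnonBoard:
    def __init__(self, clock=time.time):
        self.posts = {}   # post_id -> {"body": str, "auth_hash": bytes}; persisted
        self.failed = {}  # post_id -> timestamps of failed edits; memory only
        self.clock = clock

    def create_post(self, body: str) -> dict:
        """Store the post under the token's hash; return what the author must keep."""
        post_id = secrets.token_hex(4)    # random locator, not a secret; no sequence,
                                          # so it does not reveal posting order
        auth = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self.posts[post_id] = {"body": body, "auth_hash": hash_token(auth)}
        link = EDIT_URL + "?" + urlencode({"postid": post_id, "auth": auth})
        # Nothing identifying is recorded: no IP, no cookie, no author, no timestamp.
        return {"postid": post_id, "authentication": auth, "link": link}

    def _rate_limited(self, post_id: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failed.get(post_id, []) if now - t < WINDOW_SECONDS]
        self.failed[post_id] = recent
        return len(recent) >= MAX_FAILED

    def edit_post(self, post_id: str, auth: str, new_body: str) -> str:
        """Returns 'ok', 'denied' or 'rate_limited'."""
        if post_id not in self.posts:
            return "denied"
        if self._rate_limited(post_id):
            return "rate_limited"
        # Compare hashes in constant time so response timing leaks nothing.
        if hmac.compare_digest(hash_token(auth), self.posts[post_id]["auth_hash"]):
            self.posts[post_id]["body"] = new_body
            return "ok"
        self.failed.setdefault(post_id, []).append(self.clock())
        return "denied"


def demo() -> dict:
    """Constructed scenario: one post, the real token, then a guessing attacker."""
    board = AnonBoard()
    receipt = board.create_post("anonymous text")
    pid, auth = receipt["postid"], receipt["authentication"]
    out = {
        "stored_token_is_hash": board.posts[pid]["auth_hash"] == hash_token(auth),
        "link_carries_token": auth in receipt["link"],
        "right_token": board.edit_post(pid, auth, "edited"),
        "wrong_token": board.edit_post(pid, "guess", "hijack"),
    }
    for _ in range(MAX_FAILED):
        board.edit_post(pid, "guess", "hijack")
    out["after_brute_force"] = board.edit_post(pid, auth, "locked out too")
    return out
```

Because the limiter is keyed by post rather than by client (keeping an IP address would contradict the first answer's "store nothing that can demask the user"), a sustained guessing attack also locks the real author out of that post for the window; that is the trade-off of rate limiting without identifying the requester. A seized database holds only `auth_hash`, which cannot be reversed to the token, and the token itself exists only in the author's saved receipt or link and in transit, which is why the first answer insists on HTTPS.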