Characterising Anonymity Systems PDF

188 Pages·2009·1.45 MB·English

Preview Characterising Anonymity Systems

Characterising Anonymity Systems

Joss Wright

This thesis is submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy.

The University of York
Heslington
York YO10 5DD
Department of Computer Science

November 2007

For Emily

Abstract

Privacy is a value shared by most human societies. The work presented here is inspired by this value and is concerned with methods by which it may be achieved. In a world where we increasingly make use of information systems amenable to surveillance, privacy is no longer an inherent assumption; it has become a property that must be explicitly designed.

In this thesis we examine the background and motivation for privacy and how this goal may be achieved by use of systems that provide anonymity. We examine the underlying features of such systems, the variety of strategies that may be employed to achieve this aim, and the limitations of these methods.

We employ a definition of anonymity based on various applications of random choice to introduce unpredictability into the sequences of observable events created by the exchange of messages between actors in communicating systems. This leads to a characterisation of anonymity systems according to the fundamental mechanism that they employ to maximise this unpredictability.

The characterisation that we propose leads us to identify four fundamental anonymity strategies, corresponding to known mechanisms that introduce randomness in communicating processes. These strategies form a classification applicable to all anonymity systems, which allows us to consider in isolation the separate strategies for achieving anonymity. Taking this approach we show that each fundamental strategy is individually sufficient to provide anonymity to communicating entities.

We analyse the anonymity strategies identified in the model through a simulation-based approach, and employ an information theoretic quantification to compare the anonymity provided by each type of system. The fundamental strategies are simulated both individually and as part of larger networks, and are compared with respect to the effectiveness of each approach in confusing an observer’s ability to link communicating actors. Finally, we demonstrate that combining strategies in a single system can improve anonymity beyond that of individual strategies.

Our results show the relative effectiveness of a range of anonymity systems at their most fundamental level, and make use of a quantification method that is applicable to any anonymity system based on the communication of messages between actors.

Contents

I Introduction

1 Introduction
    1.1 Privacy
    1.2 Anonymity
        1.2.1 Names and Identity
        1.2.2 Etymology
        1.2.3 Pseudonymity
        1.2.4 Applications
    1.3 Summary

2 Basic Concepts
    2.1 Actors
    2.2 Structure
    2.3 Anonymity Definitions
    2.4 Identifiability
        2.4.1 Cardinality
        2.4.2 Certainty
        2.4.3 Sufficient Anonymity
    2.5 Characteristics
        2.5.1 Anonymised Party
        2.5.2 Connection
        2.5.3 Distribution of data
        2.5.4 Participant Relations
        2.5.5 Revocability
    2.6 Attackers
        2.6.1 Internal/External
        2.6.2 Static/Adaptive
        2.6.3 Active/Passive
        2.6.4 Local/Global
    2.7 Summary

3 Anonymity Systems
    3.1 Mixes
        3.1.1 Basic properties
        3.1.2 Threshold Mixes
        3.1.3 Timed Mixes
        3.1.4 Continuous Mixes
        3.1.5 Mix Networks and Mix Cascades
        3.1.6 Mix Networks
        3.1.7 Mix Cascades
        3.1.8 Hybrid Approaches
        3.1.9 Synchronous and Asynchronous Batching
    3.2 Attacks on mix systems
        3.2.1 Passive Attacks
        3.2.2 Active Attacks
        3.2.3 Denial of Service Attacks
    3.3 Dummy Traffic
    3.4 Other Technologies
        3.4.1 Dining Cryptographer Networks
        3.4.2 Onion Routing
        3.4.3 Crowds
    3.5 Deployed Anonymity Systems
        3.5.1 Remailers
        3.5.2 Freenet
        3.5.3 JAP
        3.5.4 PipeNet
        3.5.5 Tor
    3.6 Summary

II Simulation

4 Anonymity Mechanisms
    4.1 Introduction
    4.2 Hiding
    4.3 Spurious Events
    4.4 Pull Technologies
    4.5 Internal Randomness
    4.6 Conclusion

5 Analysis Methods
    5.1 Introduction
    5.2 Shannon Entropy
        5.2.1 Examples
        5.2.2 Conditional Entropy
        5.2.3 Experimental Factors
    5.3 Building the probability distribution
        5.3.1 Example
    5.4 Result Significance Testing
        5.4.1 Null hypothesis testing
        5.4.2 Statistical tests for homogeneity
        5.4.3 Details of the Kolmogorov-Smirnov Test
        5.4.4 Example Application
    5.5 Summary

6 Simulation
    6.1 Introduction
    6.2 Quantification Approach
    6.3 Purpose
    6.4 Design
    6.5 Engine
        6.5.1 Network Scheduling and Routing
        6.5.2 Input format
        6.5.3 Output format
    6.6 Implementation Details
        6.6.1 Language choices
        6.6.2 Environment
        6.6.3 Sender
        6.6.4 Receiver
        6.6.5 Nodes
    6.7 Processing of Results
        6.7.1 Choice of pairings
        6.7.2 Basic Operation
        6.7.3 Specific considerations for the Drop strategy
    6.8 Experimental Setup
    6.9 Summary

7 Analysis of Simulation Results
    7.1 Introduction
    7.2 Control Experiments
        7.2.1 Multiple Hops
        7.2.2 Entropy of output pairings
    7.3 Mix
    7.4 Flood
    7.5 Hide
    7.6 Drop
    7.7 Crowds
    7.8 Combined Systems
    7.9 Mix and Flood
    7.10 Crowds and Flood
        7.10.1 Enforce hops
        7.10.2 Isolate Crowds nodes
        7.10.3 No enforcement of path
        7.10.4 Results
    7.11 Crowds and Mix
    7.12 Summary
        7.12.1 Multiple Nodes

III Conclusions

8 Conclusions
    8.1 Overview
    8.2 Model
    8.3 Methods of Providing Anonymity
    8.4 Simulation
        8.4.1 Individual Strategies
        8.4.2 Network Effects
        8.4.3 Combination of Strategies
    8.5 Future Work
        8.5.1 Formal Modelling
        8.5.2 Data Independence
        8.5.3 Attacker Models
        8.5.4 Improved Quantification
        8.5.5 Detailed Modelling
    8.6 Summary

IV Appendices

A Results
    A.1 Introduction
    A.2 Single Strategy Networks
        A.2.1 Mix
        A.2.2 Flood
        A.2.3 Hide
        A.2.4 Drop
        A.2.5 Four Nodes
        A.2.6 Four Nodes – All Hops
        A.2.7 Four Nodes – All Hops
        A.2.8 Four Nodes – All Hops
        A.2.9 Four Nodes – All Hops
        A.2.10 Crowds-style
    A.3 Mixed Strategy Networks
        A.3.1 Mix with Flood
        A.3.2 Crowds with Flood
        A.3.3 Crowds with Mix
    A.4 Statistical Significance Tests
        A.4.1 Single Mix
        A.4.2 Four Mixes, 1 Hop
        A.4.3 Four Mixes, 2 Hop
        A.4.4 Four Mixes, 3 Hop
        A.4.5 Four Mixes, 4 Hop
        A.4.6 Single Flood
        A.4.7 Four Flood, 1 Hop
        A.4.8 Four Flood, 2 Hop
        A.4.9 Four Flood, 3 Hop
        A.4.10 Four Flood, 4 Hop
        A.4.11 Single Hide
        A.4.12 Four Hide, 1 Hop
        A.4.13 Four Hide, 2 Hop
        A.4.14 Four Hide, 3 Hop
        A.4.15 Four Hide, 4 Hop
        A.4.16 Four Crowds
        A.4.17 Mix / Flood
        A.4.18 Crowds / Flood
        A.4.19 Crowds / Mix

Bibliography

Description:
6.4 EBNF grammar for the simulation engine input file . 96 .. its related properties, as well as briefly detailing concrete examples of appli-.