Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gergely Tóth, 23 September 20031 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Measure for Anonymity Gergely Tóth Budapest University of Technology and.

Similar presentations


Presentation on theme: "Gergely Tóth, 23 September 20031 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Measure for Anonymity Gergely Tóth Budapest University of Technology and."— Presentation transcript:

1 Gergely Tóth, 23 September 20031 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Measure for Anonymity Gergely Tóth Budapest University of Technology and Economics Department of Measurement and Information Systems IWCIT’03

2 Gergely Tóth, 23 September 20032 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Contents Background: Onion-routing Model of the PROB-channel Source- and destination-hiding property MIN/MAX property Optimum

3 Gergely Tóth, 23 September 20033 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Research Background anonymous message transmission techniquesNeed for anonymous message transmission techniques –transparent –general-purpose –independent Research & planning is ongoing Theoretical analysis not complete

4 Gergely Tóth, 23 September 20034 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Classification of Techniques According to –behavior –behavior: passive & active techniques –delay –delay: real-time & non-deterministic systems –number of relaying nodes –number of relaying nodes: proxy & distributed systems –what adversaries can see –what adversaries can see: observable & unobservable systems –level of abstraction –level of abstraction: black-box models & finished implementations

5 Gergely Tóth, 23 September 20035 IWCIT’03, Gliwice, Poland, 22-23 September 2003 An Existing Approach — Onion-routing Distributed system Onion-structuredOnion-structured packets cannot be compromised even if some relaying nodes are compromisedAnonymity of the sender cannot be compromised even if some relaying nodes are compromised

6 Gergely Tóth, 23 September 20036 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Our Model — the PROB-channel PassivePassive: configuration is static (not affected by message distribution) Real-timeReal-time: there is a maximal delay ObservableObservable: an observer can eavesdrop on all connection channels Black-boxproxyBlack-box (  proxy): the observer cannot gain information from within the channel

7 Gergely Tóth, 23 September 20037 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Requirements for the Model Guaranteed transmission throughputGuaranteed transmission throughput –time between sending and delivery of messages has a defined maximum Measurable anonymityMeasurable anonymity –there should be an objective, theoretical measure for the anonymity provided Requirements for guaranteed anonymity levelRequirements for guaranteed anonymity level –should be defined

8 Gergely Tóth, 23 September 20038 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Example System Anonymous medical consulting systemAnonymous medical consulting system –patientsquestionsdoctors –patients ask questions the doctors questions in e-mail –answer on a public forum –answer on a public forum together with the question the question should not be linkable to the patient –aim: the question should not be linkable to the patient questions should not be linkable to patients patients should not be linkable to their questions

9 Gergely Tóth, 23 September 20039 IWCIT’03, Gliwice, Poland, 22-23 September 2003 PROB-channel I. Senders messagesrecipientsSenders (patients) send encrypted messages (questions ) to recipients (doctors) transformingdelayingThe channel delivers the messages after transforming and delaying them

10 Gergely Tóth, 23 September 200310 IWCIT’03, Gliwice, Poland, 22-23 September 2003 PROB-channel II. Message delay in the channel: probability variable –is a probability variable (  ) message and time invariant –is message and time invariant distribution –has a known distribution f(  )

11 Gergely Tóth, 23 September 200311 IWCIT’03, Gliwice, Poland, 22-23 September 2003 The Observer Passive observerPassive observer: –cannot delete, alter or delay messages –cannot create new messages KnowsKnows: –parameters and environment of the channel –time of sending and receipt of messages link messages to sendersAim: link messages to senders (who asked the questions)

12 Gergely Tóth, 23 September 200312 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Confidence of the Observer How can it be computedHow can it be computed: –for each sender –for each message –by knowing the history of the system  with what probability a certain sender sent a certain message:

13 Gergely Tóth, 23 September 200313 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Global Back-tracing Search for the most probable match among all the possible matches AdvantageAdvantage: finds out the links (if possible) DisadvantageDisadvantage: slow (exponential) –under some circumstances even for about 30 messages unfeasible for today’s computers

14 Gergely Tóth, 23 September 200314 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Local Back-tracing Confidence of the observer calculated for each delivered message independently AdvantageAdvantage: fast (polynomial) DisadvantageDisadvantage: some links are not detected

15 Gergely Tóth, 23 September 200315 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Conclusion for Behavior of Observer Global back-tracingGlobal back-tracing would provide best results unfeasible –for practical user unfeasible Local back-tracingLocal back-tracing is polynomial used in the practice –can be used in the practice –for following conclusions local back-tracing is assumed

16 Gergely Tóth, 23 September 200316 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Source-hiding Property Source-hiding propertySource-hiding property with parameter   Measure for sender-anonymity The observer cannot link any message to a sender with a probability greater than .

17 Gergely Tóth, 23 September 200317 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Destination-hiding Property Destination-hiding propertyDestination-hiding property with parameter   Measure for recipient-anonymity The observer cannot link any sender to a message with a probability greater than .

18 Gergely Tóth, 23 September 200318 IWCIT’03, Gliwice, Poland, 22-23 September 2003 MIN/MAX Property I. MIN/MAX property  min,  maxMIN/MAX property with parameters  min,  max rules  Senders don’t send messages at their own consideration, they have to follow rules. No sender sends message within  min time and all senders send a message in  max time.

19 Gergely Tóth, 23 September 200319 IWCIT’03, Gliwice, Poland, 22-23 September 2003 MIN/MAX Property II. Upper limitUpper limit can be given to the confidence of the observer: –message invariant –depends only on the parameters of the channel and on  min,  max

20 Gergely Tóth, 23 September 200320 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Problem canSource-hiding property can be guaranteed –oblige senders to send messages according to rules –MIN/MAX property cannotDestination-hiding property cannot be guaranteed –recipients cannot be obliged to receive messages according to rules

21 Gergely Tóth, 23 September 200321 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Optimum randomlyThe observer can only choose randomly from the possible senders Uniform distributionUniform distribution for the delay With MIN/MAX property independent from actual message distribution:

22 Gergely Tóth, 23 September 200322 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Global Optimum With MIN/MAX property if  min =  max all the sendersThe observer has to choose randomly from all the senders No additional informationNo additional information is gained with the observation

23 Gergely Tóth, 23 September 200323 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Conclusions PROB-channelModel of the PROB-channel Confidence of the observer Source-hiding propertySource-hiding property –measure for sender-anonymity Destination-hiding propertyDestination-hiding property –measure for recipient anonymity MIN/MAX propertyMIN/MAX property –method for limiting confidence of the observer

24 Gergely Tóth, 23 September 200324 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Research Plans Open the black-box channelOpen the black-box channel –move to a distributed system (graph consisting of nodes) –messages can be created and dropped Active adversaryActive adversary –can drop messages –can block messages –can delay or reorder messages


Download ppt "Gergely Tóth, 23 September 20031 IWCIT’03, Gliwice, Poland, 22-23 September 2003 Measure for Anonymity Gergely Tóth Budapest University of Technology and."

Similar presentations


Ads by Google