Measuring Anonymity Revisited
Transcript of Measuring Anonymity Revisited
Gergely Tóth, 5 November 2004. Nordsec 2004, Helsinki, Finland, 4-5 November 2004
Gergely Tóth
Zoltán Hornák
Ferenc Vajda
Budapest University of Technology and Economics
Department of Measurement and Information Systems
Nordsec 2004
Outline
• Our research group
• Anonymity in general
• Anonymous communication
• Measuring anonymity
  – past and present approaches
  – our suggestion
• Summary and future plans
SEARCH-LAB at BUTE DMIS
• Budapest University of Technology and Economics (BUTE)
• Department of Measurement and Information Systems (DMIS)
• Security Evaluation Analysis and Research Laboratory (SEARCH-LAB)
• Core focus: security in mobile networks
• Current research areas: DRM, biometrics & anonymity
Summary of the Presentation & Paper
• Anonymous communication is needed for several real-world scenarios
• Different implementations provide different levels of anonymity
• A theoretical, objective metric is needed to be able to compare them
• After analyzing past approaches, we present our suggestion
Introduction
Anonymity in General
• Anonymity means hiding the identity
  – actions are performed by subjects
  – the aim is to hide the identity of these subjects from any possible adversary
• Possible anonymity scenarios
  – hide the identity of the voter during e-voting
  – hide the identity of the buyer during e-payment
  – hide the identity of the sender of e-mails
Anonymous Communication
• Several layers in the anonymity architecture with different functions
• Focus of the presentation & paper: anonymous communication
  – systems that deliver messages so that they cannot be traced back to their sources
  – several such systems have been designed
  – the aim is now to define metrics to be able to compare them
Need for Measuring Anonymity
• Different systems
  – algorithms
  – network topologies
  – adversary models
• The anonymity provided has to be measured
  – objective, theoretically based metrics
  – should be easy to understand by laymen
  – users should be able to define their required anonymity level
Anonymous Communication
Model of Anonymous Communication
[Figure: the anonymous message transmission system; the sent message i (sent by the sender s_l) enters the channel and leaves it as the delivered message i (delivered to the recipient r_l)]
• Anonymous message transmission system
  – senders send encrypted messages to recipients through a channel
  – the channel alters, delays and reorders messages before delivery
  – an adversary tries to back-trace delivered messages to their senders
Anonymity Terminology
• “Anonymity is the state of being not identifiable within a set of subjects, the anonymity set”
• Sender anonymity means that
  – a particular message is not linkable to any sender and
  – to a particular sender no message is linkable.
Different Realizations
• Over time several schemes have been proposed and implemented
  – batch systems: MIXes
  – continuous-time systems
  – peer-to-peer systems
  – systems with provable anonymity, such as DC networks
• Let’s see some examples
MIXes I – Batched Operation
• MIXes are network relays that make back-tracing messages to their senders hard
• For this they buffer incoming messages and randomly reorder them upon delivery
[Figure: a MIX buffering incoming messages and reordering them on delivery]
MIXes II – the MIX Network
• They are furthermore organized in networks
• There, special, onion-like messages are created and propagated
[Figure: a message M addressed to recipient Y is wrapped in layers (“to MIX3”, “to MIX2”) and sent from the sender to MIX1; MIX1 forwards it to MIX2, MIX2 to MIX3, and MIX3 delivers M to Y]
Continuous Time Systems
• MIXes do batching; in most cases they do not guarantee real-time delivery
• Continuous-time systems, on the other hand, process messages individually
  – the message delay in the channel is a random variable with a given density f(·)
  – the delay does not depend on the actual message distribution
PROB-channel & SG-MIX
• Two recent continuous-time systems:
  – SG-MIX (Stop-and-go MIX): exponential density function for non-real-time scenarios
  – PROB-channel: uniform distribution with a definite maximum for real-time use-cases
[Figure: the two delay density functions f(·): an exponential density for the SG-MIX, and a uniform density of height f_max up to the maximum delay for the PROB-channel]
Challenge
• The challenge:
  – newer and newer systems are constructed
  – different known systems are organized into networks of various topologies
• Which architecture is better?
  – a theoretical metric is needed to objectively compare different systems
  – measuring should be easy to understand
More Complex Systems and Networks
[Figure: larger systems built by combining MIXes and continuous-time channels (delay densities f(·) with a maximum delay and f_max) into networks]
Measuring Anonymity
Attempt #1 – Anonymity Set Size
• Size of the anonymity set
  – the first attempt to quantify the level of anonymity
  – the bigger the anonymity set, the greater the level of anonymity
  – easy to calculate
  – easy to understand
    • you are as anonymous as if the adversary had to pick randomly from 500 equal possibilities
Problem with Anonymity Set Size
• In some simple cases the anonymity set size works well (e.g. for simple MIXes)
• However a closer look reveals
  – in the anonymity set the subjects have different probabilities, i.e. according to the adversary's knowledge one subject is more likely to be the actual sender than another
  – the size of the anonymity set alone is not definite enough
Attempt #2 – Entropy
• The probabilities of the different subjects have to be considered
• For this purpose information theory has defined a fundamental construction: entropy
• The improved approach: use the entropy of the probability distribution for quantifying anonymity
Entropy – Definitions
• Determine the probabilities for a sender being the originator of a message: $P_{s_k,l}$ is the probability (according to the adversary) that message $l$ was sent by sender $s_k$
• The anonymity set: $S_l = \{\, s_k \mid P_{s_k,l} > 0 \,\}$
• Simple entropy measure: $S = -\sum_{s_k \in S_l} P_{s_k,l} \log_2 P_{s_k,l}$
• Normalized entropy measure: $d = S / \log_2 |S_l|$
Problems with Entropy
• Entropy-based metrics aim to quantify the amount of information that is needed to totally break anonymity
• Problem: non-desirable systems with arbitrarily high entropy exist
  – both for simple entropy and
  – for normalized entropy.
Example
• 20 senders, uniform distribution, P = 5%
• 101 senders, non-uniform distribution
  – for one sender P = 50%
  – for all the other 100 senders P = 0.5%
• For both cases the entropy is the same: S = 4.3219 bits
• However, it is clear that the two systems don't achieve the same level of anonymity
Problems with Entropy – continued
• In the paper degenerate cases were shown for both simple and normalized entropy
  – such measures neglect the local aspect of anonymity
    • the adversary does not necessarily want to totally compromise all messages
    • the aim could be to locally guess for some messages with a better probability than anticipated
• Easy understandability suffers as well
Our Suggestion – Maximal Probability
• Use the maximal probability $\max_{k,l} P_{s_k,l}$ as a measure
• If this maximum stays below a given parameter, the system is called source-hiding with that parameter
  – this approach is easy to understand
• A parameter of 10% means that regardless of what the adversary does, he won't be able to compromise any of your messages with a probability greater than 10%
Maximal Probability – continued
• Source-hiding property
  – it can be converted back to the entropy-based metrics
    • equations were given for both simple and normalized entropy
  – it considers the local aspect of anonymity
    • for no message can the threshold be exceeded
  – for some systems the source-hiding property can be set as a requirement
Summary & Future
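As an added illustration (my own code, not from the slides or the paper), the four measures above applied to the two distributions of the earlier example, plus the per-message source-hiding check; the function names and the `threshold` parameter name are my own choices.

```python
import math

# Constructed from the slides' example: the adversary's probability P_{s_k,l}
# that each candidate sender s_k sent one given message l.
UNIFORM_20 = [0.05] * 20              # 20 senders, P = 5% each
SKEWED_101 = [0.50] + [0.005] * 100   # 101 senders: one at 50%, 100 at 0.5%


def anonymity_set(probs):
    """Attempt #1: S_l = { s_k | P_{s_k,l} > 0 }, returned as sender indices."""
    return [k for k, p in enumerate(probs) if p > 0]


def simple_entropy(probs):
    """Attempt #2: S = -sum P log2 P over the anonymity set, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def normalized_entropy(probs):
    """d = S / log2 |S_l|: entropy relative to the uniform case of that size."""
    n = len(anonymity_set(probs))
    return 1.0 if n <= 1 else simple_entropy(probs) / math.log2(n)


def maximal_probability(probs):
    """The slides' suggestion: the adversary's best guess for this message."""
    return max(probs)


def is_source_hiding(per_message_probs, threshold):
    """Source-hiding with the given parameter: the bound must hold for every
    message (the local aspect), not merely on average across messages."""
    return all(maximal_probability(p) <= threshold for p in per_message_probs)


def compare(probs):
    """All four measures for one message's distribution, rounded for display."""
    return {
        "set_size": len(anonymity_set(probs)),
        "entropy_bits": round(simple_entropy(probs), 4),
        "normalized": round(normalized_entropy(probs), 4),
        "max_prob": maximal_probability(probs),
    }


if __name__ == "__main__":
    for name, dist in (("uniform_20", UNIFORM_20), ("skewed_101", SKEWED_101)):
        assert abs(sum(dist) - 1.0) < 1e-9   # sanity: a proper distribution
        print(name, compare(dist), "source-hiding at 10%:", is_source_hiding([dist], 0.10))
```

Both distributions report S = 4.3219 bits, yet only the uniform one stays below a 10% source-hiding threshold; the normalized entropy separates them too, but only because the set sizes differ.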
Summary
• The field of anonymous communication is rapidly evolving
• In order to be able to objectively compare different systems, a theoretical metric is needed
• Our suggestion is to use the maximal probability from the probability distribution of the adversary to measure the achieved level of anonymity
Research Plans
• For some scenarios the level of anonymity can be calculated
  – there are constructions where the anonymity has to be analyzed further
  – it has to be evaluated how the combination of different systems behaves
• Systems are needed where the level of anonymity can be set as a requirement (QoS)
Thank you for your attention
Gergely Tóth
Budapest University of Technology and Economics
Department of Measurement and Information Systems