Anonymity Lecture Notes1


Download 156.89 Kb.
Date conversion02.06.2018
Size156.89 Kb.
  1   2   3   4   5

An Advance Course in Computer and Network Security

Dr. Dahlia Malkhi

The Hebrew University, Jerusalem


Anonymity - Lecture Notes1

Tzachy Reinman

I.D. 032072886


Computer Science and Engineering School

The Hebrew University, Jerusalem


Content 2

Introduction 3

What is Anonymity? 3

Motivation 3

Dining Cryptographers (DC) 7

Definition 7

Explanation 7

Extensions 8

Practical Considerations 10

Drawbacks 11

DC Networks 11

Anonymizer 12

Chaum Mixes 13

Definition 13

How it works 13

“Cascade of Mixes” or Chain of Mixes 14

Reply (“Return Address”) 15

Drawbacks 16

Comparison between Mix-net and DC-net 16

Onion Routing 18

Definition 18

How it works 18

Practical considerations and information 19

Attacks that Onion Routing is vulnerable to 19

Comparison between Onion Routing and Mixes 19

Crowds 20

Definition 20

How it works 20

Security analysis [9] 21

Encryption 24

Static vs. dynamic paths 24

Timing attacks 25

Scale 26

Drawbacks 26

Vision 27

Comparison between Crowds and Other Protocols 27

Degradation of Anonymity Methods – The Predecessor Attack 28

Questions and Answers 31

References 34


What is Anonymity?

Anonymity is a property of network security. An entity in a system has anonymity if no other entity can identify the first entity, nor is there any link back to the first entity that can be used, nor any way to verify that any two anonymous acts are performed by the same entity.

Related term - Pseudonymity: A weaker, related property is pseudonymity. Pseudonymity means that one cannot identify an entity, but it may be possible to prove that two pseudonymous acts were performed by the same entity.

“For example, imagine that you have received a letter in the mail, with no signature, no return address, and no method for you to identify the sender or respond. This letter is anonymous. If the letter contains a secret key, and you then get later letters containing the same secret key, you can be pretty sure they came from the same entity. These latter letters are pseudonymous. If the letter contains instructions for responding, other than by some public channel, and you respond and the writer then responds to you, the writer is now pseudonymous rather than anonymous. This is because you have two (or more) acts (mailing letters) that were performed by the same person” [5].


Naively, there is no privacy2 on the Web. Browsers advertise IP address, domain name, organization, referring page, platform (OS, browser) and which information is requested. The information is available to end servers, local system administrator, and other third parties (see the example below). Cookies are another violation of privacy.

Example: A typical HTTP request looks like:


User-Agent: Mozila/3.01 (X11; I; SunOS 4.1.4 sun4m)



Accept: image/gif, image/x-xbitmap, image/gpeg, image/pjpeg, */*

Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F

It can be easily seen that the site that accepts that request knows (without doing anything) the referrer (i.e. the previous site). This is neither privacy nor anonymity!

Suppose numerous sites link to Due to Referrer field, doubleclick may capture your whole click-stream!

Site A


“…referrer: site A…”

“…referrer: site B…”

Site B

The adversary

There are many kinds of adversaries:

    • Global – e.g. ISP, backbone administrator

    • Partial – e.g. in a cable Internet system, all the users use the same channel and can get everyone’s messages (encrypted), so an eavesdropper can perform a traffic analysis of another user.

    • Local – e.g. system administrator

      • Active attackers – an individual or a group, local or global, that can cause worse damage than just listening.

Anonymity in the network is relevant to:

  • Electronic voting

  • E-commerce – The efficiencies of the public Internet are strong motivation for companies to use it instead of private intranets. However, these companies may want to protect their interests. The existence of inter-company collaboration may be confidential. Private people are also interested in anonymous e-commerce. A person shopping on the Web may not want his visits tracked.

  • Sending anonymous messages or distributing anonymous content

  • Other data communications (E-mail, Web browsing, Chatting) – Avoiding traffic analysis3

  • Hiding the existence of a VPN (Virtual Private Network) between two or more participants

  • Remote Login
  • Interest group – Examples are: Private health concerns - a person who is an AIDS carrier (and therefore accesses relevant data bases) is interested that this will remain unknown; Support groups of victims of crimes (rape, violence, etc.).

  • PIR – private information retrieval. For example, a researcher using the World Wide Web to access a patents database may expect his particular focus to remain private

  • .

  • Privacy of the communication patterns (defected by cookies)

Types of anonymity protection

  • Sender anonymity – the receiver (and others) cannot know who sends the message.

  • Receiver anonymity – servers in the message path cannot know to whom the message is designated.

  • Unlinkabiliity of sender and receiver. Linkability is the possibility to link between different actions in the Internet. For example, if a specific IP address appears in several transactions, then it can be concluded that there is a connection between those transactions.

  • Publisher anonymity (broadcast).

  • Information anonymity - For example, a few years ago, a convicted child rapist working as a technician in a Boston hospital riffled through 1,000 computerized records looking for potential victims (and was caught when the father of a nine-year-old girl used caller ID to trace the call back to the hospital).

  • Client anonymity (in client-server systems).

  1   2   3   4   5

The database is protected by copyright © 2017
send message

    Main page