掩盖:通过“强制”参与匿名通信网络的隐私

David M. Sommer, Aritra Dhar, Luka Malisa, Esfandiar Mohammadi, D. Ronzani, Srdjan Capkun
{"title":"掩盖:通过“强制”参与匿名通信网络的隐私","authors":"David M. Sommer, Aritra Dhar, Luka Malisa, Esfandiar Mohammadi, D. Ronzani, Srdjan Capkun","doi":"10.1145/3052973.3056126","DOIUrl":null,"url":null,"abstract":"Many privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis attacks. The only ACN with a high number of participants (around 1.5 million users) is Tor. Yet, Tor is prone to traffic analysis attacks traffic pattern attacks. While other ACNs have been proposed that are even secure against global attackers, they are not scalable and suffer from a low number of participants, since even a perfect ACN can at most hide a user among all participating users. These ACNs are in a vicious circle: the lack of participants leads to low degree of anonymity, and a low degree of anonymity makes these ACNs unattractive for users. In this work, we break this vicious cycle by studying the question: Can an anonymous communication network be strengthened by \"forced\" participation? What privacy guarantees and performance can such an ACN provide? We develop CoverUp, a system that \"forces\" visitors of highly accessed websites (entry servers) to become involuntary participants of an ACN. CoverUp triggers users to participate in a centralized, constant-rate mix by leveraging basic functionality of their browsers to execute (JavaScript) code served by the entry servers. Candidates for entry servers could be universities or news sites. They would let a distinct CoverUp server provide (via an iframe) JavaScript code to the end-users' browsers, which in turn makes them participate in the ACN via a mix server. Visitors of these entry servers' websites become (involuntary) participants of an ACN, creating cover traffic for voluntary participants. For voluntary participants, we developed a browser extension that renders their CoverUp requests indistinguishable from the cover traffic of involuntary participants. We build two applications on top of CoverUp: an anonymous feed and a chat-both use an additional external CoverUp application. As the feed is uni-directional, we do not need to trust more than the client's machine. As the chat is bi-directional, we do need to trust the CoverUp and the mix server. We show that both achieve practical performance and strong privacy properties via experimental evaluations and an analysis. CoverUp renders voluntary and involuntary participants indistinguishable, thereby including all voluntary and involuntary participants into an anonymity set. Given this, CoverUp provides even more than mere anonymity: the voluntary participants can hide the very intention to use the ACN. As the concept of forced participation raises ethical and legal concerns, we discuss these concerns and describe how these can be addressed.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"CoverUp: Privacy Through \\\"Forced\\\" Participation in Anonymous Communication Networks\",\"authors\":\"David M. Sommer, Aritra Dhar, Luka Malisa, Esfandiar Mohammadi, D. Ronzani, Srdjan Capkun\",\"doi\":\"10.1145/3052973.3056126\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Many privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis attacks. The only ACN with a high number of participants (around 1.5 million users) is Tor. Yet, Tor is prone to traffic analysis attacks traffic pattern attacks. While other ACNs have been proposed that are even secure against global attackers, they are not scalable and suffer from a low number of participants, since even a perfect ACN can at most hide a user among all participating users. These ACNs are in a vicious circle: the lack of participants leads to low degree of anonymity, and a low degree of anonymity makes these ACNs unattractive for users. In this work, we break this vicious cycle by studying the question: Can an anonymous communication network be strengthened by \\\"forced\\\" participation? What privacy guarantees and performance can such an ACN provide? We develop CoverUp, a system that \\\"forces\\\" visitors of highly accessed websites (entry servers) to become involuntary participants of an ACN. CoverUp triggers users to participate in a centralized, constant-rate mix by leveraging basic functionality of their browsers to execute (JavaScript) code served by the entry servers. Candidates for entry servers could be universities or news sites. They would let a distinct CoverUp server provide (via an iframe) JavaScript code to the end-users' browsers, which in turn makes them participate in the ACN via a mix server. Visitors of these entry servers' websites become (involuntary) participants of an ACN, creating cover traffic for voluntary participants. For voluntary participants, we developed a browser extension that renders their CoverUp requests indistinguishable from the cover traffic of involuntary participants. We build two applications on top of CoverUp: an anonymous feed and a chat-both use an additional external CoverUp application. As the feed is uni-directional, we do not need to trust more than the client's machine. As the chat is bi-directional, we do need to trust the CoverUp and the mix server. We show that both achieve practical performance and strong privacy properties via experimental evaluations and an analysis. CoverUp renders voluntary and involuntary participants indistinguishable, thereby including all voluntary and involuntary participants into an anonymity set. Given this, CoverUp provides even more than mere anonymity: the voluntary participants can hide the very intention to use the ACN. As the concept of forced participation raises ethical and legal concerns, we discuss these concerns and describe how these can be addressed.\",\"PeriodicalId\":20540,\"journal\":{\"name\":\"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-04-02\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3052973.3056126\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3052973.3056126","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2

摘要

许多增强隐私的技术,特别是作为关键构建块的匿名通信网络(acn),都缺乏足够数量的参与者。如果用户参与度不高,acn很容易受到流量分析攻击。唯一一个拥有大量参与者(约150万用户)的ACN是Tor。然而,Tor容易受到流量分析攻击和流量模式攻击。虽然已经提出的其他ACN甚至可以安全抵御全球攻击者,但它们不具有可扩展性并且受到参与者数量少的影响,因为即使是完美的ACN最多也只能在所有参与用户中隐藏一个用户。这些acn陷入了一个恶性循环:缺乏参与者导致低匿名度,而低匿名度又使得这些acn对用户没有吸引力。在这项工作中,我们通过研究这个问题来打破这种恶性循环:匿名通信网络是否可以通过“强制”参与来加强?这样的ACN可以提供什么样的隐私保证和性能?我们开发了CoverUp,一个“强制”访问高访问量网站(入口服务器)的访问者成为ACN的非自愿参与者的系统。CoverUp通过利用浏览器的基本功能来执行由入口服务器提供的(JavaScript)代码,从而触发用户参与集中的、恒定速率的混合。候选的入口服务器可以是大学或新闻网站。他们将让一个独立的CoverUp服务器(通过iframe)向最终用户的浏览器提供JavaScript代码,这反过来又使他们通过混合服务器参与ACN。这些入口服务器网站的访问者成为ACN的(非自愿)参与者,为自愿参与者创造掩护流量。对于自愿参与者,我们开发了一个浏览器扩展,使他们的掩盖请求与非自愿参与者的掩盖流量无法区分。我们在CoverUp之上构建了两个应用程序:一个匿名提要和一个聊天——它们都使用了一个额外的外部CoverUp应用程序。由于馈送是单向的,我们不需要信任客户端以外的机器。由于聊天是双向的,我们确实需要信任CoverUp和mix服务器。我们通过实验评估和分析表明,两者都实现了实用性能和强大的隐私性。掩盖使得自愿和非自愿参与者无法区分,从而将所有自愿和非自愿参与者包括在一个匿名集合中。鉴于此,CoverUp提供的不仅仅是匿名:自愿参与者可以隐藏使用ACN的意图。由于强迫参与的概念引起了道德和法律问题,我们讨论了这些问题并描述了如何解决这些问题。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
CoverUp: Privacy Through "Forced" Participation in Anonymous Communication Networks
Many privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis attacks. The only ACN with a high number of participants (around 1.5 million users) is Tor. Yet, Tor is prone to traffic analysis attacks traffic pattern attacks. While other ACNs have been proposed that are even secure against global attackers, they are not scalable and suffer from a low number of participants, since even a perfect ACN can at most hide a user among all participating users. These ACNs are in a vicious circle: the lack of participants leads to low degree of anonymity, and a low degree of anonymity makes these ACNs unattractive for users. In this work, we break this vicious cycle by studying the question: Can an anonymous communication network be strengthened by "forced" participation? What privacy guarantees and performance can such an ACN provide? We develop CoverUp, a system that "forces" visitors of highly accessed websites (entry servers) to become involuntary participants of an ACN. CoverUp triggers users to participate in a centralized, constant-rate mix by leveraging basic functionality of their browsers to execute (JavaScript) code served by the entry servers. Candidates for entry servers could be universities or news sites. They would let a distinct CoverUp server provide (via an iframe) JavaScript code to the end-users' browsers, which in turn makes them participate in the ACN via a mix server. Visitors of these entry servers' websites become (involuntary) participants of an ACN, creating cover traffic for voluntary participants. For voluntary participants, we developed a browser extension that renders their CoverUp requests indistinguishable from the cover traffic of involuntary participants. We build two applications on top of CoverUp: an anonymous feed and a chat-both use an additional external CoverUp application. As the feed is uni-directional, we do not need to trust more than the client's machine. As the chat is bi-directional, we do need to trust the CoverUp and the mix server. We show that both achieve practical performance and strong privacy properties via experimental evaluations and an analysis. CoverUp renders voluntary and involuntary participants indistinguishable, thereby including all voluntary and involuntary participants into an anonymity set. Given this, CoverUp provides even more than mere anonymity: the voluntary participants can hide the very intention to use the ACN. As the concept of forced participation raises ethical and legal concerns, we discuss these concerns and describe how these can be addressed.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信