|
|
| Line 1: |
Line 1: |
| In [[anonymity network]]s (e.g. [[Tor (anonymity network)|Tor]], [[Crowds]], [[Mixmaster anonymous remailer|Mixmaster]], [[Tarzan (anonymity network)|Tarzan]], etc.) it is important to be able to measure quantitatively the guarantee that is given to the system. The '''degree of anonymity''' <math>d</math> is a device that was proposed at the 2002 Privacy Enhancing Technology (PET) conference. There were two papers that put forth the idea of using [[entropy]] as the basis for formally measuring anonymity: "Towards an Information Theoretic Metric for Anonymity", and "Towards Measuring Anonymity". The ideas presented are very similar with minor differences in the final definition of <math>d</math>.
| | The writer is recognized by the name of Figures Lint. My family life in Minnesota and my family enjoys it. He used to be unemployed but now he is a meter reader. He is really fond of performing ceramics but he is having difficulties to find time for it.<br><br>Here is my web blog [https://alphacomms.zendesk.com/entries/53455304-Curing-Your-Candida-Albicans-How-To-Make-It-Happen-Easily over the counter std test] |
| | |
| __TOC__
| |
| | |
| ==Background==
| |
| Anonymity networks have been developed and many have introduced methods of proving the anonymity guarantees that are possible, originally with simple [[Mix network|Chaum Mixes]] and Pool Mixes the size of the set of users was seen as the security that the system could provide to a user. This had a number of problems; intuitively if the network is international then it is unlikely that a message that contains only Urdu came from the United States, and vice-versa. Information like this and via methods like the [[Onion Routing|predecessor attack]] and [[Onion Routing|intersection attack]] helps an attacker increase the probability that a user sent the message.
| |
| | |
| ===Example With Pool Mixes===
| |
| [[Image:AD Pool Mix.jpg]]
| |
| As an example consider the network shown above, in here <math>A, B, C</math> and <math>D</math> are users (senders), <math>Q, R, S</math>, and <math>T</math> are servers (receivers), the boxes are mixes, and <math>\{A, B\} \in T</math>, <math>\{A, B, C\} \in S</math> and <math>\{A, B, C, D\} \in Q, R</math> where <math>\in</math> denotes the anonymity set. Now as there are [[pool mix]]es let the cap on the number of incoming messages to wait before sending be <math>2</math>; as such if <math>A, B</math>, or <math>C</math> is communicating with <math>R</math> and <math>S</math> receives a message then <math>S</math> knows that it must have come from ??<math>E</math>?? (as the links between the mixes can only have <math>1</math> message at a time). This is in no way reflected in <math>S</math>'s anonymity set, but should be taken into account in the analysis of the network.
| |
| | |
| ==Degree of Anonymity==
| |
| The degree of anonymity takes into account the probability associated with each user, it begins by defining the [[entropy]] of the system (here is where the papers differ slightly but only with notation, we will use the notation from {{ref|TMA}}.): <br>
| |
| <math>H(X) := \sum_{i=0}^{N-1} \left[p_i \cdot \lg\left(\frac{1}{p_i}\right)\right]</math>,
| |
| where <math>H(X)</math> is the entropy of the network, <math>N</math> is the number of nodes in the network, and <math>p_i</math> is the probability associated with node <math>i</math>.
| |
| Now the maximal [[entropy]] of a network occurs when there is uniform probability associated with each node (<math>\frac{1}{N}</math>) and this yields <math>H_M := H(X) \gets \lg(N)</math>.
| |
| The degree of anonymity (now the papers differ slightly in the definition here, {{ref|TMA}} defines a bounded degree where it is compared to <math>H_M</math> and {{ref|TIT}} gives an unbounded definition—using the entropy directly, we will consider only the bounded case here) is defined as <br>
| |
| <math>d := 1 - \frac{H_M - H(X)}{H_M} = \frac{H(X)}{H_M}</math>.
| |
| Using this anonymity systems can be compared and evaluated using a quantitatively analysis.
| |
| | |
| ===Definition of Attacker===
| |
| These papers also served to give concise definitions of an attacker:
| |
| ; Internal/External : an '''internal''' attacker controls nodes in the network, whereas an '''external''' can only compromise communication channels between nodes.
| |
| ; Passive/Active : an '''active''' attacker can add, remove, and modify any messages, whereas a '''passive''' attacker can only listen to the messages.
| |
| ; Local/Global : a '''local''' attacker has access to only part of the network, whereas a '''global''' can access the entire network.
| |
| | |
| ==Example <math>d</math>==
| |
| In the papers there are a number of example calculations of <math>d</math>, we will walk through some of them here.
| |
| | |
| ===Crowds===
| |
| In [[Crowds]] there is a global probability of forwarding (<math>p_f</math>), which is the probability a node will forward the message internally instead of routing it to the final destination. Let there be <math>C</math> corrupt nodes and <math>N</math> total nodes. In [[Crowds]] the attacker is internal, passive, and local. Trivially <math>H_M \gets \lg (N - C)</math>, and overall the entropy is <math>H(x) \gets \frac{N - p_f \cdot (N - C - 1) }{N} \cdot \lg\left[\frac{N}{N - p_f \cdot (N - C - 1)}\right] + p_f \cdot \frac{N - C - 1}{N} \cdot \lg\left[N/p_f\right]</math>, <math>d</math> is this value divided by <math>H_M</math>{{ref|TMA}}.
| |
| | |
| ===Onion routing===
| |
| In [[onion routing]] let's assume the attacker can exclude a subset of the nodes from the network, then the entropy would easily be <math>H(X) \gets \lg(S)</math>, where <math>S</math> is the size of the subset of non-excluded nodes. Under an attack model where a node can both globally listen to message passing and is a node on the path this ''decreases'' to <math>H(X) \gets \lg(L)</math>, where <math>L</math> is the length of the onion route (this could be larger or smaller than <math>S</math>), as there is no attempt in onion routing to remove the correlation between the incoming and outgoing messages.
| |
| | |
| ===Applications of this metric===
| |
| In 2004, Diaz, [[Len Sassaman|Sassaman]], and DeWitte presented an analysis{{ref|CBTPMD}} of two anonymous [[remailers]] using the Serjantov and Danezis metric, showing one of them to provide zero anonymity under certain realistic conditions.
| |
| | |
| ==See also==
| |
| * [[Onion routing]]
| |
| * [[Tor (anonymity network)]]
| |
| * [[Entropy]]
| |
| * [[Crowds]]
| |
| | |
| ==References==
| |
| # {{note|TMA}} See [http://www.freehaven.net/anonbib/cache/Diaz02.ps.gz Towards Measuring Anonymity] {{cite journal |
| |
| title = Towards measuring anonymity |
| |
| author = Claudia Diaz and Stefaan Seys and Joris Claessens and Bart Preneel |
| |
| journal = Proceedings of Privacy Enhancing Technologies Workshop (PET 2002) |date=April 2002 |
| |
| editor = Roger Dingledine and Paul Syverson |
| |
| publisher = Springer-Verlag, LNCS 2482 |
| |
| url = http://www.esat.kuleuven.ac.be/~cdiaz/papers/tmAnon.ps.gz |
| |
| volume= |
| |
| issue= |
| |
| pages= |
| |
| accessdate = 2005-11-10 |
| |
| format = – <sup>[http://scholar.google.co.uk/scholar?hl=en&lr=&q=intitle%3ATowards+measuring+anonymity&as_publication=Proceedings+of+Privacy+Enhancing+Technologies+Workshop+%28PET+2002%29&as_ylo=2002&as_yhi=2002&btnG=Search Scholar search]</sup>
| |
| }} {{dead link|date=June 2008}}
| |
| # {{note|TIT}} See [http://www.cl.cam.ac.uk/~aas23/papers_aas/set.ps Towards an Information Theoretic Metric for Anonymity] {{cite journal |
| |
| title=Towards an Information Theoretic Metric for Anonymity |
| |
| author=Andrei Serjantov and George Danezis |
| |
| journal=Proceedings of Privacy Enhancing Technologies Workshop (PET 2002)|date=April 2002 |
| |
| editor = Roger Dingledine and Paul Syverson |
| |
| publisher = Springer-Verlag, LNCS 2482 |
| |
| url = http://www.cl.cam.ac.uk/~aas23/papers_aas/set.ps |
| |
| volume= |
| |
| issue= |
| |
| pages= |
| |
| accessdate = 2005-11-10
| |
| | archiveurl = http://web.archive.org/web/20040719123728/http://www.cl.cam.ac.uk/~aas23/papers_aas/set.ps| archivedate = July 19, 2004}}
| |
| # {{note|CBTPMD}} See [http://www.cosic.esat.kuleuven.be/publications/article-98.pdf Comparison Between Two Practical Mix Designs] {{cite journal |
| |
| title=Comparison Between Two Practical Mix Designs |
| |
| author=Clauda Diaz and Len Sassaman and Evelyn Dewitte |
| |
| journal=Proceedings of European Symposium on Research in Computer Security (ESORICS 2004)|date=September 2004 |
| |
| editor = Dieter Gollmann |
| |
| publisher = Springer-Verlag, LNCS 3193| url=http://www.cosic.esat.kuleuven.be/publications/article-98.pdf |
| |
| volume= |
| |
| issue= |
| |
| pages= |
| |
| accessdate = 2008-06-06
| |
| }}
| |
| | |
| [[Category:Anonymity networks]]
| |
| [[Category:Computer network analysis]]
| |
| [[Category:Cryptographic software]]
| |
| [[Category:Internet privacy]]
| |
| [[Category:Routing software]]
| |
The writer is recognized by the name of Figures Lint. My family life in Minnesota and my family enjoys it. He used to be unemployed but now he is a meter reader. He is really fond of performing ceramics but he is having difficulties to find time for it.
Here is my web blog over the counter std test