Protocols for Anonymity and Traceability Tradeoffs

a PROJECT AT CERT INSTITUTE FOR "Protocols for Anonymity and Traceability Tradeoffs"





Problem Addressed
Existing Internet protocols were never engineered for today’s Internet, where the trustworthiness of users cannot be assumed and where high-stakes, mission-critical applications increasingly reside. Malicious users exploit the severe weakness in existing Internet protocols to achieve anonymity and use that anonymity as a safe haven from which to launch repeated attacks on their victims. Hence, service providers and other victims of cyber attack want and need traceability for accountability, redress, and deterrence. Unfortunately, our current track-and-trace capability is extremely limited by the existing protocol and infrastructure design and requires a major re-engineering effort from both technical and policy perspectives. This is discussed in an SEI special report sponsored by the U.S. State Department [1]. On the other hand, Internet users, both individuals and organizations, often want or need anonymity for a variety of legitimate reasons. The engineering challenge is to balance the apparently conflicting needs of privacy and security.
Research Approach
Traceability and anonymity are attributes that are central to the security and survivability of mission-critical systems. We believe that principled, fine-grained tradeoffs between traceability and anonymity are pivotal to the future viability of the Internet. However, such tradeoffs are rarely explicitly made, the current capability to make such tradeoffs is extremely limited, and the tradeoffs between these attributes have occurred on an ad hoc basis at best. The LEVANT (Levels of Anonymity and Traceability) project is developing the foundations for a disciplined engineering design of Internet protocols in the context of key policy issues. This will allow dynamic, fine-grained tradeoffs between traceability and anonymity to be made on the basis of specific mission requirements. We see this project as a first step toward the development of a discipline of Internet engineering, which would translate traditional design and engineering processes, such as thorough requirements gathering and attribute tradeoff analyses, into the unique context of the Internet environment and its associated security and survivability risks [2].

In any Internet transaction, trust ultimately depends not on IP addresses but on particular relationships among individuals and their roles within organizations and groups (which may be economic, political, educational, or social). Trust cannot be established while maintaining total anonymity of the actors involved. It goes without saying that there is a great need for privacy on the Internet, and it must be carefully guarded. However, trust and privacy tradeoffs are a normal part of human social, political, and economic interactions, and such tradeoffs are routinely resolved in a number of venues, for example in the marketplace. Consider the telephone system, in particular the caller identification (caller ID) feature, which displays the phone number, and often the name, associated with incoming calls. Caller ID is a feature for which many customers are willing to pay extra in return for the privacy benefits associated with having some idea of who’s calling before answering a call. However, callers are sometimes given the option of being anonymous (i.e., not identifiable by the caller ID feature) by default or on a call-by-call basis. To more fully protect their privacy, caller ID customers can choose to block all incoming calls from anonymous callers. The anonymous caller is notified of this fact by an automated message. For callers who pre-arrange with their phone companies to be anonymous by default, the only way to complete a call is to enter a key sequence to remove the anonymity for that particular call and to redial. Customers who achieve anonymity on a call-by-call basis (by entering a specific key sequence) can choose to redial without entering the key sequence that denotes anonymity. This choice is a form of negotiation between the caller and the intended recipient of the call, and it is a tradeoff between anonymity and trust that is supported by the technology of caller ID and the marketplace. There is no government mandate that all calls must be anonymous or that no calls may be anonymous. The individual caller chooses whether or not to relinquish anonymity (or some degree of privacy) in exchange for the perceived value of completing the call by increasing the degree of trust as perceived by the recipient.

One can envision next-generation Internet protocols supporting this kind of marketplace negotiation of trust versus privacy tradeoffs. For example, we are exploring the possibility of third-party certifying authorities that would serve as brokers of trust. These certifying authorities would provide mechanisms whereby packets would be cryptographically signed with very fine-grained authentication credentials of the sender. This is not the same as having an individual digitally sign a message, as a digitally signed message may be too coarse grained for a particular scenario and may reveal too much. Another capability might be the escrowing, by these certifying authorities, of complete identifying information for a specified period of time, to be revealed in the event that one or more of a user’s packets have been identified as participating in a confirmed attack.

We are investigating the fundamental concepts necessary to inform the design of Internet protocols that support dynamic, fine-grained tradeoffs between traceability and anonymity in a manner that satisfies the security, survivability, and anonymity (or privacy) requirements of the protocols’ users. Our goal is to provide an exemplar for the application of principled software and systems engineering practices in the unique context of the Internet. A key part of this process is our exploration of alternative designs for new Internet protocols that allow the originator and the recipient of an Internet transaction or service to negotiate what levels of traceability and anonymity to accept. In order to design and evaluate Internet protocols that support negotiated tradeoffs between anonymity and traceability, we need some way to quantify and measure levels of anonymity and traceability. The concept of k-anonymity provides some useful theoretical underpinnings.
Meaning of k-anonymity
We say that a user is k-anonymous in a network context if the user is only traceable to a set of measure k, where this could mean either a set of size k or a set of radius k in the topological sense of the network (as shown in Figure 1). Our goal is to explore the design of Internet protocols that assure traceability, but only to a group of k actors. The concept of k-anonymity was first defined by Pierangela Samarati [3]. Samarati showed how generalization and suppression of data can be used to enforce k-anonymity in private databases (such as those containing medical and driver’s license data) thereby reducing privacy loss. This concept was later reiterated by Latanya Sweeney in the context of medical databases [4].

Figure 1: Examples of k-anonymity

User and Service Provider Goals
Effective anonymity and traceability tradeoffs require an in-depth understanding of the specific goals of users and service providers. User goals may differ on a case-by-case basis. Below are some examples:

* User may want to hide its location and identity entirely (large k).
* User may want to hide its location somewhat (e.g., reveal the city, but not street address).
* User may want to hide its location but not its identity.

Similarly, service providers may have different goals and/or requirements. Below are some examples:

* Provider may want to know both user’s location and identity.
* Provider may want to know user’s location somewhat.
* Provider may want to know user’s identity but does not care about user’s location.

It is important to note that the value of anonymity and traceability tradeoffs extends well beyond the relationships among individual users and service providers. The ability to explicitly make such tradeoffs can provide essential support for organizations engaged in a complex mix of collaborative and competitive (adversarial) relationships. Consider the scenario below.
LEVANT Scenario
Assume that a number of organizations collaborate to build a shared (highly distributed) knowledge base that is more comprehensive and of higher quality than each could build on its own. This knowledge base provides a significant competitive advantage for the collaborators over other organizations that are not participating in this effort.

Although the participating organizations collaborate on some projects, they are competitors in other areas. Each may use the knowledge base to further its own strategies, tactical decisions, and so forth. Hence, each participating organization wants traceability in the event that the availability, integrity, or confidentially of the knowledge base is compromised or threatened, and to ensure that no external organizations get access to the data. Yet, each organization wants its own members to be able to query the knowledge base without revealing to the other collaborators (or, of course, to any outsider) the source of any query being made by that organization. LEVANT technology would provide network-level protocol support for the traceability and anonymity tradeoffs that the collaborating organizations agree upon, helping ensure the success of their cooperative and individual missions.

Some additional information on the LEVANT project is available in a summary report on SEI independent research and development projects [5].
Benefits
In this era of open, highly distributed, complex systems, vulnerabilities abound and adequate security, using defensive measures alone, can never be guaranteed. As with all other aspects of crime and conflict, deterrence plays an essential role in protecting society. Hence, the ability to track and trace attackers is crucial, because in an environment of total anonymity, deterrence is impossible, and an attacker can endlessly experiment with countless attack strategies and techniques until success is achieved. The ability to accurately and precisely assign responsibility for cyber attacks to entities or individuals (or to interrupt attacks in progress) would be of critical value. It would allow society’s legal, political, and economic mechanisms to work both domestically and internationally to deter future attacks and motivate evolutionary improvements in relevant laws, treaties, policies, and engineering technology. On the other hand, there are many legal, political, economic, and social contexts in which some protection of anonymity or privacy is essential. Without some degree of anonymity or privacy, individuals or entities whose cooperation is vitally needed may not fully participate (or participate at all) in the use or operation of systems that support the critical functions of the global information society.

Hence, traceability and anonymity are attributes that are central to the security and survivability of mission-critical systems. The LEVANT project is exploring the essential engineering and policy issues associated with traceability and anonymity tradeoffs. A primary objective is to design Internet protocols that allow these tradeoffs to be dynamic, fine grained, and based on the specific mission needs of the protocols’ users. An ultimate benefit of these new Internet protocols will be dramatically improved security and traceability for mission-critical applications and infrastructures, along with strong privacy and anonymity protection for legitimate users who act either as individuals or within specific organizational roles.
2006 Accomplishments
In FY2006, we continued our work towards establishing a solid theoretical foundation on which to base principled engineering tradeoffs between traceability and anonymity. Our research has explored the range of engineering requirements for the design of Internet protocols that support traceability and anonymity attribute tradeoffs and the negotiations that are needed to set the desired level of each attribute. We’ve generated and analyzed several LEVANT protocol scenarios of use that include specific user requirements for anonymity and traceability that must be satisfied for particular applications, systems, and missions. We’ve also investigated the underlying security and survivability themes in this research, in particular with respect to the engineering tradeoffs being explored for protocol design. Our research has also examined policy issues relating to the design and use of protocols that support negotiated levels of anonymity and traceability for individual actors and for organizations.
2007 Plans
In FY2007, we plan to complete an SEI technical report on our LEVANT project research. One or more papers derived from this technical report are also planned, along with the submission of funding proposals seeking long-term support for the LEVANT project.