Michael K. Reiter
Aviel D. Rubin
Abstract
In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.
- BRIER, S. 1997. How to keep your privacy: Battle lines get clearer. New York Times (Jan. 13).Google Scholar
- CHAUM, D. 1981. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 2 (Feb.), 84-88. Google ScholarDigital Library
- CRISTIAN, F. 1991. Reaching agreement on processor group membership in synchronous distributed systems. Distrib. Comput. 4, 175-187.Google ScholarDigital Library
- DESWARTE, Y., BLAIN, L., AND FABRE, J. 1991. Intrusion tolerance in distributed computing systems. In Proceedings of the 1991 IEEE Symposium on Research on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 110-121.Google Scholar
- DIFFIE, W. AND HELLMAN, M. E. 1976. New directions in cryptography. IEEE Trans. Inf. Theor. 22, 6.Google ScholarDigital Library
- GABBER, E., GIBBONS, P., MATIAS, Y., AND MAYER, A. 1997. How to make personalized web browsing simple, secure, and anonymous. In Proceedings of the Conference on Financial Cryptography. Springer-Verlag, New York, NY. Google Scholar
- GARFINKEL, S. AND SPAFFORD, a. 1997. Web Security and Commerce. O'Reilly and Associates. Google Scholar
- GONG, L. 1993. Increasing availability and security of an authentication service. IEEE J. Sel. Areas Commun. 5, 11 (June), 657-662.Google Scholar
- GULCU, C. AND TSUDIK, a. 1996. Mixing e-mail with BABEL. In Proceedings of the Symposium on Network and Distributed System Security. 2-16. Google Scholar
- MILLER, L. 1997. No solitude in cyberspace. USA Today (June 9).Google Scholar
- MOSER, L. E., MELLIAR-SMITH, P. M., AND AGRAWALA, V. 1991. Membership algorithms for asynchronous distributed systems. In Proceedings of the 11th IEEE International Conference on Distributed Computing Systems (Arlington, TX, May). IEEE Computer Society Press, Los Alamitos, CA, 480-488.Google Scholar
- MOTWANI, R. AND RAGHAVAN, P. 1995. Randomized Algorithms. Cambridge University Press, New York, NY. Google Scholar
- PFITZMANN, A. AND PFITZMANN, B. 1989. How to break the direct RSA-implementation of mixes. In Proceedings of the Conference on Advances in Cryptology (EUROCRYPT '89). Google Scholar
- PFITZMANN, A., PFITZMANN, B., AND WAIDNER, M. 1991. ISDN-mixes: Untraceable communication with very small bandwidth overhead. In Proceedings of the GI/ITG Conference on Communication in Distributed Systems. 451-463. Google Scholar
- PFITZMANN, A. AND WAIDNER, M. 1987. Networks without user observability. Comput. Secur. 2, 6, 158-166. Google ScholarDigital Library
- REITER, M. K. 1996. Distributing trust with the Rampart toolkit. Commun. ACM 39, 4 (Apr.), 71-74. Google ScholarDigital Library
- REITER, M. K. 1996. A secure group membership protocol. IEEE Trans. Softw. Eng. 22 (Jan.), 31-42. Google ScholarDigital Library
- REITER, M. K., BIRMAN, K. P., AND VAN RENESSE, R. 1994. A security architecture for fault-tolerant systems. ACM Trans. Comput. Syst. 12, 4 (Nov.), 340-371. Google ScholarDigital Library
- RICCIARDI, A. M. AND BIRMAN, K. P. 1991. Using process groups to implement failure detection in asynchronous environments. In Proceedings of the lOth Annual ACM Symposium on Principles of Distributed Computing (PODC '91, Montreal, Que., Canada, Aug. 19-21, 1991). ACM Press, New York, NY, 341-353. Google ScholarDigital Library
- SCHLICHTING, R. D. AND SCHNEIDER, F. B. 1983. Fail stop processors: An approach to designing fault-tolerant computing systems. ACM Trans. Comput. Syst. 1,222-238. Google ScholarDigital Library
- SYVERSON, P. F., GOLDSCHLAG, D. M., AND REED, M. G. 1997. Anonymous connections and onion routing. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Press, Piscataway, NJ. Google Scholar
Index Terms
- Crowds: anonymity for Web transactions
Recommendations
CoverUp: Privacy Through "Forced" Participation in Anonymous Communication Networks
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications SecurityMany privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis ...
Refereed paper: A secure world-wide-web daemon
In this paper we begin by discussing some of the protection-related history of World-Wide-Web servers and clients, some of their betterknown vulnerabilities, and the need for a more secure server environment. We then discuss the protection goals we ...
Reviews
Valentin Cristea
The Crowds system implements a new approach to protecting users' privacy when they retrieve information on the Web. The approach is based on the idea of grouping Web users into a geographically diverse collection, called a crowd, and hiding each user's actions among the actions of many other members of the group. To execute Web transactions, a user first joins a group of users. The user's request to a Web server is transmitted by way of a simple randomized routing protocol, to protect the user against attackers. Several degrees of anonymity are defined, ranging from no anonymity to complete anonymity, with several interesting intermediate degrees. The design of the Crowds system is described, with emphasis on the measures it takes to defend against various attacks that result from the way the Web works. The performance, scalability, and limitations of the system are also presented. After the introduction, section 2 presents the anonymity goals of the system and introduces the notion of degree of anonymity. Three intermediate points in the anonymity spectrum are defined: beyond suspicion, probable innocence, and possible innocence. What Crowds does and does not achieve in terms of these degrees of anonymity is discussed. Based on these definitions, in the following section the authors compare Crowds with other approaches to anonymity. The basic Crowds mechanisms are described in section 4 with the help of graphs and pseudocode. The security of Crowds is analyzed in section 5, based on probabilities. The performance and scalability of the system are presented in the next two sections. Response latency as a function of path length, page size, and number of embedded images is presented using diagrams and an analytic model. Section 8 is devoted to crowd membership, and section 9 describes the user interface. The obstacles that firewalls present to wide adoption of Crowds are briefly presented in s ection 10. Section 11 contains conclusions. The organization of the topics is good, and the level of detail is suitable. The reference list includes both recent works and important older papers. This work may be useful to many people interested in Internet security and especially in how to hide their identity from the servers they access.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments