Abstract
In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.
- BRIER, S. 1997. How to keep your privacy: Battle lines get clearer. New York Times (Jan. 13).Google Scholar
- CHAUM, D. 1981. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 2 (Feb.), 84-88. Google ScholarDigital Library
- CRISTIAN, F. 1991. Reaching agreement on processor group membership in synchronous distributed systems. Distrib. Comput. 4, 175-187.Google ScholarDigital Library
- DESWARTE, Y., BLAIN, L., AND FABRE, J. 1991. Intrusion tolerance in distributed computing systems. In Proceedings of the 1991 IEEE Symposium on Research on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 110-121.Google Scholar
- DIFFIE, W. AND HELLMAN, M. E. 1976. New directions in cryptography. IEEE Trans. Inf. Theor. 22, 6.Google ScholarDigital Library
- GABBER, E., GIBBONS, P., MATIAS, Y., AND MAYER, A. 1997. How to make personalized web browsing simple, secure, and anonymous. In Proceedings of the Conference on Financial Cryptography. Springer-Verlag, New York, NY. Google Scholar
- GARFINKEL, S. AND SPAFFORD, a. 1997. Web Security and Commerce. O'Reilly and Associates. Google Scholar
- GONG, L. 1993. Increasing availability and security of an authentication service. IEEE J. Sel. Areas Commun. 5, 11 (June), 657-662.Google Scholar
- GULCU, C. AND TSUDIK, a. 1996. Mixing e-mail with BABEL. In Proceedings of the Symposium on Network and Distributed System Security. 2-16. Google Scholar
- MILLER, L. 1997. No solitude in cyberspace. USA Today (June 9).Google Scholar
- MOSER, L. E., MELLIAR-SMITH, P. M., AND AGRAWALA, V. 1991. Membership algorithms for asynchronous distributed systems. In Proceedings of the 11th IEEE International Conference on Distributed Computing Systems (Arlington, TX, May). IEEE Computer Society Press, Los Alamitos, CA, 480-488.Google Scholar
- MOTWANI, R. AND RAGHAVAN, P. 1995. Randomized Algorithms. Cambridge University Press, New York, NY. Google Scholar
- PFITZMANN, A. AND PFITZMANN, B. 1989. How to break the direct RSA-implementation of mixes. In Proceedings of the Conference on Advances in Cryptology (EUROCRYPT '89). Google Scholar
- PFITZMANN, A., PFITZMANN, B., AND WAIDNER, M. 1991. ISDN-mixes: Untraceable communication with very small bandwidth overhead. In Proceedings of the GI/ITG Conference on Communication in Distributed Systems. 451-463. Google Scholar
- PFITZMANN, A. AND WAIDNER, M. 1987. Networks without user observability. Comput. Secur. 2, 6, 158-166. Google ScholarDigital Library
- REITER, M. K. 1996. Distributing trust with the Rampart toolkit. Commun. ACM 39, 4 (Apr.), 71-74. Google ScholarDigital Library
- REITER, M. K. 1996. A secure group membership protocol. IEEE Trans. Softw. Eng. 22 (Jan.), 31-42. Google ScholarDigital Library
- REITER, M. K., BIRMAN, K. P., AND VAN RENESSE, R. 1994. A security architecture for fault-tolerant systems. ACM Trans. Comput. Syst. 12, 4 (Nov.), 340-371. Google ScholarDigital Library
- RICCIARDI, A. M. AND BIRMAN, K. P. 1991. Using process groups to implement failure detection in asynchronous environments. In Proceedings of the lOth Annual ACM Symposium on Principles of Distributed Computing (PODC '91, Montreal, Que., Canada, Aug. 19-21, 1991). ACM Press, New York, NY, 341-353. Google ScholarDigital Library
- SCHLICHTING, R. D. AND SCHNEIDER, F. B. 1983. Fail stop processors: An approach to designing fault-tolerant computing systems. ACM Trans. Comput. Syst. 1,222-238. Google ScholarDigital Library
- SYVERSON, P. F., GOLDSCHLAG, D. M., AND REED, M. G. 1997. Anonymous connections and onion routing. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Press, Piscataway, NJ. Google Scholar
Index Terms
- Crowds: anonymity for Web transactions
Recommendations
CoverUp: Privacy Through "Forced" Participation in Anonymous Communication Networks
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications SecurityMany privacy-enhancing technologies, in particular anonymous communication networks (ACNs) as a key building block, suffer from a lack of a sufficient number of participants. Without high user participation, ACNs are vulnerable to traffic analysis ...
Refereed paper: A secure world-wide-web daemon
In this paper we begin by discussing some of the protection-related history of World-Wide-Web servers and clients, some of their betterknown vulnerabilities, and the need for a more secure server environment. We then discuss the protection goals we ...
Comments