Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology
Authors: Andreas Pfitzmann and Marit Hansen
Presented by: Murtuza Jadliwala
Goals of this work
• Unambiguously define the important terminology used in the privacy literature:
  • Anonymity
  • Unlinkability
  • Undetectability
  • Unobservability
  • Pseudonymity
• Other goals:
  • Give a rationale for their definitions (why are they defined the way they are?)
  • The relationships between these terms
  • The main mechanisms to provide these properties
CS 898AB - Privacy Terminology
Setting – Where does this Terminology Apply?
(figure: Universe / Outsiders / System / Insiders)
Adversary? Attacker? Bad Guys?
• Interested in "Items of Interest (IOIs)" in the system:
  • What communication is happening (passive)
  • Who is sending, who is receiving… (passive)
  • Manipulating the communications (active)
• All definitions are based on the "perspective" of the attacker
  • The perspective defines the set of all possible observations
  • The attacker may also have limited computational capabilities
  • Both of the above define the information available to the attacker
Attacker Scope: Insider
(figure: Universe / System)
Attacker Scope: Outsider
(figure: Universe / System)
Implicit Assumptions
• The adversary never has access to message content to get information about senders/receivers
  • Why is this a reasonable assumption?
• It is unreasonable to assume that an adversary "forgets" any information
  • Information once known cannot be assumed to be suddenly lost!
  • If anything, knowledge only increases!
1. Anonymity
• Anonymity: A subject is not identifiable within a set of subjects, the anonymity set
• Anonymity set: The set of similar subjects, or of subjects with similar attributes, for example:
  • The set of senders
  • The set of receivers
• A sender can be anonymous only within an anonymity set of senders!
• Anonymity of a set of subjects within a (potentially larger) anonymity set means that all these individual subjects are not identifiable within this anonymity set
1. Anonymity
• Anonymity: A subject is not identifiable within a set of subjects, the anonymity set
• What is the problem with this definition?
  • The attacker's perspective or knowledge is not considered at all!
• Anonymity of a subject from an attacker's perspective means that the attacker cannot "sufficiently" identify the subject within a set of subjects, the anonymity set
  • "Sufficiently" here needs to be quantified!
  • Individual anonymity, group anonymity
• Note: The anonymity set cannot increase w.r.t. a particular IOI
  • Why?
  • Remember: We cannot assume that the attacker forgets something he already knows!
1. Anonymity - Properties
• Quantification of anonymity
  • Is a detailed description of the system needed?
  • May not always be possible
• Robustness of anonymity
  • How stable the quantification is under changes, e.g., a change in adversary strength
• Quality of anonymity = Quantification + Robustness
1. Anonymity - Properties
• An anonymity delta (regarding a subject's anonymity) from an attacker's perspective specifies the difference between the subject's anonymity taking into account the attacker's observations (i.e., the attacker's a-posteriori knowledge) and the subject's anonymity given the attacker's a-priori knowledge only
• If we can quantify anonymity in concrete situations, we can quantify the anonymity delta
• Note:
  • If the attacker has no a-priori knowledge about the particular subject, having no anonymity delta implies anonymity
  • If the attacker has a-priori knowledge covering all actions of the particular subject, having no anonymity delta does not imply any anonymity at all
2. Unlinkability
• Unlinkability: Unlinkability of two or more items of interest (IOIs, e.g., subjects, messages, actions) from an attacker's perspective means that within the system, the attacker cannot sufficiently distinguish whether these IOIs are related or not
• Can you define linkability?
• Linkability: Linkability of two or more items of interest (IOIs, e.g., subjects, messages, actions) from an attacker's perspective means that within the system, the attacker can sufficiently distinguish whether these IOIs are related or not
2. Unlinkability - Example
• Example: Two messages are unlinkable if the probability that they were sent by the same sender is sufficiently close to 1/5.
  • Size of the sender anonymity set = 5
2. Unlinkability change
• Unlinkability delta: An unlinkability delta of two or more items of interest (IOIs, e.g., subjects, messages, actions, ...) from an attacker's perspective specifies the difference between the unlinkability of these IOIs taking into account the attacker's observations and the unlinkability of these IOIs given the attacker's a-priori knowledge only.
• Perfect unlinkability delta: The unlinkability delta is zero
• Remember that the knowledge of the attacker never decreases (the attacker never forgets)! So unlinkability based on a-priori knowledge alone never increases
2. Anonymity in terms of Unlinkability
• Anonymity
  • A subject is not identifiable within a set of subjects, the anonymity set
  • A sender s sends a message m anonymously iff s is anonymous within the set of potential senders of m, the sender anonymity set of m.
  • A message m is sent anonymously iff m can have been sent by each potential sender, i.e., by any subject within the sender anonymity set of m.
• Anonymity in terms of unlinkability:
  • Sender anonymity of a subject means that to this potentially sending subject, each message is unlinkable.
  • Recipient anonymity of a subject means that to this potentially receiving subject, each message is unlinkable.
  • Relationship anonymity of a pair of subjects, the potentially sending subject and the potentially receiving subject, means that to this potentially communicating pair of subjects, each message is unlinkable
2. Anonymity in terms of Unlinkability
• Unlinkability is a sufficient condition for anonymity, but not a necessary one!
  • Failing unlinkability w.r.t. some attributes does not necessarily affect anonymity!
• Relationship anonymity is a weaker property than each of sender anonymity and recipient anonymity! Why?
  • Sender anonymity ⇒ Relationship anonymity; Recipient anonymity ⇒ Relationship anonymity
  • Relationship anonymity ⇏ Sender anonymity, Recipient anonymity
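The anonymity delta, the "sufficiently close to 1/5" unlinkability example and the unlinkability delta of the preceding slides, worked through as an added example (not code from the slides or the paper). The attacker's knowledge is modelled as a probability distribution over a constructed sender anonymity set of size 5; using Shannon entropy as the anonymity measure and a tolerance epsilon for "sufficiently" are this example's assumptions, not the paper's definitions.

```python
import math

# Constructed example: five potential senders form the sender anonymity set of messages m1
# and m2. The attacker's knowledge is modelled as a probability distribution over that set.
SENDERS = ("s1", "s2", "s3", "s4", "s5")
UNIFORM = {s: 1 / len(SENDERS) for s in SENDERS}   # attacker holds no a-priori knowledge

def anonymity_bits(belief):
    """Anonymity of a message's sender, measured as the Shannon entropy (bits) of the
    attacker's belief about who sent it. Entropy is one common quantification; the paper
    leaves the quantification open, so using it as the measure is this example's assumption."""
    return -sum(p * math.log2(p) for p in belief.values() if p > 0)

def anonymity_delta(a_priori, a_posteriori):
    """A-priori anonymity minus a-posteriori anonymity. 0 means the observations taught the
    attacker nothing; that implies anonymity only if the a-priori anonymity was high."""
    return anonymity_bits(a_priori) - anonymity_bits(a_posteriori)

def same_sender_probability(belief_m1, belief_m2):
    """Probability, under the attacker's (assumed independent) beliefs about who sent m1 and
    m2, that both stem from one subject: 1/n with no a-priori knowledge, the slide's 1/5."""
    return sum(belief_m1[s] * belief_m2[s] for s in SENDERS)

def unlinkability_delta(prior_m1, prior_m2, post_m1, post_m2):
    """How far P(same sender) moved from its a-priori value; 0 is the perfect delta."""
    return abs(same_sender_probability(post_m1, post_m2)
               - same_sender_probability(prior_m1, prior_m2))

def sufficiently_unlinkable(belief_m1, belief_m2, epsilon=0.05):
    """'Sufficiently' made concrete as a tolerance (this example's choice): the pair stays
    unlinkable if P(same sender) is within epsilon of 1/|anonymity set|."""
    return abs(same_sender_probability(belief_m1, belief_m2) - 1 / len(SENDERS)) <= epsilon

def narrowed(candidates):
    """Attacker belief after an observation ruling out every subject outside `candidates`.
    The anonymity set only ever shrinks: a subject once ruled out stays ruled out."""
    return {s: (1 / len(candidates) if s in candidates else 0.0) for s in SENDERS}

if __name__ == "__main__":
    both = narrowed({"s1", "s2"})       # timing ties both m1 and m2 to {s1, s2}
    # anonymity drops from log2(5) to 1 bit and P(same sender) from 1/5 to 1/2: linkable
    print(anonymity_delta(UNIFORM, both), same_sender_probability(both, both))
    m1 = narrowed({"s1", "s2", "s3"})  # only m1 is narrowed; m2 is still unknown
    # m1's sender lost anonymity, yet P(same sender) stays 1/5: pair unlinkability preserved
    print(anonymity_delta(UNIFORM, m1), unlinkability_delta(UNIFORM, UNIFORM, m1, UNIFORM))
    known = narrowed({"s1"})            # a-priori knowledge already covers s1's actions
    print(anonymity_delta(known, known), anonymity_bits(known))  # delta 0, yet no anonymity
```

The second scenario is the slide's point that anonymity and unlinkability can fail independently: the sender of m1 loses anonymity while the pair (m1, m2) keeps a zero unlinkability delta.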
3. Undetectability
• Undetectability: Undetectability of an IOI from an attacker's perspective means that the attacker cannot sufficiently distinguish whether it exists or not
  • For example, if the IOI under consideration is a message, then it means that the message is not sufficiently distinguishable from random noise
• Perfect or maximal undetectability: The attacker can never distinguish (or distinguishes with zero probability) whether an IOI exists or not.
• In some applications (e.g., steganography), it might be useful to quantify undetectability to have some measure of how much uncertainty about an IOI remains after the attacker's observations.
3. Undetectability change
• Undetectability delta: An undetectability delta of an IOI from an attacker's perspective specifies the difference between the undetectability of the IOI taking into account the attacker's observations and the undetectability of the IOI given the attacker's a-priori knowledge only.
• Perfect preservation of undetectability: The undetectability delta is zero
• Important! Undetectability of an IOI is clearly only possible w.r.t. subjects not involved in the IOI
  • For the sender of a message, the sent message is always detectable!
• Question: Is undetectability related to anonymity?
  • With the above definition, no!
  • But it can be combined with anonymity to define a new property.
4. Unobservability
• Unobservability of an IOI means
  • undetectability of the IOI against all subjects uninvolved in it, and
  • anonymity of the subject(s) involved in the IOI
• Sender unobservability means that it is sufficiently undetectable whether any sender within the unobservability set sends
• Sender unobservability is perfect iff it is completely undetectable whether any sender within the unobservability set sends
• Similarly, recipient unobservability and relationship unobservability are defined!
4. Unobservability change
• Unobservability delta of an IOI means
  • undetectability delta of the IOI against all subjects uninvolved in it, and
  • anonymity delta of the subject(s) involved in the IOI even against the other subject(s) involved in that IOI
• Perfect preservation of unobservability: The unobservability delta is zero, i.e.
  • the undetectability delta is zero, and
  • the anonymity delta is zero
Relationships
• Unobservability ⇒ Anonymity
  • Sender unobservability ⇒ Sender anonymity
  • Recipient unobservability ⇒ Recipient anonymity
  • Relationship unobservability ⇒ Relationship anonymity
• Sender anonymity ⇒ Relationship anonymity
• Recipient anonymity ⇒ Relationship anonymity
• Sender unobservability ⇒ Relationship unobservability
• Recipient unobservability ⇒ Relationship unobservability
• Unobservability ⇒ Undetectability
Mechanisms
• Sender anonymity and relationship anonymity can be achieved by a MIX-net [Chau81]*
• How to provide unobservability in addition to anonymity?
  • Add dummy traffic
  • A mechanism that achieves some kind of anonymity, appropriately combined with dummy traffic, yields the corresponding kind of unobservability!
• Undetectability can be achieved using steganography or spread spectrum!
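An added example, not code from the slides or from [Chau81]: a toy outsider's view of a threshold MIX, with and without dummy traffic, showing why the MIX alone yields sender anonymity while dummy traffic adds the undetectability needed for sender unobservability. The four subjects, the one-batch-per-round model and the random tokens standing in for fixed-size ciphertexts are constructed assumptions of this example.

```python
import random

# Constructed example: four subjects and an outsider who watches the links into and out of
# a threshold MIX that collects one batch of fixed-size messages per round and forwards it
# re-encrypted and shuffled. Random 128-bit tokens stand in for the ciphertexts.
SUBJECTS = ("alice", "bob", "carol", "dave")

def mix_round(real_senders, dummy_traffic, seed=0):
    """One round. Without dummy traffic only real senders emit a message; with dummy traffic
    every subject emits exactly one message per round, a dummy if it has nothing to say.
    Returns (inputs, outputs) as the outsider sees them: inputs as (subject, token) pairs in
    arrival order, outputs as the batch of fresh tokens in the mix's shuffled order."""
    rng = random.Random(seed)
    senders = list(SUBJECTS) if dummy_traffic else sorted(real_senders)
    inputs = [(s, rng.getrandbits(128)) for s in senders]   # dummies look like real ones
    outputs = [rng.getrandbits(128) for _ in inputs]         # re-encryption: no token reused
    rng.shuffle(outputs)
    return inputs, outputs

def outsider_view(inputs, outputs):
    """Everything the outsider can use: which subjects fed the batch and how many messages
    left it. The tokens carry no information, so they are not part of the view."""
    return tuple(s for s, _ in inputs), len(outputs)

def sender_anonymity_set(view):
    """Any output of the batch may stem from any subject that fed the batch, so that set is
    the sender anonymity set of every message in the round (the MIX-net's anonymity)."""
    return frozenset(view[0])

def sending_detectable(subject, dummy_traffic):
    """Undetectability check for one subject: compare the outsider's view of a round in which
    `subject` sends with one in which it stays silent (all other subjects send in both).
    If the views differ, the outsider can tell whether `subject` sent."""
    others = [s for s in SUBJECTS if s != subject]
    view_sent = outsider_view(*mix_round(others + [subject], dummy_traffic, seed=1))
    view_silent = outsider_view(*mix_round(others, dummy_traffic, seed=2))
    return view_sent != view_silent

def sender_unobservable(subject, dummy_traffic):
    """Sender unobservability: it is undetectable whether `subject` sends, and even when it
    sends alone it stays anonymous within the whole unobservability set."""
    view = outsider_view(*mix_round([subject], dummy_traffic))
    return (sender_anonymity_set(view) == frozenset(SUBJECTS)
            and not sending_detectable(subject, dummy_traffic))

if __name__ == "__main__":
    for dummies in (False, True):
        print(dummies, sending_detectable("bob", dummies), sender_unobservable("bob", dummies))
```

Without dummy traffic the batch still hides which output belongs to which input (anonymity within the batch), but the outsider sees exactly who fed the batch; with dummy traffic every round looks the same regardless of who really sent.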
5. Pseudonymity
• Any two-way communication still requires appropriate identifiers!
• Pseudonym: An identifier of a subject other than one of the subject's real name(s)
• Holder: The subject to which the pseudonym belongs
• The subject is pseudonymous if a pseudonym is used instead of the real name(s)
• Pseudonymity: The use of pseudonyms as identifiers in communications
5. Pseudonymity – Relationship with Anonymity
• Group pseudonym: A group pseudonym refers to a set of holders, i.e., it may refer to multiple holders
• Transferable pseudonym: A transferable pseudonym can be transferred from one holder to another subject, which then becomes its holder
• Group pseudonyms and transferable pseudonyms induce anonymity!
• Digital pseudonym: A bit string which is
  • unique as an identifier (at least with very high probability) and
  • suitable to be used to authenticate the holder's messages (IOIs) sent
  • E.g., IP addresses, usernames, etc.
5. Can Holders of Digital Pseudonyms be held Accountable?
• Authenticating IOIs (or messages) relative to pseudonyms is usually not enough for accountability! Why?
  • Digital pseudonyms (at least with the current definition) are not tied to the civil identities of the holders (people, computers, etc.)
• How to overcome this problem?
  • Attach funds to digital pseudonyms to cover claims
  • Let identity brokers authenticate digital pseudonyms (i.e., check the civil identity of the holder and then issue a digitally signed statement that this particular identity broker has proof of the identity of the holder of this digital pseudonym and is willing to divulge that proof under well-defined circumstances)
  • Both of the above
5. Relationship between Pseudonymity and Linkability
• Linkability: Linking a message (from its pseudonym) to the subject or holder that sent it
(figure: Accountability / Anonymity / Pseudonymity)
5. Relationship between Pseudonymity and Linkability
• Based on the knowledge of the linking, there are three kinds of pseudonyms:
  • Public pseudonym: The linking between a public pseudonym and its holder may be publicly known even from the very beginning (e.g., telephone numbers)
  • Initially non-public pseudonym: The linking between an initially non-public pseudonym and its holder may be known by certain parties, but is not public, at least initially (e.g., bank account numbers)
  • Initially unlinked pseudonym: The linking between an initially unlinked pseudonym and its holder is – at least initially – not known to anybody, with the possible exception of the holder himself/herself (e.g., biometrics like DNA, fingerprints)
• Knowledge of the linking cannot decrease!
Overview
(figure)