
DISSERTATION

Karlstad University Studies

2007:48

Christer Andersson

Design and Evaluation of Anonymity Solutions for Mobile Networks


DISSERTATION

Karlstad University Studies 2007:48
ISSN 1403-8099

ISBN 978-91-7063-152-8

© The author

Distribution:

Faculty of Economic Sciences, Communication and IT
Computer Science

SE-651 88 Karlstad SWEDEN

+46 54-700 10 00

www.kau.se

Abstract

Internet and mobile communications have had a profound effect on today's society. New services are constantly being deployed, in which personal data are being processed in return for personally tailored services. While mobile networks lay the groundwork for new innovative services, at the same time they pose numerous privacy challenges. There is the risk that honest citizens participating in mobile communications will have their privacy invaded for "the greater good". We stress the importance of empowering individuals so that they can retain control over their personal spheres. The goal of this thesis is to design and evaluate anonymous overlay networks adapted for mobile networks that allow users to control which information leaves their personal spheres in a mobile communication.

By using a particular anonymity solution, an anonymous overlay network, users can communicate with their peers without disclosing their network identities. In this thesis, we propose three different anonymous overlay networks tailored for mobile networks. First, two approaches are proposed for anonymous browsing on the mobile Internet, namely mCrowds and a Tor-based approach. By applying theoretical analysis and/or practical experiments, we show that these approaches offer an appropriate tradeoff between the offered degree of anonymity and the performance loss. Second, an anonymous overlay network for use in mobile ad hoc networks – Chameleon – is suggested.

Besides the actual design of these anonymous overlay networks, this thesis provides novel contributions in other essential areas of privacy protection and anonymous communication. First, non-technical aspects of privacy protection are also thoroughly discussed, including legal, social, and user interface aspects. Second, we survey existing metrics for quantifying anonymity and also propose new ideas regarding anonymity metrics. Third, we review and classify existing mechanisms for anonymous communication in mobile ad hoc networks. Lastly, we also propose a cryptographic technique for building up the user base of an anonymous overlay network in a secure and privacy-friendly manner.

Keywords: privacy, anonymity, anonymous overlay networks, anonymity metrics, pseudonymity, identity management, mobile Internet, location based services, mobile ad hoc networks.

Acknowledgements

Also, thanks to my other co-authors, especially Reine Lundin and Leonardo Augusto Martucci, and to my secondary supervisors Dogan Kesdogan and Thijs J. Holleboom. Many thanks also go to my friends and (current or previous) office mates Leonardo "Augo" Martucci and Torbjörn Andersson: I have collaborated and discussed a lot with Leonardo A. Martucci, while Torbjörn Andersson deserves a big thank you for helping me set up the experiment for Paper III. Moreover, thanks to my other colleagues in the PRISEC research group, including friend and former colleague Albin Zuccato, for giving helpful advice and providing constructive criticism, as well as to my other colleagues at the Department of Computer Science for making it such a friendly and inspiring workplace. Also thanks to all the new friends I have met through the Swedish IT Security Network for PhD Students (SWITS), especially from the information security groups at Chalmers Tekniska Högskola and Blekinge Tekniska Högskola, and to the Security and Privacy Research Group at RWTH Aachen for being such good hosts during my stay in Aachen, Germany, in November 2006. As life is more than work, I also owe my hobbies – fishing and football – a big thank you. Last but not least, many thanks to my family, friends, and my beloved girlfriend Mari.

My research has been partly funded by the EU 6th Framework project PRIME (Privacy and Identity Management in Europe) and the FIDIS (Future of Identity in the Information Society) Network of Excellence.

Pluralities of thank you!

List of Appended Papers

This thesis is based on the following papers, which are referred to in the text using the Roman numerals associated with the papers, such as "Paper I".

I. Simone Fischer-Hübner and Christer Andersson. Privacy Risks and Challenges for the Mobile Internet. In Proceedings of the IEE Summit on Law and Computing, London, UK, 2 Nov 2004.

This paper presents some results that were also reported in:

• Simone Fischer-Hübner and Christer Andersson, editors. PRIME Public deliverable D14.0.a - Framework V0, 9 Jun 2004. For more information see https://www.prime-project.eu/prime products/reports/fmwk/.

• Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public deliverable D14.1.a - Framework V1, 13 Jun 2005. For more information see https://www.prime-project.eu/prime products/reports/fmwk/.

II. Christer Andersson and Reine Lundin. On the Fundamentals of Anonymity Metrics. In Proceedings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challenges of the Network Society, Karlstad, Sweden, 6–10 Aug 2007.

III. Christer Andersson, Reine Lundin, and Simone Fischer-Hübner. Privacy Enhanced WAP Browsing with mCrowds – Anonymity Properties and Performance Evaluation of the mCrowds System. In Hein Venter, Jan Eloff, Les Labuschagne, and Mariki Eloff, editors, Proceedings of the ISSA 2004 Enabling Tomorrow Conference, Gallagher Estate, Midrand, South Africa, 30 Jun – 2 Jul 2004.

IV. Christer Andersson and Andriy Panchenko. Practical Anonymous Communication on the Mobile Internet using Tor. In Proceedings of the 3rd International Workshop on the Value of Security through Collaboration (SECOVAL 2007), held in conjunction with the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), IEEE Xplore Digital Library, Nice, France, 17 Sep 2007.

V. Christer Andersson, Leonardo Martucci, and Simone Fischer-Hübner. Requirements for Privacy-Enhancements in Mobile Ad Hoc Networks. In Armin B. Cremers, Rainer Manthey, Peter Martini, and Volker Steinhage, editors, 3rd German Workshop on Ad Hoc Networks (WMAN 2005), Proceedings of INFORMATIK 2005 - Informatik LIVE! Band 2, Gesellschaft für Informatik (GI) Jahrestagung (2), volume 68 of LNI, pages 344–348, Bonn, Germany, 19–22 Sep 2005.

The paper extends results also reported in:

• Günter Müller and Sven Wohlgemuth, editors, FIDIS Deliverable 3.3: Study on

VI. Leonardo A. Martucci, Christer Andersson, Simone Fischer-Hübner. Towards Anonymity in Mobile Ad Hoc Networks: The Chameleon Protocol and its Anonymity Analysis. Karlstad University Studies 2006:35, Karlstad University, Sweden, Aug 2006.

The paper is an extended version of:

• Leonardo A. Martucci, Christer Andersson, Simone Fischer-Hübner. Chameleon and the Identity-Anonymity Paradox: Anonymity in Mobile Ad Hoc Networks. In Short-Paper Proceedings of the International Workshop on Security (IWSEC 2006), pages 123–134, Kyoto, Japan, 23–24 Oct 2006.

VII. Christer Andersson, Leonardo A. Martucci, and Simone Fischer-Hübner. Privacy & Anonymity in Mobile Ad Hoc Networks. Book chapter in Yan Zhang, Jun Zheng, Miao Mia, editors, Handbook of Research on Wireless Security, Information Science Reference, USA, to be published in Jan 2008.

VIII. Christer Andersson, Markulf Kohlweiss, Leonardo A. Martucci, Andriy Panchenko (alphabetic order). Self-certified Sybil-Free Pseudonyms: Introducing Privacy in Infrastructureless Wireless Networks. Submitted for publication.

IX. Christer Andersson, Jan Camenisch, Stephen Crane, Simone Fischer-Hübner, Ronald Leenes, Siani Pearson, John Sören Pettersson, Dieter Sommer (alphabetic order). Trust in PRIME. In Proceedings of the 5th IEEE Int. Symposium on Signal Processing and IT, Athens, Greece, 18–21 Dec 2005.


6.2. The scenarios in Section 2 are based on previous work by the authors and other contributors in the public PRIME deliverable Framework V0;

• Paper II: Most of the paper writing was done by me, although Reine Lundin contributed with ideas for most sections. In particular, the underlying ideas in Section 4 constitute a collaborative effort between Reine and myself;

• Paper III: I am responsible for most of the written material. The underlying ideas constitute a collective effort between myself and Reine Lundin. Section 3.2 is based on a previous analysis of the performance properties in Crowds/mCrowds by Reine Lundin. The implementation of the prototype was mainly done by myself, although Reine Lundin contributed with ideas. Simone Fischer-Hübner mainly served as a supervisor (by contributing to the ideas, approaches, and outline of the paper);

• Paper IV: The writing of the paper and the conducting of the experiments were mainly done by me, although Andriy Panchenko contributed with ideas regarding the paper content, the outline of the paper, and the experimental design;

• Paper V: I am responsible for most written material. The underlying ideas stem from a collective effort by myself and Leonardo A. Martucci, while Simone Fischer-Hübner mainly served as a supervisor (by discussing the project and paper with us). As input to the analysis, a previous analysis by Leonardo A. Martucci was used;

• Paper VI: Leonardo A. Martucci proposed the initial sketch for the protocol, which was later refined and described using state transition diagrams collectively by myself and Leonardo. Leonardo A. Martucci was mainly responsible for describing the protocol while Christer Andersson was mainly responsible for the theoretical analysis and anonymity evaluation. Simone Fischer-Hübner took part in the discussions regarding the protocol functionality and the theoretical analysis;

• Paper VII: Most material was written by me, except the section "On the Relation between Anonymity and Privacy", which was written by Simone Fischer-Hübner (who also contributed with ideas for the survey). Leonardo A. Martucci contributed with some text for the section "Introduction" and with ideas for the section "Future Trends";

• Paper VIII: The paper is a collaborative effort where I contributed significantly to all sections except the appendices. Leonardo A. Martucci formulated the initial research problem and Markulf Kohlweiss contributed most to the underlying cryptography;

• Paper IX: My primary contribution to this paper is being responsible for most text in Section 3, as well as co-editing the inputs from the other authors collectively with Simone Fischer-Hübner. The scenario in Section 3 is based on previous work by the authors and other contributors in the public PRIME Deliverable Framework V1.

Besides the appended papers, I have also authored or co-edited a number of additional publications.

• Christer Andersson, Simone Fischer-Hübner, Reine Lundin. mCrowds: Anonymity for the Mobile Internet. In John Sören Pettersson, editor, Book chapter in HumanIT 2003 - volymen, Karlstad University Studies 2003:26, Aug 2003.

• Christer Andersson, Simone Fischer-Hübner, and Reine Lundin. Enabling Anonymity in the Mobile Internet Using the mCrowds Approach. In Penny Duquenoy, Simone Fischer-Hübner, Jan Holvast, and Albin Zuccato, editors, Proceedings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challenges of the Network Society, pages 178–189. Karlstad University Studies 2004:35, 4–8 Aug 2003.

• Simone Fischer-Hübner and Christer Andersson, editors. PRIME Public deliverable D14.0.a - Framework V0, 9 Jun 2004. For more information see https://www.prime-project.eu/prime products/reports/fmwk/

• Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public deliverable D14.1.a - Framework V1, 13 Jun 2005. For more information see https://www.prime-project.eu/prime products/reports/fmwk/

• Ninni Danielsson, Christer Andersson. Introducing Users to Privacy and Identity Management in the Context of User Testing. In Anders G. Nilsson, Remigijus Gustas, Wita Wojtkowski, W. Gregory Wojtkowski, Stanislaw Wrycza, and Joze Zupancic, editors, Pre-Conference Proceedings of the Fourteenth International Conference on Information Systems Development (ISD 2005), Karlstad University Studies 2005:30, Karlstad, Sweden, pages 91–102, 15–17 Aug 2005.

• Leonardo A. Martucci, Christer Andersson, Wim Schreurs, and Simone Fischer-Hübner. Trusted Server Model for Privacy-Enhanced Location Based Services. In Viiveke Fåk, editor, Proceedings of the 11th Nordic Workshop on Secure IT-systems (NordSec 2006), Linköping, Sweden, 19–20 Oct 2006.

• Leonardo A. Martucci, Christer Andersson, Simone Fischer-Hübner. Chameleon and the Identity-Anonymity Paradox: Anonymity in Mobile Ad Hoc Networks. In Short-Paper Proceedings of the International Workshop on Security (IWSEC 2006), Kyoto, Japan, 23–24 Oct 2006.


Contents

Abstract i
Acknowledgements iii
List of Appended Papers v

Introductory Summary 1
1 Introduction 3
1.1 Scope . . . 4
1.2 Objective . . . 5
1.3 Structure . . . 5
2 Background 6
2.1 Definition of Anonymity & Related Terms . . . 6
2.2 Anonymous Overlay Networks . . . 7
2.3 Examples of Anonymous Overlay Networks . . . 10
2.4 Introduction to Anonymity Attacks . . . 14
2.5 On Measuring Anonymity . . . 15
3 Research Issues 16
3.1 Research Questions . . . 16
3.2 Research Method . . . 17
4 Related Work 19
4.1 Enabling Anonymity in Infrastructured Mobile Networks . . . 19
4.2 Enabling Anonymity in Infrastructureless (Ad Hoc) Networks . . . 21
5 Contributions 22
6 Summary of Papers 23
7 Conclusions 26

Paper I: Privacy Risks and Challenges for the Mobile Internet 35
1 Introduction 37
2 Location Based Services 38
2.1 Introduction to LBS Applications . . . 38

3 Privacy Threats 40
3.1 Exposed Personal Data . . . 40
3.2 Threats to Informational Privacy . . . 40
3.3 Threats to Spatial Privacy . . . 41
4 Legal Protection by the E-Communications Privacy Directive 2002/58/EC 42
4.1 Confidentiality of Communications . . . 42
4.2 Traffic and Location Data . . . 42
4.3 "Opt-in" for SPAM . . . 43
5 Controversies around the E-Communications Privacy Directive 2002/58/EC 43
5.1 Data Retention . . . 43
5.2 Sensitive Location Information in Traffic Data . . . 44
5.3 Need for Internationalisation . . . 44
6 Privacy Enhancing Technologies 44
6.1 PETs for Anonymising or Minimising Location Data . . . 45
6.2 PETs for User Control . . . 46
7 Conclusions 48

Paper II: On the Fundamentals of Anonymity Metrics 51
1 Introduction 53
2 Preliminaries 54
2.1 Introduction to Crowds . . . 54
2.2 A Model for Anonymity Attacks . . . 55
2.3 Anonymity Metrics . . . 56
2.4 Measuring the Uniformness of Probability Distributions . . . 57
3 Evaluation of Anonymity Metrics 58
3.1 Anonymity Evaluations . . . 58
3.2 Criteria for Anonymity Metrics . . . 60
3.3 Evaluation of Anonymity Metrics against Criteria . . . 61
4 The Scaled Anonymity Set Size Metric 62
4.1 Theoretical Background . . . 63
4.2 Numerical Examples . . . 66
4.3 Evaluation against Scenarios and Criteria . . . 68
4.4 Related Work on Quantifying Anonymity as A = 2^H(P) . . . 68

Paper III: Privacy-Enhanced WAP Browsing with mCrowds 73
1 Introduction 75
2 Related Work 77
2.1 Crowds . . . 77
2.2 mCrowds . . . 78
3 Theoretical Properties 79
3.1 Anonymity Properties in mCrowds . . . 80
3.2 Performance Properties in mCrowds . . . 82
4 Performance Evaluation 84
4.1 Variables . . . 85
4.2 Test Environment . . . 85
4.3 Experimental Design . . . 86
4.4 Test Results . . . 87
5 Conclusions and Outlook 88

Paper IV: Practical Anonymous Communication on the Mobile Internet using Tor 91
1 Introduction 93
2 Background 94
2.1 Anonymity . . . 94
2.2 Introduction to the Tor Network . . . 94
3 Proposed System Architecture 95
3.1 Mobile Device . . . 95
3.2 Tor Client . . . 96
3.3 The Wireless Domain . . . 96
3.4 Filtering Proxy . . . 97
3.5 The Wired Domain . . . 98
3.6 The Content Provider . . . 98
4 Evaluation Preliminaries 98
4.1 Notation . . . 98
4.2 Assumptions . . . 99
5 Anonymity Evaluation 99
5.1 Attacker Model . . . 100
5.2 The Crowds-Based Metric . . . 101

5.4 Anonymity Evaluation: Performance Settings . . . 105
5.5 Anonymity Evaluation: Proxy Settings . . . 105
5.6 Observations from Anonymity Evaluation . . . 106
6 Performance Evaluation 107
6.1 Experimental Design . . . 107
6.2 Variables . . . 108
6.3 Test Environment . . . 109
6.4 Experiment one: fetching a file from the content server . . . 109
6.5 Experiment two: application level throughput . . . 110
6.6 Observations from Performance Evaluation . . . 111
7 Evaluation of Other System Properties 113
7.1 Mobile Tor Client Design Option . . . 114
7.2 Tor Client on User's Computer Design Option . . . 114
7.3 Third Party Tor Client Design Option . . . 115
7.4 Discussion on Evaluation of Other System Properties . . . 115
8 Related Work 115
8.1 Anonymous Overlay Networks for Mobile Internet . . . 115
8.2 Approaches for Enhancing/Measuring the Performance of Tor . . . 116
9 Conclusion & Outlook 116

Paper V: Requirements for Privacy-Enhancements for Mobile Ad Hoc Networks 119
1 Introduction 121
2 A Possible Solution: Anonymous Overlay Networks 122
3 Requirements for Anonymous Overlay Networks 122
4 An Evaluation of State-of-the-Art Anonymous Overlay Networks 123
5 Conclusions & Outlook 125

Paper VI: Towards Anonymity in Mobile Ad Hoc Networks 127
1 Introduction 129
2 Definitions & Related Work 130
3 The Identity-Anonymity Paradox 132

4 Chameleon: an Anonymous Overlay Network 135
4.1 Protocol Basics and Assumptions . . . 135
4.2 Detailed Protocol Description . . . 136
5 Theoretical Analysis 142
5.1 Attacker Model of Chameleon . . . 143
5.2 Anonymity Analysis of Chameleon . . . 144
6 Conclusions 148

Paper VII: Privacy & Anonymity in Mobile Ad Hoc Networks 157
1 Introduction 159
2 Background 160
2.1 Definitions of Anonymity and Related Concepts . . . 160
2.2 On the Relation between Privacy & Anonymity . . . 162
2.3 On Measuring Anonymity . . . 163
3 Anonymous Communication in Mobile Ad Hoc Networks 164
3.1 Anonymous Routing Protocols . . . 165
3.2 Anonymous Overlay Networks . . . 165
3.3 Comparison between Anonymous Routing Protocols and Anonymous Overlay Networks . . . 166
4 Survey of Anonymous Communication Mechanisms 167
4.1 Evaluation Criteria . . . 167
4.2 Survey of Anonymous Routing Protocols . . . 168
4.3 Summary of Survey Results for Anonymous Routing Protocols . . . 174
4.4 Survey of Anonymous Overlay Networks . . . 175
4.5 Survey Results for Anonymous Overlay Networks . . . 176
4.6 Discussion . . . 177
5 Future Trends 178
5.1 The Sybil Attack in Mobile Ad Hoc Networks . . . 178
5.2 Mechanisms for Detecting the Sybil Attack in Ad Hoc Networks . . . 179
6 Conclusions 179

Paper VIII: Self-certified Sybil-Free Pseudonyms 185
1 Introduction 187

2 Related Work 189
2.1 The Sybil Attack . . . 189
2.2 Identifiers in Mobile Ad Hoc Networks . . . 190
2.3 Cryptographic Related Work . . . 191
3 Self-certified Sybil-Free Pseudonyms 191
3.1 E-Token Signatures . . . 191
3.2 Instantiation based on E-Token Signatures . . . 193
3.3 Efficiency . . . 195
4 Security Analysis 195
4.1 The Sybil-Proof & Unlinkability Properties . . . 195
4.2 Sharing/Theft of Membership Certificates . . . 196
4.3 Corrupt Domain Controllers and Partitioning Attacks . . . 197
5 Application Scenario: Mobile Ad Hoc Crowds 197
5.1 Scenario Walkthrough . . . 198
5.2 Security Properties of the Application Scenario . . . 200
6 Discussion 201
6.1 On the Assumption of the Initial Sybil-free Domain . . . 201
6.2 Other Sybil-Free Applications . . . 202
7 Summary & Outlook 203
A Appendix 207
A.1 Details on Cryptographic Construction . . . 207
A.2 Cryptographic Building Blocks . . . 208
A.3 Cryptographic Details . . . 209

Paper IX: Trust in PRIME 211
1 Introduction 213
2 PRIME Architecture 215
2.1 Components and Mechanisms . . . 216
2.2 Example Interaction . . . 219
3 Example Scenario: Privacy-Enhanced E-Shopping 220
3.1 Browsing . . . 220
3.2 Negotiation and Purchase . . . 221
3.3 Payment and Delivery . . . 222

5 HCI in PRIME and Trust 224
5.1 Usability Tests and Problems Encountered . . . 224
5.2 Possible HCI Solutions for Enhancing Trust . . . 225

1 Introduction

Internet and mobile communications have had a profound effect on society and the way we are living. Nowadays, at least in the developed nations, a majority of the population has access to the Internet either via desktop computers or powerful mobile devices. Additionally, novel kinds of services are currently being deployed, in which an increasing amount of personal data is being passed to service providers in return for value-added services. One example is Location Based Services (LBS), where data about users' locations are passed to service providers in return for services such as traffic navigation or friend finders. Another hot topic is the Ambient Intelligence (AMI) paradigm, in which applications are based on ubiquitous computing devices and sensors seamlessly gathering data about the surrounding environment and the people in the vicinity. If the more futuristic AMI scenarios materialize, the electronic surveillance society that George Orwell pictured in his novel "1984", written in 1948, might become a reality.

Moreover, the use of various means for electronic surveillance by law enforcement agencies is constantly increasing. For example, the recent EU Directive 2006/24/EC [1] states that service providers must retain traffic and location data for the purpose of investigation, detection, and prosecution of serious crime, where these data must be retained for not less than six months and not more than two years from the date of communication. Although increased data surveillance might have positive consequences, such as helping law enforcement agencies to prevent crime, there is the risk that the majority of everyday citizens will have to tolerate having their privacy invaded for "the greater good" (including people who believe that they have "nothing to hide" and thus nothing to fear [2]). We do not think that banning anonymity technologies is the right solution for preventing crime. Instead, we think that it is critical for our society and for democracy to retain and maintain the individuals' control over their personal spheres. Furthermore, we believe that it should be possible to strike a balance between enabling law enforcement agencies to detect misuse of information and communication technologies, and respecting the privacy of the great majority of well-behaving users.

In fact, the gradual loss of privacy in today's society outlined above has attracted an increasing amount of attention among the public and in the media in recent years. Some examples of recent privacy breaches are given in [3]. Numerous surveys point out the users' wish for privacy (e.g., [4]). Regarding media attention, one comprehensive example dating back to 2003 is the 27-page article "Watching You: The World of High-Tech Surveillance" in National Geographic's November 2003 issue [5]. Here one can read that "the future is here, where cameras can film you wherever you go, where your cell phone can signal exactly where you are, where one glance can reveal exactly who you are". Another, more recent, subject of controversy among the media and the public is Google (the provider of, among many other services, a massively used Internet search engine), which has been accused of being a threat to privacy due to the massive amounts of personal data it stores and processes (see, e.g., [6]). In a consultation report from 2007, Privacy International ranks Google as "hostile to Privacy" due to, among other things, its vague and unclear privacy and data retention policies [7].


Warren and Brandeis defined privacy as early as 1890 as "the right to be let alone" [8]. In the context of information and communication technologies, Westin [9] introduced the concept of informational privacy, which implies that a person can control how, when, and to what extent information about him or her is being communicated by others. This relates to any personal information, such as name, age, interests, and credit card number. Spatial privacy, on the other hand, means that a person has control over what information is presented to his senses, that is, what information enters his personal sphere (see [10], page 28). One example of a threat to spatial privacy in the context of mobile networks is (mobile) spam. Also, many proposed AMI scenarios would introduce severe implications for the spatial privacy of the everyday citizen due to their pervasive nature. Finally, in order to capture the multidimensional nature of privacy, Daniel J. Solove recently proposed a comprehensive taxonomy of privacy, including four categories (information collection, information processing, information dissemination, and invasion) and sixteen subcategories [3].

Two common means for ensuring online privacy are technology and legislation. The former approach – commonly denoted Privacy-Enhancing Technologies (PETs) – mainly refers to technical measures that are integrated into information systems or networks to eliminate or minimize the collection of personal data, or, in cases where personal data have already been collected, to technically enforce legal privacy requirements regarding those data. One example of a PET is anonymous overlay networks, which aim to eliminate the processing of personal data altogether by permitting the users to act anonymously. Another example is systems for privacy-enhanced Identity Management (IDM), which enforce informational self-determination by, among other things, allowing the users to act under pseudonyms and to control the release of their personal data. Legislative measures for enhancing privacy, on the other hand, refer to data protection legislation restricting the collection and usage of personal data by the data processing agency. Two examples are the EU Directives 95/46/EC [11] and 2002/58/EC [12], which, for instance, regulate the usage of collected personal information. Nowadays, it is commonly believed that privacy is most successfully protected by a holistic solution that combines both technological and legislative efforts.

1.1 Scope

Below, we discuss the scope of the thesis (application domain and types of solutions):

• We have mainly studied mobile networks, in which wireless and mobile nodes participate in communications. Mobile networks are of great interest as they, on the one hand, lay the groundwork for new innovative applications that may facilitate everyday life for citizens, but at the same time they pose many challenges to privacy. Mobile networks can be classified as being either ad hoc networks or infrastructured networks, depending on whether or not they can function without the aid of a central infrastructure. Regarding infrastructured mobile networks, they are often interconnected with wired networks to enable access to services on, for instance, the Internet. In this thesis, we have studied LBS applications and anonymous WAP browsing. In these scenarios, the client is situated in a Public Land Mobile Network (PLMN) while the service provider is situated in the (wired) Internet.


• The type of anonymous communication mechanism mainly studied in this thesis is anonymous overlay networks, which enable anonymity in the layer between the communication and application layers, usually by constructing virtual paths along which messages are forwarded during communications between different communication partners in a network. Alone, anonymous overlay networks do not constitute a panacea for all privacy problems in mobile networks. However, they offer a possible solution for those cases where it is desirable or appropriate for users to be anonymous. Moreover, anonymous overlay networks constitute an underlying building block for more advanced solutions, such as tools for privacy-enhancing Identity Management. Anonymous overlay networks are further described in Section 2.2.

1.2 Objective

One goal of this thesis is to analyze the privacy risks present in mobile networks and, building on this, to elicit both technical and legal requirements for solutions addressing these privacy risks. We moreover aim to develop a set of solutions based on these elicited requirements. Given that performance plays an important role in (often heterogeneous) mobile networks such as ad hoc networks, another main goal is to analyze the degree of privacy protection and the performance loss these solutions offer. In this context, we are especially interested in finding a reasonable tradeoff between these two aspects. Finally, we are also interested in finding out how privacy could be protected by an interdisciplinary approach including not only technical aspects, but also, for instance, legal and social aspects.

1.3 Structure

The remainder of this introductory summary is structured as follows. Section 2 provides the theoretical background for the thesis. This section includes a subsection that defines anonymity and related terms (Section 2.1), as well as subsections that introduce anonymous overlay networks (Section 2.2) and examples of such networks (Section 2.3). Furthermore, Section 2.5 examines how to quantify anonymity while Section 2.4 provides an introduction to anonymity attacks. Then, Section 3 explains the research questions underlying this thesis and the research methodology employed to answer them. After this, Section 4 discusses existing PETs for enhancing privacy in mobile networks, while Section 5 outlines the contributions of this thesis. Thereafter, Section 6 summarizes the papers in the thesis. Finally, Section 7 summarizes the main conclusions and gives an outlook to future research.


2 Background

2.1 Definition of Anonymity & Related Terms

Many people have their own notion of what it means to be "anonymous", like blending into the crowd or not sticking out too much. In this thesis, we adopt a somewhat more formal definition introduced by Pfitzmann and Hansen [13]: "Anonymity is the state of being not identifiable within a set of subjects, the anonymity set". The anonymity set includes all possible subjects in a given scenario, such as the possible senders of a message. When communicating over a communication network, the anonymity set can be divided into two subsets: the sender and recipient anonymity sets. These sets can be disjoint, overlap, or be the same (see Figure 1). The size of these sets may vary over time, as new knowledge may allow an attacker to exclude members from either of the sets (see Figure 2).

Figure 1: Sender and receiver anonymity sets, and message set.

Figure 2: The number of possible senders in the anonymity set is narrowed down to three.

Anonymity involves both preserving the confidentiality of user data in the application layer (data level anonymity) and hiding the network identifiers of the communication partners in the network layer (network level anonymity). Anonymous overlay networks are often used to achieve network level anonymity, while pseudonymous applications (e.g., Idemix [14] or blind signatures [15]) and filtering proxies (e.g., Privoxy [16]) are common techniques for enabling data level anonymity. Often, techniques for achieving anonymity on the network and data levels are combined, as there is no real anonymity on the data level without anonymity on the network level. The main focus of this thesis lies on network level anonymity, although we also touch upon data level anonymity.

Related to anonymity is unlinkability, which implies that – from an attacker's point of view – two or more items of interest (e.g., senders, receivers, or messages) are no more and no less related than they are given the a-priori knowledge of the attacker [13]. Unlinkability is an issue even when a user's identity is kept secret, as linkability between different actions of an anonymous user may still enable an attacker to profile the user based on his actions. Unlinkability between a message and a sender is illustrated in Figure 3. If, however, a message can be linked to a sender (or a receiver), as in Figure 4, there is no unlinkability.


Figure 3: Sender unlinkability.

Figure 4: No sender unlinkability.

Anonymity from the perspective of the sender and receiver can be defined in terms of unlinkability [13]. Sender anonymity means that a message cannot be linked to its originating sender, while receiver anonymity implies that a message cannot be linked to the receiver of that message. Lastly, relationship anonymity means that it is not possible to determine who is communicating with whom, that is, it is impossible to link a sender to a recipient.

Also related to anonymity is unobservability, which implies that messages sent between senders and receivers in a communication network must not be discernible from random noise. In a system providing anonymity for both senders and receivers, it may still be possible to observe that messages are being sent, even though these messages cannot be linked to any sender or receiver. For a system to provide unobservability, it must not even be possible to observe the mere fact that messages are being sent.

Finally, pseudonymity implies the usage of pseudonyms as identifiers [13]. As defined in [17], pseudonymity can allow a user to use an application without disclosing his identity while still being accountable for the application usage. Anonymity on the network level is often used as a building block when implementing data level pseudonymity.

2.2 Anonymous Overlay Networks

An overlay network is a virtual network of nodes and logical links built on top of an existing network, with the purpose of implementing network services not available in the existing network. The purpose of an anonymous overlay network is to provide anonymous communication services to users in a particular network, such as the Internet or an ad hoc network, where such services normally are lacking. An anonymous overlay network is comprised of the following three basic components, or a subset of them: anonymous communication clients, anonymity proxies, and information servers. These entities are introduced below.


2.2.1 Anonymous Communication Clients

From the users' perspective, the anonymous communication clients constitute entry points to an anonymous overlay network with which the users can communicate anonymously with their communication partners (which themselves may or may not be anonymous communication clients). An anonymous communication client can be generalized to having two basic functionalities – the group buildup function and the hiding function1:

• The purpose of the group buildup function is to provide the anonymous communication client with an accurate view of the user base (the anonymous communication clients) and the group of anonymity proxies. In the case of Peer-to-Peer (P2P) based topologies (see below), these two groups generally overlap. Having an accurate view of the group of anonymity proxies is essential for the buildup of virtual paths; if an attacker succeeds in getting control over one or more anonymity proxies in a given path, he may compromise the anonymity properties of the network. One example of a means to secure the group buildup function is the anonymous authentication technique in Paper VIII, which empowers the clients to ensure that each network identifier in the user base corresponds to exactly one underlying logical identity. Alternatively, if the locations of the anonymity proxies are fixed, clients could also take the proxies' geographical locations into consideration. In this way, the client's hiding function (see below) can construct widespread paths spanning several continents. The latter strategy is used in Tor, see Paper IV;

Figure 5: A virtual path.

• The purpose of the hiding function is to establish virtual paths, comprised of one or more intermediary proxies (see next section), along which packets are transmitted anonymously (see Figure 5). Using various approaches described in this section, the hiding function ensures that the correlation between the sender and the receiver is hidden to achieve network level anonymity. Depending on which algorithm is being used for path setup, the client may be fully responsible for deciding the path, or it may only be responsible for initiating path setup. If the algorithm is based on onion routing or related approaches, the client decides the full path. In this case, layered encryption can be used (messages are wrapped in several layers of encryption, see Papers IV or VII). An alternative approach is used in, for instance, Crowds, where the client only selects its successor in the path (see Paper III).

1 These terms are inspired by the terms group function and embedding function that were introduced in [18]. However, we use these terms in a more general manner than in [18], which mainly considers mixes (Section 2.3.2). For instance, in [18] "embedding function" refers to the blending of real messages and dummy traffic.


2.2.2 Anonymity Proxies

In general, an overlay network in which the anonymous communication clients function as entry points comprises several anonymity proxies. As mentioned, these proxies collectively make up the paths along which the clients' messages are routed. The main task of an anonymity proxy is to participate in the implementation of the hiding function (see above). This may involve sending dummy traffic and/or delaying and reordering (mixing) incoming messages. In all cases, it involves setting up virtual paths on behalf of the anonymous communication clients. This is done both in cooperation with the clients and with other anonymity proxies, according to the protocol of the given anonymous overlay network. Regarding the topology of the proxies, a topology can be classified as being either centralized, (partly) distributed, or P2P-based (completely distributed):

• In a centralized topology, the anonymity proxies are operated by organizations such as private companies or universities. The number of proxies is normally limited for a centralized topology. Traditionally, most approaches have adhered to this topology. Examples of centralized approaches are JAP [19] and Chaumian Mixes [20] (see Sections 2.3.1 and 2.3.2). An advantage with centralized topologies is that the reliability can be anticipated to be superior, as centralized anonymity proxies can be expected to be run on powerful computers that are operated by experts. However, as all traffic passes through a limited set of proxies, there is an upper limit on the bandwidth. Further, as centralized proxies constitute single points of attack, they may attract additional attention from attackers.

• In a distributed topology, anonymity proxies are operated by end users rather than organizations2. In recent years, an increasing number of distributed approaches have been proposed or even deployed (most notably: Tor [21]). One advantage with distributed topologies is that the required amount of centrally administrated services can be minimized (for instance, in Tor merely the information servers could be labeled as a central service). This is a prerequisite for some application areas. Another advantage is that the scalability properties are superior to those of centralized topologies, as the more users that use the system, the more users can be expected to act as anonymity proxies. On the other hand, it is more difficult to make strong claims about the reliability of distributed topologies, as they are made up of proxies running on computers with heterogeneous bandwidth and computational capabilities. The latter was clearly observed in the performance evaluation described in Paper IV.

• Finally, a P2P-based topology is a completely distributed topology where all users collectively perform the different network roles. That is, the users constitute the anonymous communication clients, the anonymity proxies, and the information servers (see next section) alike. This places demanding requirements on the protocols used in such topologies regarding, for instance, trust management and scalability.

2 Of course, a private person could also set up a centralized mix server, such as a JAP node. But in this case the

The advantages and disadvantages of centralized and distributed topologies, respectively, are further elaborated in [22]. In the context of this thesis, mCrowds (Paper III) and the mobile Tor approach proposed in Paper IV can be classified as having a distributed topology, while Chameleon (Paper VI) is a P2P-based approach.

2.2.3 Information Servers

Basically, the task of an information server (or a hierarchy of servers) is to announce the network addresses of the anonymity proxies (possibly together with other information, such as location, bandwidth, or node reliability) to all anonymous communication clients. A simple solution is to let the information server flood this information to the clients. However, in practical scenarios the clients and the information server usually communicate using a dedicated communication protocol, such as the directory protocol in Tor [23].

A distinction can be made between overlay networks where the information server needs to provide the clients with a full view of the network and systems where only a partial view is provided. In free route networks, every anonymous communication client must know about the existence of every anonymity proxy, while in a restricted route network, each client needs to know only about a limited set of proxies. Examples of free route networks are Tor and Crowds, while Tarzan [24] and MorphMix [25] are restricted route networks.

Another issue is to decide which entity in the network should perform the role of an information server. In a partly wired network, the best solution is probably to let the information server run on some dedicated hardware in the wired domain (as is done in, e.g., Tor). However, in a distributed network, such as a mobile ad hoc network, a subset of the end users must perform this role. For example, in Chameleon (Paper VI), a subset of the network nodes acts as directory servers, while in Paper VIII the temporal group manager, which can be an untrusted end user, acts as an information server.

Lastly, note that the information server partakes in the provisioning of a secure group buildup function. It is fundamental from a security and anonymity perspective that the information server provides the clients with an accurate view of the network topology, otherwise the network is prone to a range of attacks, including Sybil and partitioning attacks (see Section 2.4).

2.3 Examples of Anonymous Overlay Networks

2.3.1 Low-Latency Anonymous Overlay Networks

Low-latency anonymous overlay networks seek to provide a (from the user's point of view) reasonable trade-off between anonymity and performance, and, hence, they can be used to anonymize interactive network traffic, such as Internet traffic. This section introduces some of the most prominent low-latency approaches: Crowds, Tor, JAP, and Onion Routing.


Crowds [26] is a partially P2P-based approach for anonymous web browsing providing anonymity against web servers and network nodes. To achieve anonymity, a user's actions are hidden within the actions of many users in a crowd that issues requests to web servers on behalf of its members. The crowd is built up by many proxies – denoted jondos – through which the traffic is routed. The degree of anonymity in Crowds towards a web server is "beyond suspicion", meaning that the sender appears no more likely to be the origin sender than any other crowd member [26]. Below, we briefly discuss the hiding and group buildup functions in Crowds.

• The Group Buildup Function. The directory server in Crowds is denoted the blender. It periodically distributes the membership list to all crowd members (e.g., IPs, ports), including information about newly added jondos. In a practical scenario, the functions of the blender should be distributed, or else it would likely constitute a performance bottleneck. No explicit approaches are implemented in the blender to protect against Sybil attacks (see Section 2.4). In Paper VIII, we discuss how to augment the blender in a mobile ad hoc scenario with Sybil attack protection by using self-certified Sybil-free pseudonyms.

• The Hiding Function. Each jondo is a local application running on a member's computer, and due to the P2P-based nature of Crowds, each jondo serves both as an anonymous communication client to which the user's web browser can pass HTTP requests and as an intermediary anonymity proxy serving the other users in the crowd. The algorithm for path setup briefly functions as follows (link encryption is used between intermediary jondos): the sender selects its successor randomly. In turn, this jondo flips a biased coin (where the bias is determined by the "probability of forwarding", pf) to decide whether it should end the path and connect to the web server, or extend the path to a new random jondo. The coin flipping is repeated until a jondo decides to connect to the web server (a minimal sketch of this forwarding decision is given after this list). Owing to this algorithm, none of the intermediary jondos can deduce with certainty that the preceding jondo is the origin sender. If certain characteristics are met, a succeeding malicious jondo cannot attribute its predecessor as the sender with a probability of 1/2 or more [26]. Yet, various research efforts, including [27, 28], have described attacks that may enable an attacker in the path to point out its predecessor as the sender with a much higher probability. In this thesis, Crowds is further discussed in Papers III, VI, and VIII.
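To make the forwarding algorithm concrete, the following minimal Python sketch simulates the Crowds path setup described above. It is our own illustration, not code from the Crowds implementation; the function and variable names are ours, and jondos are simply represented as strings.

```python
import random

def build_crowds_path(jondos, sender, pf=0.75):
    """Simulate Crowds path setup: the sender picks a random successor,
    and each subsequent jondo flips a biased coin (probability pf) to
    decide whether to extend the path or to submit the request."""
    path = [sender]
    current = random.choice(jondos)    # the sender always forwards at least once
    path.append(current)
    while random.random() < pf:        # with probability pf, extend the path
        current = random.choice(jondos)
        path.append(current)
    return path                        # the last jondo connects to the web server

# Example: a crowd of ten jondos and the default probability of forwarding 3/4
crowd = [f"jondo{i}" for i in range(10)]
print(build_crowds_path(crowd, "jondo0"))
```

Because the forwarding decision is memoryless, an intermediary jondo that receives a request cannot tell whether its predecessor originated the request or merely forwarded it.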

The Tor Network. To this day, Tor [21] is the largest distributed overlay network for anonymizing network traffic. The anonymous communication clients in Tor are called Tor clients, the anonymity proxies are denoted Tor servers (or Tor nodes), while the information servers are called directory servers. As Tor has a distributed topology, the Tor servers are often operated by private users. The Tor network is the successor to Onion Routing [29]. It was launched in 2004 and has been growing since. Currently, Tor has more than 200 000 users (clients), and the number of Tor servers is approaching 1000 [30]. Below, we discuss Tor's hiding and group buildup functions.


• The Group Buildup Function. In Tor, the directory servers are responsible for providing the group buildup function. Directory servers are divided into two categories: first and second level servers. The Tor client first contacts one of the first level servers and requests a so-called network status document that includes the list of active Tor servers and the addresses of the secondary servers where the descriptors of single Tor servers can be downloaded3. The fact that Tor is a geographically widespread network spanning all continents can be used to enable partial Sybil attack protection in Tor. The transcontinental nature of Tor also improves resistance against traffic analysis, although recent research has shown that Internet Exchange Points (IXPs) constitute ideal positions from which traffic analysis can be conducted [31]. In OnionCoffe – a Java version of the Tor client developed in the PRIME project4 – the default settings require Tor servers to be situated in different countries and subnetworks.

• The Hiding Function. The Tor client decides upon the full path, which under default settings consists of three Tor proxies. During path construction, the path is extended iteratively, one hop at a time. That is, the client first extends the path to the first Tor proxy. After receiving an acknowledgement, the client then requests the first proxy to extend the path to the second proxy, and so on. This iterative method for path setup is sometimes referred to as "telescope encryption". After completion, the client shares symmetric keys with each Tor proxy in the path (through the use of Diffie-Hellman key exchange [32] during path setup), and therefore layered encryption can be used during message transfer (a simplified sketch of such layered encryption is given after this list). Due to the properties of the hiding function, only the first Tor proxy knows the identity of the sending Tor client, while only the last Tor proxy knows the identity of the receiver (but not the sender). An intermediary Tor proxy in the path knows neither the sender nor the receiver. The authentication protocol used during path construction in Tor was proven secure in [33]. Recently, there has been a great deal of research regarding Tor, including papers that try to make the path construction process more efficient [34, 35], as well as papers that analyze the security of Tor and propose subsequent enhancements [30, 35–37].
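As an illustration of the layered encryption that this kind of path setup enables, the following Python sketch wraps a payload in one encryption layer per hop, so that each proxy can remove exactly one layer. It is a deliberately simplified illustration of the general idea, not the actual Tor cell format or key exchange; it uses the third-party cryptography package and simply assumes that the client already shares one symmetric key with each of the three proxies.

```python
from cryptography.fernet import Fernet  # pip install cryptography

# Assumption: the client has already negotiated one symmetric key per proxy.
hop_keys = [Fernet.generate_key() for _ in range(3)]   # entry, middle, exit

def wrap_onion(payload: bytes, keys) -> bytes:
    """Client side: encrypt for the exit node first, then wrap the result
    for each earlier hop, so the entry node only sees the outermost layer."""
    data = payload
    for key in reversed(keys):          # innermost layer belongs to the exit node
        data = Fernet(key).encrypt(data)
    return data

def peel_layer(cell: bytes, key: bytes) -> bytes:
    """Proxy side: each hop removes exactly one layer with its own key."""
    return Fernet(key).decrypt(cell)

cell = wrap_onion(b"GET / HTTP/1.1", hop_keys)
for key in hop_keys:                    # entry -> middle -> exit
    cell = peel_layer(cell, key)
print(cell)                             # b'GET / HTTP/1.1' recovered at the exit node
```

This peeling order mirrors the property stated above: the first proxy handles a fully wrapped cell (and knows the client), while only the exit node recovers the payload (and knows the receiver).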

In this thesis, Paper IV uses the Tor network as a building block.

Onion Routing [29] is a bi-directional overlay network for real-time anonymous communication that builds on layered encryption. Onion Routing was the predecessor of the Tor network (see above). A variant of Onion Routing called the Freedom Network [38] was commercially deployed between 1999 and 2001. However, it thereafter had to be shut down due to lack of financial resources.

3 See http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt for more information on Tor's directory server protocol.
4 For more information about the OnionCoffe prototype, see http://www.prime-project.eu/prototypes/anon.


JAP [19] is an anonymous communication client enabling access to a selection of deployed and widely used cascades of anonymity proxies (a cascade is basically a static and centralized virtual path). The anonymity proxies in the cascades apply mixing of data streams. JAP was a candidate for being used in the experiments in Paper IV, but finally Tor was preferred due to its distributed and growing nature. Recently, a commercial (i.e., not free) variant of JAP called JonDonym [39] was launched, which gives access to a commercial proxy cascade with higher bandwidth properties.

2.3.2 High-latency Anonymous Overlay Networks

Although this thesis mainly focuses on low-latency mechanisms, we include a section on high-latency anonymous overlay networks for the sake of completeness. High-latency approaches seek to provide a strong degree of anonymity at a possibly increased performance cost. Usually, they aim to defeat even a global eavesdropper capable of observing the whole network. High-latency approaches are used when there are no tight constraints regarding the latency, as they usually make use of expensive functionalities in terms of performance, such as mixing and dummy traffic (see below). As can be seen in [40], messages can be delayed for hours. Obviously, such delays are not realistic when, for example, browsing the Internet. However, one common application area for high-latency networks where large delays can be tolerated is anonymous email, and proposals in this arena include [41–43].

In a seminal proposal belonging to this category, David Chaum proposed in 1981 to anonymize network traffic by sending the traffic through a series of dedicated anonymity proxies called mixes [20]. Chaum's original mixes destroyed the correlation between incoming and outgoing traffic in the following manner: first, collect n messages, second, reorder them randomly, and, finally, flush all messages; then start over again. Over the years, some extensions have been proposed to this model. For example, instead of flushing all messages at each iteration, some approaches keep a subset of the messages in the proxy until the next round [44]. A different strategy is proposed by Kesdogan et al. in [45], where individual messages instead are delayed for a randomly chosen amount of time.
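The batching behaviour of Chaum's original mix can be captured in a few lines. The sketch below is our own illustration of such a threshold mix (the class and method names are made up for the example): it collects n messages, shuffles them, and flushes the whole batch, which is what destroys the correlation between arrival order and departure order.

```python
import random

class ThresholdMix:
    """Minimal sketch of a Chaumian threshold mix: collect n messages,
    reorder them randomly, and flush the whole batch at once."""
    def __init__(self, n: int):
        self.n = n
        self.pool = []

    def receive(self, message):
        self.pool.append(message)
        if len(self.pool) == self.n:    # threshold reached: flush the batch
            batch, self.pool = self.pool, []
            random.shuffle(batch)       # random reordering breaks the
            return batch                # input/output correlation
        return []                       # otherwise keep collecting

mix = ThresholdMix(n=3)
for msg in ["m1", "m2", "m3"]:
    flushed = mix.receive(msg)
print(flushed)   # the three messages, emitted together in a random order
```

In a real mix, each message would additionally be decrypted with the mix's key before being flushed; the pool mixes and the random-delay strategy mentioned above differ mainly in when and how much of the pool is flushed.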

As an alternative to mixing, broadcasting may be employed as an underlying technique for providing anonymity. To achieve both sender and receiver anonymity, such systems generally combine broadcasting with other means of achieving anonymity, such as encryption and dummy traffic. A well-known example is the so-called Dining Cryptographer networks (DC-Nets) proposed by Chaum [46]. DC-Nets provide "perfect anonymity" in the information-theoretic sense [47] by implementing unobservability (see Section 2.1); the fact that someone is sending is hidden by a one-time pad while the fact that someone is receiving is hidden by broadcasting and implicit addressing [48]. Yet, DC-Nets consume vast amounts of bandwidth and are vulnerable to attackers causing deliberate collisions during transmissions (i.e., denial of service attacks), and thus only a few implementations exist. If classified according to the entities and functions discussed in Section 2.2, we can note that neither anonymity proxies nor information servers are actually required in DC-Nets; instead, the network could be solely comprised of anonymous communication clients implementing the group buildup and hiding functions (e.g., in case of a ring topology).


A technique often applied in high-latency anonymous overlay networks is dummy traffic (also called cover traffic). Dummy traffic is made up of "fake" messages (i.e., messages lacking any meaningful content) passed around in the network. The aim of dummy traffic is to provide unobservability, thereby making it harder for an attacker to extract information from a traffic analysis attack (see Section 2.4). Dummy traffic introduces extra traffic overhead and, thus, degrades performance. Therefore, low-latency approaches such as Tor and Crowds do not employ dummy traffic.

Dummy traffic may also be used as a mechanism for achieving unobservability (see Section 2.1). In anonymous overlay networks that implement unobservability, it is not possible for an eavesdropper to differentiate between a real message and random noise, or even to infer that a message has been sent in the first place. One example of such a system is Pipenet [49]. Unfortunately, due to the large amount of extra traffic that must be generated to maintain a constant traffic load, these systems are generally not practical.

2.4 Introduction to Anonymity Attacks

In the context of this thesis, an attacker is an entity that deliberately tries to compromise the anonymity of one or more users of a computer network, such as an anonymous overlay network. Attackers can be classified according to which kinds of attacks they are capable of launching (see Figure 6). Several dimensions need to be considered when describing the abilities and deficiencies of a given attacker5. For example, attackers can be either passive or active. An active attacker can modify the traffic in a network, while a passive attacker (also called an eavesdropper) is restricted to merely observing the traffic. Attackers can further be classified as either local or global attackers. Local attackers launch their attacks in a subset of the network while global attackers launch their attacks on the whole network.

Figure 6: A taxonomy of attackers.

The general strategy of an attacker is to obtain probabilistic relationships between input and output messages of one or several anonymity proxies in order to be able to narrow down the set of possible senders or recipients (as in Figure 2). The result of an attack could be that one user appears to be the message originator with a high probability. If the attacker succeeds in reducing the anonymity set size to a singleton, the sender is unambiguously identified. Concerning attacks against the group buildup function, one example is the Sybil attack [51], which entails an attacker controlling arbitrarily many user identities in a system.

5 Other dimensions beyond those in Figure 6 are sometimes discussed in the context of attacker models. For example, a distinction can be made between internal and external attackers; an internal attacker controls one or more internal entities in the system while an external attacker controls only communication links [50].


This attack is very powerful, as an attacker who can control arbitrarily many user identities is in a perfect position for breaking the security properties of most conceivable systems. Another example is the partitioning attack [21], which involves an attacker who manages to convey false or partial views of the network to other users. For instance, the attacker could be a malicious directory server announcing only rogue network identities to honest users. Regarding attacks against the hiding function, two general strategies are traffic analysis [21] and traffic confirmation [21]. When an attacker conducts traffic analysis, he observes traffic patterns in the network to trace particular messages through the network. Examples of such attacks are predecessor attacks [27, 28] and intersection attacks [52]. Traffic confirmation refers to an attacker seeking to confirm that he is controlling the endpoints in a system, such as the first and last node in a virtual path. There are numerous viable strategies to do this, such as (passive) timing analysis or (active) traffic injection/modification (for instance, [30] describes a traffic confirmation attack).
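As a simple illustration of how such attacks narrow down the anonymity set (compare Figure 2), the following sketch models a very basic intersection attack. The observations are made up purely for the example: an eavesdropper records which users were active during each round in which the target communication was observed and intersects these sets.

```python
# Hypothetical observations: users that were active during each round in which
# the target's messages were seen by a local eavesdropper.
observations = [
    {"alice", "bob", "carol", "dave"},
    {"alice", "carol", "erin"},
    {"alice", "carol", "frank"},
]

# Intersection attack: the real sender must have been active in every such
# round, so intersecting the observed sets shrinks the sender anonymity set.
suspects = set.intersection(*observations)
print(suspects)   # {'alice', 'carol'} -- the anonymity set is down to two members
```

Real intersection attacks work on far noisier data, but the principle is the same: repeated observations remove members from the anonymity set until, in the worst case, only the true sender remains.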

Lastly, several of the aforementioned attacks, namely the Sybil attack, predecessor attack, intersection attack, and partitioning attack, are discussed further in Paper VIII.

2.5 On Measuring Anonymity

Anonymity is often perceived as a relative notion. That is, instead of viewing anonymity as something “binary”, where a person is either anonymous or not anonymous, anonymity is often quantified on a relative scale. Thus, it is possible to be more or less anonymous. So-called anonymity metrics can be applied to measure the “amount” of anonymity available to a user of, for instance, an anonymous overlay network. In commonly used terminology, these metrics quantify the degree (or level) of anonymity in a given scenario.

However, before evaluating the degree of anonymity, one must first define the abilities and limitations of the potential attackers in a given scenario. Such a model is called an attacker model. The attacker model, together with the properties of the studied anonymity technology, is then passed as input to the chosen anonymity metric, which in turn produces some kind of quantitative measure of the degree of anonymity (see Figure 7).


The resulting output from an anonymity metric is usually a purely quantitative measure. However, it is important to also take the qualitative aspects of anonymity into consideration [53]. Qualitative aspects include, among other things, the robustness against various kinds of active attacks (for instance, denial of service attacks), as well as the security of the implementation of the given anonymous overlay network (for instance, the quality of the implemented cryptographic primitives). Also, properties such as availability, usability, and performance affect the quality of anonymity [54]. For instance, poor performance or bad usability is likely to scare away potential users of an anonymity technology, which, in turn, will decrease the size of the user base and, therefore, reduce the degree of anonymity. Ultimately, the qualitative aspects of anonymity are very likely to (indirectly or directly) affect the provided (quantitative) degree of anonymity. The qualitative aspects of anonymity are sometimes referred to as the “robustness of anonymity” [13]. The subject of anonymity metrics is thoroughly treated in Paper II, to which we refer the reader for examples of anonymity metrics. Finally, we note that the metrics discussed in Paper II are mostly local anonymity metrics, that is, they quantify anonymity with respect to a particular sender or a particular message. As an alternative, the degree of anonymity of the system as a whole, including all current users and messages, could be quantified by a system-wide anonymity metric. Such a metric has recently been proposed in [55].
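To give one concrete example of a quantitative measure of the kind surveyed in Paper II, several entropy-based metrics in the literature let the attacker assign each of the N members of the anonymity set a probability p_i of being the sender, and then compare the Shannon entropy of this distribution to its maximum value. A sketch of such a normalized degree of anonymity is:

\[
H(X) = -\sum_{i=1}^{N} p_i \log_2 p_i, \qquad
d = \frac{H(X)}{H_{\max}} = \frac{H(X)}{\log_2 N},
\]

where d = 1 means that the attacker considers all N users equally likely to be the sender, and d = 0 means that the sender is unambiguously identified. The exact definitions used in the included papers are given in Paper II.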

3 Research Issues

This section states the research questions posed in this thesis, as well as the research methods used to answer them.

3.1 Research Questions

The overall research questions for this thesis are:

1. What privacy risks are present in mobile networks, and, furthermore, what technical and legal requirements can be elicited for PETs for mobile networks developed to address these risks?

The first part of the question (about the privacy risks) is dealt with in Papers I and VIII. The second part is addressed in Paper I (mostly legal requirements) and Papers II and V (technical requirements). Such a list of suitable legal and technical requirements also serves as “evaluation criteria” according to which PETs for mobile networks can be evaluated, as done in Papers IV, VI, and VII.


2. How can privacy be enhanced in mobile networks by technical means with a reasonable tradeoff between anonymity protection and performance loss?

This is a challenging question that we investigate further in Papers III–VIII. As a rule of thumb, a stronger degree of anonymity normally results in lower performance (and, thus, lower usability). However, to approach an answer to this question we need viable metrics for quantifying both anonymity (see Paper II) and performance (see Section 3.2). Regarding performance, pocket-size mobile devices usually offer computational capabilities inferior to those of desktop computers or laptops (for instance, less memory, less processing power, and smaller screen size). These restrictions impose an upper limit on the amount and complexity of the operations a PET running on a mobile device can execute while still providing acceptable performance.

3. How can privacy be protected by an interdisciplinary approach, taking into account not only technical aspects but also social and legal aspects?

This research question is dealt with in Papers I and IX. Besides covering technical aspects, these papers take an interdisciplinary approach: Paper I additionally focuses on legal aspects, while Paper IX discusses privacy from a socio-psychological viewpoint and also addresses Human Computer Interface (HCI) aspects related to privacy.

3.2 Research Method

Below, we describe the research method used to address the aforementioned questions.

First research question. The first question in Section 3.1 has mainly been addressed by means of a combined literature study and theoretical analysis. Generally, we first studied exposed personal data in certain application scenarios and then defined possible misuse cases for these scenarios. Concerning requirements, the European legal framework was scrutinized for legal requirements that apply in mobile network environments (Paper I). Moreover, technical requirements for anonymity metrics and anonymity technologies in mobile ad hoc networks have been derived from the literature (Papers II and V).

Second research question. For the second question (Section 3.1), we have primarily applied experimental research. This method relies on the philosophical assumption that the world works according to a number of causal laws. The goal is to establish these cause-and-effect laws by performing experiments [56]. In this thesis, we conducted experiments to assess the performance and the degree of anonymity of the studied anonymity technologies:

• Regarding performance, we made use of a performance evaluation [57], in which various aspects of a system’s performance are scrutinized to, e.g., compare systems, fine-tune parameters, identify bottlenecks, or characterize the workload of a system. Before designing a performance evaluation, the researcher must decide which evaluation technique to use. In [57], four common evaluation techniques are distinguished – analytical modeling, simulation, emulation, and live measurement:


– An analytical model is a mathematical expression describing the performance of a system. The modeled system’s performance can be predicted under a range of conditions by varying the input parameters of the model.

– A simulation uses an abstract representation of the system that is created by a computer program called the simulation tool. Compared to analytical modeling, more details about the system can usually be included in a simulation, and, thus, simulations often produce more realistic results. Information about simulation in the context of performance evaluation can be found in [58].

– During an emulation, measurements are performed on a real implementation of a running system, but some aspects of the system are abstracted through an emulation tool. Emulation combines advantages of simulation (a controlled and reproducible environment) with advantages of live measurement (a realistic test environment).

– In a live measurement, an operational system is studied (e.g., a computer network). One obvious advantage is that since real code is tested in a real environment, any doubts about whether the modeled system represents the real system are obviated. However, when complex systems are tested, it is generally hard to produce controlled and reproducible experiments.

Paper III describes a performance emulation of the research prototype mCrowds. Here, Dummynet [59] was used to impose an artificial propagation delay to emulate a large geographical distance between the mCrowds nodes. In Paper IV, a live network evaluation of the performance of the Tor client OnionCoffe (see Section 2.3.1) – applied in a mobile setting – was conducted. In Papers VI and VIII, claims about performance were also validated by analytical arguments. Further, several evaluation techniques are often combined to validate the results from a performance evaluation. In our case, we, for instance, combined emulation with (elementary) analytical modeling in Paper III to examine what impact the system-wide probability constant pf in mCrowds had on performance and anonymity (a small illustrative sketch of this kind of calculation follows this list). Also, a follow-up paper to Paper VI is planned, in which the analytical performance claims about the Chameleon prototype in Paper VI will be compared to the results from an ongoing simulation;

• Concerning anonymity, we have applied analytical anonymity metrics (Section 2.5 and Paper II) to quantify the degree of anonymity in a set of scenarios in some of the included papers (see below). In general, anonymity metrics are often based on mathematical foundations such as probability theory. For example, several metrics are based on Shannon’s information theory and the notion of entropy [47, 50, 60]. In Papers III, IV, and VI, we use the Crowds-based anonymity metric [26] to quantify the degree of anonymity of the proposed systems. Further, in Paper II, we evaluate several example scenarios using a number of state-of-the-art anonymity metrics against a set of criteria. Finally, in Paper VII, the degree of anonymity of a number of anonymous communication mechanisms for mobile ad hoc networks is analytically evaluated against certain criteria regarding the protection level against different attackers.
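To illustrate the kind of elementary analytical modeling mentioned above, the following Python sketch computes, for a Crowds-style system with n members of which c collaborate with the attacker and with forwarding probability pf, (i) the probability that the node immediately preceding the first collaborator on a path is the true initiator (the quantity considered by the Crowds-based metric) and (ii) the expected number of extra forwarding hops on a path (a simple performance indicator). The formulas follow the standard Crowds analysis; the parameter values are hypothetical, and the sketch is not the model used in the included papers.

# Sketch: anonymity vs. performance in a Crowds-style system as a
# function of the forwarding probability pf (hypothetical parameters).

def predecessor_probability(n, c, pf):
    """Probability that the predecessor of the first collaborator on a
    path is the true initiator; 'probable innocence' requires <= 1/2."""
    return 1.0 - pf * (n - c - 1) / n

def expected_extra_hops(pf):
    """Expected number of extra jondo-to-jondo forwards on a path; each
    forward occurs with probability pf (geometric distribution)."""
    return pf / (1.0 - pf)

if __name__ == "__main__":
    n, c = 20, 2  # hypothetical crowd size and number of collaborators
    for pf in (0.5, 0.66, 0.75, 0.9):
        print(f"pf={pf:.2f}  P(predecessor is initiator)="
              f"{predecessor_probability(n, c, pf):.2f}  "
              f"E[extra hops]={expected_extra_hops(pf):.2f}")

The output illustrates the tradeoff underlying research question 2: a higher pf lowers the attacker’s certainty about the initiator, but it also lengthens the paths and thus increases latency.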


Third research question. This question has been dealt with in the interdisciplinary and international PRIME project. In this context, the legal aspects of privacy have been studied by reviewing European legislation, such as the EU Data Protection Directive 95/46/EC [11], EU Directive 2002/58/EC on privacy and electronic communications [12], and the EC Data Retention Directive 2006/24/EC [1]. In a similar fashion, user studies, Human Computer Interface (HCI) research, and socio-psychological research have been conducted to address the non-technical aspects of privacy.

4 Related Work

In this section, we describe related work on enabling anonymity or pseudonymity in mobile networks. The section is divided into one subsection on enabling anonymity in mobile infrastructured networks (in, e.g., WAP or LBS scenarios over GSM/GPRS networks) and one subsection on enabling anonymity in mobile infrastructureless (ad hoc) networks.

4.1 Enabling Anonymity in Infrastructured Mobile Networks

This section describes related work for anonymous browsing on the mobile Internet and privacy-enhanced LBS.

4.1.1 Approaches for anonymous browsing on the mobile Internet

To date, we are only aware of one approach that is directly tailored for anonymous web browsing on the mobile Internet (besides the approaches we propose in Papers III and IV): in [61], a framework for providing anonymity on the mobile Internet is proposed. The users connect their mobile phones via a Security Provider (SP) to a deployed anonymous overlay network, such as Jap or Tor. The SP acts as a Trusted Third Party (TTP) providing an interface between the user and the anonymous overlay network. The SP also helps users by performing cryptographic operations on their behalf when setting up virtual paths. A potential problem is that the SP constitutes a single point of failure and trust. In contrast to the approaches in Papers III and IV, the framework in [61] presents neither an anonymity analysis nor a performance evaluation.

4.1.2 Approaches for privacy-enhanced LBS

This section describes four infrastructures for deploying LBS [62] and gives examples of existing approaches for enhancing privacy in these infrastructures. Each infrastructure comprises a subset of the following entities: the mobile device (U), the Telecom Service Provider (or Mobile Operator) (TSP), the LBS provider (LBS), and the location intermediary (LI).
