Expressive Privacy Control with Pseudonyms
Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall
University of Washington
Internet Tracking is Pervasive
[Figure: Alice and Bob browse while a Tracker records them. User1: UW, CSE, Route to [Alice’s home]. User2: SIGCOMM, Hacking, Depression.]
Trackers link user activities to form large user profiles.
SIGCOMM 2013
Implications of Tracking for Users
Pros: Personalization; Better Security; Revenue for Service
Cons: Lack of Privacy
Threat Model: Trackers Correlate Unwanted Traffic
[Figure: same Tracker view as before. User1: UW, CSE, Route to [Alice’s home]. User2: SIGCOMM, Hacking, Depression.]
Goal: Give Users Control over How They are Tracked
[Figure: with user control the Tracker sees four unlinked users instead of two. User1: UW, CSE. User2: Route to [Alice’s home]. User3: SIGCOMM, Hacking. User4: Depression.]
Implications of Giving Users Control
Pros and Cons: the same four items (Lack of Privacy, Personalization, Better Security, Revenue for Service), now weighed from the side of user control.
Current Defenses Provide Insufficient Control
Current Defenses
Application Layer: Third-party cookie blocking, DoNotTrack
Network Layer: Tor, Proxies
Limitations
Coarse-grained
Not cross-layer
Outline
Motivation / Background
Approach: Cross-Layer Pseudonyms
System Design: Application-Layer, Network-Layer
Implementation and Evaluation
Conclusion
Trackers Link User Requests
Important identifiers for Web tracking: application info (cookie, JS localStorage, Flash) and the IP address.
Multiple requests are linkable by remote trackers if they share the same identifiers.
[Figure: User → Tracker. Req. 1 (128.208.7.x), header: cookie(…); Req. 2 (128.208.7.x), header: cookie(…)]
Approach: Pseudonym Abstraction
Pseudonym = a set of all identifying features that persist across an activity.
Allow a user to manage a large number of unlinkable pseudonyms.
The user can choose which ones are used for which operations.
[Figure: Alice → Tracker. Pseudonym1 (IP1, Cookie1) carries medical information; Pseudonym2 (IP2, Cookie2) carries location-related information (Alice’s home).]
How We Want to Use Pseudonyms
[Figure: Alice’s Application hands requests to a Policy Engine, which selects Pseudonym1 (IP1, Cookie1; Medical) or Pseudonym2 (IP2, Cookie2; Location). The OS sends each out on its own IP address, via DHCP and Routers, to the Tracker. 1. Application-Layer Design; 2. Network-Layer Design.]
Application-Layer Design
The application needs to assign different pseudonyms to different activities.
How pseudonyms are used depends on the user and the application.
APIs are provided to define policies.
Policy in Web browsing: a function of the request information and the state of the browser (window ID, tab ID, request ID, URL, whether the request is going to the first party, etc.).
Sample Pseudonym Policies for the Web
Default: P1 = P2 = P3
Per-Request: P1 != P2 != P3
Per-First Party: P1 = P2 != P3
[Figure: an Article on Politics at news.com (request P1) embeds facebook.com (request P2); a direct visit to facebook.com is request P3.]
Sample Pseudonym Policies for the Web
Default: P1 = P2 = P3
Per-Request: P1 != P2 != P3
Per-First Party: P1 = P2 != P3
Under Per-First Party (P2 != P3), Facebook cannot know the user’s visit to news.com.
Pseudonyms in Action
[Figure: the same architecture as in “How We Want to Use Pseudonyms” (Application, Policy Engine, Pseudonym1: IP1/Cookie1, Pseudonym2: IP2/Cookie2, OS, DHCP, Routers, Tracker), now focusing on 2. Network-Layer Design.]
Network-Layer Design Consideration
Many IP addresses for an end-host
Proper mixing
Efficient routing
Easy revocation
Support for small networks
1) IPv6 Allows Many IPs per Host
IPv6 address: 128 bits.
Small networks get a /64 address space (1.8e19 addresses).
2, 3) Symmetric Encryption for Mixing and Routing
[Figure: IPv6 address, 128 bits. Network Prefix: to route the packet “to” the network. Remainder: to route the packet “within” the network; networks can use this part as they want.]
[Figure: 128-bit address. Base: Network Prefix | Subnet | Host | Pseudonym. Encrypted: Network Prefix | Encrypted ID. Encrypt: base → encrypted; Decrypt: encrypted → base.]
Use symmetric-key encryption.
End-hosts know only encrypted IP addresses.
The router uses the base addresses to forward packets, by longest-prefix matching on subnet::host; thus the size of the routing table does not change.
Routing Example
[Figure: Routing example. Internet → ISP (Prefix :: …) → end-host. On the wire: Prefix | Encrypted ID; inside the network: Prefix | Sub::Host::Pseudo.]
Outline
Motivation / Background
Approach: Cross-Layer Pseudonyms
System Design: Application-Layer, Network-Layer
Implementation and Evaluation
Conclusion
Prototype Implementation
[Figure: Web Browser (Alice) with an Extension and Policy Engine → OS → IPv6 Tunnel Broker → Gateway (/64 network) → IPv6 Internet → Web Server; each pseudonym goes out on its own IP.]
Example policy from the extension:
    function extreme_policy(request, browser) {
      // Extreme policy: every request uses a different pseudonym
      return request.requestID;
    }
Evaluation
Is the policy framework expressive enough? How many pseudonyms are required?
Do policies effectively preserve privacy?
Are that many pseudonyms feasible? How much overhead in the OS and router?
Pseudonym Policy is Expressive
Name: Description
Trivial: Every request uses the same pseudonym
Extreme: Every request uses a different pseudonym
Per tab [1]: Requests from each tab use a different pseudonym
Per 1st-party [2]: Based on the connected page’s (1st-party) domain
Time-based [3]: Change pseudonym every 10 minutes
We could implement all the protection mechanisms from the related work in a cross-layer manner.
More examples in the paper: per browsing session, 3rd-party blocking.
[1] CookiePie Extension, [2] Milk, Walls et al. HotSec 2012, [3] Tor
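The policy framework of the Application-Layer Design and Sample Pseudonym Policies slides and the table above, as an added example that is not the paper's or its extension's code. The request/browser field names and the three-request scenario are assumptions.

```javascript
// Added example, not the paper's or its extension's code. A policy is a
// function (request, browser) -> key; requests whose keys agree share one
// pseudonym (one IP + cookie jar), all others are unlinkable. The field names
// on request/browser and the three-request scenario are assumptions.
const TEN_MINUTES_MS = 10 * 60 * 1000;
const policies = {
  // Trivial / default: P1 = P2 = P3, everything is linkable.
  trivial: () => "default",
  // Extreme (the prototype slide's extreme_policy): fresh pseudonym per request.
  extreme: (req) => `req:${req.requestID}`,
  // Per tab: requests from the same tab share a pseudonym.
  perTab: (req) => `tab:${req.tabID}`,
  // Per 1st-party: keyed on the domain of the page that issued the request, so
  // facebook.com embedded in news.com != facebook.com visited directly.
  perFirstParty: (req) => `fp:${req.firstParty}`,
  // Time-based: rotate the pseudonym every 10 minutes.
  timeBased: (req, browser) => `t:${Math.floor(browser.now / TEN_MINUTES_MS)}`,
};

class PseudonymEngine {
  constructor(policy) { this.policy = policy; this.byKey = new Map(); }
  // Numbered pseudonym this request goes out under (stands in for an IP + cookie jar).
  pseudonymFor(req, browser) {
    const key = this.policy(req, browser);
    if (!this.byKey.has(key)) this.byKey.set(key, this.byKey.size + 1);
    return this.byKey.get(key);
  }
}

// Constructed scenario from the sample-policy slides: Alice reads an article on
// news.com that embeds a facebook.com widget (requests 1, 2), then visits
// facebook.com directly (request 3), all in one tab within a few seconds.
const scenario = [
  { requestID: 1, tabID: 7, url: "https://news.com/article", firstParty: "news.com" },
  { requestID: 2, tabID: 7, url: "https://facebook.com/like", firstParty: "news.com" },
  { requestID: 3, tabID: 7, url: "https://facebook.com/", firstParty: "facebook.com" },
];

// Runs one named policy over the scenario and returns [P1, P2, P3].
function runPolicy(name, now = 0) {
  const engine = new PseudonymEngine(policies[name]);
  return scenario.map((req) => engine.pseudonymFor(req, { now }));
}
// Tracker's view: facebook.com can tie the news.com visit to the direct visit
// only if requests 2 and 3 arrive under the same pseudonym (P2 == P3).
function facebookCanLinkNewsVisit(name) {
  const [, p2, p3] = runPolicy(name);
  return p2 === p3;
}
```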
Privacy Preservation over Policies
[Chart: privacy preservation over policies; axis label “10 bits”.]
Conclusion
Pseudonym abstraction: user control over unlinkable identities.
Provided new network addressing and routing mechanisms that exploit the ample IPv6 address space.
Enabled various policies with an expressive policy framework.
Prototyped with a web browser extension to show feasibility.