Cro wds Anonymit fo eb ransactions Michael K
89K - views

Cro wds Anonymit fo eb ransactions Michael K

Reiter and Aviel D Rubin TT LabsResea rch In this pap er in tro duce system called Cro wds for protecting users anon ymit on the orld widew eb Cro wds named for the notion of blending in to cro wd op erates grouping users in to large and geographic

Tags : Reiter and Aviel
Download Pdf

Cro wds Anonymit fo eb ransactions Michael K

Download Pdf - The PPT/PDF document "Cro wds Anonymit fo eb ransactions Micha..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation on theme: "Cro wds Anonymit fo eb ransactions Michael K"— Presentation transcript:

Page 1
Cro wds: Anonymit fo eb ransactions Michael K. Reiter and Aviel D. Rubin T&T LabsResea rch In this pap er in tro duce system called Cro wds for protecting users anon ymit on the orld- wide-w eb. Cro wds, named for the notion of blending in to cro wd, op erates grouping users in to large and geographic ally div erse group (cro wd) that collectiv ely issues requests on ehalf of its mem ers. eb serv ers are unable to learn the true source of request ecause it is equally lik ely to ha originated from an mem er of the cro wd, and ev en collab orat ing cro wd mem ers cannot

distinguish the originator of request from mem er who is merely forw arding the request on ehalf of another. describ the design, implemen tation, securit erformance, and scalabilit of our system. Our securit analysis in tro duces de gr es of anonymity as an imp ortan to ol for describing and pro ving anon ymit prop erties. Categories and Sub ject Descriptors: C.2.0 Computer-Comm unication Net orks ]: General se curity and pr ote ction C.2.2 Computer-Comm unication Net orks ]: Net ork Proto cols applic ations K.4.1 Computers and So ciet ]: Public olicy Issues privacy K.4.4 Comput- ers and So

ciet ]: Electronic Commerce se curity General erms: Securit Additional Key ords and Phrases: anon ymous comm unication, orld-wide-w eb 1. INTRODUCTION Every man should know that his onversations, his orr esp ondenc e, and his ersonal life ar private. Lyndon B. Johnson, presiden of the United States, 196369 The lac of priv acy for transactions on the orld-wide-w eb, or the In ternet in general, is ell-do cumen ted fact [Brier 1997; Miller 1997]. While encrypting com- unication to and from eb serv ers (e.g., using SSL [Hic kman and Elgamal 1995]) can hide the con ten of the transaction from an

ea esdropp er (e.g., an In ternet service pro vider, or lo cal system administrator), the ea esdropp er can still learn the IP addresses of the clien and serv er computers, the length of the data eing exc hanged, and the time and frequency of exc hanges. Encryption also do es little to protect the priv acy of the clien from the serv er. eb serv er can record the In ternet addresses at whic its clien ts reside, the serv ers that referred the clien ts to it, and the times and frequencies of accesses its clien ts. With additional effort, this information can com bined with other data to in

ade the priv acy of clien ts ev en further. or example, automatically finger ing the clien computer shortly after an access and comparing the idle time for eac user of the clien computer with the serv er access time, the serv er administrator can often deduce the exact user with high lik eliho d. Some consequences of suc priv acy abuses are describ ed in [Miller 1997]. In this pap er in tro duce new approac for increasing the priv acy of eb
Page 2
transactions and system, called Cr owds that implemen ts it. Our approac is based on the idea of blending in to cro wd, i.e., hiding

ones actions within the actions of man others. execute eb transactions in our mo del, user first joins cro wd of other users. The users request to eb serv er is first passed to random mem er of the cro wd. That mem er can either submit the request directly to the end serv er or forwar it to another randomly hosen mem er, and in the latter case the next mem er ho oses to submit or forw ard indep enden tly When the request is ev en tually submitted, it is submitted random mem er, th us prev en ting the end serv er from iden tifying its true initiator. Ev en cro wd mem ers cannot

iden tify the initiator of the request, since the initiator is indistinguishable from mem er that simply forw ards request from another. In studying the anon ymit prop erties pro vided this simple mec hanism, in- tro duce the notion of de gr es of anon ymit argue that the degree of anon ymit pro vided against an attac er can view ed as con tin uum, ranging from no anon ymit to complete anon ymit and ha ving sev eral in teresting oin ts in et een. informally define these in termediate oin ts, and for our Cro wds mec hanism describ ed ab e, refine these definitions and pro anon

ymit prop erties for our system. exp ect these definitions and pro ofs to yield insigh ts in to pro ving anon ymit prop erties for other approac hes, as ell. An in triguing prop ert of Cro wds is that mem er of cro wd ma submit requests initiated other users. This has oth negativ and ositiv consequences. On the negativ side, the user ma incorrectly susp ected of originating that request. On the ositiv side, this prop ert suggests that the mere ailabili of Cro wds offers the user some degree of deniabilit for her observ ed bro wsing eha vior, if it is ossible that she as using Cro

wds. Moreo er, if Cro wds ecomes widely adopted, then the presumption that the computer from whic request is receiv ed is the computer that originated the request will ecome decreasingly alid (and th us decreasingly utilized). The anon ymit pro vided Cro wds is sub ject to some ca eats. or example, Cro wds ob viously cannot protect users anon ymit if the con ten of her eb trans- actions rev eals her iden tit to the eb serv er (e.g., if the user submits her name and credit card um er in eb form). More subtley Cro wds can undermined executable eb con ten that, if do wnloaded in to the users

bro wser, can op en net- ork connections directly from the bro wser to eb serv ers, th us ypassing Cro wds altogether and exp osing the user to the end serv er. In to da ys bro wsers, suc ex- ecutable con ten tak es the form of Ja applets and Activ eX con trols. Therefore, when using Cro wds, it is recommended that Ja and Activ eX disabled in the bro wser, whic can ypically done via simple preferences men in the bro wser. The rest of this pap er is structured as follo ws. In Section 2, more precisely state the anon ymit goals of our system and in tro duce the notion of de gr es of anon ymit

This giv es us sufficien groundw ork to compare our approac to other approac hes to anon ymit in Section 3. describ the basic Cro wds mec hanism in Section and analyze its securit in Section 5. describ the erformance and scalabilit of our system in Sections and 7, resp ectiv ely discuss cro wd mem ership in Section 8, the systems user in terface in Section 9, and the obstacles that firew alls presen to wide scale adoption of Cro wds in Section 10. conclude in Section 11.
Page 3
exposed provably exposed absolute privacy beyond suspicion probable innocence possible

innocence Fig. 1. Degrees of anon ymit y: Degrees range from absolute privacy where the attac er cannot erceiv the presence of comm unication, to pr ovably exp ose where the attac er can pro the sender, receiv er, or their relationshi to others. 2. GO ALS 2.1 Anonymit As discussed in [Pfitzmann and aidner 1987], there are three yp es of anon y- mous comm unication prop erties that can pro vided: sender anon ymit receiv er anon ymit and unlink abilit of sender and receiv er. Sender anonymity means that the iden tit of the part who sen message is hidden, while its receiv er (and the

message itself migh not e. eiver anonymity similarly means that the iden tit of the receiv er is hidden. Unlinkability of sender and eiver means that though the sender and receiv er can eac iden tified as participating in some comm unication, they cannot iden tified as comm unicating with ach other second asp ect of anon ymous comm unication is the attac ers against whic these prop erties are ac hiev ed. The attac er migh an ea esdropp er that can observ some or all messages sen and receiv ed, collab orations consisting of some senders, receiv ers, and other parties, or ariations

of these [Pfitzmann and aidner 1987]. these asp ects of anon ymous comm unication, add third: the de gr of anon ymit As sho wn in Figure 1, the degree of anon ymit can view ed as an informal con tin uum. or simplicit elo describ this con tin uum with resp ect to sender anon ymit but it can naturally extended to receiv er anon ymit and unlink abilit as ell. On one end of the sp ectrum is absolute privacy absolute sender priv acy against an attac er means that the attac er can in no distinguish the situations in whic oten tial sender actually sen comm unication and those in whic it did

not. That is, sending message results in no observ able effects for the attac er. On the other end of the sp ectrum is pr ovably exp ose the iden tit of sender is pro ably exp osed if the attac er cannot only iden tify the sender of message, but can also pro the iden tit of the sender to others. or the purp oses of this pap er, the follo wing three in termediate oin ts of this sp ectrum are of in terest, listed from strongest to eak est. Bey ond suspicion senders anon ymit is ey ond suspicion if though the attac er can see evidence of sen message, the sender app ears no more lik ely to

the originator of that message than an other oten tial sender in the system. Probable inno cence sender is probably inno cen if, from the attac ers oin of view, the sender app ears no more lik ely to the originator than to not the originator. This is eak er than ey ond suspicion in that the attac er ma ha reason to exp ect that the sender is more lik ely to resp onsible than an other oten tial sender, but it still app ears at least as lik ely that the sender is not
Page 4
resp onsible. ossible inno cence sender is ossibly inno cen if, from the attac ers oin of view, there is non

trivial probabilit that the real sender is someone else. It is ossible to describ these in termediate oin ts for receiv er anon ymit and sender/receiv er unlink abilit as ell. When necessary define these in terme- diate oin ts more precisely Whic degree of anon ymit suffices for user ob viously dep ends on the user and her circumstances. Probable inno cence sender anon ymit should prev en man yp es of attac ers from acting on their suspicions (therefore oiding man abuses, e.g., cited in [Miller 1997]) due to the high probabilit that those suspicions are incorrect. Ho ev er, if the

user wishes to oid an suspicion whatso ev erincluding ev en suspicions not sufficien tly certain for the attac er to act up onthen she should insist on ey ond suspicion sender anon ymit The default degree of anon ymit on the eb for most information and attac ers is exp ose as describ ed in Section 1. All recen ersions of Netscap Na vigator and In ternet Explorer are configured to automatically iden tify the clien computer to eb serv ers, passing information including the IP address and the host platform in request headers. 2.2 What Cro wds achieves As describ ed in Section 1, our

system consists of dynamic collection of users, called cr owd These users initiate eb requests to arious eb serv ers (and receiv replies from them), and th us the users are the senders and the serv ers are the receiv ers. consider the anon ymit prop erties pro vided to an individual user against three distinct yp es of attac ers: A lo cal ea esdropp er is an attac er who can observ all (and only) comm uni- cation to and from the users computer. Collab orating cro wd mem ers are other cro wd mem ers that can ol their information and ev en deviate from the prescrib ed proto col. The end

serv er is the eb serv er to whic the eb transaction is directed. The ab descriptions are in tended to capture the full capabilities of eac at- tac er. or example, collab orating mem ers and the end serv er cannot ea esdrop on comm unication et een other mem ers. Similarly lo cal ea esdropp er cannot ea esdrop on messages other than those sen or receiv ed the users computer. lo cal ea esdropp er is in tended to mo del, e.g., an ea esdropp er on the lo cal area net ork of the user, suc as an administrator monitoring eb usage at lo cal fire- all. Ho ev er, if the same LAN also serv es the

end serv er, then the ea esdropp er is effectiv ely global, and pro vide no protections against it. The securit offered against eac of these yp es of attac ers is summarized in able and justified in the remainder of the pap er. As indicated the omission of an unlink abilit of sender and receiv er column from this table, our system serv es primarily to hide the sender or receiv er from the attac er. In this table, denotes the um er of mem ers in the cro wd (for the momen treat this as static) and denotes the probabilit of forw arding, i.e., when cro wd mem er receiv es

request, the probabilit that it forw ards the request to another mem er, rather
Page 5
able 1. Anon ymit prop erties pro vided Cro wds ttac er Sender anon ymit Receiv er anon ymit lo cal ea esdropp er exp osed (b ey ond suspicion collab oratin mem ers, probable inno cence (absolute priv acy 1) (absolute priv acy end serv er ey ond suspicion N/A than submitting it to the end serv er. is explained more fully in Section 4.) The oldface claims in the tablei.e., probable inno cence sender anon ymit against collab orating mem ers and ey ond suspicion sender anon ymit against the end serv

erare guaran tees. The probabilit of ey ond suspicion receiv er anon ymit against lo cal ea esdropp er, on the other hand, only increases to one asymptotically as the cro wd size increases to infinit Put another if the lo cal ea esdropp er is sufficien tly luc ky then it observ es ev en ts that exp ose the receiv er of eb request, and otherwise the receiv er is ey ond suspicion. Ho ev er, the probabilit that it views these ev en ts decreases as function of the size of the cro wd. Similarly senders assurance of absolute priv acy against collab orating mem ers also holds

asymptotically with probabilit one as cro wd size gro ws to infinit (for constan um er of collab orators). Th us, if the collab orators are unluc ky users ac hiev absolute priv acy pro vide more careful treatmen of these notions in Section 5. Of course, against an attac er that is comprised of or more of the attac ers describ ed ab e, our system yields degrees of sender and receiv er anon ymit that are the minim um among those pro vided against the attac ers presen t. or example, if lo cal ea esdropp er and the end serv er to whic the users request is destined collab orate in an attac

k, then our tec hniques ac hiev neither sender anon ymit nor receiv er anon ymit Another ca eat is that all of the claims of sender and receiv er anon ymit in this section, and their justifications in the remainder of this pap er, require that neither message con ten ts themselv es nor priori kno wledge of sender eha vior giv clues to the senders or receiv ers iden tit 2.3 What Cro wds do es not achieve Cro wds mak es no effort to defend against denial-of-service attac ks rogue cro wd mem ers. cro wd mem er could, e.g., accept messages from other cro wd mem- ers and refuse to

pass them along. In our system, suc denial-of-service can result from malicious eha vior, but ypically do es not result if (the pro cess represen ting) cro wd mem er fails enignly or lea es the cro wd. As result, these attac ks are detectable. More difficult to detect are activ attac ks where cro wd mem ers substitute wrong information in resp onse to eb requests that they receiv from other cro wd mem ers. Suc attac ks are inheren in an system that uses in terme- diaries to forw ard unprotected information, but fortunately they cannot utilized to compromise anon ymit directly 3. RELA TED

ORK There are basic approac hes previously prop osed for ac hieving anon ymous eb transactions. The first approac is to in terp ose an additional part (a pr oxy e-
Page 6
een the sender and receiv er to hide the senders iden tit from the receiv er. Exam- ples of suc pro xies include the Anon ymizer http://www.anonymize and the Lucen ersonalized eb Assistan [Gabb er et al. 1997] ). Cro wds pro vides protection against wider range of attac ers than pro xies do. In particular, pro xy-based systems are en tirely vulnerable to passiv attac er in con trol of

the pro xy since the attac er can monitor and record the senders and receiv ers of all comm unication. Our system presen ts no single oin at whic passiv attac can cripple all users anon ymit In addition, pro xy is ypically single oin of failure; i.e., if the pro xy fails, then anon ymous bro wsing cannot con tin ue. In Cro wds, no single failure discon tin ues all ongoing eb transactions. second approac to ac hieving anon ymous eb transactions is to use mix [Chaum 1981]. mix is actually an enhanced pro xy that, in addition to hiding the sender from the receiv er, also tak es measures to pro

vide sender and receiv er unlink abilit against global ea esdropp er. It do es so collecting messages of equal length from senders, cryptographically altering them (t ypically decrypt- ing them with its priv ate ey), and forw arding the messages to their recipien ts in differen order. These tec hniques mak it difficult for an ea esdropp er to determine whic output messages corresp ond to whic input messages. natural extension is to in terp ose se quenc of mixes et een the sender and receiv er [Chaum 1981]. sequence of mixes can tolerate colluding mixes, as an single correctly-b eha

ving mix serv er in the sequence prev en ts an ea esdropp er from linking the sender and receiv er. Mixes ha een implemen ted to supp ort man yp es of comm unication, for example electronic mail (e.g., [Gulcu and Tsudik 1996]), ISDN service [Pfitz- mann et al. 1991], and general sync hronous comm unication (including eb bro ws- ing) [Syv erson et al. 1997]. The prop erties offered Cro wds is differen from those offered mixes. As describ ed ab e, Cro wds pro vide (probable inno cence) sender anon ymit against collab orating cro wd mem ers. In con trast, in the closest

analog to this attac in ypical mix systemsi.e., group of collab orating mix serv ersmixes do not pro- vide sender anon ymit but do ensure sender and receiv er unlink abilit [Pfitzmann and aidner 1987]. Another difference is that mixes pro vide sender and receiv er unlink abilit against global ea esdropp er. Cro wds do es not pro vide anon ymit against global ea esdropp ers. Ho ev er, our in ten tion is for cro wd to span ul- tiple administrativ domains, where the existence of global ea esdropp er is un- lik ely Another difference is that mixes ypically rely on public ey

encryption, the algebraic prop erties of whic ha een exploited to break some implemen ta- tions [Pfitzmann and Pfitzmann 1990]. Cro wds unique prop erties admit ery efficien implemen tations in comparison to mixes. With mixes, the length of message routed through mix net ork gro ws prop ortionally to the um er of mixes through whic it is routed, and the mix net- ork ust pad messages to fixed lengths and generate deco messages to foil traffic analysis. Moreo er, in ypical mix implemen tation, routing message through sequence of mixes incurs cost of public ey

encryptions and priv ate ey decryptions on the critical path of the message, whic are comparativ ely exp ensiv op erations. Th us, since the unlink abilit pro vided mixes is toleran of up to mixes colluding, increasing impro es anon ymit but urts erformance. Priv acy in Cro wds can similarly enhanced increasing the erage um er of times
Page 7
request is forw arded among mem ers efore eing submitted to the end serv er, but this should impact erformance less ecause there are no public/priv ate ey op er- ations, no inflation of message transmission lengths (b ey ond small, constan

t-size header), and no deco messages needed. Another erformance adv an tage of Cro wds is that since eac user activ ely partic- ipates in the function of the cro wd, the throughput of cro wd gro ws as function of the um er of users. In fact, sho in Section that cro wd can scale al- most limitlessly (in theory), in the sense that the load on eac users computer is exp ected to remain roughly constan as new users join the cro wd. With fixed net ork of mixes, the load of eac serv er increases prop ortionally to the um er of users, with resulting linear decrease in throughput. 4. CRO WD

VERVIEW As discussed previously cro wd can though of as collection of users. user is represen ted in cro wd pro cess on her computer called jondo (pronounced John Do e and mean to con ey the image of faceless participan t). The user (or lo cal administrator) starts the jondo on the users computer. When the jondo is started, it con tacts serv er called the blender to request admittance to the cro wd. If admitted, the blender rep orts to this jondo the curren mem ership of the cro wd and information that enables this jondo to participate in the cro wd. defer further discussion of the blender

and cro wd mem ership main tenance to Section 8. The user selects this jondo as her eb pro xy sp ecifying its host name and ort um er in her eb bro wser as the pro xy for all services. Th us, an request coming from the bro wser is sen directly to the jondo. Up on receiving the first user request from the bro wser, the jondo initiates the establishmen of random ath of jondos that carries its users transactions to and from their in tended eb serv ers. More precisely the jondo pic ks jondo from the cro wd (p ossibly itself at random, and forw ards the request to it. When this jondo receiv

es the request, it flips biased coin to determine whether or not to forw ard the request to another jondo; the coin indicates to forw ard with probabilit If the result is to forw ard, then the jondo selects random jondo and forw ards the request to it, and otherwise the jondo submits the request to the end serv er for whic the request as destined. So, eac request tra els from the users bro wser, through some um er of jondos, and finally to the end serv er. ossible set of suc paths is sho wn in Figure 2. In this figure, the paths are serv er serv er serv er serv er serv er

and serv er Subsequen requests initiated at the same jondo follo the same path (except erhaps going to differen end serv er), and serv er replies tra erse the same path as the requests, only in rev erse. pseudo co de description of jondo is presen ted in Figure 3. This figure describ es thread of execution that is executed er receiv ed request. This description uses clien t-serv er terminology where one jondo is client of its successor on the path. The services that ust pro xied include Gopher, FTP HTTP and SSL. Otherwise, e.g., FTP requests triggered do wnloading eb page ould not

go through the cro wd, and ould th us rev eal the users IP address to the end serv er. Ja and Activ eX should disabled in the bro wser as ell, ecause Ja applet or Activ eX con trol em edded in retriev ed eb page could connect bac to its serv er directly and rev eal the users IP address to that serv er.
Page 8
Crowd Web Servers Fig. 2. aths in cro wd (the initiator and eb serv er of eac path are lab eled the same) or eac path, indicated ath id the alue next[path id] is the next jondo on the path. assign next jondos for paths, eac jondo main tains set Jondos of jondos that it eliev

es to activ (itself included). When it ho oses to direct the path to another jondo, it selects the next jondo uniformly at random from this set (lines 6, 16, and 26); i.e., denotes selection from the set uniformly at random. Subsequen sections shed greater ligh on the op eration of jondo and the pseudo co de description of Figure 3. or tec hnical reasons, it is con enien for the jondo at eac osition in path to hold differen path iden tifier for the path. That is, if jondo receiv es request mark ed with path id from its predecessor in path, then it replaces path id with

differen path iden tifier stored in translate[path id] efore forw arding the request to its successor (if jondo). This enables jondo that ccupies ultiple ositions on path to act indep enden tly in eac osition: if the path id remained the same along the path, then the jondo ould eha iden tically eac time it receiv ed message on the path, resulting in an infinite lo op. ath iden tifiers should unique; in our presen implemen tation, new path id() (lines and 15) returns random 128-bit alue. Omitted from the description in Figure is that fact that all comm unication et een

an jondos is encrypted using ey kno wn only to the of them. Encryption eys are established as jondos join the cro wd, as is discussed in Section 8. 5. SECURITY ANAL YSIS In this section consider the question of what information an attac er can learn ab out the senders and receiv ers of eb transactions, giv en the mec hanisms de- scrib ed in Section 4. The yp es of attac ers consider ere describ ed in Section 2. Our analysis egins with the attac ers for whic analysis is more straigh tfor-
Page 9
(1) clien t,request receiv request() (2) if (clien bro wser) (3) sanitize(request) /*

strip co okies and iden tifying headers */ (4) if (m path id /* if path id is not initialized ... */ (5) path id new path id() (6) next[m path id] Jondos (7) forw ard request(m path id) (8) else /* clien is jondo */ (9) path id remo path id(request) /* remo incoming path id */ (10) if (translate[path id] /* incoming path id is new */ (11) coin coin flip( /* tails with probabilit */ (12) if (coin heads (13) translate[path id] submit (14) else (15) translate[path id] new path id() /* set outgoing path id */ (16) next[translate[path id]] Jondos /* select next jondo at random */ (17) if

(translate[path id] submit) (18) submit request() (19) else (20) forw ard request(translate[path id]) (21) subroutine forw ard request(out path id) (22) send out path id || request to next[out path id] (23) reply ait reply( /* ait for reply or recognizable jondo failure */ (24) if (reply jondo failed) /* jondo failed */ (25) Jondos Jondos next[out path id] /* remo the jondo */ (26) next[out path id] Jondos /* assign new random jondo for this path */ (27) forw ard request(out path id) /* try again */ (28) else /* receiv ed reply from jondo */ (29) send reply to clien (30) subroutine submit

request () (31) send request to destination(request) /* send to destination eb serv er */ (32) reply ait reply(timeout) /* ait for reply timeout, or serv er failure */ (33) send reply to clien /* send reply or error message to clien */ Fig. 3. Pseudo co de description of jondo ard, namely lo cal ea esdropp er and the end serv er. This is follo ed an analysis of cro wd securit ersus collab orating jondos. 5.1 Lo cal eavesdropp er Recall that lo cal ea esdropp er is an attac er that can observ all (and only) comm unication emanating from an individual users computer. When this user initiates

request, the fact that she did so is exp osed to the lo cal ea esdropp er, since mak no effort to hide correlations et een inputs to and outputs from the initiating computer. That is, the lo cal ea esdropp er observ es that request output the users computer did not result from corresp onding input. Th us, offer no sender anon ymit against lo cal ea esdropp er. The mec hanisms describ ed do, ho ev er, ypically prev en lo cal ea esdropp er from learning the in tended receiv er of request, ecause ev ery message forw arded on path, except for the final request to the end serv

er, is encrypted. Th us, while the ea esdropp er is able to view an message emanating from the users computer, it only views message submitted to the end serv er (or equiv alen tly plain text message con taining the end serv ers address) if the users jondo ultimately submits the users request itself. Since the probabilit that the users jondo ultimately sub- mits the request is /n where is the size of the cro wd when the path as created, the probabilit that the ea esdropp er learns the iden tit of the receiv er decreases
Page 10
10 as function of cro wd size. Moreo er, when the

users jondo do es not ultimately submit the request, the lo cal ea esdropp er sees only the encrypted address of the end serv er, whic suggest yields receiv er anon ymit that is (informally) ey ond suspicion. Th us, (b ey ond suspicion) for receiv er anon ymit 5.2 End servers no consider the securit of our system against an attac the end serv er only Because the eb serv er is the receiv er, ob viously receiv er anon ymit is not ossible against this attac er. Ho ev er, the anon ymit for the path initiator is quite strong. In particular, since the path initiator first forw ards to another

jondo when creating its path (see Section 4), the end serv er is equally lik ely to receiv the initiators requests from an cro wd mem er. That is, from the end serv ers ersp ectiv e, all cro wd mem ers are equally lik ely to ha initiated the request, and so the actual initiators sender anon ymit is ey ond suspicion. It is in teresting to note that this result, as opp osed to that for collab orating jondos elo w, do es not dep end on (the probabilit of forw arding; see Section 4). Indeed, increasing exp ected path length offers no additional assurance of anon ymit against an end serv

er. 5.3 Collab rating jondos Consider set of collab orating (corrupted) jondos in the cro wd. single malicious jondo is simply sp ecial case of this attac er, and our analysis applies to this case as ell. Because eac jondo can observ plain text traffic on path routed through it, an suc traffic, including the address of the end serv er, is exp osed to this attac er. The question consider here is if the attac er can determine who initiated the path. precise, consider an path that is initiated non-collab orating mem er and on whic collab orator ccupies osition. The goal of the collab

orators is to determine the mem er that initiated the path. Assuming that the con ten ts of the comm unication do not suggest an initiator, the collab orators ha no reason to susp ect an mem er other than the one from whic they immediately receiv ed it, i.e., the mem er immediately preceding the first collab orator on the path. All other noncollab orating mem ers are eac equally lik ely to the initiator, but are also ob viously less lik ely to the initiator than the collab orators immediate predecessor. no analyze ho confiden the collab orators can that their immediate predecessor

is in fact the path initiator. Let 1, denote the ev en that the first collab orator on the path ccupies the th osition on the path, where the initiator itself ccupies the 0th osition (and ossibly others), and define +1 +2 Let denote the ev en that the first collab orator on the path is immediately preceded on the path the path initiator. Note that but the con erse is not true, ecause the initiating jondo migh app ear on the path ultiple times. Giv en this notation, the collab orators no hop to determine 1+ ), i.e., giv en that collab orator is on the path, what is the

probabilit that the path initiator is the first collab orators immediate predecessor? Refining our in tuition from Section 2, sa that the path initiator has probable inno cence if this probabilit is at most 2. Definition 5.1. The ath initiator has probable inno cence (with esp ct to sender
Page 11
11 anonymity) if 1+ In order to yield probable inno cence for the path initiator, certain conditions ust met in our system. In particular, let the probabilit of forw arding in the system (see Section 4), let denote the um er of collab orators in the cro wd, and let denote the

total um er of cro wd mem ers when the path is formed. The theorem elo giv es sufficien condition on and to ensure probable inno cence for the path initiator. Theorem 5.2. If 1) then the ath initiator has pr ob able inno- enc against ol lab or ators. Pr oof. an to sho that 1+ if 1). First note that This is due to the fact that in order for the first collab orator to ccup the th osition on the path, the path ust first ander to noncollab orators (eac time with probabilit ), eac of whic ho oses to forw ard the path with probabilit and then to collab orator (with probabilit ). The

next facts follo immediately from this. 2+ =1 1+ =0 Other probabilities need are 1, and 2+ The last of these follo ws from the observ ation that if the first collab orator on the path ccupies only the second or higher osition, then it is immediately preceded on the path an noncollab orating mem er with equal lik eliho d. No w, can captured as 2+ 2+ np cp Then, since 1+ get 1+ 1+ 1+ 1+ 1) So, if 1), then 1+ As result of Theorem 5.2, if then probable inno cence is guaran teed as long as 3( 1). More generally Theorem 5.2 implies tradeo et een the length of paths (i.e., erformance) and

abilit to tolerate collab orators. That is, making the probabilit of forw arding high, the fraction of collab orators that can tolerated approac hes half of the cro wd. On the other hand, making the probabilit
Page 12
12 of forw arding close to one-half decreases the fraction of collab orators that can tolerated. The alue of 1+ deriv ed in the pro of of Theorem 5.2 sho ws that 1+ as if are held constan t. Assuming that collab orators cannot observ path on whic they ccup no ositions, it follo ws that (absolute priv acy) for sender anon ymit and receiv er anon ymit The rate of this gro

wth, ho ev er, can slo if is large. 5.3.1 Timing attacks. So far the analysis of securit against collab orating jondos has not tak en timing attac ks in to accoun t. The ossibilit of timing attac ks in our system results from the structure of HTML, the language in whic eb pages are written. An HTML page can include URL (e.g., the address of an image) that, when the page is retriev ed, causes the users bro wser to automatically issue another request. It is the immediate nature of these requests that oses the great- est opp ortunit for timing attac ks collab orating jondos. Sp ecifically

the first collab orating jondo on path, up on returning eb page on that path con taining URL that will automatically retriev ed, can time the duration un til it receiv es the request for that URL. If the duration is sufficien tly short, then this could rev eal that the collab orators immediate predecessor is the initiator of the request. In our presen implemen tation, eliminate suc timing attac ks as follo ws. When jondo receiv es an HTML reply to request that it either receiv ed directly from users bro wser or submitted directly to an end serv eri.e., the jondo is either the

users (i.e., the path initiator) or the last jondo on the pathit parses the HTML page to iden tify all URLs that the users bro wser will automatically request as result of receiving this reply The last jondo on the path requests these URLs and sends them bac along the same path on whic the original request as receiv ed. The users jondo, up on receiving requests for these URLs from the users bro wser, do es not forw ard these requests on the path, but rather simply aits for the URLs con ten ts to arriv on the path and then feeds them to the bro wser. In this other jondos on the path nev er

see the requests that are generated the bro wser, and th us cannot glean timing information from them. Note that misb eha vior the last jondo on the path (or an in termediate jondo) can result only in denial of service, and not in successful timing attac k. In particular, if an attac king jondo inserts an em edded URL in to the returning page, the users jondo will iden tify it and exp ect the URL con ten ts to arriv e, but will not forw ard the request for the URL that the users bro wser initiates. This mec hanism prev en ts jondos other than the users from observing requests automatically

generated due to the retriev al of page. Therefore, all requests ob- serv able attac king jondos are generated explicit user action. It is conceiv able that users resp onse to page (e.g., clic king on con tained URL), if sufficien tly rapid, could rev eal to the jondo in the first osition on the path that its predecessor is the initiator of the path, in similar to ho an automatic request migh t. Ho ev er, the users resp onse ould need to extremely fastt ypically within These URLs are con tained in, for example, the src attributes of type=image> and tags, the background attributes

of and tags, the content attributes of tags, and others.
Page 13
13 fraction of second of viewing the pageto risk rev ealing this information. exp ect that suc resp onse times are unc haracteristic of uman bro wsing, and can made ev en less so educating users of this risk. If, ho ev er, this presumption turns out to incorrect, the users jondo could insert random dela er user- generated request, thereb decreasing the hances of rev ealing this information to virtually zero. The primary dra wbac of our presen approac to defending against timing at- tac ks is that it is not easily

compatible with some eb tec hnologies. or example, eb pages that con tain executable scripts, e.g., written in Ja aScript, can mak it difficult for jondo to iden tify in adv ance the URLs that bro wser will automat- ically request as result of in terpreting those pages. One to address this is for the users jondo to dela requests receiv ed from the bro wser immediately after feeding the bro wser page con taining Ja aScript. more fo olpro of defense, whic recommend, is for the user to disable Ja aScript in the bro wser when bro ws- ing via Cro wds; this can done easily via preference men

in most bro wsers. Another tec hnology that presen ts some difficulties is SSL, proto col whic eb pages can encrypted during transp ort. enable oth the users jondo and the last jondo on the path to parse SSL-retriev ed pages, the SSL connection to the eb serv er ust made the last jondo on the path. In this case, HTTP comm unication is not protected from jondos on the path, but is protected from other ea esdropp ers ecause all comm unication et een jondos is encrypted. the time of this writing, ho ev er, SSL is not supp orted Cro wds. 5.3.2 Static aths. Early in the design of Cro wds, ere

tempted to mak paths uc more dynamic than they are in the presen system, e.g., ha ving jondo use differen path for eac of its users, er time erio d, or ev en er user request. The adv an tages of more dynamic paths include the oten tial for etter erformance via load balancing among the cro wd. In this section, ho ev er, caution that dynamic paths tends to decrease the anon ymit prop erties pro vided the system against collab orating jondos. The reason is that the probable inno cence offered Theorem 5.2 anishes if the collab orators are able to link man distinct paths as eing

initiated the same jondo. Collab orating jondos migh able to link paths initiated the same unkno wn jondo based on related path con ten or timing of comm unication on paths. prev en this, made paths static, so the attac er simply do es not ha ultiple paths to link to the same jondo. see wh ultiple link ed paths initiated the same jondo could compromise its users anon ymit note that collab orating jondos ha higher probabilit of receiving eac path initiation message (i.e., the first request on the path) from the initiator of the path than from an other individual mem er (see the pro of of

Theorem 5.2). Multiple paths initiated the same users jondo therefore pinp oin that jondo as the one from whic the collab orators most often receiv the initiating messages. Put another if the collab orators iden tify paths from the same (unkno wn) initiator, then the exp ected um er of paths on whic the first collab orator is directly preceded the path initiator is 1) ). By Cherno ounds, the probabilit that the first collab orator is immediately preceded the initiator on substan tially few er of these paths is small: the first collab orator is immediately preceded the path

initiator on few er than (1 paths with
Page 14
14 probabilit only (see [Mot ani and Ragha an 1995, Theorem 4.2]). Th us, the initiator ould iden tified with high probabilit Again, it is for this reason that jondo sets up one path for all its users com- unications, and this path is altered only under circumstances. First, path is altered when failures are detected in the path. More sp ecifically paths are only rerouted when the failure of jondo is unmistak enly detected, i.e., when the jondo executes fail-stop failure [Sc hlic ting and Sc hneider 1983]. In our presen im-

plemen tation, suc failures are detected the TCP/IP connection to the jondo breaking or eing refused; jondo do es not reroute path based on simply timing out on the subsequen jondo in the path (see line 23 of Figure 3). While this in- creases our sensitivit to denial-of-service attac ks (see Section 2.3), it strengthens our promise of anon ymit to the user. reasonable question, ho ev er, is whether malicious jondo on path can feign its wn failure in hop es that the path will rerouted through collab orator, yielding information that incriminates the path initiator. ortunately the answ er is

no. If jondo in path fails (or app ears to fail), the path remains the same up un til the predecessor of that fault jondo, who reroutes the remainder of the path randomly (line 26 of Figure 3). Since the collab orating jondos cannot distinguish whether that predecessor is the originator or not, the random hoices made that predecessor yield no additional information to the collab orators. The second circumstance in whic paths are altered is when new jondos join the cro wd. The motiv ation for rerouting paths is to protect the anon ymit of joining jondo: if existing paths remained static, then

the joiners new path can easily attributed to the new jondo when it is formed. Th us, to protect joiners, all jondos forget all paths after new jondos join, and re-establish paths from scratc h. oid exp osing path initiators to the attac describ ed previously in this section, joins are group ed in to infrequen sc heduled ev en ts called join ommits (see Section 8). Once join commit ccurs, existing paths are forgotten, and the newly joined jondos are enabled to participate in the cro wd. Batc hing man joins in to single join commit limits the um er of times that paths are rerouted and th us

the um er of paths vulnerable to link age collab orators. Moreo er, eac user is alerted when join commit ccurs and is cautioned from con tin uing to bro wse con ten related to what she as bro wsing prior to the commit, lest collab orators are attempting to link paths based on that con ten t. 6. PERF ORMANCE In this section describ the erformance of Cro wds 1.0. As discussed in Section 3, erformance is one of the motiv ating factors ehind the design of Cro wds and, eliev e, strength of our approac relativ to mixes [Chaum 1981] (though there are few published erformance results for mix implemen

tations to whic to compare our results). And, while Cro wds erformance is already encouraging, it could impro ed further re-implemen ting it in compiled language suc as C. Cro wds 1.0 is implemen ted in erl (a partially in terpreted language), whic hose for its rapid protot yping capabilities and its ortabilit across Unix and Microsoft platforms. Results of erformance tests on our implemen tation are sho wn in Figures 45. In these tests, the source of requests as Netscap 3.01 bro wser configured to
Page 15
15 500 1000 1500 2000 path length page size (kbytes) msecs ath age size

(kb ytes) length 288 247 264 294 393 386 573 700 900 1157 1369 1384 692 945 1113 1316 1612 1748 814 1004 1191 1421 1623 1774 992 1205 1446 1620 1870 2007 Fig. 4. Resp onse latency (msecs) as function of path length and page size allo maxim um of sim ultaneous net ork connections. The cro wd consisted of four jondos, eac executing on separate, mo derately loaded 150 MHz Sparc 20 running SunOS 4.1.4. The eb serv er as fairly busy 133 MHz SGI orkstation running Irix 5.3 and an Apac he eb serv er. All of these computers are lo cated in T&T Labs, and th us are in close net ork pro ximit to one

another. Figure sho ws the mean latency in milliseconds of retrieving eb pages of ar- ious sizes (con taining no em edded URLs) for arious path lengths. Eac um er indicates the erage duration eginning when the users jondo receiv es the request from the bro wser and ending when the page has een written bac to the bro wser. In this figure, the path length is the um er of app ar anc es of jondos on the path. That is, if jondo app ears times on path, then this jondo con tributes to the total path length. So, for example, in Figure 2, the paths initiated jondos 1, 4, and are eac of length o,

and the paths initiated 2, 3, and are eac of length three. One observ ation can mak from Figure is that the latency sharply increases when the path length increases from one to o. The primary reason for the sharp increase is that path length of is the first length at whic encryption of page con ten ts tak es place. In path of length one (whic ould emplo ed only if there ere one cro wd mem er), the users jondo acts as simple pro xy et een the bro wser and end serv er, to strip iden tifying information from HTTP headers. In path of length o, ho ev er, oth the request and reply are

Page 16
16 passed, and encrypted, et een the jondos on the path. slo the gro wth of this latency as the path gets longer, this encryption is erformed using ath key whic is ey shared among all jondos on path. path ey is created the jondo initiating the path, and eac jondo on path forw ards it to the next jondo encrypting the path ey with ey it shares with the next jondo (see Section 8). The existence of path ey enables requests to encrypted at the jondo initiating the path, decrypted the last jondo in the path, and passed in termediate jondos without encrypting or decrypting the

requests. Similarly replies are encrypted at the last jondo in the path, and decrypted only at the jondo where the path as initiated. The cryptographic op erations are erformed using an efficien stream cipher, allo wing some of the encrypting and decrypting streams for the reply to generated while the jondos are aiting for the reply from the eb serv er. Ho ev er, since ev en this cipher is implemen ted in erl for ortabilit it remains ottlenec in our implemen tation. Figure sho ws the mean latency in milliseconds of retrieving, via paths of arious differen lengths, pages con taining

URLs that are automatically retriev ed the bro wser (see Section 5.3.1). In these tests, eac em edded URL is the address of 1-kilob yte image residen on the same serv er as the page that referenced it. Eac um er indicates the erage duration eginning when the users jondo receiv es the initial request from the bro wser and ending when the jondo finishes writing the page and all of the images on the page to the bro wser. It is clear from Figure that the um er of images considerably impacts the latency of resp onses. Though this is to exp ected in general, this effect is particularly

pronounced in our implemen tation, and is due primarily to encryption costs. Moreo er, returning images on the path has the effect of serializing their retriev al, whic further increases the latency er that ac hiev ed mo dern bro wsers alone (whic use sev eral net ork connections to retriev ultiple images concurren tly). Because paths (and th us path lengths) are established randomly at run time, the user cannot ho ose her path length to predict the request latency she exp eriences. Ho ev er, the exp ected path length can influenced mo difying the alue i.e., the probabilit that

jondo forw ards to another jondo ersus submitting to the end serv erat all jondos. Sp ecifically if 1, the exp ected length of path is (1 =0 2)( (1 =0 =0 (1 (1 This suggests that ultiple yp es of cro wds should exist: those emplo ying small for etter erformance but less resilience to collab orating jondos (see Theorem 5.2), and those using large to increase securit with cost to erformance. erformance seen in practice ma differ from Figures and 5, dep ending on the platforms running jondos and the sp eed of net ork connectivit et een jondos. In particular, jondo connected to the In

ternet via slo mo dem link considerably
Page 17
17 10 15 20 25 4000 6000 8000 10000 12000 path length 1-kbyte images msecs ath Num er of 1-kb yte images length 10 15 20 25 2069 4200 5866 7219 8557 3313 4915 6101 8195 10994 4127 5654 7464 9611 11809 4122 6840 8156 10380 11823 4508 7644 9388 11889 13438 Fig. 5. Resp onse latency (msecs) as function of path length and um er of em edded images impacts latencies on paths that use it. Again, this suggests ultiple yp es of cro wds, namely ones con taining only jondos connected via fast links, and ones allo wing jondos connected via slo er

links. 7. SCALE The um ers in Section giv little insigh in to ho erformance is affected as cro wd size gro ws. do not ha sufficien resources to measure the erformance of cro wd in olving undreds of computers, eac sim ultaneously issuing requests. Ho ev er, in this section mak some simple analytic argumen ts to sho that the erformance should scale ell. The measure of scale that ev aluate is the exp ected total um er of app earances that eac jondo mak es on all paths at an oin in time. or example, if jondo ccupies ositions on one path and one osition on another, then it mak es total

of three app earances on these paths. Theorem 7.1 sa ys that the eac jondos exp ected um er of app earances on paths is virtually constan as function of the size of the cro wd. This suggests that cro wds should able to gro quite large. Theorem 7.1. In cr owd of size the exp cte total numb er of app ar anc es that any jondo makes on al aths is (1 (1 Pr oof. Let the size of the cro wd. compute the load on jondo, sa egin computing the distribution of the um er of app earances made
Page 18
18 on eac path. Let 0, denote the ev en that this path reac hes exactly times (not coun ting the

first if initiated the path). Also, define as follo ws: (1 =0 (1 In tuitiv ely is the probabilit that the path, once it has reac hed will nev er reac again. Then, ha =0 (1 =0 (1 =0 (1 +1 rom this, the exp ected um er of app earances that mak es on path formed another jondo is ounded from ab y: =0 1) 1) (1 1)) 1) (1 1)) (1 )( 1) ((1 )( 1)) (1 1) Therefore, the exp ected um er of app earances that mak es on all paths is ounded from ab y: (1 1) (1 8. CRO WD MEMBERSHIP The mem ership main tenance pro cedures of cro wd are those pro cedures that de- termine who can join the cro wd and

when they can join, and that inform mem ers of the cro wd mem ership. discuss mec hanisms for main taining cro wd mem ership in Section 8.1, and olicies regarding who can join cro wd in Section 8.2. 8.1 Mechanism There are man sc hemes that could adopted to manage mem ership of the cro wd. Existing gr oup memb ership pr oto ols toleran either of enign (e.g., [Cristian 1991;
Page 19
19 Ricciardi and Birman 1991; Moser et al. 1991]) or malicious [Reiter 1996b] faults, can used for main taining consisten view of the mem ership among all jondos, and the mem ers could use oting to

determine whether an authen ticated prosp ec- tiv mem er should admitted to the cro wd. Indeed, similar approac has een adopted in prior ork on secure pro cess groups [Reiter et al. 1994]. While pro viding robust distributed solutions, these approac hes ha the disadv an tages of incurring significan erhead and of pro viding seman tics that are arguably to strong for the application at hand. In particular, hallmark of these approac hes is guaran teed consisten view of the group mem ership among the group mem ers, whereas it is unclear whether suc strong guaran tee is required here. In our

presen implemen tation ha therefore opted for simpler, cen tralized solution. Mem ership in cro wd is con trolled and rep orted to cro wd mem ers serv er called the blender mak use of the blender (and th us the cro wd), the user ust establish an ac ount with the blender, i.e., an accoun name and passw ord that the blender stores. When the user starts jondo, the jondo and the blender use this shared passw ord to authen ticate eac others comm unication. As result of that comm unication (and if the blender accepts the jondo in to the cro wd; see Section 8.2), the blender adds the new jondo

(i.e., its IP address, ort um er, and accoun name) to its list of mem ers, and rep orts this list bac to the jondo. In addition, the blender generates and rep orts bac list of shared eys, eac of whic can used to authen ticate another mem er of the cro wd. The blender then sends eac ey to the other jondo that is in tended to share it (encrypted under the accoun passw ord for that jondo) and informs the other jondo of the new mem er. this oin all mem ers are equipp ed with the data they need for the new mem er to participate in the cro wd. Ho ev er, to protect itself from attac ks describ ed in

Section 5.3.2, the new mem er refrains from doing so un til it receiv es join commit message from the blender. This is discussed further in Section 8.2. Eac mem er main tains its wn list of the cro wd mem ership. This list is ini- tialized to that receiv ed from the blender when the jondo joins the cro wd, and is up dated when the jondo receiv es notices of new or deleted mem ers from the blender. The jondo can also remo jondos from its list of cro wd mem ers, if it detects that those jondos ha failed (see line 25 of Figure 3). This allo ws for eac jondos list to div erge from others if

differen jondos ha detected differen failures in the cro wd. This app ears to ha little qualitativ effect on our securit analysis of Section 5, unless attac ers are able to prev en comm unications et een correct jondos to the exten that eac remo es the correct jondos from its list of mem ers. disadv an tage of this approac to mem ership main tenance is that the blender is trusted third part for the purp oses of ey distribution and mem ership rep orting. ec hniques exist for distributing trust in suc third part among man third part replicas, in that the corruption of some

fraction of the replicas can tolerated (e.g., [Desw arte et al. 1991; Gong 1993; Reiter 1996a]). In its presen t, non-replicated form, ho ev er, the blender is est executed on secure computer, e.g., with login access ailable only at the console. Ev en though it is trusted third part for some functions, note that users HTTP comm unication is not routed through the blender, and th us passiv attac on the blender do es not immediately rev eal users eb transactions (unlik the Anon ymizer; see Section 3). Moreo er, the failure of the blender do es not in terfere with ongoing eb transactions (again

Page 20
20 unlik the Anon ymizer). an ticipate that in future ersions of Cro wds, jondos will establish shared eys using Diffie-Hellman ey exc hange [Diffie and Hellman 1976], where the blender serv es only to distribute the Diffie-Hellman public eys of cro wd mem ers. This will eliminate the presen reliance on the blender for ey generation. 8.2 olicy It is imp ortan in ligh of Section that some degree of con trol er cro wd mem- ership main tained. First, if an one can add arbitrarily man jondos to cro wd, then single attac er could launc enough collab orating jondos

so that 1), at whic oin Theorem 5.2 no longer offers protection. Sec- ond, since joins cause paths to re-routed (see Section 5.3.2), if joins are allo ed to ccur frequen tly and without con trols, then paths ma re-routed sufficien tly frequen tly to allo collab orating jondos to moun the correlation attac describ ed in Section 5.3.2. In our presen implemen tation, the blender serv es as the oin at whic joins to the cro wd are con trolled. address the latter concern, the blender batc hes joins together so they ccur in one sc heduled, discrete ev en called join ommit The sc hedule of

join commits is configurable parameter of the blender, but en vision that one commit er da should ypically suffice. The blender informs all cro wd mem ers of the join commit, at whic oin all newly joined mem ers are enabled to participate in the cro wd and all old mem ers reset their paths, as describ ed in Section 5.3.2. The need to limit the um er of collab orators that join the cro wd suggests that differen yp es of cro wds will exist. The first yp ould consist of relativ ely small (e.g., 1030) collection of individuals who, based on ersonal kno wledge of eac other,

agree to form cro wd together. Eac mem er ould allo ed to include at most one jondo in the cro wd. More precisely eac erson ould giv en one accoun t, and only one jondo er accoun ould allo ed. Eac mem ers ersonal kno wledge of the other mem ers enables her to trust that sufficien tly few mem ers collab orate to ensure that 1). The second yp of cro wd ould uc larger public cro wd, admitting mem ers that migh not kno wn to substan tial fraction of the presen mem er- ship. The priv acy offered the cro wd against collab orating mem ers ould rely on the size of the cro wd eing so large

that an attac aimed at making 1) ould require considerable effort to go undetected. That is, limiting eac user to one accoun (e.g., the blender administrator sets up an accoun for user only after receiving written, notarized request from that user) and eac accoun to one jondo, and monitoring and limiting the um er of jondos on an one net- ork (using IP address), the attac er ould forced to launc jondos using man differen iden tities and on man differen net orks to succeed. 9. USER INTERF CE In our presen implemen tation, there are sev eral ys in whic user in teracts with her

jondo, i.e., the jondo that serv es as the HTTP pro xy of her bro wser. (1) The user can issue cr owd query app ending ?crowd? to the end of an URL that she requests. This returns list of all of the activ jondos in the cro wd,
Page 21
21 Fig. 6. Cro wd query: cro wd query sho ws the jondos that are ailable, and indicates whic one is acting as the users HTTP pro xy for the bro wser. according to her jondo. The information includes eac jondos accoun name, its IP address and its ort um er. An example is sho wn in Figure 6. (2) When user is bro wsing via the cro wd, the ord Cr owd: is

prep ended to the title of eac page. Th us, user can hec whether or not she is using the cro wd lo oking at the title of the do cumen ts in the bro wser. Of course, eb serv er could add this ord to the title of an do cumen to fo ol the user, and so this alone should not relied up on. (3) Cro wds offers other informational pages to the user via the bro wser, similar to Figure 6. or example, Cro wds alerts the user when join commit ccurs. The sa vvy Cro wds user can also fine-tune her jondos eha vior of configuration file that defines the eha vior of her jondo.

This configuration file includes, for example, parameter settings to allo or disallo the passage of okies i.e., data that eb serv er can do wnload to the users bro wser and that the users bro wser will include in subsequen requests to that serv er. By default, jondo strips all co okies out of requests it receiv es from bro wsers in order to etter protect its users priv acy but the jondo can configured to let co okies pass. Other configurable parameters of jondo include, for example, the host and ort of the cro wd blender, and the accoun name and passw ord under whic

the jondo requests
Page 22
22 admission to the cro wd. In the future, other configuration options ma added to giv the user further con trol er her jondo. or example, parameter could included to define threshold so that if the um er of cro wd mem ers drops elo this alue, then the user is alerted to this fact. Other parameters could included that sp ecify whic HTTP headers are allo ed to pass in requests (presen tly jondo strips an that con tain information haracterizing the user or her platform) or what yp es of con ten (e.g., Ja a, Ja aScript) are allo ed to pass in to

the bro wser. 10. FIREW ALLS Firew alls presen problem for Cro wds. Lik all net ork serv ers, jondos are iden- tified their IP address and ort um er. Most corp orate firew alls do not allo incoming connections on orts other than few ell-kno wn ones. Th us, fire- all will generally prev en jondo outside the firew all from connecting to another ehind the firew all. or this reason, firew alls represen barrier to wide-scale in ter-corp oration adoption of Cro wds. Since most firew alls are configured to allo outgoing connections on an ort, it is

still ossible for jondo to initiate path that go es outside the firew all and ev en tually to eb serv ers. Ho ev er, the firew all giv es the first jondo on the path outside that domain to erify that the initiating computer resides within the domain: it simply tries to op en connection bac to its predecessor on the path, and if that fails, then the path ust ha originated in the predecessors domain. Th us, cro wd mem er ehind firew all is not offered the same anon ymit as those that are not. It is conceiv able that if Cro wds ecomes widespread, and there is demand

for sp ecial reserv ed ort, that firew alls can op en this ort and allo jondos to comm u- nicate. Un til then, Cro wds will most useful across academic institutions, as service pro vided In ternet service pro viders, and within large corp orations. 11. CONCLUSION In this pap er ha presen ted no el approac to protecting users priv acy while retrieving information on the orld-wide-w eb, and system that implemen ts it. Our approac orks grouping eb users in to geographically div erse collection, called cr owd whic retriev es information on its users ehalf of simple randomized routing proto

col. Using de gr es of anonymity ha haracterized the anon ymit prop erties pro vided this proto col against sev eral classes of at- tac ers. ha also describ ed the Cro wds system that ha implemen ted, the measures it tak es to defend against arious attac ks resulting from the the eb orks to da and the erformance, scalabilit and limitations of our system. The principles ehind our system can more broadly applied for anon ymizing other forms of comm unication. the time of this writing, ha distributed er 450 copies of the Cro wds co de free-of-c harge in resp onse to user requests, and are main

taining the blender for an activ cro wd on the In ternet. Information ab out obtaining the Cro wds co de can found at http://www.resea rch.a m/pro jects /crow ds
Page 23
23 Ackno wledgements thank Gerrit Bleumer, Marc Briceno, Hal Finney Ian Goldb erg, Da vid Gold- sc hlag, Raph Levien, Jim McCo abian Monrose, Mic hael Reed, aul Syv erson, and Da vid agner for man aluable suggestions regarding Cro wds and this pap er. REFERENCES Brier, S. 1997. Ho to eep our priv acy: Battle lines get clearer. The New ork Times Jan uary 13, 1997. Cha um, D. 1981. Un traceable electronic mail,

return addresses, and digital pseudon yms. Communic ations of the CM 24 (F ebruary), 8488. Cristian, F. 1991. Reac hing agreemen on pro cessor group mem ership in sync hronou distributed systems. Distribute Computing 175187. Desw ar te, Y., Blain, L., and abre, J. 1991. In trusion tolerance in distributed com- puting systems. Pr dings of the 1991 IEEE Symp osium on ese ar ch in Se curity and Privacy 110121. Diffie, W. and Hellman, M. E. 1976. New directions in cryptograph IEEE ansactions on Information The ory 22 6. Gabber, E., Gibbons, P., Ma tias, Y., and Ma yer, A. 1997. Ho to mak

ersonalized eb bro wsing simple, secure, and anon ymous. Pr dings of Financial Crypto gr aphy 97 Gong, L. 1993. Increasing ailabilit and securit of an authen ticatio service. IEEE Jour- nal on Sele cte as in Communic ations 11 (June), 657662. Gulcu, C. and Tsudik, G. 1996. Mixing e-mail with BABEL. Symp osium on Network and Distribute System Se curity 216. Hickman, K. E. B. and Elgamal, T. 1995. The SSL proto col. Internet dr aft dr aft- hickman-netsc ap e-ssl-01.txt Miller, L. 1997. No solitude in cyb erspace USA day June 9, 1997. Moser, L. E., Melliar-Smith, P. M., and gra ala, V. 1991.

Mem ership algorithms for async hronous distributed systems. Pr dings of the 11th International Confer enc on Distribute Computing Systems 480488. Motw ani, R. and Ra gha an, P. 1995. andomize lgorithms Cam bridge Univ ersit Press. Pfitzmann, A. and Pfitzmann, B. 1990. Ho to break the direct RSA-implemen tation of mixes. dvanc es in Cryptolo gyEUR OCR YPT 89 373381. Pfitzmann, A., Pfitzmann, B., and aidner, M. 1991. ISDN-mixes: Un traceable com- unication with ery small bandwidth erhead. GI/ITG Confer enc e: Communic ation in Distribute Systems 451463. Pfitzmann, A. and aidner, M. 1987.

Net orks without user observ abilit Computers Se curity 6, 158166. Reiter, M. K. 1996a. Distributing trust with the Rampart to olkit. Communic ations of the CM 39 (April), 7174. Reiter, M. K. 1996b. secure group mem ership proto col. IEEE ansactions on Soft- war Engine ering 22 (Jan uary), 3142. Reiter, M. K., Birman, K. P., and an Renesse, R. 1994. securit arc hitecture for fault-tolera systems. CM ansactions on Computer Systems 12 (No em er), 340 371. Ricciardi, A. M. and Birman, K. P. 1991. Using pro cess groups to implemen failure de- tection in async hronous en vironmen ts. Pr dings of

the 10th CM Symp osium on Prin- ciples of Distribute Computing 341351. Schlichting, R. D. and Schneider, F. B. 1983. ail-stop pro cessors: An approac to designing fault-toleran computing systems. CM ansactions on Computer Systems (August), 222238. Syverson, P. F., Goldschla g, D. M., and Reed, M. G. 1997. Anon ymous connection and onion routing. Pr dings of the 1997 IEEE Symp osium on Se curity and Privacy