On anonymity in an electronic society: A survey of anonymous communication systems

The past two decades have seen a growing interest in methods for anonymous communication on the Internet, both from the academic community and the general public. Several system designs have been proposed in the literature, of which a number have been implemented and are used by diverse groups, such as journalists, human rights workers, the military, and ordinary citizens, to protect their identities on the Internet. In this work, we survey the previous research done to design, develop, and deploy systems for enabling private and anonymous communication on the Internet. We identify and describe the major concepts and technologies in the field, including mixes and mix networks, onion routing, and Dining Cryptographers networks. We will also review powerful traffic analysis attacks that have motivated improvements and variations on many of these anonymity protocols made since their introduction. Finally, we will summarize some of the major open problems in anonymous communication research and discuss possible directions for future work in the field.

[1]  George Danezis,et al.  Mixminion: design of a type III anonymous remailer protocol , 2003, 2003 Symposium on Security and Privacy, 2003..

[2]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[3]  Anton Stiglic,et al.  Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems , 2001, Information Hiding.

[4]  Ian Goldberg,et al.  A pseudonymous communications infrastructure for the internet , 2000 .

[5]  Birgit Pfitzmann,et al.  How to Break the Direct RSA-Implementation of Mixes , 1990, EUROCRYPT.

[6]  Paul F. Syverson,et al.  Improving Efficiency and Simplicity of Tor Circuit Establishment and Hidden Services , 2007, Privacy Enhancing Technologies.

[7]  Pankaj Rohatgi,et al.  Can Pseudonymity Really Guarantee Privacy? , 2000, USENIX Security Symposium.

[8]  George Danezis,et al.  Heartbeat traffic to counter (n-1) attacks: red-green-black mixes , 2003, WPES '03.

[9]  Gene Tsudik,et al.  Towards an Analysis of Onion Routing Security , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[10]  Andrew Hintz,et al.  Fingerprinting Websites Using Traffic Analysis , 2002, Privacy Enhancing Technologies.

[11]  G Danezis,et al.  Statistical disclosure attacks: Traffic confirmation in open environments , 2003 .

[12]  David Mazières,et al.  Tangler: a censorship-resistant publishing system based on document entanglements , 2001, CCS '01.

[13]  Dan Boneh,et al.  Almost entirely correct mixing with applications to voting , 2002, CCS '02.

[14]  Markus Jakobsson,et al.  Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking , 2002, USENIX Security Symposium.

[15]  George Danezis,et al.  Heartbeat Traffic to Counter (n-1) Attacks , 2004 .

[16]  Nick Mathewson,et al.  The pynchon gate: a secure method of pseudonymous mail retrieval , 2005, WPES '05.

[17]  Riccardo Bettati,et al.  On Flow Correlation Attacks and Countermeasures in Mix Networks , 2004, Privacy Enhancing Technologies.

[18]  Jeremy Clark,et al.  Usability of anonymous web browsing: an examination of Tor interfaces and deployability , 2007, SOUPS '07.

[19]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2007, TSEC.

[20]  Dogan Kesdogan,et al.  Stop-and-Go-MIXes Providing Probabilistic Anonymity in an Open System , 1998, Information Hiding.

[21]  Micah Adler,et al.  Defending anonymous communications against passive logging attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[22]  Emin Gün Sirer,et al.  Herbivore: A Scalable and Efficient Protocol for Anonymous Communication , 2003 .

[23]  Steven J. Murdoch,et al.  Sampled Traffic Analysis by Internet-Exchange-Level Adversaries , 2007, Privacy Enhancing Technologies.

[24]  Ian Clarke,et al.  Freenet: A Distributed Anonymous Information Storage and Retrieval System , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[25]  Ian Goldberg,et al.  Pairing-Based Onion Routing , 2007, Privacy Enhancing Technologies.

[26]  Markus G. Kuhn,et al.  Real World Patterns of Failure in Anonymity Systems , 2001, Information Hiding.

[27]  Eyal Kushilevitz,et al.  Private information retrieval , 1998, JACM.

[28]  George Danezis,et al.  Statistical Disclosure Attacks , 2003, SEC.

[29]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[30]  Carmela Troncoso,et al.  Two-Sided Statistical Disclosure Attack , 2007, Privacy Enhancing Technologies.

[31]  Roger Dingledine,et al.  On the Economics of Anonymity , 2003, Financial Cryptography.

[32]  Nikita Borisov,et al.  Breaking the Collusion Detection Mechanism of MorphMix , 2006, Privacy Enhancing Technologies.

[33]  George Danezis,et al.  Statistical Disclosure or Intersection Attacks on Anonymity Systems , 2004, Information Hiding.

[34]  Vitaly Shmatikov,et al.  Synchronous Batching: From Cascades to Free Routes , 2004, Privacy Enhancing Technologies.

[35]  Bart Preneel,et al.  Taxonomy of Mixes and Dummy Traffic , 2004, International Information Security Workshops.

[36]  Aravind Srinivasan,et al.  P/sup 5/ : a protocol for scalable anonymous communication , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[37]  Roger Dingledine,et al.  Blending Different Latency Traffic with Alpha-mixing , 2006, Privacy Enhancing Technologies.

[38]  R. Anderson The Eternity Service , 1996 .

[39]  Lorrie Faith Cranor,et al.  Publius: A Robust, Tamper-Evident, Censorship-Resistant, and Source-Anonymous Web Publishing System , 2000, USENIX Security Symposium.

[40]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[41]  Jedidiah R. Crandall,et al.  ConceptDoppler: a weather tracker for internet censorship , 2007, CCS '07.

[42]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[43]  Roger Dingledine,et al.  The Free Haven Project: Distributed Anonymous Storage Service , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[44]  Nick Mathewson,et al.  Anonymity Loves Company: Usability and the Network Effect , 2006, WEIS.

[45]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[46]  Birgit Pfitzmann,et al.  The Dining Cryptographers in the Disco - Underconditional Sender and Recipient Untraceability with Computationally Secure Serviceability (Abstract) , 1990, EUROCRYPT.

[47]  Bernhard Plattner,et al.  Introducing MorphMix: peer-to-peer based anonymous Internet usage with collusion detection , 2002, WPES '02.

[48]  Paul F. Syverson,et al.  Hiding Routing Information , 1996, Information Hiding.

[49]  Anna Cartoon , 1999, HMD Prax. Wirtsch..

[50]  George Danezis,et al.  The Traffic Analysis of Continuous-Time Mixes , 2004, Privacy Enhancing Technologies.

[51]  Aravind Srinivasan,et al.  P/sup 5/ : a protocol for scalable anonymous communication , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[52]  Nick Mathewson,et al.  Practical Traffic Analysis: Extending and Resisting Statistical Disclosure , 2004, Privacy Enhancing Technologies.

[53]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[54]  Dakshi Agrawal,et al.  Limits of Anonymity in Open Environments , 2002, Information Hiding.

[55]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[56]  Luke O'Connor On Blending Attacks for Mixes with Memory , 2005, Information Hiding.

[57]  Gene Tsudik,et al.  Mixing E-mail with Babel , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[58]  Sameer Parekh Prospects for Remailers , 1996, First Monday.

[59]  George Danezis,et al.  Introducing Traffic Analysis , 2007 .

[60]  Peter Sewell,et al.  Passive Attack Analysis for Connection-Based Anonymity Systems , 2003, ESORICS.

[61]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[62]  U Moeller,et al.  Mixmaster Protocol Version 2 , 2004 .

[63]  Claudia Díaz,et al.  Generalising Mixes , 2003, International Symposium on Privacy Enhancing Technologies.

[64]  Nick Feamster,et al.  Location diversity in anonymity networks , 2004, WPES '04.

[65]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[66]  Nick Mathewson,et al.  Deploying Low-Latency Anonymity: Design Challenges and Social Factors , 2007, IEEE Security & Privacy.

[67]  Nick Mathewson,et al.  Challenges in deploying low-latency anonymity , 2005 .

[68]  J. Doug Tygar,et al.  Electronic Auctions with Private Bids , 1998, USENIX Workshop on Electronic Commerce.

[69]  Micah Adler,et al.  The predecessor attack: An analysis of a threat to anonymous communications systems , 2004, TSEC.

[70]  Michael K. Reiter,et al.  Crowds: anonymity for Web transactions , 1998, TSEC.

[71]  Lili Qiu,et al.  Statistical identification of encrypted Web browsing traffic , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[72]  G. Danezis,et al.  Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity , 2007 .

[73]  Nikita Borisov,et al.  A Tune-up for Tor: Improving Security and Performance in the Tor Network , 2008, NDSS.

[74]  Robert Tappan Morris,et al.  Tarzan: a peer-to-peer anonymizing network layer , 2002, CCS '02.

[75]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[76]  Shlomi Dolev,et al.  Buses for Anonymous Message Delivery , 2003, Journal of Cryptology.

[77]  Stefan Köpsell,et al.  How to achieve blocking resistance for existing systems enabling anonymous web surfing , 2004, WPES '04.

[78]  Jean-François Raymond,et al.  Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[79]  Andrei Serjantov,et al.  Nonesuch: a mix network with sender unobservability , 2006, WPES '06.

[80]  Robert N. M. Watson,et al.  Ignoring the Great Firewall of China , 2006, Privacy Enhancing Technologies.

[81]  YenerBülent,et al.  On anonymity in an electronic society , 2009 .

[82]  George Danezis Mix-Networks with Restricted Routes , 2003, Privacy Enhancing Technologies.

[83]  Kazue Sako,et al.  Receipt-Free Mix-Type Voting Scheme - A Practical Solution to the Implementation of a Voting Booth , 1995, EUROCRYPT.

[84]  Andreas Pfitzmann,et al.  Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[85]  Andreas Pfitzmann,et al.  The Disadvantages of Free MIX Routes and how to Overcome Them , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[86]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[87]  Paul F. Syverson,et al.  Locating hidden servers , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[88]  Peter Palfrader,et al.  Mixmaster protocol --- version 2 , 2000 .

[89]  Aviel D. Rubin,et al.  Publius: a robust, tamper-evident, censorship-resistant web publishing system , 2000 .

[90]  Ari Juels,et al.  Dining Cryptographers Revisited , 2004, EUROCRYPT.

[91]  Roger Dingledine,et al.  From a Trickle to a Flood: Active Attacks on Several Mix Types , 2002, Information Hiding.

[92]  Matthew K. Wright,et al.  Salsa: a structured approach to large-scale anonymity , 2006, CCS '06.

[93]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[94]  I. S. Moskowitz,et al.  Metrics for Traffic Analysis Prevention , 2003 .

[95]  Oliver Berthold,et al.  Dummy Traffic against Long Term Intersection Attacks , 2002, Privacy Enhancing Technologies.

[96]  George Danezis,et al.  Denial of service or denial of security? , 2007, CCS '07.

[97]  Hannes Federrath,et al.  Web MIXes: A System for Anonymous and Unobservable Internet Access , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[98]  共立出版株式会社 コンピュータ・サイエンス : ACM computing surveys , 1978 .

[99]  Dogan Kesdogan,et al.  The Hitting Set Attack on Anonymity Protocols , 2004, Information Hiding.

[100]  Zach Brown Cebolla: Pragmatic IP Anonymity , 2010 .

[101]  Richard E. Newman,et al.  On the Anonymity of Timed Pool Mixes , 2003, SEC.

[102]  Jan Camenisch,et al.  Compact E-Cash , 2005, EUROCRYPT.