Measuring Anonymity: The Disclosure Attack

Abstract

ing Mixes

Because an adversary can easily determine anonymity sets at the network level, Mixes assume that all network links are observable. Thus, by observing messages to and from an anonymity service, an attacker can determine anonymity sets. Rather than discuss the technical details of any anonymity technique here, we abstract them using the following properties [2]:

• In each anonymous communication, a subset A′ of all senders A sends a message to a subset B′ of all recipients B, that is, A′ ⊂ A and B′ ⊂ B, as Figure 1 illustrates. In a particular system, the set of all senders A can be the same as the set of all recipients B.
• The size of the sender anonymity set is |A′| = b, where 1 ≤ b << |A|.
• The size of the recipient anonymity set is |B′| = n, where 1 ≤ n << |B| and n ≤ b, that is, several senders can communicate with the same recipient.

The typical values for |A|, |B|, |A′|, and |B′| vary from implementation to implementation and with the environment in which they operate. Stefan Köpsell, Hannes Federrath, and Marit Hansen present an implementation they call Web-Mixes, in which |A| is around 20,000 [5]. They don’t give typical values for |A′| for Web-Mixes, but we generally expect |A′| < 100.

Attack model

We model attacks by considering a bipartite graph G = (A ∪ B, E) with partite sets A and B. The set of edges E describes the hidden relationships between senders and recipients, that is, a sender a and a recipient b are connected by an edge if b is a recipient of the messages sent by a. An intruder or adversary must reconstruct the portion of the bipartite graph connected directly to a targeted sender by discovering its edges, as Figure 2 shows. We assume the attacker in our model notices each anonymous communication act.

Each act gives the adversary a randomly selected A′ and B′ (that is, A′ ⊂ A and

http://computer.org/security/ ■ IEEE SECURITY & PRIVACY 3

A Mix is an intermediary relay station that hides a message’s appearance, including its bit pattern and length. It also hides the temporal relationships (or order) among incoming and outgoing messages. An ideal Mix implementation prevents even an omnipresent attacker (an attacker that observes all incoming and outgoing lines) from linking an incoming message to an outgoing one.

For example, say Alice generates a message MessageBob to Bob with constant length (add padding bits or split). A sender protocol recursively encrypts the message with public keys cBob and cMix:

[[Bob, MessageBob]] := cMix(RN, Bob, cBob(MessageBob)).

This act is similar to enclosing a letter in successive envelopes starting with the recipient. Padding a one-time random number RN within the encryption will avoid replay attacks.

A Mix hides the message’s appearance by decrypting it with a private key dMix and stripping off the unique random numbers:

cMix(RN, Bob, cBob(MessageBob)) → Bob, cBob(MessageBob).

Using the letter analogy, the Mix removes the outermost envelope and finds the inner envelope with the recipient’s address. Next, the Mix forwards the inner envelope to the intended recipient after reordering the incoming messages.

To hide a message’s order, the Mix collects three messages from distinct users, [[Bob, MessageBob]], [[Dave, MessageDave]], [[Cleo, MessageCleo]], and forwards them (after decryption) randomly. An attacker observing all incoming and outgoing lines from the Mix can only deduce that Alice has communicated with one of the individuals {Bob, Dave, Cleo}.

Mix in Action
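A structural model of the Mix described above, added here as an illustration and not taken from the article. `Sealed`, `open_sealed`, `wrap` and `ThresholdMix` are hypothetical names, `Sealed` only stands in for public-key encryption (it is not cryptography), and dropping an envelope whose RN was already seen is an assumption about how the Mix uses RN.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    """Stand-in for c_X(...): records whose private key opens it. Not real crypto."""
    key_owner: str
    content: tuple

def open_sealed(owner, box):
    # Models decryption with the owner's private key (d_Mix, d_Bob, ...).
    if box.key_owner != owner:
        raise PermissionError("wrong private key")
    return box.content

def wrap(recipient, message, rn):
    # [[Bob, MessageBob]] := cMix(RN, Bob, cBob(MessageBob))
    return Sealed("Mix", (rn, recipient, Sealed(recipient, (message,))))

class ThresholdMix:
    """Collects batch_size envelopes from distinct senders, then flushes shuffled."""
    def __init__(self, batch_size=3, rng=None):
        self.batch_size = batch_size
        self.rng = rng or random.Random()
        self.seen_rn = set()   # RNs already processed (assumed replay filter)
        self.pool = []         # (sender, recipient, inner envelope)

    def receive(self, sender, envelope):
        """Return (observation, deliveries) when the batch flushes, else None."""
        rn, recipient, inner = open_sealed("Mix", envelope)
        if rn in self.seen_rn:
            return None        # replayed envelope is dropped
        if any(s == sender for s, _, _ in self.pool):
            return None        # one message per user in a batch
        self.seen_rn.add(rn)
        self.pool.append((sender, recipient, inner))
        if len(self.pool) < self.batch_size:
            return None
        batch, self.pool = self.pool, []
        deliveries = [(r, i) for _, r, i in batch]
        self.rng.shuffle(deliveries)          # hide arrival order
        # What an observer of all lines learns: the sets A' and B', not the edges.
        observation = ({s for s, _, _ in batch}, {r for r, _ in deliveries})
        return observation, deliveries
```

The observation returned at each flush is the pair (A′, B′) of the model: with two senders writing to the same recipient, |B′| = n is smaller than |A′| = b.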


Similar resources

Probabilistic Treatment of MIXes to Hamper Traffic Analysis

The goal of anonymity providing techniques is to preserve the privacy of users, who has communicated with whom, for how long, and from which location, by hiding traffic information. This is accomplished by organizing additional traffic to conceal particular communication relationships and by embedding the sender and receiver of a message in their respective anonymity sets. If the number of over...


STATISTICAL DISCLOSURE ATTACKS Traffic Confirmation in Open Environments

An improvement over the previously known disclosure attack is presented that allows, using statistical methods, to effectively deanonymize users of a mix system. Furthermore the statistical disclosure attack is computationally efficient, and the conditions for it to be possible and accurate are much better understood. The new attack can be generalized easily to a variety of anonymity systems be...


An Enhanced K-Anonymity Model against Homogeneity Attack

k-anonymity is an important model in the field of privacy protection and it is an effective method to prevent privacy disclosure in micro-data release. However, it is ineffective for the attribute disclosure by the homogeneity attack. The existing models based on k-anonymity have solved this problem to a certain extent, but they did not distinguish the different values of the sensitive attribut...


Statistical Disclosure: Improved, Extended, and Resisted

Traffic analysis is a type of attack on secure communications systems, in which the adversary extracts useful patterns and information from the observed traffic. This paper improves and extends an efficient traffic analysis attack, called “statistical disclosure attack.” Moreover, we propose a solution to defend against the improved (and, a fortiori, the original) statistical disclosure attack....


A Review of Privacy Preservation Technique

Privacy preservation is one of the most important challenges in the computer world because of the huge amount of sensitive information on the internet. The paper contains several privacy preservation techniques for data publishing in the real world. There are several associated privacy attacks, but among them the two main attacks are record linkage and attribute linkage. Many scientists have pr...


Publication date 2003