1
|
- Y. Lu, W. Wang, D. Xu, and B. Bhargava
- yilu, wangwc, dxu, bb @ cs.purdue.edu
- Department of Computer Sciences
- Purdue University
|
2
|
- Privacy in peer-to-peer systems is different from the anonymity problem
- Preserve privacy of requester
- A mechanism is needed to remove the association between the identity of the requester and the data needed
|
3
|
- A mechanism is proposed that allows the peers to acquire data through trusted proxies to preserve the privacy of the requester
- The data request is handled through the peer’s proxies
- The proxy can become a supplier later and mask the original requester
|
4
|
- Trust in privacy preservation
- Authorization based on evidence and trust [Bhargava and Zhong, DaWaK’02]
- Developing pervasive trust [Lilien, CGW’03]
- Hiding the subject in a crowd
- K-anonymity [Sweeney, UFKS’02]
- Broadcast and multicast [Scarlata et al, INCP’01]
|
5
|
- Fixed servers and proxies
- Publius [Waldman et al, USENIX’00]
- Building a multi-hop path to hide the real source and destination
- FreeNet [Clarke et al, IC’02]
- Crowds [Reiter and Rubin, ACM TISS’98]
- Onion routing [Goldschlag et al, ACM Commu.’99]
|
6
|
- [Sherwood et al, IEEE SSP’02] provides sender-receiver anonymity by transmitting packets to a broadcast group
- Herbivore [Goel et al, Cornell Univ Tech Report’03] provides provable anonymity in peer-to-peer communication systems by adopting dining cryptographer networks
|
7
|
- A tuple <requester ID, data handle, data content> is defined to describe a data acquirement.
- For each element, “0” means that the peer knows nothing, while “1” means that it knows everything.
- A state in which the requester’s privacy is compromised can be represented as a vector <1, 1, y>, (y ∈ [0,1]), from which one can link the ID of the requester to the data that it is interested in.
|
9
|
- An operation “*” is defined as:
- This operation describes the revealed information after a collusion of two peers when each peer knows a part of the “secret”.
- The number of collusions required to compromise the secret can be used to evaluate the achieved privacy
|
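The knowledge-vector model of slides 7 and 9, worked through in code. This is an added illustration, not the authors' code. The slides do not give the definition of “*”; the example assumes it is the componentwise maximum of the two peers' vectors (colluding peers pool what each already knows). The per-peer vectors for the simple proxy scheme and for the partial-hash scheme are also this example's own reading of the later slides.

```python
"""Knowledge-vector model of requester privacy (added example, not the slides' code).

Assumption not stated on the slides: the collusion operator "*" is taken to be
the componentwise maximum of two knowledge vectors.  The per-peer vectors below
are this example's reading of the two proxy schemes, not figures from the deck.
"""
from itertools import combinations
from typing import Dict, Optional, Tuple

# <requester ID, data handle, data content>, each in [0, 1]
Knowledge = Tuple[float, float, float]


def collude(a: Knowledge, b: Knowledge) -> Knowledge:
    """Assumed "*": what two peers hold after pooling what each already knows."""
    return tuple(max(x, y) for x, y in zip(a, b))  # type: ignore[return-value]


def compromised(v: Knowledge) -> bool:
    """<1, 1, y>: requester ID is linkable to the data handle, whatever y is."""
    return v[0] == 1 and v[1] == 1


def peers_needed(peers: Dict[str, Knowledge]) -> Tuple[Optional[int], Tuple[str, ...]]:
    """Smallest set of peers whose pooled knowledge reaches <1, 1, y>.

    Returns (size, names).  size 1 means a single peer already breaks privacy;
    k peers correspond to k-1 pairwise collusions.  (None, ()) means even all
    peers together cannot link the requester to the data.
    """
    names = list(peers)
    for k in range(1, len(names) + 1):
        for group in combinations(names, k):
            pooled: Knowledge = (0.0, 0.0, 0.0)
            for n in group:
                pooled = collude(pooled, peers[n])
            if compromised(pooled):
                return k, group
    return None, ()


# Simple proxy scheme (assumed vectors): the proxy sees the requester, the
# plaintext handle and the data it relays; the supplier sees handle and data
# but never the requester.
SIMPLE_PROXY: Dict[str, Knowledge] = {
    "proxy": (1.0, 1.0, 1.0),
    "supplier": (0.0, 1.0, 1.0),
}

# Partial-hash scheme (assumed vectors): the proxy sees the requester and only
# part of the handle's hash (0.5 = half the digest revealed); handle and
# transfer key are encrypted to the supplier, so the proxy sees no content.
PARTIAL_HASH: Dict[str, Knowledge] = {
    "proxy": (1.0, 0.5, 0.0),
    "supplier": (0.0, 1.0, 1.0),
    "other_supplier": (0.0, 0.5, 0.0),  # saw the prefix, had no matching handle
}

if __name__ == "__main__":
    print("simple proxy :", peers_needed(SIMPLE_PROXY))   # proxy alone suffices
    print("partial hash :", peers_needed(PARTIAL_HASH))   # proxy + supplier must collude
```

Under these assumptions the simple proxy scheme is broken by one peer (zero collusions), while the partial-hash scheme needs the proxy and the supplier to collude, which is the slides' “the proxy alone cannot compromise the privacy” stated as a count.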
10
|
- The requester asks one proxy to look up the data on its behalf. Once the supplier is located, the proxy will get the data and deliver it to the requester
- Advantage: other peers, including the supplier, do not know the real requester
- Disadvantage: the privacy solely depends on the trustworthiness and reliability of the proxy
|
11
|
- To avoid specifying the data handle in plain text, the requester calculates the hash code and only reveals a part of it to the proxy.
- The proxy sends it to possible suppliers.
- Receiving the partial hash code, the supplier compares it to the hash codes of the data handles that it holds. Depending on the revealed part, multiple matches may be found.
- The suppliers then construct a bloom filter based on the remaining parts of the matched hash codes and send it back. They also send back their public key certificates.
|
12
|
- Examining the filters, the requester can eliminate some candidate suppliers and find those who may have the data.
- It then encrypts the full data handle and a data transfer key with the supplier’s public key.
- The supplier sends the data back, using the data transfer key, through the proxy
- Advantages:
- It is difficult to infer the data handle through the partial hash code
- The proxy alone cannot compromise the privacy
- Through adjusting the revealed part of the hash code, the allowable error of the bloom filter can be determined
|
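The lookup exchange of slides 11 and 12 end to end, as an added example that is not the authors' code. Assumed details the slides leave open: SHA-256 as the hash of the data handle, a hex prefix of `REVEAL_HEX` characters as the “revealed part”, and a small Bloom filter indexed by three SHA-256-derived positions. The public-key envelope carrying the full handle and transfer key is left out; the example stops at candidate-supplier selection, which is the step the filters exist for. The supplier holdings are constructed sample data.

```python
"""Partial-hash lookup with Bloom-filter responses (added example, not the slides' code).

Assumptions not on the slides: SHA-256 handle hashes, REVEAL_HEX hex digits as
the revealed part, and a 256-bit Bloom filter with 3 index functions.
"""
import hashlib
from typing import Dict, Iterator, List, Tuple

REVEAL_HEX = 4  # hex digits of the handle hash shown to the proxy (16 bits)


def handle_hash(handle: str) -> str:
    return hashlib.sha256(handle.encode("utf-8")).hexdigest()


class BloomFilter:
    """Minimal Bloom filter: no false negatives, tunable false positives."""

    def __init__(self, n_bits: int = 256, n_hashes: int = 3) -> None:
        self.m, self.k, self.bits = n_bits, n_hashes, 0

    def _positions(self, item: str) -> Iterator[int]:
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits |= 1 << p

    def may_contain(self, item: str) -> bool:
        return all((self.bits >> p) & 1 for p in self._positions(item))


def requester_split(handle: str) -> Tuple[str, str]:
    """Requester keeps the remainder; only the prefix ever reaches the proxy."""
    h = handle_hash(handle)
    return h[:REVEAL_HEX], h[REVEAL_HEX:]


def supplier_respond(prefix: str, holdings: List[str]) -> Tuple[BloomFilter, int]:
    """Supplier side: match the prefix against the hashes of its own handles
    and return a Bloom filter over the remaining part of every match
    (plus the number of matches, which grows as the prefix shrinks)."""
    bf = BloomFilter()
    matched = [h for h in holdings if handle_hash(h).startswith(prefix)]
    for h in matched:
        bf.add(handle_hash(h)[len(prefix):])
    return bf, len(matched)


def lookup(handle: str, suppliers: Dict[str, List[str]]) -> List[str]:
    """Requester -> proxy -> suppliers -> proxy -> requester.
    Returns the supplier IDs the requester cannot rule out from the filters."""
    prefix, remainder = requester_split(handle)
    # The proxy forwards only `prefix`; it never sees `remainder` or `handle`.
    responses = {sid: supplier_respond(prefix, held)[0] for sid, held in suppliers.items()}
    # A supplier with no prefix match returns an empty filter and is eliminated;
    # a supplier that holds the handle can never be eliminated (no false negatives).
    return [sid for sid, bf in responses.items() if bf.may_contain(remainder)]


# Constructed sample network (not from the slides).
SUPPLIERS: Dict[str, List[str]] = {
    "S1": ["ip-routing-notes.pdf", "cluster-logs-2005.tgz"],
    "S2": ["annual-report.doc"],
    "S3": ["ip-routing-notes.pdf", "holiday-photos.zip"],
}

if __name__ == "__main__":
    print(lookup("ip-routing-notes.pdf", SUPPLIERS))
```

Shortening `REVEAL_HEX` widens the set of handles a supplier matches (with an empty prefix it matches everything it holds), which hides the requester's interest better but puts more entries into each filter and so raises its false-positive rate; that is the trade-off the slide describes as choosing the allowable error of the bloom filter through the revealed part of the hash.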
14
|
- The above scheme does not protect the privacy of the supplier
- To address this problem, the supplier can respond to a request via its own proxy
|
16
|
- The trust value of a proxy is assessed based on its behaviors and other peers’ recommendations
- Using Kalman filtering, the trust model can be built as a multivariate, time-varying state vector
|
17
|
- Trust enhanced role mapping (TERM) server assigns roles to users based on
- Uncertain & subjective evidences
- Dynamic trust
- Reputation server
- Dynamic trust information repository
- Evaluate reputation from trust information by using algorithms
specified by TERM server
|
19
|
- A trust based privacy preservation method for peer-to-peer data sharing is proposed
- It adopts the proxy scheme during the data acquirement
- Extensions
- Solid analysis and experiments on large scale networks are required
- A security analysis of the proposed mechanism is required
|
20
|
- B. Bhargava and Y. Zhong, “Authorization based on evidence and trust,” in Proc. of International Conference on Data Warehousing and Knowledge Discovery (DaWaK), 2002.
- B. Bhargava, “Vulnerabilities and fraud in computing systems,” in Proc. of International Conference on Advances in Internet, Processing, Systems, and Interdisciplinary Research (IPSI), 2003.
- L. Lilien and A. Bhargava, “From vulnerabilities to trust: A road to trusted computing,” in Proc. of International Conference on Advances in Internet, Processing, Systems, and Interdisciplinary Research (IPSI), 2003.
- L. Lilien, “Developing pervasive trust paradigm for authentication and authorization,” in Proc. of Third Cracow Grid Workshop (CGW), 2003.
|