Privacy and forensics investigation process: The ERPINA protocol

https://doi.org/10.1016/j.csi.2007.10.008

Abstract

The rights of an Internet user acting anonymously conflict with the rights of a Server victim identifying the malicious user. The ERPINA protocol, introduced in this paper, allows an honest user to communicate anonymously with a Server through a PET, while the identity of a dishonest user is revealed. Prior research failed to distinguish objectively between an honest user and an attacker, and a reliable and objective distinguishing technique is lacking. The ERPINA protocol addresses the reliability issue efficiently by defining from the beginning of the communication what is considered malicious and what is not.

Introduction

An honest Internet user desires to communicate anonymously with a Server while the communication offers integrity and confidentiality. Internet users can readily perform malicious actions through the Internet because the current technologies can help hide their identities [4], [1]. Currently, digital forensics investigation procedures are time-intensive and costly, and the reliability and the collection method of evidence are a concern [9]. Furthermore, a victim may well avoid performing a digital forensics investigation because the victim's devices, such as a web server, may need to stop functioning for a period of time. An appropriate automatic mechanism could reduce the duration and cost and increase the reliability of an investigation, encouraging victims to prosecute attackers.

A Privacy Enhancing Technology (PET) offers privacy [8] (including communication anonymity) to Internet users. Network Forensics tries to reveal the privacy of Internet users, in order to discover the identity of attackers. However, a PET may hide the identity of attackers [7] while Network Forensics may violate the privacy of honest users. These opposite-goal technologies can be used in an appropriate way in order to build an Internet society that discourages attackers from participating and respects the privacy of honest users. To the best of our knowledge, currently the only known protocol which offers privacy to honest users and accountability to attackers is the Respect Private Information Not Abuser (RPINA) protocol [2]. However, the reliability of the RPINA protocol is currently not guaranteed. The main goal of this paper is to increase dramatically the level of the protocol's reliability. The goal is achieved with the proposed protocol, which is called Enhanced-RPINA (ERPINA).

Fig. 1 illustrates the participating entities of the ERPINA protocol. The policy definition entity (PDE) is responsible for publishing the desired policy of each entity. The directory service (DS) and the forensic investigation entity (FIE) have a very strong relation and they can be considered as one entity. The DS/FIE issues tickets to the anonymous user (AU) and performs forensic investigation. Before the AU contacts the Server, the AU needs to contact the PDE in order to publish his/her acceptable policy, and the DS/FIE in order to get a ticket. The AU hides his/her communication identity from the Server by using a PET. If the Server detects an attack from the AU, the Server can provide the FIE with the messages received from the AU, and the FIE reveals the identity of the AU to the Server. Further detailed analysis can be found in the rest of the paper.
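A simplified model of the flow just described, added here as an illustration and not taken from the paper: the DS/FIE binds a policy to a ticket at issuance, and identity is revealed only when a submitted message matches what that policy defined as malicious. The policy format (`malicious_patterns`), the function names and the use of an HMAC in place of the DS's signature are assumptions; proof that the AU actually sent the messages is not modelled.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC under a DS/FIE secret stands in for the DS signature.
DS_KEY = secrets.token_bytes(32)
_ESCROW = {}  # ticket id -> real identity, known only to the DS/FIE


def _tag(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DS_KEY, data, hashlib.sha256).hexdigest()


def issue_ticket(identity, pdd):
    """DS: issue a ticket that embeds the policy document (PDD)."""
    ticket_id = secrets.token_hex(8)
    _ESCROW[ticket_id] = identity
    body = {"id": ticket_id, "pdd": pdd}  # no identity inside the ticket
    return {"body": body, "tag": _tag(body)}


def ticket_valid(ticket):
    """Check that the ticket and its embedded PDD are unmodified."""
    return hmac.compare_digest(_tag(ticket["body"]), ticket["tag"])


def investigate(ticket, messages):
    """FIE: return the identity only if the ticket is genuine and some
    message matches what the embedded PDD defined as malicious."""
    if not ticket_valid(ticket):
        return None
    patterns = ticket["body"]["pdd"]["malicious_patterns"]
    if any(p in m for m in messages for p in patterns):
        return _ESCROW.get(ticket["body"]["id"])
    return None


def demo():
    # Constructed sample policy, identity and messages.
    pdd = {"malicious_patterns": ["../"]}
    ticket = issue_ticket("alice@example.org", pdd)
    honest = investigate(ticket, ["GET /index.html"])
    attack = investigate(ticket, ["GET /../../etc/passwd"])
    # A Server rewriting the policy after the fact invalidates the ticket.
    forged = {"body": {"id": ticket["body"]["id"],
                       "pdd": {"malicious_patterns": ["GET"]}},
              "tag": ticket["tag"]}
    return honest, attack, investigate(forged, ["GET /index.html"])
```
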

The paper is organized as follows: Section 2 describes related work; Section 3 introduces the ERPINA protocol, overcoming the reliability issue of previous related protocols; Section 4 analyses the characteristics of the ERPINA and illustrates an example where the reliability of the ERPINA protocol is presented; Section 5 concludes the paper and gives directions for further research in relation to the ERPINA protocol.

Section snippets

Related work

In [5] a solution is described for revocable anonymous access, where the identity of a user who is hiding his/her identity behind a PET (offering communication anonymity) is revealed by a third entity called Management Entity. However, the solution lets the Management Entity know with whom the AU is communicating. The solution does not describe under what conditions the revocation takes place. There is not even a mechanism describing how the Management Entity is assured about the “guilt” of the

ERPINA: the conceptual framework

The ERPINA protocol (Fig. 2) is an upgraded version of the RPINA protocol which increases the level of offered reliability. The participating entities are an AU, a DS, a PET, a Server, a FIE and the PDE.

The AU signs a Policy Definition Document (PDD) and then requests a ticket from the DS. The DS issues the ticket, embedding the PDD, to the AU and the AU sends the ticket to the Server through the PET, which offers communication anonymity to the AU. Once the Server verifies the validity of the

Analysis of ERPINA

During the Forensic Investigation Phase, neither the DS/FIE nor the Server needs to reveal their private key in order to help in the investigation. Additionally, the Server:

  a) Doesn't need to stop functioning until the investigators examine the Server's machines.

  b) Only needs to contact the appropriate FIE and send the related messages. The forensic investigation procedure is specific and straightforward.

  c) Doesn't need to spend money or time during the investigation.

  d) Doesn't need to have large

Conclusions and future work

The ERPINA protocol fulfils the need of an honest user communicating anonymously through the Internet with a Server, and the need of a Server–victim identifying the attacker. In order to increase the reliability of the protocol, a mechanism has been proposed.

Future work is to design a mark-up language for describing Policy Definition Documents. We need, also, a technique preventing a Server collaborating maliciously with the FIE/DS and revealing the identity of honest users, who haven't

References (9)

  • D. Forte
  • G. Antoniou et al.
  • G. Antoniou et al.
  • G. Antoniou et al.
There are more references available in the full text version of this article.
