contributed articles
DOI: 10.1145/1941487.1941508
Privacy-preserving attribution of IP packets can help balance forensics with an individual's right to privacy.
By Mikhail Afanasyev, Tadayoshi Kohno, Justin Ma, Nick Murphy, Stefan Savage, Alex C. Snoeren, and Geoffrey M. Voelker
Privacy-Preserving Network Forensics
Research in network security has traditionally focused on defense: mechanisms designed to impede an adversary. However, paraphrasing security expert Butler Lampson, practical security requires a balance between defense and deterrence. While defense may block an adversary's current attacks, only an effective deterrent can prevent the adversary from choosing to attack in the first place. But creating such a deterrent is usually predicated on an effective means of attribution: tying an individual to an action. In the physical world, this link is established through concrete evidence (such as DNA, fingerprints, and writing samples), but the Internet has no such robust forensic trail. Indeed, functional anonymity is implicit in the Internet's architecture, since the lowest-level identifiers, network addresses (IP addresses), are inherently virtual and insecure. It can be extremely challenging to attribute an online action to a physical origin, let alone to a particular individual. Reducing this expectation of anonymity even slightly can potentially disincentivize a range of criminal activity and lengthen the effective lifetime of defense mechanisms.
Compelling though this line of thinking may be, there is a natural tension between the need for attribution and user expectations of privacy. While the public generally appreciates that criminal acts should be subject to scrutiny, civil libertarians are considerably less sanguine about exposing identifying information as a matter of course. Indeed, a recently leaked document, allegedly of International Telecommunication Union provenance, lends credence to libertarian fears: it motivates the need for network-level "IP traceback" capabilities by a government's desire to identify anonymous political opponents.[12] Though this is but one example, it is time to explore technical solutions that balance the enforcement interests of the state and the privacy interests of individuals.
We seek to achieve such a balance by introducing a new network-layer capability we call privacy-preserving forensic attribution. We propose a packet-level cryptographic signature
Key insights

An anonymous Internet protects the privacy of people's Internet activity but means criminal activity could go unattributed.

A fully attributed, non-anonymous Internet linking all Internet traffic back to its source would help monitor and track criminal activity but could also compromise the privacy of everyday users.

All Internet packets are inherently anonymous but, with appropriate credentials, authorized parties can revoke that anonymity and attribute packets back to their source.