Check out the new USENIX Web site. next up previous
Next: Publius Up: Related work Previous: Connection Based Anonymity Tools

Author Based Anonymity Tools

Janus, currently known as Rewebber (, is a combination author and connection based anonymizing tool. With respect to connection based anonymity, Janus functions almost exactly like the Anonymizer; it retrieves Web pages on an individual's behalf. Publisher anonymity is provided by a URL rewriting service. An individual submits a URL U to Janus and receives a Janus URL in return. A Janus URL has the following form
Where Ek(U) represents URL U encrypted with Janus's public key. This new URL hides U's true value and therefore may be used as an anonymous address for URL U. Upon receiving a request for a Janus URL, Janus simply decrypts the encrypted part of the URL with its private key. This reveals the Web page's true location to Janus. Janus now retrieves the page and sends it back to the requesting client. Just before Janus sends the page back to the client each URL, contained in the page, is converted into a Janus URL. Goldberg and Wagner [12] describe their implementation of an anonymous Web publishing system based on a network of Rewebbers. The Rewebber network consists of a collection of networked computers, each of which runs an HTTP proxy server and possesses a public/private key pair. Each HTTP proxy server is addressable via a unique URL. An individual wishing to hide the true location of WWW accessible file f, first decides on a set of Rewebber servers through which a request for file f is to be routed. Using an encryption technique similar to the one used in onion routing, the URLs of these Rewebber servers are encrypted to form a URL U. Upon receiving an HTTP GET request for URL U, the Rewebber proxy uses its private key to peel away the outermost encryption layer of U. This decryption reveals only the identity of the next Rewebber server that the request should be passed to. Therefore only the last Rewebber server in the chain knows the true location of f. The problem with this scheme is that if any of the Rewebber servers along the route crashes, then file f cannot be found. Only the crashed file server possesses the private key that exposes the next server in the chain of Rewebber servers that eventually leads to file f. The use of multiple Rewebber servers and encryption leads to long URLs that cannot be easily memorized. In order to associate a meaningful name with these long URLs the TAZ server was invented. TAZ servers provide a mapping of names (ending in .taz) to URLs in the same way that a DNS server maps domain names to IP addresses. This anonymous publishing system is not currently operating as it was built as a ``proof of concept'' for a class project. Most of the previous work in anonymous Web publishing has been done in the context of building a system to realize Anderson's Eternity Service [2]. The Eternity Service is a server based storage medium that is resistant to denial of service attacks and destruction of most participating file servers. An individual wishing to anonymously publish a document simply submits it to the Eternity Service along with an appropriate fee. The Eternity Service then copies the document onto a random subset of servers participating in the Eternity Service. Once submitted, a document cannot be removed from the Eternity Service. Therefore an author cannot be forced, even under threat, to delete a document published on the Eternity Service. Below we review several projects whose goals closely mirror or were inspired by the Eternity Service. Usenet Eternity [3] is a Usenet news based implementation of a scaled down version of Anderson's Eternity Service. The system uses Usenet to store anonymously published documents. Documents to be published anonymously must be formatted according to a specific set of rules that call for the addition of headers and processing by PGP and SHA1. The correctly formatted message is then sent to alt.anonymous.messages. A piece of software called the eternity server is used to read the anonymously posted articles from the alt.anonymous.messages newsgroup. The eternity server is capable of caching some newsgroup articles. This helps prevent the loss of a document when it is deleted from Usenet. The problem with using Usenet news to store the anonymously published file is that an article usually exists on a news server for only a short period of time before it is deleted. In addition a posting can be censored by a particular news administrator or by someone posting cancel or supercede requests ( to Usenet. A much more ambitious implementation is currently being designed (

FreeNet [7] is an adaptive network approach to the censorship problem. FreeNet is composed of a network of computers (nodes) each of which is capable of storing files locally. In addition, each node in the network maintains a database that characterizes the files stored on some of the other nodes in the network. When a node receives a request for a non-local file it uses the information found in its database to decide which node to forward the request to. This forwarding is continued until either the document is found or the message is considered timed-out. If the document is found it is passed back through the chain of forwarding nodes. Each node in this chain can cache the file locally. It is this caching that plays the main role in dealing with the censorship issue. The multiple copies make it difficult for someone to censor the material. A file can be published anonymously by simply uploading it to one of the nodes in the adaptive network. The FreeNet implementation is still in its infancy and many features still need to be implemented. Intermemory [11] is a system for achieving an immense self-replicating distributed persistent RAM using a set of networked computers. An individual wishing to join the Intermemory donates some disk space, for an extended period of time, in exchange for the right to store a much smaller amount of data in the Intermemory. Each donation of disk space is incorporated into the Intermemory. Data stored on the Intermemory is automatically replicated and dispersed. It is this replication and dispersion that gives the Intermemory properties similar to Anderson's Eternity Service. The main focus of the Intermemory project is not anonymous publishing but rather the preservation of electronic media. A small Intermemory prototype is described in [6]. The security and cryptographic components were not fully specified in either paper so we cannot comment on its anonymity properties. Benes [4] describes in detail how one might implement a full-fledged Eternity service. Benes and several students at Charles University are attempting to create a software implementation of the Eternity Service based on this thesis.

next up previous
Next: Publius Up: Related work Previous: Connection Based Anonymity Tools
Avi Rubin