EP2294761A1

EP2294761A1 - Method of tracing and of resurgence of pseudonymized streams on communication networks, and method of sending informative streams able to secure the data traffic and its addressees

Info

Publication number: EP2294761A1
Application number: EP09757544A
Authority: EP
Inventors: Michel Riguidel; Philippe Laurier; Laurent Ladouari
Original assignee: Telecom ParisTech
Current assignee: Telecom ParisTech
Priority date: 2008-06-03
Filing date: 2009-06-03
Publication date: 2011-03-16
Also published as: FR2932043B1; US20110307691A1; CN102084624A; WO2009147163A1; JP2011522336A; US9225618B2; FR2932043A1

Abstract

The network comprising communication supports (31, 32, 33) sending streams (36) to receiving agents (37, 38, 39), the method comprises at least: - a step of allocating a cryptonymic identity (34) to communication supports by a first instance A, the streams (36) sent by a support bearing a mark dependent on its cryptonym, the cryptonymic identity of a support being distinct from its real identity; - a step of reading and analyzing (41, 42) the streams by a second instance B (22), said analysis comprising a phase of identifying streams to their communication supports by searching for similitude between the mark of the streams and the cryptonymic identity of the supports, with the aid of a table referencing the cryptonyms, and a phase of logging observable characteristics of the streams through the network; a behaviour defined by a set of characteristics is declared typical or atypical by comparison with a given set of criteria, the table of cryptonymic identities having no relationship with the real identities. The invention applies in particular for combating illegal downloads, the sending of material which is unsolicited or which may cover up identifiable malicious intentions.

Description

METHOD OF TRACEABILITY AND RESURGENCY OF FLOW

PUDDED ON COMMUNICATION NETWORKS, AND

METHOD OF TRANSMITTING INFORMATION FLOW TO SECURE THE

TRAFFIC IN DATA AND ITS ADDRESSEES

The present invention relates to a method of traceability and resurgence of pseudonymised flows in communication networks, in particular telecommunication and television broadcasting, capable of facilitating the detection of unauthorized flows, or sought for other reasons such as statistical processing or metrological analyzes. It also relates to a method of transmitting an information flow in such a network, able to secure traffic or access to data, its recipients and the terminal equipment used by them. It also relates to an interlocutor identity guarantee device capable of avoiding the use of the disclosure of real identities.

The invention applies in particular to fight against illegal downloads of works of the mind (ascending or descending - "uploading", "downloading" - and any form of provision for a broadcast or a flow activation), as well as the sending of unsolicited messages or the massive solicitation of subscribers to encourage the recall of numbers actually billed in particular. It also applies to analyze and protect interdependencies in critical information and communication infrastructures. It also applies to build trust in relations between communicators.

Subsequently, the word "flow" will mean, in particular, sending of files, documents, stream transmissions, letters, telephone calls, in analog or digital form, as well as a transmission via activation of its equipment by a third party, more whether they are available voluntarily or not. This flow can occur between all types of terminals or communication media. Activation such as recipients or stream content may or may not be desired, and chosen or random.

Subsequently, the word "server" will denote as much a server, a computer, a computer machine, or any medium involved in a computer operation information distribution. This includes everything communication medium, any equipment capable of transmitting a stream over a telecommunication or television broadcasting network, such as mobile phones such as electronic diaries or networks of sensors or actuators. It more generally encompasses equipment that is ancillary to the first and likely to participate in this action, for example external electronic memories.

Open or closed networks, used in telecommunication for the transmission and circulation of all types of flows, see the coexistence of lawful or illicit, friendly or untimely uses. Their large number, in terms of diversity and speed, reduces the possibility of easily detecting these deviant uses. In addition to technical difficulties, there are legal, regulatory, ethical, cultural or economic constraints.

Downloads, particularly on the Internet, or variants such as peer-to-peer, availability for a streaming as well as a streaming stream, have mainly appeared with the emergence of broadband at the subscriber (ADSL or optical fiber). This problem is topical, in the world but particularly in France, following the current success of broadband and in particular the following constraints, sometimes contradictory:

- creators and producers want to be paid for access to their works;

- internet service providers (ISPs) do not wish to exercise a police function on the network;

- the majority of Internet users want to consume legally, on the condition that it is simple and inexpensive;

- lastly, organizations for the protection of freedoms, like the CNIL in France, are reluctant to observe, outside of any legal framework, the private behavior of Internet users and to access the content and private data of citizens on a network. The IP address, especially in France, the subject of debate as to its membership in the private sphere.

The protection of individual freedoms can thus incidentally favor piracy, since it also protects hackers. A need therefore exists to fight against illegal downloading (ascending, descending, or any variant) on a large scale, while respecting the preceding constraints. It is essentially a question of identifying, tracing and identifying the major hackers who are collecting audiovisual content or computer files to put them back into the commercial circuit, this tracking being in accordance with the laws in force. Encouraging the standard user to consume legally means being easier and cheaper than illegally consuming. Several known anti-piracy solutions could be envisaged, but they do not respond to the need, nor to all the constraints imposed. Filtering content on networks is difficult to operate across the Internet or a 3G network. The "radars" placed at strategic points on the network to control the contents are only partially authorized, and with various restrictions, because they constitute the way open to the espionage of the contents on the networks of the convergence, assimilable often to illicit listening. Any process that is too intrusive and non-discriminating ethically is likely to trigger a response in advance to hard protection modes, such as data encryption, which in turn increases the difficulty of their observation and triggers a reciprocal escalation. means resulting in the coexistence of spaces with excess opacity or excess porosity.

Moreover, the technical generations of attackers evolve rapidly, typically every 3 years. Downloading tools quickly become obsolete as, within each technical generation, fraudsters know how to convert abruptly, as soon as the hacking method proves to be too dangerous for them. It is therefore inefficient to track the methods of the current attacks and imagine a security system permanently updated, because this system would be unlocked a few months later, without the possibility of sufficient evolution. The invention instead aims to provide an open solution with sufficient durability to remove or limit the various illicit methods on the Internet while respecting the various constraints involved.

Telecommunication networks experience a reduction in current usage costs but a concomitant sophistication of services so-called value-added. This divergence creates an asymmetry where the sending of messages or phone calls for the purpose of fraud, for example, costs the attacker less and less, but more and more to the victims through, inter alia, reminder numbers, high billing. This results in a technical and financial facility for mass mailings to a large number of interlocutors, causing general nuisances and a sufficient rate of individuals likely to fall into the trap. There is a need to sort and listen to the huge flows circulating on telecommunication networks, messages having a characteristic profile of this type of mail.

Similarly, the downward trend in the costs of issuing a flow, combined with the ease of mass mailing, opens a dangerous window favorable for example to "punches", worms or computer viruses. These deviances are facilitated by the absence, for technical or social reasons, of easy implementation, for example cryptographic protocols of non-repudiation at the sending, or at the reception, which would make it possible to know the origin and the destination messages. These obstacles call for new ways of monitoring flows, allowing these risks to be reduced while respecting the legality as well as the rules relating to privacy, privacy and the desire for anonymity of many users.

Among the other constraints is the fact that, on the universal network of digital convergence - Internet but also for example the network of telecom operators GPRS or 3G -, servers are sometimes out of spatio-temporal scope. For example, they may be beyond the reach of a country's justice, for two reasons in particular: either the server is located abroad, or it is in the country or in a bordering zone but proceeds constantly by way of escape identity ("he zaps"): the life of the server is ephemeral, it is born, performs its misdeeds and disappears to reappear under another identity.

Finally a problem is related to the scattering or the cooperation ("naperization") of the servers. There is more and more peer-to-peer activity (Bittorrent, eDonkey, eMule), overlay applications on the Internet, or distributed computing, which means that Multimedia content can come from multiple servers, simultaneously or not.

A first particularity of the invention lies in its finding that better secure content distribution will require to be as much as possible both at the beginning and at the end of the chain of distribution, or at least at strategic points. networks where we can intervene or collect all the information. As a reminder, IP routing on the Internet allows great freedom of routing information packets within a network. The invention therefore aims to intervene or to distribute a secret at the beginning of the chain (or as far upstream as possible), for each approved interlocutor, and to find this intervention or this secret later, so as to know that these flows are listed and to be able to presume them less or more indifferent in the light of a search. In this way, if necessary after cascade filtering (in series and / or in parallel), a large volume of presumed flows having a higher probability of correspondence with the object of the search will be eliminated. Only then will focus on the residual flow detected in successive sieves, using for example in this case the protocols not associated with this intervention or this secret, for more auscultate. This possibility of selective sorting by cascading filtering brings to the present process a flexibility of use and reconfiguration, to adapt to any evolution of modes and preferences of use for illicit uses. It also gives it the qualities of a machine tool holder, which can simultaneously use an unlimited number of auscultation tools.

It is through its joint capacity of variability and variety of marking, that the device proposes to remedy the weaknesses mentioned above.

One of the major advantages brought by the presence of this secret element lies in its ability to be periodically modified at intervals to be defined, random, correlated with a risk of discovery, or advantageously left to the discretion of the public. homologating body. These modifications take interest not to be predictable or reconstructible either in their moment of occurrence, or in the variation made to the scratching, as defined below. No limit to the brevity of existence of a secret is necessary, other than determined by the technical constraints of the marking device and auscultation.

In order to propose a flow observation solution that respects the various constraints involved, the invention particularly relates to a pseudonymized flow detection method.

It uses on the one hand cryptonymic identities of transmitters, kinds of both arbitrary claw and external sign referencing. These cryptonymes will be called later "scratching" in analogy with the usual function of scratching in other areas of technology, including horticulture (scratching plants to designate them with this mark to attention of a later speaker), and by more general allusion to the term claw, denoting the printing of a mark or a personal style on an object. The electronic cryptonymes used in the method according to the invention define a set of technical possibilities of marking or encapsulation, either of a technical equipment, a file or a stream, or finally of all these elements (to As an extreme example, a scratch can also be a particular protocol such as IPsec, MPLS, etc.). The invention establishes a cryptonyme, or "masking cryptonyme" to emphasize the masking function, the true identity of the flow or its issuer. It provides a marking or encapsulation system separately affixable to both a transmitter and a file or stream, but without having the need to know by a real identity.

Another advantage of the invention lies in its ability to create and enforce a pseudonymizing procedure. This procedure is based on coordination and complementarity between the means of creating this pseudonymisation, previously represented by the notion of "masking scratching", and the means of enforcing this pseudonymisation during an observation. flow, articulated around a segmentation of entities supplemented by a particular partitioning between these instances. The method comprises at least three steps: a step of assigning a cryptonymic identity to communication media by a homologous first instance A, the streams emitted by a medium carrying a clawing function of its cryptonyme, the cryptonyme of a medium being distinct from its real identity , the communication medium can not be definitively freed from scratching without an authorization signal from the first instance A;

a step of reading, analyzing and sorting (filtering) the streams by a second instance B, said analysis comprising a phase of identifying flows with their communication supports by searching for similarity between the "hiding masking" of the streams; and the cryptonymic identity of the media using a table referencing the cryptonymes, and a phase of observable characteristics of the flows through the network; A behavior, defined by a set of characteristics, is declared typical or atypical compared to a given set of criteria, the cryptony table having no link with real identities. The analysis of behavior is for example carried out in priority on the streams having no masking scratching reported on a communication medium provided with a cryptonyme. The user can be usefully informed of this feature, in order to encourage him to acquire a cryptonyme. The efficiency of the process is partly due to the fact that a high rate of voluntarily approved persons facilitates research by restricting the residual field to be observed as a matter of priority. For example, a communication medium may provisionally or selectively omit a masking scratch without an authorization signal from the first instance.

For example, a communication medium may temporarily or selectively omit a masking scratch via an authorization signal from the first instance.

The term dogging covers a function, which is to hide the real identity of a sender, since it functionally prohibits the instance B to search the latter on a given stream. B is entitled to look at or memorize a real identity after finding no scratching. The second instance B can perform stream reading at any point in the network, and can advantageously carry out this stream reading, for example at the input and / or the output of the communication media of the network operators, so as not to imply directly these. Advantageously, the flow analysis is for example performed on their communication protocols.

The method may comprise a third step of receiving the signaling of typical or atypical behaviors, by a third instance C, said instance being able to verify the lawfulness of the corresponding flows. The instance C is for example able to check the contents of the corresponding flows.

Advantageously, the instances A, B, C can be partitioned without mutual access to their respective data other than by requests, according to a predefined degree of authorization to issue or respond, offline or in real time. The process finds its full effectiveness of privacy in a strong compartmentalization between A, B and C.

It is particularly to emphasize the double interest presented by this referencing resulting in a masking scratch, both anonymity in case of observation, and greater probability of not being observed in its overall behavior.

Different forms of utility can be envisaged in other auscultation configurations, such as the possibility for a homologated structure, to choose and possess its personalized and exclusive scratching, then to receive privately and confidentially a countdown. record of its recorded flows. This in the optics for example of a big server owner fearing the influence of his equipment by a pirate, for misuse such as the broadcast of large quantities of pirated music files. A third particularity of the invention lies in its finding that multimedia traffic, such as music or video downloads as well as stream streaming streams, are too large to easily allow them to be explicitly examined. by a tattoo inlaid inside the content for example. The method according to the invention will therefore simply inspect the network traffic, as regards for example its nature, its volume, its frequency, its form, its syntax or its complexity, and this without initially checking the content of users and without touching this content, regardless of applications and users. The invention thus differs from the usual control devices focused on content management (content labeling, fingerprint, electronic signature, "fingerprinting", "hash code") since it makes it possible to identify prior behaviors during telecommunications, without need at certain stages to identify by name, by their real identity, neither their protagonists nor the contents exchanged.

The invention is therefore intended to mark the container, but not the content of the communication. It does not initially affect the content of the information of the transmitters and receivers, nor so to mark them nor at first glance to access them in order to know them. This scratching will be done on the container of the communication, that is to say on the rules, the protocols used by the communication machines, independently of the physical actors. It is therefore not the responsibility of the end user or the issuer, but of a third party (A). Thus, this scratching largely escapes the wills and the actors, in the sense that these marks do not interact with the private life and in the behaviors of these actors. It also escapes pirate parades by encrypting content.

The term "scratching" covers a procedure consisting of an addition, an amputation or a characteristic modification, on a communication protocol, while respecting the standard of this protocol. As such, because of this alteration, the mark can be considered a scratch carried to the original protocol, returning for a given moment to a single approved shipper. It is therefore also a claw in the sense of signature, but a signature does not refer directly to an identity real. This cryptonymic signature is advantageously chosen by the instance A. This scratching is only partially assimilable to an absolute secret, since its degree of readability, its ease or not to be detected, and more generally its capacity to be invisible, inaccessible or inaccessible. incomprehensible, will be at the discretion of the instance A. The claw brings to face of possible offenders an element of additional uncertainty, since they can not anticipate the degree of camouflage chosen at a given moment, and for a provisional duration .

Subsequently, the term "dogging" must be understood in a broad sense, thus designating in particular:

• a labeling, a label, visible, erasable or indelible, a label of an IP packet or a stream (for example, labeling may consist in filling a field of a header of a protocol);

• an undetectable, leachable or indelible tattoo of an IP session, connection, stream or packet (for example, cryptographic writing of a distinctive sign);

• a steganographic marking of spatial type (for example marking in a field of the protocol, before or after the useful content of the user) or temporal (for example specific use of the duration or the rate of transmission of the information, however respecting standards);

• the use of a protocol with specific parameters (for example, the use of IPsec in IP with a given security association);

• the packaging of a communication by a protocol composition (for example, the use of the MPLS protocol, in addition to the IP protocol); • the use of an additional protocol or additional traffic.

This branding and tracing system has security properties. Trademark confidentiality and the discretion of the system is an asset. An original finding on which the invention is based is to consider that a The only tagging strategy, at a given moment and in all communication networks, would be largely ineffective, inefficiency reinforced with the revolution of uses and the ways of circumventing used by hackers. Accordingly, the method must be able to handle multiple types of scratching simultaneously.

Several strategies of scratching are indeed possible, strategies depending on the security policy of the rights holders. Some will want to apply a very strict and very expensive security policy, others may want to apply only a deterrent marking. For example, a server can scratch in a standard way with an MPLS VPN and another with an IPSec AH security association in transport mode, in particular to present very simple standard cases.

Various strategies can also be envisaged as to the degree of automaticity of the clawing of a certified transmitter. It can either be mandatory and without the possibility of temporarily avoiding it, or be subject to a framed right with the exception, for example for a situation where an owner would lend to others his approved communication terminal.

The marking or encapsulation system proposed by the invention can be subdivided into two parts:

First, the marking device itself. This device can be either in the communication medium of the transmitter, or at its output, or at a later point on the network, or at a predetermined intermediate, such as the instance A;

The second part consists of a so-called secret element. This element belongs to two large families.

- The first family concerns the secret elements transmitted by A and materially then held by their approved carrier. It includes various types of potential carriers: o Technical support for issuance of the approved registrant, such as his computer or mobile phone. The secret element may for example be stored as a cookie in a temporary directory. It may also be several transmission media of the same declarant; o A removable or mobile support, such as a USB key, a smart card. This medium may be held in the name of a person or an approved structure such as a company, as a legal person, acting on behalf of its various members using the removable or mobile common medium; o A natural person knowing the secret element or a personal identifier activating it to carry out this marking; o Or any composition of these previous solutions. The secret element can be stored for as long as it is written dynamically, from data taken from outside each time, while leading to a marking of the flow by the sender equipment itself.

- The second family includes the secret elements kept in direct management: o by the entity A; o by a network operator or an access provider, as examples of intermediaries. o by a trusted third party chosen by the approved registrant. In this second approach, the secret element is activated in terms of marking when A or any delegated authority finds a connection to the network or a flow under a previously approved identity. The identity concerned may be in particular that of a communication medium (technical identity code), or that of a natural or legal person (such as a subscriber: individual or company).

These two families do not exclude each other, and can lead to mixed solutions. The bearer can therefore be as much a fixed as a mobile entity, as much a physical object as a logical one, as much a natural person as a moral person. Depending on the chosen security policy, there will be available a range of choices, each with different qualities and weaknesses. Each security policy regarding the choice of the carrier is a search for optimum. The method does not aim at a total absence of risk of circumvention, but a reduction of this risk, in a constant optic of incitement not to circumvent it, for statistical interest. The resulting device may be labeled as "low security" in the sense that it aims to remain permanently sufficient to deter a significant number of offenders. It is a tactic of "just enough", which integrates the economic and sociological aspects into the setting of this optimal level. Advantageously, a method according to the invention performs for example a marking of an informative nature, intended to produce a message, such as warning or warning about the harmfulness of the content. This marking will adopt the term "macaroon" in analogy with the usual function of macaroons in other areas of public life. It is for example affixed by the second instance B or the third C, on request or by referral to a moral authority. This mark may be made readable by a chosen communicant. Advantageously, it can be read by the receiving communication media of the stream. In a particular implementation, it may give rise to sending an informative message this time to the shipping address, for example to report remarks. The informative marking may be carried out by marking means at any remote point, such as a point of passage of the network.

A real identity of flow emitter can be associated separately on the one hand with an invariant pseudonym, on the other hand with a variant cryptonyme, functionally dissimulating of the true identity, these two attributes benefiting from possible bridges between them, but neither their addition does not allow an outside party to ascend, by their knowledge or possession, to this real identity. Identities are personal and untransferable to third parties. The pseudonym may be brought to the explicit knowledge of third parties by its holder, the cryptonym not being.

Advantageously, it is for example deployed, in terms of identity management, three partially partitioned entities: an instance A above, a Z instance and an anonymizing authority:

- instance A knowing explicitly the link between real identity and scratching.

the instance Z knowing explicitly the link between real identity and pseudonym. - the anonymisation authority knowing explicitly the link between pseudonym and scratching.

Advantageously, an invariant pseudonym of a given identity and a variant cryptonyme of this same identity are for example in constant bijection, within the instance charged with this bijection, without intercession of this real identity at any time.

The subject of the invention is also a method of transmitting a pseudonymized stream on a communication medium through telecommunication or television broadcasting networks able to secure the data traffic, the stream comprising a scratch representing a cryptonyme independent of the the real identity of its transmission communication medium and the content it conveys, said cryptonym being referenced in a first instance A, the referencing indicating the link with the corresponding real identity, and said cryptonym being identifiable by a second instance B does not have access to the corresponding real identity.

Advantageously, the cryptonym is, for example, in the form of a secret element, considering that the methods of combating the illegal downloading or the broadcasting of dangerous messages must themselves be secured.

The clawing is for example inserted in the format of the communication protocol used, such as for example in the protocol header, while respecting the protocol standard, without interfering with the user's own data. Other characteristics and advantages of the invention will become apparent with the aid of the description which follows, given with regard to appended drawings which represent:

- Figure 1, a presentation of two major steps in the implementation of the method according to the invention; - Figure 2, a presentation of the flow supervision entity segmented into three instances;

FIG. 3, an illustration of a marking authorization phase for communication media by a first instance;

FIG. 4, an illustration of a flow analysis phase by a second instance;

FIG. 5, an exemplary embodiment of a type of informative marking carried out by the method according to the invention;

FIG. 6, an illustration of the different possible steps of a method according to the invention applied to an emitted stream; - Figure 7, an example of access to a pseudonym from the possession or knowledge of a masking scratch;

- Figure 8, a particular mode of operation where an identity, excluding real identity, relating to the issuer of a stream, is likely to be subdivided into two.

FIG. 1 shows two major steps of a method according to the invention which will be largely detailed subsequently, on the one hand the creation 1 of cryptonymes of the emitters, translated by the use of masking scratches and on the other hand the segmentation 2 supervision of traffic and content, from scratches.

Before going further in the description, it is recalled that multimedia traffic, such as downloads of music or video as well as streaming such as "streaming" in particular, are too bulky so that we can easily afford to examine them explicitly, by a tattoo embedded in the content for example. In addition, an organization such as CNIL in France, the National Commission for Data Protection and Freedom, may not allow this type of direct reading for reasons of privacy protection. In addition, an Internet service provider or service provider may not wish to provide a filtering service for illegal content so as not to enter a spiral of new responsibilities. The method of the invention will therefore simply inspect the network traffic, without initially checking the content of users and without touching this content.

The invention therefore uses on the one hand cryptonymes emitters, both arbitrary scratching and external sign referencing. These cryptonymes are separately apposable to both an issuer and a document or stream. These electronic claws used in the method according to the invention define a set of technical possibilities of marking or encapsulation, either of a technical equipment, a document or a flow, or finally of all these elements,

On the other hand, the invention implements a segmentation of an entity for controlling or supervising traffic and content. For example, three separate instances can be used. These instances are partitioned in such a way that they do not have mutual or reciprocal access to their respective databases. Only certain predefined information can be transmitted directly or on request. The possible delegations mentioned below are to be considered as likely to weaken the qualities of the process, and can only be considered as technical palliatives to which then apply the same means and purposes partitioning.

FIG. 2 shows these three instances 21, 22, 23. A first instance 21, hereinafter called instance A, intervenes in the marking or encapsulation of the servers or communication media. She references the speakers. She accepts, refuses or withdraws a referencing, a referencing being source of marking by scratching. This clawing can be done at the transmitter on its equipment, directly or by possible delegation including through network operators, access providers or any other actor in charge of the organization or routing of flows on these networks. The marking of a transmitter uses a technical device causing the hiding masking of any document, and any flow, leaving this emitter. Such a marking system can be provided by the instance A, which here also has the function of a trusted third party, for example, with telecommunication system players such as ISPs, users or distributors. Scratching a file or stream can be effective regardless of the type of party who activated the sending, whether it is a communication manager or a third party. Enabling this sending can be done from the sending equipment both at a distance or at various points in the network from other facilities. This activation can be concomitant with the sending or programmed.

Scratching a file or a stream is also possible during transfer by a dedicated support for this task and controlled by the instance A, or any authorized third party, anywhere in the network. The masking hiding of a stream can be read or recorded by an approved controller such as the instance B defined below, or by possible delegation an operator for example, at any time and at any stage of the transfer. Clawing documents can be made discreet, by a secret in particular, so that it can be read or detected only by an authorized instance.

A second instance 22, called instance B thereafter, makes a report of activity. In particular, it identifies behaviors by relating fluxes to cryptonymes of emitters in the case of masking scratching. This is to identify behaviors that may be at fault or sought for any other reason. This instance searches in priority for the presence or absence of masking scratching: in case of presence, it is content to conduct its analyzes from this cryptonyme, and search for a real identity in its absence. As a result, scratching is functionally comparable to a carnival mask that does not remove a face but covers it in the eyes of an appointed observer, with no right for the latter to remove it. He can only observe behavior during the carnival. Instance B does not have the authorization nor the access to the real identities referenced by their clawings, these identities being only known from the instance A. The instance B only has for example a directory, or table, cryptonymes in particular to bring the transmitted streams closer to their communications medium, or transmitters, respectively. This directory can be updated in real time, in view of the need to rely on the permutation of scratching by the instance A. The instance B also does not have the possibility to check if a suspicion of fault is exact or no, this role being vested in the following instance 23.

Following this flow reading, a second type of marking, of an informative nature, may also have the function of bringing to the attention of communicators, such as recipients or intermediaries of the stream, a message including an alert on this stream. . This message, says macaron, can be expressed in any form such as sound or visual for example. It can be explicitly formulated or reduced to possibly standardized signage.

A third instance 23, hereinafter referred to as instance C, is receptive of the reports of behavioral findings sought because, for example, being atypical or presumed to be at fault, issued by the instance B.

It has the possibility to validate or invalidate the hypotheses emanating from these observations, in particular by checking the content of the programs.

However, instance C does not have access to the data found by instance B about an issuer's detailed behavior. It does not know if these data are considered representative of an unlawful or lawful behavior, typical or atypical, and useful or indifferent with regard to the search criteria of BC The instance C is ideally informed only of the desire to verify, accompanied by possible hypotheses on a possible supposable or sought-after content.

Figure 3 illustrates a first phase of implementation of the invention. More particularly, it illustrates the masking scratch in association with the first supervision instance 21, the instance A. To remove the lock of the vulnerabilities of the servers out of reach, hackers, anonymous, ephemeral or scattered among others, the invention uses the system scratching. This use of scratching makes it possible to separate the traffic on the networks in two. On the one hand are the servers that distribute content with a scratch and the other content, without scratching, which can be considered a priori more suspicious. A analysis can thus be carried out in priority on these contents without masking scratching.

Figure 3 illustrates Internet actors 31, 32, 33 symbolized by proper names Barnabe, Paul and John. They emit files, phone calls, mails, or any other flow as defined above. They can also provide equipment to emit these flows. The three actors in Figure 3 illustrate three different cases. Barnabe 31 requests a referencing to the instance A, that is to say the authorization to mark its flows of a scratching. In the example in Figure 3, instance A denies this permission to Barnabe. Paul 32 requests an authorization of referencing which is granted to him by the instance A. Finally, Jean 33 does not ask the use of scratches.

Paul's server 32 receives for example a secure element, with a secret. This secure element can be installed and stored on the computer for example on a USB key, a smart card or stored as a "cookie" cookie in a temporary directory, or in any other way that is both physical and logical. . The secrecy may be modified according to periods of time to be defined or left to the discretion of the homologating authority, for example every day, randomly or on request. This secret is a means of identifying and authenticating flows, packets, entities circulating on a network, in particular an application, a session, a connection, a stream, IP packets, MPLS packets, etc. For this purpose, the entities are marked by a scratch 34 which contains this secret. For example, one can decide to create a virtual private network (VPN) between the server, Paul in the example of Figure 3, and the ISP 35, via IPSec or via MPLS including. MPLS acts as input to the server and output to the ISP server. In this case, the virtual private network is only a security association. It is still possible to add an IPSec hardware device in front of Paul's server and in front of the ISP, IPSec being here in transport mode and under the AH protocol, with the mark of the input server. The actors 31, 32, 33 will issue streams 36 to other actors 37, 38, 39 who are receivers passive or active. For example, they are active when they execute a download. The streams are transmitted via a network managed by an ISP 35. Among these flows, those from Paul will be marked with a masking scratch, the others from Barnabe and Jean do not will not be and will be more sought after. Instance A does not have the function of detecting the presence of scratches in the streams, it only interacts with the content distribution managers, such as Barnabe, Paul or Jean, automatically or not. Request for claw requests can for example be done automatically from the servers of the actors 31, 32, 33 to a server constituting the instance A.

In general, the instance A is able to homologate the identity of servers, or of all communication media, by authorizing scratches on the one hand on these communication media and on the other hand on any stream sent by these entities. The instance A may thus be receptive of declarations of existence likely to emanate from all types of communication media capable of transmitting streams. A declaration may result as much from a legal, regulatory or contractual obligation as from an optional option. It can for example be:

- a spontaneous approach of a user;

- an obligation or a request from a third party, to be entitled to access its equipment or data, such as a commercial website, school or associative or an electronic counter; - a judicial obligation, applying to users subject to behavioral clauses or court-ordered supervision.

Instance A accepts or refuses the use of scratching. For this purpose, it is possible to initiate activity checks and identity or behavioral inquiries prior to granting a cryptonyme.

The acceptance triggers a scratching of the technical support of emission of the authorized declarant, Paul in the example of figure 3. The grafts awarded and the identity of their beneficiaries are for example registered in an updated directory.

In addition to authorizing the clipping of the technical supports, the instance A may perform an approval of the technical codes indicating the identity of the transmitters, such as the address field of the source or IP packet, for example. The homologated identities are for example gathered in an updated directory. In a particular mode of implementation, it is possible to consider an initial approval of a transmitter for later affixing, at any point in the network, by the instance A or any authorized third party, a masking hiding on the streams carrying his technical codes of identity. Cryptony directories are provided to instance B, or by delegation for example to network managers, access providers or any actor in charge of the organization, regulation, routing or control of flows on these networks.

- In a first variant of implementation, these interlocutors do not have access to the exhaustive directory but transmit to the instance

A, then the only holder of the directory the copies of the masking marks collected, for verification purposes for example of their authenticity or their validity. The instance sends a response on each individual request. In a second variant, it is possible to use a black box made available to the instance B or a delegated third party, this provision being made by the instance A. The black box remains under the control of this instance A for managing and modifying the data it contains. - In a third variant, instance B or any delegated third party will have available updated copy, in direct access and management.

FIG. 4 illustrates the activity analysis phase exerted by the instance B. As previously described, the secret issued by the instance A generates a marking by a so-called masking scratch. This clawing is inserted in the format of the communication protocols, for example at the level of the IP fields, and not on the own contents of the users. The instance B will therefore observe these protocols at strategic points preferably on the paths taken by the flows. In practice, observation systems such as probes are located at these points. Advantageously, it is possible to take as the strategic point of observation the input or the output of the servers of ISP providers 35. FIG. 4 illustrates this check for the actors 31, 32, 33 of FIG. In the example of FIG. 4, the positions of the reading points are upstream 41 and downstream 42 of the ISP or any other network or access manager. Masks can be read by instance B, or any other delegated authorized actor such as network managers or access providers. The reading can be automated by the use in particular of protocol analyzers. It can be conducted on the occasion of already existing relays on the networks, either by operation for example bypass established at any point of this network.

FIG. 5 illustrates a second type of marking established by the invention, called informative marking, intended to produce a message, possibly brought back to a sign, displayed at one of the communicators, automatically or at its request, or as a corollary intended to remain invisible to some third parties or unwanted intermediary receivers in the information circle. Some flows 36, approved or not, can be provided after their analysis 40, 41, 42 informative macaroons 100, intended in particular to prevent the recipient 37, 38, 39 of a possible danger to him, this particular when the content identified by C or the behavior of the sender found by B, suggests a desire to nuisance, or conversely indicate that the issuer or its stream has a label of confidence a priori. Advantageously, the decision to affix this computer badge can be delegated to a third entity 101, here named "moral authority", in order not to give the B and C instances a power of judgment, nor an analysis capacity on the opportunity. The recipient of the informative badge may also be the sender as indicated in the protocol fields, to communicate remarks.

The invention generally elaborates a marking system whose role depends on the variety of possible functions of a mark, depending also on the time and place where it is affixed, as well as on whether or not it is voluntarily apparent. social or technical actor. The instance B monitors and analyzes, at any possible point in the network, and advantageously at the reading points 41, 42, the traffic of the masking scratches. It also monitors and often prioritizes flows that are not marked by scratching. Instance B monitors and analyzes preferentially outside the boundaries of each of the entities, these entities ranging from distribution servers to end users through ISPs.

The analysis phase allows instance B to identify behaviors. For this purpose, the instance B can carry out censuses of kinship between emitters and emitted flows. For this purpose, the instance B has means for reading and processing data. These means thus report, for purposes of comparison, the clawing of the sending to a parallel marking of the sender. In this way, the instance B can identify behaviors reported to each communicant without knowing the corresponding identities. A behavior is the set of observable characteristics relating to one or more flows. To characterize typical or atypical behavior, these characteristics can then be compared with a set of criteria or reference characteristics. These behaviors can therefore be reflected in the following characteristics, for example by the number of shipments, the volume of the items or their recurrence, their schedules, their timing, their automated appearance, and more generally by any character likely to translate a behavior. underlying or an intention. The method according to the invention therefore relies, as indicated above, on the search for similarities, or relatedness, between a scratch listed as being affixed to the transmitter and the same clipping affixed to a flowing file or to a stream, always without knowing the actual identity of the sender or the content of the feed. This identification of behaviors can be done either at a given moment, simultaneous or a posteriori, or over time on all exchanges or only part of the exchanges. Advantageously, the analysis can be quantitative or temporal type.

The tracing carried out by the instance B consists therefore in particular to discover, find, follow and analyze the marks or their absence in order to detect early abnormalities or atypical behavior, and more generally than any desired behavior. A learning period may be necessary to apprehend the effervescence of the movement and the agitation of all these marks or scratches. Conventional traffic analysis tools generally used in large networks can be used here. Statistical laws can be erected during time to evolve, if necessary, the criteria for assessing atypical behavior.

FIG. 6 illustrates all the possible steps for implementing the method according to the invention as described above. The figure illustrates the case of the transmission of a stream 36 by Paul's communication medium 32 to the Astrid receiving communication medium 37. The first instance 21, the instance A, has allowed Paul's communication medium to mark the outgoing flows of a claw 34 indicating the cryptonymic identity of the transmission medium 32. The instance A is the only instance that knows the real identity of the medium 32, by referencing. This real identity may be the identity of the person responsible Paul, natural or legal person, or any identity to unambiguously identify the communication medium 32, in particular its location. The second instance 22, the instance B, makes a finding of activated without knowing the real identity of Paul nor the content conveyed by the stream. Instance B only has access to Paul's cryptonym, represented for example by a secret element contained in the masking scratch, this secret element being able to be modified periodically. Instance B performs the identification of relatives 53 between the claws of the containers, that is to say the streams, and the transmitters, Paul's communication medium in the example of the figure. Instance B also performs behavior analysis, primarily on flows without scratches, but the analysis can also include fluxes with masking scratches, for example in less dense sampling than in fluxes without grafting. .

The following instance 23, the instance C, can at the end of the analyzes of behavior carried out by the instance B, to initiate procedures of verification in particular of content of flows suspects or sought. A suspicious or searched flow is a flow, with or without a claw, whose behavior is considered as typical or atypical following the analysis of the instance B. In other words, the instance C does not know 54 that the only communicants to the behaviors noted by B as being sought. It may also be unaware of how this behavior was considered typical or atypical, particularly in cases where initial suspicion or research would ultimately be unfounded. According to desired degree of compartmentalization, C may not be aware of the overall behavior concerned, eg ignore other flows from the same source, or to the same destination, but not found to be wanted or suspected, as well as data can help to know this global behavior, such as the schedules, numbers, degree of regularity and repetitiveness of these flows, or even help to deduce a real identity, individual or related to an identifiable community. If there is a desire for extreme partitioning, the instance C itself can be internally fragmented so that the officiants in charge of the observation of the content and those who participate in the prior action of interception or storage the flow concerned do not communicate, so that the first ignore the identities (cryptonymic or real) of the senders and receivers of the flow. At the end of the process, the C instance may communicate, automatically or not, information concerning a flow a priori illicit to an authority with a judicial power capable of initiating a formal investigation procedure. This is able to cross-check the global behaviors collected by the B instance, and the analysis for example of the content conducted by the C instance. This authority with a power such as judicial for example may be the sole final holder of information from the three instances:

- the contents, to obtain from C;

- behaviors, to obtain from B;

- the real identities of the users wearing a masking scratch, to obtain from A.

Advantageously, the inverted order from which this authority with judicial power is preferentially activatable, makes it possible in this case to not grasp it and give it the possibility of merging all the information, once the process of analysis has been advanced. less until the B instance, and ideally until the C instance. The latter is intended to be after finding the contents, the most legitimate to seize the authority with judicial powers. Vis-à-vis, the invention thus establishes several types of authorities, different according to their functions and their attributions. These authorities will be in charge of receiving requests or reports, and more generally all information, coming in whole or part of the entities A, B or C, in order to process them and possibly to follow up. They will also be able to receive requests or proposals from external third parties, such as research organizations or judicial investigators, with whom they will act as an interface and buffer to reinforce the external partitioning of A, B and C. In particular, the following are identified: - a first form of authority with a judicial power, for example, to benefit from a right to know the content under examination, and to initiate or participate in legal proceedings;

- a second form of authority, previously called "moral authority", with or without judicial powers, and likely to judge the advisability of attaching an informative mark to a stream, in order to indicate to a communicant, such as its receiver, elements relating, for example, to any alleged innocuousness or dangerousness; - a third form of authority, with no judicial power and informative marking capability to the receiver. This authority is enabled in the case of searches on the streams and users of networks not related to their lawfulness. It is vested with the right to receive the data, for example essentially from the B instance. This is to interface with users the collected statistical data, for example for sociological, statistical or even metrological research. This authority being able to judge the opportunity of data transmission, and remaining in charge of the guarantee of anonymity of these data transmitted. Access to the various pieces of information, and the right to merge them, will remain subject to the constraints of the law and to the rule of compartmentalisation enacted by the supervisor of the process, in respect of the invention;

- A fourth, named "anonymization authority", will function to manage pseudonyms, according to the reason explained below. In a particular mode of operation illustrated in particular by FIG. 8, the non-real identity, relating to the issuer of a stream, is capable of being subdivided into two, both of which are indirectly related since related to a single real sender identity, but responding to different functions, modes of modification and access modes. The interest of this process resting in the ability of one or the other identity to give access to the other, under the restriction of prior authorizations, without having to go by revealing or knowing the real identity: the first identity, already seen above, being present on the stream and corresponding to the masking scratch itself, remains protected as much as desired, in particular in the sense of undetectable, indelible, inaccessible or unintelligible to any actor or receiver other that the instances A, B and possibly C. This part can be modified periodically and without logical sequence at the discretion of A, and thus not being stable nor predictable or reconstitutable in its formal expression;

- the second identity, subsequently named "pseudonym", absent on the flow, will be stable in time and in relation to its bearer, likely to be able to carry another parallel or to follow. This second identity will eventually be selectable by the issuer.

The management of the pseudonym and the cryptonyme expressed by a scratching refers to partitions between three entities: the instance A 21, the anonymizing authority 72, and an entity 81 subsequently named Z. The instance Z is dedicated the only management of the link between a real identity and his pseudonym, without explicit knowledge of graffiti. An approved transmitter 82 receives a proposal to choose a pseudonym, either from the instance A, or from Z. Z will be the recipient of this choice, except for the instance A, which has not no vocation to know it. The Z instance is functionally unable to locate a scratch in emails or other streams it receives from the transmitter. It transmits the chosen pseudonym to the anonymizing authority 72, accompanied by the electronic mail or other stream coming from the transmitter and specifying this choice, this mail bearing a scratch awarded by A, but that Z can not detect and read. Just like instance B, the anonymizing authority has the functional ability to detect scratches, which are its priority search, but their presence prevents it from then ascertaining the real identity of this transmitter. anonymisation thus receives both the pseudonym and the clawing of an issuer, whose real identity it does not intend to know. Instance A then transmits to the anonymization authority the updated versions of this scratch, without referring to the real identity of its transmitter, but referring either to a previous scratching of this transmitter, or to original scratching here named mother scratching, either to an arbitrary identifier coupled to this genealogy of scratching. The anonymizing authority has once received a copy of this parent scratch or one of its subsequent variations through the Z instance. The anonymizing authority cross-checks between its two sources. It emerges from this device:

- that the instance A knows the real identity of a transmitter and its clawing, but not its pseudonym;

that the instance Z knows the real identity of a transmitter and its pseudonym, without knowing how to detect and read its clawing; - that the authority of anonymisation 72 knows the pseudonym and the genealogy of the grafts, without having functionally access to the true identity concerned.

Instance B is only interested in the first identity, corresponding to the masking scratch. It does not search for the second, corresponding to the pseudonym, just as it does not conduct any research on the real identity of the stream and its issuer.

Various uses can be envisaged. A first use is the access to the pseudonym from the possession or knowledge of masking dogging as illustrated for example in Figure 7. In this example, Paul 32 is provided with a scratch and a pseudonym. He asks for access to the site of Julie 39 who wants to know if he has a homologation giving scratching and if he has already come to his site.

This pseudonym can be communicated or made punctually accessible, visible or readable in the eyes of some interlocutors such as for example a website of Julie 39 who would make a request in good standing. Requirement can be accompanied for example by transmitting a copy of the protocol header 71 of the communication protocol, or a more general copy of the carrier flow of the claw. Access to the pseudonym will be obtained from those authorized to keep it as well as to communicate it: o in a first variant, by or with an anonymizing authority 72; o in a second variant, by a third party, trustworthy, that he has delegated for this purpose; o in a third variant, by or from the anonymization authority, with visibility permission granted by the issuer of the stream.

A second possible use is restricted on the part of the anonymizing authority either to inform a pseudonym but simply to confirm it, namely to confirm that such pseudonym known by a receiver, corresponds to the clawing contained in a message. claiming this pseudonym. In this variant, the fact that the issuer has not made known his pseudonym to the recipient, prevent the latter to access his knowledge by obtaining the authority of anonymization. It is thus one of the cases where the acceptance, by the issuer, that his pseudonym is known by a third 83, is preliminary, indispensable, even nominative. Another way is that the issuer authorizes the anonymizing authority to communicate later to a designated third party or such type of third, as previously indicated in said third variant. These devices are conceivable in particular for cases where a pledge of sincerity would be requested from this issuer, such as a site allowing access to a service that it offers for free, for example as a later counterpart to another reciprocal service from the issuer, in a logic here barter, or ethics, such as the commitment to keep a secret obtained at the first visit. In the event that this counterparty has not been completed subsequently, the site would be able to recognize this issuer during a future visit and deny him new access until the counterparty has been obtained or repaired. The advantage of this process lies in the fact of providing a stable pseudonym attached to a changing mask (scratching) itself relating to a real identity stable but not known. Like a carnival mask that can change regularly in the eyes of an observer posted at the entrance or inside, but can not during successive balls that remain attached to the same pseudonym constant in time. Paul can change masks regularly, but each new and different mask will be attached to the only stable pseudonym of Harlequin 73, originally chosen by Paul. "Paul" and "Harlequin" are perennial, while the mask evolves. The pseudonym is only visible to whomever the issuer wishes, either the authority holding that alias, or both. In this way, any observer present on the network and having knowledge or detention (by reception but without being able to recognize or read it) of the claw of the sender or its flow, could not access the stable pseudonym without the agreement of this issuer and / or the anonymisation authority. And any authorized recipient of this stable pseudonym could not know by this means the true identity of the issuer. The advantage of this process is that the receiver would be certain however that the stable pseudonym is related to any masking scratch, in the sense that it emanates from an unspecified transmitter but has been deemed worthy of approval, or to a precise masking scratch, in the sense that it actually corresponds to the issuer of such message. In this second case, the receiver benefits from the guarantee provided by the anonymisation authority that it is indeed the same issuer as during a previous contact, even if the scribbling of this transmitter would have been meanwhile modified by the instance A. This guarantee of interlocutor can be carried out as well on an asymmetrical mode, as in the previous case where only one of the two interlocutors request guarantee, that in a symmetrical mode. This device presenting originality not to rely on real identities, but on identities with the triple complementary feature of being artificial, stable and unique.

Another use is to obtain a confirmation of possession by Paul of a grading homologation, from the possession or knowledge of the pseudonym. In this inverted method, the pseudonym can be used by addressing its owning proxy authority, or any delegated third party. On this request of the receiver of a flow claiming a given pseudonym, the authority can confirm the reality of possession of a scratch by the sender, without specifying the content.

This confirmation of approval of interlocutor can be conducted in both asymmetric and symmetrical mode.

These pseudonyms facilitate the constitution of relations between communicators on bases totally or partially anonymized, but immodifiable, immutable and non-transferable otherwise than by any restrictive rules defined by the authority.

Claims

A method of identifying flows that can be searched in a communications network comprising communication media (31, 32, 33) transmitting streams (36) to receivers (37, 38, 39), characterized in that it comprises at least: - a step of assigning a cryptonymic identity (34) to communication media by a first instance (A, 21), the streams (36) emitted by a medium carrying a masking scratch, according to its cryptonymic identity, the cryptonyme of a support being distinct from its real identity (21, 22, 23); a step of reading and analyzing flows (41, 42) by a second instance (B, 22), said analysis comprising a phase of identifying flows to their communication supports (31, 32, 33) by searching similarity between the eventual clawing of the flows and the possible cryptonymic identity of the supports using a table referencing the cryptonymes, and a phase of observable characteristics of the flows through the network; a behavior, defined by a set of characteristics, being declared typical or atypical compared to a given set of criteria, the table of cryptonymic identities having no link with real identities.

2. Method according to claim 1, characterized in that the behavior analysis is performed in priority on the fluxes having no scratching (34) relative to a communication medium provided with a cryptonyme.

3. Method according to any one of the preceding claims, characterized in that it comprises a third step of receiving reports of typical or atypical behavior by a third instance (C, 23), said instance being able to verify the lawfulness of corresponding flows.

4. Method according to claim 3, characterized in that the third instance (C, 23) is able to verify the contents of the corresponding flows.

5. Method according to any one of claims 3 or 4, characterized in that the third instance (C, 23) is not informed of the result of the comparison which led to declare a typical flow or atypical.

6. Method according to any one of the preceding claims, characterized in that the instances (A, B, C) are partitioned without mutual access to their respective data other than by requests issued according to a degree of authorization likely to be predefined. .

7. Method according to any one of the preceding claims, characterized in that the second instance (B) performs flow reading at a point of the network (35).

8. Method according to any one of the preceding claims, characterized in that the cryptonymic identity supplied to a communication medium (32) is a secret element, the secret determining the cryptonyme of the medium, the flows (36) emitted by this support comprising (32) a dogging containing this secret element.

9. Method according to claim 8, characterized in that the secret element can be stored on the medium or be written dynamically from data from each time outside, while terminating to a scratching of the flow by the sending equipment.

10. The method of claim 8 characterized in that the secret element can be held by an external party, likely to affix after the output of the stream, under a previously approved identity.

11. Method according to any one of claims 8 to 10, characterized in that the secret element is periodically modifiable by the first instance (A).

12. Method according to any one of claims 1 to 9, characterized in that the clawing masking flux is automatically established in or at the output of the transmission communication medium (32) during each shipment.

13. Method according to any one of claims 1 to 1 1, characterized in that the clawing masking a flow is performed at a point of passage of the network by marking means.

14. Method according to any one of the preceding claims, characterized in that an informative mark is affixed by marking means on request of a signal from the second instance (B) or the third instance (C). ).

15. Method according to any one of the preceding claims, characterized in that an informative mark is affixed by marking means on request of a signal from an independent authority that can appreciate the opportunity.

16. Method according to any one of claims 14 or 15, characterized in that the informative marking of a stream (36) is carried out at a point of passage of the network by marking means.

17. Method according to any one of claims 14 to 16, characterized in that the information contained in the informative mark is readable by receiving communication media (37, 38, 39) or senders (31, 32, 33). of the flow.

18. Method according to any one of the preceding claims, characterized in that a communication medium (31, 32, 33) can not be definitively freed from a masking scratch without an authorization signal from the first instance ( A, 21).

19. Method according to any one of the preceding claims, characterized in that a communication medium (31, 32, 33) can temporarily or selectively freeze a masking scratch without an authorization signal from the first instance (A).

20. Method according to any one of claims 1 to 18, characterized in that a communication medium (31, 32, 33) can temporarily or selectively omit a masking scratch via an authorization signal. of the first instance (A).

21. Method according to any one of the preceding claims, characterized in that the flow analysis is performed on their communication protocols.

22. The method of claim 21, characterized in that the dogging is inserted in the format of the communication protocol used, while respecting the protocol standard, without interfering with the data of the user.

23. The method of claim 22, characterized in that the clawing is inserted in the protocol header.

24. Method according to any one of the preceding claims, characterized in that a real flux transmitter identity (82) is separately associated on the one hand with an invariant pseudonym, on the other hand with a variant cryptonyme, functionally concealers of the true identity, these two attributes benefiting from possible bridges between them, but neither their addition allowing an external third party to go back, by their knowledge or their detention, to this real identity.

25. The method of claim 24, characterized in that the identities are personal and non-transferable to third parties.

26. Method according to any one of claims 24 or 25, characterized in that the pseudonym is brought to the explicit knowledge of third parties by its holder, the cryptonyme not being.

27. Method according to any one of claims 24 to 26, characterized in that it is deployed, in terms of identity management, three partially partitioned entities: an instance A (21), a Z instance (81). ) and an anonymizing authority (72):

- instance A knowing explicitly the link between real identity and scratching.

the instance Z knowing explicitly the link between real identity and pseudonym.

the anonymization authority (72) knowing explicitly the link between pseudonym and scratching.

28. Method according to any one of the preceding claims, characterized in that an invariant pseudonym of a given identity and a variant cryptonyme of this same identity are in constant bijection, within the instance charged with this bijection, without intercession of this real identity at any time.

29. A method of transmitting a stream (36) by a communication medium through a telecommunication or television broadcasting network able to secure the data traffic, characterized in that it comprises a scratch representing a cryptonyme independent of the the actual identity of its transmission communication medium and the content it conveys, said cryptonym being referenced in a first instance (A), the referencing indicating the link with the corresponding real identity and said crytonyme being detectable by a second instance (B) that does not have access to the corresponding real identity.

30. The method of claim 29, characterized in that the cryptonyme is in the form of a secret element.

31. Method according to any one of claims 29 or 30, characterized in that the dogging is inserted in the format of the communication protocol used, while respecting the protocol standard, without interfering with the data of the user.

32. The method of claim 31, characterized in that the clawing is inserted into the protocol header.