KR101958256B1 - Method of delay tolerant network - Google Patents

Abstract

The present invention relates to a false name frame work system and method for protecting personal information of a delay tolerant network. In addition, according to the present invention, the method comprises the steps of: (A) transmitting, by a user device, an identity request message including an actual identity, a plurality of blind tokens, and an original certificate to an authentication confirmation authority device; (B) generating, by the authentication confirmation authority device, a challenge message including a random number and an unblind factor after extracting an actual identity and a plurality of blind tokens from the identity request message; (C) transmitting, by the user device, a challenge response message to an authentication confirmation authority; and (D) transmitting, by the authentication confirmation authority device, a false name confidence acceptance message including a plurality of blind tokens signed in response to the challenge response message.

Description

{METHOD OF DELAY TOLERANT NETWORK} < / RTI >

The present invention relates to a pseudonym framework system and method for privacy protection of a delay tolerant network.

The use of wireless sensor networks is increasing rapidly in healthcare applications (eg, Wireless Body Area Network (WBAN)). Several research projects (eg HealthGear, MobiHealth, CodeBlue) are used for these wirelessly supported healthcare applications.

However, as these trustworthy technologies have a positive impact on public health, the vulnerabilities (eg, eavesdropping, data tampering, sniffing, etc.) that exist in these communication systems directly affect the social status of the individual. Many studies address solutions for security and privacy issues and e-health applications of Delay Tolerant Networks (DTNs), a special case of potentially wireless networks in rural areas.

The concept of DTN was inspired by IPN (Interplanetary Internet) [1], [2]. DTN represents a network class that can not use persistent end-to-end connections. It provides a viable solution for networks that are experiencing intermittent connectivity due to frequent breaks in transmission media, topology, and other environmental factors (radio range, noise, bit errors, etc.). VANETs, Intelligent Transport Systems (ITS), military / combat field communications, submarine communications, space communications and RAN (Rural Area Network) [3], [4] for regional development are application networks of DTN.

 DTN is a multi-hop network paradigm, in which communication is performed via a store-forward and forward mechanism with persistent storage at each hop of the network. It is a message exchange architecture and is superimposed on top of the local network, including the Internet. The repository-delivery mechanism is performed by an application layer protocol called a bundled protocol in which messages are partitioned

And is transmitted in a basic transmission unit called a bundle. The individual bundles are carried by the convergence layer provided by the underlying network architecture (eg, Transmission Control Protocol - TCPCL when the convergence layer TCP is used in the transport layer). The DTN overlapping network is located at the top of a heterogeneous region-specific sub-layer where applications can communicate in various regions [6, 7].

DTN provides a custody-based retransmission service with expected, scheduled opportunistic connectivity and thus high latency.

In the developing world, which can be used to provide health services, education and government services to end users, such as rural areas, DTN is said to be a suitable architecture for delivering communications in stressful environments where the Internet does not work. The rural area DTN (Rural Area DTN, RA-DTN) was first introduced in [8] and [9] and has been extensively studied in [10], [11] and [12].

Privacy involves the trust and risk associated with personal data collected, stored and shared across the network. RA-DTN's privacy protection for health care is a prerequisite to protecting personal data (eg, disease type, temperature, heart rate, exercise, identity, etc.) [13, 14, 15]. The term privacy used here refers to the protection of communication personal information that hides the end user's identity from the other party, the certification authority, and other unauthorized nodes in the network. Privacy [16] defines boundaries for subject attributes and limits the right to use, manipulate, and share those attributes. It is closely intertwined with identity and is designed as a voluntary and temporary condition of separation from the public sphere. It gives individuals the ability to control the distribution of their information. The Architecture of Privacy (PbA) [17, 18] is a concept based on requiring the user to send the minimum identification information to the certification authority to request the certificate. The PbA approach provides users with a higher level of privacy protection more reliably.

Anonymity is a condition that can not be discerned from a set of topics called anonymity sets. The concept of anonymity was first proposed by Chaum [19]. The word alias comes from Greek.

Adopt a false name. Chaum has defined a digital alias in the public key used by the anonymous owner to verify the signature using that private key. Anonymity and pseudonymity are two well-known terms for achieving privacy.

Mix [19] and Onion Routing (OR) [20] are two well-known technologies adopted in the literature to maintain user privacy. In general, the Mix node accepts and decrypts the encrypted message and removes all sender-related information.

The message is also stored in the buffer until the trigger condition is reached, and the message is reordered before being forwarded or flushed to the appropriate node. OR is a four-step method of hiding routing information. Define routes, configure anonymous connections, move data through connections, and destroy anonymous connections.

Provides anonymity by providing layered encryption on all intermediate hops of the communication path. The outermost layer encryption is the first hop of the path and the innermost layer encryption is the target. The OR and various sub-technologies are not suitable for DTN because they depend on source routing and assume an end-to-end bidirectional communication path. DTN nodes can not know the correct path and the public key for layer encryption. Mixing techniques also increase the overall latency of the communication link, which is another reason not suitable.

Publication No. 10-2010-0066131 Registration number 10-0888008

[1] V. Cerf, S. Burleigh, A. Hooke, L. Torgerson, R. Durst, K. Scott, K. Fall, H. Weiss, Delay-tolerant network architecture: the evolving interplanetary internet, draft-irtfipnrg- arch-01. txt. [2] F. Warthman, et al., Delay-tolerant networks (dtns): A tutorial (2003). [3] M. J. Khabbaz, C. M. Assi, W. F. Fawaz, Disruption-tolerant networking: Communications Surveys and Tutorials, IEEE 14 (2) (2012) 607-640. [4] K. Fall, A delay-tolerant network architecture for challenged internets, in: Proceedings of the 2003 Conference on Applications, technologies, architectures, and protocols for computer communications, ACM, 2003, pp. 27-34. [5] K. L. Scott, S. Burleigh, Bundle protocol specication. [6] V. Cerf, S. Burleigh, A. Hooke, L. Torgerson, R. Durst, K. Scott, K. Fall, H. Weiss, Delay-tolerant networking architecture, Tech. rep. (2007). [7] A. Sanchez-Carmona, S. Robles, C. Borrego, Privhab +: A secure geographic routing protocol for dtn, Computer Communications 78 (2016) 56-73.  [8] S. B. Eisenman, E. Miluzzo, N. D. Lane, R. A. Peterson, G.-S. Ahn, A. T. Campbell, and Bikenet: A mobile sensing system for cyclist experience mapping, ACM Transactions on Sensor Networks 6 (1) (2009) 6. [9] A. Kate, G. M. Zaverucha, U. Hengartner, Anonymity and security in delay tolerant networks, in: Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on, IEEE, 2007, pp. 504-513. [10] N. Bhutta, G. Ansa, E. Johnson, N. Ahmad, M. Alsiyabi, H. Cruickshank, Security analysis for delay / disruption tolerant satellite and sensor networks. [11] N. Ahmad, H. Cruickshank, Z. Sun, ID based cryptography and anonymity in delay / disruption tolerant networks, in: Personal Satellite Services, Springer, 2010, pp. 265-275. [12] N. Ahmad, H. Cruickshank, Z. Sun, M. Asif, Pseudonymized communication in delay tolerant networks, in: Privacy, Security and Trust (PST), IEEE, 2011, pp. 1-6. [13] E. Papapetrou, VF Bourgos, AG Voyiatzis, Privacy-preserving routing in delay tolerant networks based on bloomlters, in: World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2015 IEEE 16th International Symposium on IEEE, 2015 , pp. 1-9. [14] C. Dunbar, M. Gao, G. Qu, Pass and run: A privacy preserving delay tolerant network communication protocol for cybervehicles, in: Connected Vehicles and Expo (ICCVE) . 840-841. [15] J. Zhou, X. Dong, Z. Cao, A. V. Vasilakos, Secure and privacy preserving protocol for cloud-based vehicular dtns, IEEE Transactions on Information Forensics and Security 10 (6) (2015) 1299-1314. [16] A. Ptzmann, M. Hansen, A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (2010). [17] A. Cavoukian, Privacy by design, Take the Challenge. Information and Privacy Commissioner of Ontario, Canada. [18] K. Chen, H. Shen, Distributed privacy-protecting dtn routing: Concealing the information indispensable in routing, in: Network Protocols (ICNP), 2016 IEEE International Conference on, IEEE, 2016, pp. 1-2. [19] D. L. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Communications of the ACM 24 (2) (1981) 84-90. [20] J. Feigenbaum, A. Johnson, P. Syverson, A model of onion routing with provable anonymity, in: Financial Cryptography and Data Security, Springer, 2007, pp. 57-71. [21] R. Jansen, R. Beverly, Toward anonymity in delay tolerant networks: threshold pivot scheme, in: MILITARY COMMUNICATIONS CONFERENCE, 2010-MILCOM 2010, IEEE, 2010, pp. 587-592. [22] N. Benamar, K. D. Singh, M. Benamar, D. El Ouadghiri, J.-M. Bonnin, Routing protocols in vehicular delay tolerant networks: A comprehensive survey, Computer Communications 48 (2014) 141-158. [23] G. Vakde, R. Bibikar, Z. Le, M. Wright, Enpassant: Anonymous Routing for Disruption-Tolerant Networks with Applications and Assistive Environments, 4 (11) (2011) 1243-1256. [24] CPA Ogah, H. Cruickshank, Z. Sun, G. Chandrasekaran, Y. Cao, PM Asuquo, MA Tawqi, Privacy-enhanced group communication for vehicular delay tolerant networks, in: 2015 9th International Conference on Next Generation Mobile Applications , Services and Technologies, 2015, pp. 193-198. doi: 10.1109 / NGMAST.2015.67. [25] R. Lu, X. Lin, T. Luan, X. Liang, X. Li, L. Chen, X. Shen, Prelter: An e cient privacy-preserving relay ltering scheme for delay tolerant networks, in: Proceedings IEEE INFOCOM, 2012, pp. 1395-1403. doi: 10.1109 / INFCOM.2012.6195504. [26] J. Miao, O. Hasan, S. B. Mokhtar, L. Brunie, A. Hasan, 4pr: Privacy preserving routing in mobile delay tolerant networks, Computer Networks 111 (2016) 17-28. [27] S. A. Menesidou, V. Katos, G. Kambourakis, Cryptographic key management in delay tolerant networks: A survey, Future Internet 9 (3) (2017) 26. [28] F. Schaub, F. Kargl, Z. Ma, M. Weber, V-tokens for conditional pseudonymity in vanets, in: Wireless Communications and Networking Conference, 2010 IEEE, IEEE, 2010, pp. 1-6. [29] B. Aslam, C. C. Zou, "One-way-linkable blind signature security architecture for vanet, in: Consumer Communications and Networking Conference, 2011 IEEE, IEEE, 2011, pp. 745-750. [30] D. Chaum, Blind signatures for untraceable payments, in: Advances in cryptology, Springer, 1983, pp. 199-203. [31] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612-613. [32] Y. Duan, J. Canny, Scalable secure bidirectional group communication, in: INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, IEEE, 2007, pp. 875-883. [33] G. V. Chockler, I. Keidar, R. Vitenberg, Group communication speci cations: a comprehensive study, ACM Computing Surveys (CSUR) 33 (4) (2001) 427-469. [34] S. C. Nelson, R. Kravets, In members only: Local and robust group management in dtns, in: Proceedings of ACM Workshop on Challenged networks, ACM, 2010, pp. 5-12. [35] D. Solo, R. Housley, W. Ford, Internet x. 509 public key infrastructure certicate and crl prole. [36] C. E. Shannon, A mathematical theory of communication, ACM SIGMOBILE Mobile Computing and Communications Review 5 (1) (2001) 3-55. [37] C. Diaz, S. Seys, J. Claessens, B. Preneel, Towards measuring anonymity, in: Privacy Enhancing Technologies, Springer, 2003, pp. 54-68. [38] C. Daz, J. Claessens, S. Seys, B. Preneel, Information theory and anonymity, in: Proceedings of the 23rd Symposium on Information Theory in Benelux, 2002, pp. 179-186. [39] G. Lowe, Casper: A compiler for the analysis of security protocols, Journal of computer security 6 (1) (1998) 53-84. [40] D. Dolev, A. C. Yao, On the security of public key protocols, Information Theory, IEEE Transactions on 29 (2) (1983) 198-208. [41] A. Keranen, J. Ott, T. Karkkainen, The One Simulator for Dtn Protocol Evaluation in: Proceedings of the 2nd International Conference on Simulation Tools and Techniques, ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering ), 2009, p. 55.

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above problems, and it is an object of the present invention to provide a pseudonym credential protocol that allows a user to share only a minimum identification information with a certification authority and obtain a pseudonym credential that can not be traced to a blind, There is provided a pseudonym framework system and method for privacy protection of a delay tolerant network including a pseudonym identity / certificate issuance protocol that grants the user a plurality of pseudonym identities / certificates so as not to know the actual identity .

The present invention uses a combination of encryption techniques such as critical encryption and blind signature to separate functions between certification authorities.

Further, the trust hypothesis of the present invention is reduced to one organization that generates a pseudonym trust for the user after verification and authentication.

Further, the present invention avoids the superiority of the certification authority by dividing the resolution information, that is, the alias-actual identity, between the VCA, the ICA, and the user. Generating multiple alias credentials at once reduces interaction with the VCA. On the other hand, a user may request multiple certificates from the same or a final certificate authority, ICA.

The present invention proposes a Pseudonym Credential protocol based on Personal Information Protection Architecture (PbA).

The Pseudonym Credential protocol allows a user to share only a minimum of identification information with a certificate authority and obtains a pseudonym credential that can not be blindly traced.

In addition, the present invention proposes a pseudonym / certificate issuance protocol based on Personal Information Protection Architecture (PbA), and gives various pseudonym / certificate to the user so as not to know the actual identity.

1 is a diagram illustrating a framework for a telemedicine application in RA-DTN.
2 is an exemplary diagram illustrating a detailed procedure of a pseudonym security protocol in a pseudonym framework system and method for privacy protection of a delay tolerant network according to an embodiment of the present invention.
3 is an exemplary diagram illustrating a detailed process of a pseudonym identity / certificate issuance protocol in a pseudonym framework system and method for privacy protection of a delay tolerant network according to an exemplary embodiment of the present invention .
4 is a diagram showing a role confusion attack model of a user.
5 is a diagram showing a role confusion attack model of VCA.
6 is a diagram showing multiple attacks.
7 is a diagram showing a spectrum of degree of anonymity (DoA).
Figure 8 shows the minimum and maximum levels of DoA provided by a particular group.
Figure 9 shows a comparison of two active attacks.
10 is a diagram showing group anonymity.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments will be described in detail below with reference to the accompanying drawings.

The following examples are provided to aid in a comprehensive understanding of the methods, apparatus, and / or systems described herein. However, this is merely an example and the present invention is not limited thereto.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intention or custom of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification. The terms used in the detailed description are intended only to describe embodiments of the invention and should in no way be limiting. Unless specifically stated otherwise, the singular form of a term includes plural forms of meaning. In this description, the expressions " comprising " or " comprising " are intended to indicate certain features, numbers, steps, operations, elements, parts or combinations thereof, Should not be construed to preclude the presence or possibility of other features, numbers, steps, operations, elements, portions or combinations thereof.

It is also to be understood that the terms first, second, etc. may be used to describe various components, but the components are not limited by the terms, and the terms may be used to distinguish one component from another .

The present invention proposes a framework for a telemedicine application program in RA-DTN as shown in FIG.

Telemedicine is one of many applications such as news reports and weather forecasts that RA-DTN can provide network connectivity [9, 10, 11]. Assume that a patient in a rural area is suffering from a chronic illness and wants to send a medical report to a doctor in a city / rural area (same area, other area). In this case, the patient does not want to disclose the identity to other villagers, kiosks, mobile terminals or gateway members. Achieving privacy and security in this hostile environment is a challenging task because infrastructure is loosely coupled and both passive and active attackers can compromise the network. The goal of the patient is to hide his identity.

It is difficult for an intruder to identify another person. Equally important, the patient should not be able to be linked in the message. For example, one or more messages can not be linked to the same user in the village.

The present invention proposes a new privacy anonymity framework (PF, PbA Pseudonym Framework) for maintaining personal information protection in DTN and RA-DTN.

The framework consists of two protocols: a pseudonym credential protocol and a pseudonym identity / certificate issuance protocol.

The pseudonym credential protocol can be used to securely generate a pseudonym trusted identity that can not be tracked by the Verifying Certifica- tion Authority (VCA). On the other hand, the Issuing Certicate Authority (ICA) gives the user a pseudonym and a certificate so that he / she does not know the actual identity.

1. BACKGROUND ART

Privacy protection is based on the Kate et al. [9]. Their solution uses aliases instead of the true identity of the participants. Through this mechanism, the DTN router knows that the alias belongs to a valid user without learning the identity of the user. The user chooses an arbitrary integer r _U ∈ Z _p to generate the alias identity PU = r _U .Q _U. The new pseudonym public / private key is generated according to the alias name. However, in this solution, aliases are created in a trivial way that is easily fragile and can be created on their own. The protocol should be updated regularly in the Public Key Generator (PKG) for key generation that is not practical in a DTG environment. There is no mechanism defined to refill a pseudonym or a plural alias. This protocol assumes that the gateway is a trusted entity, so it is prone to single points of failure and may be a Big Brother.

Threshold Pivot Scheme [21] considers anonymity in a military environment that is used as a possible means of DTN communication. This task considers identity and location concealment in a DTN, such as an OR mechanism called a critical pivot technique. Outbound packets sent from the origin to the destination are not sent directly to the destination, but instead are sent over any node called the pivot. The pivot is the only node that knows the identity of the receiving node. A return pivot node and a one-time symmetric key are included to hide the identity of the sender to provide bidirectional anonymity. Source routing and layered encryption is not a feasible approach in DTN because the path from source 5 to destination is not always persistent and known [22]. The concept of a pivot node on a return path and a one-time symmetric key is very impractical in a DTN environment.

EnPassent [23] used a redirection message through the peer node group to hide the relationship between source and destination. This research uses phone groups as a new idea instead of onion routing and mix. The source uses the public key of the phone group member to encrypt the message and transmit the message. Each phone group knows only the next address of the phone, but the last phone knows the destination of the message.

The identity of the sending node is published to the first phone and the identity of the receiving node is published to the last phone of the routing path. This protocol uses source routing and the initiator must know the nodes of the path to encrypt the message. Also, in the case of a return message, the sender must include the return phone group path. In DTN, however, the connection is very delayed and interrupted, so that not all nodes know the full path ahead of the communication. This solution also assumes full trust to not disclose the user's identity to the phone member.

The work of [24] focuses on group communication in DTN, a special application of Vehicular Delay Tolerant Network (VDTN). Privacy occurs in sparse networks using group communication and results are evaluated using network performance parameters such as latency and average rate. This solution does not refine the role of the certification body and maintains full trust of the certification body. This solution is not valid for other types of privacy attacks.

PReFilter [25] implemented a privacy policy in the DTN and stopped receiving junk and spam sent to the other party. This solution is similar to the Intrusion Detection System (IDS), the results show good performance in the preliminary scenario, and it is difficult for the enemy to guess the keyword of the privacy policy. However, this solution does not compare results with well-known protocols classified as privacy-enhancing technologies. Distributing policies to intermittent connectivity is also a serious problem in itself.

4PR [26] increases the probability of message routing with persistent privacy protection in DTN. This solution is analyzed for network and security parameters in various scenarios and mobility models. However, there is a lack of probabilistic analysis showing the level of personal information obtained from the results. This survey discussed literature on security and key management in DTN, but did not discuss privacy enhancement techniques in DTN.

Privacy protection has also been studied in VANET, but the proposed solution is not applicable to DTN. V-Token [28] has addressed the privacy of VANET by extending its architecture to multiple certificate authorities to divide trust. The user creates a blind signature mechanism using cut and paste functions and uses it with other certification authorities for aliased identities and certificates.

This solution is based on the connection path between the certification authority and the user and includes several message exchanges and the resolution information of the pseudonym-real identity information is stored in the pseudonym information. Thus, if a malicious user can issue a fake credential in a certificate authority, there is no evidence to map the pseudonym to a real identity. In addition, the V-token asserts privacy 6 while requesting a pseudonym certificate, but the request is signed by the user and verified to the certificate authority. One-way connectable blind signature [29] is another solution for providing privacy protection in VANET and implements all security attributes without the need for multiple transactions with trusted platforms and certification authorities. However, in order to rewrite the pseudonym, interaction with the Road Side Unit (RSU) is frequent, which is not suitable for DTN.

2. Anonymous Framework

This section first provides a brief knowledge of the various concepts used in the proposed framework, and presents the two protocols already discussed, through requirements, assumptions, and detailed message exchanges. For illustrative purposes, Table 1 lists some notations and their descriptions.

1.1. Qualifier for anonymous framework

A blind signature [30] is to sign a message without knowing the contents of the message. Suppose Alice wants Bob to sign message m but does not want to know its contents. For this reason, Alice generates a blinding factor b and encrypts it with Bob's public key (signer). When Bob receives the message, he signs the message without knowing the contents of the message and sends it back to Alice. Alice applies the unblinding factor b- ¹ and gets m signed by Bob, a simple RSA digital signature.

(a) Threshold Cryptography.

Multiparty computation, part of the public key cryptography studied over the past two decades, was first created by Adi Shamir [31]. The Shamir definition (t, s) is a threshold system in which the discriminated k is divided into s divisions.

If 1 <t <s, knowledge of any t-share allows the secret k to be reconstructed, but knowledge of the t-1 share does not reveal information.

(b) Group Communication

The concept of a group can be seen as a set of entities with a common goal / interest. Because of the limited connectivity in the DTN, it is a good idea to send a specific message to a group of nodes rather than individual nodes. In DTN, group communications can be realized in many applications such as rural area networks, military communications, disaster management networks, and sensor networks. In a DTN, the composition of a group can be based on many abstractions, such as roles (police, security, etc.) and geographical proximity (nodes that meet daily due to cause). It is assumed that the group formation of the DTN is out of the scope of the present invention, so that it is assumed that the group has already been created and the node participates in the node satisfying the specific condition.

(c) Public Key Infrastructure (PKI)

The main purpose of a Public Key Infrastructure (PKI) [35] is to issue and manage digital certificates and to bind public keys and unique identifiers of users. A digital certificate does not protect the user's personal information because the X.509 certificate usually contains the actual identity of the user who issued it. There are two ways to hide the end user ID.

1. Create an anonymous certificate in the CA, generate another ID, and ask the CA to bind the public key.

2. The user creates a pseudonym or false identity and binds it to the public key to request the certificate issuance.

When you try the first solution, the user is anonymous to other users, but the CA can act as a "Big Brother" and can connect the CA to the actual identity holder by mistake or inadvertently. The second solution makes the user anonymous to both the other user and the CA, but it is very difficult to know the true identity of the alias owner if there is malicious activity.

(d) Information theoretic analysis,

Entropy [36] is a measure of uncertainty for random variables. Let X be a discrete random variable with probability mass function Pf (i) = P (X = i). Where i represents the set of other values taken by X. Thus, the entropy H (X) with N subjects in the anonymity set is defined as: H (X) in Equation 1 takes the maximum value log (i) when the i distribution is uniform.

(1)

(e) Anonymity Set Size (ASS)

The set of nodes that can be linked to an item of interest (IoI) is called an anonymity set.

If I consider Sba, IoT, I will attack and compromise with Saa.

Therefore, the anonymity set size (ASS) quantifies the level of anonymity (AL) by the subject shown in Equation 2 after the attack.

(2)

(f) Degree of Anonymity (DoA)

This measurement metric was proposed by Diaz [37] [38], and the system can be evaluated on a scale of 0 to 1.

Anonymity If there are n objects in the system, all connections to IoI are made through all probability distributions. The maximum entropy of such a system can be expressed as H (M) in Equation (3).

(3)

Since the entropy when the attacker starts attacking may be denoted by H (X), H (M) - H (X) information is obtained after attack. Therefore, DoA can be defined by Equation (4). The formula shows that DoA is a function of EASS and maximum entropy for a particular subject.

(4)

(Table 1)

2.2. Alias Protest Protocol

The user (patient) of the RA-DTN is identified by a unique long-term identity (real identity), a certificate, and a public / private key pair. Therefore, the user wants to hide the real identity, so a pseudonym credential is needed. Thus, the user generates n blind factors b and their inverse functions b ^-1 . Everything blinded to b can be blinded to b- ¹ .

2.2.1. Token Transport and Signing Policy

Requests the number of tokens the user can send for blind signature to the Policy Distribution Authority (PDA). PDAs and users do not know the number of tokens to be signed by the Verifying Certifica- tion Authority (VCA). VCA will sign in scope.

The VCA is in the range of 1 to 12, for example, one token per month. The policy is related to the DTN as a scenario where the connection to the server is very demanding. It is therefore always beneficial to reduce frequent contact with the CA and obtain the maximum number of tokens. The user of RA-DTN should know the number of tokens that can be sent for blind signature. For this reason, the PDA has allocated 1-4 trust levels to show the level of trust allocation located in the local kiosks in the RA-DTN scenario. We updated the CRL for the certificate based on the user's anonymity and actual identity. The trust level is assigned in cooperation with the VCA and the updated CRL. The trust level is specified according to the user's previous cancellation history.

Table 2 summarizes the policies required to sign and send tokens in the Pseudonym Credential Protocol.

(Table 2)

The values in Table 2 show an increase in the number of tokens that were checked for integrity as a square of 2 from low risk to novice. This is because the risk is lower when compared to the novice user, so it uses the alias certificate to demonstrate honesty. This table shows that with reduced risk, users can send fewer tokens and get more signed tokens. Initially, VCA represents 5% confidence in the user, but trust increases to 85% depending on the time and user behavior. In summary, if a user is not involved in malicious activity in the past using a pseudonym certificate, it is necessary to send more tokens from the VCA and receive more tokens.

2.2.2. Requirements and Assumptions

This section describes the requirements and assumptions about the alias credential protocol.

PC _r must be password-safe and bound to an arbitrary value that an unauthorized user can not deny ownership.

The VCA acts as a DTN area gateway and accepts the token according to the policy defined by the user's PDA and VCA in the same zone and then blinds it.

All communications originating in the alias credential protocol are either a single hop (user visits the kiosk directly) or multi-hop (via a mobile terminal such as a bus).

2.2.3. Message exchange

In the Pseudonym Credential Protocol, a user exchanges a set of messages using a VCA to get the number of other servers, including the PDA, and the PC _r hosting the VCA in the kiosk. Figure 2 shows a system model of a pseudonym trust protocol. The message is described in detail as follows.

In FIG. 2, the user represents the user device 100, and the authentication verification authority represents the authentication verification authority apparatus 200. However, in the following description, the user apparatus is referred to as a user and the authentication check organization apparatus is referred to as an authentication check authority for convenience.

Authentication / Request Message :): The user configures the blind token according to the trust level specification. The token is generated by further XORing the hash of the new random number with the real identity.

The reason for including the actual identity in the token is to ensure that the VCA belongs to a legitimate user. The XOR function adds the blind argument b to make the token blind. The reason for using the XOR function is that the entity other than the VCA has b ^-1 , but the actual identity of the user is unknown. Also, the user must construct all blind tokens (BT) of the same type shown in equation (5), but must include different random numbers.

(5)

The user generates n blind tokens (BT) in the same way, but each blinds with another blind factor b and generates an XOR with a new unique random number r ⁱ _n . Here, n is the identifier of the blind token, i is the identifier of the user, id is the actual identity, and H denotes the hash function. The user takes a real identity and a hash of id, BTs, req, encrypts it with the private key, and proves the result with a digital signature. The digital signature is also encrypted with the VCA's public key and transmitted along with the original certificate. BT ₁ -BT _n corresponds to the number of BTs that depend on the trust bits assigned to the user by the FDA. Equation 6 shows the structure of the message.

(6)

Challenge Message: When a VCA decrypts a message with a private key and obtains a digital signature, it decrypts the signature with the public key provided in the certificate and validates the certificate. If the certificate is revoked or the signature is not verified, the VCA deletes the message and broadcasts the identity of this user as a malicious user on the network.

After successful verification, VCA has received requests for BT, id and PC _r .

The VCA randomly selects any of the n blint tokens according to the user's category and constructs the challenge, i. The challenge has two parts, I ^f and I ^p . The challenge I ^f corresponds to a full decryption such as r ⁱ _n and b ^-1 . Where I ^p denotes partial decryption information such as a random number. The VCA encrypts both parts of the challenge with the user &apos; s public key, as shown in equation (7).

(7)

Response to Challenge Message: The user sends r ⁱ _n and b ^-1 in response to the sub challenge I ^f . However, in response to I ^p , the user sends only r ⁱ _n information. The user also generates a session key, which is used to encrypt the response message by the VCA. The user includes a response to the challenge in the message and encrypts it with the public key of the VCA. The inclusion of this challenge ensures that the VCA is in conversation with the same user sending the challenge in the previous message. The message takes the form shown in equation (8).

(8)

Pseudonym Credential Grant Message: The VCA decrypts the challenge response message with its secret key and obtains a response to the two challenges.

And compares the transmitted challenge message with the received challenge response message to verify that the VCA is communicating with the authenticated user. To resolve the challenge I ^f first, the VCA performs one or both of the following to verify the authentication of the blind token:

1. After the blind is released by applying the corresponding unblind argument b- ¹ , the XOR function is obtained. Also, taking the hash function of the provided random number r ⁱ _n and taking the XOR of the hash calculated as shown in Equation (9) as the XOR function. If the user's id is found, the blind token is checked. Repeat the process for all BTs.

(9)

2. Apply the b ^-1 and remove the blinds of BT one by one to obtain the XOR function. The hash value H (r ⁱ _n ) is obtained by taking the XOR of id ⁱ _n and the XOR function. It can verify the match token when calculating the hash value of the random number and comparing it with the hash obtained after the XOR function. Equation 10 repeats the process for the rest of all BT.

(10)

The VCA cover token belongs to I ^P without knowing its contents. The following steps describe the process of blind signing of the VCA.

1. The VCA sign the BT of the set I ^P , so sBT is of the form of Equation (11).

(11)

The reason for including the VCA's identity in all signed blind tokens is to prove to the ICA that the token has been signed by a validating authority. T ^vca _n is the time stamp on which the token is signed, and all users have two unique time stamps signed at different times. The VCA also restricts the user to use this token for a particular ICA by including his id. The VCA also includes the next hop address to explicitly indicate to the user that this token is only available for this particular ICA.

2. To verify aliases VCA is a hash of all the random number received in the Challenge I ^P and configure the hash table for all user requests to the PC _r.

3. The VCA sends a signed blind token of sBT ₁ -sBT _n encrypted with the user-provided one-time session key. The message shown in Equation (12) is transmitted to the user.

(12)

The user received the message shown in Equation 12 in the VCA after applying the one-time session key obtained the sBT. The additional user applies the corresponding unblind parameter b- ¹ to all the SBTs and obtains the signed unblinded token (sUBT) shown in equation (13).

Because all users on the network are signed with the private key of the VCA, the sBT can not be modified, and all sorts of modifications cause signatures to be lost. Also, since every token has the next hop address and address of a specific ICA, the user can not duplicate the double spending token. The service of the pseudonym credential protocol starts here and is granted to all users of the network as a pool of PC _r according to the trust bits. Table 3 shows a summary of the message exchange within the alias credential protocol.

(Table 3)

2.3. Alias identity / certificate issuing protocol

3 is an exemplary diagram illustrating a detailed process of a pseudonym identity / certificate issuance protocol in a pseudonym framework system and method for privacy protection of a delay tolerant network according to an exemplary embodiment of the present invention . Here, the user 100 represents a user apparatus, and the Issuing Certicate Authority (ICA) 300 represents an authentication personalization apparatus.

The user creates an anonymous set size by joining one of the groups managed by the group manager (GM).

This group can be one or more in area / subregion and other sizes. All groups are identified by a unique group ID (GID) and a group symbolic key (GSK) K ^GSK , which is continuously updated. A group may consist of a single area with one ICA acting as a gateway, and a group may consist of more than one area.

User and subregion ICA anonymously authenticates and subscribes to the group and receives an update (K ^GSK ). The key is updated as the user enters and exits the group. All messages exchanged with GID (K ^GSK ) are valid messages without connection information to PC ^r . Group formation and anonymous authentication are not the focus of this invention. The reason for joining the group is to create an anonymity set size before actually asking the PC.

2.3.1. Requirements and Assumptions

The following is a set of requirements and assumptions for a Pseudonym Certifate Protocol.

The PT / PID must be password-safe and bound to any value that an unauthorized user communicating later can not deny ownership.

A user may request one or more alias certificates from another ICA in the same ICA or other subregion / group in the subregion / group.

vca)로 알려져 있으며 임계값 비밀키(TSK, Threshold Secrete Key)는 해당 ICA / VCA에만 알려져 있으며 TSK^ica로 표시된다.The threshold public key (TPK) is shared between the two ICAs and VCAs and all entities of the PF

vca), and the Threshold Secret Key (TSK) is known only to the ICA / VCA and is indicated as TSK ^ica .

vca로 암호화 된 메시지 M은 ICA1, ICA2 및 VCA와 같은 모든 CA의 TSK가 적용되면 해독된다.

Message M encrypted with vca is decrypted when all CA's TSK such as ICA1, ICA2 and VCA are applied.

The user can request PID and PC from the ICA belonging to the same area or another area, but the area should be the same as the VCA.

2.3.2. Message exchange

This protocol consists of two message exchanges: a Pseudonym Certification Request (PCReq) and a Pseudonym Certifate Response (PCRes). The latter is optional and the former is required.

The optional message depends on the type of application in the DTN and the level of privacy required by the user.

The system model of this protocol is shown in FIG. 3, where FIG. 2 (I) shows the intra-region and (II) shows the inter-regional PC request / response. These two areas can belong to the same group or different groups. In the latter case, the user must join the group to which ICA2 belongs.

Pseudonym Certifate Request (PCReq): The user generates a public / private key pair (pPK ⁿⁱ and pSK ⁿⁱ ) of a pseudonym that is another cryptographic key pair. The user composes a message containing a public key of the alias, a pseudonym ( _PCr ), a pseudonym identifier (PID), and a request for the PC. The first encryption layer is the group symmetric key and the second encryption layer is the ICA public key. The second tier ensures that no one but the ICA can decrypt the message, while the first tier guarantees to the ICA that the user is legitimate and the update key is granted by GM. The message is sent by the user to the next hop and the process continues until the message reaches the destination. This group communication method makes it very difficult for the ICA and the antagonist to know the sender of this message. The message takes the form of (14).

(14)

ICA operation: ICA applies SK ^ica and K ^GSK to remove both layers of encryption and obtain a pseudonym public key for binding a pseudonym identifier via PID / PT, PC, PC _r, and alias certificate.

, id^vca, T^vca _n 및 id^ica를 얻는다. If ICA can not remove both layers of encryption, it simply discards the request. After successfully decrypting, apply the VCA's well-known public key to PCr,

, id ^vca , T ^vca _n, and id ^ica .

It is impractical to validate each PC _r from VCA in RA-DTN due to intermittent / destructive connections. Thus, variants of the blind signature enable the ICA to verify without contacting the VCA.

로부터 사용자의 실제 신원을 알 수는 없다. 왜냐하면

는 난수와 실제 신원의 해시의 XOR 함수이기 때문에 둘 다 사용자에게만 알려져 있다. ICA는 타임 스탬프 T^vca와

를 제외한 PCr에서 모든 필드를 제거하여, 수학식 15와 같이 PT/PID를 구성한다.Pseudonym Token (PT) / Pseudonym Identity (PID): ICA is included in PC _r

The user's actual identity can not be known. because

Are both known to the user because they are the XOR functions of random numbers and hash of real identities. The ICA uses the time stamp T ^vca

The PT / PID is constructed as shown in Equation (15).

(15)

This is an alias token or alias identity that the user created as an alternative to the actual identity.

Because the ICA can generate more than one PT for the same PC _r according to policy, it has included a new random number to make this PT unique. When a message is encrypted with a threshold public key, this key is shared between the same ICA and VCA. Thus, the PT / PID will require decryption of all three CA's secret keys.

Pseudonym Certifate (PC): The ICA generates the same alias certificate as the X.509 standard and binds and digitally signs the PT / PID with the user's identifier and public key pPK ^user . The corresponding pseudonym private key pSK ^user is known only to the ^user . The PC is stored in a public directory for other users who want secure communication with this user.

의 해시를 가져와 HSⁱ _ica로 저장한다. i 번째 사용자에 대해 i 번째 PT에 대해 다음 형식으로 보안 데이터베이스에 항목을 기록한다.ICA Database: ICA

And stores it as HS ⁱ _ica . For the i-th user, record the entry in the security database in the following format for the ith PT:

The hash value and the time stamp are unique to each PC _r . If the user is found to have engaged in malicious activity, the mapping utilizes the resolution process.

Pseudonym Certicate Response (PCRes): This message is optional and depends on the user's DTN enforcement and security / privacy level.

Low level: Download the new PC from the public folder in either case. First, when the user is a general user (requires low level of security) and fully trusts the ICA to generate a fair PID, and second, the communication link between the user and the ICA is intermittently affected by the delay.

High: The user can request confirmation of the new PC from ICA in one of two cases. First, the user requires a high level of security / privacy and does not completely trust the ICA for fair PID generation. Second, the communication link between the user and the ICA is persistent.

Therefore, at a high level, the ICA sends the PT component to the user as shown in equation (16).

(16)

The user receives the message in Equation 16, decrypts it using the pseudonym private key, and obtains the timestamp, random number, and critical public key used in the PT. It then constructs the PT and compares it with the PT received in the message. The coincidence shows the ICA's honesty, and the discrepancy induces the user to discard the message and report this particular ICA to the VCA.

Table 4 summarizes the Pseudonym Certifate Issuance Protocol, a message exchange between the user and the ICA. Notation User (Gi) shows that the message is from a user belonging to group i, and notation Gi (User) shows that the message is for group i, not a specific user.

(Table 4)

2.3.3. Multiple Pseudonym Certifates

Users can request multiple PCs from the same or different ICAs, and can issue 1 to 30 PCs (one PC per month per month) based on one PC _r , according to the policies defined for PF. The maximum PC _r , the number of users is 12, and the maximum number of PC users is (12 x 30 = 360). Therefore, one PC can be used in one day, and the pool can be used for one year. The number of PC _r licenses and PC issuances depends entirely on the nature of the application of RA-DTN, such as VANET. There is an agreement on using three alias certificates per day. The validity period of each PC is calculated according to T ^vca _n included in PC _r . In a pseudonym identification / authentication protocol, a user can obtain multiple PIDs / PCs from a PC _r based ICA. A user can create one or more PIDs and PCs by consuming one PC _r using the same subregion / region ICA. A user can create one or more PIDs and PCs by consuming two or more PC _rs using different ICAs belonging to the same or different sub-regions.

3. Formal modeling and analysis of privacy infringement

3.1. Privacy infringement

In this section, we will analyze various privacy and security attacks against the Pseudonym Credential Protocol.

3.1.1. Repudiation Attack

A denial-of-service attack is an attack denying that a user has performed a particular transaction / action. In this attack, an honest user considered dishonest and sent a blind signature, thinking that the false BT contained a valid BT. Fake BT can be characterized. A token that does not reveal the identity of the user. However, the VCA detects a large probability for the following reasons.

The user does not know the number of signed tokens to receive from the VCA. Thus, a fake token in a valid token pool can be detected with a high probability.

The VCA randomly retrieves the tokens from the challenge message in the token pool sent by the user. The VCA removes the token and compares the ID contained in the token with the ID that sent the request.

If the VCA finds a fake token that does not contain the user's identity, it rejects the request for PC _r .

3.1.2. Impersonation Attack

Impersonation attacks impair the identity of legitimate users in the network and thus require messages to and from the actual user. In the alias framework, foes can impersonate all users of the RA-DTN to obtain PCr from the VCA. However, the attack is not successful due to the challenge response mechanism between the user and the VCA. The attacker masquerades the user in the RA-DTN and observed the communication link between the user and the VCA. An attacker can also send blind tokens to a VCA impersonating the user's identity. Therefore, the knowledge of the attacker is expressed in Equation (18) in comparison with the knowledge of the user shown in Equation (17).

(17)

(18)

The attacker first signs the captured message with his private key, encrypts it with the public key of the VCA, and sends it to the VCA. The VCA creates two problems, I ^f and I ^P , and sends the two challenges encrypted with the attacker's public key. Therefore, the knowledge of the attacker increases more than that shown in Equation (19).

The attacker's goal is to actually sign the blind token for the user at the VCA. For this purpose, the attacker needs a random number and a blind element to respond to the challenge requested by the VCA. K ^intermediate (A) ∩K (User) = {r ⁱ _n , b ^-1 _i } or if the attacker's knowledge increases to K _final (A) = K (User). However, since the user knows the unblind factor and the random number of the sender of the blind token, it is impossible in the Pseudonym Credential Protocol. Therefore, the attacker's knowledge is the same as K _intermediate (A).

3.1.3. Influence Attack

This is the lowest intensity impersonation attack version. The attacker influences or enforces to perform certain actions. The action can benefit the attacker either directly or indirectly (later in a conversation). It is assumed that the VCA can influence the law enforcement agency to become a big brother in political interest to uncover the identity of a particular user. However, the attacker is not successful due to the challenge response methodology.

In response to the challenge message of the Pseudonym Credential Protocol, the VCA has received a response to the challenges I ^p and I ^f . The VCA must sign the token that belongs to the I ^P set. However, the VCA is forced by the law enforcement agency to sign the token in the set of I ^f . The reason is clear. Law enforcement agencies want to track the communication of a particular user and must know the contents of the token. Law enforcement agencies also want to include some sort of tag in the token for tracking purposes. Thus, in a pseudonym grant message, the VCA signs the token with a set of I ^f instead of I ^p and sends it to the user.

The VCA has already decrypted and intentionally signed the token that knows its content. The user has already compiled 'BT-set'. The second set (rT) containing all tokens sent for signature corresponds to the signed blind token that the user received in the last message in the VCA. You should compare the two sets of tokens are approved if BT -set∩rT = I ^p and refuse the case, otherwise the BT -set∩rT = I ^f. The previous condition means that the token of Ip was signed and the latter token of I ^f was signed.

3.2. Formal modeling

For the secrecy and authentication attributes, we modeled the Pseudonym Credential Protocol using Casper [39] in the Dolev yao model [40].

3.2.1. Role Confusion Attack (User)

This type of attack is an attack where the node confuses its role during authentication to the VCA. In this attack, the enemy reacts with the person between the user and the VCA. In the first message, the user sends a set of blind tokens with real identity information for authentication purposes. But the message comes from an intruder who acts as a VCA. Also, the received message is falsely transmitted to the VCA. Since the VCA is under the impression that the message originated from the user, the message-1 attacker responds with message-2 just as it would get the message-2 and disguise it to the user. Now the attacker is sitting positively between the user and the server at this point.

Therefore, the user considers the VCA server to continue exchanging the remaining messages with the VCA that does not import PC _r . An abstract model of the attack is shown in FIG.

3.2.2. Role Confusion Attack (VCA)

An intruder may initiate a role-exploiting attack on the VCA. That is, the VCA is authenticated to the intruder on behalf of the user requesting the signed blind token. This attack is similar to the previous attack except that the intruder starts communicating with the VCA, and the attack is shown in FIG. This model shows that the user is completely quarantined after sending Message-1.

The user sends a message-1 containing the blind token set and the user's real identity for authentication. However, this message is fake by the intruder and VCA.

The VCA plays message-2 to the user, but this time the intruder receives the message. At this point, the intruder totally abducted the session between the user and the VCA. Therefore, the VCA thinks that the rest of the message is transmitted to the intruder and transmitted to the user.

The above role confusion attack was defended by including nonces. In the first two message exchanges, a new value of the message exchanged between the user and the VCA is exchanged.

It is therefore impossible for an intruder to generate the same remark as a legitimate user of the protocol.

3.2.3. Multiplicity Attack (VCA)

This attack is due to lack of freshness in the last message exchange and in this attack the agent does not agree with the number of times the protocol has been executed, First, the two participants of the pseudonym Credential Protocol mutually authenticate each other and agree with some data values. However, in message-4, the VCA sends a message to the user without a new nonce or an agreed nonce. Thus, an attacker can imitate the VCA and modify the message. The seriousness of this attack is that the node does not get a signed blind token, which can not be used as an alias for every attacker sending a garbage value.

Table 5 shows the attacks mentioned above and their countermeasures.

(Table 5)

4. Quantification of anonymity

In this section, anonymity is analyzed through information theory analysis, and personal information is measured in terms of entropy.

4.1. Network model

The user joins the group to obtain anonymity in terms of disconnecting the user's request and PC _r . The messages in the group are not sent directly to each other instead of being sent to the next available hop.

Therefore, there are two types of members in a group. One is a member participating in message delivery called IH and the other is a non-delivery node. The IH node has information of hop count (H ^c ); nIH indicates the number of hops for a specific message while there is no corresponding information. In a DTN, a source node can act as a relay node for its own message, so H ^c can also contain a message source.

Other group sizes are simulated in the ONE Simulation [41], taking into account the FirstContact routing algorithm.

Here, only one copy of the message is traveling, and every member of the group encounters another member, the message is delivered to the destination. Performs a simulation of several group sizes for messages sent by any group member to the ICA for PC and records the average number of relayed hops. The intermediate hop that acts as a forwarder for a particular message is represented by IH _i . The message received by IH _i has a hop count field, which tells IH _i that the message passes a certain number of hops. Thus, the number of hops depends on the size of the different groups.

4.2. Attacker model

Eavesdroppers can observe passive communication that communicates to both insiders and outsiders. An attacker can analyze full traffic information, but can not intercept or control group members. Thus, the attacker considers the group of 10 members to be equally as senders of a particular message. Thus 1/10 is the probability of finding the actual sender of a particular message. Thus, the probability that a user will be the sender of a message in n user groups is 1 / n. Thus, the increase of n increases the DoA. Hostile Group members can initiate and terminate / terminate connections between two group members.

This is an active insider attacker, and the goal is to hack the group members to reduce their anonymity.

Single / Multiple Member Compromise: An attacker can attack one or more members at any time. A corrupted group member may not forward or forward group members for a particular message.

4.2.1. Passive internal enemy

Enemies who passively observe a particular group of communication do not have information about the number of nodes N and the distribution of IH / nIH.

Therefore, the probability of damaging an IH / nIH node is the same because one node is arbitrarily damaged in order to know the dynamics of the group. Therefore, DoA is always high as 1 in this case.

If a node can corrupt the nIH, it will not get any information except to reduce the anonymity set size (A ^SS ) to the number of corrupted nodes (C _i ).

However, if the other node can damage the IH node, it obtains Hc and N information. Hence, the maximum entropy H (M) is calculated by Equation (20).

(20)

Since the enemies passively observe certain IoI quantitatively and know their source, we divide A ^SS into two lists such as (φ ^hc ). Number of hops of the damaged IH list was calculated as in equation (22) is the Ψ ^S A ^SS in Equation (21).

(21)

(22)

The term n ^h represents the next hop of the damaged IH, C ^IH _i is the number of damaged IHs, and λ is the number of possible callers in the range of a specific IH and is calculated as 1 ≤ λ ≤ N / IH. Equation 22 shows a direct relationship between lambda and C ^IH _i . Therefore, if the opponent can damage the IH, reduce ψ ^S by factor of λ.

Here, since the attacker has manually observed the activity in the IH, he assigns an arbitrary probability to the 0-1 range on both lists, but a user belonging to the same list is considered to have the same probability. Hence, the probability distribution is expressed by Equation (23).

(23)

Therefore, the degree of entropy and anonymity shown in Equation (24) after the attack is expressed in Equation (25).

(24)

(25)

4.2.2. Active internal enemy forces

In this attack, the active internal attacker can be considered to compromise the IH and additional information about the specific IoI can be obtained. The attacker's goal is to reduce ^ASS from two lists to one list.

In the first case, the attacker deduces from both lists that the source does not act as a relay for a particular IoI and therefore belongs to ψ ^S. Therefore, since? ^Hc = 0, the entropy of the system decreases and is expressed by equation (26).

(26)

In the second case, the attacker removes ψ ^S from A ^SS by acquiring routing information after capturing IH. The entropy after this attack is expressed by equation (27).

(27)

In both cases, the attacker considers the user in the list to be the same as the original message, and H (M) remains the same in both cases.

4.3. Rating of anonymity measurement results

For the number of group sizes (ie, 10-1000), the results for both active / passive and single / multiple attacks are displayed and are assigned probabilities ranging from 0 to 1. We used one simulator to calculate H ^c for several group sizes. Probabilistic simulation is initially performed by a passive attacker between a single user and multiple users and then the same for active attackers.

First, consider passive insiders. Figure 7 shows the DoAs for N, P and Ci = 1, and generally DoA increases with N. The reason for N is obvious. It is more important than comparing the larger N sets of message sources to the smaller Ns. Another parameter, P, is an interesting element for increasing or decreasing DoA. If the attacker has passively observed H ^c Assigning a higher probability to the list reduces the anonymity set size to H ^c , so DoA is lower for smaller N and higher for larger N. This increases the size of the anonymity set by increasing H ^c because the message arrives at the destination with a larger N because it passes many IHs before. DoA increases as N increases and P decreases as the anonymity set size increases by ψ ^S. This is clearly larger than φ ^Hc .

 DoA never achieves the highest level, that is, DoA = 1, because the focus is on pseudonymity. In case of malicious activity, you can trace the source. The optimal DoA level is achieved for any N with 0.4 P &lt; 0.6.

The minimum and maximum DoAs for a particular system may vary depending on the privacy requirements of the system. Therefore, it is difficult to suggest specific values before intensively testing the model.

Figure 8 shows the minimum and maximum levels of DoA provided by a particular group, i. E. Under the impairment rate of IH, which is between 10% and 80% of the CIH. This analysis considered passive observation of IH rather than cooperating with each other.

The latter considered the nIH node, not the corrupted IH, because it can ignore meaninglessness. If the group size is less than 50, the minimum DoA displayed in the result is very low and approaches zero (the attacker is sure about the origin of the IoI). If group size N ≤ 50, H ^c is less than 5, which is very low. The compromise rate shows no change. However, for N ≥ 100, the minimum DoA gradually increases and reaches a peak value of 0.50 for N = 300. An interesting situation occurs at the percentile change of C _i and 300 ≤ N ≤ 400, and DoA decreases with increasing N. Since H ^c does not increase with N, φ ^hc at N = 300 is equal to N = 400, but H (X) at N = 300 is higher than N = 400, so DoA is high.

The results show that the maximum DoA of any IoI increases with N and decreases from C _i to a percentage increase. However, for 10 ≤ N ≤ 50, DoA remains the same for different values of C _i . This is because most of the percentage value approaches 1 because H ^c for the range is less than 5. The result, however, affects DoA for 60 ≤ N ≤ 100 for the other C ⁱ . This is because the value coincides with the lower value of N when the percentage C ⁱ for the range increases. For example, if N = 80 and 90 and C ⁱ For = 0.80, DoA will be smaller than N = 90 for N = 80 because it provides the same value due to very small differences in H ^hc .

The analysis considered active in the first attack would damage the specific IH and assign φ ^hc at p = 1. In this attack, the attacker is assured that the source of a particular IoI belongs to φ ^hc , so all nodes in it are assigned the same probability.

The result of this active attack on φ ^hc , DoA is 0 for N = 30 because φ ^hc is 1, so there is no uncertainty at the end of the attacker. However, when N≥40, DoA increases and saturates to 0.60 when N≥500. Thus, DoA increases with N except for two values where N is 300 and 400. DoA is high in the former case and N in the latter case is low. The reason is that H (X) 400 ~ H (X) 300 because it is a small difference between two φ ^hc , so the attacker uncertainty is less than N = 300 compared to N = 300.

In the second active attack, enemies can damage IH, and we can infer that the source of a particular IoI is in ψ ^S , so we can assign the same probability to all the nodes in it. The results show that DoA increases linearly with increasing N and ψ ^S and that DoA saturates to 0.90 when N ≤ 500.

Figure 9 shows the comparison results of the two active attacks already discussed and shows the important differences between the two attacks. Thus, DoA depends not only on N and P, but also on the attacker's strength and the information the attacker obtains. DoA does not exceed 0.60 because the anonymity set size is small in the first attack. However, the nodes of the second attack can enjoy DoA ≥ 0.90 for N ≥ 100. The low curvature at 300 ≤ N ≤ 500 is due to the very small changes in Hc of N = 300 and 400, previously described in this section.

4.4. Group Anonymity

This is trivial because groups with large members are difficult to manage, especially in DTN, and it is cumbersome to distribute updated group secret keys. Therefore, before subscribing to a group, users want to know the level of personal information on average. Therefore, we proposed a new metric group anonymity (GDoA) that measures the anonymity of the entire group instead of a specific IoI. This new metric complements DiA's suggested DoA and is the average of individual DoAs for a given probability distribution p. For example, when the group G1 is N = 10, the user with different values of DoA varies with the change of C _i , so the average of all DoAs at each point is denoted GDoA and is represented by equation (28).

(28)

The results in FIG. 10 show that group anonymity increases as the number of users of the group increases. If N ≥ 100, DoA is always greater than 0.80 for all C _i , so the proposed PF solution provides good anonymity despite aggressive attacks.

5. Conclusion

The present invention proposes a Personal Information Protection Architecture (PbA) Pseudonym Framework (PF) based on minimum identification data collection and mitigates strong trust assumptions in certification bodies.

In the first protocol, the Pseudonym Credential Protocol, the user securely generated a pseudonym identity from a certificate authority without sharing the content. In the second protocol, the Pseudonym Identity / Certifate Issuance Protocol can not associate two aliased certificates to a single user, because it grants users multiple alias identities / certificates from the same or different certification authorities. Trust distribution among certification authorities makes it hard for a CA to become a big brother.

The first protocol was formally modeled using Casper and FDR according to the Dolev yao model. Protocol has proven to be secure against multiple attacks, such as role confusion and multiplicity attacks. Personal attack analysis of the first protocol defends against various attacks such as denial, impersonation and impact attacks. The information theoretic analysis of the second protocol measures personal information in terms of the DoA and GDoA of individual users and groups for various sizes of group N, probability distribution P, number of hops H ^c, and damaged node C _i . The protocol is analyzed for external / internal and passive / active attackers, and the results indicate that DoA depends not only on N but also on other parameters such as p, C _i and H ^c .

100: user equipment 200: authentication certification authority device
300: authentication issuing authority device

Claims (22)

(A) the user device sending an identity request message to the certificate authority device, including an actual identity, a plurality of blind tokens, and an original certificate;
(B) generating a challenge message including a random number and an unblind factor after extracting an actual identity and a plurality of blind tokens from the identity request message, and transmitting the generated challenge message to the user device;
(C) the user equipment transmitting a challenge response message to the certificate authority device; And
(D) sending a pseudonym grant grant message including a plurality of signed blind tokens in response to the challenge response message. &Lt; Desc / Clms Page number 19 &gt; The method according to claim 1,
In the step (A), the actual identity of the user of the identity request message and a plurality of blind tokens are encrypted with a private key, digitally signed, and then encrypted with the public key of the authentication confirmation authority apparatus, A pseudonym framework method for. The method according to claim 1,
Wherein the plurality of blind tokens are created by XORing the actual identity of the user with a random number hash in step (A). The method according to claim 3,
In the step (B), when the certificate decryption unit decrypts the message with the private key and obtains the digital signature, the authentication certificate authority device decrypts the signature with the public key provided in the certificate, checks the validity of the certificate, and then generates a challenge message An alias framework method for the privacy of permitted networks. The method according to claim 3,
In the step (B), the challenge message includes a part corresponding to the entire decryption information composed of the random number and the unblind factor, and a part corresponding to the partial decryption information composed of the random number, An alias framework method for the privacy of permitted networks. The method of claim 5,
In the step (C), the challenge response message includes a random number and an unblind factor in response to a part corresponding to the entire decryption information, and includes a random number in response to a part corresponding to the partial decryption information An alias framework method for the privacy of permitted networks. The method of claim 6,
In step (D), the certification authority apparatus encrypts the blind token of the set of parts corresponding to the partial decryption information, encrypts the blind token using the one-time session key transmitted from the user apparatus, and transmits the encrypted pseudonym grant message A Pseudonym Framework Method for Personal Information Protection of Delay Tolerant Networks. The method of claim 6,
In the step (D), the authentication verification institution device compares the transmitted challengeer message with the received challengeer response message, and for the privacy protection of the delay-allowed network that proceeds with the signature when the blind token of the received challengeer response message is identical Alias framework method. The method according to claim 1,
(E) applying the unblind factor to the signed blind token of the transmitted pseudonym grant message to obtain a signed unblind token; and (e) . A user device that sends an identity request message to the authentication authority device below, including an actual identity of the user, a plurality of blind tokens and an original certificate, and receives a pseudonym trust grant message including a signed plurality of blind tokens; And
And an authentication authority device for extracting a real identity and a number of blind tokens from the identity request message and then sending a pseudonym trust grant message including the signed plurality of blind tokens to the user device,
The authentication confirmation authority device generates a challenge message including a random number and an unblind factor after extracting the actual identity and a plurality of blind tokens from the identity request message and transmits the generated challenge message to the user device,
The user device sends a challenge response message to the certificate authority device,
Wherein the CAS device sends a pseudonym grant grant message containing a plurality of signed blind tokens in response to the challenge response message. delete 12. The method of claim 10,
Wherein the identity request message comprises a pseudonym framework system for privacy protection of a delay tolerant network wherein the real identity of the user and a plurality of blind tokens are encrypted with a private key, . 12. The method of claim 10,
Wherein the plurality of blind tokens are generated by XORing a real identity of a user with a random number hash. 12. The method of claim 10,
Wherein the user device obtains a signed unblind token by applying an unblind factor to the signed blind token of the transmitted pseudonym grant message. delete delete delete delete delete delete delete delete

Images