Many modern network services have seemingly contradictory goals. On
one hand, users are concerned about privacy and wish to remain
anonymous for fear of their identities being misused. Service
providers, on the other hand, need to have at least some form of
accountability to stymie malicious and abusive users. Our work is
focused on providing practical, inexpensive anonymous authentication
so that both the user and the service providers know under exactly
what conditions a user's identity will be revealed. We want our system
to be easily applicable to general protocols and have a small trusted
computing base (TCB).
Our system is based around the notion of contracts. When a user
accepts a contract, their identity is placed in escrow on a server
that uses Flicker to execute the code with access to the identity in
isolation. Flicker allows the server to prove to both
the user and service provider that the user's identity will be
revealed by the server if and only if the client breaks the
contract. By design, our system can be adapted to
protocols that send messages at high rates. In addition, because the
accountability server uses Flicker to attest to the conditions upon
which identities will be revealed, the TCB contains only the small
trusted code that runs in isolation on the accountability server.
Our system, RECAP, has two advantages over similar works. First, our system
is designed to be fast -- it can support protocols that have high throughputs. Note that these comparisons are not apples to oranges; you should read our paper to fully understand the experiment.
[Figures: Throughput at service provider; Throughput at user]
Second, our system is fair. Unlike related systems, a well-behaved user
cannot be discriminated against in our system. In contrast, competing
systems allow a well-behaved user to be banned for no reason.
Find out more!
Download our NDSS 2010 paper
or look at our CyLab partner's conference
- Edward J. Schwartz
- David Brumley
- Jonathan M. McCune