Lucent Personalized Web Assistant (LPWA)

Like mentioned above anonymizing tools are good at keeping peoples identities secret while surfing the internet. However often services provided online need at least some information about user visiting the site, in order working properly. Online discussion boards or simply sites, where people are able to create accounts, need at least data like username, password and often a valid email address (for account activation and validation of given email address). Some sites just ask for an email address, like websites providing newsletters. When email addresses are disclosed however, there is always a potential for abuse (e.g. spam, junk mails).

Unfortunately people tend to use the same information for identification among different sites, because it is difficult to remember different usernames, passwords for every single site they use. Reuse of login information does not only enable linking of actions (simply by comparing usernames), but could also be very dangerous. If an attacker is able to gain access to one account (e.g. by breaking the password), he could easily log into another account created by the same user.

To solve this problem LPWA generates aliases for users, consisting of username, password (and email address if needed). When a user is asked to enter information, the user enters

4.2 Pseudonymity 66

predefined prefixes into the form (e.g. /u for username, /p for password), hence LPWA knows where to enter the automatically generated information. When this same user is visiting the site again, LWPA recognizes the site and login information can be entered the same way as during registration.

Features of LPWA include (cf. [Gab99]):

Alias Generator: LPWA generates automatically secure, consistent pseudonyms, which build different personae (partial identities) for different websites. Usually these identities consist of username and password. Sometimes email addresses are included too, when this information is requested by a website.

Email Service: the tool not only generates usernames and passwords, but email addresses too. When a website sends an email to the automatic generated address, the message is automatically forwarded to the users true email address.

Anti-spam Support: When an email is forwarded to the users true inbox, not only the address generated by LPWA appears as sender, but the address, from where the message originated, is stored in the mails CC-field (carbon copy⁴). Thus it is possible to block mails sent by this site in the future, in case spam was distributed. Despite a measure called address spoofing⁵ people using LPWA are not only able to block spam, but can identify the site, which was responsible for the spam-mail in the first place (e.g. which site disclosed information to spam distributors). This is possible because LPWA-user are only known to different websites by the data generated by LPWA. Although spam distributors are still able to change (or spoof) originating addresses to avoid spam-filters, these emails can still be blocked, because the email can not only be identified by the originating email address, but also by addresses generated by LPWA. If a LPWA user wants to block mails sent to a certain email account generated by LPWA and forwarded to him, he has just to block mails sent to this account. This information can’t be changed by spam-distributors, hence address spoofing is useless with LPWA.

Filtering of HTTP-Headers: sensitive information is removed from headers.

Indirection: every request made by the user is rerouted through a proxy - hence server are only able to see the proxies address, not the true address, where the request originated from.

Statelessness: LPWA doesn’t store translation tables (associating data for relationships between pseudonyms/personae and websites) remotely. Hence LPWA can’t be forced to disclose sensitive data stored on a central server - a potential target for hacker attacks.

After describing LPWAs features, the tools main components (cf. [Gab99]) will be introduced below:

4 to email addresses inserted into this field, a copy of sent message is issued. Unlike BCC (blind carbon copy) receiver-addresses are visible for all receivers

5 real address is concealed, so address may not be recognized by spam filters

4.2 Pseudonymity 67

Persona Generator: generates a persona by using the janus function⁶. LPWA needs a user ID (valid email address) and a secret serving as universal password. Additionally the generator uses the address of the target website to generate data of the partial identity. Given information is used to generate username and password. The email address for a particular persona is a combination of the website domain and a secret key. The generator itself can be integrated directly into the users browser (or on the Browsing Proxy - see below).

Browsing Proxy: The proxy used by LPWA is not only redirecting requests, but filters as well HTTP-headers. The proxy could be implemented remotely on a firewall, ISP access point etc.

Email Forwarder: forwards messages sent to generated addresses to the user’s true address.

The forwarder has to be placed somewhere remotely, away from the user, so numerous generated email addresses can’t be linked to the user.

Figure 4.7: LPWA Proxy Configuration

In [Gab99] were numerous trade-offs identified, concerning LPWA:

Trust: LPWAs persona generator is provided with information, which is probably sensitive to the user. Therefore user have to trust the mechanisms used with LPWA and that the information is secure and isn’t abused.

Anonymity: no components (Browsing Proxy, Email Forwarder) should make it possible for attackers to gain information about people using LPWA.

Performance: if proxies or other nodes, connections can’t handle the amount of requests issued, a performance degradation can be expected. When [Gab99] was published

6 combination of cryptographic functions