Anonymous and confidential communication using PDAs
Anonymizers based on an intermediate computer (or a set of them) located between the sender and the receiver of an e-mail message have been used for several years by senders of e-mail messages who do not wish to disclose their identity to the receivers. The job of the computer in the middle (the mediator) is to receive the message from the sender, delete the sender's address and other personal data from the header of the message, and forward the message to its final destination. In this paradigm there is no way to hide the identity of the user from the mediator, simply because the message arrives at the middle computer carrying information that easily leads to the identity of the sender. The origin of this problem is that the sender uses a computer identified by an IP address that unambiguously leads to the identity of its user. In fact, the sender discloses his identity to the mediator computer from the very moment he sends his message, in the hope that the mediator will protect it. Because of this, in this paradigm the strength of the system for protecting the identity of the sender depends on the ability and willingness of the mediator to keep the secret. In this dissertation we propose a novel approach to sending truly anonymous and confidential messages over the Internet which does not depend on a third party. Our idea departs from the mediator approach in that we do not use an IP-addressed computer to send anonymous messages; instead we use a computer without an IP address of its own, specifically a Personal Digital Assistant (PDA) that is connected to the Internet without an IP address through a Mobile Support Station (MSS). The PDA is identified to the MSS by a temporary, non-personal, random identifier (TmpId) which is assigned by the MSS and is valid for only one communication session.
Thanks to the use of the TmpId, the sender of the anonymous messages does not need to disclose his identity to the MSS or to anybody else; thus, the strength of the system does not depend on any mediator. Having observed that a public telephone box provides complete anonymity when operated by coins, we took its functionality as a paradigm for our system. Thus, the main idea of our approach is to make the PDA, the MSS, and the Internet communication infrastructure imitate the work of a public telephone box connected to the telephone network. To make this possible, the PDA user pays for his anonymous message with anonymous electronic cash. To prove the feasibility of our approach and its correctness, the protocol of the proposed system was designed, specified in the Promela specification language, and its basic safety properties and proper end-states were validated using the Spin validator.
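As an added illustration, not part of the dissertation and not its Promela model, the following Python sketch contrasts the two architectures described above: the mediator's log retains a persistent source address that links a user's messages to one another, whereas an MSS that issues a fresh random TmpId per session and accepts a payment token holds nothing that links one session to the next. The Mediator and MobileSupportStation classes, the IP address and the payment token string are constructed for this example.

```python
import secrets
from collections import Counter

class Mediator:
    """Mediator-style anonymizer: the sender's IP reaches, and is logged by, the middle box."""
    def __init__(self):
        self.log = []

    def relay(self, sender_ip, body):
        self.log.append({"src": sender_ip, "body": body})
        return {"from": "anonymous", "body": body}   # sender data stripped for the receiver

class MobileSupportStation:
    """MSS as in the abstract: one random TmpId per session is all it ever ties to a message."""
    def __init__(self):
        self.log = []
        self._active = set()

    def open_session(self):
        tmp_id = secrets.token_hex(8)          # constructed: 64-bit random TmpId
        self._active.add(tmp_id)
        return tmp_id

    def relay(self, tmp_id, payment_token, body):
        if tmp_id not in self._active:
            raise PermissionError("unknown or expired TmpId")
        if not payment_token:
            raise PermissionError("anonymous cash token required")
        self.log.append({"src": tmp_id, "body": body})
        return {"from": "anonymous", "body": body}

    def close_session(self, tmp_id):
        self._active.discard(tmp_id)           # TmpId is valid for exactly one session

def sessions_linkable(log):
    """True if some source identifier in the log ties two or more messages together."""
    return any(n > 1 for n in Counter(e["src"] for e in log).values())

def run_demo():
    """Same user sends two messages under each architecture; returns (mediator, MSS) linkability."""
    med = Mediator()
    for body in ("first", "second"):
        med.relay("198.51.100.7", body)        # constructed documentation-range IP
    mss = MobileSupportStation()
    for body in ("first", "second"):
        tid = mss.open_session()
        mss.relay(tid, "ecash-token", body)    # constructed placeholder for an e-cash coin
        mss.close_session(tid)
    return sessions_linkable(med.log), sessions_linkable(mss.log)
```

Running `run_demo()` returns `(True, False)`: the mediator's log links the two messages through the shared IP, the MSS log does not.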