Pretty Private Group Management

TL;DR

This paper introduces a distributed group management system using DHTs that enhances privacy and security by eliminating central authorities, with formal validation and a prototype implementation.

Contribution

It proposes a novel distributed protocol for group management that ensures privacy and security without relying on central authorities.

Findings

Formal security validation using AVISPA

Prototype implementation on Vuze's DHT

Enhanced privacy and security features

Abstract

Group management is a fundamental building block of today's Internet applications. Mailing lists, chat systems, collaborative document edition but also online social networks such as Facebook and Twitter use group management systems. In many cases, group security is required in the sense that access to data is restricted to group members only. Some applications also require privacy by keeping group members anonymous and unlinkable. Group management systems routinely rely on a central authority that manages and controls the infrastructure and data of the system. Personal user data related to groups then becomes de facto accessible to the central authority. In this paper, we propose a completely distributed approach for group management based on distributed hash tables. As there is no enrollment to a central authority, the created groups can be leveraged by various applications. Following this paradigm we describe a protocol for such a system. We consider security and privacy issues inherently introduced by removing the central authority and provide a formal validation of security properties of the system using AVISPA. We demonstrate the feasibility of this protocol by implementing a prototype running on top of Vuze's DHT.